Here is our
Data Processing Agreement
Company Information
- Booking Board ApS
- Aabenraavej 44, 6100 Haderslev, Denmark
- CVR: DK43231952
Table of Contents
- Background of the Data Processing Agreement
- Rights and Obligations
- The Data Processor Acts According to Instructions
- Confidentiality
- Data Security
- Use of Sub-processors
- Transfer of Information to Third Countries or International Organizations
- Assistance to the Data Controller
- Deletion and Return of Data
- Supervision and Audit
- Effective Date and Termination
- Contact Person at the Data Processor
- Annex A: Information on Processing
- Annex B: Conditions for the Data Processor’s Use of Sub-processors and List of Approved Sub-processors
  - B.1 Conditions for the Data Processor’s Use of Any Sub-processors
  - B.2 Approved Sub-processors
- Annex C: Instructions Regarding the Processing of Personal Data
  - C.1 Subject of Processing / Instructions
  - C.2 Data Security
  - C.3 Retention Period / Deletion Routine
  - C.4 Detailed Procedures for the Data Controller’s Supervision of Processing Performed by the Data Processor
Background of the Data Processing Agreement
This agreement sets out the rights and obligations applicable when Booking Board (the data processor) processes personal data on behalf of a customer (the data controller). The agreement is designed to ensure compliance with Article 28(3) of the European Parliament and Council Regulation (EU) 2016/679 of April 27, 2016, on the protection of natural persons in relation to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), which sets specific requirements for the content of a data processing agreement. The data processor’s processing of personal data occurs in connection with the data controller’s use of the Booking Board system, as described in Booking Board’s business terms. The data processing agreement and Booking Board’s business terms are interdependent and cannot be terminated separately. However, the data processing agreement may – without affecting Booking Board’s business terms – be replaced by another valid data processing agreement. If the data processing agreement is modified, Booking Board must notify the data controller and provide the new data processing agreement. This data processing agreement takes precedence over any similar provisions in other agreements between the parties, including Booking Board’s business terms.
Rights and Obligations
The data controller is ultimately responsible for ensuring that the processing of personal data is conducted within the framework of the General Data Protection Regulation and the Data Protection Act. The data processor must always comply without undue delay with reasonable requests from the data controller to ensure compliance with the General Data Protection Regulation and the Data Protection Act.
The Data Processor Acts According to Instructions
- The data processor may only process personal data according to documented instructions from the data controller unless required by EU law or national law to which the data processor is subject; in such cases, the data processor shall inform the data controller of this legal requirement before processing, unless the relevant law prohibits such notification for important societal reasons.
- The data processor shall immediately inform the data controller if, in its opinion, an instruction violates the General Data Protection Regulation or data protection provisions in other EU or national laws.
Confidentiality
The data processor ensures that only persons who need access for their work for Booking Board have access to the personal data processed on behalf of the data controller. Access to the data must be immediately revoked if the person no longer needs access or is no longer affiliated with Booking Board.
Data Security
The data processor shall implement all measures required under Article 32 of the General Data Protection Regulation, ensuring appropriate technical and organizational security measures based on the risk to the rights and freedoms of natural persons.
- Pseudonymization and encryption of personal data
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
- A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures to ensure processing security
Use of Sub-processors
The data processor must fulfill the conditions outlined in Article 28(2) and (4) of the General Data Protection Regulation to engage another data processor (sub-processor). The data processor may not engage a sub-processor without prior specific or general written approval from the data controller.
Transfer of Information to Third Countries or International Organizations
The data processor may only process personal data according to documented instructions from the data controller, including for transfers to third countries or international organizations, unless required by EU or national law.
Assistance to the Data Controller
The data processor shall assist the data controller in fulfilling its obligations to respond to requests from data subjects regarding their rights under Chapter 3 of the General Data Protection Regulation.
Notification of Data Breaches
The data processor shall notify the data controller without undue delay upon becoming aware of a personal data breach.
Deletion and Return of Data
Upon termination of the services related to processing, the data processor must, at the data controller's choice, delete or return all personal data to the data controller and delete any existing copies, unless EU or national law requires retention of personal data.
Supervision and Audit
The data processor shall make available all necessary information to demonstrate compliance with Article 28 of the General Data Protection Regulation and this agreement and allow for audits or inspections carried out by the data controller.
Effective Date and Termination
This agreement takes effect when the data controller starts using Booking Board’s system. The agreement remains in force as long as the processing continues and cannot be terminated separately from the business terms of Booking Board.
Contact Person at the Data Processor
Inquiries regarding personal data, etc., can be directed to the following contacts.
- Casper S. Paulsen
- Partner/Developer
- Phone: 60534462
- Email: casper.s.paulsen@bookingboard.io
- Morten Lambek
- Partner/Sales
- Phone: 53521433
- Email: morten.lambek@bookingboard.io
Annex A: Information on Processing
The purpose of the data processor's processing of personal data on behalf of the data controller is:
- To allow the data controller to use the Booking Board system, which is owned and managed by the data processor, to collect and process information about the data controller's members.
The processing includes the following types of personal data about the data subjects:
- Name, email address, phone number, address, date of birth, type of membership, registration, and attendance for the data controller’s classes.
The processing includes the following categories of data subjects:
- Individuals who have created a profile with the data controller using Booking Board.
The data processor's processing of personal data on behalf of the data controller may begin after this agreement comes into effect. The processing has the following duration: The processing is not time-limited and lasts until the agreement is terminated or canceled by either party.
Annex B: Conditions for the Data Processor's Use of Sub-processors and List of Approved Sub-processors
B.1 Conditions for the Data Processor’s Use of Any Sub-processors
The data processor has the data controller’s general approval to use sub-processors. However, the data processor must notify the data controller of any planned changes regarding the addition or replacement of other sub-processors, thereby allowing the data controller to object to such changes. Such notification must reach the data controller at least one month before the change is implemented. If the data controller objects to the changes, they must notify the data processor within 14 days of receiving the notification. The data controller may only object if there are reasonable, specific grounds for doing so.
B.2 Approved Sub-processors
The data controller has, at the time of the agreement’s commencement, approved the use of the following sub-processors:
Name | Description of Processing |
---|---|
Twilio | Handles the sending of SMS messages from the system. |
Mailgun | Handles the sending of emails from the system. |
DigitalOcean | Provides IT infrastructure for running the system. |
Hetzner | Provides IT infrastructure for running the system. |
OneSignal | Handles the sending of push notifications from the system. |
Sentry | Manages error logging of events in the system. |
The data controller has specifically approved the use of the above sub-processors for the exact processing described. The data processor may not – without the data controller's specific and written approval – use an individual sub-processor for a "different" type of processing or allow another sub-processor to perform the described processing.
Annex C: Instructions Regarding the Processing of Personal Data
C.1 Subject of Processing / Instructions
The data processor's processing of personal data on behalf of the data controller occurs as follows: Managing the data controller’s customers' data in connection with the data controller’s use of Booking Board to manage classes, courses, payments, etc.
C.2 Data Security
The security level must reflect: That the processed data includes basic personal information about the data subjects as well as details about their purchases and use of the data controller's products, but generally not “special categories of personal data” as described in Article 9 of the General Data Protection Regulation. The data processor is therefore authorized and obligated to decide which technical and organizational security measures are necessary to ensure the required (and agreed-upon) level of security for the data.
C.3 Retention Period / Deletion Routine
Personal data is stored by the data processor until the data controller requests the deletion or return of the data. When an individual user/customer is deleted from the system, this is done by marking the customer as "deleted," and all directly identifiable information is removed. This means that the name, address, email, date of birth, and any descriptive comments are deleted. What remains is an anonymized user, allowing the data controller to continue extracting reports, etc.
C.4 Detailed Procedures for the Data Controller’s Supervision of Processing Performed by the Data Processor
The data controller bears any costs related to physical supervision. However, the data processor is obligated to allocate the necessary resources (mainly time) required for the data controller to conduct supervision.