DATA PROCESSING AGREEMENT

There is an agency agreement (hereinafter referred to as the Agreement) between the Customer and the Contractor, pursuant to which the Contractor provides the Customer with the accounting service (hereinafter referred to as the Service).

This data processing agreement is entered into with reference to Clause 2.1 of the Agreement, according to which the Contractor’s data processing agreement is an essential part of the Agreement.

  1. Personal data and roles of the Parties upon processing of personal data
    1. To perform the Agreement, the Contractor processes the personal data of the Customer’s employees, representatives, clients, clients’ representatives and partners (hereinafter referred to as Personal Data).
    2. The Personal Data to be processed by the Contractor may include, among other things, the following: personal details, contact details, payment details and financial details, data arising from employment relationships, including information about an employee’s health or family members as far as the employment relationship is concerned, data about working time and rest time, as well as calculation of holidays, etc. 
    3. The Customer is the responsible processor of the Personal Data and the Contractor is the authorised processor of the Personal Data.
  2. Obligations and rights of the Contractor concerning processing of the Personal Data
    1. The Contractor only processes the Personal Data for providing the Service and for performing the obligations stipulated in the Agreement. Processing for the respective purposes is deemed to be the Customer’s documented instruction upon processing of the Personal Data. The Contractor may not transfer Personal Data to third countries or international organisations without the consent of the Customer.
    2. The Contractor maintains the confidentiality of the Personal Data and only discloses and forwards the Personal Data, in connection with providing the Service, to employees of the Contractor who need the Personal Data for performing their duties of employment. The Contractor applies the duty of confidentiality in respect of the aforementioned persons. The Contractor may only transfer the Personal Data to such third parties (including public authorities) to whom the transfer of the Personal Data is necessary for the provision of the Service.
    3. The Contractor takes appropriate technical and organisational measures for ensuring the confidentiality of the Personal Data in accordance with Article 32 of the General Data Protection Regulation (Regulation (EU) 2016/679, GDPR).
    4. The Contractor assists the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing of the Personal Data and the information available to the Customer;
    5. The Contractor discloses to the Customer the information necessary to prove compliance with the obligations stipulated in the Agreement and in Article 28 of the GDPR.
    6. The Contractor allows for the Customer or an auditor designated by the Customer to conduct audits and inspections in respect of processing of the Personal Data in the manner and to the extent that do not unduly burden the Contractor, do not breach the rights of other persons in respect of the protection of their personal data and do not disclose the business secrets of the Contractor.
    7. The Contractor helps the Customer ensure that the Customer’s activities are in compliance with their obligations defined in the GDPR as concern the nature of processing and available data and provided that such an obligation has been stipulated in the GDPR. 
    8. The Contractor may use subcontractors for processing of the Personal Data, following the terms and conditions stipulated in Article 28 (2) and (4) of the GDPR. The Customer grants a general authorisation for the use of subcontractors. The Contractor notifies the Customer of all planned changes concerning the addition or replacement of subcontractors used for processing of the Personal Data, thereby providing the Customer with the opportunity to object to such changes. The Customer has the right at any time to obtain from the Contractor information about the subcontractors involved in processing of the Personal Data. The Contractor is liable for the activities of the subcontractor involved by them to the same extent as for the activities of their own, and enters into a written agreement with every subcontractor who will process the Personal Data. The agreement between the Contractor and the subcontractor for processing of the Personal Data must contain at least equivalent data protection obligations as those agreed in this data processing agreement.
    9. The Contractor immediately sends the Client the request (hereinafter referred to as the Request) of each data subject concerning the Personal Data of the data subject that the Contractor processes pursuant to the Agreement. The person who responds to the request is the Customer. In accordance with the nature of processing, the Contractor helps the Customer, if possible, with the appropriate technical and organisational measures in order for the Customer to perform their obligation to respond to the Request. 
    10. The Contractor has no right to represent the Customer upon responding to inquiries made by supervisory authorities, due to which the Contractor forwards all the corresponding inquiries to the Customer for responding.
    11. The Contractor stores the Personal Data as long as storage of the Personal Data is necessary for providing the Service, performing the Agreement, filing or responding to a claim under the Agreement and performing the legal obligations. Upon expiry of the term of storage of the Personal Data the Contractor deletes or, at the Customer’s request, returns the Personal Data to the Customer.
    12. The Contractor notifies the Customer of serious breaches related to the Personal Data that are known to the Contractor without delay, forwarding the appropriate information to the Customer by no later than 24 hours after having learned of the breach.
  3. Obligations and rights of the Contractor concerning processing of the Personal Data
    1. This data processing agreement comprises an integral part of the Agreement in effect between the Parties. In the event of any discrepancies between the Agreement and the data processing agreement, the data processing agreement shall apply.
    2. The data processing agreement shall enter into force retroactively as of the moment when the Contractor started processing the Personal Data on the basis of the Agreement on behalf of the Customer. The data processing agreement shall remain in force for as long as the Contractor processes the Personal Data under the Agreement.
    3. Any issues not regulated by the data processing agreement are subject to the provisions of the Agreement.
    4. The data processing agreement is governed by the law in force in Estonia, while disputes are resolved, first of all, by way of negotiations and, upon failure to reach an agreement, in the Harju County Court.