DATA PROCESSING AGREEMENT

There is an agency agreement between the Customer and the Executor (“Agreement"), according to which the Executor provides accounting services to the Customer ("Teenus").

This data processing agreement is concluded with reference to Clause 2.1 of the Agreement, according to which the Contractor's data processing agreement is an important part of the Agreement.

  1. Personal data, Roles of the parties in the processing of personal data
    1. The Executor processes the personal data of the Customer's employees, representatives, customers, customer representatives and cooperation partners ("Personal data").
    2. The Personal Data processed by the Contractor may include, among other things, the following: personal data, contact data, payment data and financial data, data arising from employment relationships, including employment-related information about the employee's health, the employee's family members, data on the calculation of working and rest time and vacations, etc.
    3. The Subscriber is the responsible processor of Personal Data and the Executor is the authorized processor of Personal Data.
  2. Executor obligations and rights related to the processing of personal data
    1. The executor processes Personal Data only to provide the Service and to fulfill the obligations stipulated in the Agreement. Processing for the respective purposes is considered a documented instruction of the Subscriber in the processing of Personal Data. The Contractor may not transfer Personal Data to third countries or international organizations without the Customer's consent.
    2. The Executor keeps Personal Data confidential and discloses and transmits Personal Data only in connection with the provision of the Service to the Executor's employees, whose work tasks require Personal Data. Regarding the referred persons, the Executor applies the obligation of confidentiality. The Contractor may transfer Personal Data only to such third parties (including state authorities) to whom the transfer of Personal Data is necessary for the provision of the Service.
    3. The executor takes appropriate technical and organizational measures to ensure the confidentiality of personal data in accordance with the General Regulation on the Protection of Personal Data (Regulation (EU) 2016/679, "General regulation") to Article 32.
    4. The Executor helps the Customer to fulfill the obligations set forth in Articles 32 - 36 of the General Regulation, taking into account the nature of the processing of Personal Data and the information available to the Executor.
    5. The Executor shall disclose to the Customer the information necessary to prove the fulfillment of the obligations agreed in this Agreement and specified in Article 28 of the General Regulation.
    6. The Contractor allows the Customer or an auditor designated by the Customer to conduct audits and checks regarding the processing of Personal Data, in a manner and to an extent that does not unreasonably burden the Contractor, does not violate the rights of other persons regarding the protection of their personal data, and does not reveal the Contractor's business secrets.
    7. The executor helps the Customer to ensure that the Customer's activities are in accordance with its obligations defined in the General Regulation, based on the nature of the processing and the available data, and on the condition that the corresponding obligation is stipulated in the General Regulation;
    8. The executor may use subcontractors for the processing of personal data in compliance with the conditions set out in paragraphs 2 and 4 of Article 28 of the General Regulation. The customer gives a general permission for the use of subcontractors. The Executor shall inform the Subscriber of all planned changes regarding the addition or replacement of subcontractors used for the processing of Personal Data, thereby giving the Subscriber the opportunity to submit objections to such changes. The Subscriber has the right to receive information from the Contractor about the subcontractors participating in the processing of Personal Data at any time. The executor is responsible for the activities of subcontractors involved by him to the same extent as for his own activities, and signs a written contract with each subcontractor who will process Personal Data. The personal data processing agreement between the executor and the subcontractor must contain at least equivalent data protection obligations as agreed in this data processing agreement.
    9. The Executor immediately forwards each data subject's request to the Subscriber ("Application") in connection with the Personal Data of the data subject, which the Executor processes within the framework of the execution of the Agreement. The Customer responds to the request. According to the nature of the processing, the Executor will assist the Customer with appropriate technical and organizational measures to the extent possible, so that the Customer can fulfill the obligation to respond to the Request.
    10. The Executor does not have the right to represent the Customer when answering the requests of the supervisory authority, therefore the Executor directs all relevant inquiries to the Customer for answering.
    11. The executor shall retain Personal Data for as long as the retention of Personal Data is necessary for the provision of the Service, the performance of the Agreement, the submission of a claim based on the Agreement or to respond to a claim, and the fulfillment of the obligation stipulated in legislation. Upon expiry of the retention period for personal data, the Contractor shall delete the Personal Data or, upon the Customer's request, return the Personal Data to the Customer.
    12. The Executor shall inform the Subscriber of important violations related to Personal Data known to the Executor without delay, by providing relevant information to the Subscriber no later than 24 hours after becoming aware of the violation.
  3. Executor obligations and rights related to the processing of personal data
    1. This data processing agreement is an integral part of the valid Agreement between the Parties. In case of inconsistencies between the Agreement and the data processing agreement, the data processing agreement shall apply.
    2. The Data Processing Agreement shall enter into force retroactively from the moment the Contractor started processing Personal Data on the basis of the Agreement on the authority of the Subscriber. The data processing agreement is valid as long as the Contractor processes Personal Data based on the Agreement.
    3. In matters not regulated in the Data Processing Agreement, the provisions of the Agreement shall apply.
    4. The law in force in Estonia applies to the data processing agreement, disputes are settled primarily through negotiations, in the case of failure to reach an agreement in the Harju County Court.