Data Processing Agreement
Last updated September 2, 2024
1. Parties
This Data Processing Agreement (“Agreement”) is entered into between the Customer (hereinafter the “Customer”) and Taito.hr Oy (hereinafter the “Supplier”).
2. Background
2.1. The Supplier carries out HR-related services for the Customer. The services are agreed upon separately. This Agreement only covers the processing of personal data involved in such services. The services provided by the Supplier, which may include the processing of personal data, involve automatic management of employee feedback; payroll data processing; and data synchronization from, and integrations with, the Customer's systems such as the Customer's Human Resources Information System (HRIS) (together, the “Service”). This Agreement sets out the terms and conditions for the processing of personal data by the Supplier on behalf of the Customer.
3. Terms for data processing
3.1. General. In connection with the performance of the Service pursuant to the Agreement, the Supplier shall process the Customer's personal data. In this regard, the Customer acts as the controller and the Supplier is the processor who processes the personal data on behalf of and under the instructions of the Customer. The terms used in this Agreement shall have the same meaning as the corresponding terms under the General Data Protection Regulation (2016/679/EU) (“GDPR”).
3.2. Description of Processing. The Supplier shall process the personal data only for the purposes and obligations set out in this Agreement and during the term of the Agreement. The nature and purpose of personal data processing by the Supplier on behalf of the Customer are described in Section 2.1 (Background) of the Agreement. The categories of data subjects whose data is processed include the Customer's employees. The categories of personal data processed are:
- Personal Identification Information: Full name, gender.
- Contact Information: Email address.
- HR Information: Role, working location, job level, team, supervisory, salary and benefits, personal development plans, employee goals.
- Feedback Data: Feedback given by employees.
- Communication Data: Information about the employee's communication with the support team.
3.3. The Supplier's General Obligations. The Supplier shall process the personal data in accordance with data protection legislation (including but not limited to the GDPR) and this Agreement. The Supplier shall notify the Customer of any requests from data subjects and supervisory authorities regarding the processing of personal data under this Agreement. The Supplier shall not use or otherwise exploit the personal data or any other material of the Customer for any purpose other than the purposes set out in the Agreement and only to the extent necessary for such purpose. The Supplier shall, at the Customer's choice, either delete or return the personal data to the Customer upon the termination of the Agreement, unless otherwise required by the GDPR or data protection legislation.
3.4. The Supplier's Assistance Obligations. The Supplier shall assist the Customer in responding to requests from data subjects and supervisory authorities regarding the processing of personal data under this Agreement. The Supplier shall assist the Customer in complying with the requirements of the GDPR relating to security, data breaches, data protection impact assessments and prior consultations.
3.5. Security. The Supplier shall always take appropriate technical and organizational measures to protect the personal data from unauthorized access and loss or any other unlawful processing.
3.6. Personal Data Breaches. The Supplier shall notify the Customer of any personal data breaches without undue delay after becoming aware or having a reasonable suspicion of such breach. The Supplier shall cooperate with the Customer in the investigation of the breach and shall assist the Customer in preparing the notification to the supervisory authority.
3.7. Sub-processors. The Supplier is entitled to use sub-processors only with the Customer's prior consent. By agreeing to this Agreement, the Customer shall be deemed to have authorized the processing by the sub-processors specified on the list of sub-processors at taito.ai/dpa/#subprocessors. The Supplier shall ensure that the obligations set out in this Agreement are imposed on sub-processors by way of a contract. The Supplier is obliged to regularly monitor the performance of its sub-processors and remains fully liable for the work of its sub-processors. Any omission, wilful misconduct or gross negligence by a sub-processor shall be deemed an omission, wilful misconduct or gross negligence by the Supplier. The Supplier shall notify the Customer of new sub-processors on the list of sub-processors.
3.8. International transfers of personal data. The Supplier may only process or transfer personal data to a sub-processor for processing outside the European Economic Area if the Customer provides a prior written approval and the Supplier ensures that, insofar as it processes or transfers personal data outside the European Economic Area, the international transfers comply with the requirements of Chapter V of the GDPR. The Supplier describes the processing locations outside the European Economic Area on the list of sub-processors referred to under section 3.7.
3.9. Auditing. The Customer has the right to audit the Supplier's actions and data related to the processing of personal data in order to ensure that the Supplier has fulfilled its obligations under this Agreement. The Customer shall notify the Supplier of the audit 14 days in advance.
List of authorized sub-processors
Sub-processor | Purpose for processing | Location of processing | Transfer mechanism |
---|---|---|---|
Google, LLC | Hosting | Germany | Standard Contractual Clauses |
Okta, Inc. | Authentication | Europe | Standard Contractual Clauses |
Functional Software, Inc. (Also known as Sentry) | Error Monitoring | Frankfurt | Standard Contractual Clauses |
Segment.io, Inc. | Analytics | United States | Standard Contractual Clauses |
OpenAI, LLC | AI Services | USA & Europe | Standard Contractual Clauses |
Cloudflare, Inc. | Cloud Services | Global based on end user location | Standard Contractual Clauses |
Twilio, Inc. (Also known as Sendgrid) | Email Delivery | Europe | Standard Contractual Clauses |
Slack Technologies, Inc. | Slack bot integration | United States | Standard Contractual Clauses |
Amazon Web Services, Inc. | Offsite backups | Ireland | Standard Contractual Clauses |
Merge API, Inc | Integrations with external services such as HRIS tools, project management tools etc. | Germany | Standard Contractual Clauses |
Stripe, Inc. | Payment processing | United States | Standard Contractual Clauses |
PostHog, Inc. | Product & Web Analytics | Europe | Standard Contractual Clauses |