This Data Processing Agreement (“DPA”) is supplementary to the PromoRepublic Master Platform Subscription Agreement between PROMOREPUBLIC OY, Business ID 2703642-5, a Finnish company (“PromoRepublic”) and the entity or person(s) identified as Customer in the Order Form referencing this DPA (“Customer”).
PromoRepublic and Customer have agreed to enter into this DPA for the purposes of ensuring compliance with Data Protection Legislation.
This DPA applies to the processing of personal data in the context of the Platform Subscription Agreement, where and to the extent that PromoRepublic is acting as a Processor (Service Provider).
PromoRepublic and Customer are collectively referred to as the “Parties” and individually referred to as a “Party”.
SECTION I
1. Definitions
(a) “Platform Subscription Agreement” means the contract governing Customer’s acquisition and use of PromoRepublic’s services.
(b) “Platform” means a social media marketing collaboration platform currently located at https://promorepublic.com/ and https://app.promorepublic.com/.
(c) “Platform Services” means some or all of the Platform functionality described in the Order Form.
(d) “User” means an individual who is authorized by Customer to use the Platform Services on behalf of Customer.
(e) “Data Protection Legislation” means:
(1) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the “GDPR”);
(2) EU Directive 2002/58/EC on Privacy and Electronic Communications;
(3) the Data Protection Act 2018 and the GDPR as saved into United Kingdom law by virtue of Section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”);
(4) the Swiss Federal Act on Data Protection of 19 June 1992 and its corresponding ordinances (the “Swiss DPA”);
(5) the California Consumer Privacy Act of 2018 and its regulations (the “CCPA”);
(6) the Australian Privacy Act 1988;
(7) the New Zealand Privacy Act 2020;
(8) any applicable national law made under or pursuant to items (1) – (7); in each case as amended, superseded or replaced from time to time.
(f) “International Transfer” means:
(1) where the GDPR applies, a transfer of personal data from the European Economic Area (“EEA”) to a country outside the EEA which is not subject to an adequacy decision by the European Commission;
(2) where the UK GDPR applies, a transfer of personal data from the UK to any other country which is not based on adequacy regulations pursuant to Section 17A of the UK GDPR;
(3) where the Swiss DPA applies, a transfer of personal data to a country outside of Switzerland which is not included on the list of adequate jurisdictions published by the Swiss Federal Data Protection and Information Commissioner.
(g) “Personal Data” means any information relating to an identified or identifiable individual.
(h) “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
(i) “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(j) “Standard Contractual Clauses” (“SCCs”) mean standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
(k) “UK Addendum” means the International Data Transfer Addendum (version B1.0) issued by the Information Commissioner’s Office under s.119(A) of the UK GDPR.
(l) Any capitalised terms used but not defined in this DPA shall have the meanings given to them in the Data Protection Legislation, namely the GDPR, and the terms “Business” and “Service Provider” have the meanings given to them in the CCPA.
2. Relationship of the Parties
Where the Data Protection Legislation provides for the roles of “controller,” “processor,” “joint controller,” and “sub-processor”:
(a) Where Customer is a Controller (Business) of the personal data covered by this DPA, PromoRepublic shall be a Processor (Service Provider) processing personal data on behalf of the Customer, and this DPA shall apply accordingly.
(b) Where Customer is a Processor (Service Provider) of the personal data covered by this DPA, PromoRepublic shall be a Sub-processor of the personal data, and this DPA shall apply accordingly.
(c) Where Customer and PromoRepublic are the Joint Controllers of the personal data, Joint Controllership Agreement shall apply accordingly instead of this DPA.
3. Interpretation
This DPA shall not be interpreted in a way that runs counter to the rights and obligations provided for in the Data Protection Legislation or in a way that prejudices the fundamental rights or freedoms of the data subjects.
4. Hierarchy
(a) In the event of a contradiction between this DPA and the provisions of related agreements between the Parties existing at the time when this DPA is agreed or entered into thereafter, this DPA shall prevail.
(b) In the event of a contradiction between this DPA and the standard contractual clauses, the standard contractual clauses shall prevail.
SECTION II
OBLIGATIONS OF THE PARTIES
5. Description of processing(s)
The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the Customer, are specified in Annex I.
6. Obligations of the Parties
6.1. Instructions
(a) PromoRepublic shall process personal data only on documented instructions from the Customer to perform its obligations under the Platform Subscription Agreement, unless required to do so by the Data Protection Legislation to which PromoRepublic is subject. In this case, PromoRepublic shall inform the Customer of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the Customer throughout the duration of the processing of personal data. These instructions shall always be documented.
(b) PromoRepublic shall immediately inform the Customer if, in PromoRepublic’s opinion, instructions given by the Customer infringe applicable Data Protection Legislation.
6.2. Purpose limitation
PromoRepublic shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex I, unless it receives further instructions from the Customer.
6.3. Duration of the processing of personal data
Processing by PromoRepublic shall only take place for the duration specified in Annex I.
6.4. Security of processing
(a) PromoRepublic shall at least implement the technical and organisational measures specified in Annex II to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.
(b) PromoRepublic shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. PromoRepublic shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
6.5. Sensitive data
If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), PromoRepublic shall apply specific restrictions and/or additional safeguards.
6.6. Documentation and compliance
(a) The Parties shall be able to demonstrate compliance with this DPA.
(b) PromoRepublic shall deal promptly and adequately with inquiries from the Customer about the processing of data in accordance with this DPA.
(c) PromoRepublic shall make available to the Customer all information necessary to demonstrate compliance with the obligations that are set out in this DPA and stem directly from the Data Protection Legislation. At the Customer’s request, PromoRepublic shall also permit and contribute to audits of the processing activities covered by this DPA, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Customer may take into account relevant certifications held by PromoRepublic.
(d) The Customer may choose to conduct the audit by itself or mandate an independent auditor. Audits shall, where appropriate, be carried out with reasonable notice at least forty-five (45) days in advance and be subject to reasonable confidentiality procedures.
(e) The audit rights set out in Clause 6.6. are subject to the following conditions:
(1) the audits may only occur once per calendar year and during normal business hours;
(2) before the commencement of any audit, the Customer and PromoRepublic shall mutually agree upon the scope, timing, duration and terms of the audit;
(3) the audit reports and any records, data, or information accessed by the Customer and/or the mandated auditor in the performance of any audit will be deemed to be the confidential information of PromoRepublic, and may be used for no other reason than to assess PromoRepublic compliance with the terms of this DPA.
6.7. Use of sub-processors
(a) PromoRepublic has the Customer’s general written authorisation for the engagement of sub-processors from an agreed list. PromoRepublic shall specifically inform in writing the Customer of any intended changes of that list through the addition or replacement of sub-processors at least fourteen (14) days in advance, thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). PromoRepublic shall provide the Customer with the information necessary to enable the Customer to exercise the right to object.
(b) Where PromoRepublic engages a sub-processor for carrying out specific processing activities (on behalf of the Customer), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on PromoRepublic in accordance with this DPA. PromoRepublic shall ensure that the sub-processor complies with the obligations to which PromoRepublic is subject pursuant to this DPA and to the Data Protection Legislation.
(c) At the Customer’s request, PromoRepublic shall provide a copy of such a sub-processor agreement and any subsequent amendments to the Customer. To the extent necessary to protect business secrets or other confidential information, including personal data, PromoRepublic may redact the text of the agreement prior to sharing the copy.
(d) PromoRepublic shall remain fully responsible to the Customer for the performance of the sub-processor’s obligations in accordance with its contract with PromoRepublic. PromoRepublic shall notify the Customer of any failure by the sub-processor to fulfil its contractual obligations.
(e) PromoRepublic shall agree a third party beneficiary clause with the sub-processor whereby – in the event PromoRepublic has factually disappeared, ceased to exist in law or has become insolvent – the Customer shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.
(f) The Customer agrees where PromoRepublic engages a sub-processor in accordance with Clause 6.7. for carrying out specific processing activities (on behalf of the Customer) and those processing activities involve a transfer of personal data, PromoRepublic and the sub-processor can ensure compliance with data protection obligations by using SCCs, provided the conditions for the use of those standard contractual clauses are met.
7. International transfers
Any transfer of data to a third country or an international organisation by PromoRepublic shall be done only on the basis of documented instructions from the Customer or in order to fulfil a specific requirement under the Data Protection Legislation to which PromoRepublic is subject and shall take place in compliance with the Data Protection Legislation.
7.1. Transfers from the European Economic Area to a third country
Where the processing involves data transfers from PromoRepublic subject to Customer established in a third country, the SCCs shall be incorporated by reference and form an integral part of this DPA with PromoRepublic as “data exporter” and Customer as “data importer”.
(a) In relation to transfers of personal data protected by the GDPR and processed in accordance with Section 2 (a) of this DPA, the SCCs shall apply, completed as follows:
(1) the Module Four (Processor to Controller) provisions shall apply and the Module One, Two and Three provisions shall be deleted in their entirety;
(2) Clause 7 shall be omitted;
(3) in Clause 11 right to lodge a complaint with an independent dispute resolution body shall not be included;
(4) for the purpose of Clause 13 the data exporter is established in an EU Member State;
(5) in Clause 17, Option 1 shall apply and the SCCs shall be governed by the law of Finland;
(6) in Clause 18 (b), disputes shall be resolved before the courts of Finland;
(7) the Annexes of the SCCs shall be populated with the information set out in the Annexes to this DPA;
(8) In the event of a contradiction between the SCCs and the provisions of related agreements between the Parties, existing at the time these SCCs are agreed or entered into thereafter, these SCCs shall prevail.
(b) In relation to transfers of personal data protected by the GDPR and processed in accordance with Section 2 (b) of this DPA, the SCCs shall apply, completed as follows:
(1) the Module Three (Processor to Processor) provisions shall apply and the Module One, Two and Four provisions shall be deleted in their entirety;
(2) Clause 7 shall be omitted;
(3) in Clause 11 right to lodge a complaint with an independent dispute resolution body shall not be included;
(4) for the purpose of Clause 13 the data exporter is established in an EU Member State;
(5) in Clause 17, Option 1 shall apply and the SCCs shall be governed by the law of Finland;
(6) in Clause 18 (b), disputes shall be resolved before the courts of Finland;
(7) the Annexes of the SCCs shall be populated with the information set out in the Annexes to this DPA;
(8) In the event of a contradiction between the SCCs and the provisions of related agreements between the Parties, existing at the time these SCCs are agreed or entered into thereafter, these SCCs shall prevail.
7.2. Transfers from the UK to a third country
(a) In relation to transfers of personal data protected by the UK GDPR, the SCCs as incorporated under Section 7.1. shall apply with the following modifications:
(1) the SCCs shall be amended as specified by the UK Addendum, which shall be incorporated by reference;
(2) Tables 1 to 3 of Part 1 of the UK Addendum shall be deemed completed using the information contained in the Annexes of this Addendum;
(3) Table 4 of Part 1 of the UK Addendum shall be deemed completed by selecting “importer”; and
(4) any conflict between the SCCs and the UK Addendum shall be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
7.3. Transfers from Switzerland to a third country
(a) In relation to transfer of personal data protected by the Swiss DPA, the SCCs as incorporated under Section 7.1. shall apply with the following modifications:
(1) references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss DPA;
(2) references to “EU,” “Union,” and “Member State” shall be replaced with “Switzerland”;
(3) references to the “competent supervisory authority” and “competent courts” shall be interpreted as references to the “Swiss Federal Data Protection and Information Commissioner” and the “competent Swiss courts”;
(4) the SCCs shall be governed by the laws of Switzerland and disputes shall be resolved before the competent Swiss courts.
8. Assistance to the Customer
(a) PromoRepublic shall promptly notify the Customer of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the Customer.
(b) PromoRepublic shall assist the Customer in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), PromoRepublic shall comply with the Customer’s instructions.
(c) In addition to PromoRepublic’s obligation to assist the Customer pursuant to Clause 8(b), PromoRepublic shall furthermore assist the Customer in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to PromoRepublic:
(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
(2) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Customer to mitigate the risk;
(3) the obligation to ensure that personal data is accurate and up to date, by informing the Customer without delay if PromoRepublic becomes aware that the personal data it is processing is inaccurate or has become outdated;
(4) the obligations specified in Article 32 of the GDPR.
(d) The Parties shall set out the appropriate technical and organisational measures by which PromoRepublic is required to assist the Customer in the application of this Clause as well as the scope and the extent of the assistance required.
9. Notification of personal data breach
In the event of a personal data breach, PromoRepublic shall cooperate with and assist the Customer for the Customer to comply with its obligations, where applicable, taking into account the nature of processing and the information available to PromoRepublic.
9.1. Data breach concerning data processed by the Customer
In the event of a personal data breach concerning data processed by the Customer, PromoRepublic shall assist the Customer:
(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the Customer has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) in obtaining the following information which shall be stated in the Customer’s notification, and must at least include:
(1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
(2) the likely consequences of the personal data breach;
(3) the measures taken or proposed to be taken by the Customer to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
(c) in complying with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2. Data breach concerning data processed by PromoRepublic
In the event of a personal data breach concerning data processed by PromoRepublic, PromoRepublic shall notify the Customer without undue delay after having become aware of the breach. Such notification shall contain, at least:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
(b) the details of a contact point where more information concerning the personal data breach can be obtained;
(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
SECTION III
FINAL PROVISIONS
10. Non-compliance with the DPA and termination
(a) Without prejudice to any provisions of the Data Protection Legislation, in the event that PromoRepublic is in breach of its obligations under this DPA, the Customer may instruct PromoRepublic to suspend the processing of personal data until the latter complies with this DPA or the contract is terminated. PromoRepublic shall promptly inform the Customer in case it is unable to comply with this DPA, for whatever reason.
(b) The Customer shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with this DPA if:
(1) the processing of personal data by PromoRepublic has been suspended by the Customer pursuant to point (a) and if compliance with this DPA is not restored within a reasonable time and in any event within one month following suspension;
(2) PromoRepublic is in substantial or persistent breach of this DPA or its obligations under the Data Protection Legislation;
(3) PromoRepublic fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to this DPA or to the Data Protection Legislation.
(c) PromoRepublic shall be entitled to terminate the contract insofar as it concerns processing of personal data under this DPA where, after having informed the Customer that its instructions infringe applicable legal requirements in accordance with Clause 6.1 (b), the Customer insists on compliance with the instructions.
(d) Following termination of the contract, PromoRepublic shall, at the choice of the Customer, delete all personal data processed on behalf of the Customer and certify to the Customer that it has done so, or, return all the personal data to the Customer and delete existing copies unless applicable law requires storage of the personal data. Until the data is deleted or returned, PromoRepublic shall continue to ensure compliance with this DPA.
ANNEX I
A. LIST OF PARTIES
PROMOREPUBLIC | CUSTOMER |
Name: PromoRepublic Oy | Name: entity/ies identified as Customer in the Order Form |
Company number: 2703642-5 | Company number: the Customer’s company number |
Address: Tammasaarenkatu 1, 00180 Helsinki, Finland | Address: the Customer’s address |
Contact person’s name, position and contact details: the Primary Contact name, position, email specified in the Order Form by PromoRepublic | Contact person’s name, position and contact details: the Primary Contact name, position, email specified in the Order Form by the Customer |
Activities relevant to the data processed under these Clauses: PromoRepublic has developed and operates a marketing collaboration platform through which it provides Platform Services. | Activities relevant to the data processed under these Clauses: Customer orders Platform Services for Users. |
Role: Processor | Role: Controller/Processor |
B. DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is processed: Users of the Platform
Categories of personal data transferred: Contact information (first name, last name, email address, telephone number, role, country), Account information, User Content, Technical information and any other personal data that Users provide on the Platform or through the Platform.
The frequency of the transfer: on a continuous basis.
Nature of the processing: any or all of the following processing operations: collection, recording, organisation, structuring, storage, adaptation/alteration, retrieval, consultation, use, alignment / combination, restriction, erasure / destruction.
Purpose(s) of the data transfer and further processing: provision of the Platform Services.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period: The personal data shall be retained for no longer than necessary for the purpose(s) of the Platform Subscription Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
(a) With respect to the processing of personal data to which the GDPR applies, the competent supervisory authority must be the supervisory authority applicable to the data exporter in its EEA country of establishment:
Office of the Data Protection Ombudsman
P.O. Box 800
FI-00531 Helsinki
Tel. +358 29 56 66700
Fax +358 29 56 66735
Email: tietosuoja@om.fi
Website: http://www.tietosuoja.fi/en/
(b) With respect to the processing of personal data to which the UK GDPR applies, the competent supervisory authority is the Information Commissioner’s Office.
(c) With respect to the processing of personal data to which the Swiss DPA applies, the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II
TECHNICAL AND ORGANISATIONAL MEASURES
Description of the technical and organisational measures implemented by the data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.
ANNEX III
LIST OF PROMOREPUBLIC PROCESSORS/SUB-PROCESSORS
The Customer has authorised PromoRepublic to use the processors/sub-processors set out on this list.