Zenny – AI-Powered CFO for Shopify Merchants


Data Processing Agreement

Zenny by Vatzy Oy

On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) took effect. It is one of the most important international legislative changes in data protection in decades. The purpose of the regulation is to increase the individual’s rights to manage and process their personal data and to harmonize legislation within the European Union. 

Vatzy Oy (business ID 3309464-8, hereinafter “Vatzy”) provides a cloud-based Client Data Platform solution, “Zenny”, designed for the B2B sector (hereinafter “Service”). 

Vatzy is firmly committed to the Data Protection Regulation. In addition to complying with the regulation ourselves, it is important for us to help our clients with their compliance efforts. This goal will be achieved through training, instruction, and technical development of our software. 

By using Vatzy’s Service, you agree to comply with this data protection agreement.


Definitions 

The capitalized terms used herein shall have the meaning ascribed to them below or in the text of this DPA. 

“Client” shall mean any legal entity which is using Vatzy’s Service. 

“Agreement” shall mean the agreement on the use of the Service between Vatzy and the Client. 

“Affiliate” shall mean any legal entity which is directly or indirectly owned or controlled by a Party or directly or indirectly owning or controlling a Party or under the same direct or indirect ownership or control as a Party for so long as such ownership or control lasts. 

“Data Protection Laws” shall mean EU Data Protection Regulation (2016/679) and the data protection laws under the governing law of the Service Agreement applicable to the Processing hereunder from time to time. The Parties acknowledge and agree that in the time period prior to the EU Data Protection Regulation (2016/679) becoming applicable (expected on 25 May 2018), interpretation of this DPA shall be based on applicable data protection laws under the governing law of the Service Agreement. 

“Personal Data” shall mean any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed hereunder. 

“Processing” shall mean any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, of Personal Data. 

“Sub-Processor” shall mean a processor contracted by Vatzy to perform Processing hereunder, in part or in whole, on Vatzy’s behalf.


General 

This DPA forms an integral part of the Agreement and shall apply to all processing of personal data under the Agreement. Where applicable and when this DPA does not explicitly state otherwise, the terms of the Agreement, such as governing law and dispute resolution, shall be applied to this DPA. If the Agreement or any other document regulating the relationship between Vatzy and the Client as set out in the Agreement contains provisions that are in conflict with this DPA, this DPA shall have precedence. 

If and to the extent that the Client submits data to the Service and such data constitutes or contains personal data, the Client shall be considered the controller under the EU regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and Vatzy processes, by providing the Service to the Client, such personal data on behalf of Client as a processor for the purposes of the Agreement during the term thereof. If and to the extent that the Client acts as a processor in relation to other controllers, Vatzy shall act as a subprocessor under this DPA. As used herein, personal data means such personal data that Vatzy processes on behalf of the Client as the Client’s processor or subprocessor. 

The Client is responsible for the lawful processing and collection of personal data in compliance with the GDPR and other laws, regulations and directives pertaining to the processing or collection of personal data. Vatzy will not monitor the Client’s processing or collection of personal data in the Service. The Client shall be responsible for having the required rights and necessary permissions from third parties to use and disclose personal data for the purposes set out in the Agreement. The Client shall ensure that the Client is entitled to transfer the relevant personal data to Vatzy so that Vatzy may lawfully process, use and transfer the personal data in accordance with the Agreement and this DPA.

Each Party shall be responsible for the information security of the Party’s own communications networks. Neither Party shall be responsible or liable for the information security of general communications networks, or for interferences or other disruptions outside of the Parties’ influence that may occur in general communications networks. 

The subject matter, categories and types of data as well as other details of the processing are specified in Schedule 1 of this DPA (Description of the Processing Operations).


Processing of personal data 

Vatzy shall only process personal data in accordance with this DPA and documented instructions from Client, unless required to do otherwise under European Union or Member State law to which Vatzy is subject. In such a case Vatzy shall inform the Client of that legal requirement before processing unless that law prohibits such information on important grounds of public interest. 

Vatzy may not use the Client’s personal data for any purpose other than the provision of the Services and as otherwise instructed by the Client. Vatzy shall process information disclosed to it by the Client in accordance with this Agreement and according to written instructions or guidelines given to it by the Client. The Client’s instructions must be commercially reasonable, compliant with applicable data protection legislation and regulations and consistent with this Agreement. In case Vatzy detects that any instruction given by the Client is non-compliant with European Union or member state law to which Vatzy is subject, Vatzy shall not be obliged to comply with such instruction and shall inform the Client of that legal requirement. 

In case the Client’s instructions require additional measures or work to be performed by Vatzy, Vatzy has the right to charge an hourly consulting fee from the Client for complying with such Client’s instructions in accordance with Vatzy’s then current price for consulting services, subject to the Client’s prior approval of such additional costs.


Duration of the processing 

Personal Data will be processed by Vatzy for the duration of the Service Agreement unless a longer or shorter period is agreed between the Parties in the Service Agreement or elsewhere in writing. 

Following expiration of the Agreement, Vatzy will delete the personal data within a reasonable time after the end of the Client relationship.


Types of personal data processed 

During the course of providing the Client with the Service, Vatzy may process certain personal data on behalf of the Client. The individuals whom the personal data concerns are Client’s customers and/or vendors. 

The particular types of personal data may vary on a case-by-case basis depending on what personal data the Client and its users decide to process as part of their use of the Service. Such personal data may, for example, include the following information: 

  • First and last name 
  • Email address 
  • Phone number 
  • Postal address, postal code, country 
  • Language 
  • Gender 
  • Name of the company the data subject represents 
  • Other Personal data the Client chooses to transfer to Vatzy Oy to be processed in connection with the provision of the Service 
  • Commencement date of the customer relationship 
  • Purchase history 
  • Delivery history 
  • Accounting information 
  • Bank account information 


Security processing 

Vatzy ensures that it shall implement and maintain appropriate technical and organizational security measures to protect the personal data within its area of responsibility, in order to safeguard the personal data against unauthorized or unlawful processing or access and against accidental loss, destruction or damage, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing carried out by Vatzy hereunder as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 

Such measures shall take into account, where appropriate and relevant for each processing action: 

  1. the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and 
  2. the risks that are presented by the Processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to the Personal Data transmitted, stored or otherwise processed.

Such measures include, as appropriate: 

  1. the pseudonymisation and encryption of the Personal Data; 
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; 
  3. the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and 
  4. a process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing; 
  5. the ongoing confidentiality, integrity, availability, resilience and restoration of all processing systems and services in which personal data is stored or processed; and 
  6. the pseudonymisation and encryption of personal data and communications containing personal data when it is appropriate and necessary to maintain the integrity and confidentiality of personal data. 

The Client shall inform Vatzy of all issues (including but not limited to risk assessment and the inclusion of special categories of Personal Data) related to the Personal Data provided by the Client which affect the technical and organizational measures that should be employed under this DPA.


Audits 

The Client or an auditor appointed by the Client shall with the assistance of Vatzy have the right to audit the processing activities of Vatzy under this DPA to assess the compliance of Vatzy with its contractual obligations under this DPA and applicable data protection legislation during ordinary business hours of Vatzy and with 30 days’ prior written notice. If Vatzy’s employees or other representatives participate in such audits at the request of the Client, the Client shall compensate Vatzy for the expenses caused by such participation. Otherwise, each Party shall bear its own costs for any such audit. Where an audit may lead to the disclosure of business or trade secrets of Vatzy or threaten intellectual property rights of Vatzy, the Client shall employ an independent expert to carry out the audit, and the expert shall agree to be bound by confidentiality to Vatzy’s benefit. 

Where an audit may, in Vatzy’s sole opinion, lead to the disclosure of business or trade secrets of Vatzy or threaten the intellectual property rights of Vatzy, the Client shall employ an independent auditor, that is not a competitor of Vatzy, to carry out the audit, and the auditor shall agree to be bound to confidentiality to Vatzy’s benefit. 

Vatzy makes available to the Client, at the Client’s request, information necessary to demonstrate compliance with the GDPR. In case the Client’s request requires measures or work to be performed by Vatzy, Vatzy has the right to charge an hourly consulting fee in accordance with its then current price for consulting services for handling such requests, subject to the Client’s prior approval of such additional costs.


Sub-processors 

The Client gives its general authorization to allow Vatzy to engage subcontractors as sub-processors to process personal data in connection with the provision of the Service. 

Vatzy is free to choose and change its sub-processors. Upon request, Vatzy shall inform the Client of the sub-processors currently involved. In case there is a later change of a sub-processor (addition or replacement), Vatzy shall notify the Client of such change, thereby giving the Client the opportunity to object to such change. If Vatzy is not willing to change the sub-processor the Client has objected to, both Parties shall have the right to terminate the Agreement and this DPA. 

Where Vatzy engages a subprocessor for carrying out specific processing activities on behalf of the Client, the same data protection obligations as set out in this DPA shall be included in the DPA between Vatzy and that subprocessor. Where a subprocessor fails to fulfil its data protection obligations, Vatzy shall remain liable to the Client for the performance of the subprocessor’s obligations as further stipulated in the Agreement. 

Sub-Processors are listed in Annex A.


Transfer of personal data 

The Client accepts that Vatzy may have personal data processed and accessible by Vatzy or its subprocessors outside the European Economic Area (“EEA”) to provide the Service. If personal data is transferred from the EEA for processing in any country outside the EEA that is not recognized by the European Commission as providing an adequate level of protection for personal data, then Vatzy shall comply with Chapter V of the GDPR and use transfer tools which ensure appropriate safeguards for protection of the personal data, including (but not necessarily limited to) entering into the standard contractual clauses adopted by the European Commission (by the implementing decision (EU) 2021/914 and as amended) and carrying out a transfer impact assessment. The Client authorizes Vatzy to enter, on behalf of the Client, into the standard contractual clauses adopted or approved by the European Commission applicable to processing outside the EEA, or Vatzy shall provide for other appropriate safeguards for the protection of the personal data transferred outside the EEA as set out in the GDPR. 

Data originating from outside of the EU may be transferred to the EU, processed there, and transferred back to any country or area. 

If required by applicable legislation, Vatzy shall enter into relevant contractual arrangements with required parties (including with the Client itself or any of the Client’s Affiliates) for the lawful transfer of Personal Data from the Approved Jurisdiction to third countries.

Such contractual arrangements shall be carried out in accordance with the standard data protection clauses adopted or approved by the European Commission (“Standard Contractual Clauses”). As an alternative to entering into the Standard Contractual Clauses, Vatzy may rely upon an alternative transfer safeguard permitting and providing for the lawful transfer of Personal Data outside of the Approved Jurisdictions, provided that such safeguard is in compliance with applicable legislation. 

The Parties acknowledge that the European Commission intends to publish a set of new Standard Contractual Clauses (“New SCCs”). The Parties acknowledge and agree that once the New SCCs have been adopted, Vatzy shall sign them with any other third-party companies who are involved in transferring personal data outside of the EEA, and the New SCCs will supersede any prior agreements between the Client, Vatzy, and said sub-processor that conflict with the New SCCs. The Parties also acknowledge and agree that this section shall be amended accordingly after the New SCCs have been adopted. 

In case of conflict between the Standard Contractual Clauses or any other alternative transfer safeguard permitting the lawful transfer of Personal Data outside the Approved Jurisdictions and the DPA, the Standard Contractual Clauses or such alternative framework shall always take precedence over the Service Agreement and this DPA.


Assistance Obligations 

Taking into account the nature of the processing, Vatzy shall assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Client’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR. 

Taking into account the nature of the processing and the information available to Vatzy, Vatzy shall further provide the Client with assistance in ensuring compliance with the Client’s obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority). 

In case such assistance requires measures from Vatzy, Vatzy has the right to charge an hourly consulting fee from the Client for handling such assistance requests in accordance with Vatzy’s then current price for consulting services, subject to the Client’s prior approval of such additional costs.


Notification of personal data breach 

Vatzy shall without undue delay (24h) notify the Client if it, or one of its Sub-Processors, becomes aware of a Personal Data Breach. Information shall be provided to the contact person named by the Client, if not otherwise agreed between the Parties. 

Vatzy shall without undue delay inform the Client of the circumstances giving rise to the Personal Data Breach, and any other related information reasonably requested by the Client and available to Vatzy. 

Additionally, to the extent it is available, Vatzy shall provide to the Client the following information: 

  1. a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of Personal Data records concerned; 
  2. a description of the likely consequences of the Personal Data Breach; and 
  3. a description of the measures taken or proposed to be taken by Vatzy to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.


Confidentiality 

Vatzy shall: 

  1. keep any Personal Data received from the Client confidential; 
  2. ensure that persons authorized to process the Personal Data have committed themselves to confidentiality; and 
  3. ensure that Personal Data is not disclosed to third parties without the Client’s prior written consent, unless Vatzy is obliged by mandatory law or decree to disclose such information. 

In case data subjects or governmental authorities make a request concerning Personal Data, Vatzy shall, as soon as reasonably possible, inform the Client about such requests before providing any response or taking other action concerning the Personal Data. 

In case any applicable authority prescribes an immediate response to a disclosure request, Vatzy shall inform the Client as soon as reasonably possible, unless the Supplier is prohibited by mandatory law or authority order to disclose such information. 


Limitation of liability 

The limitations of liability set out under the Service Agreement shall apply also to this DPA.

The Parties agree that the general principle of division of responsibilities between the Parties relating to administrative fines imposed by any relevant supervisory authority or claims by data subjects under this DPA is based on the principle that each Party needs to fulfill its own obligations under the Data Protection Laws. Hence, any administrative fines imposed or damages ordered should be paid by the Party that has failed in its performance of its legal obligations under the Data Protection Laws, as decided by the relevant supervisory authority or competent court authorized to impose such fines or damages. Therefore, the limitations of liability set out under the Service Agreement shall not, however, apply to such fines. 


Term and Termination 

This DPA shall be in effect as long as the Parties have Service Agreements between them in force. 

All provisions which by nature are intended to survive the termination of this DPA shall remain in full force and effect regardless of the termination of this DPA.


ANNEX A – List of Sub-Processors 

Digital Ocean 

  • Purpose of Processing: Hosting Services 
  • Country of Processing: Germany / EU 

Stripe 

  • Purpose of Processing: Subscription Management & Billing
  • Country of Processing: EU/EEA Area


ANNEX B – Transfers outside of the EU or the EEA area 

As of June 2023, Vatzy is not transferring any data outside the EU / EEA area.