Privacy Policy
Data Protection Annex
1. Subject and Scope of Application
These instructions concerning the processing of Personal Data (hereinafter also referred to as the “Data Protection Annex”) form an integral part of the valid service agreement, other agreement, or order (the “Main Agreement”) concluded between the Customer, or a company belonging to the same group as the Customer (the “Customer”), and the Supplier.
The Customer and the Supplier have agreed in this Data Protection Annex that the Customer, as the Controller, determines the purposes and means of processing Personal Data, and the Supplier, as the Processor, processes Personal Data in accordance with the instructions provided by the Customer. This Data Protection Annex constitutes a written agreement between the Parties regarding the processing of Personal Data in accordance with the EU General Data Protection Regulation.
The provisions and instructions of this Data Protection Annex shall apply whenever the Supplier processes Personal Data of the Customer. In the event of any conflict between the terms of this Data Protection Annex and the Main Agreement, the provisions of this Data Protection Annex shall prevail.
2. Definitions
Personal Data means any information relating to an identified or identifiable natural person, or other personal data as defined in applicable data protection legislation.
Processor (hereinafter also referred to as the “Processor”) means the Supplier that processes Personal Data on behalf of and according to the instructions of the Controller.
Processing means any operation or set of operations performed by the Supplier on behalf of the Customer under the agreement between the Parties and applied to Personal Data or sets of Personal Data, whether by automated means or manually, or other processing of Personal Data as defined in data protection legislation.
Controller means the Customer who alone or jointly with others determines the purposes and means of processing Personal Data.
3. Nature and Purpose of Processing
Within the framework of this agreement, the Personal Data processed consist of Personal Data stored in the Customer’s personal data registers and disclosed by the Customer to the Supplier for purposes including, but not limited to:
- matters related to trips and other services organized by the Customer
- matters related to participants in trips organized by the Customer
The subject, nature, and purpose of processing are defined in more detail in the Main Agreement.
4. Types of Personal Data
The Personal Data processed by the Supplier may include:
- Personal Data of registered individuals stored in the Customer’s registers such as: name, date of birth, address, telephone number, email address and other necessary contact details, as well as the registered person's job duties, profession, position and role within organizations.
- Content produced by the registered person, as well as additional information provided by them, such as travel or service-related preferences, satisfaction data, interests and other similar information.
5. General Obligations
5.1 Obligations of the Customer
The Customer is responsible for ensuring that it has the necessary legal basis and consents for the processing of Personal Data in accordance with the Main Agreement and that sufficient information regarding the processing of Personal Data has been provided to the data subjects.
The Customer is responsible for determining the purposes and means of the processing of Personal Data. The Customer shall provide the Supplier with sufficiently comprehensive, written, and lawful instructions for the processing of Personal Data for the performance of the services under the Main Agreement.
5.2 Obligations of the Supplier
The Supplier shall immediately notify the Customer if it considers that the Customer’s instructions violate data protection legislation. In such cases, the Supplier shall request clarified instructions.
The Supplier shall maintain a record of processing activities required by the EU General Data Protection Regulation.
The Supplier shall process Personal Data in accordance with the Customer’s instructions. Work related to following these instructions is included in the services under the Main Agreement.
6. Data Security
The Supplier shall implement appropriate technical and organizational measures to protect the Customer’s Personal Data, taking into account the risks involved in the processing, in particular the risks of accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
The Customer may provide more detailed instructions regarding information security in the processing of Personal Data. When transferring data between the Customer and the Supplier, the data transfer methods defined by the Customer shall be followed.
7. Notification of Personal Data Breaches
The Supplier shall notify the Customer immediately (within a maximum of 36 hours) in writing of all personal data breaches and other incidents that may have compromised the security of Personal Data processed on behalf of the Customer.
Upon the Customer’s request, the Supplier shall provide all relevant information related to the personal data breach without undue delay. To the extent such information is available to the Supplier, the notification shall at least include:
a) a description of the personal data breach
b) where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned
c) a description of the likely consequences of the personal data breach
d) a description of the corrective measures taken or proposed to be taken by the Supplier to address the breach and to prevent future breaches, including measures to mitigate possible adverse effects.
The Supplier shall document and report the results of the investigation and the measures taken to the Customer. The Customer is responsible for any necessary notifications to data protection authorities and data subjects.
8. Assistance and Obligation to Provide Information
The Supplier shall immediately notify the Customer of all requests and inquiries from data subjects, the data protection authority, or other authorities.
Upon request, the Supplier shall assist the Customer in matters related to data security, breach notifications, and responding to requests concerning the exercise of data subjects’ rights.
9. Processing Period and Deletion of Personal Data
The Supplier shall destroy and/or return all data and materials received from the Customer under the Main Agreement, as well as any Personal Data and data repositories created under the Main Agreement, no later than three (3) months after all agreed or necessary measures related to the service have been completed.
The deletion and/or return obligation also applies to subcontractors and all backup copies.
10. Transfer and Processing of Personal Data Outside the EU/EEA
The Supplier and its subcontractors may process Personal Data outside the EU/EEA without the Customer’s written consent.
In such cases, each Party shall ensure compliance with the requirements and restrictions of applicable data protection legislation regarding the processing of Personal Data.
11. Confidentiality
The Parties undertake to keep confidential all materials and information received from the other Party that are marked as confidential or that should reasonably be understood to be confidential and shall not use them for purposes other than those specified in the agreement.
The confidentiality obligation does not apply to material or information:
a) that is publicly available or otherwise public
b) received from a third party without confidentiality obligations
c) already in the possession of the receiving Party without confidentiality obligations before receipt
d) independently developed by the receiving Party without using the other Party’s material or information
e) required to be disclosed by law or by order of an authority.
Upon termination of the Main Agreement, or when the Supplier no longer needs the confidential material for the purposes of the Main Agreement, the Supplier shall immediately cease using such material and, upon request, return or destroy it together with all copies. However, either Party may retain material as required by law or by authority.
The Parties shall ensure that their employees, group companies, and subcontractors comply with the confidentiality provisions of this Data Protection Annex.
12. Other Terms
- The Supplier shall inform the Customer in writing of any changes that may affect its ability to comply with this Data Protection Annex and the written instructions provided by the Customer.
- Confidentiality obligations and other obligations which by their nature are intended to survive termination shall remain in force after the termination of the Main Agreement and this Data Protection Annex.