Last update: July 4, 2024
Table of contents
1. Introduction, purpose and application
2. Definitions
3. Scope of processing and processing activities
4. Subcontractors and subprocessors
5. Data security
6. Confidentiality
7. International data transfers
8. Personal data breaches and reporting obligations
9. Documentation and auditing rights
10. Assisting the Controller
11. Term and termination
12. Other terms
13. Appendices
1. Introduction, purpose and application
This Data Processing Agreement (“DPA“) is applied as part of the commercial agreement (“Agreement“) to the processing of personal data carried out by Beamex Oy Ab, Business ID: 0181602-8, Ristisuonraitti 10, 68600 Pietarsaari, FINLAND (“Processor”), or any of its subsidiaries or affiliates (as the case may be), in connection with providing digital services (“Services“) to the customer who is a contracting party in the Agreement as well as the data controller of such personal data (“Controller“), which Services are described in more detail in the Agreement concluded by and between the Processor and the Controller.
This DPA is an integral and inseparable part of the Agreement between the parties. All terms used in this DPA, but not defined, have the same meaning as they have in the Agreement. If there is a conflict between the Agreement and this DPA, the terms of the DPA take precedence.
2. Definitions
“Controller” means the natural person or legal entity, authority, agency or other body mentioned in this DPA, which alone or jointly with others defines the purposes and means of personal data processing.
“Data Protection Law(s)” means the Data Protection Act (1050/2018) and the EU General Data Protection Regulation (2016/679) with amendments and replacement regulations as well as other valid and applicable data protection legislation and instructions and binding regulations of data protection authorities.
“Data Subject” means an identified or identifiable natural person whose Personal Data is Processed on the basis of this DPA.
“Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is considered to be a natural person who can be directly or indirectly identified especially on the basis of identification information such as name, social security number, location information, online identification information or one or more physical, physiological, genetic, psychological, economic, cultural or social factors characteristic of him or her.
“Personal Data Breach” means a data security breach event resulting in the accidental or illegal destruction, loss, alteration, unauthorized disclosure or access to personal data transferred, stored or otherwise processed.
“Processing” means the function or functions that are applied to Personal Data or data sets containing Personal Data in connection with the provision of Services, either using automatic data processing or manually, such as collecting, recording, organizing, structuring, storing, modifying or changing, searching, querying, using, transferring, distributing or otherwise making available, matching or combining, restricting, deleting or destroying the information.
“Processor” means the natural person or legal entity, authority, agency or other body mentioned in this DPA that Processes Personal Data on behalf of the Controller.
“Standard Contractual Clauses” means the Standard Contractual Clauses (EU) 2021/914 of 4 June 2021. Any reference to the Standard Contractual Clauses shall refer to the Standard Contractual Clauses including the parties’ selection of the relevant Modules and optional clauses as well as Appendices 1 and 2 of this DPA. In addition, the parties agree that the use of Subprocessors shall be governed by Clause 9, Option 1 of the Standard Contractual Clauses.
“Subprocessor” means a natural person or legal entity in a contractual relationship with the Processor, who processes Personal Data as a subcontractor of the Processor as part of performing Services for the Controller.
3. Scope of processing and processing activities
Pursuant to this DPA such Personal Data is processed, for which the Controller acts as the sole data controller.
The Processor Processes Personal Data (i) in accordance with the Data Protection Laws and the terms of this DPA to fulfill the obligations described in the Agreement; and (ii) in compliance with the written instructions given by the Controller from time to time, unless otherwise required by the Data Protection Laws applicable to the Processor. The Processor may not Process Personal Data for any of its own purposes or hand it over to third parties, unless this DPA allows it. The Processor must notify the Controller if it considers or suspects that the Controller’s written instructions violate the Data Protection Laws. Unless otherwise stipulated in this DPA or its appendices, the Processor may Process Personal Data only for the duration of the Agreement.
The Controller (i) undertakes to comply with the obligations in accordance with the Data Protection Laws applicable to it in the Processing of Personal Data; and (ii) is responsible for the fact that it, as the sole data controller, has the right to Process Personal Data and that it has fulfilled its obligation to inform the Data Subjects and/or received (or will receive) all the consents required by the applicable Data Protection Laws from the Data Subjects for the Processor to Process Personal Data on behalf of the Controller in accordance with this DPA.
More detailed information about the Processing, such as the nature of the processing, types of Personal Data and groups of Data Subjects, are described in Appendix 1. The appendix can be updated if changes occur in the Processing.
However, the Controller acknowledges and accepts that, as part of providing the Services to the Controller, the Processor has the right to use information related to the operation, support or use of the Service, or obtained in connection with it, for its legal and legitimate internal business purposes, such as (i) invoicing the Service based on usage or number of users, (ii) delivering the Service and managing its provision, (iii) the functional and technical development of the Service, (iv) compliance with applicable laws (including responding to official requests), (v) ensuring the security of the Service, and (vi) preventing fraud and abuse or reducing risks. To the extent that such information is Personal Data, the Processor undertakes that: (a) it will Process such Personal Data in accordance with the applicable Data Protection Laws and only for purposes that are compatible with the objectives described in this section; and (b) it will not use such Personal Data for any other purpose or disclose it to third parties, unless it has first anonymized the data so that neither the Controller nor any other person or entity can be identified from it.
4. Subcontractors and subprocessors
The Processor has the right to use Subprocessors in the Processing. Upon request, the Processor must provide the Controller with more information about the Subprocessors it uses. If the Processor makes significant changes to its Subprocessors it must notify the Controller in writing. The Controller has the right to prohibit the use of a specific Subprocessor for a justified reason. If the Controller prohibits the use of a particular Subprocessor and it is not reasonably possible to transfer the tasks of that Subprocessor to anyone else, including to the Processor, the Processor has the right to terminate the DPA and end the Processing. The Controller is not entitled to any compensation solely on the basis that the Processing ends and the DPA has been terminated due to the Controller prohibiting the use of a specific Subprocessor.
The Processor must enter into a written agreement with each Subprocessor, which contains the terms and conditions required by the Data Protection Laws and essentially similar types of obligations as the Processor has under this DPA. The Processor is responsible for the Subprocessors it uses, just as it is for its own actions.
5. Data security
The Processor must implement appropriate technical, physical and organizational measures to ensure a high level of security in the Processing of Personal Data by the Processor and to protect Personal Data from unauthorized or illegal processing and from unintentional loss, destruction, damage, change or transfer. When evaluating the necessary measures to guarantee the level of security, the instructions of the Controller, the latest technology and implementation costs, the nature, scope, context and purposes of the Processing, as well as the risks to the rights and freedoms of natural persons, which vary in probability and severity, must be taken into account.
Applicable measures may be, for example: (i) pseudonymization and encryption of personal data; (ii) the ability to guarantee the continuous confidentiality, integrity, availability and fault tolerance of the systems and services; (iii) the ability to quickly restore the availability of Personal Data and access to Personal Data in the event of a physical or technical failure; and (iv) the procedure for regularly testing, examining and evaluating the effectiveness of technical and organizational measures to ensure the security of the Processing. The Processor must take measures to ensure that every natural person working under the Processor who has access to Personal Data processes it only in accordance with the instructions of the Controller, unless otherwise required by applicable Data Protection legislation. The Processor is responsible, in accordance with its own policies, for taking backups of the data and files of the Controller in its possession and for checking their functionality.
Without limiting the requirements and obligations described above, the Processor must always implement at least the technical and organizational information security measures which essentially correspond to the measures described in Appendix 2.
6. Confidentiality
The Processor must ensure, to the extent reasonably possible, that only those persons acting on its behalf who have a need to access the information in order to fulfill the purpose of this DPA have access to the Personal Data, and that the persons who have the right to process the Personal Data are committed to complying with the obligation of confidentiality or are subject to the appropriate statutory obligation of confidentiality.
7. International data transfers
7.1 Transfers allowed
The Processor may transfer Personal Data to a country outside the European Union or the European Economic Area. When transferring data to countries outside the European Union or the European Economic Area, the Processor must always comply with the conditions and requirements of the Data Protection Laws, for example by using the Standard Contractual Clauses published by the EU Commission that are applicable to the transfer.
7.2 Processors in the EEA and the Controller outside the EEA
If the Processor is located inside the EEA and the Controller outside the EEA, the transfer of Personal Data shall be governed by Module 4 of the Standard Contractual Clauses which are incorporated herein by reference and form an integral part of the DPA. The Controller enters into the Standard Contractual Clauses as “data importer” and Processor as “data exporter”. For the purposes of the Standard Contractual Clauses:
i) Module 4 shall apply;
ii) the optional docking clause, Clause 7, shall apply;
iii) in Clause 11, the optional language is to be deleted;
iv) in Clause 17, the substantive laws of Finland shall apply;
v) in Clause 18, disputes shall be resolved before the district court of Helsinki, Finland;
vi) the Annexes of the Standard Contractual Clauses shall be populated with the information set out in the DPA, including its appendices; and
vii) If and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement or the DPA regarding the transfer of Personal Data from Controller to Processor, the Standard Contractual Clauses shall prevail to the extent of such conflict.
If the Processor is located within the EEA and commissions a Subprocessor located outside the EEA, the Processor shall enter into the Standard Contractual Clauses (Module 3) with such Subprocessor. Any further onward transfer of Personal Data must comply with the applicable Module of the Standard Contractual Clauses.
8. Personal data breaches and reporting obligations
The Processor must notify the Controller of all actual or suspected Personal Data Breaches without undue delay after becoming aware of the breach.
The Processor must provide the Controller with all available information about the Personal Data Breach, which the Controller may need to fulfill its own investigation and reporting obligations. The Processor can later supplement the information if it does not have comprehensive information about the violation immediately available. The Processor must otherwise assist and cooperate with the Controller in the investigation of the Personal Data Breach and in possible matters related to notifications to authorities and interested parties. The Processor must also take the necessary reasonable follow-up measures to mitigate the adverse effects of the Personal Data Breach, repair the violation or breach that has occurred, and prevent future violations. The Processor may not comment on the Personal Data Breach to third parties, especially media representatives, without express written consent and instructions from the Controller, unless otherwise required by Data Protection Laws.
Unless otherwise required by the Data Protection Laws or by the order of a competent authority, the Controller makes the final decision at its own discretion on whether the Personal Data Breach must be notified to the authorities or other parties involved, and on the way such notifications are made. If the Processor reports a Personal Data Breach to the authorities or other interested parties, such reports must be approved in advance by the Controller.
9. Documentation and auditing rights
A party has the obligation to make available to the other party all the required information and documents that are necessary for demonstrating compliance with this DPA and the Data Protection Laws.
At the request of the Controller, the Processor must also allow audits of the Processing, the Services, the information security measures and the Processor’s information systems and processes, and participate, at reasonable intervals, in such audits for the purpose of ensuring compliance with this DPA and the Data Protection Laws. Such audits may be carried out no more than once a year, unless there is a justified reason to assume that the Processor does not comply with the DPA or the Data Protection Laws. Audits may also include visits to the Processor’s offices or other physical premises. The audit is carried out during normal working hours and in such a way that it does not unnecessarily disturb the Processor’s operations. Each party is responsible for its own costs related to the audit. The Processor must be notified of planned audits at least fifteen (15) days before the intended audit. Information about the Processor’s activities obtained by the Controller during the audit is confidential.
10. Assisting the Controller
The Processor must, at the request and expense of the Controller, reasonably assist the Controller in complying with the obligations data controllers have in accordance with the Data Protection Laws. The duty to assist applies in particular to the following matters:
10.1 Access to Personal Data
Insofar as the Personal Data is not available directly through the Services, the Processor shall, upon request, provide the Controller with the data in question. If the information is available in electronic form, it must also be delivered to the Controller in that form.
10.2 Fulfillment of Data Subjects’ rights and requests from the supervisory authority
The Processor must notify the Controller without delay: (i) of all requests, complaints or notifications made by the supervisory authority or other competent authority; and (ii) of any requests received directly from a Data Subject relating to the fulfillment of the Data Subject’s rights. The Processor may respond directly to such a request only if the Controller has given permission and instructions to do so in advance. If the Controller so requests, the Processor must reasonably assist the Controller in responding to official requests and in fulfilling the Data Subject’s rights under the Data Protection Laws.
10.3 Data protection impact assessment
If the Processor becomes aware that the planned Processing would cause a high risk in terms of the rights and freedoms of a natural person, it must inform the Controller of this and, if necessary, assist the Controller in carrying out an impact assessment regarding data protection.
10.4 Correction, deletion and restriction of Personal Data
The Processor must either (i) offer the possibility to correct, delete or limit the processing of Personal Data through the functions of the Service or (ii) correct, delete or limit the processing of Personal Data in accordance with the instructions of the Controller.
11. Term and termination
11.1 Entry into force and termination
Unless otherwise agreed, this DPA enters into force at the same time as the Agreement and remains valid as long as the Processor Processes the Controller’s Personal Data in connection with the provision of its Services. Provisions of this DPA which, by their nature, are intended to survive the termination of the Agreement remain in effect regardless of the termination of the DPA.
11.2 Returning or deleting Personal Data at the end of Processing
Upon termination of the DPA, the Processor must, at the Controller’s choice, either delete all Personal Data Processed on behalf of the Controller or, alternatively, return all Personal Data to the Controller and delete existing copies, unless the Data Protection Laws or other regulation (e.g. ISO 17025) require retention of Personal Data. In that case, the Processor has the right to keep the Personal Data in accordance with the requirements of the law, without otherwise continuing the Processing of the Personal Data and still complying with the confidentiality obligations described in this DPA. The return or deletion of personal data must be carried out without undue delay after the Controller’s request. If the Controller has not given any instructions regarding the deletion or return of Personal Data, the Processor may on its own initiative delete the Personal Data in its possession when twelve (12) months have passed from the end of the DPA. The Processor must return the Personal Data in a commonly used, data-secure electronic format or in another format agreed upon by the parties.
12. Other terms
12.1 Changes
All changes to this DPA must be agreed in writing between the parties. For the sake of clarity, it is stated that the written instructions given by the Controller from time to time to carry out the Processing of Personal Data are not considered to be changes to this DPA.
12.2 Responsibilities and liability
If the Data Subject suffers damage due to a violation of the Data Protection Laws, the responsibility of the Controller and the Processor for the damage is determined in accordance with Article 82 of the EU General Data Protection Regulation (2016/679). Each party is responsible for possible administrative fines imposed by the supervisory authority on the basis of a violation of the Data Protection Laws. A party’s liability for damages to the other party based on a breach of contract of this DPA is a total maximum amount that corresponds to the VAT-free service fees paid on the basis of the Agreement for the six (6) months preceding the submission of the first claim for damages. In other respects, the terms of limitation of liability that may be contained in the Agreement between the parties or its appendices also apply to this DPA. Unless otherwise expressly stated herein, a party is not liable to the other for any indirect, consequential, incidental, special or punitive damages (including any damages for business interruption and loss of use, data, sales, revenue or profit), which are specifically excluded.
12.3 Applicable law and dispute resolution
Regarding the applicable law and the resolution of disputes, the terms of the Agreement between the parties are followed, unless the Data Protection Laws state otherwise. If the Agreement does not state the applicable law or contain dispute resolution terms, the DPA shall be governed by the substantive laws of the Processor’s domicile.
13. Appendices
This DPA consists of this document and the attachments listed below:
− Appendix 1: Description of processing operations
− Appendix 2: Technical and organizational information security measures
Appendix 1 to DPA (and where applicable, to Standard Contractual Clauses)
A. LIST OF PARTIES
Data exporter:
Name: Beamex Oy Ab
Address: Ristisuonraitti 10, 68600 Pietarsaari, FINLAND
Activities relevant to the data transferred under these Clauses: Beamex is a technology company manufacturing and providing calibration equipment, software and related services and support to its industrial customers. The data importer is a customer of Beamex and user of Beamex’s digital services, which this DPA concerns.
Role (controller/processor): processor
Data importer(s):
Name: the name stated in the commercial agreement concluded with Beamex Oy Ab.
Address: as stated in the commercial agreement.
Activities relevant to the data transferred under these Clauses: The data importer is a customer of Beamex using Beamex’s digital services.
Role (controller/processor): controller
Processor’s essential Sub-Processors at the time of concluding the DPA:
a) Microsoft Datacenter Netherlands B.V. As Beamex Oy Ab subscribes to Azure cloud services (PaaS) – West Europe under the terms of the Microsoft Product Terms site, the data processing and security terms are defined in Microsoft Online Services Data Protection Addendum (DPA).
B. DESCRIPTION OF TRANSFER/PROCESSING
Categories of data subjects whose personal data is transferred
Primarily such employees or subcontractors of the controller that use and perform calibrations with Beamex calibration equipment, the results of which are then stored in the Beamex calibration software.
Categories of personal data transferred
Especially name, job title, employer’s name as well as data relating to the activities the person has performed with Beamex’s calibration equipment.
The frequency of the transfer
Data is transferred on a continuous basis and as needed to provide the service(s).
Nature of the processing
Providing the controller with user rights to the Beamex calibration software and storing in the software the data of calibrations performed by the controller’s employees and subcontractors.
Purpose(s) of the data transfer and further processing
Use of Beamex calibration software for storing calibration results.
The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period
The duration of the commercial agreement and as long as the controller uses the Beamex digital services.
C. COMPETENT SUPERVISORY AUTHORITY
Office of the Data Protection Ombudsman (Tietosuojavaltuutetun toimisto)
Street address: Lintulahdenkuja 4, 00530 Helsinki, FINLAND
Switchboard: +358 29 566 6700, Registry: +358 29 566 6768
Appendix 2 to DPA (and where applicable, to Standard Contractual Clauses)
A description of the technical and organizational measures that the Processor must implement in addition to the general obligations mentioned in the DPA to ensure an appropriate level of data security.
Area | Plans and practices |
Microsoft Azure (PaaS) | Beamex LOGiCAL and Beamex Sync services are built on Azure (PaaS). The Microsoft Service Trust Portal lists all relevant business continuity (ISO 22301) and ISMS (ISO 27001 and other 27000-series) certifications, reports, documents etc. at https://servicetrust.microsoft.com/viewpage/ISOIEC |
Premises and physical security | Access to premises. The Processor limits access to its premises with personal ID cards (RFID). Access rights to different areas within the premises are granted based on rights defined by the management and supervisors. Certain special areas may have enhanced measures of protection and access control. Guests have access only to public premises (lobby, cafeteria, restrooms) and move within the Processor’s premises only with a host. Alarm systems and guarding of facilities. Guarding of the premises is outsourced to a professional security company. The premises have industry-standard alarm systems, including alarms for unauthorized access, laboratory condition monitoring, cooling/temperature of the ICT data centers, air conditioning system alarms and fire alarm systems. The company’s Manager of Technical Services is responsible for the technical maintenance of the access monitoring and alarm systems. The employees have been trained, or have instructions available, on how to act in various alarm or crisis situations, and certain situations may be practised on a regular basis. |
Personnel, organization and information security management | Personnel security. Employment agreements signed with employees contain an industry-standard confidentiality clause. In certain special situations additional confidentiality agreements may be signed (e.g. for specific projects and/or information). The employees are also required to follow any guidelines or policies the Processor may have, including without limitation those relating to business ethics, privacy and information security. Training and guidelines. Compulsory information security training is part of every new employee’s onboarding program. Additional general or specific information security training is organized for the employees from time to time. Management, supervisors, system owners, access control and other responsible persons are trained in the contents of the Processor’s information security policy and its future revisions. Many of these persons also participate in risk management and business continuity planning reviews, training and/or exercises. Specific guidelines for employees may exist in various areas, such as work email, remote access and remote work, tools and software, as well as managing files, documents and records. Management, monitoring, reviews and audits. The assessment of information security and business continuity risks is part of the company’s quality system audits. Separate risk assessments, inspections and development plans are made on the basis of findings and identified risks, and always in connection with new development projects or planned system/facility/process changes. External experts, peer reviews or audits are utilized when possible or necessary for assessing the technical information security level. The company’s ICT function manages the framework for information security and is responsible for many practical and technical information security measures. ICT is represented in the company’s management team. |
Business continuity | The Processor maintains plans and measures for business continuity and disaster recovery. |
Third parties, subcontractors, processors and subprocessors | Background and contracts. The background of third parties, subcontractors and subprocessors is checked as considered appropriate and necessary before entering into a business relationship. Third-party partners are contractually bound by confidentiality obligations. Written data processing agreements (or annexes) are concluded with such partners that are considered data processors or subprocessors of the Processor. If and when relevant, training or instructions may be provided to third parties employed by the Processor on topics relating to information security. IT procurement. Computers, mobile devices, systems and software are procured primarily by the IT function. License information is also registered and stored by IT. |
Beamex internal data, servers and networks | Access control and authentication. The Processor uses industry-standard measures to authenticate persons and users and to limit access (as well as to prevent unauthorized access) to systems, software, files and data. Two-factor authentication is primarily required when logging into the network from a remote connection. The aim is to primarily use domain single sign-on in the applications. Passwords must be at least 8 characters long, but 14-character strong passwords containing special characters, numbers and capital letters are preferred. Access to certain files may also be restricted through system-, folder- and document-specific access right restrictions. Email. Guidelines for email communications exist. Special email security issues need to be considered when sending or receiving confidential information. The connection between the email server and the terminal device (computer, telephone, tablet, etc.) is encrypted. Files and databases. Various practices are in place for storing data in the cloud. Saving important data to a local computer hard drive is not recommended. Servers and systems on the Processor’s own premises are used for saving sensitive or highly confidential information. Separate guidelines and practices exist for storing and managing records requiring filing and archiving or version and lifecycle management. Sharefile is the primary tool for delivering confidential information to third parties in a secure way. Microsoft Office 365 is widely used for storing and sharing especially such documents that are used in teamwork (excluding very sensitive or highly confidential information). Remote connections. Supervisors define the need for devices, software and remote connections for mobile work. A secure client VPN or Citrix/XenApp with two-factor authentication is required for remote work. Mobile devices are password/code protected and, when applicable, MDM controlled. Separate policies may exist for mobile work and for storing files and records in the cloud. Networks, servers and IT infrastructure. Data networks are segmented into separate sub/virtual networks. Appropriate tools and/or services are used for traffic monitoring, intrusion prevention and detection, as well as antivirus (AV) monitoring. Certain data connections and critical network edge components are duplicated. The aim is to arrange either duplication or a back-up device for all critical components to mitigate single-point-of-failure (SPOF) risks in data networks, servers, storage and other critical systems. A dedicated stock of spare parts and components for critical devices is maintained. The electricity supply of certain critical systems and devices is backed up by an uninterruptible power supply (UPS) system. High Availability (HA) storage systems, storage mirroring or other fault-tolerant systems considered suitable for critical information systems may be used. Regular image/system back-ups are performed on virtual servers, production systems and some other computers in critical use, in accordance with the applicable standard operating procedure. System back-ups are implemented for other systems according to case-specific consideration and risk assessment. Back-up policy. The Processor has various back-up plans and measures for the purpose of data and system recovery. The plans and measures may vary depending on the importance of the data and system. The Processor has a separate standard operating procedure for backups of data and information systems. Malicious software. The Processor maintains firewalls as well as antivirus, anti-malware, spam filtering and other similar technical measures to detect, prevent and protect against external cyber attacks, unauthorized access and the installation of malicious software on its data, systems, networks and devices. |