DATA PROTECTION AND DATA SECURITY
This Agreement on Data Protection and Data Security shall be applied between Oilon Group Oy incl. subsidiaries (Oilon) and the customer logged in Oilon Care (Reseller).
1 SCOPE AND PURPOSE
1.1 This Agreement sets forth Oilon’s and Reseller’s general obligations regarding data protection and compliance with Laws (as defined below) with the purpose of ensuring the implementation of consistent data protection and data security practices to be applied in the Oilon Care service offered by Oilon to the Reseller.
2 COMPLIANCE WITH LAWS AND REGULATIONS
2.1 The Reseller agrees to comply with the provisions of all applicable laws relating to data protection, privacy and security, including EU Directive 95/46/EC and EU Directive 2002/58/EC (collectively the “EU Directives”), Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (“GDPR”), and any amendments of those.
2.2 For the purposes of this Appendix, “Personal Data” shall mean personal data as defined in the Laws. The Reseller shall also comply with Oilon’s written instructions, policies and regulations, e.g., on handling, protecting and when separately agreed encrypting data, and all other similar regulations that are important in terms of Oilon’s operations. “Processing” shall have the meaning set forth in the Laws, including any operation, or set of operations, performed on Personal Data, by any means, such as by collection, recording, organisation, storage, adaptation or alteration, retrieval, dissemination, transfer, erasure or destruction.
2.3 The Reseller operates as a processor of Personal Data on behalf of the controller of Personal Data, i.e., Oilon, within the meaning of the Laws.
3 HANDLING OF PERSONAL DATA AND SECURITY
3.1 The Reseller shall obtain written permission from the end user for entering the following Personal Data in the Oilon Care database: full name, mail address, phone number and email address. This permission shall be authorized when new maintenance tasks are performed to Oilon Care.
3.2 Except to the extent necessary for the Reseller to perform its obligations towards Oilon under the Agreement or as required by Law, the Reseller shall keep Personal Data confidential and shall have no rights to Personal Data and shall not access, use, process, disclose, or transfer Personal Data (in part or in whole) to any third party (excluding its approved subcontractors) during or after the term of the Agreement.
3.3 Without prejudice to the foregoing obligation, upon termination of the Agreement, after providing Oilon at no additional cost with a complete and up-to-date copy of the Personal Data, the Reseller shall (and shall procure that its subcontractors shall) without undue delay destroy all Personal Data in tangible form and delete all Personal Data from all computer hardware (including storage media) and software used by the Reseller to process the Personal Data and shall confirm in writing that this has been done.
3.4 The Reseller shall without undue delay inform Oilon in writing about any data breaches and other events where the security of the Personal Data processed on behalf of Oilon has been compromised or the Reseller has a reason to believe that such security may have been compromised (“Data Breach”).
3.5 To the extent any Laws require that a person and/or competent authorities are notified about Data Breach, the Reseller agrees that, in addition to any obligation set forth in this Appendix, it will be responsible for
(i) at Oilon’s request and subject to Oilon’s prior approval of the content, form and timing, supporting Oilon in providing any notices to such person or competent authority containing the information as mandated by applicable law,
(ii) conducting any forensic and security review and audit in connection with such Data Breach,
(iii) providing remediation services and other reasonable assistance to such persons directly or through a third party as
(1) required under applicable law,
(2) requested by governmental authorities, or
(3) agreed by the Parties, and
(iv) reasonably cooperating with the relevant Customer Affiliate in responding to such Data Breach.
3.6 Oilon shall provide the Reseller with reasonable support required in order for the Reseller to meet its aforementioned obligations. The Reseller shall bear all costs related to its responsibilities set forth above if the Data Breach has occurred due to Reseller’s failure to meet its obligations set forth in the Appendix and/or the Agreement.
3.7 The Reseller shall document any Data Breaches, including the facts relating to the Data Breach, its effects and the remedial action taken.
4 OTHER PROVISIONS
4.1 This Appendix shall remain in full force for as long as the Agreement is in force and for such period thereafter as is necessary for the activities after termination of the Agreement to be completed (including the deletion of Personal Data). To the extent that Personal Data is processed by or for the Reseller, for whatsoever reason, after the termination or expiration of the Agreement, this Appendix shall continue to apply to such processing for as long as such processing is carried out.
5 DATA SECURITY
5.2 The Reseller shall identify, respond to, recover from and follow up on any information security incidents, using an adequate information security incident management process. The Reseller shall have and maintain the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident. The Reseller shall immediately and fully inform Oilon of all security related issues that are discovered by the Reseller or brought to Reseller’s attention.