APPENDIX TO API INTERFACE TERMS AND CONDITIONS / PERSONAL DATA PROCESSING

This Data Processing Appendix ("Appendix") forms an inseparable part of the API Interface Terms and Conditions ("Agreement") between the Finnish Composers' Copyright Society Teosto ("Teosto") and the User ("Service Provider").

Definitions:

Controller; means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data.

Data Protection Laws; means all mandatory laws and regulations applicable to Processing of Personal Data from time to time, including the EU General Data Protection Regulation 2016/679 and all related national laws, regulations and other statutes implementing the General Data Protection Regulation.

Personal Data; means any information relating to an identified or identifiable natural person ("Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Personal Data Breach; means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

Processing; means any operation which is performed on Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Processor; means a natural or legal person, public authority, agency or other body which processes personal data on behalf of and for the account of the Controller.

Service; means the service(s) provided by Service Provider to Teosto pursuant to the Agreement and as further specified in Schedule A hereto, that involves Processing of Teosto’s Personal Data.

Standard Contractual Clauses; means the standard contractual clauses adopted by the EU Commission under its decision 2010/87/EU of 5 February 2010 on transfers of Personal Data to processors of Personal Data established in third countries. In case these standard contractual clauses are at any time revised, updated, abolished and replaced or otherwise amended by a new EU Commission decision, Standard Contractual Clauses shall always mean the latest set of Standard Contractual Clauses adopted by the EU Commission.

Teosto’s Personal Data; means any Personal Data in Teosto’s data files to which Service Provider may have access when providing the Service to Teosto.

1. General

1.1 Roles of the Parties

The Parties acknowledge and agree that in relation to the Service provided to Teosto pursuant to the Agreement, Teosto shall act as the Controller and Service Provider as the Processor.

1.2 General Obligations of Service Provider

When providing the Service to Teosto and in relation to the consequent Processing of Teosto’s Personal Data, Service Provider undertakes to comply and act in accordance with the Data Protection Laws, Agreement, any documented instructions from Teosto and any applicable guidelines given by data protection authorities. Service Provider shall notify Teosto in case Service Provider considers that Teosto’s documented instructions violate the Data Protection Laws.

Service Provider shall Process Teosto's Personal Data only for purposes defined by Teosto and as instructed by Teosto, and only to the extent required for Service Provider to fulfil its obligations relating to the provision of the Service to Teosto. Service Provider shall keep Teosto's Personal Data separate from any of Service Provider's own data and from any data of Service Provider's other customers.

No rights to Teosto’s Personal Data shall be transferred or assigned to Service Provider.

Service Provider shall keep confidential any Teosto’s Personal Data it may receive, and not assign, disclose or convey it to any third party during or after the term of the Agreement without Teosto’s prior written consent. Service Provider shall limit access to Teosto’s Personal Data to authorized and properly trained personnel with a well-defined “need-to-know” basis, and who are bound by appropriate confidentiality obligations.

A more detailed description of the subject-matter of the Processing, the nature and purpose of the Processing, the type of Personal Data and categories of Data Subjects is given in Schedule A to this Appendix.

1.3 Subcontractors

Service Provider shall not use subcontractors in the Processing of Teosto’s Personal Data without Teosto’s prior written approval.

Prior to Service Provider allowing access to Teosto's Personal Data by any approved subcontractor, Service Provider shall enter into a written agreement with the subcontractor imposing on the subcontractor the same obligations as to Processing Teosto's Personal Data as those set out in this Appendix and the Agreement. Service Provider shall, however, remain fully liable towards Teosto for any acts or omissions of its subcontractors as for its own.

Regardless of any approval given by Teosto for the use of subcontractors, Service Provider shall regularly monitor that its subcontractors comply with all confidentiality, data security and other obligations defined in this Appendix, specifically those relating to confidentiality and data security measures. Teosto may revoke any given approval for justified reasons.

1.4. Deletion or Return of Personal Data

Upon termination or expiration of the Agreement or if separately requested by Teosto, Service Provider shall, as Teosto may decide, immediately return or delete all materials containing Teosto's Personal Data together with all copies made thereof. Service Provider shall confirm in writing that it has complied in full with its foregoing obligation. If returning or deleting Teosto's Personal Data is not possible, Service Provider shall be entitled to continue storing Teosto's Personal Data, but always subject to the confidentiality obligations set out in section 1.2.

1.5. Records of Processing Activities

Service Provider shall maintain a record of all Processing of Teosto's Personal Data carried out pursuant to this Appendix on behalf of Teosto, containing at least: (a) the name and contact details of Service Provider, and of the data protection officer (if nominated); (b) the categories of Processing carried out on behalf of Teosto; (c) information on any transfers of Personal Data outside of the EU/EEA and documentation of the appropriate safeguards implemented; (d) a description of the technical and organisational security measures taken; and (e) a list of subcontractors used for Processing of Teosto's Personal Data.

Service Provider agrees to make the foregoing records available to Teosto without delay following Teosto's request, and in any event no later than within five business days from the request.

2. REQUESTS FROM AUTHORITIES

Service Provider undertakes to immediately notify Teosto of any requests for information or access it may receive from supervisory authorities in relation to Teosto's Personal Data, unless such notification is prohibited pursuant to mandatory law or regulation. Service Provider shall obtain Teosto's prior approval before submitting any responses to the supervisory authority based on such requests.

3. PRIVACY IMPACT ASSESSMENTS

If requested, Service Provider agrees to assist Teosto in any privacy impact assessments that may be required in the event the Processing of Teosto’s Personal Data in connection with the Service is likely to result in a high risk to the rights and freedoms of natural persons.

4. TRANSFERS OF PERSONAL DATA

Service Provider may not transfer Teosto’s Personal Data to any non-EU/EEA country (transfers of Teosto’s Personal Data to servers located outside the EU/EEA or otherwise facilitating access to Teosto’s Personal Data from outside the EU/EEA) without agreeing on the transfer in advance with Teosto and without complying with the statutory requirements regarding the transfer of Personal Data outside the EU/EEA countries set out in the Data Protection Laws.

In the event Teosto has consented to the transfer of Teosto's Personal Data outside the EU/EEA, and the Parties have not specified otherwise, the Standard Contractual Clauses, including the indemnification clause in Appendix 2 thereto, shall be deemed incorporated by this reference into this Appendix as Schedule B.

5. DATA SECURITY AND DATA BREACHES

Service Provider warrants that it will implement and maintain appropriate and at least industry standard technical and organisational measures, as required under the Data Protection Laws, to protect Teosto's Personal Data from any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed, including: (a) the pseudonymisation and encryption of Teosto's Personal Data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and the Service; (c) the ability to restore the availability and access to Teosto's Personal Data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing.

Without limiting the generality of the foregoing, Service Provider undertakes to comply with the Data Security Appendix in Schedule C to this Appendix when providing the Service to Teosto.

Service Provider shall provide Teosto with prompt written notice, and in no event later than within twenty-four (24) hours, upon becoming aware of any occurred or threatening Personal Data Breach in the Service. Such notice shall: a) describe the nature of the Personal Data Breach including the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; b) communicate the name and contact details of the data protection officer or other contact point of Service Provider where more information can be obtained; c) describe the likely consequences of the Personal Data Breach; d) describe the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all of the information at the same time, the information may be provided in phases without undue further delay.

Service Provider shall take all necessary measures to mitigate the damage and avoid the occurrence of any further damage and, if agreed between Teosto and Service Provider, prepare the notification to the supervisory authority and/or the Data Subjects whose Personal Data is affected by the Personal Data Breach, as required under the Data Protection Laws.

6. AUDIT

Teosto or any third party authorised by Teosto has the right to audit Service Provider's production environment and processes as well as Service Provider's data security measures and Service Provider's facilities for the purpose of verifying Service Provider's compliance with this Appendix and the Data Protection Laws. Teosto agrees to notify Service Provider of any audit no later than 14 days prior to commencing the audit.

In case the audit reveals that the Service provided by Service Provider does not satisfy the conditions set out in this Appendix and the Data Protection Laws, Service Provider shall immediately and at its own expense take all necessary corrective action to render the Service compliant with this Appendix and the Data Protection Laws. Teosto further has the right to perform a subsequent audit after Service Provider has taken the foregoing corrective actions.

Teosto shall bear the costs of its own audits, excluding Service Provider's working time spent in relation to the audits, which shall be at Service Provider's expense, provided that audits are performed no more than once in a calendar year. In case the audit reveals that Service Provider has breached its obligations set out in this Appendix or the Data Protection Laws, Service Provider shall reimburse to Teosto immediately and in full the costs and expenses Teosto has incurred in relation to the audit, the foregoing being without prejudice to any liabilities, damages or other consequences of Service Provider, or any remedies available to Teosto, that may arise in relation to Service Provider's breach of agreement.

7. FULFILMENT OF DATA SUBJECTS’ RIGHTS

Upon Teosto's separate request Service Provider undertakes to provide to Teosto the assistance it may need in fulfilling its obligations relating to responding to requests for the fulfilment of Data Subjects' rights that relate to Teosto's Personal Data being Processed in connection with the Service. Service Provider shall: a) provide to Teosto without delay a copy of Teosto's Personal Data in a generally used machine-readable form; b) immediately rectify specified Teosto's Personal Data, prevent access to specified Teosto's Personal Data in order to restrict the Processing, or erase specified Teosto's Personal Data from the Service; and c) provide assistance to Teosto in providing notifications to Data Subjects as may be required under the Data Protection Laws in relation to Teosto's Personal Data.

8. SERVICE PROVIDER’S LIABILITY

Service Provider shall be liable for all direct, indirect and consequential damages, including damages payable to Data Subjects, legal expenses and administrative fines, that Teosto may incur as the result of Service Provider's breach or violation of the Data Protection Laws, this Appendix or any documented instructions given by Teosto.

In case any claims or demands are made against Teosto in relation to Processing of Personal Data carried out by Service Provider, Service Provider shall provide to Teosto all assistance it may require in responding to such claims or demands.

The limitations of liability set out in the Agreement do not apply to any claims or damage based on this section 8.

9. TERM AND TERMINATION

This Appendix enters into force and becomes binding on the Parties when Service Provider has accepted this Appendix in writing (including by email), and remains in force until the termination or expiration of the Agreement and after that time so far as necessary to end the Processing of Teosto's Personal Data (including, without limitation, deletion of Teosto's Personal Data). Such provisions that by their nature are intended to survive the termination of the Agreement or this Appendix shall remain in force regardless of termination.

In case Service Provider materially breaches this Appendix Teosto has the right to terminate the Agreement with immediate effect.

10. AMENDMENTS, ORDER OF PRECEDENCE

All amendments to this Appendix shall be made in writing and become effective when duly signed by both Parties.

In case of any discrepancy or conflict between this Appendix and the Agreement, this Appendix shall prevail.

SCHEDULE A: DETAILS OF PROCESSING

1. Nature and Purposes of Processing Personal Data

Service Provider shall Process Personal Data for purposes of:

2. Personal Data and Categories of Data Subjects

Service Provider shall Process the following categories of Personal Data:

Personal Data listed above concern the following categories of Data Subjects:

3. Duration of Processing

Personal Data is Processed as long as necessary for the performance of the development work allowed under the Agreement.