1 SCOPE OF APPLICATION
These general data processing terms ("Terms") shall apply to the Infrakit software service delivered via data network between Infrakit Group Oy ("Supplier") and its customer who has registered to Infrakit software service ("Service") and accepted these terms ("Customer").
The Infrakit software service comprises the Infrakit website, Infrakit OFFICE™ web application and its service APIs, equipment integration services, Infrakit FIELD™ app and Infrakit TRUCK™ app for Android and iOS ("Infrakit mobile apps").
2 PURPOSE OF THESE TERMS AND CATEGORIES OF DATA SUBJECTS
2.1 With these Terms, the parties agree on processing of personal data persons who Customer has given access or connected to the service (“Personal Data”) to provide Service to Customer based on agreement between Customer and Supplier (“Service Agreement”). Such persons may be for example: Customer’s employees, subcontractors, partners, Customer’s, customer’s employees and representatives as authorized by the Customer.
2.2 This agreement shall form an integral part of the Service Agreement. Therefore, all applicable parts of the Service Agreement (including its provisions on governing law and dispute resolution) shall apply also to this agreement. However, in the event of conflict, the provisions of these Terms shall prevail over the provisions of the Service Agreement.
3 SUBJECT MATTER AND NATURE, PURPOSE AND DURATION OF PROCESSING
3.1 Personal Data will be processed for the fulfilment of the Service Agreement, to improve and develop the Service and for optimization of construction works in cooperation with the Customer.
3.2 Personal Data will be processed by Service Provider for the duration of the Service Agreement and unless a longer period is agreed between the parties in the Service Agreement e.g. for storage service. Customer can always require Supplier to stop processing of Personal Data. Customer’s admin users can remove users and their information from the Service. Employees can also modify their own information within the Service.
4 TYPES OF PERSONAL DATA BEING PROCESSED
The following data relating to the Customer's employees and other users of the Service are collected and recorded with their user account: name, password, email address, phone number, role, language, time zone, association with tracked equipment, messages on project communications channels, usage of Infrakit services, login dates and times.
Infrakit mobile apps and equipment integration services collect and record the user's exact location and time along with work equipment activity during work hours when the user has enabled tracking. Infrakit will not record this information outside the user's working hours nor when the user has paused tracking for a break. Tracking by mobile apps can only be enabled for one day at a time and will not resume until the user opens the app again next working day. The user may stop the recording at any time by pausing or ending their work day in the app.
Location, time, and active model on the equipment are recorded to calculate performance data, such as work efficiency and capacity.
Infrakit uses Google Analytics to improve and develop the Service usability.
5 PROCESSING OF PERSONAL DATA
5.1 The parties note that Customer is data controller as defined in the European Union General Data Protection Regulation (2016/679) (“GDPR”) and that Supplier processes Personal Data as a data processor for such data. Supplier informs employees of data processing with data protection statement that is available within the Service.
5.2 The parties agree to comply with the data protection laws, the GDPR, applicable national and international regulations concerning data protection as well as guidance and decisions of the relevant data protection authorities (together “Data Protection Regulations”).
5.3 Customer is responsible to ensure that it can pass the Personal Data to Supplier and that Supplier is entitled to process the Personal Data provided to it under this agreement by Customer and its employees.
5.4 Supplier shall comply with all instructions and guidance by Customer regarding data protection. Customer will inform Supplier of these obligations and their possible amendments well in advance.
5.5 Supplier shall comply with Customer’s separate instructions and requirements regarding data security.
5.6 Supplier is entitled to hand over Personal Data to third parties so that they can process Personal Data for the purposes of the Service Agreement and in accordance with this Agreement. Supplier is responsible for the performance of its subcontractors of the provisions of this agreement. Supplier will upon request provide Customer with details of suppliers who process Personal Data.
5.7 Supplier is responsible to
(i) Process Personal Data lawfully, carefully and according to good data protection practices and act also otherwise so that data subject’s privacy and other basic rights protecting privacy are not limited without legal grounds;
(ii) Process Personal Data only on and as per the documented instructions from the Customer. Processing for Supplier’s own purposes, e.g. marketing purposes, is strictly prohibited. Conditions and descriptions of Supplier’s products and services included in the Service Agreement are also considered documented instructions;
(iii) Without delay assist Customer and provide the required information that is required to comply with the rights of data subjects and to answer the requests by data subjects and supervisory authorities described in the Data Protection Laws;
(iv) Informs Customer upon request the countries where it will process Personal Information
(v) Only transfer Personal Data to third parties outside the territory of the member states of the European Union and the European Economic Area or to international organisations in accordance with the Data Protection Regulations;
(vi) Upon commercially reasonable terms and to the extent possible, include terms and conditions similar to the ones contained in this agreement to all its contracts with its subcontractors who process Personal Data directly or indirectly on behalf of Customer;
(vii) In case data subjects, governmental authorities or supervisory authorities make a request for information, Supplier shall immediately inform Customer about such request;
(viii) Maintain appropriate technical and organisational measures to protect the Personal Data, taking into account: the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, and the risks that are presented by the processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed. Such measures include, inter alia as appropriate: a) the pseudonymisation and encryption of the Personal Data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to the Personal Data in a timely manner in the event of a physical or technical incident; and d) a process for regularly testing, assessing, and evaluating the effectiveness of technical and organisational measures for ensuring the security of the Processing. When determining the appropriate security level special attention needs to be paid to risks involved in processing Personal Data, in particular accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data transmitted, stored or otherwise processed.
(ix) Informs Customer, if the Supplier deems that instructions or practises of Customer are in breach of Data Protection Laws;
(x) Assists Customer in ensuring compliance with their legal obligations, such as, data security, data breach notification, data protection assessment and prior consulting obligations, as required from Customer by the Data Protection Laws,
(xi) Ensure that persons authorised to perform the processing hereunder have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality as further described in this agreement;
(xii) Implement measures to ensure that every person processing Personal Data on behalf of Supplier only processes them as instructed by Customer unless applicable laws otherwise require;
(xiii) At Customer’s instructions, delete or return to Supplier all the Personal Data after the end of the provision of the Services relating to Processing, and delete existing copies, unless applicable laws require storage of the Personal Data.
5.8 Customer shall be entitled to audit Supplier’s performance of its obligations under this agreement and compliance with Data Protection Laws (“Audit”). They are entitled to use external auditors who are not competitors of Supplier, to conduct such an Audit.
5.9 Customer shall inform Supplier on the timing and other details relating to the conduct of such Audits at the latest thirty (30) days in advance, provided that mandatory decision of the authorities does not prevent such notice.
5.10 Supplier agrees to enable necessary access to Supplier‘s and its subcontractor’s premises and systems for the party conducting the Audit at the agreed time during their normal business hours. Supplier will, upon request, provide the information, documents and other material reasonably requested by the auditing party. Supplier will also reasonably assist in the Audit. The parties will agree on how to implement the changes identified in the Audits. Parties preforming Audits will need to agree to maintain confidentiality of the information they receive and not to use it for any other purpose than to conduct the Audit itself. Customer is responsible for the compliance of their aforesaid obligations.
5.11 Nothing stated in this clause limits the audit rights of authorities supervising Customer. These will be performed as instructed by the said authorities.
5.12 Customer shall bear all costs for Audits and it will compensate Supplier for all costs incurred due to the Audit.
5.13 Supplier shall without undue delay, an in any case within 48 hours after becoming aware of it, notify Customer if it or one of its sub-processors becomes aware of a personal data breach or of breach of Data Protection Laws relating to Customer’s employees (“Personal Data Breach”). Information shall be provided to the contact person named by Customer, unless otherwise agreed. Supplier’s notice shall include at least the following information, provided that Supplier has access to it:
(i) a description of the nature of the Personal Data Breach and description of the security breach that caused the Personal Data Breach;
(ii) what information was subject to Personal Data Breach;
(iii) when Personal Data Breach relates to personal information, Supplier needs to specify those data subjects whose information was compromised and the overall number of data subjects affected by the Personal Data Breach;
(iv) who performed the Personal Data Breach and which parties obtained access to information that was exposed;
(v) a description of the likely consequences of the Personal Data Breach and possible damages and consequences for data subjects;
(vi) a description of the measures taken or proposed to be taken by Supplier to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects and prevent Personal Data Breaches in the future; and
(vii) any other information relating to Personal Data Breach possibly requested by Customer.
5.14 To prove that its compliance with Data Protection Laws, Supplier needs to document all Personal Data Breaches including details and consequences as well as the measures taken after Supplier became aware of Personal Data Breach.
5.15 Supplier is not allowed to provide information on Personal Data Breaches to third parties or publicise them without Customer’s prior written consent, unless Supplier is obliged by mandatory law or decree to disclose such information. Supplier assists Customer in reporting Personal Data Breaches to supervisory authorities and data subjects as instructed by Customer. If the practises, instructions and requirements mandated by Customer create wider responsibilities to Supplier that what is set by Data Protection Laws, Supplier is entitled to compensation for additional costs incurred.
5.16 All changes and amendments to the agreement shall be agreed in writing in order to be valid. This agreement constitutes the entire agreement between the parties concerning the subject matter hereof and supersedes all prior agreements, discussions, offers, representations or other communiqués of whatever nature.