These data processing terms ("Terms") become applicable between Koskinen Family Business Oy (“Koskinen & Co”) and its customer (“Customer”) (together “Party” or “Parties”) with whom Koskinen & Co has concluded an agreement ("Agreement"), if Koskinen & Co is considered as data processor and Customer data collector in the meaning as given in EU General Data Protection Regulation.

Headings and bullets are included only to increase readability of the Terms, and shall have no relevance for the interpretation of the relevant clause.


The terms used herein shall have the same meaning as given in Regulation 2016/679 of the European Parliament and the Council on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “Regulation”).

Such terms used herein include without limitation controller, processor, personal data, data subject, processing and personal data breach.


With these Terms, the Parties agree that Customer, the controller, appoints Koskinen & Co as its processor to process Customer’s personal data during the term of an Agreement under the Terms agreed herein.

Processor shall process the personal data only to further its obligations set forth in an Agreement and in accordance with the written instructions provided by the controller.

The controller shall be the sole controller for the personal data and shall be responsible for complying with the obligations the Regulation and other applicable laws set for data controllers, such as ensuring that there is a legal basis for processing personal data, informing data subjects about processing activities with privacy policies, complying with other controller’s documentation obligations and ensuring that data is kept accurate. If and to the extent the legal basis for processing personal data is individual’s consent, the controller is liable for obtaining the consent and managing it as provided in the Regulation.

Processor is not entitled to process personal data for any other purpose or for anyone else. Processor is entitled to transfer personal data outside the EU or EEA, provided that the transfer is made in compliance with the obligations that the Regulation specifies in terms of adequate safeguards in international data transfers. Processor must immediately notify controller, if it considers that the written instructions provided by controller for processing personal data violate the Regulation or national data protection laws.

In addition to the terms of this annex, the parties agree to comply with the Regulation as applicable to each party. Additional details regarding processing may be described in the Agreement or in a separate document.


Processor is entitled to use sub-processors for processing personal data. Additional information about sub-processors can be provided at request.

If the processor plans to make changes to its sub-processors, it will notify the controller by giving at least five (5) days written notice. Processor's obligation to notify concerns intended adding, removal or change of a sub-processor. After receiving notification, controller has the right to object to the intended change in the use of sub-processor. If the controller objects to the intended change and the data processor cannot reasonably use another sub-processor or another method in processing the personal data, then the processor is not liable for damages or harm caused by such objection. In this situation the processor is entitled to terminate the agreement by giving at least one (1) month’s written notice to the controller.

When using sub-processors for processing personal data, processor agrees that it will impose data protection terms on any sub-processor it appoints that protect the personal data to the same standard as provided for by this Annex.

Processor is fully liable that its sub-processors comply with the requirements of this Annex.


All personal data processed by processor on behalf of controller is considered controller’s confidential information and processor shall not disclose the personal data to anyone or use it for any other than agreed purpose.

Processor ensures that only such people shall have access to the personal data that is necessary for furthering processor’s obligations relating to the purpose and that such people shall be subject to a strict duty of confidentiality, contractual or statutory, and shall not permit any person to process the personal data who is not under such a duty of confidentiality.

The duties of confidentiality shall survive the termination or expiration of the Agreement.


Processor shall implement appropriate technical and organisational measures to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data. Such measures should, under the circumstances, appear to a reasonable person to be confidential or proprietary. Such measures can include, as appropriate:

  1. the pseudonymisation and encryption of personal data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; or
  4. the process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.

Personal Data Breaches

Processor must notify controller, without undue delay, about personal data breaches it becomes aware of, so that controller can comply with the provisions of the Regulation regarding personal data breach notifications within the set time limits.

When notifying controller, processor must include necessary details about the personal data breach and also otherwise provide reasonable assistance for the controller.

Processor must also take all such other measures needed to mitigate or remedy the effects of the personal data breach and to prevent further breaches.

Data Protection Impact Assessment

If processor becomes aware that the planned processing would cause a high risk for the rights and freedoms of natural persons, it must notify controller about this and assist the controller, if necessary, in conducting a data protection impact assessment.

Data Subject’s Rights

Taking into consideration the nature of data processing, the processor must reasonably and without undue delay assist controller, including by applicable technical and organisational measures, to fulfil any request from a data subject to exercise its rights under the Regulation. Such rights may include, as they are described in the Regulation, rights of access, correction, objection, erasure (“right to be forgotten”) and data portability.

If such requests are made directly to processor, it must notify controller about the request without undue delay.


Processor shall permit controller to audit processor’s compliance with these terms, and shall provide access and make available to controller all systems, premises, resources, information and staff as necessary for controller to conduct such audit. Audits will be performed during normal business hours with the aim of causing as little disruption to processor’s business operation as reasonably possible.

Controller must also provide reasonable advance notification of planned audits.

Both parties are responsible for their own costs and expenses relating to an audit.

Other Terms

If the processor must assist the controller in fulfilling the controller’s obligations related to data breaches, data subject’s rights and data protection impact audits, these assistance tasks are performed within the scope and time limitations provided in the Parties’ services Agreement.

If the parties have not concluded such Agreement or the time required exceeds what is included in the Agreement, the processor is entitled to invoice the reasonable actual time used for the assistance tasks using hourly-based pricing. In such case, Koskinen & Co must provide Customer with the current price list. Koskinen & Co may update the price list while the Agreement is in force and valid, but has to notify the Customer one (1) month in advance. Invoicing the time used for the assistance tasks requires that the controller has accepted that the processor can use time to perform assistance tasks.

Processor is not liable to the controller for any indirect or consequential loss or damage or third party claims.

Term and Effects of Termination

These Terms come into force on the same date as the Agreement between the Parties and shall thereafter remain in force until the Agreement is terminated or expires under its terms.

Within a reasonable time after the termination or expiration of the agreement, processor shall delete or return all personal data to controller and also delete all copies of the personal data, unless national or EU or member state law requires processor to retain some or all of that data. In such event any further processing of the personal data is prohibited, except to the extent required by law. The controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.

If the controller has not notified the processor about deletion or return of data within twelve (12) months from the termination or expiration of the agreement, the processor shall delete all personal data in its possession, including any copies, unless national or EU or member state law requires processor to retain some or all of that data. In such event, any further processing of the personal data is prohibited, except to the extent required by law. The controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.

Description of the Processing

Koskinen & Co collects, processes and stores personal data relating to its customers in accordance with the Agreement, applicable laws and these Terms.

Personal data may include, for instance, the following categories of personal data:

  1. contact details (such as name, email and phone number);
  2. company details (such as company name and job title);
  3. communication details (such as chat transcripts, email correspondence, text messaging and meeting memos);
  4. usage details (such as website, service and product use data);
  5. relationship details (such as details shared while using services and products); or
  6. any other data the Processor needs to further its obligations set forth in an Agreement and in accordance with the written instructions provided by the controller.

The personal data mainly relates to such data subjects that:

  1. are potential, existing or past clients of the Customer;
  2. are potential, existing or past employees of the Customer;
  3. are potential, existing or past suppliers of the Customer; or
  4. are other potential, existing or past third parties of the Customer.

Updated 12th of September, 2021