This Data Processing Agreement ("DPA") becomes applicable between Koskinen Family Business Oy ("Koskinen & Co" or "Processor") and its customer ("Customer" or "Controller") (together "Party" or "Parties") with whom Koskinen & Co has concluded a services agreement ("Agreement"), when Koskinen & Co processes personal data on behalf of Customer in the capacity of data processor.
This DPA is incorporated into and forms part of the Agreement between the Parties. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to matters concerning data protection.
Headings and bullets are included only to increase readability of this DPA, and shall have no relevance for the interpretation of the relevant clause.
The terms used herein shall have the same meaning as given in Regulation 2016/679 of the European Parliament and the Council on the protection of natural persons concerning the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the "GDPR" or "Regulation").
Such terms used herein include without limitation controller, processor, personal data, data subject, processing and personal data breach.
With this DPA, the Parties agree that Customer, the Controller, appoints Koskinen & Co as its Processor to process Customer's personal data during the term of an Agreement under the terms agreed herein.
Processor shall process the personal data only to further its obligations set forth in an Agreement and in accordance with the written instructions provided by the Controller.
The Controller shall be the sole controller for the personal data and shall be responsible for complying with the obligations the Regulation and other applicable laws set for data controllers, such as ensuring that there is a legal basis for processing personal data, informing data subjects about processing activities with privacy policies, complying with the controller's other documentation obligations and ensuring that data is kept accurate. If and to the extent the legal basis for processing personal data is the individual's consent, the Controller is liable for obtaining the consent and managing it as provided in the Regulation.
Processor is not entitled to process personal data for any other purpose or for anyone else.
Processor must immediately notify Controller if it considers that the written instructions provided by Controller for processing personal data violate the Regulation or national data protection laws.
Processor is entitled to transfer personal data outside the EU or EEA, provided that the transfer is made in compliance with the obligations that the Regulation specifies in terms of adequate safeguards in international data transfers.
For transfers of personal data outside the EU/EEA to countries not covered by an adequacy decision of the European Commission, the Parties shall ensure appropriate safeguards are in place, including the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), which are hereby incorporated by reference where applicable.
In addition, the Parties agree to comply with the Regulation as applicable to each Party. Additional details regarding processing may be described in the Agreement or in a separate document.
Processor is entitled to use sub-processors for processing personal data. A current list of sub-processors, including AI service providers, is maintained at www.koskinen.co/legal/sub-processors and is available upon request.
If the Processor plans to make changes to its sub-processors, it will notify the Controller by giving at least fourteen (14) days' written notice. Processor's obligation to notify concerns the intended adding, removal or change of a sub-processor.
After receiving notification, Controller has the right to object to the intended change in the use of sub-processors within the notice period. If the Controller objects to the intended change and the Processor cannot reasonably use another sub-processor or another method in processing the personal data, then the Processor is not liable for damages or harm caused by such objection. In this situation, either Party is entitled to terminate the Agreement by giving at least one (1) month's written notice to the other Party.
When using sub-processors for processing personal data, Processor agrees that it will impose data protection terms on any sub-processor it appoints that protect the personal data to the same standard as provided for by this DPA.
Processor is fully liable for its sub-processors' compliance with the requirements of this DPA.
All personal data processed by Processor on behalf of Controller is considered Controller's confidential information, and Processor shall not disclose the personal data to anyone or use it for any purpose other than the agreed purpose.
Processor ensures that only such people shall have access to the personal data as is necessary for furthering Processor's obligations relating to the purpose and that such people shall be subject to a strict duty of confidentiality, contractual or statutory, and shall not permit any person to process the personal data who is not under such a duty of confidentiality.
The duties of confidentiality shall survive the termination or expiration of the Agreement.
Processor shall implement appropriate technical and organisational measures to protect the personal data from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the personal data. Such measures should, under the circumstances, appear to a reasonable person to be appropriate to the risks presented by the processing. Such measures can include, as appropriate: a) the pseudonymisation and encryption of personal data; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of processing.
Processor must notify Controller of any personal data breach without undue delay, and in any event within twenty-four (24) hours of becoming aware of the breach, to enable Controller to comply with the 72-hour notification requirement under Article 33 of the Regulation.
When notifying Controller, Processor must include all necessary details about the personal data breach, including: (a) the nature of the breach; (b) categories and approximate number of data subjects affected; (c) categories and approximate number of personal data records affected; (d) likely consequences of the breach; and (e) measures taken or proposed to address the breach.
Processor must also take all such other measures needed to mitigate or remedy the effects of the personal data breach and to prevent further breaches.
If Processor becomes aware that the planned processing would cause a high risk for the rights and freedoms of natural persons, it must notify Controller about this and assist the Controller, if necessary, in conducting a data protection impact assessment.
Taking into consideration the nature of data processing, the Processor must reasonably and without undue delay assist Controller, including by applicable technical and organisational measures, to fulfil any request from a data subject to exercise its rights under the Regulation. Such rights may include, as they are described in the Regulation, rights of access, rectification, objection, erasure ("right to be forgotten"), restriction of processing, and data portability.
If such requests are made directly to Processor, it must notify Controller about the request without undue delay and in any event within five (5) business days.
Processor shall maintain records of processing activities carried out on behalf of Controller as required by Article 30 of the Regulation, and shall make such records available to Controller upon request.
Processor shall permit Controller to audit Processor's compliance with this DPA, and shall provide access and make available to Controller all systems, premises, resources, information and staff as necessary for Controller to conduct such audit.
Controller may conduct or commission an audit no more than once per calendar year, unless a personal data breach has occurred or regulatory requirements mandate additional audits.
Controller must provide at least fourteen (14) days' advance notification of planned audits. Audits will be performed during normal business hours with the aim of causing as little disruption to Processor's business operation as reasonably possible.
Both Parties are responsible for their own costs and expenses relating to an audit.
Controller's written instructions may be provided in the Agreement, in subsequent written communications (including email), or through Controller's documented policies provided to Processor. Processor shall document and retain all instructions received.
If the Processor must assist the Controller in fulfilling the Controller's obligations related to data breaches, data subject's rights and data protection impact assessments, these assistance tasks are performed within the scope and time limitations provided in the Parties' services Agreement.
If the Parties have not concluded such an Agreement, or the time required exceeds what is included in the Agreement, the Processor is entitled to invoice the reasonable actual time used for the assistance tasks using hourly-based pricing. In such case, Koskinen & Co must provide Customer with the current price list. Koskinen & Co may update the price list while the Agreement is in force and valid, but has to notify the Customer one (1) month in advance. Invoicing the time used for the assistance tasks requires that the Controller has accepted that the Processor can use time to perform assistance tasks.
Processor is not liable to the Controller for any indirect or consequential loss or damage or third party claims arising from data processing activities.
This DPA comes into force on the same date as the Agreement between the Parties and shall thereafter remain in force until the Agreement is terminated or expires under its terms.
Within a reasonable time after the termination or expiration of the Agreement, Processor shall delete or return all personal data to Controller and also delete all copies of the personal data, unless national or EU or member state law requires Processor to retain some or all of that data. In such event, any further processing of the personal data is prohibited, except to the extent required by law. The Controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.
If the Controller has not notified the Processor about deletion or return of data within twelve (12) months from the termination or expiration of the Agreement, the Processor shall delete all personal data in its possession, including any copies, unless national or EU or member state law requires Processor to retain some or all of that data. In such event, any further processing of the personal data is prohibited, except to the extent required by law. The Controller is obligated to make sure that it has backup copies of the data prior to deletion, if it considers the data still necessary.
Koskinen & Co processes personal data relating to its customers in accordance with the Agreement, applicable laws and this DPA.
Categories of Personal Data:
Personal data may include, for instance, the following categories: a) contact details (such as name, email and phone number); b) company details (such as company name and job title); c) communication details (such as chat transcripts, email correspondence, text messaging and meeting memos); d) usage details (such as website, service and product use data); e) relationship details (such as details shared while using services and products); and f) any other data the Processor needs to further its obligations set forth in an Agreement and in accordance with the written instructions provided by the Controller.
Categories of Data Subjects:
The personal data mainly relates to such data subjects that: a) are potential, existing or past clients of the Customer; b) are potential, existing or past employees of the Customer; c) are potential, existing or past suppliers of the Customer; or d) are other potential, existing or past third parties of the Customer.
Duration of Processing:
Processing will continue for the duration of the Agreement and for such period thereafter as required to complete obligations under this DPA.
Nature and Purpose of Processing:
Processing is performed for the purpose of providing the consulting services described in the Agreement.
Version 2.0: December 2025