On 25 May 2018, the European Union’s General Data Protection Regulation (GDPR) took effect.
It is one of the most important international legislative changes in data protection in
decades. The purpose of the regulation is to increase the individual’s rights to manage and
process their personal data and to harmonise legislation within the European Union.
Valohai is firmly committed to the Data Protection Regulation and we have been studying its
content and impact. In addition to complying with the regulation ourselves, it is important
for us to help our customers with their compliance efforts. This goal will be achieved
through training, instruction, and technical development of our software.
Valohai’s updated GDPR compliant terms come into force on the 1st of January 2020. By using
Valohai you agree to comply with this data protection agreement.
1. Service agreement and purpose of this DPA
This DPA has been entered into in connection with the agreement concerning the provision of
Valohai’s services entered into between the two Parties (“Service Agreement”) and
this DPA sets additional requirements and details regarding the Supplier’s handling of
personal information relating to the Customer’s employees, contractors, partners or other
parties (“Personal Data”) on behalf of the Customer in accordance with and as required by
the Service Agreement. Subject-matter, nature and purpose of the Processing are defined and
agreed under the Service Agreement.
The DPA shall form an integral part of the Service Agreement, meaning that applicable parts
of the Service Agreement (including its provisions on governing law and dispute resolution)
shall apply also to this DPA. However, in the event of a conflict, the provisions of this
DPA shall prevail over the provisions of the Service Agreement.
2. Duration of the process
Personal Data will be processed by the Supplier for the duration of the Service Agreement
unless a longer or shorter period is agreed between the Parties in the Service Agreement or
elsewhere in writing.
3. Types of personal data processed
For each event, Customer shall define what data is to be collected. Regarding each event,
Supplier shall collect and store the processed data as defined by Customer. This type of
data may include, for example, a person’s name, required contact information, as well as
other necessary additional information needed for registration, using the service, and
payment. The responsibility for defining this information lies with Customer alone.
Details may be further specified under the Service Agreement.
The capitalized terms used herein shall have the meaning ascribed to them below or in the
text of this DPA.
“Affiliate” shall mean any legal entity which is directly or indirectly owned or controlled
by a Party or directly or indirectly owning or controlling a Party or under the same direct
or indirect ownership or control as a Party for so long as such ownership or control lasts.
“Data Protection Laws” shall mean EU Data Protection Regulation (2016/679) and the data
protection laws under the governing law of the Service Agreement applicable to the
Processing hereunder from time to time. The Parties acknowledge and agree that in the time
period prior to the EU Data Protection Regulation (2016/679) becoming applicable (expected
on 25 May 2018), interpretation of this DPA shall be based on applicable data protection
laws under the governing law of the Service Agreement.
“Personal Data” shall mean any information relating to an identified or identifiable natural
person; an identifiable natural person is one who can be identified, directly or indirectly,
in particular by reference to an identifier such as a name, an identification number,
location data, an online identifier or to one or more factors specific to the physical,
physiological, genetic, mental, economic, cultural or social identity of that natural
“Personal Data Breach” shall mean a breach of security leading to the accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data
transmitted, stored or otherwise processed hereunder.
“Processing” shall mean any operation or set of operations which is performed on Personal
Data or on sets of Personal Data, whether or not by automated means, such as collection,
recording, organisation, structuring, storage, adaptation or alteration, retrieval,
consultation, use, disclosure by transmission, dissemination or otherwise making available,
alignment or combination, restriction, erasure or destruction, of Personal Data.
“Sub-Processor” shall mean a processor contracted by the Data Processor to perform
Processing hereunder, in part or in whole, on the Data Processor’s behalf.
5. Rights and obligations of the parties
Both Parties shall be responsible for ensuring that the Processing is made in accordance with
the Data Protection Laws which apply to each Party as well as good data processing
The Data Controller shall
a) give the Data Processor documented and comprehensive instructions on the Processing,
which instructions shall comply with the Data Protection Laws;
b) have the right and obligation to specify the purpose and means of Processing of Personal
c) represent that all the data subjects of the Personal Data have been provided with all
appropriate notices and information and establish and maintain for the relevant term the
necessary legal grounds for transferring the Personal Data to the Data Processor and
allowing the Data Processor to perform the Processing contemplated hereunder;
d) represent that if the Data Controller represents its Affiliates or third parties under
this DPA, it has the legal grounds to enter into this DPA with the Data Processor and allow
the Data Processor to process the Personal Data according to the terms of this DPA and the
Service Agreement; and
e) confirm that the Processing stipulated under this DPA meets the Data Controller’s
requirements including, but not limited to, with regard to intended security measures, and
it has provided the Data Processor with all necessary information in order for the Data
Processor to perform the Processing in compliance with the Data Protection Laws.
The Data Processor shall
a) perform the Processing only on and as per the documented, legitimate and reasonable
instructions from the Data Controller unless required to do otherwise by Data Protection
Laws, in which latter case the Data Processor shall inform the Data Controller of such
deviating legal requirement (provided the Data Protection Laws do not prohibit such
notification). For the avoidance of doubt, the Data Controller shall at all times be deemed
to have instructed the Data Processor to provide the Service as defined and agreed under the
b) ensure that persons authorised to perform the Processing hereunder have committed
themselves to confidentiality or are under an appropriate statutory obligation of
confidentiality as further stated under this DPA;
c) take all security measures required to be taken by data processors under the Data
Protection Laws as further stated under this DPA;
d) respect the conditions referred to under Data Protection Laws for engaging any Sub-
Processor as further stated under this DPA;
e) insofar as this is possible and taking into account the nature of the Processing, assist
the Data Controller by appropriate technical and organisational measures for the fulfillment
of the Data Controller’s obligation to respond to requests for exercising the data subject’s
rights laid down under the Data Protection Laws;
f) assist the Data Controller in ensuring compliance with its legal obligations, such as
data security, data breach notification, data protection assessment and prior consulting
obligations, as required of the Data Processor by the Data Protection Laws, taking into
account the nature of Processing and the information available to the Data Processor;
g) maintain necessary records and make available to the Data Controller all information
necessary to demonstrate compliance with the obligations of the Data Processor, as laid down
in the Data Protection Laws, and allow for and contribute to audits, including inspections,
conducted by the Data Controller or any auditor mandated by the Data Controller as further
agreed under this DPA; and
h) at the Data Controller’s instructions, delete or return to the Data Controller all the
Personal Data after the end of the provision of the Services relating to Processing, and
delete existing copies unless applicable laws require storage of the Personal Data. Deletion
and return methods may be further agreed between the Parties.
Unless otherwise agreed, the Data Processor shall have the right to invoice any costs
resulting from the assistance under items e) and f) above in accordance with the Data
Processor’s prevailing price list.
6. Security processing
Both Parties shall implement and maintain appropriate technical and organisational measures
to protect the Personal Data, taking into account:
a) the state of the art, the costs of implementation and the nature, scope, context and
purposes of Processing as well as the risk of varying likelihood and severity for the rights
and freedoms of natural persons, and
b) the risks that are presented by the Processing, in particular from accidental or unlawful
destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data
transmitted, stored or otherwise processed.
Such measures include, inter alia as appropriate:
a) the pseudonymisation and encryption of the Personal Data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience
of processing systems and services;
c) the ability to restore the availability and access to the Personal Data in a timely
manner in the event of a physical or technical incident; and
d) a process for regularly testing, assessing, and evaluating the effectiveness of technical
and organisational measures for ensuring the security of the Processing.
The Data Controller shall inform the Data Processor of all issues (including but not limited
to risk assessment and the inclusion of special categories of Personal Data) related to the
Personal Data provided by the Data Controller which affect the technical and organisational
measures that should be employed under this DPA.
The Data Processor may from time to time use Sub-Processors to process the Personal Data
hereunder. Sub-Processor(s) used in the provision of Services are listed in the Service
Agreement. Sub-Processors agreed and used under the existing Services and Service Agreement
shall be considered approved Sub-Processors. The companies listed on Valohai’s website are
approved Sub-Processors at the time of entering into the Service Agreement.
Such use will be under written contract and the Data Processor will require the
Sub-Processor to comply with the data protection obligations applicable to the Data
Processor under this DPA or obligations which provide for the same level of data protection.
The Data Processor will be liable for its Sub-Processor’s actions as for its own.
The Data Controller agrees that the Data Processor has a general consent to use the Data
Processor’s Affiliates as Sub-Processors when Processing Personal Data.
The Data Processor will inform the Data Controller in advance of any intended changes
concerning the addition or replacement of Sub-Processors.
8. Transfer of personal data
The Data Processor will only transfer Personal Data out of the territory of the member
states of the European Union, the European Economic Area, or other countries which the
European Commission has found to guarantee an adequate level of data protection
(collectively, the “Approved Jurisdictions”) with the Data Controller’s prior written
Data originating from outside the EU may be transferred to the EU, processed there, and
transferred back to any country or area.
If required by applicable legislation, the Data Processor shall enter into relevant
contractual arrangements with required parties (including with the Data Controller itself or
any of the Data Controller’s Affiliates) for the lawful transfer of Personal Data from the
Approved Jurisdiction to third countries.
Such contractual arrangements shall be carried out in accordance with the standard data
protection clauses adopted or approved by the European Commission (“Standard Contractual
Clauses”). As an alternative to entering into the Standard Contractual Clauses, the Data
Processor may rely upon an alternative transfer safeguard permitting and providing for the
lawful transfer of Personal Data outside of the Approved Jurisdictions, provided that such
safeguard is in compliance with applicable legislation.
In case of conflict between the Standard Contractual Clauses or any other alternative
transfer safeguard permitting the lawful transfer of Personal Data outside the Approved
Jurisdictions and the DPA, the Standard Contractual Clauses or such alternative framework
shall always take precedence over the Service Agreement and this DPA.
9. Notification of personal data breach
The Data Processor shall without undue delay (24h) notify the Data Controller if it, or one
of its Sub-Processors, becomes aware of a Personal Data Breach. Information shall be
provided to the contact person named by the Data Controller, if not otherwise agreed between
The Data Processor shall without undue delay inform the Data Controller of the circumstances
giving rise to the Personal Data Breach, and any other related information reasonably
requested by the Data Controller and available to the Data Processor.
Additionally, to the extent it is available, the Data Processor shall provide to the Data
Controller the following information:
a) a description of the nature of the Personal Data Breach including, where possible, the
categories and approximate number of data subjects concerned and the categories and
approximate number of Personal Data records concerned;
b) a description of the likely consequences of the Personal Data Breach; and
c) a description of the measures taken or proposed to be taken by the Data Processor to
address the Personal Data Breach, including, where appropriate, measures to mitigate its
possible adverse effects.
The Data Controller and its customers whose data may be processed hereunder shall be
entitled to audit the Data Processor’s performance of its Processing obligations under this
The Data Controller shall use external auditors who are not competitors of the Data
Processor to conduct such an Audit. The Parties shall agree well in advance on the time and
other details relating to the conduct of such Audits.
The Audit shall be conducted in such a manner that the Data Processor’s undertakings towards
third parties (including but not limited to the Data Processor’s customers, partners and
vendors) are in no way jeopardized. All the Data Controller’s representatives or external
auditors participating in the Audit shall execute customary confidentiality undertakings
towards the Data Processor.
The Data Processor shall always allow any relevant regulatory authority supervising the Data
Controller’s business to conduct Audits of the Data Processor’s operations, in which case
relevant parts of the Parties’ agreement hereunder shall apply.
The Data Controller shall bear all Audit expenses, and compensate the Data Processor for any
and all costs incurred as a result of the Audit.
The Data Processor shall:
a) keep any Personal Data received from the Data Controller confidential;
b) ensure that persons authorized to process the Personal Data have committed themselves to
c) ensure that Personal Data is not disclosed to third parties without the Data Controller’s
prior written consent, unless the Data Processor is obliged by mandatory law or decree to
disclose such information.
In case data subjects or governmental authorities make a request concerning Personal Data,
the Data Processor shall, as soon as reasonably possible, inform the Data Controller about
such requests before providing any response or taking other action concerning the Personal
In case any applicable authority prescribes an immediate response to a disclosure request,
the Data Processor shall inform the Data Controller as soon as reasonably possible, unless
the Supplier is prohibited by mandatory law or authority order from disclosing such information.
12. Limitation of liability
The limitations of liability set out under the Service Agreement shall apply also to this
The Parties agree that the general principle of division of responsibilities between the
Parties relating to administrative fines imposed by any relevant supervisory authority or
claims by data subjects under this DPA is based on the principle that the respective Party
needs to fulfill its own obligations under the Data Protection Laws. Hence, any
administrative fines imposed or damages ordered should be paid by the Party that has failed
in its performance of its legal obligations under the Data Protection Laws, as decided by
the relevant supervisory authority or competent court authorized to impose such fines or
damages. Therefore, the limitations of liability set out under the Service Agreement shall
not, however, apply to such fines.
13. Term and Termination
This DPA shall be in effect as long as the Parties have Service Agreements between them in
All provisions which by nature are intended to survive the termination of this DPA shall
remain in full force and effect regardless of the termination of this DPA.