Data Processing Schedule for Mapiosa Content Creator Users
Version 2024-10-28
This document in Finnish | Tämä dokumentti suomeksi
1. Scope
Mapiosa is an interactive map service platform provided as a cloud service and mobile application (“Platform”) developed and provided by Fennoscandic Simulation Systems Oy (“Platform Provider”), a Finnish company with business ID 3136431-7 and official address at Kympinkatu 3 C, FI-40320 Jyväskylä, Finland.
The Platform enables the creation, distribution, use, and sale and purchase of interactive maps that the Platform’s users can use through their mobile device.
This Data Processing Schedule for Mapiosa Content Creator Users (“Schedule”) is applicable between the Platform Provider and the registered user (“User”) that creates maps or other content through the Platform. The User shall provide the Platform’s users with assistance in relation to the maps or other content created by the User, and for that purpose have access to the Platform’s users’ email addresses, and map and content usage data stored in the Platform.
This Schedule sets forth the parties’ rights and obligations regarding data protection and compliance with all directly applicable EU legislative acts related to the protection of the Platform’s users’ personal data received by the User (“Personal Data”) as in force from time to time, and all other applicable EU or national data protection legislation (“Data Protection Law”).
2. Assistance and processing activities
With regard to each map created by the User through the Platform, the User shall have access to the Platform’s users’ email addresses as well as their map and content usage data stored in the Platform, once the Platform’s users’ have activated the map. Such Personal Data is made available to the User for the sole purpose that the User can provide assistance to the Platform Provider and/or the Platform’s users who have activated the map, in the event of erraneous content or other problems with or feedback on the map. For clarity, the Platform’s users may contact the User directly with the contact information submitted by the User in the Platform.
The User undertakes to respond to the above-mentioned contacts from the Platform Provider and/or the Platform’s users without undue delay from the receipt of the contact.
3. Compliance with law and instructions
The parties shall comply with this Schedule and the Data Protection Law in relation to the processing of Personal Data as long as the User has access to Personal Data. The User shall process Personal Data only to the extent necessary for fulfilling its obligations under this Schedule and following the Platform Provider’s written instructions.
Once the User no longer has a need to process Personal Data, or on a written request of the Platform Provider, the User shall promptly at the choice of the Platform Provider either delete or return to the Platform Provider all Personal Data.
4. Transfer of personal data
The User shall not process Personal Data outside the area of the EU and the EEA unless otherwise agreed expressly in writing with the Platform Provider.
5. Subcontractors
The User shall not engage subcontractors to process Personal Data unless otherwise agreed expressly in writing with the Platform Provider.
6. Confidentiality
Except to the extent necessary for the User to assist the Platform’s users in accordance with this Schedule, the User shall keep Personal Data confidential, shall have no rights to Personal Data, and shall not access, use, process, disclose, or transfer Personal Data, in part or in whole, to any third party during or after the term of this Schedule unless legally required. The User shall also ensure that its personnel, if any, who have access to Personal Data will process Personal Data only in accordance with this Schedule and have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
7. Safeguards
The User shall implement and use its reasonable efforts to maintain appropriate technical and organisational measures to protect Personal Data against accidental, unauthorized or unlawful destruction, loss, alteration, disclosure or access. The User shall implement, in compliance with the agreed information security requirements and the Data Protection Law, the appropriate measures, which may include, for example, the following measures: (i) the pseudonymisation and encryption of Personal Data where so required, (ii) ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services processing Personal Data, (iii) restoring the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, (iv) regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing of Personal Data, and (v) keeping accurate records of all processing of Personal Data under this Schedule.
8. Data breach notices
The User shall without undue delay provide the Platform Provider with reasonably detailed written notification of its discovery of any data breach. The notification shall contain at least (i) a description of the nature of the data breach including, where possible, the categories and approximate number of individuals concerned and the categories and approximate number of Personal Data records concerned, (ii) the name and contact details of the contact point where more information can be obtained, (iii) a description of the likely consequences of the data breach, and (iv) a description of the measures taken or proposed to be taken by the User to address the data breach, such as measures to mitigate its possible adverse effects.
9. Audit procedures
The Platform Provider shall have the right to audit the processing activities of the User to examine the level of protection and security provided for Personal Data under this Schedule.
The parties agree that the audit right may be exercised by appointment of a recognized independent third-party auditor with proven experience in the field. Such third party must not be a competitor of the User and, prior to the commencement of any auditing activities, the auditor must sign a confidentiality agreement with the User that is substantially similar to the confidentiality provisions contained in this Schedule.
Regarding an audit request directly from a supervisory authority regarding the processing of Personal Data, the User must cooperate with the Platform Provider in responding to the request.
10. Rights of data subjects
If requested by the Platform Provider in order for the Platform Provider to comply with the Data Protection Law, the User shall (i) provide the Platform Provider with a copy of individuals’ Personal Data in tangible or electronic form, (ii) correct, block, or delete individuals’ Personal Data, (iii) provide the Platform Provider with such information and cooperation regarding the processing of Personal Data under this Schedule as the Platform Provider may reasonably request, including assisting in facilitating the exercise of individuals’ rights, and (iv) assist the Platform Provider in providing individuals whose Personal Data is being processed with such information regarding the processing as the Platform Provider may reasonably request.
11. Division of liability
Each party shall be fully liable for its own acts and omissions, including those of its subcontractors, under this Schedule. Consequently, in the event a data subject presents claims, the liability shall be determined in accordance with article 82 of the general data protection regulation (EU) 2016/679 (“GDPR”) or corresponding Data Protection Law, and each party shall be fully liable for any administrative fines imposed on it pursuant to article 83 of the GDPR or corresponding Data Protection Law.
12. Governing law and disputes
This Schedule shall be governed by the substantive laws of Finland, excluding conflict of law principles in any jurisdiction.
Any and all disputes, controversies or claims, which the parties fail to settle amicably, arising out of or relating to this Schedule, or the breach, termination or validity thereof, shall be submitted to the District Court in Jyväskylä (Keski-Suomen käräjäoikeus) as the court of first instance.
13. Updates and validity
The Platform Provider may from time to time update this Schedule at its sole discretion. The updated version of the Schedule will be published on the Platform. The User must accept the updated Schedule as a precondition to continue to access and use the Platform.
This Schedule will be applicable as of the version date set forth at the beginning of this Schedule.