TERMS AND CONDITIONS CONCERNING JOINT CONTROLLERSHIP
1. BACKGROUND AND APPLICATION
These terms and conditions concerning joint controllership (the “Joint Controllership Terms”) are applied as supplements to the Terms between Avant Tecno Oy (“Avant Tecno”), its importers (“Importer”) and resellers (“Reseller”). Avant Tecno, the Importers and the Resellers are hereinafter referred to jointly also as the “Parties” and each one individually as a “Party”.
The Parties act as joint controllers as defined in Article 26 of the General Data Protection Regulation¹ (the “GDPR”) in regard to the processing of personal data carried out in the Service defined in the Terms. For the sake of clarity, it is stated that the Parties act as independent data controllers when the processing of personal data is not related to the processing of personal data carried out in the Service.
The respective responsibilities of the Parties in complying with the obligations of data controllers set out in the GDPR are defined in these Joint Controllership Terms. These Joint Controllership Terms form an agreement between the Parties using the Service.
Unless otherwise stated, the terms used in these Joint Controllership Terms shall have the same meaning as in the GDPR. Unless otherwise stated, capitalized terms shall have the same meaning as in the Terms.
Should there be any discrepancies between the wordings of these Joint Controllership Terms and the Terms, these Joint Controllership Terms shall be applied primarily.
¹ Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
2. THE SUBJECT-MATTER, PURPOSE AND BASES FOR PROCESSING
2.1. The Subject-Matter
The data subjects are the consumer clients who have purchased Products as well as contact persons of business clients (hereinafter referred to jointly as the “Data Subjects”).
The categories of personal data processed are the Data Subject’s name, contact details, information concerning any organizations possibly represented, client segment, the purchase, maintenance and warranty histories of Products as well as information contained in possible product-related safety deviation notices (hereinafter referred to jointly as “Personal Data”).
2.2. The Purposes and Bases for Processing
Personal data is processed for the following purposes:
- managing customer relationships
- managing the life cycle of Products
- managing warranties
- direct marketing based on customer relationships
In regard to consumer clients, the legal basis for the processing of personal data, pursuant to the GDPR, is the performance of a contract, and in regard to business clients, the Parties’ legitimate interest (the operation and development of business activities).
Compiled and statistical datasets may be derived from Personal Data stored in the Service. However, it is impossible to identify individual Data Subjects from such datasets.
Personal Data is not used for automated decision making or profiling.
3. OBLIGATIONS OF THE PARTIES
3.1. General Obligations
The Parties undertake to adhere to the applicable data protection legislation at any given time, including, but not limited to the GDPR.
Each Party must independently ensure the lawfulness and appropriate documentation of the processing of Personal Data which they conduct. Each Party must ensure that there is a lawful and documented basis for the processing of Personal Data, and ensure the confidentiality, integrity, availability and fault tolerance of the processing systems they use.
3.2. Collecting and Storing Personal Data
Each Party must ensure that the Personal Data processed in connection with the Service is limited to that defined in Section Error! Reference source not found..
Each Party must ensure that Personal Data is stored only for the duration of the customer relationship of the Data Subject or the organization they represent. Each Party must update the Personal Data stored in the Service with any possible amendments that they become aware of.
3.3 Informing the Data Subjects
Avant Tecno has drafted a privacy notice concerning the processing of Personal Data, through which the Data Subjects’ rights to information pursuant to Articles 13 and 14 of the GDPR are fulfilled. Here the Data Subjects are also informed of the joint controllership between the Parties.
3.4 Exercising Data Subject Rights
Data Subjects are encouraged to send their requests concerning the use of data subject rights defined in the GDPR via email to an email account (gdpr@avanttecno.com) maintained by Avant Tecno. Avant Tecno shall forward the requests it receives to that Importer or Reseller with whom the relevant Data Subject has a direct customer relationship or to the actions of which the request is targeted. The aforementioned Importer or Reseller is primarily responsible for fulfilling the Data Subject’s request, unless the Importer or Reseller and Avant Tecno separately agree otherwise. The Parties undertake to use reasonable measures to assist one another in fulfilling the requests concerning Data Subject rights.
For the sake of clarity, it is stated that irrespective of the aforementioned, under paragraph 3 of Article 26 of the GDPR, the Data Subjects may exercise their rights under the GDPR against each of the Parties.
3.5 Information Requests from Supervisory Authorities
Any Importer or Reseller who receives an information request or other correspondence from a supervisory authority must without undue delay notify Avant Tecno via email (gdpr@avanttecno.com).
The Party who has received an information request or other correspondence from a supervisory authority is primarily responsible for replying to it, unless the Parties separately agree otherwise.
3.6 Data Security
Taking into account all the risks relating to the processing of Personal Data, each Party must implement appropriate technical, physical and organizational security measures which ensure a high level of security of Personal Data and protect Personal Data from unauthorized or illegal processing and from unintentional loss, destruction, damage, alteration or disclosure.
Each Party must ensure that only such persons have access to Personal Data for whom it is necessary in order to achieve the purposes for processing said Personal Data, and that these persons are aware of their obligations relating to the processing of Personal Data and they process such data only in accordance with the Parties’ instructions. Each Party must ensure that all persons authorized to access Personal Data have signed a confidentiality agreement or are under a statutory obligation of confidentiality.
3.7 Data Security Breaches
3.7.1. Notifying Other Controllers
Importers and Resellers shall without undue delay notify Avant Tecno via email (gdpr@avanttecno.com) of any and all suspected or detected data security breaches concerning the Personal Data.
The notification to Avant Tecno shall include at least the following:
- a description of the nature of the suspected or detected breach, including the groups and estimated amounts of Data Subjects affected as well as the groups and estimated amounts of categories of personal data, to the extent that these are known;
- name and contact details of a designated person from whom additional details may be requested;
- a description of the likely consequences of the breach; and
- a description of the actions the Party proposes or has taken due to the breach, and, when necessary, actions to minimize the adverse effects of the breach.
Importers and Resellers must also without undue delay report any other detected disturbances or problems which concern Personal Data and could impact the status and rights of a Data Subject.
Avant Tecno shall send a notification of data security breaches concerning Personal Data and the actions already taken and planned due to the breach to all Importers and Resellers through the Service.
3.7.2. Notifying Supervisory Authorities and/or Data Subjects
Unless the Parties separately agree otherwise, the Party who has detected the data security breach is primarily responsible for notifying the relevant supervisory authority and/or Data Subjects of the data security breach.
3.7.3. Actions Taken due to a Data Security Breach
Upon detecting a data security breach concerning the Personal Data, the Parties must without undue delay take actions necessary to eliminate the data security breach and to minimize and rectify its effects.
Importers and Resellers must adhere to any possible instructions given by Avant Tecno concerning the elimination of a data security breach and the minimization and rectification of its effects.
4. DATA PROCESSORS
The Parties may use data processors in the processing of Personal Data provided that the conditions for the use of data processors set out in data protection legislation are met. The Party engaging a data processor must enter into a written agreement with the data processor in accordance with Article 28 of the GDPR.
If the operations of the data processor or their sub-processor require Personal Data to be transferred outside of the EU or the EEA to so-called third countries, the Party which has engaged the data processor must ensure that a transfer mechanism is in place pursuant to Chapter V of the GDPR.
The Parties are responsible for the actions or omissions of the data processors they have engaged as for their own.
5. LIABILITY FOR DAMAGE
Should a Party breach these Joint Controllership Terms causing damage to another Party, the Party in breach is obligated to compensate the suffering Party for the damage.
Should claims be made against a Party due to the actions of another Party violating data protection legislation or these Joint Controllership Terms, the Party violating data protection legislation is liable for such claims in full and is obligated to compensate the other Party for any damages incurred, including, but not limited to legal fees.
The mutual responsibility of the Parties and the data processors possibly engaged for damages caused to a Data Subject is determined pursuant to Article 82 of the GDPR. For the sake of clarity, it is stated that the term “compensation” mentioned in paragraph 5 of Article 82 of the GDPR is also considered to include the reasonable legal fees incurred by a Party.
6. MISCELLANEOUS
6.1 Term of the Agreement
The agreement entered into by accepting these Joint Controllership Terms is binding on the Party for as long as said Party processes Personal Data in the Service as intended in these Joint Controllership Terms. For the sake of clarity, it is stated that when ceasing to use the Service, a Party is responsible for any Personal Data possibly in its possession as an independent data controller in accordance with the obligations set out for data controllers in applicable data protection legislation.
Should the agreement formed by accepting these Joint Controllership Terms be terminated for any reason, the Section concerning liability for damages (Section 5) shall remain in force regardless.
6.2 Termination of the Agreement
Should any Importer or Reseller substantially breach these Terms, Avant Tecno is entitled to cease offering the Service either wholly or partially and terminate the agreements formed by accepting these Joint Controllership Terms and the Terms.
6.3 Applicable Law and Dispute Resolution
The applicable law and dispute resolution clause of the Terms shall be applied to these Joint Controllership Terms.