DATA PROCESSING AGREEMENT (updated on 26 May 2025)
1 INTRODUCTION
- This Data Processing Agreement (“DPA”) is an inseparable part of the agreement signed between the Provider and the Company (as defined in the Agreement) concerning the products and services offered by the Provider (“Agreement”). For the purposes of this Data Processing Agreement, the term “Provider” shall refer only to Allshares Oy, who will, as a Processor, process Personal Data on behalf of the Company based on the Agreement.
- If the terms concerning the Processing of Personal Data of the DPA and the Agreement and its Annexes, if applicable, are in conflict, the terms of this DPA will prevail.
2 DEFINITIONS
- “Allshares Group” means any entity within the group of companies having Allshares Oy as ultimate parent company.
- “Applicable Data Protection Legislation” shall mean all legislation and regulations, including regulations issued by relevant supervisory authorities, protecting the fundamental rights and freedoms of individuals and, in particular, their right to privacy with respect to the processing of personal data that from time to time apply to the Controller and the Provider, including without limitation, the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”).
- In accordance with the GDPR, the terms below are defined as follows:
(a) “Controller” means the Company who will define the purposes and methods of Personal Data Processing.
(b) “Personal Data” means any information relating to an identified or identifiable natural person, hereinafter “Data Subject”; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(c) “Processing” means any operation or set of operations which is performed on Personal Data or sets of Personal Data using automated means or manually, such as data collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(d) “Processor” means Allshares Oy, who will Process Personal Data on behalf of the Controller based on the Agreement.
3 RIGHTS AND OBLIGATIONS OF THE PROVIDER AND THE COMPANY
- The Provider will process the Personal Data of the Controller on behalf of, and per instructions issued by the Company, on the grounds of the Agreement. The Company will be the Controller and the Provider will be the Processor of the Personal Data Processed when the Provider provides the services to the Company under the Agreement. The Parties undertake to Process Personal Data in compliance with the Applicable Data Protection Legislation.
- The Company, acting as a Controller, is responsible for ensuring that the Processing of Personal Data is undertaken in compliance with Applicable Data Protection Legislation. Information regarding e.g. the purpose and nature of the Processing, types of Personal Data Processed and categories of Data Subjects whose Personal Data is Processed when providing the services is listed in Annex 1.
- The Provider is entitled to Process the Personal Data and other data of the Company only on the grounds of the Agreement, this DPA and according to the written instructions of the Company, and only to the extent and in the manner necessary in order to provide the services. The Provider will notify the Company of any conflict with Applicable Data Protection Legislation and in such a case, the Provider may immediately decline and stop the application of the instructions of the Company.
- The Provider is entitled to collect anonymous and statistical data on the use of the services pursuant to the Agreement, that does not identify the Company nor the Data Subjects, and to use it for analyzing and developing the Allshares Group’s services.
- The Provider also has the right to anonymize the Personal Data processed by it under this DPA and use that anonymized data within the Allshares Group a) as part of benchmark material used in the production of similar products and/or services, and/or b) in test environments of IT systems. Such anonymized information used as part of the benchmark material and the anonymized information used in the test environment is not Personal Data and is not subject to data protection regulation.
4 SUB-PROCESSORS
- The Provider is entitled to engage sub-processors for the Processing of the Company’s Personal Data and is hereby given a general authorization by the Company to do so. The Provider is fully liable for its sub-processors and ensures that it has entered into written agreements with the sub-processors concerning the Processing of Personal Data, which impose materially the same obligations on the sub-processor as this DPA.
- The currently authorized and engaged sub-processors are listed in Annex 1. The Provider will inform the Company in advance of any changes concerning the addition or replacement of sub-processors, with thirty (30) calendar days’ prior written notice by e-mail to the contact person in the Agreement. The Company may object to such engagement of a sub-processor by written notice to the Provider within twenty (20) calendar days of the Company’s receipt of the notice from the Provider. In the absence of any written objection from the Company, the Company will be deemed to have consented to such change.
5 PROVIDER’S OBLIGATION TO PROVIDE ASSISTANCE
- The Provider will immediately forward all Data Subjects requests under the GDPR to the Company. If requested by the Company, the Provider will support the Company in fulfilling the requests of the Data Subjects.
- The Provider is obligated, taking into account the nature of the Processing of Personal Data and the data available, to assist the Company in ensuring that the Company complies with Art. 32-36 GDPR. The Provider is obligated to assist the Company only to the extent that applicable legislation obligates the Processor of Personal Data. Unless otherwise agreed, the Provider is entitled to invoice the expenses incurred from assisting the Company.
- The Provider will forward all inquiries made by data protection authorities directly to the Company and will await further guidance from the Company. Unless otherwise agreed, the Provider is not authorized to represent the Company or act on behalf of the Company in relation to the authorities supervising the Company.
6 TRANSFERS OF PERSONAL DATA OUTSIDE THE EU/EEA
- The Provider and its sub-processors may from time to time process Personal Data outside the EU/EEA when providing the services within the Agreement.
- In case Personal Data would be transferred outside the EU/EEA, the Provider ensures that the transfer is: (a) to countries for which the European Commission has decided that they have an adequate level of data protection, or (b) subject to standard contractual clauses approved by the European Commission or other appropriate safeguards as described in Article 46 of the GDPR.
7 AUDITING
- The Company or an auditor authorized by the Company (however, not a competitor of the Provider) is entitled to undertake audits, including inspections, of the Provider’s activities pursuant to the DPA. The Provider shall make available to the Company, or the auditor authorized by the Company, all information necessary to demonstrate compliance with the Provider’s obligations laid down in this DPA and in Art. 28 GDPR. The Parties will agree on the time of the audit and other details ahead of time and at the latest fourteen (14) days before the audit. The audit will be carried out in a way that does not impede the obligations of the Provider or its sub-processors in regard to third parties. The representatives of the Company and the auditor must sign conventional non-disclosure commitments.
- Each Party will be responsible for its own expenses caused by the auditing. If the audit discloses the Provider being in a material breach of this DPA, the Provider will compensate the Company for costs and expenses of the audit.
8 TECHNICAL AND ORGANIZATIONAL MEASURES
- The Provider implements and maintains the appropriate technical and organizational measures in accordance with Annex 2 to protect the Personal Data of the Company, taking into account all the risks of Processing, especially the unintentional or illegal destruction, loss, alteration, unauthorized disclosures or access to Personal Data that has been transferred, saved or otherwise Processed, and other requirements of the GDPR. When organizing the security measures, the technical options and their costs will be assessed in relation to the special risks of the Processing at hand and the sensitivity of the Personal Data Processed.
- The Provider will ensure that the personnel of the Provider and the sub-processors of the Provider will abide by the appropriate non-disclosure and confidentiality commitments.
9 DATA BREACHES
- The Provider must notify the Company of all Personal Data breaches without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a breach. The Provider will, without undue delay, give the Company all relevant information concerning the data breach. In so far as the information in question is available to the Provider, the Provider will describe at least the following to the Company:
(a) the data breach that occurred,
(b) the nature of the personal data including, where possible, the sets of Data Subjects and the number thereof, as well as the sets of Personal Data types and estimated numbers,
(c) a description of the likely consequences caused by the data breach, and
(d) a description of the reparative measures that the Provider has implemented or will implement in order to prevent data breaches in the future, and if necessary, the measures to minimize the harmful effects of the data breach.
- The Provider will document and report to the Company all the Personal Data breaches and the consequences thereof, along with the corrective actions it has taken or plans to take.
10 LIABILITY
- The Provider will be liable for damage only in so far as it has not explicitly abided by the obligations directed to processors in the GDPR or this DPA.
- Both Parties are obligated to pay only the part of the damages or administrative fine that corresponds to the liability for damage imposed on the Party in breach of its obligations in the final decision of a data protection authority or a court of law, and, in consequence, neither Party will bear the other Party’s administrative fines to the extent that it is not the Party's contractual breach that has given rise to the circumstances for which the administrative fine has been imposed.
- In all cases the Parties’ liability for damages under the DPA will be determined pursuant to the Agreement and will be limited in scope and to the maximum amounts set out in the Agreement.
11 OTHER PROVISIONS
- The Provider will notify the Company in writing of all changes that may affect its ability or chances to abide by this DPA and the written guidance of the Company. The Parties will agree on all additions and amendments to this DPA in writing.
- The DPA will remain in force as long as (i) the Agreement is in force or (ii) the Parties have obligations concerning Personal Data processing activities towards one another.
- If the Agreement is terminated, the Provider will either: (i) delete or irreversibly anonymize the Personal Data, or (ii) if the Company so requests in writing, return the Personal Data to the Company. The Personal Data will be deleted or anonymized by the end of June in the year succeeding the year in which the termination notice was issued, unless the Provider has by then received the Company’s written request for returning the Personal Data. However, the Provider will continue to retain the Personal Data if required to comply with applicable legal retention obligations.
- Those obligations that due to their nature are meant to survive the expiry of this DPA will remain in force after the expiry of the DPA.
PROCESSING SPECIFICATION FORM (ANNEX 1)
This Processing Specification Form is an inseparable part of the DPA. The Processing Specification Form specifies the processing assignment the Processor performs for the benefit of the Controller in the manner provided for in the Agreement, DPA and this Annex.
1 Services
The Processing will concern the following services:
Incentive plan administration service and related online portal offered by Allshares Oy
2 Approved Sub-processors
The sub-processors used and approved by the Company at the time of signing this DPA are listed out in the website linked here: https://www.allshares.com/allshares-subprocessors. The password to the page is “Sub-processors”.
3 Sets of Data Subjects
The Company’s employees, directors, managers, shareholders (if applicable), agents, consultants, temporary and casual workers as well as other participants in the Company’s incentive plans, as relevant.
4 Types of Personal Data
Employment and HR information, such as name, email, date of birth, address, social security number, X-ID, phone number, personnel ID, title, legal and business unit, country, employment status (start, end, leaver status), language.
Financial information, such as incentive schemes, incentive grants, ownerships and payouts, salary, taxation country, currency, bank account number, securities account number.
IT management details such as IP address, login data, access rights, username.
5 Special sets of Personal Data processed
None.
6 Retention Period for Incentive Plan Participants
Unless otherwise instructed by the Company in writing, the Provider will retain the Personal Data for a duration of six (6) years following: (i) the conclusion of the year in which the Data Subject’s employment or service ceases, (ii) the conclusion of the year in which the incentive plan in which the Data Subject participated has ended, on the condition that the Data Subject has not engaged in any subsequent incentive plans and no awards are outstanding, or (iii) the conclusion of the year in which the Data Subject’s awards were settled, on the condition that the Data Subject has not engaged in any subsequent incentive plans and no awards are outstanding. Upon expiry of the retention time, the Provider will delete or irreversibly anonymize the Personal Data.
7 Retention Period for Shareholders in the Share Register Service (if applicable)
Unless otherwise instructed by the Company in writing, the Provider will retain the Personal Data for a duration of ten (10) years from the conclusion of the year in which the Data Subject ceased to be a shareholder in the Company. Upon expiry of the retention time, the Provider will delete or irreversibly anonymize the Personal Data.
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES (ANNEX 2)
The purpose of this document is to describe the principles of the technical and organizational data security measures of Allshares Oy (“Provider”), which the Provider provides for all customers as a standard in the Provider’s products and services as required by the Regulation (EU) 2016/679 of the European Parliament and of the Council (“General Data Protection Regulation”).
The Provider implements appropriate technical and organizational data security measures which are designed to meet the data protection principles in an effective manner and ensures that appropriate safeguards are integrated into the personal data processing in order to meet the requirements of the GDPR and to protect the rights of data subjects as described below.
1 DATA PROTECTION RISK ASSESSMENT
The Provider executes a risk assessment for each product or service. The Provider executes the data protection risk assessment in order to decide which data security measures shall be implemented. The aim is to define the appropriate level of data security measures for each product or service. In all cases, Provider has implemented at least the security measures described in chapters below.
2 SECURITY MEASURES
The Provider maintains security and privacy policies. The policies comply with applicable rules on data protection and information security. Said policies are subject to regular internal review process and may be reviewed by third parties, in accordance with applicable laws and regulations.
The published ISO/IEC 27000 series of standards related to information security, cybersecurity and privacy protection is used internally as a guiding framework; however, the Provider is not ISO certified.
The Provider uses the Microsoft Azure cloud hosting environment in the EU region, which is ISO compliant. Microsoft online services undergo regular independent third-party audits for ISO compliance. More information is available at the following address: https://servicetrust.microsoft.com/viewpage/ISOIEC
More information on relevant certifications of Microsoft Azure cloud hosting environment is available at the following address: https://servicetrust.microsoft.com/
3 SECURITY OF PERSONAL DATA
The Provider is implementing the following measures based on article 32 of the General Data Protection Regulation (Security of processing).
3.1 Pseudonymizing and Encryption of Personal Data
The Provider uses encryption and/or pseudonymization in its operations to mitigate data protection risks where appropriate. Encryption and pseudonymization techniques may vary between services depending on the service requirements and the data protection risk assessment. Details of the measures used are available upon request by a competent authority.
3.2 Ability to Ensure the Ongoing Confidentiality, Integrity, Availability and Resilience of Processing Systems and Services
Protection of personal data requires the implementation of multiple security controls. Operational processes follow good industry practice and help to secure quality of service and safeguard personal data processing.
The Provider has a centralized system to manage administrative access to customer environments. To access a customer system, the employee must have a valid reason and access is only approved by utilizing a jointly agreed process with the customer. At minimum, all access to customer environments requires an encrypted tunnel within the Provider’s network. Connections to customer environments are logged to provide a full audit trail of administrative operations in customer environments. All remote access to the Provider’s services requires an encrypted connection and other possible measures (e.g. MFA, strong authentication, or IP verification) as required by the data protection risk assessment.
Unauthorized persons are prevented from gaining physical access to data processing facilities. Microsoft designs, builds, and operates datacenters in a way that strictly controls physical access to the areas where the personal data is stored. Microsoft conducts periodic security reviews of facilities. Personal data is protected against accidental and unlawful destruction utilizing physical and environmental controls. The Provider controls, monitors and audits all administrative connections, third-party access and file transfers which are deployed within the Provider’s infrastructure.
The Provider executes a framework for planning, executing and controlling customer business related operations. The organizational structure assigns roles and responsibilities to provide for adequate staffing and efficiency of operative capabilities. The Provider’s management establishes authority and appropriate lines of reporting for key personnel. As part of the hiring process, education verification and background checks are conducted based on the employee’s position and level of access to the Provider’s processing facilities and systems.
The Provider maintains and controls the execution of the Provider’s security policy, provides security training to employees, and performs application security reviews. These reviews assess the confidentiality, integrity, and availability of data, as well as conformance to the Provider’s information security policy.
3.3 Ability to Restore the Availability and Access to Personal Data in a Timely Manner in the Event of a Physical or Technical Incident
To restore the availability and access to personal data in a timely manner in the event of a physical or technical incident, the Provider has backup and business continuity management processes and strategies which ensure rapid restoration of business-critical systems as and when necessary.
The Provider has defined continuity and disaster recovery plans for the Provider infrastructure supporting service delivery to customers. These plans are regularly updated and tested and are subject to auditing.
3.4 A Process for Regularly Testing, Assessing and Evaluating the Effectiveness of Technical and Organizational Measures for Ensuring the Security of the Processing
The Provider’s emergency processes, plans and systems are regularly tested to assess and evaluate the effectiveness of technical and organizational measures for ensuring the security of personal data processing. Customer-specific disaster recovery testing is agreed separately.
The Provider conducts internal security testing and vulnerability scanning.