Agreement on the Processing of Personal Data / Data Protection Agreement (in English)

The protection of personal data must be agreed upon

In a data processing agreement, the controller and the processor agree on how the processor protects the personal data that the controller discloses to it. Besides an agreement on the processing of personal data, the agreement may also be called a privacy agreement, a data processing agreement, a GDPR agreement or a DPA (Data Processing Agreement).

Under the GDPR (General Data Protection Regulation), which became binding in 2018, the agreement must be drawn up without exception whenever personal data is processed.

Personal data can be used to identify a private individual

Personal data is any information on the basis of which a private individual can be identified, directly or indirectly. Personal data includes, for example, a name, a personal identity code, address details and online identifiers such as an IP address. The categories of personal data being processed must be defined in the data processing agreement.

The content and purpose of the data processing must be mapped out precisely

The GDPR imposes fairly extensive obligations as to what data processing agreements must cover. The agreement must define, among other things, the subject matter and duration of the processing of personal data, the nature and purpose of the processing, the type of personal data and the categories of data subjects, and the obligations and rights of the controller.

Sopimuskone takes the requirements of the GDPR into account

Sopimuskone's data processing agreement template takes into account the requirements the GDPR sets for processing agreements. The contents have been drafted by our lawyers and adapt according to your choices. It is therefore not a single template or form, but a smart template with which you draft your agreement more easily. To avoid printing and other hassle, you have access to Sopimuskone's electronic signature, with which all parties can approve the agreement.

This template is in English, but the same template is also available separately in Finnish in Sopimuskone.


--------------------

Agreement on the Processing of Personal Data (Privacy Agreement or "GDPR Agreement")

What is the agreement on the processing of personal data?

In the agreement on the processing of personal data, the controller and processor agree on how the processor needs to protect the personal data disclosed to it by the controller. In addition to being called an agreement on the processing of personal data, the agreement can be referred to as a privacy agreement, a Data Processing Agreement (DPA) or a GDPR agreement.

What is personal data?

Personal data refers to all information that can be used to identify a private individual, either directly or indirectly. For example, your name, personal identification number, address information and network identification information, such as your IP address, are all personal data. The personal data groups being processed must be defined in the data processing agreement.

When should a privacy agreement be drafted?

When a company processes personal data received from another company, the parties need to draft a written agreement on the processing of the personal data. This situation is typically encountered when companies transfer information regarding their customers or employees to subcontractors.

The obligation to create an agreement is based on the EU’s General Data Protection Regulation (GDPR), which became binding in May 2018 and introduced substantially tighter data protection rules for companies. Particular attention has been paid to the high fines and other sanctions that the Data Protection Ombudsman can impose for infringements.

At the same time, the importance of data protection has been growing, which makes good data processing practices a differentiating factor.

What should the agreement contain?

Legislation sets forth fairly extensive obligations regarding what needs to be agreed in the data processing agreements. The agreement needs to define, among other things, the target of the personal data processing and its duration, the nature and purpose of the processing, the type of personal data and the groups of data subjects, and the obligations and rights of the controller.

What is the easiest way to create this agreement?

Sopimustieto’s data processing agreement template is suitable for thousands of different scenarios. You can freely add our standard content to your agreement and edit it as you see fit. This is not a traditional single template or form template, but a modern technology that includes terms and standard content from thousands of different templates.

Our customer companies have already used Sopimustieto to create more than 2,000 data processing agreements.

Which standard clauses does Sopimustieto offer for the data processing agreement?

Sopimustieto offers standard clauses based on legislation in the following areas, for example:

  • General rights and obligations of the controller
  • General rights and obligations of the processor
  • Use of subcontractors in data processing
  • Geographical location of data processing
  • Auditing of data processing
  • Confidentiality
  • Purpose of processing personal data
  • Personal data being processed
  • Data security
  • Validity of the agreement and the duration of the processing of personal data
  • Limitations of liability and other liability matters

In addition to our standard content, you are free to add your own content into the agreement.

What is the difference between the controller and the processor? Which one is my company?

The distinction between the controller and processor is central due to the nature of the entire data processing agreement.

The controller is the party that determines the purposes and means of processing personal data. The processor is the party that handles the disclosed personal data on behalf of the controller. In practice, the processor is a “workhorse” that must not have any contractual power to influence how the personal data is processed.

In principle, the processor is less likely to be liable for the erroneous processing of personal data than the controller, provided that the processor has acted in accordance with an appropriate privacy agreement.

A typical processor may be, for example, a payroll clerk who calculates and pays wages for another company according to the instructions provided.

How do I describe my company’s data security policies in the agreement?

The adequate implementation of data security must be expressly agreed on in the agreement on the processing of personal data. In Sopimustieto’s privacy agreement, you can choose your level of data security commitment by ticking different boxes from anti-virus software to password protection and access control.

How can the other party accept the agreement I have drafted using Sopimustieto?

You can invite the other party to view your agreement on the processing of personal data in Sopimustieto via SMS or email. The other party can accept the agreement using the electronic signature that is part of our service. Using our electronic signature allows you to meet your statutory obligations without printing a single page.

How does the privacy agreement template in Sopimustieto actually work?

  1. Select from our list the terms you wish to include in your agreement (e.g. use of subcontractors, confidentiality, data security)
  2. Sopimustieto will ask you further questions step by step and automatically format texts for your agreement accordingly (e.g. whether personal data is processed outside of the EU)
  3. Sopimustieto advises you about the things you should take into consideration, based on law and the established agreement practice (e.g. the obligation to agree on the duration of the processing of personal data)
  4. When the agreement is complete, the parties will sign it electronically by phone or computer
  5. The agreement is automatically archived on your company’s agreement account, which you can later access directly from your computer or phone (the other party will also receive its agreement copy digitally)
  6. Going forward, you have the opportunity to edit and duplicate this agreement on the processing of personal data for similar situations