[Customer Ltd] (hereinafter the "Customer")
Ouman and the Customer are referred to separately as a 'Party to the Agreement' and jointly as the 'Parties to the Agreement'

1. Background and purpose of Agreement
The Parties to the Agreement comply with the Finnish Data protection act (1050/2018, as amended) and the General Data Protection Regulation (GDPR) (EU) 2016/679 when processing personal data. The privacy statement for the Ounet service is available via Ouman's website, and as an appendix to the Service Agreement concluded between the Parties. The Customer is responsible for ensuring that it, as a controller of personal data, has an appropriate privacy policy in place. OUMAN provides the Customer with the services specified in other agreements between the Parties. On the basis of such agreements, Ouman, as the processor of personal data, may process personal data that the Customer, as the controller of these personal data, assigns to Ouman for processing in order to meet the rights and obligations between the Parties and, in general, for the management of the contractual and customer relationship between the Parties. This Data Processing Agreement ('DPA') applies to the relationship between the Parties in the extent that Ouman processes personal data on behalf of the Customer. Unless otherwise agreed in this DPA, the terms used here have the same meaning as in the GDPR.

2. Processing of personal data
The Customer is responsible for ensuring that it has the right to disclose personal data for processing by Ouman in accordance with this DPA and the agreements concluded between the Parties in the extent required by the agreements.

2.1. Customer's obligations
As the controller, the Customer must have the necessary rights and permissions for the collection, storage, processing and disclosure of personal data. The Customer is responsible for preparing and updating a privacy statement and/or register description and keeping it accessible, the informing of the data subjects, implementation of the inspection right, and other legality of personal data processing and compliance with the GDPR. The Customer agrees to comply with personal data legislation in force in Finland and the European Union at any given time. The Customer informs Ouman  without delay, of a data subject's requests for exercising their rights, if such are quest requires actions from Ouman.

2.2. Ouman's obligations
Ouman processes the Customer's personal data on documented instructions from the Customer and the legislation in force at any given time, and protects the data in accordance with current practice and its own data protection practices. The Customer is responsible for the lawfulness of its instructions on personal data processing. Ouman will not transfer personal data outside the EU/EEA area without the Customer's prior written consent or a reason based on the GDPR.

Ouman will not transfer personal data outside the EU/EEA area without the Customer's prior written consentor a reason based on the GDPR.

Ouman ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Taking into account the nature of the personal data processing activities, Ouman shall assist the Customer, insofar as this is possible and reasonable, to fulfil the Customer's obligation to respond to requests for exercising the rights of a data subject as laid down in the GDPR. The customer shall always first use the features implemented in the Services to respond to the data subject's requests. To the extent the Customer cannot respond to the request made by a data subject by using the features of the Services, Ouman shall otherwise provide assistance to the Customer with commercially reasonable way. Such rights of the data subject mentioned above are:

including:
a) the right to access personal data;

b) the right to rectify and erase personal data;

c) the right to restrict the processing of personal data;

d) the right to data portability;

e) the right to object to the processing of personal data. At the Customer's request, Ouman assists the Customer, insofar as this is possible and reasonable, to fulfil the controller's obligations laid down in the GDPR, including

f) the implementation of appropriate technical and organisational measures;g) the assistance in the notification of a personal data breach to the supervisory authority and the datasubject;

h) the participation, where necessary, in the preparation of a data protection impact assessment and the prior consultation of the supervisory authority. Ouman implements the appropriate technical and organizational measures to ensure an appropriate level of security, including inter alia as appropriate:

i) the pseudonymization and encryption of personal data;

j) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systemsand services;

k) the ability to restore the availability and access to personal data in a timely manner in the event of aphysical or technical incident;

l) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisationalmeasures for ensuring the security of the processing.

In the above cases, Ouman assists the Customer on the basis of the Customer's request and the information provided by the Customer, using Ouman's own solutions, working methods and data protection instructions. Ouman informs the Customer if a data subject has notified Ouman directly about exercising its rights. The Parties mutually agree on how to react to such requests in practice and which Party responds to such requests.

Ouman has the right to invoice the Customer in accordance with Ouman's price list for the above measures and measures that have been agreed to be carried out by Ouman.

3. Personal data breaches
Ouman will notify the Customer of any personal data breach without undue delay after becoming aware of a personal data breach. If the Customer detects a personal data breach, it will notify Ouman thereof without undue delay. The notification issued by the Parties to one another will at least:

a) describe the nature of the personal data breach;

b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;

c) describe the likely consequences of the personal data breach;

d) describe the measures taken or proposed to be taken by the controller to address the personal data breach.

Where it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay

The Customer documents any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken.

The Customer is responsible for making the necessary notifications to the supervisory authority. If the personal data breach is attributable to the Customer, Ouman has the right to invoice the Customer for any costs incurred by the personal data breach and its investigation.