Data Processing Addendum

You or the legal entity that you represent (hereinafter “You”) and Edicy OÜ (registry code: 12176224; Raekoja plats 1, 51003 Tallinn) registered under the laws of Estonia (hereinafter “Voog”) individually herein referred to as a “Party” and collectively as the “Parties”, have concluded this Data Processing Addendum (hereinafter “DPA”) on the following terms:

  1. Background 

    1.1. Parties have concluded a Terms of Service. This DPA is an addendum to the Terms of Service. In the event of conflict between the Terms of Service and the DPA, the DPA shall prevail.

  2. Definitions

    2.1. Terms in this DPA that are written with an upper-case first letter are used hereinafter in the following meanings unless the context indicates a different meaning:

    2.1.1. Applicable Law means all legislation, ordinations and advice from supervisory authorities, applicable to Voog (includes also the European Regulation 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data known as the EU GDPR (General Data Protection Regulation), hereinafter the “GDPR”);

    2.1.2. Consent means any freely given, specific, informed and unambiguous indication of the Data Subject's wishes by which he/she, by a statement or by a clear affirmative action, signifies agreement to the processing of Personal Data relating to him/her; 

    2.1.3. Controller means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of Personal Data; 

    2.1.4. Data Subject means an identified or identifiable natural person;

    2.1.5. Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed; 

    2.1.6. Personal Data means any information relating to a Data Subject that enables that person to be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

    2.1.7. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction; 

    2.1.8. Processor means a natural or legal person, public authority, agency or other body which processes Personal Data on behalf of the Controller;

    2.1.9. Services means services which are listed or provided according to the Terms of Service; 

    2.1.10. Subprocessor means any subprocessor processing Personal Data engaged by Voog; 

    2.1.11. Third Party means a person who is not a Party to the contract concluded between the Parties; 

    2.1.12. Third Party Services means all services which are provided to and for or from a Third Party; 

    2.1.13. Your Controlled Data means the Personal Data processed by Voog on Your behalf and according to Your instructions as part of the Services, but only to the extent of which You are subject to under Applicable Law. Your Controlled Data does not include Personal Data when controlled by us, including without limitation data we collect (including IP address, device/browser details and web pages visited prior to coming to Voog’s Site) with respect to Your end users’ interactions with Your site through their browser and technologies like cookies; 

    2.2. Headings used in this DPA are for convenience only and shall not affect any construction or interpretation of this DPA.

  3. Confidentiality 

    3.1. Voog guarantees to Process and store Personal Data in strict confidence. Personal Data may only be accessed and managed by such persons and Subprocessors and Third Parties of Voog that need access to Personal Data for fulfilling Voog’s obligations under this DPA, have confirmed confidentiality, and only to the extent necessary for fulfilling Voog’s obligations according to this DPA.

    3.2. The obligation of confidentiality pursuant to this section shall apply without any limitation in time and survive termination of the DPA.

  4. Liability 

    4.1. Voog is not responsible for Personal Data that You have elected to process through Third Party Services or outside of the Services, including the systems of any Third Party cloud services, offline or on-premises storage.

  5. Indemnification 

    5.1. You shall indemnify and hold Voog harmless from any damage, claims or administrative fines incurred by or arising against Voog, whether directly or indirectly, due to Your Processing of Personal Data in breach of this DPA or Applicable Law.

    5.2. If claims or administrative fines are directed against Voog as a result of breach of this DPA or Applicable Law, You shall immediately notify Voog thereof and take every possible measure to mitigate the damages resulting from the breach. 

    5.3. Without prejudice to the regulations regarding right to compensation, liability and fines, if Voog infringes Applicable Law by determining the purposes and means of Processing, Voog shall be considered to be a Controller in respect of the Processing and hence fully responsible for any such Processing.

  6. Force majeure 

    6.1. Parties understand and agree that the Party shall not be liable in connection with any force majeure event, including labour disputes or other industrial disturbances, electrical, telecommunications, hardware, software or other utility failures, software bugs or weaknesses, earthquakes, storms, or other nature-related events, blockages, embargoes, riots, strikes, acts or orders of government authority, acts of terrorism or war, technological change and changes in interest rates or other monetary conditions.

    6.2. If an event of force majeure occurs, the Party injured hereto by the other’s inability to perform may elect to suspend the DPA, in whole or part, for the duration of the force majeure circumstances.

  7. Voog’s Processing Responsibilities 

    7.1. We process Your Controlled Data for the purpose described in our Privacy Policy and Terms of Service or consents You give us through Your Account. You agree that the Agreement and the instructions given through Your Account are your complete and final documented instructions to us in relation to Your Controlled Data. 

    7.2. Audits

    7.2.1. Voog shall make available to You upon request all information necessary to demonstrate compliance with the obligations laid down in this DPA.

    7.2.2. Voog shall allow for and contribute to audits, including inspections, requested by You. These audits may be conducted by an independent auditor bound by confidentiality obligations appointed by Voog.

    7.2.3. The audits will be carried out no more than once a year, unless an exceptional event justifies an audit (e.g. a request or investigation by a supervisory authority, a request by a Data Subject).

    7.2.4. Your right to request audits cannot affect and/or impede Voog’s economic and professional activities, Voog’s other clients and Data Subjects, Voog’s confidentiality obligations etc. Voog can determine the audit conditions regarding time and place.

    7.2.5. When infringements are detected during the audits, Voog will be given a reasonable timeframe (usually from twenty (20) to forty (40) days, but possibly less), depending on the nature and severity of the infringements, to implement corrective actions at Voog’s own expense.

    7.2.6. You will pay Voog’s costs in considering and addressing any request in relation to the audits. 

    7.3. Sub-Processors

    7.3.1. Voog has the right to engage a Subprocessor to carry out all or part of the Processing activities entrusted to Voog by You.

    7.3.2. Upon your written request Voog shall communicate to You in writing (i) the identity of the Subprocessor, (ii) the location of the Subprocessor and (iii) the location of the Processing activities carried out by the Subprocessor.

    7.3.3. The Subprocessor shall be subject to the same obligations as Voog according to this DPA. Therefore, the Subprocessor shall comply with all obligations set out in this DPA and the obligations applicable to the Processor under the GDPR and any applicable data protection laws and regulations. Voog must impose these obligations on the Subprocessor, in writing by the way of a contract.

    7.3.4. Voog shall cause the Subprocessor to strictly comply with all obligations set out in this DPA and Voog will in any case remain fully liable to You for the due and timely performance of all and any such obligations by the Subprocessor.

    7.4. Security measures

    7.4.1. Parties shall implement appropriate technical and organizational measures to ensure an adequate level of security for the Personal Data in order (in particular) to prevent the Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, use or unauthorized access. These measures must comply with Applicable Law.

    7.4.2. Parties must implement a process for regularly testing, assessing and evaluating the effectiveness of these measures for ensuring the security of the Processing.

    7.4.3. Voog agrees that it shall not disclose any Personal Data to any third party without Your consent, except according to this DPA or if legally allowed or obligated to do so.

    7.5. Cross border data transfers

    7.5.1. Voog shall not transfer Personal Data provided by You, its affiliates or their employees to countries outside the European Economic Area or other countries with cross border data transfer restrictions unless Voog has implemented appropriate safeguards in accordance with Applicable Law.

    7.5.2. Prior to any cross border transfer, Voog must confirm whether there is (i) a decision from the European Commission or a competent authority in the relevant exporting country acknowledging that the importing country or importing category of recipients provide an adequate level of protection (ii) approved binding corporate rules or (iii) an approved certification authorizing the transfer or (iv) an approved code of conduct authorizing the transfer or (v) another approved data transfer mechanism in the relevant exporting country.

    7.5.3. When the transfer cannot benefit from the above-mentioned safeguards, Voog (as a Data Exporter) and the Data recipient (as a Data Importer) must conclude and implement standard contractual clauses adopted or approved under Applicable Law or regulations of the exporting country, such as the “Standard Contractual Clauses (processors) for the transfer of personal data to processor established in third countries which do not ensure an adequate level of data protection” proposed by the EU Commission. In this context, Voog (i) will make sure that, at all times, the Data Importer fully implements appropriate safeguards in accordance with this DPA and Applicable Law, (ii) proceeds with any relevant assessment, and (iii) immediately informs the Data Controller (You) in case of any breach by the Data Importer or, as the case may be, any subsequent Subprocessors.

    7.5.4. If You are the one who asks for the transfer of Personal Data to a third country, You have to submit to Voog documentation which confirms that the transfer complies with Applicable Law.

  8. Data Breach

    8.1. In case of a Data Breach that is likely to result in a high risk for the rights and freedoms of a Data Subject, Voog shall notify You immediately after becoming aware of the Data Breach.

    8.2. The notification shall, in any case, include the following information: description of the facts, type of breach (confidentiality / integrity / availability), stakeholders, countries, nature of compromised Personal Data, number of individuals impacted, approximate number of records compromised, likely consequences of the Data Breach, measures taken to address the Data Breach, measures taken to address the adverse effects. Where any of the information is not available at the time of the original notification, Voog shall obtain such information forthwith and immediately notify You of such information after becoming aware of it.

    8.3. Voog must provide prompt support to You in assessing the need for and dealing with the notification of a Data Breach to supervisory authorities and to the Data Subjects, including the communication of any information needed to comply with these obligations. Voog shall forthwith propose measures to mitigate the Data Breach and its adverse effects on Data Subjects. Once agreed by You, these measures shall be promptly implemented by Voog at Voog’s cost, unless the Data Breach is due to Your default or failure.

  9. Data Subjects’ rights

    9.1. As part of its duties under this DPA, Voog shall provide all reasonable assistance to You for the fulfilment of Your obligation to respond to requests from Data Subjects exercising their data protection rights.

    9.2. In the event that Voog as the Processor receives such requests directly from Data Subjects, Voog must not respond directly to such request but, within a maximum of 10 days from the receipt of such request, inform You and provide all relevant information to You in a timely manner in order to enable You to respond to the Data Subject’s request. Taking into account the nature of the Processing, Voog must (i) provide You all necessary information in order to respond to a request based on the right of access and the right to portability, in the appropriate form and format, (ii) take necessary steps in order to implement the instructions given by You to address requests based on the rights of erasure, rectification, restriction and objection. Voog’s action and response must be provided timely in order to enable You to comply with the required timeframes under applicable laws and regulations.

    9.3. In the event that Voog receives a data protection claim from a Data Subject, it shall immediately inform You and provide forthwith all relevant information in order to enable You to participate in the defense of such a claim. In the event of a failure to do so Voog shall bear any costs, losses, expenses or claims which You pay or are ordered to pay to Data Subjects in respect of such a claim, unless the claim is caused by Your actions or omissions.

  10. Cooperation with the supervisory authority 

    10.1. Voog must inform You immediately upon receiving a request relating to data privacy from a supervisory authority according to Applicable Law, unless a court document or equivalent document forbids it from doing so.

    10.2. Taking into account the information available, Parties will promptly and efficiently assist the other Party in its obligation to cooperate with the supervisory authority, in order to enable the Party to respond promptly to any queries of the supervisory authority.

  11. Term and changes of the DPA

    11.1. This DPA is valid from signing and for as long as Voog Processes any Personal Data on behalf of Party.

    11.2. In case of changes in Applicable Law, a final judgement that causes another interpretation of Applicable Law, the Services under this DPA, or in the event of a material change in the ownership structure of Voog, the Parties shall in good faith cooperate to update the DPA accordingly.

    11.3. Voog shall be entitled to give written notice of termination of this DPA, effective immediately or at any later date, in the event the Parties cannot agree on a suitable change in the DPA due to changes in Applicable Law, a final judgment, if the Services under the Agreement require changes to this DPA, or in the event of a material change in the ownership structure of Voog.

    11.4. Any breach of the obligations by You under this DPA is deemed material and entitles Voog to give written notice of termination of this DPA effective immediately or at any later date.

  12. Applicable law and Disputes

    12.1. The DPA has been drawn up in accordance with the laws of the Republic of Estonia and the application, interpretation, and termination thereof shall be subject to the laws of the Republic of Estonia.

    12.2. Any disputes arising from the performance of the DPA shall be settled through negotiations. If the Parties fail to resolve the dispute through negotiation, the disputes shall be settled by Harju Maakohus (Harju County Court), pursuant to the procedure provided by the law of the Republic of Estonia.