Data Processing Agreement (DPA)
Last Updated: 2024-05-20
Last Updated the Sous-traitants page: 2024-05-12
This DPA outlines the terms under which we process personal data on your behalf.
This Data Processing Agreement ("Agreement") outlines the obligations and conditions under which Petitions24 Oy ("Service Provider") processes personal data on behalf of the petition author ("Petition Author" or "Data Controller") in the provision of online petition hosting services ("Services").
Modification of Terms
We reserve the right to change or modify these Terms at any time without prior notice.
Definitions and Roles
- Service Provider: Petitionenligne.net (Petitions24 Oy), acting as the Data Processor, processes personal data on behalf of the Data Controller as necessary to deliver the Services.
- Data Controller: The Petition Author, who determines the purposes and means of the processing of personal data collected from the signatories of their petition. As the author of a petition hosted on Petitionenligne.net, you are considered the Data Controller. You decide the content of the petition, what is asked from the signatories, the purposes for processing their personal data, and the duration for which the personal data is stored. Petitionenligne.net provides an online platform for creating and hosting petitions, facilitating your role as Data Controller with the autonomy to shape the petition's data collection and usage according to your objectives and legal obligations.
Scope of Processing
The Service Provider will process personal data solely based on the Data Controller's instructions and only as necessary to provide the Services. The scope of processing activities is limited to hosting, managing, and facilitating online petitions.
Data Protection
The Service Provider commits to implementing technical and organizational measures to ensure the security of personal data against unauthorized access, loss, or damage.
Sous-traitants
The Service Provider may engage subprocessors to assist in providing the Services. The Service Provider will ensure subprocessors comply with data protection obligations consistent with this DPA. You acknowledge and agree that The Service Provider retain the discretion to select and replace subprocessors as needed to provide the Services efficiently.
List of the subprocessors (Last Updated: 2024-05-12)
Data Controller Responsibilities
The Data Controller is responsible for ensuring that the collection, processing, and handling of personal data comply with all applicable laws and regulations.
Data Controller Identification
Under the General Data Protection Regulation (GDPR), it is required that the identity of the data controller is clearly stated. The following provisions are made for petition authors using our website:
Individual Petition Authors
If you, as an individual, are creating a petition, you are required to provide your full legal name. This serves as your identification as the data controller for the purposes of the GDPR.
Organizational Petition Authors
If a petition is created on behalf of an organization, the organization's full legal name must be provided. Additionally, the organization should designate and provide contact details of a representative responsible for data processing activities, such as a Data Protection Officer (DPO) or similar.
Data Subject Rights
The data controller must ensure that data subjects (petition signatories) can exercise their rights under the GDPR, such as the right to access, rectify, or erase their data, or to lodge a complaint with a supervisory authority.
Accountability and Compliance
The data controller must be able to demonstrate compliance with the GDPR, including responding to data subjects' requests regarding their personal data.
Privacy Policy or Notice
A clear and accessible privacy policy or notice must be provided, outlining how personal data is processed, the purposes of processing, and how data subjects can exercise their rights.
Notification of Changes
Petition authors are required to notify Petitionenligne.net (Petitions24 Oy) of any changes in their status as a data controller or in their representative's contact details.
Annual Review of Data Processing
The Petition Author is required to conduct an annual review to ascertain whether there is still a valid reason for the continued processing of the personal data of the signatories. This review should assess the necessity and relevance of the data in relation to the purpose of the petition. If the Petition Author determines that there is no longer a valid reason to continue processing the data, they must take appropriate steps to cease the processing and initiate the deletion of the data in accordance with applicable data protection laws.
Data Retention and Deletion
Should the Data Controller (the author of the petition) breach any terms of the Data Processing Agreement (DPA), including but not limited to failure in conducting an annual review of data processing activities or providing a valid justification for ongoing processing of signatories' personal data, the Service Provider reserves the right to remove or delete the personal data associated with their petition.
Limitation of Liability
In no event shall the total liability of the data processor to the data controller for all damages, losses, and causes of action, whether in contract, tort (including negligence), or otherwise, exceed the total amount paid by the data controller to the data processor under this agreement.
Applicable law
This Agreement shall be governed by the laws of Finland.