NOTE: THIS IS UNOFFICIAL TRANSLATION MEANT FOR A REFERENCE, THUS THE FINNISH VERSION TAKES PRECEDENCE OVER ENGLISH VERSION.
PERSONAL DATA OBLIGATIONS IN THE UPM KIINTEISTÖT
1 SCOPE AND CONTENT OF THE AGREEMENT
This processing agreement applies to leases entered into by UPM Kiinteistö where the customer uses an electronic lock system provided by UPM Kiinteistö. As part of the lease agreement, UPM Real Estate may make changes to the agreement.
For the performance of the services related to the lease, UPM Kiinteistöt processes personal data within the meaning of the General EU Data Protection Regulation (EU 679/2016) on behalf of the tenant and UPM Kiinteistöt is a processor of personal data within the meaning of the Regulation. The tenant of UPM Real Estate is the data controller for personal data on the use of its own doors.
The personal data to be processed is the reading data of the electronic lock doors in the area rented by the tenant (later Asiakastieto), which can be combined with natural persons. The tenant shall determine the persons who have the right to enter the premises occupied by the tenant through the electric doors assigned to the tenants.
2 COMPLIANCE WITH LAWS AND INSTRUCTIONS
UPM Kiinteistöt and the tenant undertake to comply with the data protection, privacy and data security obligations under the Data Protection Regulation and national data protection legislation, as well as the written processing instructions set out in this document.
3 PROCESSING OF PERSONAL DATA
UPM Kiinteistöt undertakes to process personal data in accordance with the written instructions set out in this document and provided by the tenant during the term of the lease and also after the termination of the agreement. The costs of the measures have been agreed in the lease.
UPM Kiinteistöt undertakes to process Customer Data only to the extent and for the purpose necessary to perform the tasks referred to in the lease. Customer data will not be used or processed for any other purpose and will not be disclosed, transferred or disclosed to third parties without the tenant's consent, unless required by mandatory legislation or an authority decision.
UPM Kiinteistöt may use a sub-processor to process personal data. In this case, UPM Properties enters into a written agreement with a partner or subcontractor, in which the Customer Information Manager undertakes to comply with obligations similar to those agreed in this document. UPM Kiinteistöt is responsible for the actions and omissions of the subcontractors it uses in accordance with the Data Protection Regulation. Only operators who take adequate safeguards to implement appropriate technical and organizational measures shall be used for processing. UPM Kiinteistöt uses the following sub-processors: Aventra, Schneider, Stanley, Generics Finland, Visy, Avarn, Stanley.
UPM Kiinteistöt has taken risk-based technical and organizational measures to protect Customer Data from unauthorized use and modification in compliance with data protection laws. UPM Kiinteistöt has also taken all precautionary measures required by the tenant and required by the data protection regulation to prevent unauthorized use, alteration and damage to the data.
UPM Kiinteistöt restricts the access of personnel and processors to Asiakastieto to persons who have received adequate data protection training, who need information in the performance of their duties and who have undertaken to comply with confidentiality obligations.
UPM Kiinteistöt undertakes to notify the tenant without delay if the data protection and security measures do not comply with the tenant's instructions or if there is a suspicion of a security breach or anomalies in the processing of Customer Data.
4 DOCUMENTATION AND BREACHES
Both parties are obliged to ensure that the processing of Customer Data is documented in accordance with the Data Protection Regulation and that the other party has access, if necessary, to all information necessary to demonstrate that the data processing obligations have been complied with.
UPM Kiinteistöt undertakes to notify the tenant of the breach of security without undue delay so that the tenant can fulfill its obligations under the data protection regulation. UPM Kiinteistöt is also obliged to assist in resolving the security breach.
5 OTHER TERMS
The lessee has the right to verify compliance with the obligations set out in this Annex to an appropriate extent in accordance with the Data Protection Regulation. The tenant is responsible for the costs of such inspection.
UPM Kiinteistöt discards and deletes or restores Customer Data in its entirety from the systems when the data is no longer needed or when processing operations cease. The data retention period is six years from the creation of the data, Customer data may be needed for the tax authority.
The limitation of liability agreed in the lease agreement applies to the limitation of liability.