Terms and conditions for the processing of personal data

The Y-Foundation Group (hereinafter referred to as the Group, including, inter alia, the parent group Y-Foundation (registered in the Register of Foundations), its subsidiaries Koy M2-Kodit, Y-Säätiön Palvelut Oy and Koy Y-Säätiön Palvelutalot) acquires goods and services (hereinafter referred to as the Service), the supply of which may involve the processing of personal data within the meaning of the EU General Data Protection Regulation (hereinafter referred to as the Regulation). These terms and conditions apply to situations where the Group is the controller of such personal data and the entity or foundation providing the Services (hereinafter referred to as the Supplier) is the processor of that data. These terms and conditions apply when no separate agreement has been made on the processing of personal data.

The terms and conditions are part of the agreement that is created between the Group and the Supplier when the delivery of a Service is agreed on (for example, Group’s order à Supplier’s approval or Supplier’s offer à Group’s approval). By accepting the contract, the Supplier undertakes to comply with these terms and conditions.

In connection with the provision of the Service, the Supplier may receive personal data concerning the Group’s customers, employees or stakeholders. The Supplier undertakes to process such personal data in a careful and secure manner in accordance with the Regulation and data protection legislation. The Supplier may process such personal data only to the extent necessary for the performance of the Service. The Supplier shall not otherwise process such personal data unless there are grounds for processing under the Regulation or data protection legislation.

The Supplier and its personnel must be sufficiently informed about the Regulation and data protection legislation. If the Supplier is not sufficiently informed about the Group’s data protection practices, the Supplier must ask the Group to provide the instructions necessary to perform the Service. The Supplier has access to the Group’s privacy statements on the Group’s website.

Data subjects whose personal data is processed by the Supplier may submit requests to the Group under the Regulation. The Supplier shall assist the Group in these situations in all reasonable ways without undue delay so that the Group can fulfil its obligations to the data subject. The Supplier shall immediately notify the Group of any security breaches that have come to its knowledge.

When the Supplier no longer has the right to process the Group’s personal data under the Regulation or data protection legislation, the Supplier shall erase or return all personal data to the Group and erase existing copies.

In order to verify that personal data is processed in accordance with the Regulation or data protection legislation, the Group has the right to ask the Supplier to provide the necessary information concerning the processing of personal data. The Group or an auditor authorised by the Group shall have the right to carry out, at its own expense, an audit of the processing activities during a pre-agreed period of time. If the Supplier has the right to use subcontractors, it must include requirements equivalent to these terms and conditions in its contracts with these subcontractors. The subcontractor does not have the right to disclose personal data without the right provided for in the Regulation.

The Group and the Supplier are each independently liable for any penalties arising from activities that violate the Regulation or data protection legislation. The Group and the Supplier shall be liable for direct damage caused to each other.

The Group may amend these terms and conditions without prior notice in the event of changes in the data protection provisions or interpretations thereof or if so required by the data protection authority. The Group reserves the right to make minor changes to these terms and conditions. Up-to-date terms and conditions are publicly available on the website.