Personal Data Processor Agreement

1. PARTIES

Åland Post Ab (“Axla”) and “the Customer” have concluded the following personal data processor agreement.

2. BACKGROUND

The parties separately concluded a service agreement in accordance with which Axla will provide services specified in the service agreement to the Customer (“the Service Agreement”). Within the scope of the execution of these services, Axla will process personal data on behalf of the Customer such as the names of recipients of consignments, address data, consignment contents and other delivery information. Given this fact, the parties have agreed in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (the “EU’s General Data Protection Regulation”) to conclude this agreement as an appendix to the Service Agreement.

Terms in accordance with this agreement shall be interpreted in accordance with the EU’s General Data Protection Regulation. Personal data in accordance with this agreement refers to such personal data that is processed by Axla on behalf of the Customer through execution of services in accordance with the Service Agreement.

3. INSTRUCTIONS

Axla shall process personal data in accordance with documented instructions from the Customer, as included in the Service Agreement and Service Specifications.

4. ÅLAND POST’S OBLIGATIONS AS A PERSONAL DATA PROCESSOR

Axla shall undertake reasonable technical and organisational measures to protect personal data from unauthorised access, observing the requirements in article 32 of the EU’s General Data Protection Regulation.

Axla may not engage another processor without prior specific or general authorisation of the Customer. Axla shall enter into a written sub-processing agreement with its sub-processor. Such agreement shall contain obligations not less stringent as those imposed on Axla under these instructions.

Axla shall assist the Customer with using appropriate technical and organisational measures, insofar as this is possible, to respond to individuals’ requests to exercise their rights in accordance with the EU’s General Data Protection Regulation.

Axla shall assist the Customer in ensuring compliance with obligations with regard to security measures, reporting personal data incidents and information on such incidents to the registered parties, as well as impact assessment and prior consultation in accordance with the EU’s General Data Protection Regulation.

Axla shall ensure that the employees authorised to handle personal data has committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Axla shall delete all personal data processed by Axla in its capacity as a personal data processor in relation to the Customer when Axla’s provision of processing services in accordance with the Service Agreement has come to an end.

Axla shall make available to the Customer information required to demonstrate compliance with its obligations as a personal data processor and contribute to audits conducted by the Customer in its capacity as a personal data controller.

5. CONFIDENTIALITY

Axla may not without the Customer’s consent submit personal data to any third party, except when such submission may be required by law.

The law provides for the assurance of the privacy of correspondence and a duty of confidentiality for post office employees.

6. INDEMNITY

The Customer shall indemnify and hold Axla harmless of any sanctions and/or claims for damages aimed at Axla as a consequence of Axla’s position as a personal data processor in relation to the Customer, unless such sanctions and/or claims for damages are due to Axla acting contrary to the Customer’s written instructions regarding the processing of personal data.

Axla bears no liability for indirect damage, unless Axla has caused such damage by wilful conduct or gross negligence.

7. DISPUTE RESOLUTION, ETC.

This agreement constitutes an annex to the Service Agreement. In case of discrepancy between this agreement and the Service Agreement the Service Agreement shall prevail. Disputes arising out of or in relation to this agreement shall be determined as specified in the Service Agreement.

8. TERM OF THE AGREEMENT

This agreement will apply from the day of signing and stay in force for as long as Axla processes personal data on behalf of the Customer in accordance with the Service Agreement.