Data Processing Agreement (DPA)

Last Updated: September 17 2024

Subprocessors page last updated: May 12 2024

This DPA outlines the terms under which we process personal data on your behalf.

This Data Processing Agreement (Agreement) outlines the obligations and conditions under which Petitions24 Oy (Service Provider) processes personal data on behalf of the petition author (Petition Author or Data Controller) in the provision of online petition hosting services (Services).

Modification of Terms

We reserve the right to change or modify these Terms at any time without prior notice.

Definitions and Roles

  • Service Provider: Petitions.net (Petitions24 Oy), acting as the Data Processor, processes personal data on behalf of the Data Controller as necessary to deliver the Services.
  • Data Controller: The Petition Author, who determines the purposes and means of the processing of personal data collected from the signatories of their petition. As the author of a petition hosted on Petitions.net, you are considered the Data Controller. You decide the content of the petition, what is asked from the signatories, the purposes for processing their personal data, and the duration for which the personal data is stored. Petitions.net provides an online platform for creating and hosting petitions, facilitating your role as Data Controller with the autonomy to shape the petition's data collection and usage according to your objectives and legal obligations.

Scope of Processing

The Service Provider will process personal data solely based on the Data Controller's instructions and only as necessary to provide the Services. The scope of processing activities is limited to hosting, managing, and facilitating online petitions.

Data Protection

The Service Provider commits to implementing technical and organizational measures to ensure the security of personal data against unauthorized access, loss, or damage.

Prohibited Data Collection

It is prohibited to request personal identification numbers (such as national ID numbers) from signatories.

Subprocessors

The Service Provider may engage subprocessors to assist in providing the Services. The Service Provider will ensure subprocessors comply with data protection obligations consistent with this DPA. You acknowledge and agree that the Service Provider retains the discretion to select and replace subprocessors as needed to provide the Services efficiently.

List of the subprocessors. (Last Updated: May 12 2024)

Data Controller Responsibilities

The Data Controller is responsible for ensuring that the collection, processing, and handling of personal data comply with all applicable laws and regulations.

Data Controller Identification

Under the General Data Protection Regulation (GDPR), it is required that the identity of the data controller is clearly stated. The following provisions are made for petition authors using our website:

Individual Petition Authors

If you, as an individual, are creating a petition, you are required to provide your full legal name. This serves as your identification as the data controller for the purposes of the GDPR.

Organizational Petition Authors

If a petition is created on behalf of an organization, the organization's full legal name must be provided. Additionally, the organization should designate and provide contact details of a representative responsible for data processing activities, such as a Data Protection Officer (DPO) or similar.

Data Subject Rights

The data controller must ensure that data subjects (petition signatories) can exercise their rights under the GDPR, such as the right to access, rectify, or erase their data, or to lodge a complaint with a supervisory authority.

Accountability and Compliance

The data controller must be able to demonstrate compliance with the GDPR, including responding to data subjects' requests regarding their personal data.

Privacy Policy or Notice

A clear and accessible privacy policy or notice must be provided, outlining how personal data is processed, the purposes of processing, and how data subjects can exercise their rights.

Notification of Changes

Petition authors are required to notify Petitions.net (Petitions24 Oy) of any changes in their status as a data controller or in their representative's contact details.

Annual Review of Data Processing

The Petition Author is required to conduct an annual review to ascertain whether there is still a valid reason for the continued processing of the personal data of the signatories. This review should assess the necessity and relevance of the data in relation to the purpose of the petition. If the Petition Author determines that there is no longer a valid reason to continue processing the data, they must take appropriate steps to cease the processing and initiate the deletion of the data in accordance with applicable data protection laws.

Data Retention and Deletion

Should the Data Controller (the author of the petition) breach any terms of the Data Processing Agreement (DPA), including but not limited to failure in conducting an annual review of data processing activities or providing a valid justification for ongoing processing of signatories' personal data, the Service Provider reserves the right to remove or delete the personal data associated with their petition.

Limitation of Liability

In no event shall the total liability of the data processor to the data controller for all damages, losses, and causes of action, whether in contract, tort (including negligence), or otherwise, exceed the total amount paid by the data controller to the data processor under this agreement.

Applicable Law

This Agreement shall be governed by the laws of Finland.