Skip to content

Uuva Cloud Privacy Statement

Data protection agreement


They apply to all entities that have entered into a service contract with Uuva Oy from 25 May 2018
the terms of this privacy notice. The contracting parties commit themselves to the general European Union
data protection regulation (679/2016) based on compliance with this appendix. The attachment applies
situations where the client processes personal data of Uuva acting as the data controller
Oy's account.


2.1 The processor will process personal data on behalf of the controller. The object of processing is
may arise from the data controller's collection and other administrative systems
personal data of registered users. Those registered are respectively debtor customers or
financial customers.

2.2 The processor will process personal data on behalf of the controller for the time being.

2.3 The personal data processed are necessary for the collection of receivables
personal information necessary to identify debtor customers, as well as possible
personal data used in invoicing services, invoice financing and financial services.


3.1 The more precise scope of this appendix is ​​determined by the scope of cooperation between the parties prevailing at any given time. The parties undertake to secure the protection of registered rights referred to in the General Data Protection Regulation.

3.2 The controller has the right to give the processor more specific binding instructions on the application of the terms of this appendix. Such instructions must be given in writing.

3.3 The processor and the personnel it uses undertake to comply with the valid one
provisions of data protection legislation when processing personal data. The processor immediately informs the data controller if the latter considers that the data controller's instructions violate the applicable data protection legislation.
3.4 The controller must take the necessary measures to ensure that the processing of personal data transferred to the processor is in accordance with the data protection legislation in force for the controller.

3.5 At the request of the data controller, the processor must immediately provide everything to the data controller
such information that the controller may need to fulfill the rights of the data subjects or to comply with the requirements or instructions of the data protection authorities. The processor immediately informs the controller of all the demands and inquiries of data subjects, data protection commissioners or other authorities that come to their attention, related to the terms of this appendix and their compliance.

3.6 The processor must take appropriate technical and organizational measures to combat and prevent unauthorized and illegal processing of personal data and to prevent accidental loss, change, destruction or damage of personal data.

3.7 The processor must ensure that the persons processing personal data are bound by a duty of confidentiality or are subject to an appropriate statutory
confidentiality obligation and that personal data is processed only for the purpose of use agreed between the parties.

3.8 The processor notifies the controller as required by the General Data Protection Regulation without
unjustified delay in writing about all personal data
data security breaches and other events based on which on behalf of the controller
the data security of the processed personal data has been compromised, or when the processor has reason to believe that the data security may have been compromised. At the request of the data controller, the processor must provide the data controller with all relevant information related to the data security breach. The handler will
also inform the data controller of the measures taken due to the data security breach.

3.9 The processor must document all data security breaches with all related aspects, the possible effects of the data security breaches and the corrective actions taken

3.10 The processor has the right to transfer personal data within the European Union or the European Economic Area in order to implement the service. Data may not be transferred outside the mentioned area. The controller has the right at any time to receive information from the processor about the place of personal data processing.

3.11 The processor may not use this appendix to carry out its tasks
subcontractor, unless otherwise agreed in writing.

3.12 During the validity period of the service contract, the processor may not delete the account of the data controller
processed personal data without the controller's express request.

3.13 At the end of the service contract, the processor can, at the choice of the controller, either delete it
all personal data processed on behalf of the data controller or return them to the data controller,
and delete all copies of them, unless otherwise required by applicable legislation. If
the controller does not request that the personal data processed by the processor be deleted or
to be returned, the processor keeps the personal data processed on behalf of the controller six (6)
month from the end of the service contract, after which the processor must delete everything
copies of them, unless otherwise determined by current legislation.