Data Processing Agreement

08 April 2022

For the purposes of Article 28(3) of Regulation 2016/679 (the GDPR)

between

The Customer
(the data controller)

and

HeiaHeia Oy (later: HeiaHeia or H2)
Business-ID: 3115720-3
℅ Terkko Health Hub
Haartmaninkatu 14, Building 14
00290 Helsinki
Finland
(the data processor)

each a ‘party’; together ‘the parties’

HAVE AGREED on the following Contractual Clauses (the Clauses) in order to meet the requirements of the GDPR and to ensure the protection of the rights of the data subject.

1. Preamble

1.1. These Contractual Clauses (the Clauses) set out the rights and obligations of the data controller and the data processor, when processing personal data on behalf of the data controller.

1.2. The Clauses have been designed to ensure the parties’ compliance with Article 28(3) of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).

1.3. In the context of the provision of the HeiaHeia service, the data processor will process personal data on behalf of the data controller in accordance with the Clauses.

1.4. The Clauses shall take priority over any similar provisions contained in other agreements between the parties.

1.5. Six appendices are attached to the Clauses and form an integral part of the Clauses.

1.6. Appendices A-D contain details about the processing of personal data, including the purpose and nature of the processing, type of personal data, categories of data subject and duration of the processing.

1.7. Appendix E contains the data controller’s conditions for the data processor’s use of sub-processors and a list of sub-processors authorised by the data controller.

1.8. Appendix F contains the data controller’s instructions with regards to the processing of personal data, the minimum security measures to be implemented by the data processor and how audits of the data processor and any sub-processors are to be performed.

1.9. The Clauses along with appendices shall be retained in writing, including electronically, by both parties.

1.10. The Clauses shall not exempt the data processor from obligations to which the data processor is subject pursuant to the General Data Protection Regulation (the GDPR) or other legislation.

2. The rights and obligations of the data controller

2.1. The data controller is responsible for ensuring that the processing of personal data takes place in compliance with the GDPR (see Article 24 GDPR), the applicable EU or Member State (references to “Member States” made throughout the Clauses shall be understood as references to “EEA Member States”) data protection provisions and the Clauses.

2.2. The data controller has the right and obligation to make decisions about the purposes and means of the processing of personal data.

2.3. The data controller shall be responsible, among other things, for ensuring that the processing of personal data, which the data processor is instructed to perform, has a legal basis.

3. The data processor acts according to instructions

3.1. The data processor shall process personal data only on documented instructions from the data controller, unless required to do so by Union or Member State law to which the processor is subject. Such instructions shall be specified in appendices A-F. Subsequent instructions can also be given by the data controller throughout the duration of the processing of personal data, but such instructions shall always be documented and kept in writing, including electronically, in connection with the Clauses.

3.2. The data processor shall immediately inform the data controller if instructions given by the data controller, in the opinion of the data processor, contravene the GDPR or the applicable EU or Member State data protection provisions.

4. Confidentiality

4.1. The data processor shall only grant access to the personal data being processed on behalf of the data controller to persons under the data processor’s authority who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and only on a need-to-know basis. The list of persons to whom access has been granted shall be kept under periodic review. On the basis of this review, such access to personal data can be withdrawn if access is no longer necessary, and personal data shall consequently no longer be accessible to those persons.

4.2. The data processor shall at the request of the data controller demonstrate that the concerned persons under the data processor’s authority are subject to the above-mentioned confidentiality.

5. Security of processing

5.1. Article 32 GDPR stipulates that, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the data controller and data processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

The data controller shall evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. Depending on their relevance, the measures may include the following:

a. pseudonymisation and encryption of personal data;

b. the ability to ensure ongoing confidentiality, integrity, availability and resilience of processing systems and services;

c. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;

d. a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

5.2. According to Article 32 GDPR, the data processor shall also – independently from the data controller – evaluate the risks to the rights and freedoms of natural persons inherent in the processing and implement measures to mitigate those risks. To this effect, the data controller shall provide the data processor with all information necessary to identify and evaluate such risks.

5.3. Furthermore, the data processor shall assist the data controller in ensuring compliance with the data controller’s obligations pursuant to Article 32 GDPR, by inter alia providing the data controller with information concerning the technical and organisational measures already implemented by the data processor pursuant to Article 32 GDPR, along with all other information necessary for the data controller to comply with the data controller’s obligation under Article 32 GDPR.

If subsequently – in the assessment of the data controller – mitigation of the identified risks requires further measures to be implemented by the data processor than those already implemented by the data processor pursuant to Article 32 GDPR, the data controller shall specify these additional measures to be implemented in Appendix F.

6. Use of sub-processors

6.1. The data processor shall meet the requirements specified in Article 28(2) and (4) GDPR in order to engage another processor (a sub-processor).

6.2. The data processor shall therefore not engage another processor (sub-processor) for the fulfilment of the Clauses without the prior general written authorisation of the data controller.

6.3. The data processor has the data controller’s general authorisation for the engagement of sub-processors. The data processor shall inform in writing the data controller of any changes concerning the addition or replacement of sub-processors in advance, thereby giving the data controller the opportunity to object to such changes prior to the engagement of the concerned sub-processor(s). The list of sub-processors already authorised by the data controller can be found in Appendix E.

6.4. Where the data processor engages a sub-processor for carrying out specific processing activities on behalf of the data controller, the same data protection obligations as set out in the Clauses shall be imposed on that sub-processor by way of a contract or other legal act under EU or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Clauses and the GDPR.

The data processor shall therefore be responsible for requiring that the sub-processor at least complies with the obligations to which the data processor is subject pursuant to the Clauses and the GDPR.

6.5. A copy of such a sub-processor agreement and subsequent amendments shall – at the data controller’s request – be submitted to the data controller, thereby giving the data controller the opportunity to ensure that the same data protection obligations as set out in the Clauses are imposed on the sub-processor. Clauses on business-related issues that do not affect the legal data protection content of the sub-processor agreement shall not require submission to the data controller.

6.6. The data processor shall agree a third-party beneficiary clause with the sub-processor where – in the event of bankruptcy of the data processor – the data controller shall be a third-party beneficiary to the sub-processor agreement and shall have the right to enforce the agreement against the sub-processor engaged by the data processor, e.g. enabling the data controller to instruct the sub-processor to delete or return the personal data.

6.7. If the sub-processor does not fulfil his data protection obligations, the data processor shall remain fully liable to the data controller as regards the fulfilment of the obligations of the sub-processor. This does not affect the rights of the data subjects under the GDPR – in particular those foreseen in Articles 79 and 82 GDPR – against the data controller and the data processor, including the sub-processor.

7. Transfer of data to third countries or international organisations

7.1. Any transfer of personal data to third countries or international organisations by the data processor shall only occur on the basis of documented instructions from the data controller and shall always take place in compliance with Chapter V GDPR.

7.2. In case transfers to third countries or international organisations, which the data processor has not been instructed to perform by the data controller, are required under EU or Member State law to which the data processor is subject, the data processor shall inform the data controller of that legal requirement prior to processing, unless that law prohibits such information on important grounds of public interest.

7.3. Without documented instructions from the data controller, the data processor therefore cannot within the framework of the Clauses:

a. transfer personal data to a data controller or a data processor in a third country or in an international organisation

b. transfer the processing of personal data to a sub-processor in a third country

c. have the personal data processed by the data processor in a third country

7.4. The data controller’s instructions regarding the transfer of personal data to a third country including, if applicable, the transfer tool under Chapter V GDPR on which they are based, shall be set out in Appendix F.6.

7.5. The Clauses shall not be confused with standard data protection clauses within the meaning of Article 46(2)(c) and (d) GDPR, and the Clauses cannot be relied upon by the parties as a transfer tool under Chapter V GDPR.

8. Assistance to the data controller

8.1. Taking into account the nature of the processing, the data processor shall implement appropriate technical and organisational measures to enable the data controller to fulfil the data controller’s obligations to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR.

This entails the data controller’s compliance with:

a. the right to be informed when collecting personal data from the data subject

b. the right to be informed when personal data have not been obtained from the data subject

c. the right of access by the data subject

d. the right to rectification

e. the right to erasure (‘the right to be forgotten’)

f. the right to restriction of processing

g. notification obligation regarding rectification or erasure of personal data or restriction of processing

h. the right to data portability

i. the right to object

j. the right not to be subject to a decision based solely on automated processing, including profiling

8.2. In addition to the data processor’s obligation to assist the data controller pursuant to Clause 6.3., the data processor shall furthermore, taking into account the nature of the processing and the information available to the data processor, assist the data controller in ensuring compliance with:

a. The data controller’s obligation to without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the competent supervisory authority, OFFICE OF THE DATA PROTECTION OMBUDSMAN of Finland, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons;

b. the data controller’s obligation to without undue delay communicate the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons;

c. the data controller’s obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a data protection impact assessment);

d. the data controller’s obligation to consult the competent supervisory authority, OFFICE OF THE DATA PROTECTION OMBUDSMAN of Finland, prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the data controller to mitigate the risk.

8.3. The parties shall define in Appendix F the appropriate technical and organisational measures by which the data processor is required to assist the data controller as well as the scope and the extent of the assistance required. This applies to the obligations foreseen in Clause 9.1. and 9.2.

9. Notification of personal data breach

9.1. In case of any personal data breach, the data processor shall, without undue delay after having become aware of it, notify the data controller of the personal data breach.

9.2. The data processor’s notification to the data controller shall, if possible, take place within 72 hours after the data processor has become aware of the personal data breach to enable the data controller to comply with the data controller’s obligation to notify the personal data breach to the competent supervisory authority, cf. Article 33 GDPR.

9.3. In accordance with Clause 9(2)(a), the data processor shall assist the data controller in notifying the personal data breach to the competent supervisory authority, meaning that the data processor is required to assist in obtaining the information listed below which, pursuant to Article 33(3) GDPR, shall be stated in the data controller’s notification to the competent supervisory authority:

a. The nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

b. the likely consequences of the personal data breach;

c. the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.4. The parties shall define in Appendix D all the elements to be provided by the data processor when assisting the data controller in the notification of a personal data breach to the competent supervisory authority.

10. Erasure and return of data

10.1. Data retention policies applying to personal data processed under this agreement are defined in Appendices A-D.

11. Audit and inspection

11.1. The data processor shall make available to the data controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 and the Clauses and allow for and contribute to audits, including inspections, conducted by the data controller or another auditor mandated by the data controller.

11.2. Procedures applicable to the data controller’s audits, including inspections, of the data processor and sub-processors are specified in appendices F.7. and F.8.

11.3. The data processor shall be required to provide the supervisory authorities, which pursuant to applicable legislation have access to the data controller’s and data processor’s facilities, or representatives acting on behalf of such supervisory authorities, with access to the data processor’s physical facilities on presentation of appropriate identification.

12. The parties’ agreement on other terms

12.1. The parties may agree other clauses concerning the provision of the personal data processing service specifying e.g. liability, as long as they do not contradict directly or indirectly the Clauses or prejudice the fundamental rights or freedoms of the data subject and the protection afforded by the GDPR.

13. Commencement and termination

13.1. The Clauses shall become effective on the date, when both parties have signed the Commercial agreement and the Customer’s representative has approved these terms in HeiaHeia's Admin tools.

13.2. Both parties shall be entitled to require the Clauses renegotiated if changes to the law or inexpediency of the Clauses should give rise to such renegotiation.

13.3. The Clauses shall apply for the duration of the provision of personal data processing services. For the duration of the provision of personal data processing services, the Clauses cannot be terminated unless other Clauses governing the provision of personal data processing services have been agreed between the parties.

13.4. If the provision of personal data processing services is terminated, and the personal data is deleted or returned to the data controller pursuant to Clause 11.1. and Appendix F.4., the Clauses may be terminated by written notice by either party.

14. Data controller and data processor contacts/contact points

14.1. The parties may contact each other using the contacts/contact points defined in the Commercial agreement.

Appendix A: Information about the processing (Case: the Customer is an employer)

This appendix provides detailed information about personal data processing when the Customer is either a private or public sector employer, and the data subjects are the Customer’s employees. Public sector customers may also provide services for citizens; these cases are covered in Appendix B.

A.1. The purpose of the data processor’s processing of personal data on behalf of the data controller

The Customer provides an employee wellbeing program utilising the HeiaHeia digital service provided by HeiaHeia Oy, based on the commercial terms set in the Commercial agreement between HeiaHeia Oy and the Customer. The purpose of Processing of Personal Data is to provide a wellbeing-improving service for the employees of the Customer.

A.2. The nature of the data processor’s processing of personal data on behalf of the data controller

The Parties hereby agree that the scope and manner of Personal Data Processing shall be the following:

The Customer provides an employee wellbeing program utilising the HeiaHeia digital service provided by HeiaHeia Oy, based on the commercial terms set in the Commercial agreement between HeiaHeia Oy and the Customer.

Personal data processing governed by this agreement shall consist of the following cases:

HeiaHeia is a "freemium SaaS service" consisting of a free service level and premium services provided via "communities". Personal data processing in HeiaHeia governed by this agreement takes place in the context of communities; one customer may run many communities, which may have different functionality enabled, different sets of users (data subjects), and different personal data processing related controller-processor roles.

The Act on the Protection of Privacy in Working Life (Finnish law, Työelämän tietosuojalaki in Finnish) limits how and what kind of personal data of employees an employer can process (and thus limits the employer’s possible privacy-related roles). Employers need to have a lawful purpose and a reason related to the occupation of the employee for processing any personal data of the employee, and some data types (such as health or location data) are seen as particularly sensitive; processing those is not allowed without a specific reason related to meeting obligations or rights of the employer or the employee. In HeiaHeia, such requirements are not met: an employer's data processing role is limited to the special cases listed below.

HeiaHeia Oy is the Data Controller for personal data collected and processed. The legal basis for processing is end-user consent: HeiaHeia Oy becomes the Data Controller for an individual end-user’s personal data upon end-user giving consent to personal data collection and processing.

In the case of an employer inviting employees to HeiaHeia via email (or HeiaHeia assisting the employer in the practical invitation process), the employer is the Data Controller for the list of employees, which includes personal data (e.g. names and emails), and HeiaHeia is a Data Processor on behalf of the employer. After the email invitations have been sent, the employer remains the Data Controller for the original list of employees, which may contain both individuals who have given consent to HeiaHeia and individuals who have not given consent to HeiaHeia, and HeiaHeia Oy remains a Data Processor for this list of employees. For clarity, HeiaHeia Oy is the Data Controller for all user accounts and personal data collected in the accounts, with no Controller-Processor relationship involving the Customer.

HeiaHeia’s community product includes a possibility for activity challenges. Activity challenges may include different types of community-level targets as well as a list of participants visible in the product. The same participation data may be visible in Customer reporting and can be used e.g. for rewarding activity. The reporting includes both aggregate community data and individual data for typical rewarding cases (e.g. meeting a step goal, collecting a given amount of wellbeing points, etc.). Individual data is included in reporting based on a separate participation list consent by end-users, which end-users can remove (or re-enable) at any time. Individual data in community reports is defined as high-level and thus non-sensitive; no individual events are included. In the case of HeiaHeia providing the Customer reporting including personal data, the Customer is the Data Controller for these reports, and HeiaHeia is a Data Processor working on behalf of the Controller.

A.3. Types of personal data about data subjects included in the processing

  • Personal details: Name, email address
  • End-user memberships and consents: community memberships (B2B community consent), team memberships, participant list consent
  • Admin and coach roles
  • Reporting content: aggregate activity data, aggregate step data, aggregate wellbeing task completion data, wellbeing point summary, team memberships, aggregate social activity
  • The detailed contents of this personal data register are listed in the HeiaHeia Privacy Policy: www.heiaheia.com/privacy

A.4. Data subject categories included in the processing

  • Admin users
  • End-users

A.5. Duration of the data processor’s processing of personal data on behalf of the data controller

In HeiaHeia, end-users own and control their own personal data. The service includes a free subscription level, which end-users can utilise prior to joining any premium service levels, and can continue utilising if their access to a premium service is discontinued for any reason. If the user’s membership in a community is discontinued by either the user leaving the community (user removes community consent), the user being removed from the community (e.g. the user’s employment status changing) or the community being discontinued (e.g. the user’s employer discontinues offering the HeiaHeia service), HeiaHeia continues as the data controller of the free service.

HeiaHeia continues processing the email list of invitees as long as the commercial agreement with the Customer continues. If a user’s membership in a community is discontinued, the user’s data is no longer included in the reporting, and HeiaHeia discontinues processing this data. If a user removes consents from the free and the premium services, the user's personal data is removed from the service and all personal data processing for which HeiaHeia is a controller discontinues.


Appendix B: Information about the processing (Case: the Customer is not an employer)

This appendix provides detailed information about personal data processing when the Customer is not an employer, and thus the data subjects are not the Customer’s employees. Public sector customers may also provide services for citizens as well as for employees; the latter cases are covered in Appendix A.

B.1. The purpose of the data processor’s processing of personal data on behalf of the data controller

The Customer provides a wellbeing promotion program utilising the HeiaHeia digital service provided by HeiaHeia Oy, based on the commercial terms set in the Commercial agreement between HeiaHeia Oy and the Customer. The purpose of Processing of Personal Data is to provide a wellbeing-improving service for end-users.

B.2. The nature of the data processor’s processing of personal data on behalf of the data controller

The Parties hereby agree that the scope and manner of Personal Data Processing shall be the following:

The Customer provides a wellbeing promotion program utilising the HeiaHeia digital service provided by HeiaHeia Oy, based on the commercial terms set in the Commercial agreement between HeiaHeia Oy and the Customer.

HeiaHeia is a "freemium SaaS service" consisting of a free service level and premium services provided via "communities". Personal data processing in HeiaHeia governed by this agreement takes place in the context of communities; one customer may run many communities, which may have different functionality enabled, different sets of users (data subjects), and different personal data processing related controller-processor roles.

The Act on the Protection of Privacy in Working Life (Finnish law, Työelämän tietosuojalaki in Finnish) limits how and what kind of personal data of employees an employer can process (and thus limits the employer’s possible privacy-related roles). Employers need to have a lawful purpose and a reason related to the occupation of the employee for processing any personal data of the employee, and some data types (such as health or location data) are seen as particularly sensitive; processing those is not allowed without a specific reason related to meeting obligations or rights of the employer or the employee. In HeiaHeia, such requirements are not met: for employees, the Customer’s data processing role is limited to the special cases listed in Appendix A; for Customers that are not employers, the role is typically the data controller.

Personal data processing governed by this agreement shall consist of the following cases:

1) Email invitations

In the case of the Customer inviting users to HeiaHeia via email, the Customer is the Data Controller for the list of invitees, which includes personal data (e.g. names and emails), and HeiaHeia is a Data Processor on behalf of the Data Controller.

After end-users have given consent for data processing, the Customer remains the Data Controller for the original list of invitees, which may contain both individuals who have given consent and individuals who have not given consent, and HeiaHeia remains a Data Processor for this list.

2) Personal data created after consent

HeiaHeia is a “freemium SaaS service” (a service that consists of free and paid-for service levels), where Controller-Processor roles can be depicted with the Community Interface Model, as described below. The complete model includes elements outside of the scope of this agreement, which are described below for clarity. The scope of this agreement is data processing by HeiaHeia on behalf of the Customer, as described below. In the following, the term “Partner” refers to the Customer.

Background of the Community Interface Model:

The pivot point of this model is The Community Interface, which forms a Controller Demarcation Line (a separation line for separate registers of personal data with separate data controllers). The Controller Demarcation Line indicates the point at which this responsibility (controllership) changes hands.

The purpose of this model is to reconcile and clarify data control and data processing in the case of a free / B2C relationship that pre-dates the Partner (Customer) relationship, and/or an end-user wishing to continue using the free / B2C service after severing ties with the Customer. The Community Interface creates the legal and technical space to allow (repeatedly) shifting data controllership.

Description of the Community Interface model:

HeiaHeia is the data controller for all data held solely within its servers. This controllership can be initiated by the end-user (e.g. through the free service). As the model shows, this relationship may commence before any relationship with the Customer.

HeiaHeia provides a Community Interface that crosses the Controller Demarcation Line. In essence, the Community Interface encapsulates the technical and legal controls that allow HeiaHeia to transfer and then regain controllership between Customers. When HeiaHeia provides access to data held within its servers through the Community Interface, the Partner (Customer) becomes the controller and HeiaHeia becomes a data processor on behalf of the Partner. This shift happens by granting the Partner the ability to use/extract the data for its own purposes. The double-sided arrow in the model indicates the ability for controllership of the data to cross back over the demarcation line. Securing this ability is handled in both the Privacy Policy and the DPA.

The Community Interface serves as the “control center” for Partners and allows an easy way for Partners to manage the content of the service as well as gather, analyse, and modify well-being data for research purposes as well as for tracking and/or improving the well-being of data subjects.

Linking of Personal Data to the Community Interface (disclosure) requires end-user consent.

The functionality offered by and content managed by the Community Interface may be adjusted by HeiaHeia in accordance with the Commercial Agreement and end-user consent. HeiaHeia can gradually extend the functionality of the Community Interface without disturbing the controller/processor balance.

HeiaHeia shall remain the controller of the data that is collected by HeiaHeia prior to the Partner relationship. HeiaHeia shall have the right to extract all and any personal data from the Interface and use it for the original purpose of data processing as described in the end-user consent (i.e. extracting end-user wellbeing data for providing the free service). For clarity, HeiaHeia does not have any rights for any intellectual property or other content of the Partner or customers of the Partner. HeiaHeia will act as a controller for any data that it extracts from the Interface. This establishes the ability to cross back over the Controller Demarcation Line.

HeiaHeia shall be the sole controller of the data retained in its own systems, outside of the Community Interface. HeiaHeia shall have the right at any point in time to dispose, block, modify or otherwise use this data.

The end-user may at any time remove consents for different service elements, which results in removing personal data from those service elements.

3) Premium service discontinued

In the case of the paid-for service being discontinued for an end-user for whatever reason (the Partner discontinuing, or the end-user discontinuing the use of the HeiaHeia premium service), the end-user continues as a user of the free service level of HeiaHeia, for which HeiaHeia is the sole data controller, and the Partner's controllership ends. For clarity, the end-user may at any point discontinue using the free service level (remove all personal data from HeiaHeia), which causes the personal data to be removed from all parts of the service and from all registers within the scope of HeiaHeia.

B.3. Types of personal data about data subjects included in the processing

  • Personal details: Name, email address
  • End-user memberships and consents: community memberships (B2B community consent), team memberships, participant list consent
  • End-user’s activity data, wellbeing tasks completed, programs started, surveys answered, and other data entered into the service by the user in the scope of the premium community
  • Admin and coach roles
  • Reporting content: aggregate activity data, aggregate step data, aggregate wellbeing task completion data, wellbeing point summary, team memberships, aggregate social activity
  • Log files
  • The detailed contents of this personal data register are listed in the HeiaHeia Privacy Policy: www.heiaheia.com/privacy

B.4. Data subject categories included in the processing

  • Admin users
  • End-users

B.5. Duration of the data processor’s processing of personal data on behalf of the data controller

In HeiaHeia, end-users own and control their own personal data. The service includes a free subscription level, which end-users can utilise prior to joining any premium service levels, and can continue utilising if their access to a premium service is discontinued for any reason. If the user’s membership in a community is discontinued, either by the user leaving the community (the user removes the community consent), by the user being removed from the community, or by the community being discontinued (e.g. the Customer discontinues offering the HeiaHeia service), HeiaHeia continues as the data controller of the free service, and the Customer's controllership ends.

HeiaHeia continues processing the email list of invitees as long as the commercial agreement with the Customer continues.

If a user removes consents from the free and the premium services, the user's personal data is removed from the service and all personal data processing, for which HeiaHeia is a controller, discontinues.


Appendix C: Information about the processing (Case: the Customer is a reseller, whose customer is an employer)

This appendix provides detailed information about personal data processing when the Customer is a reseller providing wellbeing challenges or wellbeing coaching to either private or public sector employers, and the data subjects are employees. Resellers for the public sector may also provide services for citizens; these cases are covered in Appendix D.

C.1. The purpose of the data processor’s processing of personal data on behalf of the data controller

The Customer is a reseller providing employee wellbeing programs utilising the HeiaHeia digital service provided by HeiaHeia Oy, based on the commercial terms set in the Commercial agreement between HeiaHeia Oy and the Customer. The purpose of Processing of Personal Data is to provide a wellbeing-improving service for the employees of the Customer's customers.

C.2. The nature of the data processor’s processing of personal data on behalf of the data controller

The Parties hereby agree that the scope and manner of Personal Data Processing shall be the following:

The Customer is a reseller providing employee wellbeing programs utilising the HeiaHeia digital service provided by HeiaHeia Oy, based on the commercial terms set in the Commercial agreement between HeiaHeia Oy and the Customer.

HeiaHeia is a "freemium SaaS service" consisting of a free service level and premium services provided via "communities". Personal data processing in HeiaHeia governed by this agreement takes place in the context of communities; one customer may run many communities, which may have different functionality enabled, different sets of users (data subjects), and different controller-processor roles for personal data processing.

The Act on the Protection of Privacy in Working Life (Finnish law, Työelämän tietosuojalaki in Finnish) limits how and what kind of personal data of employees an employer can process (and thus limits the employer’s possible privacy-related roles). Employers need to have a lawful purpose and a reason related to the occupation of the employee for processing any personal data of the employee, and some data types (such as health or location data) are seen as particularly sensitive; processing those is not allowed without a specific reason related to meeting obligations or rights of the employer or the employee. In HeiaHeia, such requirements are not met: an employer's data processing role is limited to the special cases listed below.

Personal data processing governed by this agreement shall consist of the following cases:

1) Email invitations

In the case of an Employer inviting users to HeiaHeia via email, the Employer is the Data Controller for the list of invitees, which includes personal data (e.g. names and emails); the Customer is a Data Processor on behalf of the Data Controller; and HeiaHeia is a Sub-Processor on behalf of the Customer.

After end-users have given consent for data processing, the Employer remains the Data Controller for the original list of invitees, which may contain both individuals who have given consent and individuals who have not given consent; the Customer remains a Data Processor for this list, and HeiaHeia remains a Sub-Processor.

2) Personal data created after consent

HeiaHeia is a "freemium SaaS service" (a service that consists of for-free and paid-for service levels), where Controller-Processor roles can be depicted with the Community Interface Model, as described below. The complete model includes elements outside the scope of this agreement, which are described below for clarity. The scope of this agreement is data processing by HeiaHeia on behalf of the Customer, as described below. In the following, the term "Partner" refers to the Customer.

Background of the Community Interface Model:

The pivot point of this model is the Community Interface, which forms a Controller Demarcation Line (a separation line between separate registers of personal data with separate data controllers). The Controller Demarcation Line indicates the point at which this responsibility (controllership) changes hands.

The purpose of this model is to reconcile and clarify data control and data processing in the case of a free / B2C relationship that pre-dates the Partner (Customer) relationship, and/or an end-user wishing to continue using the free / B2C service after severing ties with the Customer. The Community Interface creates the legal and technical space to allow (repeatedly) shifting data controllership.

Description of the Community Interface model:

HeiaHeia is the data controller for all data held solely within its servers. This controllership can be initiated by the end-user (e.g. through the free service). As the model shows, this relationship may commence before any relationship with the Customer.

HeiaHeia provides a Community Interface that crosses the Controller Demarcation Line. In essence, the Community Interface encapsulates the technical and legal controls that allow HeiaHeia to transfer and then regain controllership between Customers. When HeiaHeia provides access to data held within its servers through the Community Interface, the Partner (Customer) becomes the controller and HeiaHeia becomes a data processor on behalf of the Partner. This shift happens by granting the Partner the ability to use/extract the data for its own purposes. The double-sided arrow in the model indicates the ability for controllership of the data to cross back over the demarcation line. Securing this ability is handled in both the Privacy Policy and the DPA.

The Community Interface serves as the "control center" for Partners and gives Partners an easy way to manage the content of the service, as well as to gather, analyse and modify well-being data for research purposes and for tracking and/or improving the well-being of data subjects.

Linking of Personal Data to the Community Interface (disclosure) requires end-user consent.

The functionality offered by and content managed by the Community Interface may be adjusted by HeiaHeia in accordance with the Commercial Agreement and end-user consent. HeiaHeia can gradually extend the functionality of the Community Interface without disturbing the controller/processor balance.

HeiaHeia shall remain the controller of the data that is collected by HeiaHeia prior to the Partner relationship. HeiaHeia shall have the right to extract any and all personal data from the Interface and use it for the original purpose of data processing as described in the end-user consent (i.e. extracting end-user wellbeing data for providing the free service). For clarity, HeiaHeia does not have any rights to any intellectual property or other content of the Partner or customers of the Partner. HeiaHeia will act as a controller for any data that it extracts from the Interface. This establishes the ability to cross back over the Controller Demarcation Line.

HeiaHeia shall be the sole controller of the data retained in its own systems, outside of the Community Interface. HeiaHeia shall have the right at any point in time to dispose, block, modify or otherwise use this data.

The end-user may at any time remove consents for different service elements, which results in removing personal data from those service elements.

3) Premium service discontinued

In the case of the paid-for service being discontinued for an end-user for whatever reason (the Partner discontinuing, or the end-user discontinuing the use of the HeiaHeia premium service), the end-user continues as a user of the free service level of HeiaHeia, for which HeiaHeia is the sole data controller, and the Partner's controllership ends. For clarity, the end-user may at any point discontinue using the free service level (remove all personal data from HeiaHeia), which causes the personal data to be removed from all parts of the service and from all registers within the scope of HeiaHeia.

C.3. Types of personal data about data subjects included in the processing

  • Personal details: Name, email address
  • End-user memberships and consents: community memberships (B2B community consent), team memberships, participant list consent
  • Admin and coach roles
  • Reporting content: aggregate activity data, aggregate step data, aggregate wellbeing task completion data, wellbeing point summary, team memberships, aggregate social activity
  • The detailed contents of this personal data register are listed in the HeiaHeia Privacy Policy: www.heiaheia.com/privacy

C.4. Data subject categories included in the processing

  • Admin users
  • End-users

C.5. Duration of the data processor’s processing of personal data on behalf of the data controller

In HeiaHeia, end-users own and control their own personal data. The service includes a free subscription level, which end-users can utilise prior to joining any premium service levels, and can continue utilising if their access to a premium service is discontinued for any reason. If the user’s membership in a community is discontinued, either by the user leaving the community (the user removes the community consent), by the user being removed from the community (e.g. the user’s employment status changing), or by the community being discontinued (e.g. the user’s employer discontinues offering the HeiaHeia service), HeiaHeia continues as the data controller of the free service.

HeiaHeia continues processing the email list of invitees as long as the commercial agreement with the Customer continues. If a user’s membership in a community is discontinued, the user’s data is no longer included in the reporting, and HeiaHeia discontinues processing this data. If a user removes consents from the free and the premium services, the user's personal data is removed from the service and all personal data processing for which HeiaHeia is a controller discontinues.


Appendix D: Information about the processing (Case: the Customer is a reseller, whose customer is not an employer)

This appendix provides detailed information about personal data processing when the Customer is a reseller providing wellbeing challenges or wellbeing coaching to its customers (later: 'end-customer', 'end-customers'), and the data subjects are not employees of the end-customer. Resellers for the public sector may also provide services for public sector employees; these cases are covered in Appendix C.

D.1. The purpose of the data processor’s processing of personal data on behalf of the data controller

The Customer is a reseller providing wellbeing promotion programs utilising the HeiaHeia digital service provided by HeiaHeia Oy, based on the commercial terms set in the Commercial agreement between HeiaHeia Oy and the Customer. The purpose of Processing of Personal Data is to provide a wellbeing-improving service for end-users nominated by the end-customer.

D.2. The nature of the data processor’s processing of personal data on behalf of the data controller

The Parties hereby agree that the scope and manner of Personal Data Processing shall be the following:

The Customer is a reseller providing wellbeing promotion programs utilising the HeiaHeia digital service provided by HeiaHeia Oy, based on the commercial terms set in the Commercial agreement between HeiaHeia Oy and the Customer.

HeiaHeia is a "freemium SaaS service" consisting of a free service level and premium services provided via "communities". Personal data processing in HeiaHeia governed by this agreement takes place in the context of communities; one customer may run many communities, which may have different functionality enabled, different sets of users (data subjects), and different controller-processor roles for personal data processing.

Personal data processing governed by this agreement shall consist of the following cases:

1) Email invitations

In the case of an end-customer inviting users to HeiaHeia via email, the end-customer is the Data Controller for the list of invitees, which includes personal data (e.g. names and emails); the Customer is a Data Processor on behalf of the Data Controller; and HeiaHeia is a Sub-Processor on behalf of the Customer.

After end-users have given consent for data processing, the end-customer remains the Data Controller for the original list of invitees, which may contain both individuals who have given consent and individuals who have not given consent; the Customer remains a Data Processor for this list, and HeiaHeia remains a Sub-Processor.

2) Personal data created after consent

HeiaHeia is a "freemium SaaS service" (a service that consists of for-free and paid-for service levels), where Controller-Processor roles can be depicted with the Community Interface Model, as described below. The complete model includes elements outside the scope of this agreement, which are described below for clarity. The scope of this agreement is data processing by HeiaHeia on behalf of the Customer, as described below. In the following, the term "Partner" refers to the Customer.

Background of the Community Interface Model:

The pivot point of this model is the Community Interface, which forms a Controller Demarcation Line (a separation line between separate registers of personal data with separate data controllers). The Controller Demarcation Line indicates the point at which this responsibility (controllership) changes hands.

The purpose of this model is to reconcile and clarify data control and data processing in the case of a free / B2C relationship that pre-dates the Partner (Customer) relationship, and/or an end-user wishing to continue using the free / B2C service after severing ties with the Customer. The Community Interface creates the legal and technical space to allow (repeatedly) shifting data controllership.

Description of the Community Interface model:

HeiaHeia is the data controller for all data held solely within its servers. This controllership can be initiated by the end-user (e.g. through the free service). As the model shows, this relationship may commence before any relationship with the Customer.

HeiaHeia provides a Community Interface that crosses the Controller Demarcation Line. In essence, the Community Interface encapsulates the technical and legal controls that allow HeiaHeia to transfer and then regain controllership between Customers. When HeiaHeia provides access to data held within its servers through the Community Interface, in the case of this Appendix D, the end-customer becomes the controller, the Customer becomes a data processor on behalf of the end-customer, and HeiaHeia becomes a sub-processor on behalf of the Customer. This shift happens by granting the end-customer the ability to use/extract the data for its own purposes. The double-sided arrow in the model indicates the ability for controllership of the data to cross back over the demarcation line. Securing this ability is handled in both the Privacy Policy and the DPA.

The Community Interface serves as the "control center" for end-customers and Partners and gives them an easy way to manage the content of the service, as well as to gather, analyse and modify well-being data for research purposes and for tracking and/or improving the well-being of data subjects.

Linking of Personal Data to the Community Interface (disclosure) requires end-user consent.

The functionality offered by and content managed by the Community Interface may be adjusted by HeiaHeia in accordance with the Commercial Agreement and end-user consent. HeiaHeia can gradually extend the functionality of the Community Interface without disturbing the controller/processor balance.

HeiaHeia shall remain the controller of the data that is collected by HeiaHeia prior to the Partner relationship. HeiaHeia shall have the right to extract any and all personal data from the Interface and use it for the original purpose of data processing as described in the end-user consent (i.e. extracting end-user wellbeing data for providing the free service). For clarity, HeiaHeia does not have any rights to any intellectual property or other content of the Partner or customers of the Partner. HeiaHeia will act as a controller for any data that it extracts from the Interface. This establishes the ability to cross back over the Controller Demarcation Line.

HeiaHeia shall be the sole controller of the data retained in its own systems, outside of the Community Interface. HeiaHeia shall have the right at any point in time to dispose, block, modify or otherwise use this data.

The end-user may at any time remove consents for different service elements, which results in removing personal data from those service elements.

3) Premium service discontinued

In the case of the paid-for service being discontinued for an end-user for whatever reason (the Partner discontinuing, or the end-user discontinuing the use of the HeiaHeia premium service), the end-user continues as a user of the free service level of HeiaHeia, for which HeiaHeia is the sole data controller, and the end-customer's controllership ends. For clarity, the end-user may at any point discontinue using the free service level (remove all personal data from HeiaHeia), which causes the personal data to be removed from all parts of the service and from all registers within the scope of HeiaHeia.

D.3. Types of personal data about data subjects included in the processing

  • Personal details: Name, email address
  • End-user memberships and consents: community memberships (B2B community consent), team memberships, participant list consent
  • Admin and coach roles
  • Reporting content: aggregate activity data, aggregate step data, aggregate wellbeing task completion data, wellbeing point summary, team memberships, aggregate social activity
  • Log files
  • The detailed contents of this personal data register are listed in the HeiaHeia Privacy Policy: www.heiaheia.com/privacy

D.4. Data subject categories included in the processing

  • Admin users
  • End-users

D.5. Duration of the data processor’s processing of personal data on behalf of the data controller

In HeiaHeia, end-users own and control their own personal data. The service includes a free subscription level, which end-users can utilise prior to joining any premium service levels, and can continue utilising if their access to a premium service is discontinued for any reason. If the user’s membership in a community is discontinued, either by the user leaving the community (the user removes the community consent), by the user being removed from the community (e.g. the user’s employment status changing), or by the community being discontinued (e.g. the user’s employer discontinues offering the HeiaHeia service), HeiaHeia continues as the data controller of the free service.

HeiaHeia continues processing the email list of invitees as long as the commercial agreement with the Customer continues. If a user’s membership in a community is discontinued, the user’s data is no longer included in the reporting, and HeiaHeia discontinues processing this data. If a user removes consents from the free and the premium services, the user's personal data is removed from the service and all personal data processing for which HeiaHeia is a controller discontinues.


Appendix E: Authorised sub-processors

On commencement of the Clauses, the data controller authorises the engagement of the following sub-processors (name (country): description of processing):

  • makandra GmbH (Germany): Data hosting
  • Datadog, Inc / makandra GmbH (Germany): Log file hosting
  • Amazon Web Services EMEA Sarl (Ireland): Log file hosting, image and GPX file hosting
  • Finnchat Oy (Finland): Customer support

The data controller shall on the commencement of the Clauses authorise the use of the above-mentioned sub-processors for the processing described for that party. The data processor shall not be entitled – without the data controller’s explicit written authorisation – to engage a sub-processor for a ‘different’ processing than the one which has been agreed upon or to have another sub-processor perform the described processing.

 


Appendix F: Instructions, security of processing and audits

F.1. Instructions for the processing of personal data

This Data Processing Agreement and the Commercial Agreement form the data controller’s final and complete instructions at the time of execution of the DPA for the Processing of Personal Data. Any additional or alternate instructions must be agreed on separately.

F.2. Security of processing

  • The processing involves a large volume of personal data. The data types that are processed are not classified as sensitive or medical (mostly activity data that is designed to be shared with other users).
  • The data processor shall hereafter be entitled and under obligation to make decisions about the technical and organisational security measures that are to be applied to create the necessary (and agreed) level of data security. The data processor shall however – in any event and at a minimum – implement the following measures that have been agreed with the data controller:
  • State of the art technical security measures applied, including pseudonymisation and encryption of personal data, whenever applicable
  • 3rd party security audits commissioned systematically
  • Architecture and processes to ensure high availability and the ability to restore the availability of and access to personal data in a timely manner in the event of a physical or technical incident
  • Extensive logging of user and admin actions applied
  • Protection of data during storage:
    • The Data Processor’s applications are deployed onto a private VLAN in a hosting platform provided by makandra GmbH. It is a private network that is separate from the office network.
    • The configuration addresses security by limiting outside access to a minimum, applying firewalling for each server instance, and deploying services to subnets that have limited access to each other and to outside networks.
    • Limiting access from outside: the only access points to the private network are the load balancers. These access points can be found in the above diagram.
    • Network access: SSH connections are made with personal SSH keys, and only a few people responsible for system operations are granted access. Each SSH session is logged.
    • Firewalls: each service type has its own security rules that determine which other services can connect to selected ports. E.g. application servers allow HTTP and HTTPS traffic to ports 80 and 443 only from the load balancers.
    • Security: we operate a server cluster optimised for data and failure safety with multiple machines, in order to guarantee smooth operation even in case of hardware failures. We maintain the host systems regularly and install available security updates.
    • makandra GmbH is certified according to TISAX VDA-ISA 3.0.
  • Data centre: the data centre has all relevant security and precautionary mechanisms in place. Among them are the following:
    • Fire protection equipment
    • Heat and smoke sensors
    • Sensors for particle analysis
    • Extinguishing systems in several zones
    • Cooling system with redundancy (n+1)
    • Redundant power supply
    • Power supply via two power feeds (A+B)
    • 24/7 personnel for remote hands
    • Video surveillance system with motion sensors
    • Biometric fingerprint scanners and/or access cards with personal PIN
    • Automatic alarm systems with direct connection to the security service
    • All hardware servers have redundant power supply units as well as redundant hard disk arrays (RAID); thus failures are further limited.
  • Fault tolerance:
    • With this high-availability architecture there is no so-called "single point of failure", which enables maximum availability; in the past 12 months an availability of over 99.99% has been achieved.
    • In case of one or multiple servers breaking, we have configured auto-scaling procedures that monitor the health of the servers; if problems such as non-responsive server instances are detected, the malfunctioning instance is automatically removed and replaced with a new instance.
    • If needed, auto-scaling could also be enabled for situations where we get higher load from an increase in HTTP requests. In this situation the auto-scaling would start new instances and add them to the load balancers to share the load between additional computing units.
    • The database is provided with dedicated instances on physically separate servers for maximum reliability and performance, and we have automatic deactivation of a server in case of local malfunction. The setup includes two database servers at different physical locations to achieve redundancy. Thus, if one of the servers goes offline (failure, outage, planned maintenance), the databases are still available and usable.
  • Backups: we copy backups for disaster recovery cases via an encrypted connection to a separate fire compartment. These backups include database dumps or exports and static assets such as images or files uploaded to the application. We practise the recovery of backups on a regular basis to ensure that the process runs smoothly in an emergency. Data uploaded by the user (GPX files, pictures) is held in AWS S3 and is not covered by additional backup procedures.

F.3. Processing location

The processing involves a large volume of personal data.

Processing of the personal data under the Clauses cannot be performed at other locations than the following without the data controller’s prior written authorisation: data processor and sub-processor offices and employee remote work locations inside the European Union.

F.4. Instruction on the transfer of personal data to third countries

Personal data hosting and processing of the HeiaHeia service takes place inside the European Union.

Customer support tickets (including personal data in the form of email addresses and ticket content) are managed with a support portal that runs on HubSpot, a service hosted in the US. HubSpot is GDPR compliant.

F.5. Procedures for the data controller’s audits, including inspections, of the processing of personal data being performed by the data processor

To ensure GDPR compliance, the data processor runs an annual process, including a DPIA, in which it consults external experts when necessary. The DPIA reports shall be made available to the data controller.

If the data controller requests, the data processor shall at the data controller’s expense obtain an auditor’s report from an independent third party concerning the data processor's compliance with the GDPR, the applicable EU or Member State data protection provisions and the Clauses.

 

