Data Processing and Transfer Addendum

Before using any of our services, you are required to read, understand, and agree to these terms. You can also download this document below.

Last updated December 22, 2023

illustration

1 Introduction

  1. This Addendum is entered into between Nokia Solutions and Networks Oy, or its affiliate identified in the applicable Order Confirmation (the "Nokia") and the person or entity using the NaC Services (the "Customer"), each a party and together the parties.

  2. This Addendum forms part of the agreement between the parties for Customer's use of the NaC Services (the "Agreement") and sets out the additional terms, requirements and conditions on which Customer will disclose, and Nokia will process Customer Personal Data when providing the NaC Services under the Agreement. This Addendum contains mandatory clauses required by Data Protection Laws for contracts between controllers and processors.

  3. In addition to terms defined elsewhere in this Addendum, the definitions and other provisions in Schedule 2 to this Addendum apply throughout this Addendum unless the contrary intention appears. In this Addendum, unless the contrary intention appears, a reference to a clause or schedule is a reference to a clause or schedule of or to this Addendum. The schedules form part of this Addendum.

2 Roles and Responsibilities

  1. Customer and Nokia acknowledge that the status of each party is a question of fact determined under Data Protection Laws.

  2. Without limiting clause 2.1, Customer and Nokia each acknowledge that, it is their mutual understanding that, in relation to Customer Personal Data, the Customer is the controller; and Nokia is a processor.

  3. Each party shall comply with its respective obligations under Data Protection Laws in relation to the processing of personal data under, or in connection with the performance of, this Addendum.

  4. Nothing in this Addendum shall:

    i. relieve either party of its own responsibilities and liabilities under Data Protection Laws.

    ii. require either party to breach any applicable law.

3 Compliance with Instructions

  1. Nokia shall:

    i. only process Customer Personal Data in accordance with the written or programmatic instructions of Customer as set out in this Addendum, subject to any written instructions provided by Customer that amount to an amendment to this Addendum in order to reflect any changes in the Services agreed by the parties in accordance with the Agreement, unless Nokia is otherwise required to process Customer Personal Data under applicable laws to which Nokia is subject; and

    ii. notify Customer if, in Nokia's opinion (but without any obligation to provide legal advice), Customer's instructions provided after the date of this Addendum would cause Nokia to breach applicable law (including Data Protection Laws), provided that to the extent permitted by applicable law, Nokia shall not be liable for any Losses arising from or in connection with any processing in accordance with the Customer's instructions following that notification.

  2. Customer (for itself and on behalf of each member of its Group which is a controller of Customer Personal Data) hereby generally instructs Nokia (and subject to clause 10 authorizes Nokia to instruct its sub-processors on their behalf) to process Customer Personal Data for the purpose of exercising its rights and performing its obligations under this Addendum and the Agreement.

  3. Nothing in this Addendum restricts Nokia's use of anonymized data. Nokia may process Customer Personal Data for the purpose of anonymizing the data

4 Cooperation and Assistance

  1. Nokia shall provide reasonable assistance to Customer on written request in connection with any assessment of the impact of processing Customer Personal Data, in each case that Customer is required to conduct under Data Protection Laws.

  2. Customer undertakes to use tools provided by Nokia via the Services to indicate files or logs provided to Nokia that contain Customer Personal Data.

5 Description of Processing

  1. Nokia shall process Customer Personal Data in accordance with, and only for the purposes and duration specified in Schedule 1.

  2. The parties acknowledge that nothing in this Addendum constitutes a transfer or assignment of any rights in Customer Personal Data (including any intellectual property rights) unless otherwise expressly set out in the Agreement.

6 Individual rights

  1. Nokia shall provide reasonable assistance to Customer, by appropriate technical and organizational measures, to fulfil and respond to requests by individuals to exercise their rights under Data Protection Laws.

  2. If an individual makes a written request to Nokia to exercise any of their rights under Data Protection Laws in relation to Customer Personal Data, Nokia shall forward the request to Customer as soon as reasonably practicable.

  3. Upon Customer's reasonable written request, Nokia shall provide Customer co-operation and assistance reasonably requested by Customer in relation to any individual request to exercise their rights under Data Protection Laws.

7 Security measures

  1. Nokia shall, taking into account the state of the art, the costs of implementation and the nature, scope, context and purpose of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the risk of unauthorized or unlawful processing of Customer Personal Data, and of accidental or unlawful loss, alteration, unauthorized disclosure or destruction of, or damage to, Customer Personal Data.

  2. Without limiting clause (7.1), Nokia shall implement the Security Measures.

8 Personal data breach

  • Nokia shall notify Customer without undue delay after becoming aware of a Personal Data Breach. Upon Customer's written request, Nokia shall provide Customer with co-operation and assistance reasonably requested by Customer to enable Customer to notify the Personal Data Breach to the relevant Supervisory Authority and relevant individual(s) (as applicable).

  • Upon becoming aware of a Personal Data Breach, Nokia shall take reasonable steps to investigate, and mitigate the effects of, the Personal Data Breach.

  • When notifying the Customer of a Personal Data Breach, Nokia shall include a reasonable description of the Personal Data Breach, including (to the extent known at the time of notification):

    i. the categories and approximate number of data subjects concerned and the categories of affected Customer Personal Data;

    ii. the technical and organizational measures applied to the Customer Personal Data affected by the Personal Data Breach; and

    iii.the measures taken by Nokia to address the Personal Data Breach,

and where it is not possible to provide the above information at the time of notification, Nokia shall provide such information subsequently without undue further delay.

9 Confidentiality

  1. Nokia shall keep Customer Confidential Information and Customer Personal Data confidential in accordance with the terms of this Addendum except where disclosure is required in accordance with applicable law, in which case Nokia shall, where practicable and not prohibited by applicable law, notify the Customer of any such requirement before such disclosure.

  2. Customer shall only use information (including Nokia Confidential Information) received, arising in connection with, or generated pursuant to clause 13.2 for the sole purpose of conducting an audit in accordance with this Addendum. Customer shall not disclose such information to any other person, other than to Customer's employees, directors, subcontractors and professional advisers on a strict "need-to-know" basis, and shall ensure that any such employee, director, subcontractor or professional advisor is (as applicable) bound to hold such information in confidence, is subject to a professional or statutory duty to protect confidentiality, or is party to a written confidentiality undertaking with the Customer.

10 Sub-processors

  1. Notwithstanding any provisions governing the appointment of sub-contractors in the Agreement, Customer provides general authorization for Nokia, to engage other processors (each a "sub-processor") to process Customer Personal Data. Nokia shall:

    i. before disclosing Customer Personal Data to any sub-processor, enter into a contract with that sub-processor containing terms equivalent to those in this Addendum;

    ii. be responsible for all acts and omissions of any sub-processor as fully as if they were the acts and omissions of Nokia or its employees or agents; and

    iii.except where expressly provided otherwise, be Customer's sole point of contact for the performance of Nokia's obligations under this Addendum.

  2. Before disclosing Customer Personal Data to any of its employees, agents or sub-processors, Nokia shall ensure that those persons:

    i. have taken appropriate training in data protection; and

    ii. are bound to hold the Customer Personal Data in confidence.

11 International data transfers

  1. This clause 11 applies only to international transfers of Customer Personal Data by a Data Sender to a Data Recipient, including any onward international transfer.

  2. Subject to clause 11.3, Customer hereby authorizes Nokia to transfer, store and process Customer Personal Data outside the country or territory in which the Customer is located.

  3. Nokia shall only process or transfer Customer Personal Data in or, in the case of transfer, to, any country or territory outside the UK and EEA if and for so long as:

    i. an Adequacy Decision is in place;

    ii. the international transfer or onward international transfer is subject to a derogation in accordance with Article 49 EU GDPR or Article 49 UK GDPR (as applicable); or

    iii. it is made in accordance with Article 46 EU GDPR or Article 46 UK GDPR (as applicable), including where (i) SCC are in place between the Data Sender and Data Recipient and (ii) pursuant to Nokia BCR once approved.

  4. If Nokia relies initially on SCC to transfer Customer Personal Data internationally pursuant to clause 11.2, Nokia may subsequently opt to rely solely or partially on Nokia BCR (once approved) to process or transfer the same Customer Personal Data internationally to members of the Nokia Group. Nokia may, by notice in writing to the Customer, elect that the Nokia BCR shall apply in place of the relevant SCC and to terminate the application of the relevant SCC to the relevant international transfers.

  5. If Nokia wishes to undertake an international transfer or onward international transfer in accordance with clause 11.3III, pursuant to EU Processor-Processor SCC or the UK Data Transfer Addendum:

    i. Customer acknowledges and hereby authorizes Nokia (as Data Sender) acting as processor to conduct an international transfer or onward international transfer to a sub-processor (as Data Recipient) using the EU Processor-Processor SCC or UK Data Transfer Addendum (as applicable); and

    ii. Nokia shall assume all the rights, obligations and liability of the "data exporter" under the EU Processor-Processor SCC or UK Data Transfer Addendum (as applicable).

  6. If the mechanism for international transfers of Customer Personal Data relied upon pursuant to clause 11.3, 11.4, or 11.5 ceases for any reason to be a valid means of complying with the restrictions on international data transfers as set out in Data Protection Laws, or otherwise ceases to apply for any reason, or the exporting party determines that it does not provide appropriate protection for Customer Personal Data in the circumstances, the parties shall act in good faith to agree the implementation of an alternative solution to enable both parties to comply with Data Protection Laws.

12 Communications with Supervisory Authorities

  1. Nokia shall notify Customer if it is subject to any inspection or investigation conducted by any Supervisory Authority regarding the processing of Customer Personal Data.

  2. Nokia shall provide reasonable assistance to Customer in responding to any investigation, inspection, notice or communication from any Supervisory Authority or other authority in relation to the processing of Customer Personal Data.

13 Compliance and audit

  1. Subject to compliance with applicable laws, Nokia shall, upon Customer's reasonable written request, provide all information necessary to demonstrate compliance with this Addendum.

  2. Nokia shall, without limiting any other right of Customer under this Addendum, allow Customer or a third party auditor appointed by Customer or by Nokia (on terms of reference upon which Customer is consulted in advance) to carry out audits, relating to the processing of Customer Personal Data by Nokia (including Nokia's appointment and management of sub-processors), to enable Customer to verify compliance with this Addendum, provided that:

    • Customer shall provide Nokia reasonable prior written notice of at least [30] days before any audit or inspection (unless a shorter notice period is required by Data Protection Laws), along with the scope and methodology of the audit, and the identity of the person(s) or third-party auditor(s) appointed or acting on behalf of the Customer to perform the audit;

    • Customer shall not involve or engage any competitor of Nokia to conduct or participate in any such audits, and Nokia has the right to refuse the appointment of any such third-party auditor;

    • Customer shall not perform or request an audit within the first twelve-month period after the date of this Addendum, and is limited to conducting or requesting only one audit in every subsequent 12-month period;

    • Customer carries out the audit or inspection during the normal business hours and uses reasonable endeavors not to cause any disruption to Nokia, its customers or any sub-processors; and

    • Customer complies with clause 9,and ensures that any third-party auditor enters into a non-disclosure agreement with Nokia.

  3. Nothing in this Addendum shall require Nokia to agree to any penetration testing of systems used by Nokia to provide the Services.

  4. When considering whether an audit pursuant to clause 13.4 is necessary, Customer shall consider relevant certifications held by Nokia. Nokia may discharge its obligations under this clause 13 by providing reasonable evidence to Customer on request of third party security audits or information security certification relevant to the provision of the Services (for example a copy of Nokia's ISO 27001 certification or equivalent).

14 Warranties

  1. Each party warrants that it has full capacity and authority to enter into and to perform its obligations under this Addendum.

  2. Customer warrants, represents and undertakes that:

    i. it is entitled to, and will only, transfer personal data to Nokia for the purposes and in the manner contemplated under this Addendum;

    ii. its instructions given to Nokia with respect to the processing of Customer Personal Data are in accordance with Data Protection Law; and

    iii.fair processing and all other notices have been provided to individuals with respect to the Customer Personal Data and all relevant consents obtained and maintained, in each case as required by Data Protection Laws in connection with Nokia's processing activities under this Agreement.

  3. Except as expressly provided in this Addendum, no representation, warranty or condition, express or implied, statutory or otherwise, as to condition, satisfactory quality, performance or fitness for purpose or otherwise is given by any party and all such representations, warranties and conditions are excluded save to the extent that their exclusion is prohibited by applicable laws.

15 Liability

  1. Notwithstanding any provisions governing liability of the parties in the Agreement, subject to clause 15.4, neither party will be liable to the other party in contract or tort (including negligence), for breach of statutory duty, or otherwise, arising under or in connection with this Addendum for any:

    i. direct or indirect (i) loss of profit; (ii) loss of revenue, contracts, turnover, business or business opportunity or damage to goodwill or reputation; or (iii) loss of anticipated savings; or

    ii. indirect, consequential or special Loss,

    in each case of whatever nature and whether or not reasonably foreseeable, reasonably contemplated or actually contemplated by the parties before, at or after the date of this Addendum.

  2. Nokia is not liable to Customer for any Losses arising under or in connection with this Addendum due to Customer's failure to comply with its obligations under this Addendum, including Customer's failure to comply with clause 2.3.

  3. Nokia's aggregate liability to Customer, whether in contact or tort (including negligence), for breach of statutory duty, or otherwise, arising under or in connection with this Addendum shall, where arising under or in connection with this Addendum, not exceed in the aggregate the amount paid by Customer for the NaC Services under the Agreement.

  4. Nothing in this Addendum limits or excludes a party's (or its Group's) liability for any liability, to the extent it cannot be limited or excluded under applicable laws.

16 Consequences of termination and expiry

  1. Unless expressly stated otherwise in this Addendum or the Agreement, upon termination or expiry of the Agreement, Nokia shall, and shall procure that each sub-processor shall:

    i. immediately cease to use Customer Personal Data; and

    ii. at Customer's option and in accordance with Customer's instructions:

    a. return Customer Personal Data to Customer or to a processor nominated by Customer in an industry standard format; or

    b. delete or anonymize the Customer Personal Data and all copies and extracts of Customer Personal Data unless required to retain a copy in accordance with applicable laws or to the extent it is contained in an electronic file created pursuant to any routine backup or archiving procedure which renders it inaccessible or incapable of deletion and such file is not generally accessible beyond the need for disaster recovery or similar operations or to comply with applicable law.

17 Non-standard Costs

Customer shall pay Nokia any reasonable costs and reasonable third-party expenditure suffered or incurred by Nokia (or any of its Affiliates) in providing assistance and co-operation to Customer in accordance with clauses:

(4) (impact assessments), (6.1) (individual rights requests), (6.3) (individual rights requests), (8) (personal data breaches), 12 (communications with supervisory authorities), (13.1) (assistance to demonstrate compliance), (13.2) (Customer audits) and (16.ii.a) (return of Customer Personal Data).

18 Governing law and jurisdiction

  1. This Addendum and any non-contractual obligations arising out of or in connection with it or its subject matter or formation shall be governed by, and construed in accordance with, the law specified in the Agreement.

  2. The parties to this Addendum irrevocably agree that the courts specified in the Agreement shall have exclusive jurisdiction to settle any dispute or claim that arises out of or in connection with this Addendum or its subject matter.

19 Variation

Subject to any change control procedure contained in the Agreement, any variation of this Addendum shall not be binding on the parties unless set out in writing, expressed to vary this Addendum, and signed by authorized representatives of each of the parties.

20 Schedule 1 - Description of Processing

Duration of Processing

Unless stated otherwise in this Addendum, or agreed in writing between the parties, Customer Personal Data will be processed for the term of this Addendum.

Nature and purpose of processing

For the purpose of the provision of Services by Nokia under the Agreement.

In particular:

  • Nokia will use the Customer Personal Data to provision access to the NaC Portal for Customer's individual users and manage the relationship with Customer.

  • Nokia may also use the Customer Personal Data to implement 2 Factor Authentication and perform identity verification, for secure access to the NaC Services.

  • Nokia may also use Customer Personal Data to carry out business operations such as charging and billing and account communications.

  • Nokia may also use the Customer Personal Data in the course of providing troubleshooting to the Customer, including preventing, detecting, identifying and repairing defects, malfunctions, errors and non-conformance in the NaC Services.

  • Nokia may also use the Customer Personal data to detect, prevent or investigate security incidents, fraud, and other abuse or misuse of the Services.

  • Nokia may also use the Customer Personal Data to comply with Nokia's legal or regulatory obligations on data retention.

Individuals may include any of:

  • Customer's personnel

  • Application End-Users

Categories of personal data may include any of:

  • Title or gender

  • Name

  • Email address

  • IP address

  • Telephone or mobile number

  • Photograph containing an individual

  • Online identifier

  • Payment Card Details

  • Geolocation Data

Special categories of personal data may include any of:

None - the personal data being processed does not include any special categories of personal data.

21 Schedule 2 - Definitions & Interpretation

21.1 Definitions

  • "Adequacy Decision" means, in respect of a third country, a territory, or one or more specified sectors within that third country, a finding of adequacy pursuant to Article 45 of the EU GDPR or section 17A of the UK Data Protection Act 2018 (as applicable), in each case to the extent applicable to an international data transfer under this Addendum;

  • "Affiliate" means with respect to any person, any corporation, company, partnership or other organization which directly or indirectly is within the Control of such person or over which such person has Control or is under common Control with such person or over which such person has an option to acquire Control or common Control;

  • "Confidential Information" means all information disclosed by whatever means in any medium or format (whether marked "confidential" or not) which a party (Party A) receives from the other party (Party B) either directly or from any person associated with Party B, which concerns the business, operations or customers of any or all of Party B and its Affiliates, including the subject matter and provisions of the Agreement;

  • "Control" means, in relation to a person, the direct or indirect ownership of more than 50 per cent of the voting capital or similar right of ownership of that person or the legal power to direct or cause the direction of the general management and policies of that person whether through the ownership of voting capital, by contract or otherwise, and "Controls" and "Controlled" shall be interpreted accordingly;

  • "Customer Personal Data" means any personal data in respect of which Customer is a controller that is: (i) supplied by or on behalf of Customer to Nokia (including where Nokia has access to personal data held by Customer or on its behalf), or which Nokia collects, generates or otherwise processes on behalf of Customer; and (ii) processed by Nokia under or in connection with providing the Services or performing an obligation under the Agreement, as further described in Schedule 1

  • "Data Protection Laws" means any law, enactment, regulation or order concerning the processing of data relating to living persons including[^1] each to the extent applicable to the activities or obligations of the parties under or pursuant to this Addendum;

  • "Data Recipient" means a party to this Addendum or a third party who receives Customer Personal Data from, or is given access to Customer Personal Data by, the Data Sender under, or in connection with, the terms of this Addendum;

  • "Data Sender" means a party to this Addendum that transfers (via international transfer or otherwise) Customer Personal Data with a Data Recipient or provides access to Customer Personal Data to a Data Recipient under or in connection with this Addendum;

  • "EEA" means the European Economic Area, which includes all member states of the European Union, plus (as at the date of this Addendum) Norway, Iceland and Liechtenstein;

  • "EU Processor-Processor SCC" means a data transfer agreement in the form adopted by the European Commission Decision 2021/914 of 4 June 2021 between a processor as "data exporter", and a processor as "data importer" (as amended, superseded or replaced from time to time);

  • "EU GDPR" means General Data Protection Regulation 2016/679;

  • "Group" means, in relation to each party, that party and its Affiliates;

  • "Loss" means each loss, damage, fine, penalty, cost, reasonable fee, expense or other liability (including legal and other professional fees) and Losses shall be interpreted accordingly;

  • "Nokia BCR" means (as applicable): (i) the Nokia Group UK binding corporate rules (for processors) approved by the UK ICO in accordance with Article 63 UK GDPR; or (ii) the Nokia Group EU binding corporate rules (for processors) approved by the relevant Supervisory Authority(ies) in accordance with Article 63 EU GDPR, in each case pursuant to which personal data is transferred between members of the Nokia Group;

  • "Nokia Group" means Nokia and each member of its Group;

  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored or otherwise processed by Nokia;

  • "SCC" means EU Processor-Processor SCC or the UK Data Transfer Addendum (as applicable);

  • "Security Measures" means the security measures outlined at [insert URL for TOMS];

  • "Services" means the services provided under the Agreement;

  • "Supervisory Authority" means the relevant competent authority responsible for data privacy and protection where the Customer or Nokia is established;

  • "UK Data Transfer Addendum" means the international data transfer addendum to the EU Commission standard contractual clauses issued by the UK ICO under section 119A of the Data Protection Act 2018 valid from 21 March 2022 (as amended, superseded or replaced from time to time) incorporating the EU Processor-Processor SCC;

  • "UK GDPR" means the General Data Protection Regulation 2016/679 as incorporated into UK law by virtue of the European Union (Withdrawal) Act 2018; and

  • "UK ICO" means the United Kingdom Information Commissioner's Office.

21.2 Interpretation

  • "controller", "personal data", and "processor" shall have the meaning given to them in Data Protection Laws;

  • any reference to "processing" means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaption or alteration, retrieval, consultation, use, disclosure, dissemination, making available, alignment, combination, restriction, erasure or destruction, and "process" and "processed" shall be construed accordingly;

  • any reference to a "transfer" means the sharing of, or the enabling of access to, personal data, by one party with another party, and "transferred" shall be construed accordingly;

  • any reference to an "international transfer" (or equivalent) means a transfer of Personal Data by a party (as Data Sender) in one jurisdiction to another party (as Data Recipient) in another jurisdiction (excluding transfers between parties that are both within the same territory or jurisdiction, for example if both parties are located within the EEA);

  • any reference to an "onward international transfer" (or equivalent) means onward transfer of any Customer Personal Data, received by a Data Recipient pursuant to an international transfer, to a Data Recipient in another jurisdiction; and

  • in this Addendum any reference, express or implied, to an enactment (which includes any legislation in any jurisdiction) includes, except to the extent that the contrary intention appears: that enactment as amended, extended or applied by or under any other enactment (before, on or after execution of this Addendum); any enactment which that enactment re-enacts (with or without modification); any subordinate legislation made (before, on or after execution of this Addendum) under that enactment, including (where applicable) that enactment as amended, extended or applied, or under any enactment which it re-enacts.

If there is any conflict or inconsistency between a term in the body of this Addendum and a term in the Agreement, or in any of the schedules or other documents referred to or otherwise incorporated into this Addendum, the following hierarchy of precedence shall apply:

  1. the provisions of any SCC;

  2. separate standalone data sharing agreements which are expressed to take precedence over this Addendum;

  3. a term in the body of this Addendum;

  4. a term in a schedule of this Addendum; and

  5. the provisions of the Agreement.