BACKGROUND AND PURPOSE OF APPENDIX
This Appendix sets out the terms and conditions for the processing of the Personal Data of the Customer by eMabler Oy (Business ID 3021922-2) (“eMabler”) based on the Agreement. This Appendix is an integral part of the Agreement and therefore, the terms and conditions of the Agreement and of its General Terms and Conditions (eMabler OPEN EV Charging Platform Software Service General Terms and Conditions) are applicable to this Appendix.  

When Personal Data is being processed according to this Appendix, the Customer acts as the Controller and eMabler acts as the Processor.  


DEFINITIONS
“Controller” means a natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data. 

”Data Subject” is defined above in the definition of Personal Data. 

“Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”) and Finnish data protection laws applicable to the Processing of Personal Data, as amended from time to time.  

“Personal Data” means any information relating to an identified or identifiable natural person (“Data Subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. 

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed. 

 “Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Controller. 

“Process” or “Processing” means any operation or set of operations which is performed on the Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. 


PROCESSING 
The types of the Personal Data and the categories of the Data Subjects are: 

(a) Personal Data of the Customer’s employees (Operator) who use the Software Service and Personal Data of the Customer’s customers (User): name, title, profession, address, user name, email address, password, RFID/NFC identification, phone number, identification number from 3rd party system, car location data, car’s MAC address, ISO15118 certificate data, VIN number, Bluetooth related data (MAC address, chipset info, location and signal related info), MAC address (from the Operator or User client device), IP address (from the Operator or User client device), Browser used and its version, data on the electricity consumption per time, data on the time used for charging.    

The subject of Processing is the above-mentioned Personal Data and the duration of the Processing is the term of the Agreement.  

The nature and purpose of the Processing is providing Services according to the Agreement.  

In order to provide the Services, eMabler will Process Personal Data in accordance with the documented instructions given by the Customer, unless required to do so by an EU or an EU Member State law to which eMabler is subject. In such a case, eMabler shall inform the Customer of that legal requirement before the Processing, unless that law prohibits such information. Such documented instructions are hereby given by the Customer to eMabler and they are limited to: Providing Services according to the eMabler Service Description in force at the time of the Processing. If the Customer desires to amend the documented instructions or give new documented instructions to eMabler, the amended and new instructions may be priced according to the price list of eMabler.  

eMabler shall ensure that persons authorised to Process the Personal Data on its behalf have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.  


CUSTOMER’S DUTIES 
The Customer acts as a Personal Data Controller. The Customer is liable, for example, for ensuring that eMabler and its subcontractors have the right to Process the Personal Data. The Customer warrants that the Personal Data has been provided to eMabler and its subcontractors as required in Personal Data legislation.  


DATA SECURITY
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, eMabler shall implement appropriate technical and organisational measures with respect to eMabler’s systems and procedures to ensure a level of security appropriate to the risk, including inter alia as appropriate a) the pseudonymisation and encryption of Personal Data as agreed with the Customer, in accordance with the price list of eMabler; b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of eMabler’s systems.   

For the sake of clarity, obligations mentioned in this Section are not applicable to the security of the systems, devices or environments of the Customer or customer’s customer.  


NOTIFICATION OF PERSONAL DATA BREACH  
eMabler shall notify Customer without undue delay after becoming aware of a Personal Data Breach. 

The notification referred to above shall at least: 

(a) describe the nature of the Personal Data Breach including where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned; 

(b) communicate the name and contact details of the data protection officer or other contact point where more information can be obtained; 

(c) describe the likely consequences of the Personal Data Breach; and 

(d) describe the measures taken or proposed to be taken by eMabler to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.   Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without undue further delay. 


ASSISTANCE OBLIGATIONS  
Taking into account the nature of the processing, eMabler shall assist the Customer with appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights under Chapter III of the GDPR.  

Taking into account the nature of the processing and the information available to eMabler, eMabler shall further provide the Customer with assistance in ensuring compliance with the Customer’s obligations set out in Articles 32 to 36 of the GDPR (e.g. to perform security and data protection impact assessments, breach notifications and prior consultations of the competent supervisory authority). 

In case such assistance requires measures from eMabler, eMabler has the right to charge a reasonable hourly consulting fee from the Customer for handling such assistance requests in accordance with eMabler’s then-current fee for consulting services, subject to the Customer’s prior approval of such additional costs. 


INTERNATIONAL TRANSFER OF PERSONAL DATA
 eMabler does not transfer the Personal Data outside of the European Union (EU) / European Economic Area (EEA), and eMabler uses data centers located within the EU / EEA. Some of eMablers sub-processors are established or may have access to the Personal Data outside of the EU/EEA e.g., in cases where the Customer has initiated support ticket and customer support of the cloud service provider may have access to the Personal Data within the support ticket.  

If Personal Data is transferred to the country outside of the EU/EEA that is not recognized by the European Commission as providing an adequate level of protection for Personal Data, eMabler shall (i) comply with chapter v of the GDPR; (ii) use transfer tools (such as standard contractual clauses for processor-to-processor transfers adopted by the European Commission (by the implementing decision (EU) 2021/914 and as amended)); (iii) take necessary steps to provide appropriate safeguards for international data transfers; (iv) to the extent necessary implement supplementary measures for protection of Personal Data as required by applicable laws; and (v) ensure that the party responsible for the transfer of Personal Data have conducted the transfer impact assessment if needed. 


SUBPROCESSORS  
The Customer gives its general authorization to allow eMabler to engage subcontractors as sub-processors to process Personal Data in connection with the provision of the Service.  

eMabler is free to choose and change its sub-processors. Upon request, eMabler shall inform the Customer of the sub-processors currently involved. In case there is a later change of a sub-processor (addition or replacement), eMabler shall notify the Customer of such change, thereby allowing the Customer the opportunity to object to such change. If eMabler is not willing to change the sub-processor the Customer has objected to, both Parties shall have the right to terminate the Agreement and this Data Processing Appendix.  

Where eMabler engages a sub-processor for carrying out specific processing activities on behalf of the Customer, the same data protection obligations as set out in this Data Processing Appendix shall apply in the Data Processing Appendix between eMabler and that sub-processor. Where a sub-processor fails to fulfil its data protection obligations, eMabler shall remain liable to the Customer for the performance of the sub-processor’s obligations as further stipulated in the Agreement. 


AUDITS  
The Customer or an auditor appointed by the Customer shall with the assistance of eMabler have the right to audit the processing activities of eMabler under this Data Processing Appendix to assess the compliance of eMabler with its contractual obligations under this Data Processing Appendix and applicable data protection legislation during ordinary business hours of eMabler and with 30 days prior written notice. If eMabler’s employees or other representatives participate in such audits at the request of the Customer, the Customer shall compensate eMabler for the expenses caused by such participation. Otherwise, each Party shall bear its own costs for any such audit.  

Where an audit may, in eMabler’s sole opinion, lead to the disclosure of business or trade secrets of eMabler or threaten the intellectual property rights of eMabler, the Customer shall employ an independent auditor, that is not a competitor of eMabler, to carry out the audit, and the auditor shall agree to be bound to confidentiality to eMabler’s benefit.  

eMabler makes available to the Customer, at the Customer’s request, information necessary to demonstrate compliance with the GDPR. In case the Customer’s request requires measures or work to be performed by eMabler, eMabler has the right to charge an hourly consulting fee in accordance with its then-current pricing for consulting services for handling such requests. 


DESCRIPTION OF THE PROCESSING OPERATIONS  

DURATION OF THE PROCESSING 
Personal Data shall be processed as long as the Agreement with the Customer remains in force. Following the expiration of the Agreement eMabler will either delete or return the Personal Data within a reasonable time after the end of the customer relationship.