Record of Data Processing Activities under Roima’s Responsibility

1 Purpose

This is the Record of the processing activities concerning Roima’s Customers’ Personal Data, performed by Roima in its capacity as the supplier of system solutions or as a service provider. This Record is referred to in Section 4 “Records of Processing activities” of the Roima Privacy Policy contract addendum, in the paragraph on Roima’s Record.

Personal data (the “Personal Data”) shall refer to all information concerning an identified or identifiable natural person, as referred to in the EU General Data Protection Regulation (EU 2016/679) (the “GDPR”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, social security number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Roima is considered to be the Processor of the Customer’s Personal Data because, in Roima’s capacity as operator of the Customer’s systems for maintenance purposes, Roima’s employees have the technical possibility to view and modify the Customer’s Personal Data.

In the systems supplied by Roima, Personal Data includes, at the very least, the user identifiers, forming one Personal Data register. Some of Roima’s software also allows customers to establish other Personal Data registers, related to, for example, the Customer’s employees or the contact persons of business partners.

2 Record of Processing Activities

2.1 Data Controller

The company that controls and uses the system maintained by Roima and the Personal Data register or registers included in the system (Customer).

2.2 Data Processor

Roima Intelligence Inc. (Roima)
Main office: Upseerinkatu 1, FI-02600 Espoo, Finland
Contact person: The maintenance contact person named by Roima for the Customer.

2.3 Grouping of Processing Activities Performed on Behalf of the Data Controller

Roima processes the Customer’s Personal Data in connection with performing the following work or service requests requested by the Customer or agreed upon with the Customer:

a) Investigation request that concerns or involves the Customer’s Personal Data
b) Error fix that concerns or involves the Customer’s Personal Data
c) Installation and testing of a new feature or software modification that is related to the Customer’s Personal Data
d) Installation and testing of a new version
e) A service or work performance ordered by the Customer involving the Customer’s Personal Data

The Personal Data in the Customer’s database are viewed, transferred or stored elsewhere only when performing the work requested by the Customer so requires.

The Customer’s Personal Data will not be disclosed to any third parties without the Customer’s written permission. The secure means of transferring Personal Data have been defined in separate instructions.

2.4 Processing by System Supplier

a) User counting

Roima calculates the number of system users (active user identifiers) from time to time and compares the verified number of users to the Customer’s user licenses. If the licenses have been defined by user group, the users are also calculated by user group. To exclude possible overlapping identifiers, individual users might be considered for the Customer’s benefit.

2.5 Transferring of Personal Data to a Third Country or to an International Organization

In principle, Personal Data will not be transferred outside the EU or to international organizations. Should a situation arise where such a transfer of Personal Data could be considered, Roima will ask for the Customer’s written permission in advance of transferring the data.

2.6 General Description of the Security Measures to Protect the Customer’s Personal Data

From an information security point of view, all operations of Roima and its employees are guided by Roima’s Privacy Policy. The Privacy Policy includes, among other things, the information security instructions and procedures related to Roima’s server environments, workstations and physical environment.

Roima’s employees have a general confidentiality obligation regarding the Customer’s Personal Data and business information. Roima typically maintains the Customer’s system through remote connections. The information needed for establishing a remote access session is stored so that it can only be accessed with a personal identifier and a password. The remote access information can only be viewed by persons who, due to their role, have a right to access the Customer’s environment. Remote connections are implemented using secure connections.

Separate instructions have been prepared on remote access information and the processing of the Customer’s Personal Data, including instructions on the secure transfer of Personal Data.