Data processing agreement

Data processing agreement (DPA)

The addendum governing the processing of personal data in the Smove service under GDPR Article 28.

Updated 9 June 2026

1. Purpose and parties

This data processing agreement (DPA) forms part of the Smove service terms and applies when Smove processes personal data on the customer's behalf in providing the service.

The customer is the data controller and Smove Oy (business ID 3596026-3) acts as the data processor. In case of conflict, this agreement prevails over other terms regarding the processing of personal data.

2. Definitions

In this agreement, controller, processor, personal data, processing, data subject and sub-processor have the same meaning as in the EU General Data Protection Regulation (GDPR, 2016/679).

3. Subject matter, duration, nature and purpose

Smove processes personal data solely to provide the service: shift planning and human resources.

  • Subject matter: the personal data the customer stores in the service
  • Duration: for the term of the service agreement
  • Nature and purpose: storing, organising, using and otherwise processing data to deliver the service's features
  • Data subjects: the customer's employees and users
  • Data categories: name and contact details, employment and shift data, working hours and absences, skills data, and technical data related to use of the service

4. Processing on documented instructions

Smove processes personal data only on the customer's documented instructions, including this agreement and use of the service, and does not use the data for its own purposes. Smove informs the customer if it considers an instruction to infringe data protection law.

The customer is responsible for ensuring there is a lawful basis for the processing and that its instructions comply with data protection law.

5. Confidentiality

Smove ensures that persons processing personal data are bound by confidentiality and that access to the data is limited to those who need it for their tasks.

6. Security

Smove implements appropriate technical and organisational measures under GDPR Article 32, including:

  • encryption of personal data in transit and at rest
  • ensuring the confidentiality, integrity, availability and resilience of processing systems
  • the ability to restore access to data after an incident
  • role-based access control on a least-privilege basis, and logging of access
  • regular testing and assessment of the measures

Additional safeguards are applied to special categories of data where necessary. Security is described in more detail on the GDPR page.

7. Sub-processors

The customer grants Smove general authorisation to use sub-processors. Smove has entered into agreements containing data protection obligations with each sub-processor and remains responsible for their performance as for its own.

An up-to-date list of sub-processors is on the GDPR page. Smove notifies the customer of intended changes in advance, and the customer may object to a change on reasonable grounds.

8. Transfers outside the EU and EEA

Personal data is not transferred outside the EU or EEA. Data is stored and processed in Finland and the EU.

9. Assistance and data subject rights

Smove assists the customer with appropriate technical and organisational measures so the customer can respond to data subjects' requests (access, rectification, erasure, portability, restriction and objection). The service includes tools to export and delete data.

If a data subject contacts Smove directly, Smove does not respond to the request itself but directs it to the customer. Smove also informs the customer without undue delay of any supervisory authority inquiries concerning the customer's personal data.

Smove further assists the customer with the obligations of GDPR Articles 32–36, such as security, data protection impact assessments (DPIA) and prior consultation.

10. Data breaches

Smove notifies the customer of a personal data breach without undue delay, and within 72 hours of becoming aware of it at the latest. The notification includes the essential information available, such as:

  • the nature of the breach and the categories and approximate number of data subjects affected
  • a contact point for more information
  • the likely consequences of the breach
  • the measures taken or proposed to address the breach and mitigate its effects

Smove acts without delay to contain the breach, documents breaches, and assists the customer in meeting its notification obligations.

11. Audits

Smove provides the customer with the information necessary to demonstrate compliance with these obligations and allows audits conducted by the customer or an auditor mandated by the customer who is bound by confidentiality. Audits are carried out on reasonable terms with advance notice, generally no more than once a year unless data protection law or an authority requires otherwise. Each party bears its own costs arising from an audit.

12. End of processing

When the service agreement ends, Smove, at the customer's choice, returns or deletes the personal data within the agreed period and deletes existing copies, unless law requires the data to be retained.

13. Liability and governing law

This agreement is governed by Finnish law. The parties' liability is determined by the service agreement. Disputes are primarily resolved through negotiation.