Teliqon Legal Information
Data Processing Addendum
List
Introduction
Customer and Teliqon Communications OÜ (“Teliqon”) have entered into an agreement for the provision of the Teliqon Services ___________________ (the “Agreement”) that may require Teliqon to process Personal Data on behalf of Customer.
This Data Processing Addendum (the “DPA”) sets out the additional terms, requirements and conditions on which Teliqon will process Personal Data when providing services under the Agreement. This DPA contains the mandatory clauses required by Article 28(3) of the retained EU law version of the General Data Protection Regulation ((EU) 2016/679) for contracts between Controllers and Processors and the General Data Protection Regulation ((EU) 2016/679).
This Data Processing Addendum forms an integral part of the Agreement and is applicable where Teliqon is the Processor of Customer’s Personal Data.
All the capitalised terms in this DPA shall have the same meaning as defined in Terms of Service and Privacy Policy, unless otherwise specified in this DPA directly.
The Controller and the Processor shall also be referred to collectively as the “Parties” and individually as “Party”.
Definitions
-
“Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
-
“Customer Personal Data” shall mean any Personal Data submitted by Customer to Teliqon for the provision of Teliqon Services or stored on Customer’s behalf through Customer’s Account in connection with Customer’s use of the Teliqon Services.
-
“Data Protection Laws” shall mean the data protection laws of the country in which Customer are established and any data protection laws applicable to Customer in connection with the Agreement, including but not limited to (a) laws and regulations applicable to the GDPR, (b) in respect of the UK, the GDPR as saved into United Kingdom by virtue of section 3 of the United Kingdom European Union (Withdrawal) Act 2018 (“UK GDPR”) and the Data Protection Act, 2018 (c) the Swiss Federal Data Protection Act and its implementing regulations (“Swiss DPA”) in each case, as may be amended, superseded or replaced.
-
“Data Subject” means any identified or identifiable natural person.
-
“GDPR” shall mean the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
-
“Standard Contractual Clauses” or “SCCs” means (i) where the GDPR applies, the standard contractual clauses as approved by the European Commission (Implementing Decision (EU) 2021/914 of 04 June 2021) Implementing Decision (EU) 2021/914 of 04 June 2021) and available at https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32021D0914 (“EU SCCs”); (ii) where the UK GDPR applies, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner, Version B1.0, in force from 21 March 2022 set forth as Appendix IV available at https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf (“UK SCCs”) and (iii) where the Swiss DPA applies, the applicable standard data protection clauses issued, approved or recognized by the Swiss Federal Data Protection and Information Commissioner (the “Swiss SCCs”) (in each case, as updated, amended or superseded from time to time).
-
“Personal Data” shall mean any information relating to a Data Subject that is Processed by Processor as part of providing the Services to Controller.
-
“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed.
-
“Process” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
-
“Processor” means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of the Controller.
-
“Special Categories of Personal Data” means Personal Data consisting of a Data Subject’s racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation. It also includes information about an individual’s criminal offences or convictions, as well as any other information deemed sensitive under applicable data protection laws.
-
“Services” means Teliqon Services, which Customer receives under the Agreement.
-
Scope and Responsibilities
-
Customer and Teliqon agree and acknowledge that for the purpose of the Data Protection Laws:
-
Customer is the Controller and Teliqon is the Processor of the Customer Personal Data;
-
Customer retains control of the Customer Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Laws, including but not limited to providing any required notices and obtaining any required consents, and for the written processing instructions it gives to Teliqon; and
-
Teliqon may process Customer Personal Data to provide the Teliqon Services in compliance with the rules set out in this DPA.
-
Within the scope of this DPA, each Party shall be responsible for complying with its respective obligations as Controller and Processor under Data Protection Laws.
-
Processing Instructions
-
Teliqon will Process Customer Personal Data in accordance with the Customer’s instructions. This DPA contains Customer’s initial instructions to Teliqon with respect to the Customer Personal Data. The Parties agree that Customer may communicate any change in its initial instructions to Teliqon by way of amendment to this DPA.
-
For the avoidance of doubt, any instructions that would lead to Processing outside the scope of this DPA will require a prior agreement between the Parties.
-
Teliqon shall, without undue delay, inform the Controller in writing if, in Teliqon’s opinion, an instruction infringes Data Protection Laws, and provide a detailed explanation of the reasons for its opinion in writing.
-
Teliqon Personnel
-
Teliqon will ensure that all Teliqon personnel:
-
are informed of the confidential nature of the Customer Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Customer Personal Data; and
-
are aware of both Teliqon’s duties and their personal duties and obligations under the Data Protection Laws and this DPA.
-
Disclosure to Third Parties; Data Subjects Rights
-
Teliqon will not disclose Customer Personal Data to any government agency, court, or law enforcement except as necessary to comply with applicable mandatory laws. If Teliqon is obliged to disclose Customer Personal Data to a law enforcement agency Teliqon agrees to give Customer reasonable notice of the access request prior to granting such access, to allow Customer to seek a protective order or other appropriate remedy. If such notice is legally prohibited, Teliqon will take reasonable measures to protect the Customer Personal Data from undue disclosure as if it were Teliqon’s own confidential information being requested and shall inform Customer promptly as soon as possible if and when such legal prohibition ceases to apply.
-
In case Customer receives any request or communication from Data Subjects which relates to the Processing of Customer Personal Data (“Request”), Teliqon shall reasonably provide Customer with full cooperation, information and assistance (“Assistance”) in relation to any such Request where instructed by Customer.
-
Where Teliqon receives a Request, Teliqon shall (i) not directly respond to such Request, (ii) forward the request to Customer within ten (10) business days of identifying the Request as being related to the Customer and (iii) provide Assistance according to further instructions from Customer.
-
Technical and Organizational Measures
-
Teliqon shall implement and maintain appropriate technical and organizational security measures to ensure that Customer Personal Data is Processed according to this DPA, to provide assistance and to protect Customer Personal Data against a Personal Data Breach. Such measures shall include the measures set out in Appendix 2.
-
Assistance with Data Protection Impact Assessment
-
Where a Data Protection Impact Assessment (“DPIA”) is required under applicable Data Protection Laws for the Processing of Customer Personal Data, Teliqon shall provide upon request to Customer any information and assistance reasonably required for the DPIA and assistance for any communication with data protection authorities, where required, unless the requested information or assistance is not pertaining to Teliqon’s obligations under this DPA.
-
Customer shall reimburse Teliqon for reasonable charges for providing the assistance in this clause 8 to the extent that such assistance is not reasonably able to be accommodated within the normal provision of the Teliqon Services.
-
Information Rights and Audit
-
Teliqon shall, in accordance with applicable Data Protection Laws, make available to the Customer, upon request and within a reasonable timeframe, such information as is necessary to demonstrate Teliqon’s compliance with its obligations under Data Protection Laws.
-
Teliqon shall, upon reasonable notice, allow for and contribute to audits of Teliqon's Processing of Customer Personal Data during regular business hours and with minimal interruption to Teliqon’s business operations. Such audits shall be conducted by Customer, its affiliates or an independent third party on Customer’s behalf (which will not be a competitor of the Processor) that is subject to reasonable confidentiality obligations.
-
Customer shall pay Teliqon reasonable costs of allowing or contributing to audits or inspections if Customer wishes to conduct more than one audit or inspection every 12 months. Teliqon will immediately refer to Customer any requests received from national data protection authorities that relate to Teliqon's Processing of Customer Personal Data.
-
Teliqon undertakes to cooperate with Controller in its dealings with national data protection authorities and with any audit requests received from national data protection authorities.
-
Personal Data Breach Notification
-
In respect of a Personal Data Breach (actual or reasonably suspected), Teliqon shall:
-
(a) notify Customer of a Personal Data Breach involving Teliqon or a subcontractor without undue delay and it shall be the responsibility of the Controller to inform the Supervisory Authority of such breach within 72 hours of notice by Teliqon;
-
(b) provide reasonable information, cooperation and assistance to Customer in relation to any action to be taken in response to a Personal Data Breach under Data Protection Laws, including regarding any communication of the Personal Data Breach to Data Subjects and national data protection authorities.
-
Subprocessing
-
List of Subprocessors. Customer agrees that Teliqon engages Subprocessors in connection with the provision of the Teliqon Services and that the list of the Subprocessors currently engaged by Teliqon is listed here:___________. Therefore, by entering into this DPA, Customer authorizes Teliqon to engage the Subprocessors mentioned in this list.
-
General authorization. By executing the DPA, Customer further grants Teliqon with a general authorization to engage other Subprocessors, add or replace the Subprocessors in the list. In case the list of Subprocessors is modified by Teliqon, Customer will be informed of any changes via email to the email address associated with Account or via Account interface.
-
Objections. To the extent Data Protection Laws grants Customer the right to object against intended modifications concerning the addition or replacement of the Subprocessors, the Customer may reasonably object to such modification. In case Customer does not send any objection to Teliqon in writing within ten (10) days from receiving the notification, it will be deemed to have agreed to the new Subprocessors. If Customer objects, the Parties agree to negotiate to find a solution that will satisfy both Parties’ interests. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Laws. If the Parties can not find a solution that will satisfy both Parties’ interests, Customer shall terminate usage of the Teliqon Services.
-
Where Teliqon subcontracts its obligations and rights under this DPA it shall do so only by way of a binding written contract with the sub-processor which imposes essentially the same obligations according to Art. 28 GDPR especially with regard to instructions on the sub-processor as are imposed on Teliqon under this DPA.
-
Where the sub-processor fails to fulfil its data protection obligations under the subcontracting agreement, Teliqon shall remain fully liable to Customer for the fulfilment of its obligations under this DPA and for the performance of the sub-processor ‘s obligations.
-
International Data Transfers
-
The Parties agree that when the transfer of Customer Personal Data from Controller to Processor is a Restricted Transfer and applicable Data Protection Laws require that appropriate safeguards are put in place, such transfer shall be subject to the appropriate Standard Contractual Clauses, which shall be deemed incorporated into and form part of this DPA as follows:
-
a. In relation to transfers of Customer Personal Data originating from the EEA and subject to the GDPR, the EU SCCs shall apply, completed as follows:
-
i. Module 2 (Controller to Processor) shall apply where Customer is a Controller and Teliqon is a Processor; and Module 3 (Processor to Processor) shall apply where Customer and Teliqon are Processors;
-
iv. in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Estonian law;
-
v. in Clause 18(b), disputes shall be resolved before the courts of Estonia;
-
vi. Annex I of the EU SCCs shall be deemed completed with the information set out in Appendix 1 to this DPA;
-
vii. Annex II of the EU SCCs shall be deemed completed with the information set out in Appendix 2 to this DPA; and
-
viii. Annex III of the EU SCCs shall be deemed completed with the information set out in Appendix 3 to this DPA.
-
b. In relation to transfers of Customer Personal Data originating Switzerland and subject to the Swiss DPA, the EU SCCs as implemented under sub-paragraph (a) above will apply with the following modifications and constitute the Swiss SCCs:
-
i. references to Regulation (EU) 2016/679; shall be interpreted as references to the Swiss DPA;
-
ii. references to specific Articles of Regulation (EU) 2016/679; shall be replaced with the equivalent section of the Swiss DPA;
-
iii. references to “EU”, “Union”, “Member State”, and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law”;
-
iv. the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
-
v. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory” is the Swiss Federal Data Protection Information Commissioner;
-
vi. references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection Information Commissioner” and “applicable courts of Switzerland”;
-
vii. in Clause 17, the Standard Contractual Clauses shall be governed by the laws of Switzerland; and
-
viii. Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
-
ix. Annex I of the Swiss SCCs shall be deemed completed with the information set out in Appendix 1 to this DPA;
-
x. Annex II of the Swiss SCCs shall be deemed completed with the information set out in Appendix 2 to this DPA; and
-
xi. Annex III of the Swiss SCCs shall be deemed completed with the information set out in Appendix 3 to this DPA.
-
In relation to transfers of Personal Data originating from the UK and subject to the UK GDPR, the UK SCCs shall apply.
-
For the purposes of descriptions in the SCCs, You agree that You are the “data exporter” and We are the “data importer”.
-
The Parties agree that if the Standard Contractual Clauses are replaced, amended or no longer recognized as valid under Data Protection Laws, or if a Supervisory Authority and/or Data Protection Laws requires the adoption of an alternative transfer solution, the data exporter and data importer will: (i) promptly take such steps requested including putting an alternative transfer mechanism in place to ensure the processing continues to comply with Data Protection Laws; or (ii) cease the transfer of Customer Personal Data and at the data exporter’s option, delete or return the Customer Personal Data to the data exporter.
-
Data return and destruction
-
At Customer’s written request, Teliqon will give the Customer, or a third party nominated in writing by Customer, a copy of or access to all or part of the Customer Personal Data in its possession or control in the format and on the media reasonably specified by the Customer.
-
Upon termination of the Agreement for any reason, Teliqon may, or at the Customer’s written direction will, securely delete or destroy or, if directed in writing by the Customer, return and not retain, all or any of the Customer Personal Data related to this DPA in its possession or control within 60 (sixty) days upon receipt of Customer’s written direction or termination of the Agreement. For the purposes of this clause 13.2 Customer Personal Data shall be considered deleted or destroyed where it is put beyond further use of Teliqon.
-
If any law, regulation, or government or regulatory body requires Teliqon to retain any documents or materials or Customer Personal Data that Teliqon would otherwise be required to return or destroy, it will notify the Customer in writing of that retention requirement, giving details of the documents, materials or Customer Personal Data that it must retain, the legal basis for retention, and establishing a specific timeline for deletion or destruction once the retention requirement ends.
-
Teliqon will certify in writing to Customer that it has destroyed or returned the Customer Personal Data, as the case may be, promptly upon written request by Customer.
-
Term and Termination
-
This DPA becomes effective upon Customer’s access or usage of the Teliqon Services. It shall continue to be in full force and effect as long as Teliqon is Processing Customer Personal Data pursuant to the Agreement and shall terminate automatically thereafter.
-
Where amendments are required to ensure compliance of this DPA or an Appendix with Data Protection Laws, the Parties shall make reasonable efforts to agree on such amendments upon request of the Controller. Where the Parties are unable to agree upon such amendments, either Party may terminate Customer’s use of the Teliqon Services with thirty (30) days written notice to the other Party.
-
Miscellaneous
-
In case of any conflict, the provisions of this DPA shall take precedence over the provisions of any other agreement with Teliqon.
-
No Party shall receive any remuneration for performing its obligations under this DPA except as explicitly set out herein or in another agreement.
-
Where this DPA requires a “written notice” such notice can also be communicated via email to the other Party. Notices shall be sent to Teliqon at and Customer at the email address with which they signed up.
-
Any supplementary agreements or amendments to this DPA must be made in writing and signed by both Parties.
-
Should individual provisions of this DPA become void, invalid or non-viable, this shall not affect the validity of the remaining conditions of this DPA.
The following Appendices forms an integral part of this DPA:
APPENDIX 1
TO THE STANDARD CONTRACTUAL CLAUSES
A. DETAILS OF THE PROCESSING OF PERSONAL DATA
Data exporter
The data exporter is Customer of Teliqon Communications OÜ.
Data importer
The data importer is Teliqon Communications OÜ.
Data subjects
The Personal Data transferred concern the following categories of Data Subjects:
Data exporter’s Authorised User(s) and other Data Subjects, whose Personal Data is transferred by Customer to Teliqon in relation to the Teliqon Services usage. The Personal Data that the data exporter will transfer to the data importer is determined and controlled solely by the data exporter. The data importer will receive this Personal Data in the form of Customer Personal Data that the data exporter instructs it to Process in the course of the Teliqon Services provision.
Categories of data
The Personal Data transferred concern the following categories of data:
Customer Personal Data: As defined in Section 1 (“Definitions”) of this Agreement.
Special categories of personal data (if appropriate)
No Special Categories of Personal Data shall be transferred as part of Customer Personal Data.
Processing operations
The Personal Data transferred will be subject to the following basic Processing activities:
Teliqon must Process the data collected from or for Customer or in connection with the Teliqon Services provided to Customer solely to provide the Teliqon Services.
Teliqon intends to use the service of the subcontractors for Processing of Personal Data as defined under this DPA.
B. COMPETENT SUPERVISORY AUTHORITY
In respect of the SCCs:
Module 2: Transfer Controller to Processor
Module 3: Transfer Processor to Processor
Where Customer is the data exporter, the supervisory authority shall be the competent supervisory authority that has supervision over the Customer in accordance with Clause 13 of the SCCs.
APPENDIX 2
TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
As of the effective date of this DPA, Teliqon, when Processing Customer Personal Data on behalf of Customer implemented and maintains the following technical and organizational security measures for the Processing of such Customer Personal Data:
Physical Access Controls: Teliqon shall take reasonable measures to prevent physical access, such as secured buildings and offices, to prevent unauthorized persons from gaining access to Customer Personal Data.
System Access Controls: Teliqon shall take reasonable measures to prevent Customer Personal Data from being used without authorization. These controls shall vary based on the nature of the Processing undertaken and may include, among other controls, authentication via passwords and/or two-factors authentication, documented authorization processes, documented change management processes and/or, logging of access on several levels.
Data Access Controls: Teliqon shall take reasonable measures to provide that Customer Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Customer Personal Data to which they have the privilege of access; and, that Customer Personal Data cannot be read, copied, modified or removed without authorization in the course of Processing.
Transmission Controls: Teliqon shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Customer Personal Data by means of data transmission facilities is envisaged so Customer Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport. Customer Personal Data is encrypted in transit via industry standard TLS. Customer Personal Data is encrypted at rest by Teliqon’s Subprocessors and managed services providers such as Amazon Web Services Inc.
Input Controls: Teliqon shall take reasonable measures to provide the ability to check and establish whether and by whom Customer Personal Data has been entered into data processing systems, modified or removed.
Human Resources Security: All Teliqon employees, agents and contractors are informed about the security measures required while dealing with the Customer Personal Data and have non-disclosure agreements concluded before gaining access to Customer Personal Data.
Vendor Management: Teliqon shall maintain vendor verification measures to ensure that appropriate security controls are in place.
APPENDIX 3
LIST OF SUB-PROCESSORS
As set out in Section 11 of this DPA.
APPENDIX 4
UK SCCs
The UK SCCs shall stand included as an addendum to the EU SCCs set implemented under Clause 12 of this DPA.
Part 1: Tables
For data transfers from the United Kingdom that are subject to the UK SCCs, the UK SCCs will be deemed entered into (and incorporated into this Data Processing Addendum by this reference) and completed as follows:
-
1. In Table 1 of the UK SCCs, the Parties’ details and key contact information shall be for Teliqon as defined under the Agreement, and for Customer as specified in billing details or other related documentation.
-
2. In Table 2 of the UK SCCs, information about the version of the Approved EU SCCs, modules and selected clauses which this UK SCC is appended to shall be Module 2 and Module 3.
-
3. In Table 3 of the UK SCCs:
-
3.1. Annex 1A: List of Parties: Parties are as set forth in Appendix I.A.
-
3.2. Annex 1B: Description of Transfer: Description of Transfer is as set forth in Appendix I.A.
-
3.3. Annex II: Technical and organisational measures including technical and organisational measures to ensure the security of the data: TOMs are as set forth in Appendix 2.
-
3.4. Annex III: List of Sub processors: Sub processors are as set forth in Appendix 3.
-
4. In Table 4 of the UK SCCs, both the data importer and the data exporter may end the UK SCCs in accordance with the terms of the UK SCCs.
Part 2: Mandatory Clauses
Mandatory Clauses of the Approved Addendum issued by the ICO and laid before Parliament in accordance with s119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.
-

Contact us
You can always send us a message or email. Weʼd be happy to help you out.