ANNEX 1 - DATA PROCESSING TERMS

  1. INTRODUCTORY PROVISIONS
    1.1. These data processing terms (the “Processing terms”) are an integral part of the Agreement concluded between You and Us.
    1.2. Unless otherwise specified in these Processing terms, the terms used herein shall have the same meaning as set out in the T&C.
    1.3. In the course of providing the Services, We may process Your personal data (or data of Your employees and other persons accessing the Services as authorised persons) as data controller, and We inform You of such processing in Part A of these Processing terms. In addition, however, We process data about Your employees as a processor of personal data for You, in which case the rules for processing personal data are set out in Part B of these Processing terms.
    1.4. Terms such as personal data, personal data controller, personal data processor or personal data processing shall have the meanings set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR”).
    1.5. You warrant and confirm that, in accordance with data protection legislation, where You provide personal data to Us, You inform Your employees, agents, representatives and other persons that We will handle their personal data.

    PART A - WE AS DATA CONTROLLER

  2. INFORMATION ON THE PROCESSING OF PERSONAL DATA
    2.1. We, as the personal data controller, hereby inform You how We will process the personal data of Your employees, workers and other data subjects in connection with the Agreement, whereby We act as the controller in respect of the personal data of the above-mentioned persons who have been granted a user account to access the Services as a person authorised by You as an administrator. This Part A does not apply to the processing of personal data of other employees, workers and other data subjects using the Services based on access You provided them with, as these are covered by Part B of the Processing terms.
    2.2. In the event of any queries in relation to the processing of personal data, You may contact Us at the email address specified in the T&C.
    2.3. We shall process identification data (first and last name, IP address) and contact data (e-mail) in connection with our mutual cooperation, as well as data necessary for the establishment of a user account for Your authorised person and other personal data obtained in connection with communication with You. The scope will depend on the scope of cooperation.
    2.4. The purpose of the processing of the aforementioned personal data will be, in particular, the performance of the mutual contractual obligation within the meaning of Article 6(1)(b) GDPR, i.e., the registration and management of the user account within the Services, the provision of mediation and the provision of communication in connection with the performance of contractual obligations. At the same time, We will process personal data for the purpose of fulfilling legal obligations, in particular accounting and tax obligations within the meaning of Article 6(1)(c) GDPR. We may also need the personal data for possible protection against complaints, claims and other requests from You (or individual employees). In this case, We will process the personal data on the basis of legitimate interest, which consists in the protection of legal claims pursuant to Article 6(1)(f) GDPR. The purpose of the processing may also be to ensure security on the basis of a legitimate interest pursuant to Article 6(1)(f) GDPR.
    2.5. Personal data pursuant to Part A of the Processing terms may be shared with other recipients, which include, for example, Our employees, workers and other external service providers, in particular Amazon and Microsoft, which provide Us with servers, and Stripe. Some personal data that are shared with Amazon, Microsoft or another server provider (if We use a different one) may be transferred to third countries, as those companies also have servers in the USA. This transfer is always covered by standard contractual clauses, as well as by the security measures provided by these companies, as We use only companies that take security very seriously.
    2.6. We will store the personal data according to Part A of the Processing terms for the duration of the user account and subsequently for 1 month after the account is cancelled. If You decide, during this 1 month period, that You want to use the Services again, We can restore Your account to its original settings. We will also store some of the personal data that are necessary for the protection of Our legal claims for the duration of the limitation period.
    2.7. Data subjects under Part A of the Processing terms have the right to access personal data, the right to rectification, the right to erasure, the right to restriction of data processing, the right to object to processing, the right to data portability and the right to lodge a complaint about the processing of personal data. These rights may be exercised directly by You on behalf of the data subject, however, You shall inform the data subject of the processing.

    PART B - WE AS DATA PROCESSOR

  3. DATA PROCESSING TASKS AND GUIDELINES
    3.1. In connection with the Services, We also provide the activities of storing personal data, of analysis of personal data, making personal data available to You, and other activities described in Part B of the Processing terms. You hereby expressly authorise Us to process personal data as a personal data processor to the extent and in accordance with Part B of the Processing terms.
    3.2. You and We undertake to comply with our obligations under the applicable laws and regulations that apply to the processing of personal data.
    3.3. Where You act as a processor of personal data, You warrant that the relevant controller has approved Your instructions and actions in relation to the personal data, including the authorisation of Us as an additional processor.
    3.4. We shall process personal data as a processor in accordance with the terms and conditions set out in Part B of the Processing terms and on the basis of any other documented written instructions given by You in relation to the provision of the Services. An instruction given via the email address specified in the T&C shall also be deemed to be a written instruction.
  4. FOR HOW LONG DO WE PROCESS PERSONAL DATA?
    4.1. The rule is simple: We will process personal data only for the duration of the provision of the Services under the Agreement or until all personal data are deleted by Us according to these Processing terms. However, each individual set of data gathered by the Services will be processed only for 9 days. We will store the account settings and identification data of users that Your administrator entered into the Services for a period of 1 month after the account is cancelled, so that those data can be restored in case You start using Our Services again.
  5. WHY DO WE PROCESS PERSONAL DATA AND HOW DO WE DO IT?
    5.1. For the purposes of providing the Services, We will process personal data in electronic form through the Services or through other means determined by You, while the subject-matter of the processing will be viewing personal data, storage of personal data, analysis of personal data and other activities necessary for providing the Services.
  6. TYPES OF PERSONAL DATA
    6.1. The following personal data may be processed in accordance with these Processing terms:
        a) identification data (name, surname, IP address);
        b) log data;
        c) contact data (e-mail);
        d) other data that will be made available in connection with the provision of the Service.
  7. CATEGORIES OF DATA SUBJECTS
    7.1. Personal data will cover the following categories of data subjects:
        a) Your employees and Your workers;
        b) other data subjects about whom You have obtained personal data that was transmitted to Us in connection with the provision of the Services.
  8. RIGHTS AND OBLIGATIONS
    8.1. We declare and undertake to:
        a) if We become aware of a breach or impending breach of the security of personal data, accidental or unlawful destruction, loss, alteration or unauthorised provision or disclosure of the processed personal data, immediately, and no later than 48 (forty-eight) hours thereafter, inform You in writing and describe as best as possible the resulting or imminent security risk, informing You of appropriate measures to prevent or minimise the breach of the security of the Service and taking all necessary measures to minimise damage;
        b) secure personal data in accordance with Article 9 of these Processing terms;
        c) process personal data only in accordance with these Processing terms or on the basis of Your other written instructions;
        d) assist You in implementing and maintaining appropriate technical and organisational measures to secure personal data, in reporting personal data breaches to the supervisory authority or the data subject, in carrying out a data protection impact assessment and in prior consultations with the supervisory authority;
        e) ensure cooperation with You through appropriate technical and organizational measures, no later than 14 (fourteen) days after Your request has been made, in order to fulfil Your obligation to respond to requests for the exercise of the rights of the data subject;
        f) provide You, at request, without delay, but not later than 14 (fourteen) days after Your request has been made, with all the cooperation necessary to prove that the personal data are sufficiently organizationally and technically secured.
    8.2. If We receive any request from a data subject relating to personal data and purposes for which We act as a processor of personal data, We shall inform the data subject to contact You directly with the request. You shall be responsible for handling such a request. We shall provide all necessary assistance for the handling of data subjects’ rights, but only to the extent of the personal data processed during the provision of the Services.
    8.3. You agree that We will involve other processors in the processing of personal data and, if these other processors are involved, We ensure that they comply with the same data protection obligations as those set out in these Processing terms. You expressly agree that We will involve server providers (e.g. Amazon, Microsoft) and Our employees who provide services to Us under a cooperation or similar agreement. Some personal data that are shared with Amazon, Microsoft or another server provider (if We use a different one) may be transferred to third countries, as those companies also have servers in the USA. This transfer is always covered by standard contractual clauses, as well as by the security measures provided by these companies, as We use only companies that take security very seriously.
    8.4. Should We involve other processors not listed in these Processing terms, We will inform You in advance and, if necessary, allow You to object to such involvement. If You do not object within 14 (fourteen) days of the notification of the involvement of the additional processor, We shall involve the additional processor in the processing of the personal data. If You object, We shall evaluate the objection and, if We find it to be justified, We shall not involve the additional processor.
    8.5. We shall enable You or a person authorised by You to check (including by audit or inspection) compliance with these Processing terms, in particular the obligations for processing personal data arising therefrom, and shall contribute to such checks as reasonably instructed by You or the person checking.
    8.6. You are obliged to send any request for an audit exclusively to the e-mail address [•]. Upon receipt of the audit request, You and We will agree in advance on: (a) the possible date of the audit, security measures and how to ensure compliance with confidentiality obligations during the audit, and (b) the expected beginning, scope and duration of the audit. In the event that no agreement is reached within 30 days from the date of submission of the request, the terms of the audit shall be determined by Us.
    8.7. We may object in writing to any auditor appointed by You if the auditor is not sufficiently qualified in Our opinion, is not independent, is in a competitive position with Us or is otherwise obviously unsuitable. On the basis of the objection raised, You are obliged to appoint another auditor or to carry out the audit Yourself.
    8.8. You are responsible for fulfilling all obligations in relation to the processing of personal data, in particular for properly informing data subjects about the processing of personal data, obtaining consent to the processing of personal data where necessary, and handling data subjects’ requests to exercise their rights (such as the right to information, access, rectification, erasure, restriction of processing, objection, etc.).
    8.9. If You provide Us with personal data that are not necessary for the provision of the Services, We will not process them for any purpose. However, because We are not able to control this, You are responsible for any personal data that You send to Us.
  9. HOW DO WE SECURE PERSONAL DATA?
    9.1. We have taken the following measures and undertake to maintain them to ensure the security of the processing of personal data throughout the processing.
    9.2. Organisational measures:
        a) We and Our workers are regularly trained on the principles of data protection and cybersecurity;
        b) We and Our staff are also bound by confidentiality obligations in connection with the processing of personal data;
        c) We have a policy for working with personal data, under which only selected workers are allowed to access personal data.
    9.3. Technical measures:
        a) using sufficiently strong passwords when working with personal data;
        b) only a secure connection is used to access the infrastructure;
        c) personal data are persisted in the AWS RDS service, secured by transparent encryption;
        d) personal data are secured in transit by standard TLS;
        e) endpoints are secured by the AWS Application Load Balancer with the use of a WAF.
    9.4. We will take such technical, personnel and other necessary measures to prevent unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transfers, other unauthorised processing or other misuse of personal data.
    9.5. We shall ensure appropriate technical and organisational measures to provide a level of security appropriate to the risk, taking into account the state of the art, the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity to the rights and freedoms of natural persons.
  10. WHAT WILL HAPPEN IN THE END?
    10.1. Upon termination of the Agreement, regardless of the manner and reason for its termination, We will, after the expiry of 1 month, permanently destroy the personal data on all devices and media outside the devices and media owned or used by You, except where storage of the personal data is required by the law of the Czech Republic or the European Union.
  11. FINAL WORDS
    11.1. The limitation of liability as set out in the T&C shall also apply to the processing of personal data as set out in these Processing terms.