Processing of Personal Data
Arrangement on the Rights and Obligations of the Provider and the Customer in the Processing of Personal Data of Third Parties under the Agreement
I. PERSONAL DATA PROCESSING
- An integral part of the performance of the Agreement is the processing of personal data within the meaning of Act No. 101/2000 Coll., on personal data protection, and the General Data Protection Regulation (hereinafter referred to as the “GDPR”).
- In order to protect personal data during the processing thereof by the Provider acting in the capacity of the Processor, the Contracting Parties enter into this processing Arrangement under Article 28 of the GDPR.
- The personal data Controller is a person that determines the purposes and means of the processing of personal data. When using the Application, the Customer stores data including personal data in data storages as part of the cloud services provided by the Provider, which results in dual processing of personal data.
- The Provider processes personal data of third parties obtained in the course of the Customer’s business activities stored during the Provider’s performance under the Agreement in data storages as part of the cloud services during the use of the Application by the Customer. The Customer is thus the Controller of these personal data and the Provider is the Processor thereof. This processing is governed by the following provisions of this Arrangement.
- The categories of the personal data processed, as well as other data about such processing, the scope of processing, categories of data subjects and purposes of this processing are determined by the Customer. The Customer acting in the capacity of the Controller has the reporting obligation vis-à-vis subjects in accordance with the rules on personal data protection.
- The Customer acting in the capacity of the Controller authorises the Provider acting in the capacity of the Processor to carry out, for it and in compliance with its instructions, the processing of personal data in connection with the performance of the Agreement, under the terms and conditions set out therein. The Customer and/or its Users enter mainly such personal data in the Application that cannot be determined more accurately, taking into account the wide range of uses of the Application, than by processing the personal data of data subjects by the Provider for the Customer under the Agreement for the duration of the Agreement to the extent of the following personal data:
  - Identification data (name, surname, date of birth and title);
  - Contact data (residence address, email and telephone number);
  - Data relating to professional and personal life (education, employment, bank account);
  - Data relating to business relationships and customers;
  - And other similar categories of personal data not expressly mentioned.
II. RIGHTS AND OBLIGATIONS OF THE CONTRACTING PARTIES
- The Provider undertakes to comply with any and all obligations arising from the applicable GDPR provisions for the Provider in the processing of personal data.
- The Provider undertakes to accept, document (and make available upon request) the appropriate technical and organisational measures to ensure the protection of personal data in accordance with Article 32 of the GDPR and to ensure that persons authorised to process personal data are subject to a contractual or statutory obligation of confidentiality.
- The Provider is entitled to engage other contractors as sub-contractors. The Provider is only allowed to engage such sub-contractors who provide sufficient guarantees to implement appropriate technical and organisational measures so that the processing complies with the GDPR requirements and have at least the same data protection obligations as those set out in this Arrangement.
- The Provider undertakes to provide the Customer, without undue delay, with the necessary cooperation in fulfilling the Customer’s obligations relating to requests for the exercise of the rights of Data Subjects and shall assist it in fulfilling its obligations under Articles 32 to 36 of the GDPR.
- The Provider undertakes to notify the Customer, without undue delay, of any breach of personal data security (accidental or unlawful destruction, loss, alteration, unauthorised disclosure or other processing) and to provide the Customer with all necessary cooperation in order to fulfil the Customer’s obligations to report a breach of the personal data security to the supervisory authority and/or data subjects.
- The information on the breach of security shall include, as far as possible, the following:
  - A description of the event, its circumstances and expected causes (preferably the number of documents / carriers / devices affected by the incident and the number of persons affected by the incident, if any);
  - The time of the event occurrence;
  - The source of information about the event;
  - The names of other persons who may possess information about the event;
  - A description of the likely consequences of a breach of the personal data security;
  - A description of the measures that the Provider has adopted or proposed to be adopted with a view to resolving the given breach of personal data security, including, where appropriate, measures to mitigate possible adverse impacts.
- Initiating any inspection or administrative proceedings in relation to the processing of personal data;
- Any requests or complaints received directly from Data Subjects with regard to personal data (e.g., exercise of the right of access, correction, erasure, limitation of processing, data portability, objections to data processing or automated decision making);
- If the Provider is required by law to process personal data beyond the Customer’s instructions.
III. FINAL PROVISIONS
- The Customer represents that it has read this Arrangement properly, has understood its contents, and the meaning of all provisions and clauses has been sufficiently explained to it and that it accepts them in full and without reservations. The Customer further represents that this Arrangement does not contain any clause or provision that would be incomprehensible or particularly disadvantageous for the Customer or which it could not reasonably anticipate.
- This Arrangement is an integral part of the Agreement and shall enter into force on the day of conclusion of the Agreement by the authorized representatives of both parties.
AD-IN-ONE Europe a.s., 01/2019