Arrangement on the Rights and Obligations of the Provider and the Customer in the Processing of Personal Data of Third Parties under the Agreement

I. Personal Data Processing

1. An integral part of the performance of the Agreement is the processing of personal data within the meaning of Act No. 101/2000 Coll., on personal data protection, and the General Data Protection Regulation (hereinafter referred to as the “GDPR”).

    

2. In order to protect personal data during the processing thereof by the Provider acting in the capacity of the Processor, the Contracting Parties enter into this processing Arrangement under Article 28 of the GDPR.

    

3. The personal data Controller is a person that determines the purposes and means of the processing of personal data. When using the Application, the Customer stores data including personal data in data storages as part of the cloud services provided by the Provider, which results in dual processing of personal data.

    

4. The Provider processes personal data of third parties obtained in the course of the Customer’s business activities stored during the Provider’s performance under the Agreement in data storages as part of the cloud services during the use of the Application by the Customer. The Customer is thus the Controller of these personal data and the Provider is the Processor thereof. This processing is governed by the following provisions of this Arrangement.

    

5. The categories of the personal data processed, as well as other data about such processing, the scope of processing, categories of data subjects and purposes of this processing are determined by the Customer. The Customer acting in the capacity of the Controller has the reporting obligation vis-á-vis subjects in accordance with the rules on personal data protection.

    

6. The Customer acting in the capacity of the Controller authorises the Provider acting in the capacity of the Processor to carry out, for it and in compliance with its instructions, the processing of personal data in connection with the performance of the Agreement, under the terms and conditions set out therein. The Customer and/or its Users enter mainly such personal data in the Application that cannot be determined more accurately, taking into account the wide range of uses of the Application, than by processing the personal data of data subjects by the Provider for the Customer under the Agreement for the duration of the Agreement to the extent of the following personal data:

    

• Identification data (name, surname, date of birth and title);
• Contact data (residence address, email and telephone number);
• Data relating to professional and personal life (education, employment, bank account);
• Data relating to business relationships and customers;
• And other similar categories of personal data not expressly mentioned.

   

7. The data of third parties, whether Customer’s clients or other persons, that the Customer provides to the Provider in connection with the use of the Application, are secured by the Provider according to the current technological possibilities, and the selected data that can be encrypted within the capabilities of the Application and stored by the Customer are encrypted and the Provider has no access to the selected content. However, the Provider does process the personal data of Data Subjects within the meaning of the GDPR, while acting as a processor with respect to them and the Customer acting as the Controller of their personal data.

    

8. The Provider undertakes to process personal data solely for the purposes of storing and ensuring the transfer of data to the storage.

    

9. The Provider is obliged to create a sub-processing relationship and to commission the processing to Amazon Web Services, Inc., and/or to other sub-processors, if necessary for ensuring the operability of the application. However, the Provider is obliged to cause other processors to fulfil the obligations under the Arrangement at least to the same extent as the Provider’s obligations hereunder.

    

10. All persons engaged by the Provider in the processing of personal data shall comply with the GDPR requirements. All employees of the Provider are required, when processing personal data, to maintain confidentiality on the personal data they process while performing their work.

     

11. The Customer acknowledges, confirms and agrees that it assumes full responsibility for the data it enters into the Application.

     

12. In the case of termination of the Agreement, the Provider is obliged to hand over all personal data of Data Subjects to the Customer, or to erase them at request from the Customer.

     

13. Upon termination of the Agreement, i.e. termination of the Customer Account, all entered data shall be removed within 60 days. The Customer is always entitled to request its data and place them in its own storage in order to prevent irreversible loss of the entered data. Neither the Provider nor the authorised processors are liable for any damage incurred by the loss of the data entered into the Application more than 60 days after the termination of the Customer Account.

     

II. RIGHTS AND OBLIGATIONS OF THE CONTRACTING PARTIES

1. The Provider undertakes to comply with any and all obligations arising from the applicable GDPR provisions for the Provider in the processing of personal data.

    

2. The Provider undertakes to accept, document (and make available upon request) the appropriate technical and organisational measures to ensure the protection of personal data in accordance with Article 32 of the GDPR and to ensure that persons authorised to process personal data are subject to a contractual or statutory obligation of confidentiality.

    

3. The Provider is entitled to engage other contractors as sub-contractors. The Provider is only allowed to engage such sub-contractors who provide sufficient guarantees to implement appropriate technical and organizational measures so that the processing complies with the GDPR requirements and has at least the same data protection obligations as those set out in this Arrangement.

    

4. The Provider undertakes to provide the Customer, without undue delay, the necessary cooperation in fulfilling the Customer’s obligations relating to requests for the exercise of the rights of Data Subjects and shall assist it in fulfilling its obligations under Articles 32 to 36 of the GDPR.

    

5. The Provider undertakes to notify the Customer, without undue delay, of any breach of personal data security (accidental or unlawful destruction, loss, alteration, unauthorised disclosure or other processing) and to provide the Customer with all necessary cooperation in order to fulfil the Customer’s obligations to report a breach of the personal data security to the supervisory authority and/or data subjects.

    

6. The information on the breach of security shall include, as far as possible, the following:

    

• A description of the event, its circumstances and expected causes (preferably the number of documents / carriers / devices affected by the incident and the number of persons affected by the incident, if any);
• The time of the event occurrence;
• The source of information about the event;
• The names of other persons who may possess information about the event;
• A description of the likely consequences of a breach of the personal data security;
• A description of the measures that the Provider has adopted or proposed to be adopted with a view to resolving the given breach of personal data security, including, where appropriate, measures to mitigate possible adverse impacts.
  
  
7. If the Provider cannot provide the information at once, it is entitled to provide it gradually without undue delay.

8. All communication within the Service is encrypted by SSL. The Customer hereby confirms that this encryption method is considered safe enough.
9. The Provider shall provide the Customer with the necessary cooperation in communicating with the supervisory authority and, as instructed by the Customer, shall cooperate in preparing the replies to the supervisory authority regarding the processing operations carried out by the Provider.
10. The Provider is further obliged, without undue delay, to notify the Customer of:
    • Initiating any inspection or administrative proceedings in relation to the processing of personal data;
    • Any requests or complaints received directly from Data Subjects with regard to personal data (e.g., exercise of the right of access, correction, erasure, limitation of processing, data portability, objections to data processing or automated decision making);
    • If the Provider is required by law to process personal data beyond the Customer’s instructions.

11. The Provider shall provide the Customer, at its request, with all the information and documents needed to demonstrate that it has fulfilled the obligations set out in this processing agreement and shall allow the Customer or a person authorised thereby to carry out its duties.

12. The Provider undertakes that following the termination of the Agreement for any cause, it shall, at the Customer’s request, erase the personal data or enable to the Customer to take over them, in accordance with the Customer’s instructions, unless the relevant legislation requires the data to be stored.

13. The Contracting Parties agree that the Customer, as the data Controller is obliged to ensure that the Data Subjects are provided with all the rights they have with respect to it within the meaning of the GDPR. If a Data Subject turns to the Provider with its request, the Provider is obliged, without undue delay, to submit the Data Subject’s request to the Customer and to notify the Data Subject of the request that has been submitted to the Customer as the Controller.
    
    

    III. FINAL PROVISIONS

1. The Customer represents that it has read this Arrangement properly, has understood its contents, and the meaning of all provisions and clauses has been sufficiently explained to it and that it accepts them in full and without reservations. The Customer further represents that this Arrangement does not contain any clause or provision that would be incomprehensible or particularly disadvantageous for the Customer or which it could not reasonably anticipate.

2. This Arrangement is an integral part of the Agreement and shall enter into force at the day of Agreement conclusion by the authorized representatives of both parties.

AD-IN-ONE Europe a.s., 01/2019