DATA PROCESSING AGREEMENT

THIS AGREEMENT (the “Agreement”) is entered into by and between:

(1) recruitis.io s.r.o., with its registered office at Chmelova 357/2, Postal Code 500 03, Hradec Králové, Czech Republic, European Union, corporate ID No.: 275 08 391, registered in the Commercial Register maintained by the Regional Court in Hradec Králové, file No. C 23184 (the “Processor”); and

(2) the customer of the Processor under the Service Agreement (as defined below) (the “Controller”)

(hereinafter also referred to as the “Parties” or individually as a “Party”).

1. THE SUBJECT MATTER OF THE AGREEMENT

1.1 The Controller and the Processor have concluded the service agreement (the “Service Agreement”), whereby “Service” means all services and other activities which are to be provided or undertaken pursuant to the Service Agreement, in particular access to the Onboardee service offered on the www.onboardee.io website. This Agreement forms an integral part of the Service Agreement.

1.2 The Controller hereby appoints the Processor to process Personal Data (as defined below) under the terms and conditions and to the extent set forth in this Agreement, and the Processor accepts such appointment.

1.3 The Parties expressly state that this Agreement is a data processing agreement under Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of personal data (“GDPR”), whereby the Controller is the controller in relation to the Personal Data and the Processor is the processor in relation to the Personal Data.

2. THE PURPOSE AND MANNER OF THE PROCESSING

2.1 The Personal Data is processed by the Processor within the framework and for the purpose of performance of the Service under the Service Agreement as further specified in Annex 1 to this Agreement.

2.2 The Processor is obliged to process Personal Data in the following manner:

2.2.1 the creation and management of the database and files stored on a secured dedicated cloud storage operated by the Processor, or another person contractually authorised by the Processor in accordance with this Agreement, through the storage, editing, archiving and deletion of personal data.

3. THE EXTENT OF THE PROCESSED DATA

3.1 The type of personal data that the Processor is obliged to process (“Personal Data”) and the categories of data subjects whose Personal Data is processed are specified in Annex 1 to this Agreement.

3.2 The Controller is entitled to create individual categories of data within the Service that the data subject should/may fill in, which may differ from the type of Personal Data listed in Annex 1 to this Agreement. Thus, the Controller sets the extent of data to be collected through the Service. Any personal data collected through the Service within the categories so set shall be deemed to be Personal Data under this Agreement and the Processor shall process it in accordance with the provisions of this Agreement.

3.3 In the event that other personal data of the data subjects listed in Annex 1 to this Agreement is provided by the Controller or is otherwise made available to the Processor in connection with its activities for the Controller, or the Processor is provided with personal data of other data subjects, such personal data shall be deemed to be Personal Data under this Agreement and the Processor shall be obliged to process such personal data in accordance with the provisions of this Agreement.

4. TERM OF THE PROCESSING

4.1 The Processor is authorised to process the Personal Data for the period of the effectiveness of this Agreement, but no longer than for the period that is (in each individual case) strictly necessary for achieving the purpose of the processing according to this Agreement.

5. SECURITY MEASURES

5.1 The Processor is obliged to adopt all necessary security measures to protect the rights and privacy of the data subjects. In particular, the Processor is obliged to adopt all measures to prevent unlawful or accidental access to Personal Data, their alteration, destruction or loss, unauthorised transmission, other unauthorised processing, as well as other misuse of Personal Data by unauthorised persons. For this purpose, the Processor undertakes to adopt the technical and organisational measures to ensure the protection of Personal Data set out in Annex 2 to this Agreement.

5.2 The Processor is obliged to ensure that its employees are trained on the obligations they have when processing Personal Data under this Agreement, in particular on the obligation to maintain confidentiality of such Personal Data and on the technical and organisational measures to ensure the protection of Personal Data.

6. OBLIGATIONS OF THE PROCESSOR

6.1 The Processor is obliged to process Personal Data in accordance with applicable law, in particular in accordance with Act No. 110/2019 Coll., on the processing of personal data, as amended (the “Act”) and the GDPR.

6.2 The Processor is obliged to act only upon documented instructions and directions of the Controller. The Processor shall promptly inform the Controller if, in the opinion of the Processor, the Controller’s instructions contravene the GDPR or applicable laws of the European Union or a Member State of the European Union relating to the protection of personal data.

6.3 The Processor is obliged to process the Personal Data only to the extent, for the period and for the purposes stated in this Agreement.

6.4 The above-mentioned limitation does not apply in cases where the Processor is obliged to provide the Personal Data or part thereof to a third party on the basis of applicable laws.

6.5 The Processor may not transfer the Personal Data outside the Member States of the European Union without the prior written consent or instructions of the Controller. In the event that the Controller has its registered office or establishment in a third country in connection with whose activities the Personal Data is processed, the Controller hereby consents to the transfer of Personal Data by the Processor to the Controller to such a third country. For such a case, in order to ensure the protection of the Personal Data transferred to a third country for which the European Commission has not issued an adequacy decision, the Controller and the Processor hereby enter into standard contractual clauses as set out in Annex 4 to this Agreement.

6.6 The Processor is authorised to process the Personal Data outside the Member States of the European Union only on the basis of prior written instructions of the Controller.

6.7 Upon termination of this Agreement, the Processor shall, upon written instructions of the Controller, transfer all Personal Data to the Controller via the Service where practicable and, upon written instructions of the Controller, delete all Personal Data from its systems or databases. If the Controller does not instruct the Processor to delete the Personal Data within 30 days of termination of this Agreement, the Processor shall delete all Personal Data. With respect to termination of the Parties’ cooperation in processing of Personal Data, the Processor shall proceed as instructed and in accordance with reasonable requests of the Controller.

6.8 If required by data protection laws, the Processor shall keep at its own expense full and accurate records of the processing of the Personal Data. The Processor shall furthermore, during the term of this Agreement, allow the Controller to inspect the processing of the Personal Data carried out by the Processor by providing the Controller with remote access to its systems used for the processing of the Personal Data at any time during its normal business hours to the extent necessary to carry out the inspection; in particular, the Processor may make available to the Controller for inspection the documentation regarding the security measures implemented by the Processor. The Controller is also entitled to perform or request a penetration test on the Processor’s systems used for the processing of the Personal Data. The Controller shall notify the Processor in writing of its intention to carry out the inspection at least five (5) business days before the date of the inspection, and in the case of a request for a penetration test, the Controller shall send a written request for a penetration test to the Processor at least fifteen (15) business days before the date of such test. Each Party shall bear its own costs of conducting the said inspection, but in the case of a penetration test, the Controller shall bear all costs of such test. If the Controller requires more than one inspection per year, the Controller shall bear all costs associated with such additional inspections.

7. PARTICIPATION OF OTHER PERSONS IN THE PROCESSING

7.1 The Processor is entitled to provide Personal Data to another person for processing only on the basis of the written consent of the Controller and provided that the Processor enters into an agreement on the processing of Personal Data with such other person under the same conditions as set out in this Agreement, in particular the conditions relating to the provision of sufficient guarantees in the implementation of appropriate technical and organisational security measures.

7.2 The Controller hereby grants general consent to engage sub-processors in the processing of Personal Data and also agrees to the authorisation of sub-processors in accordance with Clause 7.3 and Annex 3 of this Agreement. The Processor shall inform the Controller of any intended changes concerning the engagement or replacement of sub-processors at least twenty (20) days in advance. The Controller shall be entitled to provide written reasoned objections to the notified changes within ten (10) days of the Processor’s notification. If the Controller fails to do so, it shall be deemed to have no objection.

7.3 Sub-processors engaged in the processing of the Personal Data as of the date of this Agreement are listed in Annex 3 to this Agreement.

8. THE PROCESSOR’S COOPERATION

8.1 The Processor is obliged to provide the Controller with all assistance necessary for fulfilment of the purpose of this Agreement, protection of Personal Data from misuse and for compliance with applicable legislation when processing the Personal Data, in particular in the performance of the Controller’s obligations under Articles 32 to 36 of the GDPR.

8.2 The Processor is obliged to provide the Controller, at its own expense, upon request and within the time period provided by the Controller, with such information as the Controller may require for the purpose of fulfilling its obligations towards data subjects, including the obligation to provide access to Personal Data, or obligations arising from a remedial measure or other instruction of a supervisory authority (the “Authority”).

8.3 The Processor shall notify the Controller (and deliver copies of relevant documents to the Controller) of any requests, complaints, notifications or any other form of communication it receives from data subjects, the Authority or any public authority in connection with the processing of the Personal Data under this Agreement. The Processor shall be entitled to respond to the above only with the prior consent and on the basis of the instructions of the Controller.

8.4 The Processor shall provide the Controller with reasonable assistance in the event that any proceedings are brought (or threatened to be brought) before the Authority, a court or other public authority in connection with the processing of the Personal Data under this Agreement. In the event that such proceedings are commenced, the Processor shall be entitled to take any action only with the consent and on the instructions of the Controller.

8.5 The Processor shall inform the Controller of any serious problems or difficulties in the performance of this Agreement, as well as of any serious circumstances relating to an actual or threatened breach of the obligations under this Agreement. In such event, the Processor shall take measures to ensure the adequate protection of the Personal Data.

8.6 The Processor shall notify the Controller of any personal data breach (the “Security Breach”) without undue delay, and no later than seventy-two (72) hours from the moment the Processor or its employees become aware of the Security Breach, and shall provide the Controller with a detailed description of the Security Breach, including the categories and approximate amount of Personal Data concerned and the categories and approximate number of data subjects concerned, or the identity of the data subjects concerned by the Security Breach, if known, and any other information that the Controller or a supervisory authority may request. The Processor agrees to take action immediately, at its own expense, to: (i) investigate the Security Breach, (ii) identify, prevent and mitigate the effects of such Security Breach, and (iii) provide reasonable assistance to the Controller in notifying the Security Breach to a supervisory authority and/or data subjects. The Processor agrees to communicate and cooperate with the Controller in connection with the Security Breach and will provide the Controller with updates on the status until the matter is concluded.

9. METHOD OF TRANSMISSION OF PERSONAL DATA

9.1 The Parties agree that the contact persons for the purposes of the Parties’ regular communication in the performance of this Agreement shall be:

(a) for the Controller: the contact person listed in the Service system settings;

(b) for the Processor: Štěpán Bartyzal, tel: +420602123898, e-mail: stepan@onboardee.io.

10. DECLARATION OF THE CONTROLLER

10.1 The Controller declares that it has complied with applicable law whilst collecting Personal Data and that it has obtained the consent of the data subjects in the cases provided for by the Act and the GDPR and has complied with all legal requirements in relation to the Authority.

10.2 The Controller declares that it will provide the Processor with all assistance necessary for fulfilment of the purpose of this Agreement, protection of Personal Data from misuse and for compliance with applicable legislation when processing the Personal Data.

11. CONFIDENTIALITY OF THE INFORMATION

11.1 The provisions of this Agreement are confidential and none of the Parties is allowed to provide or disclose them to any third parties without the prior written consent of the other Party. This restriction on disclosure does not apply to:

11.1.1 information required by legislation or by a decision of the respective public authority; the Party that is obliged to make such disclosure must use maximum effort to inform the other Party about such disclosure; or

11.1.2 information provided to the professional advisors of either Party if they are bound by a confidentiality obligation at least to the extent stipulated under this Agreement.

12. TERM OF THE AGREEMENT

12.1 This Agreement is concluded for the period of effectiveness of the Service Agreement, but no longer than necessary for achieving the purpose of the processing.

12.2 This Agreement can be terminated only based on the grounds stated in the Service Agreement or by applicable law.

13. FINAL PROVISIONS

13.1 Except as otherwise expressly provided in this Agreement, each Party shall bear all costs and expenses incurred by it in connection with the execution and performance under this Agreement.

13.2 None of the rights or obligations under this Agreement may be assigned or transferred without the prior written consent of the other Party.

13.3 The ineffectiveness or invalidity of any provision of this Agreement, in whole or in part, shall not affect the effectiveness or validity of the remainder of this Agreement. In case any of the provisions of this Agreement becomes invalid or void for any reason, the Parties shall inform each other and agree on a legally acceptable solution to achieve the commercial objectives contained in such invalid and/or void provisions of this Agreement.

13.4 This Agreement can only be validly and effectively amended by written amendments accepted by both Parties.

13.5 Pursuant to Section 562(1) of Act No. 89/2012 Coll., the Civil Code, as amended, the written form of any legal act under this Agreement, i.e., in particular an amendment, instruction or consent under this Agreement, shall be maintained even in the case of a legal act made by electronic or other technical means enabling the capture of its content and the identification of the person acting.

13.6 No failure to exercise nor any delay by either Party in exercising any right under this Agreement and no course of conduct between the Parties shall be construed or operate as a waiver of such right, nor shall any single or partial exercise of any right preclude any other or further exercise thereof or the exercise of any other right.

13.7 This Agreement is executed in English.

13.8 Any dispute, claim or disagreement arising out of or in connection with this Agreement which is the subject of a dispute between the Parties (including questions relating to its validity, effectiveness and interpretation) will be referred for resolution to the relevant court in the Czech Republic.

13.9 This Agreement and any non-contractual obligations arising out of or in connection with it shall be governed by and construed in accordance with Czech law, without regard to its conflict of laws provisions.

Annex 1

PERSONAL DATA PROCESSING

Purposes of processing (the same for every category of data subjects listed below): operating the Onboardee tool, including:

· setting up and managing the Controller’s (and its employees’) access to the Account within the Service (as defined in the Onboardee Terms of Use available at www.onboardee.io);

· setting up and managing access of employees, potential employees, former employees, contractors, potential contractors, and former contractors to the Sub-Accounts within the Service (as defined in the Onboardee Terms of Use available at www.onboardee.io).

Categories of data subjects and type of personal data:

Potential employees of the Controller:
· Name, surname, birth number, gender
· Personal email address, personal phone number
· Health insurance company, bank details
· Link to personal profile on LinkedIn and other relevant social networks, CV in various electronic formats (.doc, .pdf etc.), photographs, response to the job offer (cover letter, so-called motivation letter), relevant information about the interview process and the outcome
· Documents stored in the Onboardee service, details of the digital contract signature (IP address, SMS, timestamp, browser type, operating system)
· Onboardee service access details

Employees of the Controller:
· Name, surname, maiden name, birth number, date of birth, birthplace, gender, academic degree, identity card number, date of issue and expiry date of identity card, nationality/citizenship, photograph, marital status
· Personal email address, work email address, personal phone number, home address, correspondence address
· Diploma of the highest education achieved, skills, work permit
· Job position/role, commencement date
· Records of working hours
· Performance and other materials related to job performance and evaluation, career plans
· Health data, health insurance company, emergency contact
· Payroll details, bank details
· Documents stored in the Onboardee service, details of the digital contract signature (IP address, SMS, timestamp, browser type, operating system)
· Onboardee service access details

Former employees of the Controller:
· Name, surname
· Personal e-mail address
· Personal data of the former employee that the employer is obliged to record or has a legitimate interest in recording
· Documents stored in the Onboardee service, details of the digital contract signature (IP address, SMS, timestamp, browser type, operating system)
· Onboardee service access details

Potential contractors of the Controller:
· Name, surname, business name, identification number (IČO), tax identification number (DIČ), information in the commercial register
· Personal email address, personal phone number, address
· Bank details, billing details
· Documents stored in the Onboardee service, details of the digital contract signature (IP address, SMS, timestamp, browser type, operating system)
· Onboardee service access details

Contractors of the Controller:
· Name, surname, business name, identification number (IČO), tax identification number (DIČ), photograph, information in the commercial register
· Personal email address, personal phone number, address
· Bank details, billing details
· Documents stored in the Onboardee service, details of the digital contract signature (IP address, SMS, timestamp, browser type, operating system)
· Onboardee service access details

Former contractors of the Controller:
· Name, surname
· Personal e-mail address
· Personal data of the former contractor that the contractual partner is obliged to record or has a legitimate interest in recording
· Documents stored in the Onboardee service, details of the digital contract signature (IP address, SMS, timestamp, browser type, operating system)
· Onboardee service access details

For the storage of Personal Data, the Processor uses the rental of virtual servers from Amazon Web Services EMEA SARL, exclusively in data centres in the EU, unless the Controller requests the Processor to use data centres outside the EU.

Annex 2

TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE PROTECTION OF PERSONAL DATA

1. Statutory obligations of the Processor

1.1 The Processor is obliged:

(a) to prevent any unauthorised persons from accessing Personal Data and the means for their processing;

(b) to prevent any unauthorised reading, creating, copying, transferring, modifying or deleting of records containing Personal Data; and

(c) to adopt measures enabling it to identify and verify to whom the Personal Data were transferred.

1.2 In the area of automatic processing of Personal Data, the Processor is also obliged:

(a) to ensure that the systems for automatic processing of Personal Data are used only by authorised persons;

(b) to ensure that the natural persons authorised to use systems for automatic processing of Personal Data have access only to the personal data corresponding to their authorisation and on the basis of specific user authorisations established exclusively for these persons;

(c) to make electronic records enabling it to identify and verify when, by whom and for what reason the Personal Data was recorded or otherwise processed; and

(d) to prevent any unauthorised access to data carriers.

2. Specific measures of the Processor to ensure the protection of Personal Data

The information stored in the Processor’s information system shall be made available to the Processor’s employees or other persons working with the Processor on the basis of a contract only if it is necessary for the performance of their work and subject to appropriate security measures.

Each employee or other worker of the Processor is identified by a username and subsequently authorised by a password before entering the Service. Access is only permitted from the Processor’s computers, which are also secured by username and password and whose disk contents are encrypted in case of loss.

Personal Data may only be transferred between the Controller and the Processor in a secure form (physical security or encryption depending on the type of transfer) and adequate measures must be adopted against their loss, misuse, or unauthorised manipulation.

Employees or other workers of the Processor are obliged to follow the internal instructions, procedures, and regulations of the Processor.

Automatic processing of Personal Data is carried out by the Processor on devices that are protected against unauthorised external interference, accidental access, or other misuse in the following manner:

(a) Personal Data is processed on servers on which a standard security architecture based on the consistent application of access rights (ACLs) is implemented.

(b) The Mongo databases on which Personal Data is stored are secured with their own access rights; all accesses to them are again monitored and security records are created of important events. The DB and DWH servers are physically and systemically dedicated to the needs of the Processor only.

(c) In case of failure and subsequent data recovery, data backups are asymmetrically encrypted already on the source servers (db/dwh); for backup purposes, no data (not only Personal Data) outside the production environment of the active DB servers is held in open (unencrypted) form.

(d) The Processor shall allow the Controller to use an enhanced level of access security for its employees (users) to the Service through two-factor authorisation. The Processor shall directly or through subcontractors provide access to the systems exclusively by two-factor authorisation. The Processor, including its subcontractors, shall comply with its own internal guidelines in addition to the relevant legislation (in particular GDPR, PCI DSS).

(e) For more information on how Amazon Web Services EMEA SARL and its products, including its virtual centres, comply with the GDPR, please visit the following websites:

https://aws.amazon.com/blogs/security/all-aws-services-gdpr-ready/
https://aws.amazon.com/premiumsupport/knowledge-center/gdpr-compliance/
https://aws.amazon.com/compliance/gdpr-center/

Annex 3

SUB-PROCESSORS

As of the date of this Agreement, third parties/sub-processors engaged in the processing of the Personal Data are as follows:

Name: Amazon Web Services EMEA SARL
Address: 38 Avenue John F. Kennedy, L-1855, Luxembourg
Description of processing: Rental of virtual servers exclusively in data centres within the EU, unless the Controller requests the Processor to use data centres outside the EU

Name: Stripe Payments Europe, Limited
Address: C/O A&L Goodbody, IFSC, North Wall Quay, Dublin 1, Dublin
Description of processing: Provision of payment services and payment gateway

Changes to the list of sub-processors can only be made in accordance with Clause 7.2 of this Agreement.

Annex 4

STANDARD CONTRACTUAL CLAUSES

(MODULE 4 - PROCESSOR TO CONTROLLER)

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.

Clause 2

Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.

Clause 3

Third-party beneficiaries

 

Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i)            Clause 1, Clause 2, Clause 3, Clause 6, Clause 7;

(ii)           Clause 8.1 (b) and Clause 8.3(b);

(iii)         [Intentionally left blank];

(iv)          [Intentionally left blank];

(v)           Clause 13;

(vi)          Clause 15.1(c), (d) and (e);

(vii)        Clause 16(e); and

(viii)       Clause 18.

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

Clause 4

Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

Clause 5

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 6

Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.

Clause 7

Docking clause

(a) An entity that is not a Party to these Clauses may, with the agreement of the Parties, accede to these Clauses at any time, either as a data exporter or as a data importer, by completing the Appendix and signing Annex I.A.

(b) Once it has completed the Appendix and signed Annex I.A, the acceding entity shall become a Party to these Clauses and have the rights and obligations of a data exporter or data importer in accordance with its designation in Annex I.A.

(c) The acceding entity shall have no rights or obligations arising under these Clauses from the period prior to becoming a Party.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8

Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.

8.1      Instructions

(a) The data exporter shall process the personal data only on documented instructions from the data importer acting as its controller.

(b) The data exporter shall immediately inform the data importer if it is unable to follow those instructions, including if such instructions infringe Regulation (EU) 2016/679 or other Union or Member State data protection law.

(c) The data importer shall refrain from any action that would prevent the data exporter from fulfilling its obligations under Regulation (EU) 2016/679, including in the context of sub-processing or as regards cooperation with competent supervisory authorities.

(d) After the end of the provision of the processing services, the data exporter shall, at the choice of the data importer, delete all personal data processed on behalf of the data importer and certify to the data importer that it has done so, or return to the data importer all personal data processed on its behalf and delete existing copies.

8.2     Security of processing

(a) The Parties shall implement appropriate technical and organisational measures to ensure the security of the data, including during transmission, and protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature of the personal data, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects, and in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.

(b) The data exporter shall assist the data importer in ensuring appropriate security of the data in accordance with paragraph (a). In case of a personal data breach concerning the personal data processed by the data exporter under these Clauses, the data exporter shall notify the data importer without undue delay after becoming aware of it and assist the data importer in addressing the breach.

(c) The data exporter shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

8.3     Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The data exporter shall make available to the data importer all information necessary to demonstrate compliance with its obligations under these Clauses and allow for and contribute to audits.

Clause 9

Use of sub-processors

[Intentionally left blank].

Clause 10

Data subject rights

The Parties shall assist each other in responding to enquiries and requests made by data subjects under the local law applicable to the data importer or, for data processing by the data exporter in the EU, under Regulation (EU) 2016/679.

Clause 11

Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

Clause 12

Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

(c) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(d) The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(e) The data importer may not invoke the conduct of a processor or sub-processor to avoid its own liability.

Clause 13

Supervision

[Intentionally left blank].

SECTION III – LOCAL LAWS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC AUTHORITIES

Clause 14

Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination – including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards;

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a).

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation. The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.

Clause 15

Obligations of the data importer in case of access by public authorities

15.1 Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.).

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.

15.2 Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request.

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.

SECTION IV – FINAL PROVISIONS

Clause 16

Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i)            the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii)           the data importer is in substantial or persistent breach of these Clauses; or

(iii)         the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) Personal data collected by the data exporter in the EU that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall immediately be deleted in its entirety, including any copy thereof. The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where: (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.

Clause 17

Governing law

These Clauses shall be governed by the law of a country allowing for third-party beneficiary rights. The Parties agree that this shall be the law of the Czech Republic.

Clause 18

Choice of forum and jurisdiction

Any dispute arising from these Clauses shall be resolved by the courts of the Czech Republic.


APPENDIX

ANNEX I

A.            LIST OF PARTIES

Data exporter: 

Name: recruitis.io s.r.o.

Address: Chmelova 357/2, 500 03 Hradec Králové, the Czech Republic

Contact person’s name, position and contact details: Štěpán Bartyzal, Executive Director, phone: +420602123898, e-mail: stepan@onboardee.io.

Data protection officer (if any) name, position and contact details: n/a

EU representative (if any) name, position and contact details: n/a

Activities relevant to the data transferred under these Clauses: Provision of software and consultancy in the field of hardware and software and data processing, databank services, network administration (namely, provision of Onboardee services)

Role (controller/processor): Processor

Data importer: 

Name: Specified in the Services Agreement

Address: Specified in the Services Agreement

Contact person’s name, position and contact details: Specified in the Services Agreement

Activities relevant to the data transferred under these Clauses: Employment of data subjects and/or another contractual relationship with data subjects

Role (controller/processor): Controller


B.       DESCRIPTION OF TRANSFER

Categories of data subjects whose personal data is transferred:

employees, potential employees, former employees, contractors, former contractors

Categories of personal data transferred:

(i)   Personal data of employees, potential and former employees:

-       name, surname, maiden name, birth number, date of birth, place of birth, sex, academic degree, ID card number, date of issue and expiry date of ID card, nationality/citizenship, photograph, marital status,

-       private email address, work email address, private phone number, home address, mailing address,

-       diploma of highest education, skills, work permit,

-       job position/role, date of commencement of employment,

-       records of working time,

-       work performance and other materials related to job performance and evaluation, career plans,

-       health information, health insurance company, emergency contact,

-       salary data, bank details,

-       link to personal profile on relevant social networks, CV in various electronic forms, response to the job offer (cover letter), relevant information about the interview process and the outcome,

-       documents stored within Onboardee service, digital signature data (IP address, SMS, timestamp, browser type, operating system),

-       access details to Onboardee service,

-       other data uploaded to Onboardee


(ii)  Personal data of contractors, potential and former contractors:

-       name, surname, business name, identification/registration number, tax identification number, data in the commercial register, photograph,

-       private email address, private phone number, address,

-       bank details, billing information,

-       documents stored within Onboardee service, digital signature data (IP address, SMS, timestamp, browser type, operating system),

-       access details to Onboardee service,

-       other data uploaded to Onboardee


Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

n/a

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

continuous basis

Nature of the processing:

Creating and managing the database and files stored on a protected dedicated cloud storage operated by the data exporter or another person contractually authorised by the data exporter, by storing, editing, archiving and deleting personal data

Purpose(s) of the data transfer and further processing:

Provision of Onboardee services including setting up and managing access to the services account

The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period:

Period of effectiveness of the contract for provision of Onboardee services

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

n/a