Personal Data Protection and GDPR

DATA PROCESSING AGREEMENT

concluded pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), and pursuant to Act No. 18/2018 Coll. on the protection of personal data and on amendments to certain acts between the Customer as Controller and Rewora s. r. o.

CONTRACTING PARTIES


Controller:

The Controller is the Customer under the Master Agreement, i.e. a legal entity or natural person – entrepreneur that has concluded the Master Agreement with the Processor under the GTC and the Order. The Controller's identification details are set out in the Order, user account, billing details or other document forming part of the Master Agreement. The Controller's contact details for the purposes of this Agreement are the contact details stated in the Order, user account or in other notice delivered by the Controller to the Processor.

(hereinafter the "Controller")


and


Processor:

Business name: Rewora s. r. o.

Registered office: Prešovská 40A, 821 02 Bratislava - mestská časť Ružinov,

Company ID: 50 647 652

Registration: registered in the Commercial Register maintained by the Municipal Court Bratislava III, section: Sro, insert no.: 116449/B

(hereinafter the "Processor")


(The Controller and the Processor are hereinafter collectively referred to as the "Contracting Parties" and individually as a "Contracting Party")

1. DEFINITIONS


1.1. Unless otherwise stated in this Agreement, terms beginning with a capital letter shall have the following meaning for the purposes of this Agreement:

1.1.1. "Automated Decision-making" means decision-making in individual cases concerning natural persons based solely on automated processing of Personal Data, including profiling without human intervention;

1.1.2. "Data Subjects" means, for the purposes of this Agreement, natural persons whose personal data are processed, whereby the categories of data subjects, time limits for processing and purposes of processing are defined in Annex No. 1 to this Agreement;

1.1.3. "Authorized Person" means, for the purposes of this Agreement, any natural person who has access to Personal Data (where such person is not a Sub-processor);

1.1.4. "Personal Data" means any information relating to an identified or identifiable natural person; an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, online identifier, or by reference to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person, whereby the Processor shall process on behalf of the Controller exclusively the Personal Data listed in Annex No. 1 to this Agreement;

1.1.5. "Regulation" means, for the purposes of this Agreement, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation);

1.1.6. "Sub-processor" means, for the purposes of this Agreement, another processor engaged by the Processor in the processing of Personal Data on behalf of the Controller;

1.1.7. "Third Country" means, for the purposes of this Agreement, a country that is neither a Member State of the European Union nor a state party to the Agreement on the European Economic Area;

1.1.8. “Office” means, for the purposes of this Agreement, Úrad na ochranu osobných údajov Slovenskej republiky [Office for Personal Data Protection of the Slovak Republic], with its registered office at Galvaniho Business Centrum II, Galvaniho 7/B, Bratislava, Slovak Republic, Company ID No.: 36 064 220;

1.1.9. "Master Agreement" means, for the purposes of this Agreement, the contractual relationship between the Processor as the provider of the Rewora service and the Controller as the customer, which arises in the manner provided for in the GTC, in particular by confirmation of the Order, self-registration, activation of the Services or other demonstrable manner of acceptance under the GTC, including the Order, GTC, Price List, any individual agreement and all their subsequent amendments;

1.1.10. "Act on Personal Data Protection" means, for the purposes of this Agreement, Act No. 18/2018 Coll. on the protection of personal data and on amendments to certain acts, as amended;

1.1.11. "Agreement" means this data processing agreement, including all its annexes, amendments, supplements and other components, which forms an integral part of the Master Agreement.

1.2. Terms used in Section 1.1 of this Agreement in the singular shall also include the plural form and vice versa. The terms Order, GTC, Price List, Services, Platform, Dashboard, Widget, API, Review, Q&A content, Customer Content, Customer and other terms that are not expressly defined in this Agreement shall have the meaning set out in the GTC, unless the context of this Agreement provides otherwise.

1.3. Headings and designations of individual sections in this Agreement are intended for informational and orientation purposes, are not binding and have no effect on the interpretation of the provisions of this Agreement.

2. SUBJECT MATTER OF THE AGREEMENT AND PROCESSING


2.1. Subject matter of the Agreement: The subject matter of this Agreement is the establishment of conditions between the Controller and the Processor regarding the processing of Personal Data related to the Master Agreement and the provision of Rewora Services, for the purpose of ensuring adequate guarantees that the Processor, in connection with the processing of Personal Data on behalf of the Controller, shall implement technical and organisational measures so that such processing meets the requirements primarily of the Regulation and the Act on Personal Data Protection and so that the rights of Data Subjects are protected.

2.2. The Controller and the Processor fully acknowledge that, given the nature of the Services provided through the Platform, in particular when processing Reviews, Q&A content, Customer data, Dashboard user data, integration, technical and operational data, it is necessary for the Controller and the Processor to conclude this Agreement in accordance with Article 28 of the Regulation and the Act on Personal Data Protection.

2.3. The Processor undertakes that it is fully capable and authorised to conclude this Agreement, to be bound by it and, throughout the term of this Agreement, to fulfil all obligations set out therein.

2.4. The Controller and the Processor have agreed that the processing of Personal Data in connection with the Agreement and the Master Agreement shall be carried out in full compliance with the Regulation, the Act on Personal Data Protection and other applicable generally binding legal regulations.

2.5. The Controller and the Processor acknowledge that the Controller is in the position of a controller within the meaning of Article 4(7) of the Regulation and the Processor is in the position of a processor within the meaning of Article 4(8) of the Regulation. When providing the Services under this Agreement, the Processor processes Personal Data exclusively on behalf of the Controller and on the basis of its documented instructions. If the Customer, when using the Services, acts as a processor on behalf of a third party as controller, the Customer declares that it is authorised to entrust the Processor with the processing of Personal Data as a further processor and to give it instructions under this Agreement. The Customer is responsible for ensuring that such entrustment is in compliance with the legal relationship between the Customer and the relevant controller.

2.7. Novation: The Controller and the Processor have agreed that this Agreement shall replace in its entirety all prior agreements, their supplements or other arrangements of the Contracting Parties relating to the conditions of processing and protection of Personal Data in connection with the Master Agreement and the provision of the Services.

2.8. Entrustment of processing to the Processor: By this Agreement, the Controller entrusts the Processor with the processing of Personal Data that the Controller, users of the Controller, Customers or other persons upload, send, make available or otherwise provide through the Platform or in connection with the Services, under the conditions and to the extent agreed in this Agreement.

2.9. Remuneration: Processing of Personal Data under this Agreement by the Processor is performed without separate remuneration; remuneration for the processing of Personal Data is included in the Remuneration for the Services under the Master Agreement, unless the Contracting Parties expressly provide otherwise in the Order or another agreement.

2.10. Categories of Personal Data: The Controller and the Processor have agreed that the subject matter of processing under this Agreement shall be Personal Data of Data Subjects that the Processor will process when providing the Services, in particular when collecting, receiving, storing, processing, moderating, managing, displaying and analytically evaluating Reviews, Q&A content, rating requests, imports, exports, integrations, Dashboard, Widgets, API, reporting, translation, support and related functionalities, which are listed in Annex No. 1 to this Agreement.

2.11. Purpose/subject matter of processing: The Processor is authorised to process Personal Data on behalf of the Controller exclusively for the purpose(s) set out in Annex No. 1 to this Agreement, for purposes arising from the Master Agreement, GTC, Order, Platform settings or other documented instructions of the Controller.

2.12. Instructions of the Controller: The Processor fully acknowledges that without prior express instruction or decision of the Controller, the Processor is not authorised to determine the purposes or means of processing Personal Data and, at the same time, the Processor is not authorised to process Personal Data beyond the scope defined by this Agreement.

2.13. The Processor undertakes to process Personal Data only on the basis of documented instructions of the Controller, including instructions set out in this Agreement, the Master Agreement, GTC, Order, Platform settings, Dashboard or in other electronic communication of the Contracting Parties, whereby the Processor is authorised to process, provide and make available Personal Data exclusively in accordance with this Agreement. The Processor is obliged to document and maintain records of the Controller's instructions to the extent required by the Regulation. If the Processor has reasonable grounds to believe that any instruction of the Controller has or would have the effect of violating the Regulation, the Act on Personal Data Protection or other applicable generally binding legal regulations, the Processor is obliged to notify the Controller of this fact without undue delay at the contact details pursuant to Article 13 of this Agreement.

2.14. Upon instruction of the Controller, the Processor is obliged to rectify, supplement, erase (destroy) or restrict the processing of Personal Data without undue delay and, at the same time, the Processor is obliged to properly document such processing operation. Restriction of processing within the meaning of the preceding sentence means marking stored personal data with the aim of limiting their processing in the future within the scope of Article 18 of the Regulation.

2.15. Processing operations: When performing the Agreement, the Processor is authorised to carry out with Personal Data exclusively such processing operations as are genuinely necessary for the performance of the Processor's obligations under the Master Agreement and this Agreement, in particular the operations listed in Annex No. 1 to this Agreement. The Processor is not authorised to disclose or make Personal Data available to third parties beyond the scope of the Master Agreement, GTC, this Agreement, Platform settings or a statutory obligation, unless the Controller and the Processor agree otherwise in the Agreement, Master Agreement or GTC. For the avoidance of any doubt, the Contracting Parties have agreed that the Processor is also authorised to carry out processing operations arising from the Master Agreement, in particular to anonymise personal data and provide such anonymised data to third parties.

2.16. The Processor is obliged to provide the Controller with adequate cooperation for the proper assessment of the impact of processing operations on the protection of Personal Data, in particular when assessing the impact on the protection of Personal Data, when taking measures to address risks, security measures and mechanisms to ensure the protection of Personal Data, always taking into account the nature of the processing and information available to the Processor.

2.17. Good reputation of the Controller: The Processor processes Personal Data and fulfils obligations agreed in this Agreement in such a manner as not to damage the good reputation of the Controller.

2.18. Good reputation of the Processor: The Controller undertakes to entrust the Processor with such processing operations and to proceed in the processing of personal data in such a manner as not to damage the good reputation of the Processor.

2.19. Rights to Personal Data: The Processor fully acknowledges and agrees that by this Agreement it does not acquire any rights or licences to Personal Data, except for the right to process Personal Data on behalf of the Controller under the conditions set out in this Agreement. This shall not affect the Processor's right to store, process and use properly anonymised and aggregated data pursuant to Section 10.3 of this Agreement and pursuant to the GTC, if such data no longer constitute Personal Data, nor the Processor's right to provide such data to a third party (for remuneration or free of charge).

2.20. Records of processing activities: The Processor is obliged to maintain accurate, clear and complete records of processing activities pursuant to Article 30(2) of the Regulation.

2.21. Cooperation of the Processor with the Office: The Processor is obliged to cooperate with the Office within the scope of supervision pursuant to Article 31 of the Regulation.

2.22. Automated decision-making and profiling: The Processor is not authorised to carry out Automated Decision-making or profiling in connection with Personal Data, unless this is expressly provided for in the Master Agreement, Order, Platform settings or unless the Controller gives the Processor other documented instructions. Routine technical sorting, tagging, moderation, analytics, translation or reporting within the Platform shall not be considered Automated Decision-making if it does not produce legal effects or similarly significant effects vis-à-vis the Data Subject.

2.23. Remote access: If, in connection with the processing of Personal Data under this Agreement, the Processor has remote access to the Controller's information systems or the Controller provides the Processor with access credentials, the Controller is entitled to restrict or revoke such remote access if this does not prevent the proper provision of the ordered Services or unless the Contracting Parties agree otherwise.

3. AUTHORIZED PERSONS


3.1. Processing by Authorized Persons: The Processor is obliged to ensure that each Authorized Person (in particular employees of the Processor and persons entrusted by the Processor) processes such Personal Data exclusively on the basis of documented instructions of the Controller, in compliance with the principles of integrity and confidentiality pursuant to Article 5(1)(f) of the Regulation, unless the law of the European Union or the law of a state party to the Agreement on the European Economic Area provides otherwise.

3.2. Briefing of Authorized Persons and confidentiality: The Processor is obliged to ensure that Authorized Persons are fully familiar with the provisions of the Regulation, applicable provisions of the Act on Personal Data Protection and other applicable generally binding legal regulations governing the protection and processing of Personal Data and that they undertake towards the Processor to maintain confidentiality regarding information they learn in connection with the performance of the subject matter of the Master Agreement and this Agreement, including after termination of employment, civil service, service relationship and other contractual relationship established between the Processor and the Authorized Person. The Processor and Authorized Persons are obliged to maintain confidentiality regarding all Personal Data of Data Subjects that were provided, made available or with which they come into contact in connection with the performance of the Master Agreement and this Agreement. The Controller is fully entitled to request from the Processor documents proving fulfilment of the Processor's obligation under this section of this Agreement.

3.3. Authorized Persons and third parties: The Processor is obliged to ensure that Authorized Persons do not disclose, provide or make Personal Data available to third parties, unless this expressly follows from the provisions of this Agreement, the Master Agreement, instructions of the Controller or if such disclosure, provision or making available is necessary under a generally binding legal regulation for the performance of tasks of a court, law enforcement authorities or other state authorities.

3.4. Other persons with access: The Processor's obligation to ensure confidentiality by Authorized Persons under this Article of this Agreement shall equally apply to natural persons who come into contact with Personal Data at the Processor (for example, persons who manage and secure IT technologies at the Processor).

3.5. Obligation to maintain confidentiality after termination of the Agreement: The Processor's obligations set out in this Article of this Agreement shall continue after termination/end of this Agreement.

4. PROTECTION AND SECURITY OF PERSONAL DATA


4.1. Security of protection of Personal Data: The Processor is obliged, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as risks of varying likelihood and severity for the rights and freedoms of natural persons, to ensure the protection of Personal Data pursuant to Article 32 of the Regulation and Article 28(3)(c) of the Regulation in conjunction with Article 5 of the Regulation.

4.2. When assessing the appropriate level of security under Section 4.1 of this Agreement, the Processor is obliged to take into account primarily the risks presented by processing, in particular as a result of accidental or unlawful destruction, loss, alteration, unauthorised disclosure of Personal Data that are transmitted, stored or otherwise processed, or unauthorised access to Personal Data. The Processor is at the same time obliged to ensure permanent confidentiality, integrity, availability and resilience of systems within which Personal Data are processed.

4.3. Appropriate technical and organisational measures of the Processor: The appropriate technical and organisational measures that the Processor is obliged to implement for the purpose of ensuring the protection of Personal Data under this Article of this Agreement are in particular the following measures:

4.3.1. Personal Data must be:

4.3.1.1. processed lawfully, fairly and transparently in relation to Data Subjects;

4.3.1.2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;

4.3.1.3. processed adequately, relevantly and limited to what is necessary in view of the purposes for which they are processed;

4.3.1.4. processed accurately and, where necessary, kept up to date; all reasonable steps must be taken to ensure that Personal Data that are inaccurate with regard to the purposes for which they are processed are erased or rectified without undue delay;

4.3.2. pseudonymisation;

4.3.3. encryption;

4.3.4. physical as well as electronic prevention of access to Personal Data by unauthorised persons;

4.3.5. hardware and software security for the protection of Personal Data (in particular protection against malware, firewall, ongoing software updates, backup and the like);

4.3.6. restriction of access to Personal Data primarily to persons who need necessary access for the purpose of performing the Master Agreement and this Agreement;

4.3.7. security incident management;

4.3.8. separation of Personal Data from personal data processed for other purposes;

4.3.9. ongoing training of Authorized Persons in the field of personal data protection;

4.3.10. ability to timely restore availability of Personal Data and access to them in the event of a physical or technical incident;

4.3.11. protection of Personal Data within the meaning of the "privacy by default" and "privacy by design" principles.

4.4. The Processor is authorised to implement further appropriate technical and organisational measures for the purpose of ensuring the protection of Personal Data beyond those listed in Section 4.3 of this Agreement. A specific description of the minimum security measures that the Processor shall implement is set out in Annex 2 to this Agreement.

4.5. The Processor is obliged to ensure that security measures set out in this Article of this Agreement are continuously updated always in line with the current factual state of processing carried out at the Processor as well as in line with current legislation relating to the field of personal data protection. The Processor is obliged to establish a process of regular testing, assessing and evaluating the effectiveness of technical and organisational measures to ensure the security of processing of Personal Data.

4.6. Provision and making available to a third party: The Processor is not authorised to provide or make Personal Data available to a third party without prior instruction or consent of the Controller, except in cases where such obligation arises from a generally binding legal regulation. If provision or making available of Personal Data is required by a third party on the basis of a generally binding legal regulation, the Processor is obliged to inform the Controller thereof prior to such provision or making available, unless such notification is prohibited by the relevant legal regulation. This shall not affect the Processor's right to store, process and use properly anonymised and aggregated data pursuant to Section 10.3 of this Agreement and pursuant to the GTC, if such data no longer constitute Personal Data, nor the Processor's right to provide such data to a third party (for remuneration or free of charge). The Processor is obliged to maintain proper records of each provision of Personal Data to a third party.

4.7. Participation of the Processor in measures of the Controller: The Processor is obliged to assist the Controller in ensuring fulfilment of obligations pursuant to Articles 32 to 36 of the Regulation, taking into account the nature of processing of Personal Data and information available to the Processor.

4.8. Binding nature of security rules on the Processor: The Processor undertakes to comply with its internal security rules, technical documentation, security standards of the Platform and other internal documents relating to the processing of Personal Data and information security. If the Controller requires compliance with its own internal guidelines or special security requirements, such requirements shall be binding on the Processor only to the extent to which the Processor has expressly accepted them by a separate declaration.

5. SUB-PROCESSORS


5.1. The Processor is authorised to engage Sub-processors in the processing of Personal Data who are necessary or reasonably required for the provision of the Services, in particular providers of hosting, cloud infrastructure, email and communication services, technical support, security, analytics, integration, translation and similar services, under the conditions pursuant to this Agreement.

5.2. The Processor expressly declares and undertakes towards the Controller that at the time of conclusion of this Agreement it engages in the processing of Personal Data exclusively those Sub-processors who are listed in Annex No. 1 to this Agreement or in another list of Sub-processors made available by the Processor to the Controller, or those Sub-processors individually approved by the Controller.

5.3. By this Agreement, the Controller grants the Processor general authorisation to engage Sub-processors pursuant to Article 28(2) of the Regulation, to the extent necessary for the proper provision of the Services and operation of the Platform.

5.4. If the Processor intends to engage a new Sub-processor or replace an existing Sub-processor, it is obliged to inform the Controller of such change in an appropriate manner, in particular by publishing an updated list of Sub-processors on the Platform, on the Processor's website, in the GTC or by sending a notice to the Controller's contact details. The notice must contain at least:

5.4.1. identification of the Sub-processor to be engaged in the processing of Personal Data;

5.4.2. scope or category of services in which the Sub-processor is to be engaged in processing;

5.4.3. purpose of engagement in processing;

5.4.4. information on whether, in connection with engagement of the Sub-processor, transfer of Personal Data to a Third Country may occur;

5.4.5. appropriate information on technical and organisational measures or guarantees of the Sub-processor, if relevant given the nature of processing.

5.5. The Controller is entitled, for reasons relating to the protection of Personal Data, to object to engagement of a new Sub-processor within a reasonable period specified in the Processor's notice; if such period is not specified, within five (5) calendar days from the date of the notice. If the Controller does not raise a reasoned objection within this period, it shall be deemed to have consented to engagement of the Sub-processor. The Controller's objection must be duly reasoned by reasons relating to the protection of Personal Data.

5.6. If the Processor engages another Processor – Sub-processor in the processing of Personal Data on the basis of this Agreement, the Processor is obliged to bind such Sub-processor through a contract or other legal act to the same obligations relating to the protection of Personal Data as are set out in this Agreement, in particular by accepting adequate guarantees for the implementation of appropriate technical and organisational measures in such a manner that processing meets the requirements of the Regulation and relevant provisions of the Act on Personal Data Protection. If the Sub-processor fails to fulfil its obligations regarding the protection of Personal Data, the Processor shall remain fully liable towards the Controller for fulfilment of the Sub-processor's obligations to the extent set out in the Regulation and this Agreement.

5.7. Following Section 5.6 of this Agreement, the Processor undertakes, upon request of the Controller, to provide appropriate information demonstrating fulfilment of the Processor's obligations in relation to Sub-processors. Copies of contracts with Sub-processors shall be provided by the Processor only to the extent that is appropriate and necessary to demonstrate fulfilment of the requirements of Article 28 of the Regulation; copies may redact commercial, technical, security or pricing information that does not relate to the processing of Personal Data.

5.8. The Processor is obliged to maintain an up-to-date overview of engaged Sub-processors and enable the Controller to become familiar with changes in the list of Sub-processors in an appropriate manner. The Controller acknowledges that refusal of a Sub-processor who is objectively necessary for the provision of the Services may result in impossibility of providing the relevant Service or entitlement of the Contracting Parties to terminate the affected part of the Master Agreement.

5.9. The Processor undertakes that neither the Processor itself nor other Sub-processors shall provide or make Personal Data available to recipients in a Third Country or carry out transfer of Personal Data to a Third Country, unless the conditions pursuant to Articles 44 to 49 of the Regulation, this Agreement and relevant instructions of the Controller are fulfilled.

6. ENSURING THE RIGHTS OF DATA SUBJECTS


6.1. Measures for exercise of rights of Data Subjects: The Processor is obliged, after taking into account the nature of processing, to assist the Controller to the greatest extent possible by appropriate technical and organisational measures in fulfilling its obligation to respond to requests for exercise of rights of Data Subjects set out in Articles 15 to 22 of the Regulation.

6.2. If a Data Subject exercises any of the rights set out in Articles 15 to 22 of the Regulation, or the Act on Personal Data Protection, with the Processor in any form, the Processor is obliged to inform the Controller thereof without undue delay, at the latest within ten (10) business days, at the contact details pursuant to Article 13 of this Agreement, unless the nature of the request or available data allow identification of the relevant Controller. The Processor is not authorised to assess/evaluate the legitimacy of requests, submissions and other enquiries of Data Subjects or to take other measures except those set out in this Agreement, unless the Controller decides otherwise or gives the Processor other instructions. The condition set out in the preceding sentence shall not apply if the Data Subject faces imminent harm to their rights and/or freedoms, in which case the Processor is obliged without undue delay to take all appropriate and temporary measures to minimise the threat of imminent harm to the rights and freedoms of Data Subjects to the greatest extent possible.

6.3. Record of exercise of rights of Data Subjects: If a Data Subject exercises their right set out in the Regulation, or the Act on Personal Data Protection, in person, electronically or through the Platform, the Processor is obliged to prepare or retain an appropriate record of exercise of such right (in particular identification of the Data Subject, which right was exercised, which Personal Data such right relates to, which processing activity or Platform functionality it relates to, what is being requested) and make such record or its content available to the Controller without undue delay.

6.4. If possible according to the nature of the request (exercise of right), the Processor is obliged without undue delay to inform the Data Subject that their request (exercise of right) has been notified and forwarded to the Controller (in particular requests/exercise of rights submitted in person or electronically). The Processor is obliged to provide the Controller with all cooperation and relevant documents in connection with handling all requests, submissions and complaints of Data Subjects in connection with Personal Data.

6.5. Protection of rights of Data Subjects during processing: The Processor undertakes that processing of Personal Data under this Agreement shall be carried out in such a manner as not to interfere with the rights and legally protected interests of Data Subjects (in particular personality rights and privacy).

7. PROCEDURE IN THE EVENT OF A PERSONAL DATA BREACH


7.1. Notification of a personal data breach: The Processor fully acknowledges that the Controller is obliged under the conditions set out in Articles 33 and 34 of the Regulation to notify a personal data breach. The Processor is authorised to notify a personal data breach primarily to the Controller.

7.2. The Processor is obliged to notify the Controller of each personal data breach without undue delay, at the latest within forty-eight (48) hours after becoming aware of such breach, at the contact details pursuant to Article 13 of this Agreement, whereby the Processor is at the same time obliged to describe the relevant personal data breach to an appropriate extent, in particular to state the number of Data Subjects affected by the breach, when the Processor became aware of the breach, the nature and causes of the breach, identify the information system and/or processing activities/operations to which the breach relates, describe the likely consequences of the relevant breach and describe all measures taken to mitigate potential adverse consequences of the breach on the part of the Processor.

7.3. In the event of a personal data breach, the Processor is obliged without undue delay to take appropriate remedial measures to minimise the personal data breach to the greatest extent possible and, at the same time, the Processor is obliged to provide the Controller without undue delay with all relevant information requested by the Controller in connection with the personal data breach. The Processor is at the same time obliged to provide the Controller with all cooperation necessary to eliminate the consequences of the personal data breach.

8. TRANSFER TO THIRD COUNTRIES


8.1. The Processor is not authorised, without fulfilment of the conditions pursuant to Articles 44 to 49 of the Regulation, to transfer Personal Data to a Third Country or make Personal Data available to a recipient in a Third Country. If, within the provision of the Services or use of Sub-processors, transfer of Personal Data to a Third Country takes place, such transfer must be listed in Annex No. 1 to this Agreement or in the list of Sub-processors and must be based on an appropriate mechanism pursuant to the Regulation, in particular on an adequacy decision, standard contractual clauses or another permissible exception. As of the effective date of this Agreement, the Processor does not carry out transfer of Personal Data outside the EEA, except in cases listed in the current list of Sub-processors.

8.2. Transfer on the basis of consent, instruction or decision of the Controller: If, on the basis of specific consent, instruction or decision of the Controller, the Processor is authorised to transfer Personal Data also to a Third Country in which an adequate level of protection is not guaranteed, the Processor is obliged to comply with the conditions set out in Articles 44 to 49 of the Regulation as well as further conditions of the Regulation so that such transfer meets the requirements of this Agreement and appropriate security standards of the Processor.

9. AUDIT/CONTROL OF PERSONAL DATA PROTECTION

9.1. Information regarding protection of Personal Data: The Processor acknowledges that pursuant to Article 28(3)(h) of the Regulation it is obliged to provide the Controller with all information necessary to demonstrate fulfilment of its obligations set out in this Agreement and to enable audit as well as inspection carried out by the Controller or another auditor entrusted by the Controller, and the Processor is at the same time obliged to provide the Controller with adequate cooperation.

9.2. Provision of information and documents: The Processor is obliged, upon request of the Controller, to provide the Controller with information and documentation necessary to demonstrate that the Processor fulfils obligations set out in this Agreement, in the Regulation and in the Act on Personal Data Protection, to an appropriate extent and taking into account protection of confidential information, security of the Platform and rights of third parties. Information and documentation pursuant to the preceding sentence shall be provided by the Processor within a reasonable period, as a rule within fourteen (14) business days from delivery of the request, and in the event of a personal data breach without undue delay. The Contracting Parties acknowledge that the Processor is not obliged to provide the Controller with information and documentation necessary to demonstrate that the Processor fulfils obligations set out in this Agreement, in the Regulation and in the Act on Personal Data Protection in the case of duly unjustified repeated and/or vexatious requests.

9.3. Audit of security of protection of Personal Data: The Processor is obliged, upon request of the Controller, to enable the Controller, persons entrusted by the Controller and auditors of the Controller to carry out inspection or audit to the extent necessary to verify whether the Processor fulfils obligations set out in this Agreement, the Regulation, relevant provisions of the Act on Personal Data Protection and other applicable generally binding legal regulations relating to the protection and processing of personal data. The audit shall be carried out primarily in the form of assessment of documents, questionnaire, security confirmations, certifications or remote inspection; physical inspection of premises or systems of the Processor shall be carried out only in justified cases and after prior agreement of the Contracting Parties. Within the audit or inspection under this section of this Agreement, the Processor is obliged to provide the Controller in particular:

9.3.1. documents relating to the protection and processing of Personal Data to an appropriate extent (in particular relevant security policies, records of processing activities, description of technical and organisational measures, incident records and other documents relating to the processing of Personal Data);

9.3.2. adequate cooperation in verifying technical and organisational measures of the Processor and its Sub-processors, if necessary given the nature and scope of processing;

9.3.3. cooperation of the contact person or other person responsible at the Processor for the protection and processing of Personal Data.

The Processor is obliged to enable the Controller, persons entrusted by the Controller and auditors of the Controller to carry out an audit or inspection under this section of this Agreement within a reasonable period, as a rule within thirty (30) calendar days from delivery of the request; in the event of a personal data breach affecting the Controller, the Processor must do so without undue delay. Audit and inspection must not unreasonably interfere with the Processor's activities, security of the Platform, rights of other customers of the Processor or rights of third parties. The Controller is entitled to request an audit or inspection under this Article of this Agreement at most once per calendar year; in the event of a personal data breach caused by the Processor, the Controller may request a further audit without limitation. Costs incurred by the Controller in connection with the audit shall be borne by the Controller and ordinary costs incurred by the Processor in connection with the audit shall be borne by the Processor, unless the Contracting Parties agree otherwise. If it is demonstrated within the inspection or audit that the personal data breach was caused or brought about by the Processor, the Contracting Parties shall settle accounts pursuant to Article 12 of this Agreement and the Master Agreement.

9.4. Confidentiality during audit or inspection: The Controller is obliged to maintain confidentiality regarding all facts it learns during an audit or inspection carried out under this Article of this Agreement. Confidentiality pursuant to the preceding sentence shall not apply to information and documents that the Controller and Data Subjects will need to exercise their rights vis-à-vis the Processor, Sub-processor and other third parties.

9.5. Inspection by state authorities: The Processor is obliged without undue delay to inform the Controller of each inspection by a state authority at the Processor or Sub-processors relating to Personal Data processed on behalf of the Controller, as well as of all results and measures that were imposed or adopted in connection with such inspection, unless such notification is prohibited by the relevant legal regulation.

10. PROCESSING PERIOD


10.1. Commencement of processing of Personal Data: The Processor is authorised to process Personal Data on behalf of the Controller under this Agreement from the date this Agreement enters into effect, or from the date of commencement of provision of the Services under the Master Agreement, whichever occurs earlier.

10.2. Limitation of processing period: The Controller and the Processor have expressly agreed that the period of processing of Personal Data is limited for the duration of the Master Agreement, or for the period during which the Processor performs activities under the conditions set out in the Master Agreement, however at the longest for the duration of the purpose of processing or for the period necessary to fulfil statutory obligations, protection of rights of the Processor, resolution of security incidents, audit records and demonstration of fulfilment of obligations. This shall not affect the Processor's right to store, process and use properly anonymised and aggregated data pursuant to Section 10.3 of this Agreement and pursuant to the GTC, if such data no longer constitute Personal Data, nor the Processor's right to provide such data to a third party (for remuneration or free of charge).

10.3. Unless the Controller decides otherwise or gives the Processor other instructions, without undue delay after termination or other end of the Master Agreement or after the Processor ceases to perform activities under the Master Agreement, the Processor is obliged, at the Controller's choice, to return Personal Data to the Controller or erase (destroy) all Personal Data including their copies, unless the law of the European Union or the law of a Member State requires retention of Personal Data. The Controller hereby grants the Processor documented instruction and authorisation to create from data processed within the provision of Services and to store, process and use after termination of the Master Agreement anonymised or aggregated data derived from Customer Content and from processing within the provision of Services, in particular aggregated statistics, metrics, model outputs, reports, benchmarks, categorisations and other derived data files, free of charge, for the purposes of creating and developing a knowledge base, new Platform functionalities, improvement and development of the Services and Platform, ensuring quality, security and abuse prevention, analytics and statistical evaluations and commercial use including making available or providing such anonymised data or outputs created from them to third parties for remuneration. Only data that no longer constitute Personal Data and cannot be attributed to a specific natural person even with reasonable effort shall be considered anonymised data. The Processor is obliged to ensure that anonymisation is carried out prior to any making available or provision to third parties. If a certain output, despite being labelled as anonymised or aggregated, constitutes Personal Data, the Processor may process it only in compliance with the Regulation and on the relevant legal basis. Provisions on handling Personal Data and their erasure shall not be affected thereby.

10.4. The Processor's obligation to provide the Controller with cooperation for the purpose of ensuring continuity of processing of Personal Data pursuant to Section 10.3 of this Agreement shall be deemed fulfilled if the Processor enables the Controller to export Personal Data through the Platform or hands over Personal Data to the Controller in an appropriate structured format, if technically possible given the nature of the Service. The Processor's obligation to erase (destroy) Personal Data pursuant to Section 10.3 of this Agreement shall be deemed fulfilled if the Processor carries out erasure according to its standard technical and security procedures and, upon request of the Controller, provides appropriate confirmation.

10.5. Confirmation of erasure (destruction): The Processor is obliged, upon request of the Controller, without undue delay to confirm in writing or electronically to the Controller the erasure (destruction) of Personal Data pursuant to Section 10.3 of this Agreement, if such confirmation can be reasonably provided given the technical settings of the Platform and the nature of the Services.

11. TERM OF THE AGREEMENT AND SANCTIONS


11.1. Validity and effectiveness of the Agreement: This Agreement enters into validity and effectiveness upon conclusion/acceptance of the Agreement and conclusion of the Master Agreement, confirmation of the Order, activation of the Services, self-registration of the Controller or other demonstrable manner of acceptance under the GTC, whichever of these moments occurs first.

11.2. The Controller and the Processor have agreed that this Agreement shall remain in force for the duration of the Master Agreement. In the event of expiry, end of effectiveness of the Master Agreement or in the event of any termination of the Master Agreement, this Agreement shall automatically terminate (ex nunc), unless this Agreement terminates earlier for other reasons or unless the Contracting Parties agree otherwise; this shall not affect provisions of this Agreement which by their nature survive after end of processing, in particular the obligation of confidentiality, cooperation, return or erasure of Personal Data, authorisation to use anonymised data pursuant to Section 10.3 of this Agreement, liability provisions and dispute resolution provisions.

11.3. Cases of termination: The Processor and the Controller have agreed that, apart from cases provided for by law and cases provided for elsewhere in the Master Agreement, the Controller is entitled to terminate the affected part of the Services or withdraw from this Agreement and from the Master Agreement also in the following cases, i.e. if:

11.3.1. the Processor, despite notice from the Controller, processes Personal Data in breach of the Controller's instruction/instructions; or

11.3.2. the Processor, despite notice from the Controller, processes Personal Data for a purpose other than that set out in this Agreement or as determined by the Controller; or

11.3.3. the Processor, despite notice from the Controller, processes Personal Data beyond the scope set out in this Agreement; or

11.3.4. the Processor caused a personal data breach; or

11.3.5. the Processor permitted processing of Personal Data by a Sub-processor beyond the scope permitted in Article 5 of this Agreement; or

11.3.6. the Processor or Sub-processor did not enable the Controller to carry out an audit or inspection under the conditions set out in Article 9 of this Agreement;

11.3.7. the Processor, despite notice from the Controller, continues to breach any of its obligations set out in this Agreement; or

11.3.8. the Processor, despite notice from the Controller, continues to breach any of its obligations set out in the Regulation, the Act on Personal Data Protection or in another applicable generally binding legal regulation relating to personal data protection.

11.4. Right of the Processor to terminate: The Processor is entitled to terminate this Agreement and the relevant part of the Master Agreement if the Controller, despite written notice from the Processor, materially breaches obligations under this Agreement or the Regulation, with an appropriate notice period of not less than thirty (30) days.

11.5. Contractual penalties: The Contracting Parties have agreed that breach of obligations under this Agreement does not give rise to a claim for a contractual penalty, unless a contractual penalty is expressly agreed in the Order, Master Agreement or another special written agreement of the Contracting Parties. This shall not affect a claim for compensation for damage or other claims pursuant to the Regulation, the Act on Personal Data Protection, the Master Agreement or generally binding legal regulations.

11.6. Claims after termination of the Agreement: Termination of this Agreement or other end of this Agreement shall not affect the Contracting Parties' claim for compensation for damage or other claims if such claim arose prior to termination/end of the Agreement, nor shall it affect the Processor's obligations to maintain confidentiality regarding Personal Data and obligations pursuant to Article 10 of this Agreement.

12. LIABILITY AND COMPENSATION FOR DAMAGE


12.1. The Processor is responsible for ensuring that processing of Personal Data shall, to the extent carried out by the Processor, comply with the requirements set out in this Agreement, in the Regulation and in the Act on Personal Data Protection.

12.2. The Controller is responsible for ensuring that Personal Data were obtained in compliance with applicable legal regulations, that it has a proper legal basis for processing such Personal Data and that it has provided Data Subjects with all information within the meaning of the Regulation.

12.3. If the Processor breaches an applicable legal regulation or provisions of this Agreement and thereby causes damage to the Controller, it is obliged to compensate the Controller for direct damage to the extent set out in the Regulation, the Act on Personal Data Protection, the Master Agreement and generally binding legal regulations, whereby the Processor's total liability for damage under this Agreement is limited to the aggregate amount of Remuneration paid by the Controller to the Processor for twelve (12) months preceding the event giving rise to liability for damage; this limitation shall not apply in the case of intentional conduct or gross negligence of the Processor or in cases where its exclusion is required by the relevant legal regulation. If the Controller pays a Data Subject, supervisory authority or other entitled entity monetary performance due to proven breach of obligations of the Processor, the Processor is obliged to compensate the Controller for damage thus incurred and reasonably incurred costs to the extent they were caused by breach of obligations of the Processor.

12.4. If the Controller breaches an applicable legal regulation or provisions of this Agreement and thereby causes damage to the Processor, it is obliged to compensate the Processor for direct damage to the extent set out in the Regulation, the Act on Personal Data Protection, the Master Agreement and generally binding legal regulations. If the Processor pays a Data Subject, supervisory authority or other entitled entity monetary performance due to proven breach of obligations of the Controller, the Controller is obliged to compensate the Processor for damage thus incurred and reasonably incurred costs to the extent they were caused by breach of obligations of the Controller.

12.5. Exclusion of indirect damage: The Processor shall not be liable for indirect damage, lost profit, loss of revenue, loss of data, loss of goodwill or any other indirect, consequential or special damage, even if the Processor was previously informed of the possibility of such damage arising. This exclusion shall not apply in the case of intentional conduct or gross negligence of the Processor or in cases where its exclusion is prohibited by the relevant legal regulation.

12.6. Force majeure: The Processor shall not be liable for non-performance or delayed performance of obligations under this Agreement if caused by circumstances excluding liability pursuant to Section 374 of the Commercial Code or another applicable legal regulation (force majeure), i.e. an event that occurred independently of the will of the Processor, the occurrence of which the Processor could not prevent even with professional care that may fairly be required of it, and which includes in particular natural disasters, armed conflicts, pandemics, large-scale cyberattacks by third parties or infrastructure outages beyond the control of the Processor. The Processor is obliged to inform the Controller of the occurrence of such event without undue delay and to make reasonable efforts to minimise impacts.

12.7. The Processor is obliged to provide the Controller with adequate cooperation in any proceedings before a court, the Office or another public authority body commenced against the Controller in connection with processing of Personal Data under this Agreement, to the extent such proceedings relate to fulfilment of obligations of the Processor under this Agreement.

12.8. The Processor is obliged within forty-eight (48) hours to notify the Controller that it has received a summons or court or administrative order of a public authority body requesting access to Personal Data processed on behalf of the Controller, or their submission, unless such notification is prohibited by a generally binding legal regulation or decision of the competent authority.

12.9. The Processor shall not be liable for the lawfulness, accuracy, adequacy, completeness, scope or content of Personal Data, Customer Content, Reviews, Q&A content or other data uploaded, imported, made available or published by the Controller, its users, Customers or third parties, unless the breach arose as a result of breach of obligations of the Processor under this Agreement or the Regulation.

13. CONTACT DETAILS FOR THE PURPOSES OF PERSONAL DATA PROTECTION


13.1. Contact details regarding protection of Personal Data: The Controller and the Processor have agreed that the following contact details shall apply to all communication relating to the protection of Personal Data under this Agreement:

13.1.1. Controller:

13.1.1.1. contact person, telephone contact and email stated in the Order or user account, or other contact details notified to the Processor.

13.1.2. Processor:

13.1.2.1. contact person, telephone contact and email stated on the Platform, on the Processor's pages or other contact details notified to the Controller.

13.2. Change of contact details: A Contracting Party is obliged without undue delay to notify the other Contracting Party of each change of contact details stated in Section 13.1 of this Agreement. Change of contact details of the Processor may also be made by updating this Agreement, GTC, Platform or the Processor's website.

14. SERVICE OF DOCUMENTS


14.1. Conditions of service: Service of any documents under this Agreement or in connection with this Agreement between the Contracting Parties shall, unless this Agreement provides otherwise in another section, mean service of a document electronically to the contact details stated in Article 13 of this Agreement, through the Platform or Dashboard, service at the registered office address of the Contracting Party, if known, service through the user account or another manner of service pursuant to the GTC or Master Agreement. A message shall be deemed served on the 3rd day after its dispatch to the addressee; this shall not apply if the Contracting Party proves that the document was not served on it. Special periods pursuant to Articles 5, 7, 9 and 15 of this Agreement shall be governed by special provisions of those Articles; this shall not affect the general regulation of service under this Article.

14.2. Language of communication: All documents, notices and correspondence that the Contracting Parties are to make under this Agreement shall be in the Slovak language.

15. FINAL PROVISIONS


15.1. Contractual prevention: The Contracting Parties undertake to refrain from any conduct that would result in frustration of the possibility of performing their obligations under this Agreement. If in the future, for any reason, frustration of the possibility of performing their obligations were to occur, the Contracting Parties shall notify each other of this fact with sufficient advance notice.

15.2. Conflict of the Agreement with the Master Agreement: In the event of conflicts between provisions of this Agreement and provisions of the Master Agreement, provisions of this Agreement shall prevail in matters of processing and protection of Personal Data. In other matters, provisions of the Master Agreement, Order or GTC shall prevail in the order of precedence pursuant to the GTC.

15.3. Amendments to the Agreement: This Agreement may be amended or supplemented in the manner provided for in the GTC or Master Agreement, in particular by publishing an updated text of this Agreement on the Processor's website, on the Platform or by delivering notice to the Controller. Amendments that materially affect processing of Personal Data, in particular from the perspective of security of Personal Data, shall enter into effect vis-à-vis the Controller at the earliest upon expiry of a reasonable period after notice, unless a legal regulation or urgent security need requires earlier effectiveness, whereby a reasonable period means a period of 7 days after notice of amendments to the Controller. The Controller has, in the case of amendments that materially affect processing of Personal Data, in particular from the perspective of security of Personal Data, the right to object to the new text of the Agreement or specific amendments within the above-mentioned period, by way of duly reasoned objections. In the event of timely objection by the Controller against such amendments, such amendments shall not be effective vis-à-vis the Controller and either Contracting Party is entitled to withdraw from this Agreement if the Contracting Parties do not agree otherwise. Annex No. 1 and Annex No. 2 to this Agreement may also be updated unilaterally by the Processor if the update corresponds to the actual scope of the Services, technical and organisational measures or the list of Sub-processors.

15.4. Legal succession: Rights and obligations set out in this Agreement shall pass also to legal successors of the Controller and the Processor.

15.5. Severability clause: Each provision of this Agreement shall be interpreted in such a manner as to be effective and valid under the applicable legal order of the Slovak Republic. If any provisions of this Agreement were to be invalid already at the time of its conclusion, or if they become invalid later after conclusion of this Agreement, the validity of the remaining provisions of this Agreement shall not be affected. Invalid provisions of this Agreement shall be replaced by provisions of the Regulation, relevant provisions of the Act on Personal Data Protection and other valid legal regulations of the Slovak Republic that are closest in content and purpose to the content and purpose pursued by this Agreement.

15.6. Jurisdiction of courts: The Contracting Parties have agreed that courts of the Slovak Republic shall have exclusive jurisdiction to resolve any disputes arising between the Contracting Parties in connection with this Agreement.

15.7. Electronic acceptance: This Agreement shall not be drawn up in paper counterparts and does not require signature of the Contracting Parties. The Controller accepts this Agreement in the manner pursuant to the GTC and Master Agreement, in particular by confirmation of the Order, self-registration, activation of the Services, use of the Platform or other demonstrable manner of acceptance.

15.8. Final declaration: By accepting this Agreement, the Controller confirms that it has duly familiarised itself with its provisions, that they are clear and understandable to it and that it expresses its free and serious will to entrust the Processor with the processing of Personal Data under the conditions set out in this Agreement. 15.9. This English version is provided solely as a translation of the Slovak version of the document Personal Data Processing Agreement. The Slovak version is the original, binding and authoritative version. In the event of any discrepancy, inconsistency, ambiguity or interpretation issue arising from or in connection with this English translation, the Slovak version shall be the sole decisive and legally binding version.

ANNEX NO. 1 TO THE DATA PROCESSING AGREEMENT

(particulars of processing of Personal Data)


Purpose of processing:

  • Provision of Rewora Services under the Master Agreement, GTC and Order, in particular collection, receiving, storing, processing, moderation, management, display and analytical evaluation of product Reviews, store reviews, Google Shopping reviews, Q&A content, product advisory, discussion forum, rating requests, Dashboard, Widgets, API, integrations, data imports and exports, reporting, analytical, translation, support and consulting services, Hotspots and other ordered functionalities of the Platform.


Categories of data subjects:

  • Customers of the Controller, persons asking questions or leaving Reviews, persons mentioned in Reviews, Q&A content, answers, discussion posts or other Customer Content, Dashboard users and user account users of the Controller, contact persons of the Controller, employees and collaborators of the Controller, or other natural persons whose Personal Data the Controller makes available to the Processor when using the Services.


Categories of Personal Data:

  • Ordinary personal data to the extent necessary for the provision of the Services, in particular name, surname, email address, telephone number, order identifier, date and time of order, data on purchased product or service, product identifiers, content of Review, rating, question, answer, discussion post, response of the Controller, username or other identifier, IP address, technical identifiers, logs, data on use of the Platform, data on opt-out or objection to sending requests, communication and operational data and other data uploaded or made available by the Controller, its users or Customers within the Services.


Form of processing:

  • Automated and non-automated, electronic and technical, through the Platform, Dashboard, Widgets, API, integration solutions, databases, cloud and infrastructure services, support tools and Authorized Persons of the Processor.


Further Processors (Sub-processors)

AC PM, LLC (ActiveCampaign)

Registered office: 1 N Dearborn St, Suite 500, Chicago, IL 60602, USA


Hetzner Online GmbH

Registered office: Industriestr. 25, 91710 Gunzenhausen, Germany

Company ID: HRB 6089, Amtsgericht Ansbach


Shopify International Limited

Registered office: 2nd Floor Victoria Buildings, 1-2 Haddington Road, Dublin 4, D04 XN32, Ireland

Company ID: 560279


Shoptet, a.s.

Registered office: Dvořeckého 628/8, Břevnov, 169 00 Praha 6, Czech Republic

Company ID: 28935675


OpenAI Ireland Ltd

Registered office: 1st Floor, The Liffey Trust Centre, 117-126 Sheriff Street Upper, Dublin 1, D01 YC43, Ireland

Company ID: 737350


Microsoft Ireland Operations Limited

Registered office: One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland

Company ID: 256796


Atlassian Pty Ltd

Registered office: Level 6, 341 George Street, Sydney NSW 2000, Australia

Company ID: ACN 102 443 916


SolarWinds Worldwide, LLC

Registered office: 7171 Southwest Parkway, Building 400, Austin, TX 78735, USA

Company ID: Delaware file no. 4069736


Google Ireland Limited

Registered office: Gordon House, Barrow Street, Dublin 4, D04 E5W5, Ireland

Company ID: 368047


SmartBase s. r. o.

Registered office: Zimná 14181/2, 974 05 Banská Bystrica, Slovak Republic

Company ID: 47348071


NEOSHIP s.r.o.

Registered office: Miletičova 23, 821 09 Bratislava - Ružinov, Slovak Republic

Company ID: 50286820


RAYNET s.r.o.

Registered office: Hlavní třída 6078/13, Poruba, 708 00 Ostrava, Czech Republic

Company ID: 26843820


Other instructions of the Controller for the Processor:

  • The Processor is authorised to process Personal Data only for the purposes of providing the Services under the Master Agreement, GTC, Order, Platform settings and this Agreement.
  • The Controller is obliged to ensure that it transfers to the Processor only Personal Data that are necessary and lawful for the given purpose.
  • The Processor is authorised to publish or display Reviews, Q&A content and other outputs only according to Platform settings, GTC, Order or instructions of the Controller.


Processing period

  • For the duration of the Master Agreement, at the longest for the duration of the purpose of processing and subsequently for the period necessary to fulfil statutory obligations, handling of complaints, audit and security records, protection of rights of the Processor and fulfilment of obligations under this Agreement.
  • The Processor is authorised to use properly anonymised and aggregated data pursuant to Section 10.3 of this Agreement also after the end of the processing period stated in this section, the Agreement and the Master Agreement


Processing of special category PD

  • Special categories of personal data pursuant to Article 9 of the Regulation shall not be processed within the Services.
  • The Controller must not upload to the Platform special category Personal Data or data relating to criminal convictions and offences, unless the Contracting Parties expressly agree otherwise in writing and the conditions pursuant to the Regulation and the Act on Personal Data Protection are fulfilled.
  • The Controller is obliged to ensure that Data Subjects are informed that they must not upload special categories of Personal Data to Q&A, Reviews or on other platforms.


Form of processing of personal data

  • to collect, receive, record, store, organise, structure, search, browse, use, combine, analyse, moderate, sort, tag, translate, display, publish, make available according to Platform settings, import, export, transfer, back up, archive, restrict, rectify, erase, anonymise, aggregate and otherwise process to the extent necessary for the provision of the Services.

ANNEX NO. 2 TO THE DATA PROCESSING AGREEMENT

(Technical and organisational measures including technical and organisational measures to ensure data security)


Measures to ensure permanent confidentiality, integrity, availability and resilience of processing systems and services:

  • Regular updating of security systems and software. Use of reasonably available and resilient infrastructure. Access to systems is managed on the basis of the principle of least privilege (Least Privilege).


Measures aimed at pseudonymisation and encryption of personal data

  • Encryption of data in transit using secure communication protocols.
  • Appropriate pseudonymisation or data minimisation, if possible given the purpose and functionality of the Services.
  • Local media or devices on which Personal Data are temporarily located must be appropriately encrypted or protected by a comparable security measure.


Measures for timely restoration of availability of personal data and access to them in the event of a security incident

  • Regular backup of data to an appropriate extent. Use of infrastructure or cloud services with appropriate availability.


Measures for protection of data during storage

  • Encryption of backed-up data
  • Multi-factor authentication for access to data.
  • Access to data resources is granted only to authorised and instructed persons.


Measures for protection of data during their transfer

  • Use of encrypted communication protocols.
  • Protection against Man-in-the-Middle attacks by implementing mechanisms such as HSTS (HTTP Strict Transport Security).


Measures for identification of users, logging and granting of user permissions

  • Access to systems is managed on the basis of the principle of least privilege (Least Privilege).
  • Regular audit of user accounts and their permissions.


Processes of regular testing, assessing and evaluating the effectiveness of technical and organisational measures for the purpose of ensuring security of processing

  • Regular vulnerability scanning and regular review of security policies


Measures to ensure physical security (physical security of premises where personal data are processed)

  • Personal Data are processed primarily in electronic systems and cloud infrastructure.
  • Physical access to workplaces, devices and documentation of the Processor is appropriately restricted.


Measures to ensure recording of security incidents and other events

  • Established process for recording, assessment and resolution of security incidents and personal data breaches including escalation and notification of the Controller pursuant to this Agreement.


Measures to ensure system configuration including default configuration

  • Default configurations pursuant to the "Security by Design" principle.
  • Automated policies for verification of configuration changes and their approval


Description of specific technical and organisational measures that the Processor shall implement in order to be able to provide assistance to the Controller.

  • The Processor has established a procedure for providing cooperation to the Controller in handling rights of Data Subjects, incidents, audits and requests of public authority bodies.
  • The Processor has designated a contact person for communication with the Controller in the field of personal data protection. [add contact person/process]


Measures to enable data portability and ensure their erasure

  • Provision of data in a structured and machine-readable format (e.g. JSON or CSV).
  • Implementation of processes for secure erasure of data including overwriting of data on storage media and possible physical destruction of media


Measures to ensure limited retention of data

  • Data are stored only for the period determined by the Controller, Master Agreement, this Agreement or legal regulations.
  • The Processor stores Personal Data only to the extent necessary for the provision of the Services, fulfilment of statutory obligations, security purposes, audit records and protection of rights.


Measures to ensure minimisation of personal data

  • Collection and processing of only data necessary for the given purpose (data minimization).
  • The Controller is obliged not to transfer to the Processor data beyond what is necessary for the provision of the Services.


Measures for internal management of information systems and their security

  • Ensuring appropriate briefing or training of persons who have access to Personal Data.
  • Definition of rules for access management, updates, incidents, backup and changes in systems.


Measures to ensure accountability in the processing of personal data

  • The Processor maintains or can, upon request, reasonably demonstrate records of instructions of the Controller, scope of Authorized Persons, assigned accesses, incidents and carried out return or erasure of Personal Data to the extent required by the Regulation.


Measures for certification/security of processes and products

  • not applicable
Don't miss any news

Sign up for the newsletter and receive notifications about similar articles directly to your email inbox.

By subscribing to our mailing list, you agree to the processing of your data personal data only for this purpose.