Data Processing Agreement

I. Contracting Parties

This Data Processing Agreement (hereinafter referred to as “Agreement”) is concluded in accordance with Section 6 of Act No. 101/2000 Coll., on data protection and on amendments to certain acts, and in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), between:

ZONER software, a.s., company ID: 494 37 381, registered address in Brno, Nove sady 583/18, postcode 602 00, which is registered in the Commercial Register at the Regional Court in Brno, Section B, Insert No. 5824, the contact e-mail address:, as the processor on one side (hereinafter referred to as the "Processor")


and the customer, who is the controller of the personal data, on the other side (hereinafter referred to as the "Data Controller").

II. Introductory Provisions

1. The Data Controller declares that he or she
  a) used and/or is interested in using ZONER software, a.s. cloud and/or hosting services, which enable the Data Controller to directly or indirectly save his customer data onto a ZONER software, a.s. device (hereinafter referred to as “Services”);
  b) also intends to store personal data of natural persons – his customers or other persons – related to his business activities onto a ZONER software, a.s. device;
  c) has informed the Processor of the specification of the personal data which will be stored onto a ZONER software, a.s. device.

2. Personal data means any information about an identified or identifiable natural person (hereinafter referred to as the "data subject"). An identifiable natural person means an individual who can be identified directly or indirectly, in particular by reference to a particular identifier such as name, identification data, location data or network identifier, or to one or more factors specific to the physical, physiological, genetic, psychological, economic, cultural or social identity of this individual.

3. The purpose of this Agreement is to regulate the reciprocal rights and obligations of the contracting parties related to personal data processing, which will be done for the Data Controller in connection with the provision of Services, on the basis of which, customers' personal data will be saved onto the Data Controller's device.

4. The Data Controller notes that
  a) the use of the software by third parties represents a risk for data processing which the Data Controller is unable to prevent fully;
  b) the choice of software used by the server administrator determines the way data are processed and the technical and organisational measures for personal data protection;
  c) if the software is used by a third party, the Processor is not a complete processor of personal data, as is the case with the exclusive use of his software.

5. In the case of a hosting service that manages the web site of the Data Controller, the Data Controller's data is stored on the device - the Processor's server. If these data contain the Data Controller's or other person's customers' personal data, processing the personal data is the responsibility of the Data Controller. Data storage is secured by encryption, and access to this stored data is physically and technically restricted so that it cannot be misused.

6. In the case of the cloud service through which ZONER software, a.s. rents and makes the virtual server accessible to the Data Controller, the Data Controller's data are stored on the device - the server of the Processor. If these data contain the Data Controller's or other person's customers' personal data, processing the personal data is the responsibility of the Data Controller. Data storage is secured by encryption, and access to the data is physically and technically restricted so that it cannot be misused.

III. Subject Matter of the Agreement

The subject matter of this Agreement is the regulation of the rights and obligations of the parties related to the protection of personal data and other matters governed by this Agreement.

The payment for processing personal data under this Agreement is already included in the payment for the provision of services.

IV. Processing of Personal Data

1. Based on this Agreement, the Data Controller authorises the Processor to process the personal data which the Data Controller controls.

2. The Processor undertakes to process the personal data of subjects, namely customers and other persons whose data the Data Controller is authorised to control.

3. The Processor is authorized to process personal data in a manner other than that agreed in this Agreement only on the basis of documented instructions from the Data Controller. The Processor is required to inform the Data Controller without delay if, in his opinion, a Data Controller's instruction is contrary to the data protection legislation.

4. The Processor processes personal data of subjects in order to fulfil the contractual relationship with the Data Controller, specifically for the purpose of providing the services ordered on the basis of a separate Agreement governing the rights and obligations related to the provided service.

5. The Processor expressly declares that any processing of personal data under this Agreement will be solely for the purpose of providing a service to the Data Processor, not for his or her own use or the need of third parties.

6. The Processor is obliged to process personal data in electronic form, using his information technology.

7. The Processor is obliged to process personal data, which are in particular:
  a) personal identification data (e.g. name, surname, date of birth or birth number if processed);
  b) address-related personal information (such as address of permanent residence, address of the point of delivery, telephone, e-mail address);
  c) photographs;
  d) other (e.g. bank details),

and the specification of the personal data categories in a particular case shall be communicated to the Processor by the Data Controller in a document called the ZONER Software Privacy Policy, a.s. [1].

V. Conditions of Personal Data Processing

1. The Processor is not entitled to involve any other processor to process personal data under this Agreement without the prior specific written or prior general written permission of the Data Controller. In the case of general written permission, the Processor is required to inform the Data Controller of any intended changes to the acceptance or replacement of the processors and is obliged to give the Data Controller the opportunity to object to these changes. If the Data Controller objects, the Processor is obliged to respect these objections.

2. When the Processor engages another processor to carry out certain processing activities on behalf of the Data Controller, he shall be bound by an agreement to the same data-protection obligations as those set out in this Agreement, in particular, to provide sufficient guarantees as to the introduction of appropriate technical and organizational measures so that the processing complies with the requirements of the legislation. If the other processor fails to fulfil his data protection obligations, the original Processor shall be responsible for the other processor's obligations.

3. To fulfil the conditions of this Agreement and taking into account the state of the technology, the costs of execution, the nature, the scope, the context and the purpose of the processing, as well as the various and potentially different risks to the rights and freedoms of natural persons, the Processor together with the Data Controller is obliged to take suitable technical and organisational measures to ensure a level of security appropriate to the risk involved and, within the framework of these requirements, undertakes to adopt and continuously improve measures to
  a) ensure the continued confidentiality, integrity, availability and resilience of processing systems and services;
  b) ensure the ability to restore access to personal data in a timely manner in the event of physical or technical incidents;
  c) ensure the process of regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures in place to ensure processing security.

4. When assessing the suitable security level, the Processor is in particular obliged to take into account the risks the processing represents, especially random or illegal destruction, loss, changes, enabling unauthorised access to the handed over, saved or otherwise processed personal data, or accessing them without authorisation.

5. The Processor and the Data Controller cooperate to take measures to ensure that any natural person authorised by the Data Controller or Processor and who has access to personal data processes these personal data only on the Data Controller's request, unless they are requested to do so by a legal regulation.

6. The Processor hereby undertakes:
  a) to process personal data exactly as he obtains them;
  b) to help the Data Controller by suitable technical and organisational measures, where possible, in order to fulfil the Data Controller's obligation to react to the request to exercise the rights of the data subject established by law;
  c) to assist the Data Controller in ensuring compliance with his obligations laid down by the legislation with regard to the security of personal data, taking into account the nature of the processing and the information available to the Processor;
  d) to treat personal data as protected data and process personal data only under the conditions and to the extent stipulated by law and this Agreement;
  e) to prevent unauthorized or accidental access to, modification, destruction or loss of personal data, unauthorized transmission, unauthorized processing or other misuse of personal data. This obligation prevails even after the personal data has been processed;
  f) to take technical and organizational measures to ensure the required protection of personal data, in particular the security of premises and rooms in which personal data processing takes place (in particular by restricting access rights, security advances, anti-virus protection, etc.), and to renew these measures on a regular basis according to technological developments;
  g) to keep, throughout the period of this Agreement's validity, a record of technical and organizational measures for the protection of personal data;
  h) to inform the staff of the Processor responsible for fulfilling this contract of the extent of the personal data processing and to train them on the obligation to maintain confidentiality of personal data and security measures, the disclosure of which would jeopardize the security of personal data, and to ensure that the confidentiality obligation of such persons persists even after the legal relations with the Data Controller end;
  i) to ensure that subjects of the data do not suffer in their personal rights during the processing of personal data;
  j) to destroy the personal data immediately as soon as the purpose for which the personal data are processed has ended or on the basis of the Data Controller's delivered instruction;
  k) not to collect personal data received for other purposes;
  l) to process personal data in accordance with legal regulations;
  m) to provide the Data Controller with all the information necessary to demonstrate compliance with the legal obligations relating to the processing of personal data by the Processor, and to allow audits, including inspections carried out by the Data Controller or other auditor contributing to these audits entrusted by the Data Controller.

7. The Data Controller hereby undertakes:
  a) to ensure the subject's personal data for processing are gained with their consent or for reasons stated by law without their consent;
  b) to ensure the Processor's safe access to personal data;
  c) to provide the Processor with the cooperation needed to fulfil this Agreement.

VI. The Time of Personal Data Processing

1. The contracting parties agree that personal data processing in accordance with this Agreement is to be done by the Processor for the duration of the Agreement on Provision of Services on the basis of which the Data Controller's customers' personal data are saved onto the Processor's device. When the provision of services ends, this Agreement ceases to exist.

2. In accordance with the Data Controller's decision, the Processor is obliged to either erase or return all personal data to the Data Controller after processing-related services are terminated and to delete existing copies, unless the law requires the storage of such personal data.

On the day of [Confirmed] parties affix their respective signatures

On behalf of the Controller:

On behalf of the Processor
(electronically signed):
ZONER software, a.s.
Nove sady 18
Czech Republic