- Introductory provision
- The purpose of this clause is to set out the rules and conditions for ensuring the protection of personal data processed by the DS (as the processor) for the Client (as administrator) in connection with the performance of the Agreement as well as any other (partial) agreement concluded between the Parties.
- This clause takes into account the legislation in force on the date of its conclusion in the Czech Republic, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on repeal of Directive 95/46/ES (General Data Protection Regulation, hereinafter the "GDPR"), which is effective from 25 May 2018.
- The Parties hereby agree that, if necessary to comply with the requirements of the legislation relating to the protection, processing or transfer of personal data, in particular the Personal Data Processing Act, the GDPR or other regulations (hereinafter the "Data Protection Regulations"), the Parties shall conclude without undue delay a written amendment to this clause taking into account such requirements after the request of either Party.
- Data Management Modes
- The Parties hereby agree that within the performance of the Agreement [respectively each (partial) agreement concluded between the Parties], the following data management systems may occur:
- The data management in systems operated by the Client including, inter alia, personal data, when the Client will enable DS to access systems operated by the Client; and to perform tasks under this Agreement, or other (partial) agreements concluded between the Parties, including the processing of personal data, shall be used by the DS only the system operated by the Client, for whose technical support the Client is responsible (hereinafter referred to as the “Data Management Mode in Client Systems”);
- The management of anonymized data outside the systems operated by the Client, where the Client transmits the anonymized data to the DS so that it does not contain personal data (hereinafter the “Anonymous Data Management Mode”);
- The data management, including personal data, outside the systems operated by the Client, when the Client transmits data to the DS, including personal data, for further processing in systems of the DS (hereinafter the “Data Management Mode in DS systems”).
- Unless otherwise agreed by the Parties, DS's contractual obligations are performed in the Data Management Mode in Client Systems (MS Azure Cloud).
- Anonymous Data Management Mode
- If, on the basis of an agreement between the Parties, the DS fulfills its contractual obligations in the Anonymous Data Management Mode, the Client undertakes to provide the DS with all data in an anonymized form so that it does not in any respect concern the processing of personal data within the meaning of the Data Protection Regulations.
- If, on the basis of an agreement of the Parties, the contractual obligations of the DS are fulfilled under the Anonymous Data Management Mode, the DS shall have no obligations under other provisions of this Article.
- If the obligations of the DS are fulfilled under this Agreement or other (partial) agreements concluded between the Parties in the Data Management Mode in Client Systems and / or in the Data Management Mode in DS systems, the Client, as the administrator, hereby entrusts the DS, as the processor, with the processing of personal data (provided by the Client) within the specified scope and for the specified purposes under this clause, and the DS, as the processor of the personal data, accepts the processing authorization under the terms set out in this clause. The DS is obliged to process personal data for the Client based on his instructions and to the extent necessary for the proper performance of its contractual obligations. The Client undertakes to hand over all instructions to the DS through e-mail communication and / or paper correspondence addressed to the contact details specified in Article V of the Agreement. The Client shall not impose an instruction to the DS that would be contrary to legal regulations. In case the DS receives an instruction from the Client regarding the processing of personal data, which is in conflict with the valid legal regulations, the DS is not bound by such instruction.
- The DS may involve another processor in the processing (resp. the Client grants the DS general consent to engage another processor within the meaning of Article 28 Paragraph 2 of the GDPR), but simultaneously undertakes to inform the Client of such involvement, who may object to the involvement of another processor. The Parties have agreed that information about the involvement of another processor (resp. of changes or replacement of other processors) shall be sent to the Client by the DS prior to the involvement of another processor by means of an e-mail message addressed to the Client's e-mail address specified in Article V hereof. The DS shall impose on its subcontractors, as a personal data processor, the same data protection obligations as set out in this clause.
- Data Subject Categories, Types of Personal Data, Nature and Purpose of Processing
- The DS processes personal data for the Client under this Agreement, resp. other (partial) agreements concluded between the Parties, in the following scope:
Purpose of processing
Scope of Personal Data (Personal Data Types)
Specific categories of personal data
Categories of data subjects
preparation of technical architecture for data analytics and subsequent personalized campaigns (analytical databases, business datamart, analytical stations with analytical tools, visualization tools)
name and surname of natural person, date of birth of natural person
address of natural person or place of business;
transaction and sales history;
information about purchased products and services;
responses to direct campaigns;
Visitors to the Client's website
- DS will process personal information as follows:
- automatically using statistical and analytical methods with the contribution of computer technology,
- manual data processing may occur occasionally.
- DS shall process personal data in electronic form.
- Processing Time
- The processing of personal data shall take place for the duration of the Agreement, resp. other (partial) agreements concluded between the Parties. The Parties undertake to fulfill the obligations relating to the protection of personal data for the entire duration of the Agreement, unless it is apparent from the provisions of the Agreement or from the provisions of legal regulations that the obligations shall continue even after the termination of the effectiveness of the Agreement.
- Rights and Obligations of the Client
- The Client undertakes to ensure that the data processed by the DS are always obtained and processed by the DS in accordance with the Data Protection Regulations. In particular, the Client undertakes to ensure that:
- all data processed by him shall be processed under the proper legal title of processing of personal data and the given legal title of processing of personal data enables the DS to process personal data under this Agreement,
- the Client shall provide the data subjects with any mandatory communications imposed on them by the Data Protection Regulations;
- the Client shall maintain proper records of personal data processing activities within the meaning of Article 30 Paragraph 2 of the GDPR;
- the Client shall comply with all legal obligations arising for him/her, as for the controller of personal data from the GDPR and other legal regulations.
- In the event that personal data are processed in the Data Management Mode in Client Systems: The Client declares that in the case of the processing of personal data in the Data Management Mode in Client Systems, the level of security corresponding to the risk for data subjects' freedom rights is fully ensured. The Client is responsible for ensuring that his systems, where data, including personal data, are processed, comply with all requirements of the Data Protection Regulations, in particular concerning assurance of continued confidentiality, integrity, availability and resilience of such systems. In the event of any threat to the Client's systems, which may affect the performance of contractual obligations of the DS, the Client shall immediately notify the DS thereof.
- The Client acknowledges and agrees that, in the case of the processing of personal data in the Data Management Mode in DS Systems, the encrypted data of the Client will be stored on the Microsoft Azure Data Cloud under the terms and conditions specified on the website of the respective provider. Another external data storage service provider may be involved under the terms of Article 4.2 of this clause. The DS undertakes to inform the Client on a specific data storage provider upon request. The Client undertakes to ensure that the legal title of the processing of personal data legally allows the storage of data with an external data storage provider and that all information obligations are met in relation to the data subjects.
- Obligations of the DS
- Regardless of the data management mode, the DS undertakes not to process the acquired personal data for its own purposes, in particular not to store, copy, print, transcribe, modify or make excerpts or copies by no means.
- The DS is obliged while processing personal data:
- to process personal data solely on the basis of documented Client's instructions and in accordance with the principles of communication under the Agreement;
- to follow the Client's instructions regarding the transfer of personal data to a third country or international organization, unless such processing is already imposed by the law of the European Union or the Member State applicable to the DS; in such a case, the DS shall inform the Client of this legal requirement before the processing commences, unless such legislation prohibits such disclosure for important reasons of public interest;
- to ensure that persons authorized to process personal data undertake confidentiality or are subject to a statutory obligation of confidentiality;
- to involve another processor in the processing only under the conditions specified in Article 4.2 of this clause;
- to take into account the nature of the processing and assist the Client through appropriate technical and organizational measures, as far as possible, to fulfill the Client's obligation to respond to requests for the exercise of data subjects' rights;
- to assist the Client in ensuring the appropriate level of processing security, in reporting personal data breaches to the supervisory authority and, eventually, to data subjects while assessing the impact on the protection of personal data and carrying out prior consultation with the supervisory authority;
- In the event that personal data are processed in the Data Management Mode in DS systems: to delete all personal data or return it to the Client upon termination of service in according to the Client's decision and to delete existing copies if EU law or Member State does not require the storage of such personal data; and
- to provide the Client, at the Client's request, with all information necessary to prove that the obligations set out in Article 28 of the GDPR have been fulfilled and to enable audits, including inspections, carried out by the Client or other auditor authorized by the Client.
- In relation to the processing of personal data, the DS records all categories of processing activities performed for the Client, which include:
- the name and contact details of the DS and the Client and any representative of the Client or DS and the data protection officer;
- the category of processing performed for the Client;
- information on the possible transfer of personal data to a third country or international organization; and
- a general description of the technical and organizational security measures. In this context, the Client undertakes to provide the DS with a description of the technical and organizational measures adopted by the Client for the purpose of processing personal data in the Data Management Mode in Client systems on the effective date of this Agreement. The Client further undertakes to inform the DS immediately of any change in these technical and organizational measures.
The DS undertakes, based on a written request from the Client, to make the records kept by the DS accessible to the Client.
- Security of Personal Data
- In the event that personal data are processed in the Data Management Mode in Client Systems, the DS undertakes to comply with technical and organizational measures adopted by the Client for the purposes of data processing in these systems, with which the Client undertakes to demonstrably acquaint the DS. These measures will always include the following:
- ensuring that only authorized persons use the Client's systems;
- providing protection of the access data to the Client's systems;
- sufficient physical and software security of devices from which authorized persons shall access the Client's system.
- In the event that personal data are processed in the Data Management Mode in DS systems, the DS undertakes to adopt and maintain, in particular, the following measures to ensure the necessary level of security, to the extent appropriate to the risk of interference with the data subject's rights and freedoms, including eventually:
- implementing pseudonymization and encryption of personal data;
- ensuring the continuing confidentiality, integrity, availability and resilience of processing systems and services and regular checks of the measures in place and their proper functioning;
- ensuring the ability to restore and access personal data in a timely manner in the event of physical or technical incidents;
- establishing and ensuring the process of periodic testing, assessment and evaluation of the effectiveness of technical and organizational measures in place to ensure the safety of processing;
- providing protection of the information system perimeter, for example by a multi-level firewall;
- ensuring that only authorized DS persons shall gain access to personal data and data carriers;
- ensuring a high level of physical security of personal data servers, e.g. personal data servers are locked in a server room or data center.
- If the DS detects a breach of personal data security, it will notify the Client without undue delay.