- Introductory provision
- The purpose of this clause is to set out the rules and conditions for ensuring the protection of personal data processed by the DS (as the processor) for the Client (as administrator) in connection with the performance of the Agreement as well as any other (partial) agreement concluded between the Parties.
- This clause takes into account the legislation in force on the date of its conclusion in the Czech Republic, in particular Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and on repeal of Directive 95/46/ES (General Data Protection Regulation, hereinafter the "GDPR"), which is effective from 25 May 2018.
- The Parties hereby agree that, if necessary to comply with the requirements of the legislation relating to the protection, processing or transfer of personal data, in particular the Personal Data Processing Act, the GDPR or other regulations (hereinafter the "Data Protection Regulations"), the Parties shall conclude without undue delay a written amendment to this clause taking into account such requirements after the request of either Party.
- Data Management Modes
- The Parties hereby agree that within the performance of the Agreement [respectively each (partial) agreement concluded between the Parties], the following data management systems may occur:
- The data management in systems operated by the Client, including, inter alia, personal data, where the Client enables the DS to access systems operated by the Client; to perform tasks under this Agreement, or other (partial) agreements concluded between the Parties, including the processing of personal data, the DS shall use only the system operated by the Client, for whose technical support the Client is responsible (hereinafter referred to as the “Data Management Mode in Client Systems”);
- The management of anonymized data outside the systems operated by the Client, where the Client transmits the anonymized data to the DS so that it does not contain personal data (hereinafter the “Anonymous Data Management Mode”);
- The data management, including personal data, outside the systems operated by the Client, when the Client transmits data to the DS, including personal data, for further processing in systems of the DS (hereinafter the “Data Management Mode in DS systems”).
- Unless otherwise agreed by the Parties, DS's contractual obligations are performed in the Data Management Mode in Client Systems (MS Azure Cloud).
- Anonymous Data Management Mode
- If, on the basis of an agreement between the Parties, the DS fulfills its contractual obligations in the Anonymous Data Management Mode, the Client undertakes to provide the DS with all data in an anonymized form so that it does not in any respect concern the processing of personal data within the meaning of the Data Protection Regulations.
- If, on the basis of an agreement of the Parties, the contractual obligations of the DS are fulfilled under the Anonymous Data Management Mode, the DS shall have no obligations under other provisions of this Article.
- Entrustment
- If the obligations of the DS are fulfilled under this Agreement or other (partial) agreements concluded between the Parties in the Data Management Mode in Client Systems and / or in the Data Management Mode in DS systems, the Client, as the administrator, hereby entrusts the DS, as the processor, with the processing of personal data (provided by the Client) within the specified scope and for the specified purposes under this clause, and the DS, as the processor of the personal data, accepts the processing authorization under the terms set out in this clause. The DS is obliged to process personal data for the Client based on his instructions and to the extent necessary for the proper performance of its contractual obligations. The Client undertakes to hand over all instructions to the DS through e-mail communication and / or paper correspondence addressed to the contact details specified in Article V of the Agreement. The Client shall not impose an instruction to the DS that would be contrary to legal regulations. In case the DS receives an instruction from the Client regarding the processing of personal data, which is in conflict with the valid legal regulations, the DS is not bound by such instruction.
- The DS may involve another processor in the processing (i.e. the Client grants the DS general consent to engage another processor within the meaning of Article 28 Paragraph 2 of the GDPR), but simultaneously undertakes to inform the Client of such involvement, and the Client may object to the involvement of another processor. The Parties have agreed that information about the involvement of another processor (or about changes to or replacement of other processors) shall be sent to the Client by the DS prior to the involvement of another processor by means of an e-mail message addressed to the Client's e-mail address specified in Article V hereof. The DS shall impose on its subcontractors, as a personal data processor, the same data protection obligations as set out in this clause.
- Data Subject Categories, Types of Personal Data, Nature and Purpose of Processing
- The DS processes personal data for the Client under this Agreement or, as the case may be, other (partial) agreements concluded between the Parties, in the following scope:
| Purpose of processing | Scope of Personal Data (Personal Data Types) | Specific categories of personal data | Categories of data subjects |
|---|---|---|---|
| preparation of technical architecture for data analytics and subsequent personalized campaigns (analytical databases, business datamart, analytical stations with analytical tools, visualization tools) | name and surname of natural person, date of birth of natural person; address of natural person or place of business; telephone number; e-mail; transaction and sales history; information about purchased products and services; web behavior; responses to direct campaigns | none | Client Customers; Client Employees; Visitors to the Client's website |
- DS will process personal information as follows:
- automatically using statistical and analytical methods with the contribution of computer technology,
- manual data processing may occur occasionally.
- DS shall process personal data in electronic form.
- Processing Time
- The processing of personal data shall take place for the duration of the Agreement or, as the case may be, other (partial) agreements concluded between the Parties. The Parties undertake to fulfill the obligations relating to the protection of personal data for the entire duration of the Agreement, unless it is apparent from the provisions of the Agreement or from the provisions of legal regulations that the obligations shall continue even after the termination of the effectiveness of the Agreement.
- Rights and Obligations of the Client
- The Client undertakes to ensure that the data processed by the DS are always obtained and processed by the DS in accordance with the Data Protection Regulations. In particular, the Client undertakes to ensure that:
- all data processed by him shall be processed under the proper legal title of processing of personal data and the given legal title of processing of personal data enables the DS to process personal data under this Agreement,
- the Client shall provide the data subjects with any mandatory communications imposed on them by the Data Protection Regulations;
- the Client shall maintain proper records of personal data processing activities within the meaning of Article 30 Paragraph 2 of the GDPR;
- the Client shall comply with all legal obligations arising for it, as the controller of personal data, from the GDPR and other legal regulations.
- In the event that personal data are processed in the Data Management Mode in Client Systems: The Client declares that, in the case of the processing of personal data in the Data Management Mode in Client Systems, a level of security corresponding to the risk to the rights and freedoms of data subjects is fully ensured. The Client is responsible for ensuring that its systems, in which data, including personal data, are processed, comply with all requirements of the Data Protection Regulations, in particular concerning assurance of the continued confidentiality, integrity, availability and resilience of such systems. In the event of any threat to the Client's systems which may affect the performance of the contractual obligations of the DS, the Client shall immediately notify the DS thereof.
- The Client acknowledges and agrees that, in the case of the processing of personal data in the Data Management Mode in DS Systems, the encrypted data of the Client will be stored on the Microsoft Azure Data Cloud under the terms and conditions specified on the website of the respective provider. Another external data storage service provider may be involved under the terms of Article 4.2 of this clause. The DS undertakes to inform the Client on a specific data storage provider upon request. The Client undertakes to ensure that the legal title of the processing of personal data legally allows the storage of data with an external data storage provider and that all information obligations are met in relation to the data subjects.
- Obligations of the DS
- Regardless of the data management mode, the DS undertakes not to process the acquired personal data for its own purposes, in particular not to store, copy, print, transcribe or modify them, or to make excerpts or copies of them, by any means.
- The DS is obliged while processing personal data:
- to process personal data solely on the basis of documented Client's instructions and in accordance with the principles of communication under the Agreement;
- to follow the Client's instructions regarding the transfer of personal data to a third country or international organization, unless such processing is already imposed by the law of the European Union or the Member State applicable to the DS; in such a case, the DS shall inform the Client of this legal requirement before the processing commences, unless such legislation prohibits such disclosure for important reasons of public interest;
- to ensure that persons authorized to process personal data undertake confidentiality or are subject to a statutory obligation of confidentiality;
- to involve another processor in the processing only under the conditions specified in Article 4.2 of this clause;
- to take into account the nature of the processing and assist the Client through appropriate technical and organizational measures, as far as possible, to fulfill the Client's obligation to respond to requests for the exercise of data subjects' rights;
- to assist the Client in ensuring the appropriate level of processing security, in reporting personal data breaches to the supervisory authority and, where applicable, to data subjects, in assessing the impact on the protection of personal data and in carrying out prior consultation with the supervisory authority;
- in the event that personal data are processed in the Data Management Mode in DS systems: to delete all personal data or return it to the Client upon termination of the service, in accordance with the Client's decision, and to delete existing copies unless the law of the EU or of a Member State requires the storage of such personal data; and
- to provide the Client, at the Client's request, with all information necessary to prove that the obligations set out in Article 28 of the GDPR have been fulfilled and to enable audits, including inspections, carried out by the Client or other auditor authorized by the Client.
- In relation to the processing of personal data, the DS records all categories of processing activities performed for the Client, which include:
- the name and contact details of the DS and the Client and any representative of the Client or DS and the data protection officer;
- the category of processing performed for the Client;
- information on the possible transfer of personal data to a third country or international organization; and
- a general description of the technical and organizational security measures. In this context, the Client undertakes to provide the DS with a description of the technical and organizational measures adopted by the Client for the purpose of processing personal data in the Data Management Mode in Client systems on the effective date of this Agreement. The Client further undertakes to inform the DS immediately of any change in these technical and organizational measures.
The DS undertakes, based on a written request from the Client, to make the records kept by the DS accessible to the Client.
- Security of Personal Data
- In the event that personal data are processed in the Data Management Mode in Client Systems, the DS undertakes to comply with technical and organizational measures adopted by the Client for the purposes of data processing in these systems, with which the Client undertakes to demonstrably acquaint the DS. These measures will always include the following:
- ensuring that only authorized persons use the Client's systems;
- providing protection of the access data to the Client's systems;
- sufficient physical and software security of devices from which authorized persons shall access the Client's system.
- In the event that personal data are processed in the Data Management Mode in DS systems, the DS undertakes to adopt and maintain, in particular, the following measures to ensure the necessary level of security, to the extent appropriate to the risk of interference with the data subject's rights and freedoms, including, where applicable:
- implementing pseudonymization and encryption of personal data;
- ensuring the continuing confidentiality, integrity, availability and resilience of processing systems and services and regular checks of the measures in place and their proper functioning;
- ensuring the ability to restore and access personal data in a timely manner in the event of physical or technical incidents;
- establishing and ensuring the process of periodic testing, assessment and evaluation of the effectiveness of technical and organizational measures in place to ensure the safety of processing;
- providing protection of the information system perimeter, for example by a multi-level firewall;
- ensuring that only authorized DS persons shall gain access to personal data and data carriers;
- ensuring a high level of physical security of personal data servers, e.g. personal data servers are locked in a server room or data center.
- If the DS detects a breach of personal data security, it will notify the Client without undue delay.