Data Processing Agreement
Last updated: April 20, 2020
Subject and Purpose of the Agreement
This Agreement defines rights and duties of the Parties during such Personal Data processing under the terms of Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation). When the data processing is not subject to the Regulation, this agreement shall not apply.
Personal Data Processing
The Processor shall be entitled to process for the Controller the following Personal Data of Controller’s website users (hereinafter as “User”):
- Name and surname
- E-mail address
- IP and location
- Browser and operating system information
- other information provided by the User
(hereinafter referred to as the “Personal Data”).
The Processor shall process the Personal Data only for the purpose of providing Service and only on documented instructions from the Controller. The Processor takes into account that in the case of breach of this provision the Processor shall be considered as a controller of Personal Data.
The Controller makes the Personal Data accessible to the Processor by the means of the Service, i.e. the Ybug software is run, stored and backed up on the Processor’s data servers and any interaction made by the Users within the Ybug software is being processed by the Processor.
The Personal Data will be processed (saved) for the period set by the Controller. The Processor informs the Controller that any period longer than 12 months may be considered as an infringement of the Regulation.
Rights and Duties of the Contracting Parties
The Processor undertakes to implement and maintain appropriate technical and organisational measures to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access. Having regard to the state of the art and cost of their implementation, as well as the nature, scope, context, and purposes for Processing the Personal Data the Processor agrees that such measures shall ensure a level of security appropriate to the risks to and the nature of the Personal Data.
The Processor also undertakes:
- to process the Personal Data only in such form, in which they were transferred to it by the Controller;
- to process the Personal Data only for the purpose defined hereby and solely to the extent necessary for fulfilment of such purpose;
- not to merge Personal Data obtained for different purposes;
- to keep the Personal Data only for the period set by the Controller;
- upon discovery of any security breach regarding the Personal Data, to immediately take action to mitigate the risk to the Personal Data and provide the Controller with full and prompt cooperation and assistance in relation to Controller’s investigation of the security breach and Controller’s compliance with the Regulation related to such security breach.
The Processor shall be obliged to ensure that the employees and other persons authorized by the Processor to process the Personal Data process them only in the scope and for the purpose under this Agreement and under the Regulation.
The Processor and the Controller undertake to observe, when processing the Personal Data on the basis hereof, duties set by the Regulation and other generally binding legal regulations relating to such activities.
The Processor undertakes upon the Controller’s call to repair, update, delete or transfer the Personal Data under the Controller’s instruction without undue delay after such call.
When fulfilling the duties herefrom the Processor shall be obliged to proceed with professional care, observe the Controller’s instructions and act in accordance with interests of the Controller.
The Controller agrees that the Processor shall be entitled to charge another processor with processing of the Personal Data without additional express particular permission of the Controller (hereinafter referred to as the “Sub-processor”). The Processor shall inform the Controller of all Sub-processors that it intends to charge with processing of the Personal Data and thus it provides the Controller with opportunity to express its objections to admission of such Sub-processors. If the Controller does not express its objections to the Sub-processors within three business days, the Processor shall be entitled to charge such Sub-processor with processing of the Personal Data. If the Processor involves the Sub-processor to carry out certain processing activities, the same duties for protection of the Personal Data must be imposed on the Sub-processor by an agreement, as are stated in this Agreement and in the Regulation. If the mentioned Sub-processor does not fulfil its duties regarding the data protection, the Processor shall be liable to the Controller for fulfilment of the duties of such Sub-processor.
The Processor currently charges the following Sub-processors with processing:
- FastComet Inc., 350 Townsend Street, San Francisco, CA 94107, USA
- Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg
- BunnyWay d.o.o., Škofjeloška cesta 13 1215, Medvode, Slovenia
The Processor undertakes to provide the Controller with any and all information necessary for proving that the duties stipulated by this Agreement or by the Regulation relating to the personal data were fulfilled and allow the Controller or third party bound towards the Controller by duty of confidentiality, to carry out an audit in the reasonable scope. Such audit must be notified well in advance, at least 30 days in advance and it must not intervene unreasonably in the Processor’s activities. Controller and Processor bear their costs related to such Audit.
The Personal Data will not be subject to any transfers from a Member State of the EU to a third country outside the EU.
Term of the Agreement
This Agreement shall be effective for the period of effectiveness of the Services contract.
In the case of any termination of the Agreement or termination of the Personal Data processing, the Processor shall be obliged to return or liquidate immediately the Personal Data provided to it on the basis hereof.
Any change or amendment hereto must be agreed on by both Contracting Parties.
Invalidity of any of provisions hereof shall not affect validity of other provisions hereof.
The Contracting Parties undertake to provide each other with all the necessary assistance and data to secure effective implementation hereof, in particular in the case of dealing with the Office for Personal Data Protection or other public authorities.
In the case that the contractual relation established hereby contains an international element, the Parties agree that this Agreement shall be governed by the Czech law.
In the case of disputes arising herefrom, the Contracting Parties agree that all disputes shall be resolved by competent courts in the Czech Republic.
Need a signed copy? Click here to download the pre-signed DPA.