This DATA PROCESSING AGREEMENT concluded in accordance with Article 28(3) of Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (the “GDPR“) and Section 34(3) of Act No 18/2018 Coll. on the Protection of Personal Data and on Amendment of Certain Acts as amended (the “Personal Data Protection Act“) (the “Agreement“)
Legal entity that ordered the Processor’s Services via the Processor’s Website on the basis of the General Terms and Conditions (the “Controller“),
ErlaServers s.r.o., having the seat at Veľký diel 3323/1, Žilina 010 08, Slovakia, ID number (IČO): 54 385 504, registered with the Commercial Registry of District Court Žilina, Section: Sro, File No.: 81219/L, email: email@example.com (the “Processor“)
(The Controller and the Processor together hereinafter as the “Parties” and individually as the “Party”)
THE PARTIES HAVE AGREED AS FOLLOWS:
1. Object and Purpose of the Agreement
1.1 Terms beginning with capitals and used in this Agreement that are not defined in this Agreement shall have the meanings as set forth in the Processor’s General Terms and Conditions (the “Terms”) available on the Processor’s Website.
1.2 The Parties have agreed on the wording of the Terms, the subject of which is the provision of cloud platform providing server infrastructure and automated software delivery solution by the Processor to the Controller and related support and management services (the “Services“). For the purposes of this Agreement, the Terms of the Processor and/or the purchase order issued by the Controller and/or any other commercial form of cooperation arrangement between the Controller and the Processor under which the Processor provides the Services to the Controller shall also be deemed to be the Main Agreement (jointly as the “Main Agreement”).
1.3 In providing the Services, the Processor processes personal data on behalf of the Controller, and the Parties intend by this Agreement to ensure that such processing of personal data by the Processor complies with the GDPR and the Personal Data Protection Act.
1.4 The Controller, within the meaning of Article 4 of the GDPR and Section 5 of the Personal Data Protection Act, determines by this Agreement the purposes and gives instructions for the processing of personal data that the Processor will process on their behalf and according to their instructions.
1.5 The Controller also declares that it has complied with Article 28(1) of the GDPR and Section 34(1) of the Personal Data Protection Act and the Processor provides sufficient guarantees that appropriate technical and organizational measures will be taken to ensure that the processing of personal data complies with the legal requirements and that adequate protection of the rights of data subjects is ensured.
1.6 The subject matter and duration of the processing, the nature and purpose of the processing, the method of processing, the categories of data subjects and the scope of the personal data to be processed by the Processor on behalf of the Controller pursuant to this Agreement are set out in Annex 1 to this Agreement.
2.1 Terms used in this Agreement shall have the following meanings:
2.1.1 Personal data means any information relating to an identified or identifiable natural person who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
2.1.2 Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.1.3 Additional processor is any third party that is entrusted by the Processor to process the Controller’s personal data;
2.1.4 Data subject is an identified or identifiable natural person whose personal data is being processed;
2.1.5 Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed;
2.1.6 Applicable data protection legislation within the meaning of this Agreement means Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) and Act No. 18/2018 Coll. on the protection of personal data, or other generally binding legislation that establishes the rights and obligations relating to the protection of personal data;
2.1.7 The Standard Contractual Clauses are the contractual document on the basis of which the transfer of personal data to third countries takes place in accordance with Commission Implementing Decision (EU) 2021/915 of June 4, 2021 on standard contractual clauses between controllers and processors pursuant to Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (Text with EEA relevance)
2.1.8 Third countries are countries that are not a member state of the European Union or are not a party to The European Economic Area Agreement.
3 Rights and Obligations of the Parties
3.1 Rights and Obligations of the Controller
3.1.1 It is the Controller’s obligation to ensure that the personal data of the data subjects being processed are obtained on the basis of a valid legal basis that authorizes the Controller to process such personal data and to authorize the Processor to process them on the basis of this Agreement.
3.1.2 The Controller is obliged to inform all data subjects about the processing of personal data in connection with the provision of the Services and to provide the data subjects with all information so that the information obligation pursuant to Articles 12 and 13 of the GDPR and Section 19 of the Personal Data Protection Act is fulfilled.
3.1.3 The Controller is obliged to instruct the Processor to process personal data mainly, but not exclusively, through this Agreement. If necessary, any instructions other than those contained in this Agreement may be given by the Controller to the Processor in writing or electronically, including via the Platform or any other communication tool chosen by the Parties (e.g. Slack, etc.).
3.1.4 The Controller shall be entitled to require the Processor to demonstrate compliance with all legal obligations under applicable data protection legislation and under this Agreement, including the implementation of all prescribed security measures for the protection of personal data.
3.1.5 The Controller, or an auditor authorized by the Controller, shall be entitled to carry out an audit or a data protection check on the Processor, within the framework of which they may request from the Processor any information relating to the processing of personal data under this Agreement. The Controller shall give the Processor at least 15 business days’ prior written notice of the planned audit or inspection. The Controller shall reimburse the Processor for all demonstrable costs incurred by the Processor in connection with the performance of the audit or inspection. When conducting an audit or inspection, the Controller shall comply with the Processor’s security and organizational instructions so as not to disrupt or restrict the Processor’s operations.
3.2 Rights and Obligations of the Processor
3.2.1 The Processor shall take all reasonable measures necessary to comply with the legal requirements under applicable data protection legislation and to ensure the protection of the rights of data subjects and shall, in particular but not exclusively, take appropriate technical and organizational measures and process personal data in accordance with the Controller’s instructions and the provisions of this Agreement.
3.2.2 The Processor is obliged to process personal data in accordance with the instructions of the Controller and exclusively to the extent, under the conditions and for the purpose set out by the Controller in this Agreement. The Processor shall confirm the receipt of other instructions from the Controller according to Clause 3.2.3 of this Agreement to the Controller in writing or electronically. The Processor shall notify the Controller without delay and before commencing the processing of Personal Data if it is required to process Personal Data to comply with a legal requirement outside the scope of the Controller’s instructions and such notification is not contrary to the public interest.
3.2.3 The Processor is obliged to inform the Controller without delay if they consider the Controller’s instructions to be contrary to the Applicable data protection legislation or if compliance with those instructions cannot ensure adequate protection of the rights of data subjects.
3.2.4 When processing personal data, the Processor is obliged to act in accordance with the Applicable data protection legislation.
3.2.5 The Processor is responsible for the security of the processing of personal data in accordance with Article 32 of the GDPR and Section 39 of the Personal Data Protection Act and for compliance with the appropriate technical and organizational measures according to Annex 3 of this Agreement.
3.2.6 The Processor is obliged to ensure that only authorized persons have access to the personal data and that they are bound by the obligation of confidentiality and, or, secrecy, which will continue after the processing of the personal data has been completed. The Processor also declares that the authorized persons have been demonstrably informed of their rights and obligations in the processing of personal data arising from the applicable data protection legislation and from this Agreement.
3.2.7 The Processor is obliged to notify the Controller of any breach of the protection of personal data or the impossibility of fulfilling the obligations set out in this Agreement within 72 hours upon becoming aware of the breach. This notification must include at least the probable extent of the damage suffered and the identified extent of the personal data breach.
3.2.8 The Processor shall be obliged to delete or return to the Controller any personal data, or any copies thereof, which have been provided to the Processor for the purposes of the performance under this Agreement within 30 days after the termination of the provision of the Services under the Main Agreement or after the expiry of the necessary time period for their processing specified in Annex 1 to this Agreement.
3.2.9 If the data subject addresses the Processor with his or her request concerning his or her rights relating to the processing of personal data under this Agreement, the Processor shall refer the data subject to the Controller and shall inform the Controller of the request without delay. The Processor shall provide the Controller with assistance in processing the Data Subject’s request in accordance with Article 28(3)(e) GDPR to the extent that the Data Subject’s request cannot be handled by the Controller independently using the information concerning the processing of the Data Subject’s personal data in the context of the provision of the Services available on the Website or on the cloud platform.
3.2.10 The Processor commits to follow the procedure set out in Article 4 of this Agreement when entrusting any third party with the processing of personal data.
3.2.11 The Processor commits to provide the Controller any cooperation necessary to ensure the fulfillment of obligations under Article 32 and Article 36 GDPR and Sections 39 to 43 of the Personal Data Protection Act. If necessary, the Processor shall provide the Controller with cooperation with any obligation arising from the applicable data protection legislation, if such obligation cannot be fulfilled by the Controller without the cooperation of the Processor.
3.2.12 The Processor commits to provide the Controller the necessary cooperation in the event of exercising its right to audit or checkup and to provide the Controller with all necessary information to demonstrate compliance with the obligations established by the applicable data protection legislation and by this Agreement.
4 Additional Processors
4.1 The Controller hereby authorizes the Processor to entrust additional processors with the processing of personal data according to this Agreement.
4.2 The processor is obliged to inform the Controller in writing or electronically of any assignment of another processor within 15 business days. The Processor shall inform the Controller of the assignment of an additional processor via the Platform and by email sent to the contact person of the Controller referred to in clause 8.1 of this Agreement.
4.3 The controller shall have the right to object to the assignment of the additional processor within 10 days from the date of receipt of the information on the assignment of the additional processor. If the Controller does not exercise this right, the Parties shall consider that the Controller agrees to the assignment of the additional processor. The Controller also undertakes to exercise its right to object only in justified cases. The Controller acknowledges that the exercise of the right to object to the entrustment of another processor may result in the impossibility of processing personal data pursuant to this Agreement and, therefore, the impossibility of providing the Services. In the event that the Controller exercises the right to object to the commissioning of an additional processor and the Processor is unable to provide the Services to the Controller as a result, the Controller acknowledges and agrees that the Controller shall not be entitled to any claims against the Processor in respect of such inability of the Processor other than those expressly granted to the Controller in the Main Agreement, in particular, the Controller shall not be entitled to claim any additional compensation or a refund of the fee for the Services already paid for.
4.4 The Processor shall ensure that the additional processor to whom an authorization has been granted in accordance with the paragraphs above is bound by the same obligations regarding the protection of personal data as the Processor has undertaken under this Agreement.
4.5 The Processor shall be directly liable to the Controller for any damages caused by the processing of personal data under this Agreement by the additional processor.
4.6 At the time of conclusion of this Agreement, the Processor has entrusted the processing of personal data under this Agreement to the additional processors listed in Annex 2 of this Agreement, to which the Controller agrees.
5 Transfer of Personal Data to Third Countries
5.1 The Processor shall be entitled to transfer personal data processed under this Agreement to third countries only if it ensures that the level of protection of personal data after such transfer corresponds to the minimum level of protection under this Agreement and the Applicable data protection legislation. The Processor shall ensure that adequate security and protection measures are complied with in accordance with this Agreement and the applicable data protection legislation and that the rights of data subjects are not compromised and shall enter into standard contractual clauses for the purposes of such transfer in the relevant wording.
6 Liability for Damages
6.1 The Processor is obliged to compensate the Controller for any damage incurred as a result of a breach of the provisions of this Agreement or the provisions of the applicable legislation on the protection of personal data by the Processor or by persons for whose actions the Processor is liable under this Agreement or generally binding legislation.
6.2 The Processor may be released from liability under this article of the Agreement if they prove that the damage was not caused by the Processor.
6.3 The limitation of liability provisions agreed by the Parties in the Main Agreement shall apply for the purposes of this Agreement.
7 Duration and Termination of the Agreement
7.1 This Agreement shall be valid and effective from the date of its signing by the Parties and shall terminate on the date of termination of the Main Agreement. If necessary, this Agreement shall remain in force after the termination of the Main Agreement for the necessary period of further processing of personal data required for the termination of the Main Agreement.
7.2 The Controller shall have the right to immediately terminate this Agreement and the Main Agreement if the Processor breaches its obligations under this Agreement or under applicable data protection legislation and fails to rectify such breach within 10 days of being notified of such breach by the Controller, or within such other period as may be agreed by the Parties.
7.3 The Controller shall be entitled to terminate this Agreement without giving any reason by giving 1-month written notice, commencing on the first day of the month following the month in which the written notice is received by the Processor.
8 Contact Persons
8.1 The Parties have stipulated that the following persons are authorized to communicate on behalf of the respective Party for matters arising out of this Agreement:
Contact details of the Controller:
Name and surname: Erik Laco
Phone number: +421902299632
Contact details of the Processor:
8.2 In the event of any change regarding the above contact persons, the Party concerned shall immediately inform the other Party of such change.
9 Final Provisions
9.1 If any contract, other binding document or agreement entered into between the Parties contains provisions relating to the protection of personal data in the processing of personal data in the provision of the Services, on the effective date of this Agreement, such provisions shall cease to be valid and effective and the processing of personal data between the Controller and the Processor shall be governed solely by the provisions of this Agreement.
9.2 The rights and obligations not expressly provided for in this Agreement shall be governed by the relevant provisions of generally binding legislation of the Slovak Republic.
9.3 In case of a dispute arising out of this Agreement, the Parties agree that such disputes shall be resolved primarily by mutual negotiations between the representatives of the Parties, and if the dispute is not resolved by negotiations, the Parties shall refer the dispute to the court of the Slovak Republic having jurisdiction in the subject matter and place of the dispute.
9.4 The following annexes are an integral part of this Agreement:
Annex 1: Specification of the processing of personal data by the Processor on behalf of the Controller
Annex 2: Agreed additional processor(s) authorized by the Processor
Annex 3: Technical and organizational measures to ensure the security of personal data
9.5 This Agreement may be amended only by agreement of the Parties in the form of written amendments to the Agreement.
9.6 The Parties declare that their legal capacity and freedom to enter into this Agreement, as well as their capacity to perform related legal acts is not limited or excluded by anything and that they have read this Agreement, understand its contents and that they conclude this Agreement freely and seriously, that it has not been concluded under unfavorable terms or under duress, and attach their signatures as proof thereof.