Contract on the processing of personal data

concluded in accordance with the provisions of Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter “the Regulation”), or, as applicable, according to the provisions of § 34 of Act no. 18/2018 Coll. on the protection of personal data, as amended (hereinafter referred to as the “Act”) between the Operator and Intermediary.

This Contract on the processing of personal data is an addendum to and forms part of the Service Agreement between Luigi’s Box (“Luigi’s Box” and “Intermediary”) and the party identified as the Customer in the Service Agreement (“Customer” or “Operator”). This Contract sets out the terms that apply to the parties when processing personal data in connection with the provision of the Services.

1. PREAMBLE

1.1 This Data Processing Contract (hereinafter “Contract”) stipulates the conditions for the processing of personal data by the Intermediary on behalf of the Operator in fulfilling the obligations arising from the Contract on the provision of services concluded between the Contracting Parties (hereinafter the “Service Agreement”).

1.2 The subject of the Contract is the Intermediary’s obligation to provide the Operator with services related to digital marketing technologies, the scope of which is agreed upon in the Service Agreement. When providing these services, the personal data of natural persons may be processed on the basis of an instruction from the Operator and the Operator’s obligation to pay the agreed fee to the Intermediary for these services.

2. SUBJECT OF THE CONTRACT

2.1 The subject of this Contract is the authorization of the Intermediary to process personal data of natural persons on behalf of the Operator, exclusively in connection with the provision of services of the Intermediary, which are defined in the Service Agreement and/or in individual orders of the Operator.

2.2 The Intermediary is entitled to process personal data for the Operator only to the extent, under the conditions and for the purpose agreed with the Operator and in the manner determined by the Regulation, the Act, and other generally binding legal regulations (hereinafter collectively referred to as the “Personal Data Protection Regulations”).

3. PURPOSE AND SCOPE OF PERSONAL DATA PROCESSING

3.1 The purpose of the processing of personal data by the Intermediary is the proper provision of the agreed services in accordance with the Service Agreement and/or the individual order of services (hereinafter referred to as the “Purpose”).

3.2 The categories of data subjects to whom personal data processed under this Contract relate are listed in Annex no. 1 of the Contract.

3.3 The subject of processing includes personal data of the data subjects, which are necessary for the fulfillment of the Purpose and the exact scope of which depends on the nature of the service provided in accordance with the Service Agreement (hereinafter referred to as “Personal Data”); the subject of processing is not a special category of personal data according to Art. 9 of the Regulation. The types of personal data are listed in Annex No. 1 of the Contract.

3.4 The Intermediary is entitled to process Personal Data only for the specified Purpose and to perform with Personal Data for the Operator only those operations that are necessary for the provision of services and in accordance with the Service Agreement or individual order, and to process Personal Data for the specified Purpose in accordance with documented instructions and instructions of the Operator.

4. RIGHTS AND OBLIGATIONS OF THE OPERATOR

4.1 Operator:

4.1.1 is obliged to process personal data in accordance with the Personal Data Protection Regulations;

4.1.2 is entitled to entrust the Intermediary with the processing of only such Personal Data that has been obtained and processed by the Operator in accordance with the Personal Data Protection Regulations;

4.1.3 is entitled to provide the Intermediary with written (in paper form or electronically) instructions regarding the processing of personal data to achieve the Purpose. Such instructions are binding on the Intermediary provided that the execution of these instructions requires the provision of services in accordance with the Service Agreement or individual service order or if the execution of these instructions requires additional costs on the part of the Intermediary in connection with the execution of these instructions and the Operator pays all incurred costs. The Intermediary will not execute the Operator’s instructions which are in conflict with any provision of this Contract or are in conflict with the Personal Data Protection Regulations;

4.1.4 is always responsible for the processing of Personal Data. If the data subject requests the provision of information on the processing of personal data, the correction or deletion of personal data, objects to the lawfulness of personal data processing or otherwise requests the termination of personal data processing or blocking of personal data, the Operator is obliged to give written (in paper form or electronically) instruction to the Intermediary to take the necessary measures.

5. RIGHTS AND OBLIGATIONS OF THE INTERMEDIARY

5.1 The Intermediary is obliged to:

5.1.1 process Personal Data only in accordance with the written (in paper form or electronically) instructions of the Operator, which are aimed at fulfilling the Purpose and the Service Agreement; these instructions are binding on the Intermediary unless otherwise stated in the Contract;

5.1.2 not to use Personal Data for purposes other than those specified in this Contract and the Service Agreement and not to combine Personal Data with other personal data obtained, registered, or otherwise processed by the Intermediary without the prior written instruction of the Operator, even for the purpose of achieving the same purpose (e.g. assignment data from own/public databases, etc.);

5.1.3 process only those Personal Data which, in scope and content, correspond to the intended Purpose and are necessary for its achievement;

5.1.4 process Personal Data in accordance with established personal data processing practices and prevailing standards in the field of information management and in accordance with the Personal Data Protection Regulations;

5.1.5 in the event that it obtains Personal Data on behalf of the Operator, to provide information to the persons concerned in accordance with Art. 13 and 14 of the Regulation; if the Operator requests the use of its own information materials for the purpose of fulfilling the information obligation, it shall provide these materials to the Intermediary without undue delay after the conclusion of this Contract or after the instruction to obtain Personal Data on its behalf;

5.1.6 to provide the Operator with cooperation in the performance of its obligations in relation to the requests of the persons concerned and to assist the Operator in ensuring the fulfillment of obligations pursuant to Art. 32 to 36 of the Regulation, taking into account the nature of the processing and the information available to the Intermediary;

5.1.7 immediately inform the Operator of any request or exercise of the rights of the person concerned and at the same time immediately send the relevant submission of the person concerned and related documentation to the Operator;

5.1.8 in the event of a breach of personal data protection, i.e. in the event of a breach of security measures leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure or disclosure of Personal Data, the Intermediary is obliged to notify the Operator of any breach of Personal Data protection without undue delay after becoming aware of the breach. The written notice under this section shall contain a description of the nature of the personal data breach, the category and approximate number of data subjects and personal data records concerned, a description of the likely consequences of the personal data breach, and a description of the measures taken to remedy the personal data breach. If it is not possible to provide all the above information at the same time, this information may be provided in stages without further undue delay.

5.1.9 immediately inform the Operator about inspections and measures taken by the supervisory authority against the Intermediary, as well as about conducting civil, criminal, or administrative proceedings against the Intermediary, if these relate to the contractual relationship between the Operator and the Intermediary and/or processing of Personal Data under the Contract;

5.1.10 regularly monitor internal processes and technical and organizational measures to ensure that processing within the scope of the Intermediary’s responsibility complies with the requirements of the Personal Data Protection Regulations;

5.1.11 process Personal Data only for the duration of this Contract.

5.2 The Intermediary is also entitled to process Personal Data for purposes that result from special legal regulations or such processing is required by the competent court or administrative authority. In the event that a court or administrative authority orders the Intermediary any measure or operation with Personal Data, the Intermediary is obliged to inform the Operator without undue delay of the delivery of any such request before responding to this request or performing other action concerning processed Personal Data, or as soon as reasonably expected, in the event that the Intermediary is obliged to provide an immediate response to the competent court or administrative authority unless the notification to the Operator would be contrary to special legislation or a decision of a court or administrative authority.

6. SECURITY OF PERSONAL DATA

6.1 The Intermediary will ensure the protection of Personal Data by implementing and documenting security measures in accordance with Art. 28 par. 3 letter c) and Art. 32 of the Regulation in conjunction with Art. 5 par. 1 and par. 2 of the Regulation. The security measures to be taken must ensure the protection of Personal Data with a level of security commensurate with the risk posed by the processing to the rights of data subjects and with a view to ensuring the continued confidentiality, integrity, availability, and resilience of processing systems, in order to prevent accidental or unlawful destruction, loss, unauthorized provision, disclosure of Personal Data, unauthorized access to them or any other unauthorized processing operation.

6.2 The Intermediary is obliged to have established risk management with regard to the persons concerned in the sense of the Regulation and also information security risk management with regard to the technical means within which Personal Data is processed. The Operator has the right to request the provision of documentation on the technical and organizational measures taken, no later than 30 days from the sending of the Operator’s request.

6.3 The Intermediary, its employees, and other persons who come into contact with Personal Data through the Intermediary are obliged to maintain confidentiality about them; the duty of confidentiality continues even after the completion of the processing of Personal Data. The Intermediary is entitled to make the Personal Data available to employees or other persons with whom it has a legal relationship only to ensure its obligations in the performance of the Purpose and under the conditions set out in this Contract.

6.4 In the case of providing Personal Data to employees or other persons with whom the Intermediary has a legal relationship, the Intermediary is obliged to inform these persons of the obligation to comply with the provisions of this Article of the Contract and to bind such persons to a duty of confidentiality that will continue even after the termination of the legal relationship of that person.

6.5 The Intermediary will not provide Personal Data to any third parties unless such disclosure is necessary for:

6.5.1 employees of the Intermediary,

6.5.2 subcontractors according to Art. 8 of the Contract,

6.5.3 third parties, if such provision is required by law or by a valid and enforceable decision of a court or other public authority of the Slovak Republic.

7. OTHER OBLIGATIONS OF THE CONTRACTING PARTIES

7.1 The Contracting Parties undertake to provide each other with the cooperation necessary to comply with the provisions of the Contract and to ensure compliance with the Personal Data Protection Regulations.

7.2 If in connection with the breach of the Operator’s obligation arising from the Contract and/or the Personal Data Protection Regulations, the Intermediary incurs any damage or other harm, the Operator is obliged to compensate the Intermediary for this damage or other damage in full.

7.3 If any damage or other harm occurs in connection with the breach of the Intermediary’s obligation arising from the Contract and/or the Personal Data Protection Regulations, the Intermediary is obliged to compensate the Operator for this damage or other damage in full.

8. SUBCONTRACTORS

8.1 The Operator agrees that the Intermediary may involve other intermediaries in the performance of processing activities that it performs for the Operator within the provision of services based on the Service Agreement or on the basis of an individual order (hereinafter referred to as the “Subcontractor”).

8.2 The Intermediary is entitled to involve the Subcontractor in the performance of processing activities under clause 8.1 of the Contract if it enters into a written agreement with it, which imposes on the Subcontractor the same obligations regarding personal data protection as the Intermediary towards the Operator under this Contract. If the Subcontractor fails to fulfill its obligations under this Contract regarding the protection of personal data, the Intermediary is fully liable to the Operator for the Subcontractor’s failure to fulfill these obligations.

8.3 The Intermediary shall notify the Operator in advance of any changes in connection with the addition or replacement of other Subcontractors. If the Operator does not express its disagreement in writing within 15 calendar days after being informed of the given change, the Intermediary may use a new Subcontractor. If the Operator disagrees within the specified period, the Intermediary shall make reasonable efforts to change the Subcontractor. If the Intermediary is unable to make such changes within 60 calendar days, the Operator may terminate this Contract in writing within 30 days from notification of non-change of Subcontractor (or from the date of notification of change of Subcontractor if the Intermediary has not informed the Operator about securing a replacement Subcontractor). The Operator may terminate this Contract by written notice with a notice period of one month from the date of delivery of the notice. If the Operator does not notify the Intermediary of the termination of the Contract within the specified period, it is considered that it agrees with the use of the originally proposed Subcontractor.

9. CONTROL POWERS OF THE OPERATOR

9.1 If requested by the Operator, the Intermediary shall enable the Operator or the Independent Third Party Auditor authorized by the Operator to perform control in the Personal Data Processing Systems; this control is limited to the assessment of compliance with the obligations under this Contract and in no circumstances may it cover access to any data of other intermediary customers. The date of the inspection must always be agreed in advance, at least ten (10) working days before the planned inspection.

9.2 The Intermediary informs the Operator if, in its opinion, the Operator’s instructions violate the Personal Data Protection Regulations. If the Operator insists on the fulfillment of an instruction which, in the opinion of the Intermediary, violates the Personal Data Protection Regulations, the Intermediary reserves the right not to execute such an instruction, as well as the right to withdraw from the Contract.

10. TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES

10.1 The contractually agreed processing of Personal Data is performed by the Intermediary in a Member State of the European Union or in a state forming the European Economic Area.

10.2 The transfer of Personal Data to a state located in the territory of a state other than the state specified in clause 10.1 of the Contract may only take place with the prior written consent of the Operator and subject to the special conditions set out in Art. 44 to 50 of the Regulation.

11. PERSONAL DATA PROCESSING TIME

11.1 The Intermediary is entitled to start processing Personal Data in accordance with the Contract at the earliest from the effective date of this Contract and also the Service Agreement, and its authorization to process lasts for the entire duration of this Contract.

11.2 This Contract lasts until the Service Agreement expires.

12. RETURN OR DELETION OF PERSONAL DATA

12.1 Upon termination of the Contract, the Intermediary is obliged to delete or return to the Operator or a third party designated by the Operator all Personal Data based on special instructions of the Operator. If the Operator requests the return of Personal Data, it is obliged to reimburse the Intermediary for the costs incurred in connection with the return of Personal Data.

12.2 If the Operator does not provide the Intermediary with any instructions in connection with the deletion or return of Personal Data within 15 calendar days from the expiry of the Contract, the Intermediary shall send a written request to the Operator requesting the Operator to send instructions to delete or return Personal Data within 15 calendar days. If the Operator does not provide written instructions within this additional period and does not reimburse the costs incurred in the case of returning Personal Data, the Intermediary is entitled to delete all Personal Data.

12.3 The obligation to return or delete Personal Data does not affect the information that the Intermediary is obliged to keep based on generally binding legal regulations even after the expiry of the Contract and Service Agreement.

12.4 At the request of the Operator, the Intermediary will confirm in writing the deletion or return of Personal Data.

13. FINAL PROVISIONS

13.1 This Contract replaces all previous agreements between the Operator and the Intermediary concerning the protection of personal data.

13.2 Legal relations of the contracting parties, which are not further regulated by this Contract, are governed by the relevant provisions of the Regulation, the Act, and Act no. 513/1991 Coll. of the Commercial Code as amended and other relevant legal regulations of the Slovak Republic.

13.3 The Contracting Parties declare that they have read the Contract carefully before concluding it, understand its content, and confirm that the Contract corresponds to their real and free will, and that the Contract was not concluded under duress or under noticeably unfavorable conditions.

ANNEX 1

Categories of personal data and data subjects:

The category of data subjects whose personal data are processed under this Contract consists of: Operator employees
Personal data processed under this Contract include the following categories of personal data: Name and surname - in order to access the Luigi's Box application and issue invoices

The category of data subjects whose personal data are processed under this Contract consists of: Website visitors
Personal data processed under this Contract include the following categories of personal data: IP address (arrives at the technical interface of the service together with the data to be further processed. The IP address itself, however, is not further processed in its original form, only in an anonymized variant, which is no longer considered personal data)