ANNEX NO. 1
DATA PROCESSING AGREEMENT
This Data Processing Agreement (hereinafter referred to as “DPA”) is concluded pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as “GDPR”) between:
Luigi’s Box, s.r.o.
with a registered seat at Tallerova 4, 851 01 Bratislava, Slovakia,
registration number: 50 641 671,
registered with the Commercial Register kept by the District Court Bratislava I, Section: Sro, Entry No.: 116273/B,
as the Processor
(hereinafter referred to as the
Customer as the Controller
(hereinafter referred to as the
(hereinafter Processor and the Customer mutually referred to as
Parties and each individual party also as the
in the following wording:
- Processor is a provider of web application Luigi’s Box and ancillary services (“Services”) that are made available through its website (luigisbox.com) (“Website”).
- This DPA sets out the terms and conditions for the processing of the personal data (hereinafter referred to as the “Personal Data”) by the Processor on behalf of the Customer under the agreement (hereinafter referred to as the “Agreement”) concluded between the Parties. Pursuant to the Agreement the Customer acquires the Services as defined in the Agreement from the Processor and the Processor provides those Services to the Customer. This may involve the processing of Personal Data by the Processor on behalf of the Customer as part of the provision of the relevant Services.
- The Processor acts as a data processor or sub-processor and the Customer acts as a data controller or as a data processor, pursuant to the definitions contained in the data protection laws that shall mean all applicable data protection laws, including but not limited to the GDPR and Act No. 18/2018 Coll. Personal Data Protection Act as amended and the instructions and binding orders of the data protection authorities (hereinafter collectively referred to as the “Data Protection Regulation”).
THE SUBJECT-MATTER OF THE DPA
- The subject-matter of the DPA herein is the authorisation of the Processor to process the Personal Data provided by the Customer and on behalf of the Customer for the purposes agreed in the Agreement and this DPA.
- The Processor is entitled to process Personal Data in the scope of, under conditions and for the purpose agreed with the Customer in the DPA and in the manner permitted under Data Protection Regulation.
PURPOSE AND DESCRIPTION OF PERSONAL DATA PROCESSING
- The purpose of the processing of the Personal Data by the Processor is to enable the performance of the agreed Services pursuant to the Agreement.
- The processing to be carried out by the Processor is as follows:
- the duration of the processing will be throughout the period within which the Processor performs the relevant Services under the Agreement;
- the obligations and rights of the data controller in relation to the processing are set out below.
CUSTOMER’S RIGHTS AND OBLIGATIONS
- The Customer shall:
- process the Personal Data in compliance with the Data Protection Regulation;
- be entitled to give written instructions to the Processor on the processing of Personal Data. Such instructions shall be binding on the Processor on the condition that if the completion of the instructions requires the provision of Services under the Agreement, or results in costs emerging on the Processor’s side, the Customer shall simultaneously pay the applicable service fees costs. The Processor shall not meet any Customer instructions which are contrary to any Sections of this DPA.
- retain the control over the Personal Data. If any data subject requests information on the processing of Personal Data or requests any other rights under Chapter III of GDPR, the Customer shall immediately instruct the Processor to take the appropriate measures.
PROCESSING OF PERSONAL DATA BY THE PROCESSOR
- In relation to the processing of personal data under this DPA, the Processor shall:
- process the Personal Data (including when making an international transfer) only to the extent necessary in order to provide the Services and then only in accordance with the terms of this DPA, the Agreement, good data processing practices and the Customer’s written instructions, unless otherwise required by Data Protection Regulations;
- periodically test, assess and evaluate the effectiveness of its technical and organisational measures;
- immediately notify the Customer if, in the Processor’s opinion, any instruction given to the Processor infringes the Data Protection Regulations;
- where applicable in respect of any Personal Data processed under this DPA, co-operate with and assist in ensuring compliance with:
- Customer’s obligations to respond to requests from any data subject(s) seeking to exercise its/their rights under Chapter III of the GDPR, including by notifying Customer of any written subject access requests the Processor receives relating to the Customer’s obligations under the Data Protection Regulations;
- Customer’s obligations under Articles 32 – 36 of the GDPR taking into account the nature of processing and the information available to the Processor;
- provide the Customer with all information necessary to demonstrate compliance with Customer’s obligations set out in this DPA and in the Data Protection Regulation;
- process the Personal Data only during the term of this DPA.
- This DPA shall not prevent the Processor from processing the Personal Data as required by law, regulation or by a competent court or Supervisory Authority. In case a Supervisory Authority or a competent court makes a request concerning the Personal Data, including a request for blocking, deleting, amending the Personal Data, delivering them any information or executing any other actions, the Processor shall, without undue delay, inform the Customer of all such requests prior to any response or other action concerning the Personal Data, or as soon as reasonably possible in case any law or regulation prescribes an immediate response to the Supervisory Authority or a competent court, unless such notice to the Customer is prohibited by the respective law, regulation or order.
- In the event of a personal data breach, i.e., a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to the Personal Data, the Processor shall without undue delay notify the Customer via e-mail.
- The Processor shall take appropriate steps to protect the Personal Data after having become aware of a personal data breach under Art. 5.3 hereof, in order to limit any possible detrimental effect to the data subjects. The Processor will cooperate with the Customer to respond to said personal data breach.
- Both Parties hereby undertake to provide each other with mutual cooperation necessary for the fulfilment of provisions in the DPA herein.
- If a breach of the Customer’s obligation stipulated in the DPA and/or Data Protection Regulations results in any damage or loss to the Processor, the Customer is obliged to reimburse the Processor such a loss in its full amount.
SAFETY OF PERSONAL DATA
- The Processor shall ensure the protection of Personal data by implementing and documenting security measures pursuant to the Art. 28 (3) (c) and Art. 32 of GDPR and Art. 5 (1) and (2) of GDPR. The security measures to be implemented must ensure the protection of Personal Data with a level of security that is appropriate to the risks that are presented by the processing of the rights of the data subjects and in order to ensure continuing confidentiality, integrity, availability and resistance of the processing systems in order to prevent any accidental or unlawful destruction, loss, unauthorised disclosure, publication of the Personal data, unauthorised access to it or any other unauthorised processing operation.
- The Processor, its employees and other persons who have access to the Personal data through the Processor are obliged to maintain all due confidentiality; such duty of confidentiality shall continue even after the processing of Personal data has terminated. The Processor is entitled to make the Personal data available to its employees or other persons with whom it has a legal relationship only to ensure fulfilling the duties in order to achieve the Purpose and under the terms and conditions set out in this Agreement.
- In the case of the provision of the Personal data to the employees or other persons with whom the Processor has a legal relationship, the Processor is obliged to instruct such persons to comply with the provisions of this article of the DPA and to oblige such persons to be bound by the confidentiality obligation to the same extent as the Processor, while such duty of confidentiality shall continue even after the legal relationship with the person.
- The Processor will not provide the Personal data to any third parties, except when such provision is necessary for:
- the Processor’s employees,
- the subcontractors under the Article 8 of the DPA,
- the third parties, if such provision is required by law or by a lawful and enforceable court decision or other public authority body of the Slovak Republic.
OTHER OBLIGATIONS OF THE CONTRACTING PARTIES
- Both contractual parties hereby undertake to provide each other with mutual cooperation necessary for the fulfilment of provisions in the DPA herein to ensure compliance with the GDPR.
- If a breach of the Customer’s obligation stated in the DPA and/or the GDPR results in any damage or loss to the Processor, the Customer is obliged to reimburse the Processor such loss or other damage in its full amount.
- If a breach of the Processor’s obligation stated in the DPA and/or the GDPR results in any damage or loss, the Processor is obliged to reimburse the Customer such loss or other damage in its full amount.
- The Customer acknowledges and agrees that the Processor may engage third-party sub-processors in connection with the processing of Personal Data within the sphere of the Agreement. The Processor respects the conditions referred to in Art. 28 (2) and (3) of the GDPR when engaging sub-processors.
- The Processor remains responsible for the Personal Data processing activities of its sub-processors as if the processing activities were carried out by the Processor itself and for this purpose it shall conclude with each subcontractor a written contract that imposes on the subcontractor the same data protection obligations as set out for the Processor in this DPA.
CONTROLLER POWERS OF THE CUSTOMER
- The Processor is obliged to provide the Customer with all the information and documentation necessary to prove the performance of obligations of the Processor as stipulated in Data Protection Regulation.
- At any time during the term of this DPA, the Customer and/or a recognised, independent third party auditor appointed by the Customer shall have the right to perform audits of the Processor’s and its sub-processors’ facilities in accordance with the Agreement. However, any audit pursuant to this DPA shall be limited to assessing the Processor’s compliance with its obligations under this DPA and shall not extend to granting access to any data of other Customers processed by the Processor or data related to the usage of security measures by the Processor.
TRANSFER OF PERSONAL DATA TO THIRD COUNTRIES
- The processing of Personal Data is exercised by the Processor within the area of the EU/EEA member states. If it is necessary for the provision of the Services, the Personal Data may be transferred outside the EU/EEA territory provided that in such respective transfer the specific conditions stipulated under Articles 44–50 of GDPR are followed.
DURATION OF THE DATA PROCESSING
- The Processor is authorised to start processing the Personal data under the DPA at the earliest from the effective date of this DPA as well as the Agreement and its processing authorisation shall be valid for the entire duration of this DPA.
- This DPA shall be valid only for the duration of the Agreement.
RETURN OR DELETION OF PERSONAL DATA
- Upon termination of the DPA, the Processor is obliged to delete or return to the Customer or a third party designated by the Customer all Personal data based on the Customer’s specific instructions. In case the Customer requests the return of the Personal data, the Customer is required to reimburse the Processor for the costs incurred in connection with the return of the Personal data.
- If the Customer fails to provide the Processor with any instructions regarding the deletion or return of the Personal data within 15 calendar days of the expiration of the Agreement, the Processor shall send to the Customer a written request by which the Processor requests instructions for the deletion or return of the Personal data within 15 calendar days. If the Customer does not provide written instructions within this additional period and does not pay the costs incurred in case of the return of the Personal data, then the Processor is entitled to delete all the Personal data.
- The obligation to return or delete the Personal data does not affect the Personal data that the Processor is required to keep for the purpose of compliance with generally binding legal obligations even after the termination of the Agreement.
- Upon Customer’s request, the Processor shall confirm to the Customer in writing that the deletion of Personal Data has been accomplished.
- This DPA shall be governed by the same substantive law and be subject to the same jurisdiction as have been agreed in the Agreement.
- All terms and definitions used in this DPA herein have the same meaning as terms and definitions used in the Agreement unless otherwise expressly stated.
- The Parties declare that prior to concluding the DPA, they have carefully read it, understood its contents and attest that it is executed of their true and free will and that the DPA was not concluded under duress or under grossly unfavourable terms.
- The DPA comes into force and shall become effective upon the conclusion of the Agreement.