Data Processing Addendum

The DPA template is ready for signature. If you would like to receive a signed copy from us, please create a ticket in our support portal.

DATA PROCESSING ADDENDUM

within the meaning of sec. 28 of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (the “GDPR”)

(the “Addendum”)

entered on the date referred to below

between

Sykora IT s.r.o.

a company incorporated under the laws of Czech Republic, with its registered office at Veletržní 716/13, Staré Brno, 603 00 Brno, Identification No. (IČO): 061 95 563, registered in the Commercial Register maintained by Regional Court in Brno, File C, Section 100184  (the “Controller”)

and

[●]

with its registered office at [●], registration number [●]

(the “Processor”)

(each as a “Party” and collectively as the “Parties”)

1. Introductory Provisions

   1. Based on the contractual relationship the Processor provides to the Controller the services consisting in [brief description of provided services to be included] (the “Services”). As a part of the performance of the Services, the Controller may provide to the Processor data of his clients, business partners, employees and/or other persons (the “Data Subject”). Such data may include personal data (the “Personal Data”).

2. Subject-matter of ADDENDUM

   1. The subject-matter of the Addendum is the obligation of the Processor to process and protect Personal Data which the Processor accesses while providing the Services in accordance with the terms of this Addendum.  

3. Processing of Data

   1. The Processor shall process Personal Data in the scope and only for the purposes and to the extent necessary to provide the Services in accordance with this Addendum and the Controller’s instructions.

4. Rights and Obligations of Contracting Parties

   1. The Controller is responsible for compliance with all applicable data protection legislation, including requirements with regards to the transfer of Personal Data under this Addendum.

   2. The Controller declares that he has obtained any and all necessary permissions and authorisations necessary to permit the Processor to perform his obligations under this Addendum.

   3. When providing the Services, the Processor undertakes to act as a prudent professional, to act in compliance with the written instructions of the Controller, and in accordance with his interests. 

   4. Under this Addendum, the Processor undertakes:

1. to process Personal Data in the form as obtained from the Controller;

2. not to combine Personal Data which have been received for varying purposes;

3. to preserve Personal Data only for the period necessary for the purpose of their processing.

5. The Processor declares that: 

1. He has assured and will continue to assure adequate technical, personnel and organisational protection of Personal Data and has taken measures in order to prevent unauthorized or incidental access to Personal Data, their alteration, destruction, loss, unauthorized transmission, other unauthorized ways of processing, and other misuse of Personal Data. The specific methods of Personal Data protection are as follows:

• Physical security/ locking

• Access system

• Electronic security system

• Access rights

• Encryption of data

• Regular data back-up

• Back-up power supply system

• Pseudonymization

• Anonymization 

• Removal and erasure

• Compliance with an internal security guideline

2. He has issued and observed detailed internal guidelines and has made relevant agreements in order to assure that his employees and co-workers who will process Personal Data will do so only under the conditions and within the scope defined by the Processor and in compliance with this Addendum and the GDPR;

3. Ensure that all his employees and co-workers involved in the handling of Personal Data: (i) are aware of the confidential nature of the Personal Data and are contractually bound to keep the Personal Data confidential; (ii) have received appropriate training on their responsibilities as a data processor; and (iii) are bound by the terms of this Addendum. 

6. Upon a written request from the Controller, the Processor undertakes to assure the performance of duties towards the Data Subject, in particular, the right of access to Personal Data (that is, informing the Data Subject about processed data), the right to a copy, the right to have personal data rectified, the right of data portability to a structured and machine-readable format, and a right to erasure of Personal Data.  

7. The Processor undertakes to process and to document the technical and organizational measures he has taken in order to protect Personal Data in compliance with the GDPR, where the Processor assures, checks, and is liable for the following issues: 

1. The performance of the instructions concerning the processing of Personal Data by authorized persons who have direct access to the data;

2. Preventing unauthorized persons from accessing Personal Data and data processing means;

3. Preventing unauthorized reading, creating, copying, transmission, modification and erasure of records containing Personal Data;

4. Assuring measures which will enable to establish and verify to whom Personal Data were transferred, who processed the Personal Data, altered them or erased them;

5. Erasing of Personal Data or their return to the Controller once the provision of the Services has terminated, unless the storage of data after the termination of the provided Services is a duty stipulated by legislation, unless the Processor and the Controller agree otherwise.

8. The Processor undertakes to provide the Controller with all information necessary for the documentation that all obligations of the Processor have been met and will allow auditing, including inspections, carried out by the Controller or by an auditor authorized by the Controller.

9. The Processor shall promptly inform the Controller, if in the Processor’s opinion, any of the instructions regarding the processing of Personal Data provided by the Controller, breach any applicable data protection laws.

10. The Processor shall notify the Controller any accidental or unlawful destruction, loss, alteration or unauthorised disclosure or access to any Personal Data without undue delay, but at the latest within 48 hours after the violation occurred. The Processor will take all reasonable measures to secure the Personal Data, to limit the effects of any violation and to assist the Controller in meeting the Controller’s obligations under GDPR.

5. Final Provisions

   1. The Addendum has been made in two counterparts: one counterpart for each Party.

   2. This Addendum shall be valid and effective upon being signed by both Parties.

   3. This Addendum and all obligations arising from or related to this Addendum are governed by Czech law.

   4. Any dispute between the Parties and any contentious claim or issue arising from or related to this Addendum (including issues regarding its validity, effectiveness and interpretation) shall be brought in courts of the Czech Republic.

   5. If any of the provisions of this Addendum is or becomes invalid or if any provisions are missing, the validity of the remaining provisions hereof shall not be affected thereby. The Parties shall agree on such valid provision in lieu of the invalid provision, which will correspond to the meaning and purpose of this Addendum.

   6. The Addendum is made between the Processor and the Controller for the period of providing the Services, unless the Parties agree otherwise, or unless the Processor has a duty to protect personal data also after the end of the period of providing the Services.