Contract on processing of personal data for the provision of services in the field of information technology (hereinafter referred to as the “Contract on SOÚ_IT”)

between

Operator
Business name: LABUDA-ASI s.r.o.
Registered office: Obchodná 52/30, 05315 Hrabušice
Statutory body: Ľubuša Labudová, statutory representative
ID No.: 36603970
VAT No.: 2022146665
VAT No.: SK2022146665
Contact for OOU:
(hereinafter referred to as “Operator”)

and

Intermediary
Business name:
Registered office:
Registered office:
Statutory body:
Entry:
VAT ID:
VAT ID:
Contact for OOU:
(hereinafter referred to as “Intermediary”)

The Operator and the Intermediary are also referred to together as the “Parties”.

The processing of personal data (hereinafter also referred to as “Data”) is carried out in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter also referred to as “GDPR”) and Article 34 of Act No. 18/2018 Coll.

1. Subject matter and duration of the SOU_IT Contract

1.1 The SOU_IT Contract is concluded on the basis of the valid Contract No. XXXXX (contract between your company/authority and the entity that provides you with IT services) effective from XXX (hereinafter referred to as the “Contract”), to which this document further refers.

1.2 The subject matter of the SOU_IT Contract is to regulate the mutual rights and obligations of the parties in the processing of personal data of data subjects by the Processor on behalf of the Controller and to authorise the Processor to process personal data processed by the Controller in its information systems, to the extent and under the conditions set out below.

1.3 The duration of the SOU_IT Contract and the processing period corresponds to the duration of any contractual relationship of the Operator with the Intermediary in the field of provision of information technology services, in particular: creation of client profiles, e-mail accounts, database management, software changes, server management, etc.

1.4 The Operator is entitled to withdraw from the SOU_IT Contract with immediate effect in the event of:
- violation of applicable legal regulations regarding the protection of personal data, in particular the GDPR or the Act,
- violation of the contractual provisions on data protection contained in the SOÚ_IT Contract or in the Contract,
- breach of technical and organisational measures approved by the Data Controller pursuant to clause 5 of the SOU_IT Contract,
- termination of the Contract, regardless of the reason, manner and any contestability of the termination,
- if the Intermediary is unwilling or unable to carry out the Operator’s reasonable instructions.

2. Purpose of the SOU_IT Agreement

2.1 The purpose of the intended processing of personal data by the Processor is defined by the provision of information technology services, in particular: creation of client profiles, e-mail accounts, database management, software changes, server administration, etc.

2.2 The contractually agreed processing of personal data shall be carried out exclusively at the premises of the Controller and/or the Processor, or within a Member State of the European Union (EU) or within a Member State of the European Economic Area (EEA). Any transfer of personal data to a non-EU or non-EEA Member State or to an international organisation requires the prior consent of the Data Controller and will only take place where the specific conditions for transfers under Article 44 et seq. of the GDPR have been met.

3. Scope of personal data intended to be processed by the Processor

3.1 The subject matter of the processing of personal data includes the following types/categories of data (list/description of data categories):
- surname, first name, title,
- permanent or temporary residence address,
- correspondence address,
- date of birth, birth number,
- e-mail address,
- identification number,
- online identifier,
- IP address, location data,
- signature,
- communication data (e.g. phone, Skype, ICQ, Facebook, Instagram, etc.),
- images, video and audio recordings,
- other personal data necessary to achieve the purpose.

4. Categories of data subjects

4.1:
- employees of the Controller,
- former employees of the Controller,
- natural persons whose personal data may be contained in the Controller’s information systems

5. Technical and organisational measures

5.1 Declaration by the Controller: The Data Controller declares that it has adopted appropriate technical and organisational measures to ensure the protection of the rights of data subjects and has had security documentation drawn up by Osobnyudaj.sk, s.r.o. declaring the lawful processing of personal data. The Controller also declares that it has put in place a transparent system for recording security incidents and any questions from the data subject as well as from other persons. The individual information may be obtained by the data subject directly on the website of the Data Controller and/or the mandatory information is made available for consultation at the registered office of the Data Controller.

5.2 Declaration by the Processor: The Processor declares that it has complied with the GDPR and the Act in the processing of the personal data of the data subjects and has taken appropriate technical and organisational measures to ensure the protection of the rights of the data subjects, in such a way that the rights of the data subjects are not infringed. The Processor also declares that it ensures data security pursuant to Article 28(3)(c) and Article 32 of the GDPR, in particular in relation to Article 5(1) and (2) of the GDPR. The measures taken shall be data security measures and measures which guarantee a level of data protection appropriate to the level of risk of breaches, while maintaining the confidentiality, integrity, availability and resilience of systems. The current state of data processing, the costs of implementation, the nature, scope and purpose of the processing, as well as the likelihood and severity of a risk to the rights and freedoms of natural persons within the meaning of Article 32(1) of the GDPR, must also be taken into account.

The Processor declares that its employees (authorised persons who process personal data) are duly authorised in writing and bound by the obligation of confidentiality, even after termination of employment, within the meaning of Section 79 of the Act.

6. Conditions for processing personal data

6.1 The Controller agrees that the Processor may process personal data in electronic and paper form (modify as necessary), subject to the following conditions:
- The Processor is entitled to process personal data solely for the agreed purpose, in the manner and to the extent specified by the Controller, as evidenced by the record of processing activities in the relevant information system (in particular, to obtain, collect, record, organise, structure, store, process or alter, search, browse, use, disclose by transmission, dissemination or otherwise, rearrange or combine, restrict, erase or destroy – modify as appropriate), and is not entitled to transfer such data to any third party. Copies or duplicates of the data may not be made without the knowledge of the Data Controller, except for backup copies that are necessary to ensure the proper processing of the data, as well as data that is required in order to comply with regulatory (archiving) requirements for data retention,
- The Processor may entrust another processor (hereinafter referred to as the “Sub-Processor”) with the processing of personal data only on the basis of the specific written consent of the Controller; when engaging another processor to carry out specific processing activities on behalf of the Controller, the Controller shall impose on the Sub-Processor the same obligations regarding the protection of personal data,
- The Processor shall only process personal data on the basis of written instructions from the Controller,
- The Processor is obliged to implement measures to ensure the level of security of the processing of personal data in accordance with Article 32 of the GDPR,
- The Processor is obliged to provide assistance to the Controller in ensuring compliance with the obligations in the area of personal data security in accordance with Articles 32 to 36 of the GDPR, as well as assistance in complying with the Controller’s obligations to respond to requests for the exercise of the data subject’s rights set out in Chapter III of the GDPR,
- The Processor is obliged to delete the personal data or return the personal data to the Controller after the termination of the provision of services related to the processing of personal data, based on the Controller’s decision and to delete existing copies,
- The Processor is obliged to provide the Controller with the information necessary to demonstrate compliance with the contractual obligations and to provide assistance in the context of the audit of personal data protection and control by the Controller or an auditor commissioned by the Controller,
- The Processor may not arbitrarily rectify, erase or restrict the processing of data processed on behalf of the Controller, it may only do so on the basis of documented instructions from the Controller. In the event that the data subject directly requests the Processor to rectify, erase, restrict the processing or exercise any other right against the Processor, the Processor shall promptly forward the data subject’s request to the Controller,
- Unless otherwise provided for in a specific regulation, upon termination of the contractual relationship, but at the latest upon termination of the contract on the basis of which the SOU_IT Contract is concluded, the Processor shall return any documents received, the prepared outputs of processing and use of the data, as well as an inventory of the data relating to the contractual relationship with the Data Controller, or destroy them with the consent of the Data Controller, in accordance with the relevant provisions on data protection. The same shall apply to test and defective data materials. Upon request, a record of the deletion of the data shall be handed over to the Data Controller.

7. Other agreed terms and conditions

7.1 The Controller has agreed the following terms and conditions with the Processor:
- The Processor is obliged to secure personal data against theft, loss, damage, unauthorised access, alteration and dissemination. To this end, it shall take appropriate technical, organisational and personnel measures,
- The Controller shall be entitled to require the Processor to demonstrate that it has implemented all prescribed security measures to protect personal data,
- where the Data Controller has designated a data protection officer (“DPO”) to ensure the protection of the rights of data subjects, the contact details of the DPO shall be provided to the Processor,
- if the Processor has a data protection officer (“DPO”) designated to ensure the protection of the rights of data subjects, the contact details of the DPO must be provided to the Controller,
- The Processor shall inform the Controller without undue delay if the Controller considers its instruction to be in breach of data processing legislation. In such a case, the Processor shall be entitled to suspend the execution of the relevant instructions until the Controller confirms or changes them,
- the other conditions set out in Article 28 of the GDPR.

8. Liability of the Processor

8.1 If the Processor breaches the SOU_IT Agreement and determines itself the means and purposes of processing the personal data provided to it as a Processor, it shall be deemed to be the controller in relation to such processing and shall be solely liable for such processing.

8.2 The Processor shall be solely liable for any breach by the Processor’s Sub-Processors of their obligations regarding the protection of personal data under the SOU_IT Agreement or the GDPR or the Act.

8.3 If the Data Controller receives a fine in connection with a proven breach of the obligations of the Processor (or its Sub-Processors) under the SOU_IT Agreement, it undertakes to compensate for the damages incurred or to provide appropriate (monetary) compensation. The Intermediary also undertakes, in accordance with Section 725 of Act No. 513/1991 Coll., Commercial Code, to indemnify the Operator in the full amount of the fine, damages or appropriate (monetary) compensation awarded.

9. Final Provisions

9.1 The SOU_IT Contract shall enter into force on the date of its signature and come into force on 25.5.2018 or on the date of its signature, if the date of signature is later than 25.5.2018.

9.2 The SOU_IT Contract shall be governed by the law of the Slovak Republic. The relevant provisions of the GDPR, the Act as well as all applicable laws of the Slovak Republic shall apply to legal relations not expressly provided for herein.

9.3 The Parties undertake to first resolve by agreement any disputes concerning or related to the SOU_IT Contract.

9.4 In the event that any of the provisions of the SOU_IT Contract become invalid or ineffective, or in the event that any of the provisions of the SOU_IT Contract conflict with the applicable law as a result of legislative changes, the validity and effectiveness of the remaining provisions of the SOU_IT Contract shall not be affected thereby.

9.5 Instead of an invalid or ineffective provision, those provisions of generally applicable law which most closely approximate the invalid or ineffective provision of the SOU_IT Contract in their meaning and purpose shall apply as contractually agreed.

9.6 The SOU_IT Contract shall be drawn up in 2 copies in the Slovak language, with each Party receiving one copy. The SOU_IT Contract may be amended only by written amendments signed by both Parties.

9.7 The Parties declare and confirm that they have familiarised themselves with all the provisions set out in this SOU_IT Contract, that they have understood them and their content, that they are the result of their mutual agreement according to their free will, that they have not been agreed upon in an emergency or under manifestly unfavourable conditions, that they agree with its content and that they sign it with their own handwriting as a sign of their agreement.

At …………………………, on ………………………..

_______________________
Operator

In …………………………, on ……………………….

_______________________
Intermediary