Model personal data processing agreement
PERSONAL DATA PROCESSING AGREEMENT
under Regulation (EU) 2016/679, the General Data Protection Regulation (the “Regulation”)
with registered office: (registered office)
CIN: (company identification number), VAT ID: (VAT number)
(hereinafter referred to as the “Controller”)
Entry in the Commercial Register: file number B 6493, kept at the Municipal Court in Prague
with registered office: Praha 5 – Smíchov, Radlická 3294/10, postcode 150 00
IČO (CIN): 26168685, DIČ (VAT): CZ26168685
(hereinafter referred to as “Processor”)
I. Introductory provisions
1. There is a business cooperation between the controller and the processor in which the processor processes, among other things, the personal data listed below (hereinafter referred to as “cooperation”).
2. The Parties intend to regulate the rights and obligations related to the processing of personal data that is or will be carried out in the framework of the cooperation, in particular to define the scope of the personal data to be processed, the purpose and duration of the processing, the conditions for the processing of personal data and the guarantees of the processor in terms of ensuring the protection of personal data.
II. Personal data, purpose and duration of processing
1. The processor processes the following personal data for the controller:
a) e-mail address of the customer of the Controller’s e-shop and information about the purchase of specific goods; purpose of processing: contacting the customer of the Controller’s e-shop by e-mail with an invitation to fill in an e-shop order satisfaction questionnaire; processing period: 230 days; processing operations: collection, storage and use;
b) e-mail address of the customer of the Controller’s e-shop and information about the purchase of specific goods; purpose of processing: contacting the customer of the Controller’s e-shop by e-mail with a request to evaluate the goods purchased in the e-shop; processing period: 230 days; processing operations: collection, storage and use.
2. The Processor will process personal data in accordance with this Agreement, within the scope of cooperation and in accordance with the instructions of the Controller, of which the Processor will keep written records.
3. The Processor will only process personal data for the purposes of this Agreement and only for as long as a lawful reason for the processing exists, and in no case longer than the duration of the validity and effectiveness of the cooperation under Article I Section 1 of this Agreement.
4. The Controller’s contact person for all questions regarding this Agreement is the owner of the account set up in the Zboží.cz administration interface.
5. The Processor’s contact details for all questions regarding this Agreement are: e-mail: firstname.lastname@example.org or email@example.com.
III. Obligations of the processor
1. The processor is obliged to process personal data in accordance with the Regulation and legal regulations and bears full responsibility for the lawfulness of the processing of personal data.
2. The processor declares that its organisational structure and internal rules guarantee the lawfulness of the processing of personal data. Where the processor has appointed or appoints a data protection officer, it shall forward the contact details of the data protection officer to the controller without delay.
3. If the data subject exercises his or her rights concerning the personal data and their protection, the processor shall transmit such request to the controller without delay.
4. The Processor shall keep records of processing activities pursuant to Article 30(2) of the Regulation.
5. The processor is obliged to maintain the confidentiality of personal data.
6. The Processor must ensure that its employees (or other persons who will process personal data for the Processor) will only process personal data under the conditions and to the extent specified by the Processor and in accordance with this Agreement, the Regulation and the law. The Processor shall oblige such persons to maintain the confidentiality of personal data and security measures, the disclosure of which would compromise the security of personal data, even after termination of employment or cooperation with the Processor.
7. The Processor shall provide the Controller with the cooperation necessary for the Controller to comply with its obligations under Chapter III of the Regulation (the rights of data subjects to rectification, erasure, restriction of processing, data portability, the right to object, etc.) and under Articles 32 to 36 of the Regulation (in particular the obligations to secure the processing of personal data, to notify personal data breaches to the supervisory authority or communicate them to the data subject, to carry out data protection impact assessments, etc.).
IV. Other processors of personal data
1. The processor is entitled to use other processors.
2. The processing of personal data by a sub-processor may only be carried out provided that the sub-processor is bound by the terms of this Agreement, implements appropriate technical and organisational measures, and processes personal data in compliance with the requirements of the Regulation and legislation while ensuring adequate protection of the rights of the data subject. The Processor will regularly check the sub-processor’s compliance with these obligations.
V. Security of personal data
1. The processor shall ensure at least the following technical and organisational measures:
a) the processor must ensure that its organisational structure and internal rules of operation comply with the specific requirements for the protection of personal data; the processor must implement and maintain technical and organisational measures and adequate protection of the controller’s personal data in accordance with the Regulation and the legislation;
b) the processor is obliged to ensure that the processor’s access rights to the controller’s personal data, systems and data are adequately protected and that unauthorised persons cannot access and use them;
c) the processor shall ensure regular backups of data relating to personal data processed for or on behalf of the controller; in particular, the processor shall ensure that appropriate measures are taken to protect against data loss, data unavailability or malware; outside this framework, the processor shall not be entitled to make other copies or duplicates of personal data without the prior written consent of the controller;
d) the processor shall ensure sufficient separation of data from the data and access rights of other contractual partners of the processor;
e) the processor is obliged to ensure the following activities:
- pseudonymisation and encryption of personal data;
- measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
- measures to restore timely availability and access to personal data in the event of a physical or technical incident;
- a process for regularly testing, evaluating and assessing the effectiveness of technical and organisational measures to ensure processing security;
f) personal data carriers will be located in a locked environment that is sufficiently protected against physical access by all unauthorised persons; access to the servers and databases on which the personal data will be stored will also be protected;
g) access to personal data stored on electronic media shall be restricted exclusively to authorised persons; access shall be granted exclusively by means of individual login data which have been demonstrably issued to authorised persons;
h) remote access to personal data is only allowed from secure endpoint devices via encrypted VPN-type communication with secure multi-factor login;
i) data is anonymised and minimised according to the stated purposes.
2. The Processor shall keep logs of access to personal data, archive them for a period of 6 months after this Agreement ceases to be valid and effective, and submit these logs to the Controller upon request.
VI. Obligations of the processor in the event of a breach of the Regulation
1. The Processor shall inform the Controller without delay:
a) of all facts material to the proper performance of this Agreement;
b) of any personal data breach.
2. The Processor’s notification of a personal data breach must contain the information required by Article 33(3) of the Regulation.
3. The processor shall cooperate with the controller in the event of enquiries or investigations by supervisory authorities.
VII. Procedure for terminating cooperation
1. After the end of the processing period, the Processor is obliged to delete all personal data immediately or return them to the Controller, unless the Regulation or another legal provision requires the storage (archiving) of the personal data.
2. The processor shall not be entitled to rectify, erase or block the personal data provided by the controller unless it is in fulfilment of a contractual obligation or unless the controller instructs it to do so in writing.
3. If personal data transmitted by the Controller are stored in the Processor’s IT systems, the data shall be returned to the Controller in a format capable of migration (i.e. open data in a machine-readable format) upon completion of the agreed or necessary activities or at the request of the Controller. Deletion of data by the Processor must be carried out in such a way as to prevent any future reconstruction of the deleted data. A record of the erasure shall be provided to the Controller on request. The Controller shall confirm in writing to the Processor the return of the data in a format capable of migration.
4. Upon termination of the cooperation, this Agreement or at the request of the Controller, the Processor shall return to the Controller all documents in its possession, including any personal data processing products developed in connection with this Agreement, or, if so instructed in writing by the Controller, shall ensure their disposal in accordance with the law.
VIII. Final provisions
1. This Agreement shall come into force and effect on the date of its signature by the authorised representatives of both Parties.
2. Issues not expressly covered by this Agreement shall be governed by Act No. 110/2019 Coll., on the processing of personal data, Act No. 111/2019 Coll., amending certain acts in connection with the adoption of the Act on the processing of personal data, Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and other generally binding legal regulations of the Czech Republic.
3. This Agreement is concluded for a fixed period, namely for the duration of the validity and effectiveness of the contract under which the cooperation referred to in Article I Section 1 of this Agreement takes place. Termination of this Agreement shall not affect the obligation of the Processor to take all steps necessary to ensure the protection of the personal data until they are deleted or returned to the Controller in accordance with Article VII Section 1 of this Agreement.
4. This Agreement is drawn up in two counterparts, each of which shall have the force of an original. One copy shall be given to each Party upon signature of this Agreement.
In Prague, on (date)
Zboží.cz administration interface
Confirmed in the Zboží.cz administration interface on (current date and time) by an authenticated user (user).