Terms and conditions of Personal Data Processing
Data Processing Agreement according to Article 28 General Data Protection Regulation (EU) 2016/679 (the “Data Processing Agreement”)
1. INTRODUCTORY PROVISIONS
1.1 LMC (as defined below) issues this Data Processing Agreement in the form of an Amendment to the General Terms and Conditions for Businesses (the “GTC”) laying down the contractual relations between businesspersons and LMC entered into in connection with the use of LMC’s electronic systems.
1.2 The provider of LMC Electronic Systems in the countries listed below and a party to this Data Processing Agreement is the relevant company determined as follows (“LMC”):
(a) LMC s.r.o., a limited liability company with its registered office at Menclova 2538/2, Libeň, 180 00 Prague 8, the Czech Republic, ID No. 26441381, entered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert 82484, in the case of a service contract (the “Service Contract”) concluded with this company.
(b) LMC POLAND SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ, a limited liability company with its registered office at BL Astoria, Przeskok 2, 00-032 Warsaw, the Republic of Poland, entered into the register of entrepreneurs maintained by the District Court for the capital city of Warsaw in Warsaw, XII Commercial Division of the National Registry Court under entry no. KRS 0000988078, NIP 5252920122, REGON: 522873400, with the share capital in the amount of PLN 300.000, in the case of the Service Contract concluded with this company.
(c) Profesia spol. s r.o., a limited liability company with its registered office at Bratislava - Staré Mesto, Pribinova 19, Postcode 811 09, the Slovak Republic, ID No.: 35 800 861, entered in the Commercial Register maintained by the District Court Bratislava I, Section Sro, Insert 22949/B, in the case of the Service Contract concluded with this company.
1.3 This Data Processing Agreement lays down the rights and obligations of LMC (as defined above) as the Processor and the Client as the Data Controller (jointly referred to as the “Parties”) in relation to the processing of personal data by LMC’s electronic systems based on the GTC and the Service Contract.
1.4 The services provided under the Service Contract include activities during which personal data may be processed by the Processor for the Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation) (the “Regulation”).
1.5 The Parties intend to fulfil all their obligations arising out of the Regulation and any other local law adopted based on the Regulation, as the case may be (the “Applicable Privacy Laws”).
1.6 Under Article 28 of the Regulation, the Controller is obliged to enter into a written agreement with the Processor concerning the processing of personal data, in which the Processor will, inter alia, provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of personal data.
1.7 The Parties enter into this Data Processing Agreement with a view to complying with their respective obligations under the Regulation and the Applicable Privacy Laws to ensure the protection of personal data processed by the Parties during the performance of the Service Contract.
1.8 It is the Parties’ desire that this Data Processing Agreement should cover all the personal data processing activities performed by the Processor for the Controller in connection with the services provided under any Service Contract.
2. SUBJECT MATTER AND PURPOSE OF THE DATA PROCESSING AGREEMENT
2.1 The Processor will process personal data for the Controller which the Controller has acquired or will acquire in connection with its business activities or which the Processor itself will acquire for the Controller for this purpose (“Personal Data”) in the course of provision of the Processor’s services under the Service Contract.
2.2 The purpose of this Data Processing Agreement is to define the scope of rights and obligations of the Parties during the processing of Personal Data. This Data Processing Agreement regulates the Parties’ rights and obligations in providing services under Article 3.1. This Data Processing Agreement applies separately to each service provided under the Service Contract.
2.3 This Data Processing Agreement also defines the scope of the Personal Data to be processed, the purpose of their processing, and the conditions and guarantees to be provided by the Processor to implement appropriate technical and organisational measures to ensure the protection of Personal Data.
3. PERSONAL DATA PROCESSING
3.1 The Processor will process Personal Data according to the documented instructions of the Controller to the extent necessary to fulfil the Processor’s obligations under the Service Contract and for the purpose of their use by the Controller for the Controller’s business, namely:
(a) for management and record keeping of the personal data of the Controller’s job applicants and the Controller’s employees while managing the recruitment process (in particular, the Teamio, Jobs.cz, Práce.cz, Jobote and Práce za rohem / Praca za Rogiem, Techloop, Atmoskop services or any of them), and/or
(b) education of the Controller’s employees through the Seduo service.
Note: Personal Data processing under this Data Processing Agreement takes place only in the scope of services agreed in the Service Contract.
3.2 The Processor will process the Personal Data of job applicants and the Controller’s employees or contractors (“Data Subjects”) within the following scope:
(a) Scope of Personal Data under Article 3.1(a) of the Data Processing Agreement
- Job applicants: first name and surname; date of birth; permanent residence address and contact address; contact details (telephone number, e-mail address); job; confirmation of the interview (when, time, where); reasons for refusal; data contained in the job applicant’s CV; any other data provided by the applicant during the interview; any other data added by the Controller to the relevant applicants.
- Controller’s employees: first name and surname; contact details (telephone number, e-mail address); job; activities carried out in the recruitment management application.
(b) Scope of Personal Data under Article 3.1(b) of the Data Processing Agreement
- Controller’s employees: first name and surname; contact details (e-mail address); job; study data.
3.3 If the Controller provides the Processor with, or if in connection with the Processor’s activities performed for the Controller the Processor otherwise gains access to, any other Personal Data of Data Subjects or if Personal Data of other data subjects are provided to the Processor and at the same time, the Processor acts as a processor of such Personal Data for the Controller, the Processor is obliged to also process and protect that Personal Data in compliance with the requirements of (i) the Regulation (ii) the Applicable Privacy Laws, and (iii) this Data Processing Agreement.
3.4 The Processor will process the Personal Data of Data Subjects until the expiration of this Data Processing Agreement.
3.5 The processing of Personal Data hereunder shall not give rise to any additional fee in addition to the remuneration under the Service Contract.
4. PROCESSOR’S RIGHTS AND DUTIES
4.1 While processing Personal Data, the Processor shall act with due professional care to avoid any violation of the Regulation or the Applicable Privacy Laws.
4.2 If the Processor finds out about a breach of any of the Controller’s obligations under the Regulation, the Processor shall notify the Controller without undue delay.
4.3 While processing Personal Data, the Processor shall adhere to documented instructions from the Controller. The instructions shall be given in accordance with this Data Processing Agreement, mostly via features of the products/services used under the Service Contract. The instructions shall comprise updating, deleting, amending or other handling of Personal Data. No instruction of the Controller may result in an extension of any technical or organisational measures beyond the scope defined in this Data Processing Agreement. The Processor shall inform the Controller about an inappropriate instruction if the Processor, using its due professional care, could ascertain the inappropriate nature of the instruction. The Processor may at its sole discretion refuse to adhere to an instruction that would result in breaching the Regulation or Applicable Privacy Laws.
4.4 The Processor ensures that no Data Subject will suffer any damage to their rights, in particular the right to human dignity, and is also required to take protective measures against unauthorised interference with the private and personal lives of Data Subjects.
4.5 The Processor undertakes to fulfil the information obligation in accordance with Article 13 of the Regulation, unless the Service Contract states otherwise for specific products.
4.6 If the Data Subject requests information regarding the processing of his/her data in accordance with Article 15 of the Regulation, the Processor will provide the Data Subject with identification of the Controller and will refer the Data Subject to exercise the right towards the Controller. The Processor will further proceed in accordance with the Controller’s written instructions.
4.7 The Processor shall notify the Controller of the investigation carried out by a relevant Supervisory Authority and of the result thereof, if it concerns Personal Data processed for the Controller or the parameters of the service provided by the Processor to the Controller, and shall provide the Controller with information that the investigation carried out has affected such parameters. For the avoidance of doubt, requests from a relevant Supervisory Authority concerning the processing of personal data for which no proceedings - control or administrative - have taken place are not considered to be investigations carried out.
4.8 The Controller shall notify the Processor of any inspection or an initiation of administrative proceedings concerning imposing a remedial measure and/or imposing of a fine carried out by a relevant Supervisory Authority (“Administrative Proceedings”), insofar as the inspection or Administrative Proceedings concern (i) Personal Data processed by the Processor for the Controller, or (ii) parameters of the service provided to the Controller and if it is anticipated that carrying out of such an inspection or Administrative Proceedings may affect such parameters.
4.9 The Processor shall inform the Controller about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed (“Personal Data Breach”) without undue delay. After informing the Controller, the Processor shall provide the Controller with assistance in dealing with the Personal Data Breach and/or in adopting measures to mitigate any potential adverse effects and to prevent similar occurrences in the future.
4.10 The notification on Personal Data Breach must include at least:
(a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
(b) a description of the likely consequences of the Personal Data Breach;
(c) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.
4.11 The Processor agrees to allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller acknowledges that carrying out such an audit may not affect third parties’ rights (e.g. other controllers or data subjects), in particular with respect to ensuring the confidentiality of personal data. The Controller also acknowledges that carrying out such an audit would be subject to a special agreement regarding costs incurred by the Processor which shall be paid by the Controller.
4.12 The Processor will assist the Controller in fulfilling the Controller’s obligation to respond to requests for the exercise of the rights of Data Subjects, especially to requests for access to, rectification or erasure of Personal Data, restriction of processing or portability of Personal Data; if it is possible to fulfil such obligations via features of particular products or services, the Controller may not request unsubstantiated cooperation from the Processor.
4.13 The Processor agrees to assist the Controller in securing the obligations stipulated in the Regulation, in particular the obligation to secure the processing of Personal Data, report events of Personal Data Breach, secure data protection impact assessment or prior consultation with the Supervisory Authority, with regard to the nature of the processing and of the information available to the Processor.
5. GUARANTEES OF TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE PROTECTION OF PERSONAL DATA
5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor agrees under Article 32 of the Regulation, to implement all appropriate technical and organisational measures to ensure the protection of Personal Data in the manner described in the Regulation or other applicable laws to exclude the possibility of unauthorised or accidental access to Personal Data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing, or any other misuse of Personal Data.
5.2 The Processor agrees to implement the following organisational and technical measures:
(a) without prejudice to Article 5.3 of this Data Processing Agreement, if Personal Data are processed by the Processor’s own employees, the Processor will entrust this activity strictly to its selected employees who will be instructed to process Personal Data, duly advised of their confidentiality duty with regard to Personal Data as well as other obligations they are required to comply with so as not to infringe the Regulation or this Data Processing Agreement;
(b) without prejudice to Articles 5.3 and 5.4, not to authorise any third person without prior written authorisation of the Controller to process Personal Data;
(c) to use adequate technical equipment and programmes to exclude unauthorised or accidental access to Personal Data by any persons other than the Processor’s authorised employees;
(d) to store Personal Data in duly secured buildings and rooms;
(e) to store hard-copy documents containing Personal Data in a safe place, and to keep due records regarding any movements of such documents;
(f) to store Personal Data in electronic form on secure servers or data carriers (storages), access to which will only be granted to authorised persons on the basis of access codes or passwords, and to periodically back up the Personal Data;
(g) to ensure that remote transfers of Personal Data will only be carried out by means of a non-public network or by secure transfer via public networks, in particular via a network security communication protocol. Taking into account the nature, scope, context and the risks of varying likelihood and severity, some of the Personal Data may be transmitted via e-mails;
(h) to ensure by appropriate technical means the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident in accordance with the parameters for the particular service agreed upon in the Service Contract;
(i) to ensure a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
5.3 The Processor may engage another processor (“Other Processor”) to process Personal Data (general authorisation). The Processor will inform the Controller by e-mail sent to the Controller's address (Article 7.1) and via
(a) https://www.lmc.eu/cs/seznam-dodavatelu, if the Service Contract was concluded with LMC with its registered office in the Czech Republic,
(b) https://www.lmc.eu/pl/lista-dostawcow, if the Service Contract was concluded with LMC with its registered office in the Republic of Poland,
(c) https://www.lmc.eu/sk/zoznam-dodavatelov, if the Service Contract was concluded with LMC with its registered office in the Slovak Republic,
(d) https://www.lmc.eu/en/supplier-list, representing an informative English translation of the Bulletin Board (in case of discrepancies, the relevant language version under letters (a) to (c) above shall prevail),
(“Bulletin Board”) of any new Other Processors the Processor intends to engage for the processing of Personal Data or any intended changes concerning Other Processors. The Controller shall have the opportunity to object to the addition of a new Other Processor under the conditions of the Service Contract. In case of objections, Article 17(3) of the GTC applies. If the Controller submitted objections in writing against a specific Other Processor and if the Processor considers the Other Processor necessary for the performance of this Data Processing Agreement or the Service Contract, the Controller may terminate this Data Processing Agreement according to Article 6.2 of this Data Processing Agreement. The current list of Other Processors is available on the Bulletin Board.
5.4 If the Processor engages an Other Processor for carrying out specific processing activities, the same data protection obligations as set out in this Data Processing Agreement must be imposed on that Other Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Regulation.
5.5 The Controller acknowledges that services provided by Other Processors listed in the Bulletin Board may include transferring of Personal Data outside of the EU. The Processor guarantees that any such transfer will comply with the Regulation and Applicable Privacy Laws. To the extent that the appropriate safeguards allowing transfer outside the EU legally compatible with the Regulation are subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, and the Processor immediately seeks in good faith a suitable alternate safeguard for processing of Personal Data abroad, the Controller waives its right to invoke contractual breach of rules contained in this Article 5.5.
5.6 The Processor is obliged to adopt and document the adopted and implemented technical and organisational measures to secure Personal Data in accordance with the Regulation and Applicable Privacy Laws.
6. TERM AND TERMINATION OF THE DATA PROCESSING AGREEMENT
6.1 This Data Processing Agreement becomes valid and effective when signed by both Parties and will expire on or after the termination of the Service Contract. If the Parties have entered, or will at any time in the future enter, into another agreement under which Personal Data can be processed, this Data Processing Agreement will expire simultaneously with the expiry of that other agreement or, as the case may be, simultaneously with the expiry of the last of such agreements.
6.2 The Controller may terminate this Data Processing Agreement by a 3-day notice if the Processor breaches any of its obligations under the Regulation or the Applicable Privacy Laws, and the Processor fails to remedy that breach within 15 days following a written request of the Controller or if the Controller objects in writing against engaging a new Other Processor and such Other Processor is under fully discretionary representation of the Processor necessary for the performance of the Service Contract.
6.3 The Processor may terminate this Data Processing Agreement by a 3-day notice if the Controller breaches its obligations under the Regulation or the Applicable Privacy Laws, and the Controller fails to remedy that breach within 15 days following the Processor’s notification under Article 4.2 or if the Controller objects in writing against engaging a new Other Processor and such Other Processor is under fully discretionary representation of the Processor necessary for the performance of the Service Contract.
6.4 Unless the Service Contract states otherwise for specific products, when the Service Contract or this Data Processing Agreement terminates, the purpose of Personal Data processing otherwise expires, the consent (if applicable) is withdrawn by the Data Subject or the Data Subject makes a request under Article 17 of the Regulation, the Processor shall, according to the Controller’s instructions, destroy the Personal Data concerned, or transfer them to the Controller and destroy the Personal Data in its possession. The Controller’s instruction for the destruction or transfer of Personal Data must be delivered to the Processor at the latest as of the day of termination of the Service Contract or this Data Processing Agreement, or, if such occurs prior to termination of the Service Contract or the Data Processing Agreement, within 10 days after the Controller or Processor (whichever occurs later) is informed about the expiry of the purpose of Personal Data processing, withdrawal of the consent or delivery of the request under Article 17 of the Regulation, otherwise the Processor will destroy the Personal Data of the Data Subject on the day of termination of this Data Processing Agreement or the Service Contract or upon the lapse of the aforementioned deadlines.
6.5 Upon termination of this Data Processing Agreement, the Processor shall comply with the Regulation and/or the Applicable Privacy Laws, particularly with regard to preventing any unauthorised use of Personal Data until their transfer by the Processor to the Controller in accordance with the Controller’s instructions or until their safe destruction by the Processor.
6.6 Termination of this Data Processing Agreement renders impossible all or any of the services under the Service Contract.
6.7 The obligation to maintain confidentiality of Personal Data will survive termination of this Data Processing Agreement.
7. CONTACT DETAILS
7.1 All notifications including Personal Data Breach notification may be delivered in person or by post to the address of the other Party's headquarters or e-mail:
The Controller’s e-mail: contact e-mail of the Main User, entered in the registration form provided by the Controller in the Processor’s electronic system, or contact e-mail of the Controller’s authorised employee given in the Seduo Administrator Account, or the contact e-mail specified in the Service Contract, or another e-mail with the highest level of authorization within the specific service used.
The Processor’s e-mail: dpo@lmc.eu
7.2 The Controller may request a change of the address for the delivery of notifications via an e-mail sent to dpo@lmc.eu.
8. FINAL PROVISIONS
8.1 Legal relations, obligations, rights and duties arising from this Data Processing Agreement, including amendments hereto, will be governed by and interpreted in accordance with the laws of the country in which the Processor has its registered office. The contractual matters between the Controller and the Processor not expressly stipulated in this Data Processing Agreement are governed by the provisions of the GTC available at
(a) https://www.lmc.eu/cs/vseobecne-obchodni-podminky, if the Service Contract was concluded with LMC with its registered office in the Czech Republic;
(b) https://www.lmc.eu/pl/ogolne-warunki-handlowe, if the Service Contract was concluded with LMC with its registered office in the Republic of Poland;
(c) https://www.lmc.eu/sk/vseobecne-obchodne-podmienky, if the Service Contract was concluded with LMC with its registered office in the Slovak Republic.
8.2 An informative English translation of the GTC is available at https://www.lmc.eu/en/general-terms-conditions. In case of discrepancies between the English version and the language version under Article 8.1 of this Data Processing Agreement, the relevant language version under Article 8.1 of this Data Processing Agreement shall prevail.
8.3 If any provision of this Data Processing Agreement is held by a court of competent jurisdiction or any other authority to be invalid, ineffective, putative or unenforceable, such provision will be deemed to be deleted from this Data Processing Agreement and the remaining provisions of this Data Processing Agreement will continue in full force and effect, unless it can be assumed from the nature or content of that provision or the circumstances under which it was concluded that it cannot be severed from the rest of this Data Processing Agreement. In such case, the Parties will execute such amendments to this Data Processing Agreement to achieve the same or, if not possible, the closest possible effect to the effect of the original invalid, ineffective, putative or unenforceable provision.
8.4 The Parties agree to settle any dispute that may arise out of or in connection with the performance of this Data Processing Agreement amicably. If the Parties fail to settle a dispute amicably within 30 days, either of the Parties can refer the dispute to the competent court of law in accordance with applicable law.
8.5 The scope of personal data processed, as laid down in Article 3.2 hereof, may be extended or otherwise modified depending on the functionality of the product concerned without the need to change this Data Processing Agreement or the GTC.
8.6 For purposes of execution of this Data Processing Agreement or any amendments thereto, the Parties agree that a contract is entered into only based on a full agreement on the wording of this Data Processing Agreement.
8.7 The terms not specified in detail herein have the meaning defined in the GTC or the Service Contract.
8.8 This Data Processing Agreement is binding upon the Parties pursuant to the rules laid down in the GTC.
8.9 This Data Processing Agreement is valid and effective from
(a) 1. 1. 2023, if the Service Contract was concluded with LMC with its registered office in the Czech Republic.
(b) 1. 1. 2023, if the Service Contract was concluded with LMC with its registered office in the Republic of Poland.
(c) 1. 1. 2023, if the Service Contract was concluded with LMC with its registered office in the Slovak Republic.