Personal data processing policy

Version valid from 13.5.2019 (updated the point D of the INTRODUCTORY PROVISIONS only):

entered into pursuant to Article 28 General Data Protection Regulation (“Agreement” or “Policy”)

INTRODUCTORY PROVISIONS

(A) LMC s.r.o., with its registered office at Praha 7, Jankovcova 1569/2c, postal code 17000, ID No.: 26441381, entered in the Commercial Register kept by the Municipal Court in Prague, Section C, File 82484 (“LMC”) issues this personal data processing policy in the form of an Amendment to the General Terms and Conditions for Businesses (“GTC”) laying down the contractual relations between business persons and LMC entered into in connection with the use of LMC’s electronic systems.

(B) This Agreement lays down the rights and obligations of LMC as the Processor and the Client as the Data Controller (jointly referred to as the “Parties”) in relation to the processing of personal data by LMC’s electronic systems based on the GTC and a service contract (the “Service Contract”).

(C) The services provided under the Service Contract include activities during which personal data may be processed by the Processor for the Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “Regulation”), directly applicable as of 25 May 2018.

(D) The purpose of the Policy is to duly stipulate all obligations of the Parties arising out of (i) the Regulation, and (ii) the legal Act No. 110/2019 Coll., on Personal Data Protection (the “Personal Data Protection Act”).

(E) Under Article 28 of the Regulation, the Controller is obliged to enter into a written agreement with the Processor concerning the processing of personal data, in which the Processor will, inter alia, provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of personal data; this Policy fulfils the purpose of the written personal data processing agreement.

  1. PURPOSE OF THE AGREEMENT

1.1 The Processor will, within the meaning of Article 4 point (2) of the Regulation as applicable, process for the Controller personal data which the Controller has acquired or will acquire in connection with its business activities or which the Processor itself will acquire for the Controller for this purpose (“Personal Data”), in the course of performance by the Processor of its obligations arising out of the Service Contract.

1.2 The purpose of this Agreement is to define the scope of obligations of the Processor related in particular to ensuring the protection of the Personal Data during their processing.

  1. SUBJECT MATTER OF THE AGREEMENT

2.1 The subject matter of this Agreement is the specification of mutual rights and obligations of the Parties in respect of the processing of Personal Data within the meaning of Article 1.1 of this Agreement.

2.2 This Agreement also defines the scope of the Personal Data to be processed, the purpose of their processing, and the conditions and guarantees to be provided by the Processor to implement appropriate technical and organisational measures to ensure the protection of Personal Data.

  1. PURPOSE AND SCOPE OF PERSONAL DATA PROCESSING

3.1 The Processor will process Personal Data for the Controller to the extent necessary for the fulfilment of Processor’s obligations under the Service Contract and for the purpose of their use by the Controller in the course of the Controller’s business, in particular for management and record keeping of job candidates and employees of the Controller.

3.2 Under this Agreement, the Processor will process Personal Data of job candidates and Controller’s employees (“Data Subjects”) comprising identification information, contact information, work position, data concerning the outcomes of job interviews or references from previous employments, all information contained in the job applicant’s CV, or any other data that the Controller decides to attribute to the Data Subjects or that the Data Subjects themselves have provided. The scope of the data processed depends on the functionality of the product offered by the Controller and may be altered pursuant to the terms specified in Article 9.4 hereof. Processed Personal Data may also comprise information and data gathered when operating a specific LMC’s product as a result of the Data Subjects’ activity (e.g. position data in mobile applications or data on the use of electronic systems).

3.3 If the Controller provides to the Processor, or if in connection with the Processor’s activities performed for the Controller, the Processor otherwise gains access to, any other Personal Data of Data Subjects or if Personal Data of other data subjects are provided to the Processor, the Processor is obliged to also process and protect those Personal Data in compliance with the requirements of (i) the Regulation, (ii) the New Personal Data Protection Act, and (iii) this Agreement.

3.4 The Processor will process the Personal Data of Data Subjects for a period of time which will not exceed the term of this Agreement unless otherwise provided for by special legal regulations.

  1. FEE FOR PROCESSOR’S SERVICES

4.1 The Parties have agreed that for the processing of Personal Data under this Agreement, the Processor will not be entitled to any separate fee, i.e. the fee is already included in the remuneration for the activities conducted under the Service Contract.

  1. PROCESSOR’S RIGHTS AND DUTIES

5.1 While processing Personal Data, the Processor is obliged to proceed with due professional care so as not to do anything that could constitute a violation of the Regulation and/or the New Personal Data Protection Act.

5.2 If the Processor ascertains that the Controller has breached or breaches any of the Controller’s obligations under the Regulation, the Processor shall – under Article 28 point (h) of the second subparagraph of the Regulation as applicable – notify without undue delay the Controller to this effect.

5.3 The Processor is obliged, while processing Personal Data under this Agreement, to adhere to documented instructions from the Controller. The instructions shall be given in accordance with this Agreement (mostly via particular features of the products/services) and the shall comprise updating, deleting, amending or other handling of Personal Data, excluding any instructions broadening the technical and organisational measures not included within the scope of this Agreement. The Processor shall inform the Controller about inappropriateness of an instruction if the Processor, using its due professional care, could ascertain the inappropriate nature of the instruction(s). In such case, the Processor is required to act upon such instructions only at the Controller’s written request.

5.4 The Processor ensures that no Data Subject will suffer any damage to their rights, in particular the right to human dignity, and is also required to take protective measures against unauthorised interference with the private and personal lives of Data Subjects.

5.5 The Processor undertakes to fulfil the information obligation in accordance with Article 13 of the Regulation. If the Data Subject requests information regarding the processing of his/her data in accordance with Article 15 of the Regulation, the Processor will inform the Data Subject of his/her duty to exercise the right towards the Controller. The Processor will further proceed in accordance with the Controller’s written guidelines.

5.6 When the purpose of the processing of Personal Data no longer exists, or the Data Subject makes a request under Article 17 of the Regulation, the Processor is obliged on the basis of and in accordance with the Controller’s instructions, to destroy the Personal Data concerned or transfer them to the Controller.

5.7 If any Data Subject believes that the Controller or the Processor processes that Data Subject’s Personal Data in violation of the protection of the Data Subject’s private or personal life or with the law, especially if the Personal Data are inaccurate with regard to the purpose of their processing, and the Data Subject asks the Processor to provide an explanation or remedy the situation, the Processor agrees to inform the Controller to this effect without undue delay.

5.8 The Processor is obliged to notify the Controller of any inspection or an initiation of administrative proceedings concerning the imposition of a remedial measure and/or imposition of a fine carried out by the Office for Personal Data Protection (“Administrative Proceedings”), insofar as the inspection or Administrative Proceedings concerns Personal Data processed for the Controller, or parameters of the service provided to the Controller and if it is anticipated that carrying out of such an inspection or Administrative Proceeding may affect such parameters.

5.9 The Controller is obliged to notify the Processor of any inspection or an initiation of Administrative Proceedings insofar as the inspection or Administrative Proceedings concerns Personal Data processed by the Processor for the Controller, or parameters of the service provided to the Controller and if it is anticipated that carrying out of such an inspection or Administrative Proceeding may affect such parameters.

5.10 The Processor shall inform the Controller about any Personal Data loss or leak (“Personal Data Breach”) without undue delay. The Processor, after informing the Controller, continues providing assistance in dealing with the Personal Data Breach and/or in adopting measures to mitigate any potential adverse effects and to prevent similar occurrences in the future.

5.11 The information under Article 5.10 above includes at least:

(a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) a description of the likely consequences of the Personal Data Breach;

(c) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.12 The Processor agrees to allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller acknowledges that carrying out such an audit may not affect third parties’ rights (e.g. other controllers or data subjects), in particular with respect to ensuring confidentiality of personal data. The Controller also acknowledges that carrying out such an audit would be subject to a special agreement upon costs incurred by the Processor and to be paid by the Controller.

5.13 The Processor agrees to assist the Controller in fulfilling the Controller’s obligation to respond to requests for the exercise of the rights of Data Subjects, especially to requests for access to, rectification or erasure of Personal Data, restriction of processing or portability of Personal Data; if it possible to fulfil such obligations via respective features of particular products or services, the Controller may not request unsubstantiated Processor’s cooperation.

  1. GUARANTEES OF TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE PROTECTION OF PERSONAL DATA

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor agrees under Article 32 of the Regulation as applicable, to implement all appropriate technical and organisational measures to ensure protection of Personal Data in the manner described in the Regulation, or other legal regulations in order to exclude the possibility of unauthorised or accidental access to Personal Data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing, or any other misuse of Personal Data.

6.2 The Processor agrees, in particular, to implement the following organisational and technical measures:

(a) without prejudice to Article 6.3 of this Agreement, if Personal Data are processed by the Processor’s own employees, the Processor will entrust this activity strictly to its selected employees who will be duly advised of their confidentiality duty with regard to Personal Data as well as other obligations they are required to comply with so as not to infringe the Regulation, or this Agreement;

(b) without prejudice to Articles 6.3 and 6.4, not to authorise any third person without prior written authorisation of the Controller to process Personal Data;

(c) to use adequate technical equipment and programmes to exclude unauthorised or accidental access to Personal Data by any persons other than the Processor’s authorised employees;

(d) to store Personal Data in duly secured buildings and rooms;

(e) to store hard-copy documents containing Personal Data at a safe place, and to keep due records regarding any movements of such documents;

(f) to store Personal Data in electronic form on secure servers or data carriers (storages), access to which will only be granted to authorised persons on the basis of access codes or passwords, and to periodically back up the Personal Data;

(g) to ensure that remote transfers of Personal Data will only be carried out by means of a non-public network or by secure transfer via public networks, in particular via network security communication protocol. Taking into account the nature, scope, context and the risks of varying likelihood and severity some of the Personal Data may be transmitted via e-mails;

(h) by appropriate technical means, to ensure the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident in accordance to the parameters for the particular service agreed upon in the Service Contract;

(i) to ensure a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and

(j) upon discontinuation of the processing of Personal Data, the Processor will ensure, as agreed with the Controller, physical destruction of Personal Data, or will transfer the Personal Data to the Controller.

6.3 The Processor may engage another processor (“Other Processor”) to process Personal Data. The Processor, via https://www.lmc.eu/en/supplier-list (“Bulletin Board”) informs the Controller of any and all Other Processors the Processor intends to engage for the processing of Personal Data, of any intended changes concerning the addition or replacement of Other Processors, thereby giving the Controller the opportunity to object to the addition of such Other Processors under the conditions of the Service Contract (see Article 17(3) of LMC General Terms and Conditions for Business available at https://www.lmc.eu/en/general-terms-conditions/). If the Controller disagrees with the engagement of Other Processor against whom the Controller has filled written objections and if in the opinion of the Processor the Other Processor is necessary for the performance of this Agreement, the Controller may terminate this Agreement in accordance with Article 7.2 of this Agreement. The current list of Other Processors is available at the Bulletin Board.

6.4 If the Processor engages Other Processor for carrying out specific processing activities, the same data protection obligations as set out in this Agreement must be imposed on that Other Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Regulation.

6.5 The Controller acknowledges that services provided by Other Processors listed at the Bulletin Board may include transferring of Personal Data outside of the EU to countries without adequate level of protection of personal data; such information are stated at the Bulletin Board. To this end, the Processor guaranties that only those Other Processors that implement appropriate safeguard for legitimising personal data transfer by virtue of Articles 44 to 49 of the Regulation are authorised by the Processor for processing Personal Data. To the extent that the appropriate safeguards referred to in previous sentence is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, and the Processor immediately seeks in good faith a suitable alternate safeguard for processing of Personal Data abroad, the Controller waives his right to invoke contractual breach of rules contained in this Article 6.5.

 

6.6 The Processor is obliged to adopt and document the adopted and implemented technical and organisational measures to secure Personal Data in accordance with the Act and other legal regulations.

  1. TERM AND TERMINATION OF THE AGREEMENT

7.1 This Agreement enters into force and effect on the date when signed by both Parties, and will expire on or after the termination of the Service Contract. If the Parties have entered, or will at any time in the future enter, into another agreement under which Personal Data can be processed, this Agreement will expire simultaneously with the expiry of that other agreement or, as the case may be, simultaneously with the expiry of the last of such agreements.

7.2 The Controller may terminate this Agreement by notice with a notice period of three (3) days in the event that the Processor breaches any of its obligations under the Regulation or the New Personal Data Protection Act , and fails to remedy that breach within fifteen (15) days of a written request from the Controller or if the Controller objects to engaging Other Processor in written and such Other Processor is, under fully discretionary representation of the Processor, necessary for the performance of the Service Contract.

7.3 The Processor may terminate this Agreement by notice with a notice period of three (3) days in the event that the Controller breaches its obligations under the Regulation or the New Personal Data Protection Act, and the Controller fails to remedy that breach within fifteen (15) days of the Processor’s notification under Article 5.2 of this Agreement or if the Controller objects to engaging Other Processor in written and such Other Processor is, under fully discretionary representation of the Processor, necessary for the performance of the Service Contract.

7.4 Either of the Parties may terminate this Agreement by notice for convenience with a notice period of three (3) months running from the first day of the month after the month in which the notice was delivered to the other Party.

7.5 Upon termination under Articles 7.2 to 7.4 of this Agreement, the Processor will be obliged, at a written request delivered to the Controller no later than on the date of termination of this Agreement, to return all the processed Personal Data to the Controller or to destroy them in accordance with Article 5.6 of this Agreement. If the request referred to in the previous sentence is not made by the Controller, the Processor will destroy the Personal Data of the Data Subject on the day of termination of this Agreement or of the Service Contract, if no other agreement is concluded.

7.6 Upon termination of this Agreement, the Processor is obliged to comply with all the obligations stemming from the Regulation and/or the New Personal Data Protection Act aimed in particular at preventing any unauthorised processing of Personal Data until their transfer by the Processor to the Controller in accordance with the Controller’s instructions or until their safe destruction by the Processor.

7.7 Termination of this Agreement constitutes a circumstance that renders impossible all or any of the specific types of activities carried out by the Processor for the Controller on the basis of the Service Contract which also entail the processing of Personal Data.

7.8 The obligation to maintain confidentiality of Personal Data will survive termination of this Agreement.

 

 

  1. Contact details

8.1 All notifications including those on the fulfillment of the information obligation under Articles 5.10 and 5.11 of the Agreement shall be deemed to have been duly served if delivered in person or by post to the address of the other Party’s headquarters or e-mail:

Controller´s e-mail: contact e-mail of the main user, entered in the registration form which the Controller has set up in the Electronic System of the Processor

Processor’s e-mail: dpo@lmc.eu

8.2 The Controller may request a change of the address for the delivery of notifications pursuant to Article 8.1 of this Agreement via an e-mail sent to dpo@lmc.eu.

  1. FINAL PROVISIONS

9.1 Legal relations, obligations, rights and duties arising from this Agreement, including amendments hereto, will be governed by and interpreted in accordance with the law of the Czech Republic, in particular by the Act No. 89/2012 Coll., the Civil Code, as amended (“the Civil Code”).

9.2 If any provision of this Agreement is held by a court of competent jurisdiction or any other authority to be invalid, ineffective, putative or unenforceable, such provision will be deemed to be deleted from this Agreement and the remaining provisions of this Agreement will continue in full force and effect, unless it can be assumed from the nature or content of that provision or the circumstances under which it was concluded that it cannot be severed from the rest of this Agreement. In such case, the Parties will execute such amendments to this Agreement to achieve the same or, if not possible, the closest possible effect to the effect of the original invalid, ineffective, putative or unenforceable provision.

9.3 The Parties agree to settle any dispute that may arise out of or in connection with the performance of this Agreement amicably. If the Parties fail to settle a dispute amicably within thirty (30) days, either of the Parties can refer the dispute to the competent Czech court of law in accordance with applicable legal regulations.

9.4 Any supplements to or modifications of this Agreement may be made solely in the form of written amendments, numbered in ascending order, signed by authorised representatives of both Parties. The scope of personal data processed, as laid down in Article 3.2 hereof, may be extended or otherwise modified depending on the functionality of the product concerned without the need to execute an amendment to this Agreement or to the GTC.

9.5 For purposes of execution of this Agreement, the Parties exclude application of Section 1740(3) of the Civil Code, under which a contract is entered into even in the absence of full concurrence of the expressions of will of the respective parties.

9.6 The Parties have agreed to exclude the application of Section 1978(2) of the Civil Code, which stipulates that the lapse of a grace period results in an automatic rescission of this Agreement.

9.7 The terms not specified in detail herein have the meaning defined in the GTC or the Service Agreement.

9.8 This Policy is binding upon the Parties pursuant to the rules laid down in the GTC.

 

 

Version valid from 9.10.2018 to 13.5.2019

 

entered into pursuant to Article 28 General Data Protection Regulation (“Agreement” or “Policy”)

INTRODUCTORY PROVISIONS

(A) LMC s.r.o., with its registered office at Praha 7, Jankovcova 1569/2c, postal code 17000, ID No.: 26441381, entered in the Commercial Register kept by the Municipal Court in Prague, Section C, File 82484 (“LMC”) issues this personal data processing policy in the form of an Amendment to the General Terms and Conditions for Businesses (“GTC”) laying down the contractual relations between business persons and LMC entered into in connection with the use of LMC’s electronic systems.

(B) This Agreement lays down the rights and obligations of LMC as the Processor and the Client as the Data Controller (jointly referred to as the “Parties”) in relation to the processing of personal data by LMC’s electronic systems based on the GTC and a service contract (the “Service Contract”).

(C) The services provided under the Service Contract include activities during which personal data may be processed by the Processor for the Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “Regulation”), directly applicable as of 25 May 2018.

(D) The purpose of the Policy is to duly stipulate all obligations of the Parties arising out of (i) the Regulation, and (ii) the legal regulation amending certain provisions of the Regulation that will repeal and replace the Act No. 101/2000 Coll., on Personal Data Protection, as amended  from and after 25 May 2018 (the “New Personal Data Protection Act”).

(E) Under Article 28 of the Regulation, the Controller is obliged to enter into a written agreement with the Processor concerning the processing of personal data, in which the Processor will, inter alia, provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of personal data; this Policy fulfils the purpose of the written personal data processing agreement.

  1. PURPOSE OF THE AGREEMENT

1.1 The Processor will, within the meaning of Article 4 point (2) of the Regulation as applicable, process for the Controller personal data which the Controller has acquired or will acquire in connection with its business activities or which the Processor itself will acquire for the Controller for this purpose (“Personal Data”), in the course of performance by the Processor of its obligations arising out of the Service Contract.

1.2 The purpose of this Agreement is to define the scope of obligations of the Processor related in particular to ensuring the protection of the Personal Data during their processing.

  1. SUBJECT MATTER OF THE AGREEMENT

2.1 The subject matter of this Agreement is the specification of mutual rights and obligations of the Parties in respect of the processing of Personal Data within the meaning of Article 1.1 of this Agreement.

2.2 This Agreement also defines the scope of the Personal Data to be processed, the purpose of their processing, and the conditions and guarantees to be provided by the Processor to implement appropriate technical and organisational measures to ensure the protection of Personal Data.

  1. PURPOSE AND SCOPE OF PERSONAL DATA PROCESSING

3.1 The Processor will process Personal Data for the Controller to the extent necessary for the fulfilment of Processor’s obligations under the Service Contract and for the purpose of their use by the Controller in the course of the Controller’s business, in particular for management and record keeping of job candidates and employees of the Controller.

3.2 Under this Agreement, the Processor will process Personal Data of job candidates and Controller’s employees (“Data Subjects”) comprising identification information, contact information, work position, data concerning the outcomes of job interviews or references from previous employments, all information contained in the job applicant’s CV, or any other data that the Controller decides to attribute to the Data Subjects or that the Data Subjects themselves have provided. The scope of the data processed depends on the functionality of the product offered by the Controller and may be altered pursuant to the terms specified in Article 9.4 hereof. Processed Personal Data may also comprise information and data gathered when operating a specific LMC’s product as a result of the Data Subjects’ activity (e.g. position data in mobile applications or data on the use of electronic systems).

3.3 If the Controller provides to the Processor, or if in connection with the Processor’s activities performed for the Controller, the Processor otherwise gains access to, any other Personal Data of Data Subjects or if Personal Data of other data subjects are provided to the Processor, the Processor is obliged to also process and protect those Personal Data in compliance with the requirements of (i) the Regulation, (ii) the New Personal Data Protection Act, and (iii) this Agreement.

3.4 The Processor will process the Personal Data of Data Subjects for a period of time which will not exceed the term of this Agreement unless otherwise provided for by special legal regulations.

  1. FEE FOR PROCESSOR’S SERVICES

4.1 The Parties have agreed that for the processing of Personal Data under this Agreement, the Processor will not be entitled to any separate fee, i.e. the fee is already included in the remuneration for the activities conducted under the Service Contract.

  1. PROCESSOR’S RIGHTS AND DUTIES

5.1 While processing Personal Data, the Processor is obliged to proceed with due professional care so as not to do anything that could constitute a violation of the Regulation and/or the New Personal Data Protection Act.

5.2 If the Processor ascertains that the Controller has breached or breaches any of the Controller’s obligations under the Regulation, the Processor shall – under Article 28 point (h) of the second subparagraph of the Regulation as applicable – notify without undue delay the Controller to this effect.

5.3 The Processor is obliged, while processing Personal Data under this Agreement, to adhere to documented instructions from the Controller. The instructions shall be given in accordance with this Agreement (mostly via particular features of the products/services) and the shall comprise updating, deleting, amending or other handling of Personal Data, excluding any instructions broadening the technical and organisational measures not included within the scope of this Agreement. The Processor shall inform the Controller about inappropriateness of an instruction if the Processor, using its due professional care, could ascertain the inappropriate nature of the instruction(s). In such case, the Processor is required to act upon such instructions only at the Controller’s written request.

5.4 The Processor ensures that no Data Subject will suffer any damage to their rights, in particular the right to human dignity, and is also required to take protective measures against unauthorised interference with the private and personal lives of Data Subjects.

5.5 The Processor undertakes to fulfil the information obligation in accordance with Article 13 of the Regulation. If the Data Subject requests information regarding the processing of his/her data in accordance with Article 15 of the Regulation, the Processor will inform the Data Subject of his/her duty to exercise the right towards the Controller. The Processor will further proceed in accordance with the Controller’s written guidelines.

5.6 When the purpose of the processing of Personal Data no longer exists, or the Data Subject makes a request under Article 17 of the Regulation, the Processor is obliged on the basis of and in accordance with the Controller’s instructions, to destroy the Personal Data concerned or transfer them to the Controller.

5.7 If any Data Subject believes that the Controller or the Processor processes that Data Subject’s Personal Data in violation of the protection of the Data Subject’s private or personal life or with the law, especially if the Personal Data are inaccurate with regard to the purpose of their processing, and the Data Subject asks the Processor to provide an explanation or remedy the situation, the Processor agrees to inform the Controller to this effect without undue delay.

5.8 The Processor is obliged to notify the Controller of any inspection or an initiation of administrative proceedings concerning the imposition of a remedial measure and/or imposition of a fine carried out by the Office for Personal Data Protection (“Administrative Proceedings”), insofar as the inspection or Administrative Proceedings concerns Personal Data processed for the Controller, or parameters of the service provided to the Controller and if it is anticipated that carrying out of such an inspection or Administrative Proceeding may affect such parameters.

5.9 The Controller is obliged to notify the Processor of any inspection or an initiation of Administrative Proceedings insofar as the inspection or Administrative Proceedings concerns Personal Data processed by the Processor for the Controller, or parameters of the service provided to the Controller and if it is anticipated that carrying out of such an inspection or Administrative Proceeding may affect such parameters.

5.10 The Processor shall inform the Controller about any Personal Data loss or leak (“Personal Data Breach”) without undue delay. The Processor, after informing the Controller, continues providing assistance in dealing with the Personal Data Breach and/or in adopting measures to mitigate any potential adverse effects and to prevent similar occurrences in the future.

5.11 The information under Article 5.10 above includes at least:

(a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) a description of the likely consequences of the Personal Data Breach;

(c) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

5.12 The Processor agrees to allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller acknowledges that carrying out such an audit may not affect third parties’ rights (e.g. other controllers or data subjects), in particular with respect to ensuring confidentiality of personal data. The Controller also acknowledges that carrying out such an audit would be subject to a special agreement upon costs incurred by the Processor and to be paid by the Controller.

5.13 The Processor agrees to assist the Controller in fulfilling the Controller’s obligation to respond to requests for the exercise of the rights of Data Subjects, especially to requests for access to, rectification or erasure of Personal Data, restriction of processing or portability of Personal Data; if it possible to fulfil such obligations via respective features of particular products or services, the Controller may not request unsubstantiated Processor’s cooperation.

  1. GUARANTEES OF TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE PROTECTION OF PERSONAL DATA

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor agrees under Article 32 of the Regulation as applicable, to implement all appropriate technical and organisational measures to ensure protection of Personal Data in the manner described in the Regulation, or other legal regulations in order to exclude the possibility of unauthorised or accidental access to Personal Data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing, or any other misuse of Personal Data.

6.2 The Processor agrees, in particular, to implement the following organisational and technical measures:

(a) without prejudice to Article 6.3 of this Agreement, if Personal Data are processed by the Processor’s own employees, the Processor will entrust this activity strictly to its selected employees who will be duly advised of their confidentiality duty with regard to Personal Data as well as other obligations they are required to comply with so as not to infringe the Regulation, or this Agreement;

(b) without prejudice to Articles 6.3 and 6.4, not to authorise any third person without prior written authorisation of the Controller to process Personal Data;

(c) to use adequate technical equipment and programmes to exclude unauthorised or accidental access to Personal Data by any persons other than the Processor’s authorised employees;

(d) to store Personal Data in duly secured buildings and rooms;

(e) to store hard-copy documents containing Personal Data at a safe place, and to keep due records regarding any movements of such documents;

(f) to store Personal Data in electronic form on secure servers or data carriers (storages), access to which will only be granted to authorised persons on the basis of access codes or passwords, and to periodically back up the Personal Data;

(g) to ensure that remote transfers of Personal Data will only be carried out by means of a non-public network or by secure transfer via public networks, in particular via network security communication protocol. Taking into account the nature, scope, context and the risks of varying likelihood and severity some of the Personal Data may be transmitted via e-mails;

(h) by appropriate technical means, to ensure the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident in accordance to the parameters for the particular service agreed upon in the Service Contract;

(i) to ensure a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and

(j) upon discontinuation of the processing of Personal Data, the Processor will ensure, as agreed with the Controller, physical destruction of Personal Data, or will transfer the Personal Data to the Controller.

6.3 The Processor may engage another processor (“Other Processor”) to process Personal Data. The Processor, via https://www.lmc.eu/en/supplier-list (“Bulletin Board”) informs the Controller of any and all Other Processors the Processor intends to engage for the processing of Personal Data, of any intended changes concerning the addition or replacement of Other Processors, thereby giving the Controller the opportunity to object to the addition of such Other Processors under the conditions of the Service Contract (see Article 17(3) of LMC General Terms and Conditions for Business available at https://www.lmc.eu/en/general-terms-conditions/). If the Controller disagrees with the engagement of Other Processor against whom the Controller has filled written objections and if in the opinion of the Processor the Other Processor is necessary for the performance of this Agreement, the Controller may terminate this Agreement in accordance with Article 7.2 of this Agreement. The current list of Other Processors is available at the Bulletin Board.

6.4 If the Processor engages Other Processor for carrying out specific processing activities, the same data protection obligations as set out in this Agreement must be imposed on that Other Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Regulation.

6.5 The Controller acknowledges that services provided by Other Processors listed at the Bulletin Board may include transferring of Personal Data outside of the EU to countries without adequate level of protection of personal data; such information are stated at the Bulletin Board. To this end, the Processor guaranties that only those Other Processors that implement appropriate safeguard for legitimising personal data transfer by virtue of Articles 44 to 49 of the Regulation are authorised by the Processor for processing Personal Data. To the extent that the appropriate safeguards referred to in previous sentence is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, and the Processor immediately seeks in good faith a suitable alternate safeguard for processing of Personal Data abroad, the Controller waives his right to invoke contractual breach of rules contained in this Article 6.5.

 

6.6 The Processor is obliged to adopt and document the adopted and implemented technical and organisational measures to secure Personal Data in accordance with the Act and other legal regulations.

  1. TERM AND TERMINATION OF THE AGREEMENT

7.1 This Agreement enters into force and effect on the date when signed by both Parties, and will expire on or after the termination of the Service Contract. If the Parties have entered, or will at any time in the future enter, into another agreement under which Personal Data can be processed, this Agreement will expire simultaneously with the expiry of that other agreement or, as the case may be, simultaneously with the expiry of the last of such agreements.

7.2 The Controller may terminate this Agreement by notice with a notice period of three (3) days in the event that the Processor breaches any of its obligations under the Regulation or the New Personal Data Protection Act , and fails to remedy that breach within fifteen (15) days of a written request from the Controller or if the Controller objects to engaging Other Processor in written and such Other Processor is, under fully discretionary representation of the Processor, necessary for the performance of the Service Contract.

7.3 The Processor may terminate this Agreement by notice with a notice period of three (3) days in the event that the Controller breaches its obligations under the Regulation or the New Personal Data Protection Act, and the Controller fails to remedy that breach within fifteen (15) days of the Processor’s notification under Article 5.2 of this Agreement or if the Controller objects to engaging Other Processor in written and such Other Processor is, under fully discretionary representation of the Processor, necessary for the performance of the Service Contract.

7.4 Either of the Parties may terminate this Agreement by notice for convenience with a notice period of three (3) months running from the first day of the month after the month in which the notice was delivered to the other Party.

7.5 Upon termination under Articles 7.2 to 7.4 of this Agreement, the Processor will be obliged, at a written request delivered to the Controller no later than on the date of termination of this Agreement, to return all the processed Personal Data to the Controller or to destroy them in accordance with Article 5.6 of this Agreement. If the request referred to in the previous sentence is not made by the Controller, the Processor will destroy the Personal Data of the Data Subject on the day of termination of this Agreement or of the Service Contract, if no other agreement is concluded.

7.6 Upon termination of this Agreement, the Processor is obliged to comply with all the obligations stemming from the Regulation and/or the New Personal Data Protection Act aimed in particular at preventing any unauthorised processing of Personal Data until their transfer by the Processor to the Controller in accordance with the Controller’s instructions or until their safe destruction by the Processor.

7.7 Termination of this Agreement constitutes a circumstance that renders impossible all or any of the specific types of activities carried out by the Processor for the Controller on the basis of the Service Contract which also entail the processing of Personal Data.

7.8 The obligation to maintain confidentiality of Personal Data will survive termination of this Agreement.

 

 

  1. Contact details

8.1 All notifications including those on the fulfillment of the information obligation under Articles 5.10 and 5.11 of the Agreement shall be deemed to have been duly served if delivered in person or by post to the address of the other Party’s headquarters or e-mail:

Controller´s e-mail: contact e-mail of the main user, entered in the registration form which the Controller has set up in the Electronic System of the Processor

Processor’s e-mail: dpo@lmc.eu

8.2 The Controller may request a change of the address for the delivery of notifications pursuant to Article 8.1 of this Agreement via an e-mail sent to dpo@lmc.eu.

  1. FINAL PROVISIONS

9.1 Legal relations, obligations, rights and duties arising from this Agreement, including amendments hereto, will be governed by and interpreted in accordance with the law of the Czech Republic, in particular by the Act No. 89/2012 Coll., the Civil Code, as amended (“the Civil Code”).

9.2 If any provision of this Agreement is held by a court of competent jurisdiction or any other authority to be invalid, ineffective, putative or unenforceable, such provision will be deemed to be deleted from this Agreement and the remaining provisions of this Agreement will continue in full force and effect, unless it can be assumed from the nature or content of that provision or the circumstances under which it was concluded that it cannot be severed from the rest of this Agreement. In such case, the Parties will execute such amendments to this Agreement to achieve the same or, if not possible, the closest possible effect to the effect of the original invalid, ineffective, putative or unenforceable provision.

9.3 The Parties agree to settle any dispute that may arise out of or in connection with the performance of this Agreement amicably. If the Parties fail to settle a dispute amicably within thirty (30) days, either of the Parties can refer the dispute to the competent Czech court of law in accordance with applicable legal regulations.

9.4 Any supplements to or modifications of this Agreement may be made solely in the form of written amendments, numbered in ascending order, signed by authorised representatives of both Parties. The scope of personal data processed, as laid down in Article 3.2 hereof, may be extended or otherwise modified depending on the functionality of the product concerned without the need to execute an amendment to this Agreement or to the GTC.

9.5 For purposes of execution of this Agreement, the Parties exclude application of Section 1740(3) of the Civil Code, under which a contract is entered into even in the absence of full concurrence of the expressions of will of the respective parties.

9.6 The Parties have agreed to exclude the application of Section 1978(2) of the Civil Code, which stipulates that the lapse of a grace period results in an automatic rescission of this Agreement.

9.7 The terms not specified in detail herein have the meaning defined in the GTC or the Service Agreement.

9.8 This Policy is binding upon the Parties pursuant to the rules laid down in the GTC.

 

 

 

Version valid until 8.10.2018

entered into pursuant to Section 6 of Act No. 101/2000 Coll., on Personal Data Protection and on Amendments to Certain Acts, as amended (“Agreement” or “Policy”)

INTRODUCTORY PROVISIONS

(A) LMC s.r.o., with its registered office at Praha 7, Jankovcova 1569/2c, postal code 17000, ID No.: 26441381, entered in the Commercial Register kept by the Municipal Court in Prague, Section C, File 82484 (“LMC”) issues this personal data processing policy in the form of an Amendment to the General Terms and Conditions for Businesses (“GTC”) laying down the contractual relations between business persons and LMC entered into in connection with the use of LMC’s electronic systems.

(B) This Agreement lays down the rights and obligations of LMC as the Processor and the Client as the Data Controller (jointly referred to as the “Parties”) in relation to the processing of personal data by LMC’s electronic systems based on the GTC and a service contract (the “Service Contract”).

(C) The services provided under the Service Contract include activities during which personal data may be processed by the Processor for the Controller within the meaning of Act No. 101/2000 Coll., on Personal Data Protection, as amended (the “Act”), or, where applicable, within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (the “Regulation”), directly applicable as of 25 May 2018.

(D) The purpose of the Policy is to duly stipulate all obligations of the Parties arising out of (i) the Act, (ii) the Regulation, and (iii) the legal regulation amending certain provisions of the Regulation that will repeal and replace the Act from and after 25 May 2018 (the “New Personal Data Protection Act”).

(E) Under Section 6 of the Act and Article 28 of the Regulation, the Controller is obliged to enter into a written agreement with the Processor concerning the processing of personal data, in which the Processor will, inter alia, provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of personal data; this Policy fulfils the purpose of the written personal data processing agreement.

1. PURPOSE OF THE AGREEMENT

1.1 The Processor will, within the meaning of Section 4(e) of the Act, and Article 4 point (2) of the Regulation as applicable, process for the Controller personal data which the Controller has acquired or will acquire in connection with its business activities or which the Processor itself will acquire for the Controller for this purpose (“Personal Data”), in the course of performance by the Processor of its obligations arising out of the Service Contract.

1.2 The purpose of this Agreement is to define the scope of obligations of the Processor related in particular to ensuring the protection of the Personal Data during their processing.

2. SUBJECT MATTER OF THE AGREEMENT

2.1 The subject matter of this Agreement is the specification of mutual rights and obligations of the Parties in respect of the processing of Personal Data within the meaning of Article 1.1 of this Agreement.

2.2 This Agreement also defines the scope of the Personal Data to be processed, the purpose of their processing, and the conditions and guarantees to be provided by the Processor to implement appropriate technical and organisational measures to ensure the protection of Personal Data.

3. PURPOSE AND SCOPE OF PERSONAL DATA PROCESSING

3.1 The Processor will process Personal Data for the Controller to the extent necessary for the fulfilment of Processor’s obligations under the Service Contract and for the purpose of their use by the Controller in the course of the Controller’s business, in particular for management and record keeping of job candidates and employees of the Controller.

3.2 Under this Agreement, the Processor will process Personal Data of job candidates and Controller’s employees (“Data Subjects”) comprising identification information, contact information, work position, data concerning the outcomes of job interviews or references from previous employments, all information contained in the job applicant’s CV, or any other data that the Controller decides to attribute to the Data Subjects or that the Data Subjects themselves have provided. The scope of the data processed depends on the functionality of the product offered by the Controller and may be altered pursuant to the terms specified in Article 9.4 hereof. Processed Personal Data may also comprise information and data gathered when operating a specific LMC’s product as a result of the Data Subjects’ activity (e.g. position data in mobile applications or data on the use of electronic systems).

3.3 If the Controller provides to the Processor, or if in connection with the Processor’s activities performed for the Controller, the Processor otherwise gains access to, any other Personal Data of Data Subjects or if Personal Data of other data subjects are provided to the Processor, the Processor is obliged to also process and protect those Personal Data in compliance with the requirements of (i) the Act, (ii) the Regulation, (iii) the New Personal Data Protection Act, and (iv) this Agreement.

3.4 The Processor will process the Personal Data of Data Subjects for a period of time which will not exceed the term of this Agreement unless otherwise provided for by special legal regulations.

4. FEE FOR PROCESSOR’S SERVICES

4.1 The Parties have agreed that for the processing of Personal Data under this Agreement, the Processor will not be entitled to any separate fee, i.e. the fee is already included in the remuneration for the activities conducted under the Service Contract.

5. PROCESSOR’S RIGHTS AND DUTIES

5.1 While processing Personal Data, the Processor is obliged to proceed with due professional care so as not to do anything that could constitute a violation of the Act, in particular Section 5 of the Act in combination with Section 7 of the Act, or violation of the Regulation and/or the New Personal Data Protection Act as of the date specified in Article 8.1 of this Agreement.

5.2 If the Processor ascertains that the Controller has breached or breaches any of the Controller’s obligations under the Act or the Regulation, the Processor shall – under Section 8 of the Act, or under Article 28 point (h) second sentence of the Regulation as applicable – notify without undue delay the Controller to this effect. If the Controller does not remedy the breach within 15 days of the written notification, the Processor may cease the processing of Personal Data.

5.3 The Processor is obliged, while processing Personal Data under this Agreement, to adhere to documented instructions from the Controller. The instructions shall be given in accordance with this Agreement (mostly via particular features of the products/services) and the shall comprise updating, deleting, amending or other handling of Personal Data, excluding any instructions broadening the technical and organisational measures not included within the scope of this Agreement. The Processor shall inform the Controller about inappropriateness of an instruction if the Processor, using its due professional care, could ascertain the inappropriate nature of the instruction(s). In such case, the Processor is required to act upon such instructions only at the Controller’s written request.

5.4 In accordance with Section 10 of the Act, the Processor ensures that no Data Subject will suffer any damage to their rights, in particular the right to human dignity, and is also required to take protective measures against unauthorised interference with the private and personal lives of Data Subjects.

5.5 The Processor may (but is not obliged to) fulfil the obligation to provide information to Data Subjects in accordance with Section 11 of the Act (or Article 13 of the Regulation) and may (but is not obliged to) provide information to Data Subjects in accordance with Section 12 of the Act (or Article 15 of the Regulation) upon Data Subject’s request.

5.6 When the purpose of the processing of Personal Data no longer exists, or the Data Subject makes a request under Section 21 of the Act, or under Article 17 of the Regulation, the Processor is obliged by virtue of Section 20 of the Act, on the basis of and in accordance with the Controller’s instructions, to destroy the Personal Data concerned or transfer them to the Controller.

5.7 If any Data Subject believes that the Controller or the Processor processes that Data Subject’s Personal Data in violation of the protection of the Data Subject’s private or personal life or with the law, especially if the Personal Data are inaccurate with regard to the purpose of their processing, and the Data Subject asks the Processor to provide an explanation or remedy the situation within the meaning of Section 21 of the Act, the Processor agrees to inform the Controller to this effect without undue delay.

5.8 The Processor is obliged to notify the Controller of any inspection or an initiation of administrative proceedings concerning the imposition of a remedial measure and/or imposition of a fine carried out by the Office for Personal Data Protection (“Administrative Proceedings”), insofar as the inspection or Administrative Proceedings concerns Personal Data processed for the Controller, or parameters of the service provided to the Controller and if it is anticipated that carrying out of such an inspection or Administrative Proceeding may affect such parameters.

5.9 The Controller is obliged to notify the Processor of any inspection or an initiation of Administrative Proceedings insofar as the inspection or Administrative Proceedings concerns Personal Data processed by the Processor for the Controller, or parameters of the service provided to the Controller and if it is anticipated that carrying out of such an inspection or Administrative Proceeding may affect such parameters.

5.10 The Processor shall inform the Controller about any Personal Data loss or leak (“Personal Data Breach”) without undue delay. The Processor, after informing the Controller, continues providing assistance in dealing with the Personal Data Breach and/or in adopting measures to mitigate any potential adverse effects and to prevent similar occurrences in the future.

5.11 The information under Article 5.10 above includes at least:

(a) a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;

(b) a description of the likely consequences of the Personal Data Breach;

(c) a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

6. GUARANTEES OF TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE PROTECTION OF PERSONAL DATA

6.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor agrees under Section 13(1) of the Act, and under Article 32 of the Regulation as applicable, to implement all appropriate technical and organisational measures to ensure protection of Personal Data in the manner described in the Act, the Regulation, or other legal regulations in order to exclude the possibility of unauthorised or accidental access to Personal Data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing, or any other misuse of Personal Data.

6.2 The Processor agrees, in particular, to implement the following organisational and technical measures:

(a) without prejudice to Article 6.3 of this Agreement, if Personal Data are processed by the Processor’s own employees, the Processor will entrust this activity strictly to its selected employees who will be duly advised of their confidentiality duty with regard to Personal Data as well as other obligations they are required to comply with so as not to infringe the Act, the Regulation, or this Agreement;

(b) without prejudice to Articles 6.3 and 6.4, not to authorise any third person without prior written authorisation of the Controller to process Personal Data;

(c) to use adequate technical equipment and programmes to exclude unauthorised or accidental access to Personal Data by any persons other than the Processor’s authorised employees;

(d) to store Personal Data in duly secured buildings and rooms;

(e) to store hard-copy documents containing Personal Data at a safe place, and to keep due records regarding any movements of such documents;

(f) to store Personal Data in electronic form on secure servers or data carriers (storages), access to which will only be granted to authorised persons on the basis of access codes or passwords, and to periodically back up the Personal Data;

(g) to ensure that remote transfers of Personal Data will only be carried out by means of a non-public network or by secure transfer via public networks, in particular via network security communication protocol. Taking into account the nature, scope, context and the risks of varying likelihood and severity some of the Personal Data may be transmitted via e-mails;

(h) by appropriate technical means, to ensure the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident in accordance to the parameters for the particular service agreed upon in the Service Contract;

(i) to ensure a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing; and

(j) upon discontinuation of the processing of Personal Data, the Processor will ensure, as agreed with the Controller, physical destruction of Personal Data, or will transfer the Personal Data to the Controller.

6.3 The Processor may engage another processor (“Other Processor”) to process Personal Data. The Processor, via https://www.lmc.eu/en/supplier-list (“Bulletin Board”) informs the Controller of any and all Other Processors the Processor intends to engage for the processing of Personal Data, of any intended changes concerning the addition or replacement of Other Processors, thereby giving the Controller the opportunity to object to the addition of such Other Processors under the conditions of the Service Contract. Besides Other Processors to whom the Controller had no objections, the Processor will not engage any third party to process Personal Data. The actual list of Other Processors is available at the Bulletin Board.

6.4 If the Processor engages Other Processor for carrying out specific processing activities, the same data protection obligations as set out in this Agreement must be imposed on that Other Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Act and the Regulation.

6.5 The Controller acknowledges that services provided by Other Processors listed at the Bulletin Board may include transferring of Personal Data outside of the EU to countries without adequate level of protection of personal data; such information are stated at the Bulletin Board. To this end, the Processor guaranties that only those Other Processors that implement appropriate safeguard for legitimising personal data transfer by virtue of Articles 44 to 49 of the Regulation or Section 27 of the Act are authorised by the Processor for processing Personal Data. To the extent that the appropriate safeguards referred to in previous sentence is subsequently modified, revoked, or held in a court of competent jurisdiction to be invalid, and the Processor immediately seeks in good faith a suitable alternate safeguard for processing of Personal Data abroad, the Controller waives his right to invoke contractual breach of rules contained in this Article 6.5.

6.6 The Processor is obliged under Section 13(2) of the Act to adopt and document the adopted and implemented technical and organisational measures to secure Personal Data in accordance with the Act and other legal regulations.

7. TERM AND TERMINATION OF THE AGREEMENT

7.1 This Agreement enters into force and effect on the date when signed by both Parties, and will expire on or after the termination of the Service Contract. If the Parties have entered, or will at any time in the future enter, into another agreement under which Personal Data can be processed, this Agreement will expire simultaneously with the expiry of that other agreement or, as the case may be, simultaneously with the expiry of the last of such agreements.

7.2 The Controller may terminate this Agreement by notice with a notice period of three (3) days in the event that the Processor breaches any of its obligations under this Agreement, and fails to remedy that breach within fifteen (15) days of a written request from the Controller or if the Controller objects to engaging Other Processor in written and such Other Processor is, under fully discretionary representation of the Processor, necessary for the performance of the Service Contract.

7.3 The Processor may terminate this Agreement by notice with a notice period of three (3) days in the event that the Controller breaches its obligations under the Act, the Regulation or the New Personal Data Protection Act, and the Controller fails to remedy that breach within fifteen (15) days of the Processor’s notification under Article 5.2 of this Agreement or if the Controller objects to engaging Other Processor in written and such Other Processor is, under fully discretionary representation of the Processor, necessary for the performance of the Service Contract.

7.4 Either of the Parties may terminate this Agreement by notice for convenience with a notice period of three (3) months running from the first day of the month after the month in which the notice was delivered to the other Party.

7.5 Upon termination under Articles 7.2 to 7.4 of this Agreement, the Processor will be obliged to return all the processed Personal Data to the Controller or destroy them in accordance with Article 5.6 of this Agreement.

7.6 Upon termination of this Agreement, the Processor is obliged to comply with all the obligations stemming from the Act, and after the date mentioned in Article 8.1 of this Agreement also the obligations stemming from the Regulation and/or the New Personal Data Protection Act aimed in particular at preventing any unauthorised processing of Personal Data until their transfer by the Processor to the Controller in accordance with the Controller’s instructions or until their safe destruction by the Processor.

7.7 Termination of this Agreement constitutes a circumstance that renders impossible all or any of the specific types of activities carried out by the Processor for the Controller on the basis of the Service Contract which also entail the processing of Personal Data.

7.8 The obligation to maintain confidentiality of Personal Data will survive termination of this Agreement.

8. PROVISIONS RELATED TO THE REGULATION TAKING EFFECT

8.1 The Controller and the Processor will adopt, by 25 May 2018 at the latest, personal data protection measures stipulated in the Regulation and in the New Personal Data Protection Act.

8.2 After the date mentioned in Article 8.1 of this Agreement, the Processor agrees to assist the Controller in fulfilling the Controller’s obligation to respond to requests for the exercise of the rights of Data Subjects, especially to requests for access to, rectification or erasure of Personal Data, restriction of processing or portability of Personal Data; if it possible to fulfil such obligations via respective features of particular products or services, the Controller may not request unsubstantiated Processor’s cooperation.

8.3 After the date mentioned in Article 8.1 of this Agreement, the Processor agrees to allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller acknowledges that carrying out such an audit may not affect third parties’ rights (e.g. other controllers or data subjects), in particular with respect to ensuring confidentiality of personal data. The Controller also acknowledges that carrying out such an audit would be subject to a special agreement upon costs incurred by the Processor and to be paid by the Controller.

8.4 After the date mentioned in Article 8.1 of this Agreement, all the terms and provisions of this Agreement will remain in force and effect, provided that obligations resulting from a reference to the Act, in particular those introduced by the words “within the meaning of”, “in compliance with”, “in accordance with”, “pursuant to”, “under” and the like, will be interpreted in accordance with the applicable provisions of the Regulation laying down obligations whose nature is closest to the obligations under the of the Act.

9. FINAL PROVISIONS

9.1 Legal relations, obligations, rights and duties arising from this Agreement, including amendments hereto, will be governed by and interpreted in accordance with the law of the Czech Republic, in particular by the Act and Act No. 89/2012 Coll., the Civil Code, as amended.

9.2 If any provision of this Agreement is held by a court of competent jurisdiction or any other authority to be invalid, ineffective, putative or unenforceable, such provision will be deemed to be deleted from this Agreement and the remaining provisions of this Agreement will continue in full force and effect, unless it can be assumed from the nature or content of that provision or the circumstances under which it was concluded that it cannot be severed from the rest of this Agreement. In such case, the Parties will execute such amendments to this Agreement to achieve the same or, if not possible, the closest possible effect to the effect of the original invalid, ineffective, putative or unenforceable provision.

9.3 The Parties agree to settle any dispute that may arise out of or in connection with the performance of this Agreement amicably. If the Parties fail to settle a dispute amicably within thirty (30) days, either of the Parties can refer the dispute to the competent Czech court of law in accordance with applicable legal regulations.

9.4 Any supplements to or modifications of this Agreement may be made solely in the form of written amendments, numbered in ascending order, signed by authorised representatives of both Parties. The scope of personal data processed, as laid down in Article 3.2 hereof, may be extended or otherwise modified depending on the functionality of the product concerned without the need to execute an amendment to this Agreement or to the GTC.

9.5 The terms not specified in detail herein have the meaning defined in the GTC or the Service Agreement.

9.6 This Policy is binding upon the Parties pursuant to the rules laid down in the GTC.