1. Processing of personal data
1.1. INTRODUCTORY PROVISIONS
Tabidoo s.r.o., with its registered office at Pernerova 676/51, 186 00 Praha, identification number 060 19 137, registered in the Commercial Register maintained by the Municipal Court in Prague, file no. C 274690 ("Provider") provides the Tabidoo internet application ("Tabidoo"), available at app.tabidoo.cloud to its User ("User"), in accordance with the General Terms and Conditions, available from https://tabidoo.cloud/en/terms-and-conditions ("GTC"). The Provider and the User are also referred to herein as the "parties". For the avoidance of doubt, the User means the User and the User as defined in the GTC.
1.2. DATA PROCESSING AGREEMENT
Considering that personal data will be processed by the Provider for the User while providing the Tabidoo service, the parties enter into this Data Processing Agreement ("DPA") within the meaning of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR").
1.4. OBLIGATION TO CONCLUDE AN ADDENDUM
The parties agree that, if necessary in order to comply with the requirements of data protection regulations (which include, for example, Act No. 110/2019 Coll. on the Processing of Personal Data, as amended, and the GDPR; collectively the "DPR"), they shall, without undue delay upon the request of either party, amend the GTC or this DPA to reflect such requirements.
1.5. AUTHORIZATION OF THE PROVIDER
The User hereby authorises the Provider to process the personal data of the data subjects while providing the Tabidoo service. The Provider is obliged to process personal data for the User on the basis of the User's instructions and to the extent necessary for the proper performance of the Provider's obligations under the GTC.
DECLARATION OF THE USER
By entering into the DPA, the User confirms that any personal data provided while using the Tabidoo service is accurate, has been collected in accordance with the DPR, is currently processed by the User in accordance with the DPR and that the User complies with all obligations of the controller under the DPR. The User declares that the processing of personal data which it entrusts to the Provider by this Agreement has been registered with the Office for Personal Data Protection (hereinafter referred to as the "ÚOOÚ") prior to entering into this DPA, if the respective processing is subject to this obligation.
2. Subject matter of the processing, categories of data subjects, types of personal data
2.1. DEFINITION OF PERSONAL DATA
The subject of the processing under this DPA is the personal data of the data subjects, provided while using the Tabidoo service, and possibly other data provided by third parties on the User's instructions ("Personal Data").
2.2. DATA SUBJECTS
Data subjects are the persons about whom the User processes personal data through the Tabidoo service.
2.3. USER'S LIABILITY
The scope of data processing is decided solely by the User, who is also responsible for ensuring that the specified scope of processing complies with the DPR.
3. Nature and purposes of the processing
3.1. NATURE OF THE PROCESSING
The Provider will process personal data by automated means using computer technology; manual data processing may also occur.
3.2. PURPOSE OF THE PROCESSING
The purpose of the data processing is defined by the purpose of the GTC, which is the proper provision of the Tabidoo service.
3.3. LIMITATION OF PURPOSES
The Provider acknowledges that it is not entitled to use personal data for any purpose other than as set out in this DPA, i.e. to determine the purposes and/or means of processing and is not entitled to process personal data beyond the scope set out in this DPA.
4. Duration of the processing
4.1. DURATION OF THE PROCESSING
The processing of personal data will be carried out for as long as Tabidoo services are provided. The Provider undertakes to fulfil the User's obligations regarding the protection of personal data for the entire duration of providing the Tabidoo service, unless the GTC and/or DPA implies that such obligations shall survive its termination.
5. Declarations of the User
5.1. USER'S OBLIGATIONS
By entering into the DPA, the User, as the data controller, declares that as of the date of entering into the DPA, it duly fulfils all its obligations under the DPR, in particular that it:
5.1.1. LAWFULNESS OF PROCESSING
processes personal data for the purposes, to the extent, by the means and in the manner provided for in this DPA lawfully, in particular it has obtained and has in its possession the valid consent of all data subjects to the processing of their personal data, if required by law;
5.1.2. OBLIGATION TO INFORM DATA SUBJECTS
informs data subjects about the processing of their personal data in the manner and to the extent prescribed by the DPR;
5.1.3. PERFORMANCE OF DATA SUBJECT RIGHTS
provides data subjects with the possibility to exercise their rights provided by the DPR;
5.1.4. DISPOSAL OF PERSONAL DATA
disposes of personal data once the purpose for which they were processed has expired;
and undertakes to fulfil these obligations throughout the provision of Tabidoo service.
6. Obligations of the Provider
6.1. OBLIGATIONS OF THE PROVIDER
When processing personal data, the Provider is obliged to:
6.1.1. BINDING INSTRUCTIONS
process personal data solely on the basis of documented instructions, provided by the User. For the avoidance of doubt, the processing of personal data in accordance with the Provider's obligations agreed under the DPA shall be deemed to be carried out in accordance with the User's instructions;
6.1.2. TRANSFER TO THIRD COUNTRIES AND INTERNATIONAL ORGANIZATIONS
follow the instructions of the User regarding the transfer of personal data to a third country or an international organisation, unless such processing is already required by European Union or Member State law, applicable to the Provider, in which case the Provider shall inform the User of this legal requirement prior to processing, unless such legislation prohibits such information for important reasons of public interest;
ensure that anyone who lawfully processes personal data for the User undertakes to maintain confidentiality or is subject to a legal obligation of confidentiality;
6.1.4. TECHNICAL MEASURES AND EXERCISE OF RIGHTS
assist the User through appropriate technical and organisational measures, where possible, to comply with the User's obligation to respond to requests to exercise the rights of data subjects;
assist the User with ensuring compliance with the User's obligations to (i) ensure the level of security of processing, (ii) report personal data breaches to the ÚOOÚ and, where applicable, to data subjects, (iii) assess the impact on the protection of personal data, and (iv) carry out prior consultation with the ÚOOÚ, taking into account the nature of the processing and the information available to the Provider;
6.1.6. RETURN AND DELETION
in accordance with the User's decision, either delete all personal data or return it to the User upon termination of performance under the GTC and delete existing copies, unless such storage is required by law;
6.1.7. INFORMATION DUTY
provide the User with all information necessary to demonstrate that the obligations set out in the DPR have been fulfilled; and
allow the User to conduct audits; the parties agree that the User may audit the Provider's processing no more than once every 2 years with an independent auditor selected by the User. The costs of the audit under this paragraph shall be borne by the User.
6.2. INSTRUCTIONS VIOLATING THE LAW
The Provider shall immediately inform the User in writing if it believes that the instructions issued by the User violate data protection legislation.
6.3. CONFIDENTIALITY AND TERMINATION OF THE GTC
In the event of termination of the Tabidoo service, the Provider, its employees, and/or authorised third parties who have come into contact with the personal data, shall not be relieved of confidentiality. In such case, the obligation of confidentiality shall continue even after the termination of the Tabidoo service, regardless of the duration of the relationship of these persons to the Provider.
6.4. SECURITY BREACHES
The Provider shall promptly notify the User of any actual or reasonably suspected personal data breach, but no later than 48 hours after becoming aware of such breach. Any such information will also be promptly reported by the Provider by telephone, at the number available on the Website. The foregoing shall apply primarily, but not exclusively, in cases where the User has a legal obligation under law or the DPR to report a personal data breach. The Provider must provide at least the following information:
the date of the breach and its discovery;
the nature, cause and consequences of the breach;
the category and approximate number of involved data subjects;
the scope of affected personal data, involved in the breach;
a description of measures taken to remedy the breach.
7.1. APPROVAL OF SUBPROCESSORS
The User hereby agrees that the Provider will use the following categories of sub-processors when processing the personal data:
vultr.com (https://www.vultr.com). Unless otherwise required, EU datacentres are used.
aws (https://aws.amazon.com). Unless otherwise required, EU datacentres are used.
master.cz (https://masterdc.com). Unless otherwise required.
IT services provider;
Mailchimp (https://mailchimp.com). Optional.
Postmark (https://postmarkapp.com). Optional.
Backblaze (https://www.backblaze.com). Unless otherwise required, EU datacentres are used.
7.2. NEW SUB-PROCESSORS
If the Provider decides to use new categories of sub-processors, other than those defined in paragraph 7.1 of this Annex, it shall notify the User thereof without delay, but no later than when such processing commences. The Provider undertakes to bind its sub-processors at least to the same extent as in this DPA.
8.1. TECHNICAL AND ORGANISATIONAL MEASURES
The Provider has adopted and maintains technical and organizational measures to prevent unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfers, other unauthorized processing, as well as other misuse of personal data.
8.2. EXAMPLES OF MEASURES
The Provider has adopted and maintains the following measures to ensure an adequate level of security, including, but not limited to, the following:
the pseudonymisation and encryption of personal data;
the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services - the measures in place and their correct functioning will be regularly reviewed;
the ability to restore the availability of and access to personal data in the event of physical or technical incidents in a timely manner;
regular testing, assessing and evaluating the effectiveness of the technical and organisational measures in place to ensure the security of processing;
a multi-level firewall;
anti-virus protection and control of unauthorised access;
encrypted data transmission.
8.3. SECURITY BREACH NOTIFICATION
In the event that the Provider discovers a personal data breach, the Provider shall notify the User without undue delay.
9. Final provisions
9.1. VALIDITY AND EFFECTIVENESS OF THE DPA
This DPA shall be valid and effective from 9/1/2021.
9.2. USE OF GTC
To the extent not governed by this DPA, the relationship between Provider and User shall be governed by the GTC.