PERSONAL DATA PROCESSING AGREEMENT

("Agreement")

This agreement covers processing of personal data within the service YourPass and lays down the rights and obligations related to processing of personal data between you (the "Data Controller") and our company YOUR PASS, s.r.o., seated at Prague 4 - Chodov, Türkova 2319/5b, district the capital city of Prague, zip code 149 00, identification No.: 24809888, file number: C 176332 kept with the Municipal court in Prague, or the company YOUR PASS GmbH seated at Edisonstraße 63, 12459 Berlin-Oberschöneweide, Steuer-Nr.: 301/5855/0673, USt-IdNr: DE31725081, registered with the Amtsgericht Charlottenburg (Berlin) HRB 194946 B or another the company from the YourPass group of companies with which you have entered into an agreement (the "Data Processor"; the Data Controller and the Data Processor together also referred to as the "Parties").

PREAMBLE:

(A) Starting from May 25, 2018, the rights and obligations of the Parties are governed by the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (the "Regulation");

(B) The Data Controller as the customer and the Data Processor as the service provider have concluded an agreement under which the Data Processor will provide services to the Data Controller related to the use of the Yourpass system (the "Main Agreement");

(C) In the course of fulfilling its obligations under the Main Agreement, the Data Processor processes certain personal data as a processor for the Data Controller;

  1. SUBJECT OF PROCESSING
    1. The Data Controller tasks the Data Processor with processing personal data under the conditions and to the extent specified in this Agreement. The Data Processor undertakes to carry out the processing of personal data under the authorization from the Data Controller in accordance with the Regulation, other relevant legal regulations and this Agreement.
    2. The personal data processed under this Agreement will be handed over to the Data Processor by the Data Controller, namely via the Yourpass system.
  2. NATURE AND PURPOSE OF PROCESSING
    1. The Data Processor will process the personal data manually and in an automated manner while the Data Processor will have access to the data of individuals - customers or employees of the Data Controller as part of technical support activities. The data will not be altered, made available, collected, passed on to third parties, etc. without express instructions of the Data Controller.
    2. The Data Processor will process personal data solely for the purpose of performing the Main Agreement.
  3. TYPE OF PERSONAL DATA AND CATEGORY OF DATA SUBJECTS
    1. The Data Processor will process the personal data of the following categories of data subjects: workers, members and customers of the Data Controller who use cards in the Yourpass system.
    2. The Data Processor will process the following categories of personal data:
      1. identification of an individual
      2. other information that the Data Controller enters into the Yourpass system.
  4. DURATION OF PROCESSING
    1. The Data Processor will process the personal data during the term of the Main Agreement.
  5. ZÁRUKY ZPRACOVATELE
    1. The Data Processor will process personal data only on the basis of documented guidelines of the Data Controller, including in relation to the transfer of personal data to a third country or international organization unless such processing is already provides for by the laws of the European Union or of the Czech Republic; in which case the Data Processor will inform the Data Controller on this legal requirement before starting the processing, unless such legislation prohibit such disclosure for important public interest reasons.
    2. The Data Processor shall ensure that persons authorized to process the personal data are bound by a duty of confidentiality or are subject to a statutory duty of confidentiality.
    3. The Data Processor undertakes to adopt and enforce all appropriate technical and organizational measures in accordance with Article 32 of the Regulation and other relevant legislation, taking into account the state of the art of technology, the costs of implementation, the nature, scope, context and purpose of the processing and the various likely and unlikely risks (probability of occurrence) to the rights and freedoms of natural persons to ensure the level of security of personal data relevant to the risk, in particular:
      1. so that no unauthorized access to or disclosure of personal data processed based on this Agreement can occur; and
      2. to prevent accidental or unlawful alteration, loss or destruction of personal data processed based on this Agreement.
    4. In accordance with Article 5.3, the Data Processor undertakes in particular to ensure:
      1. storage of documents and data carriers containing personal data in safe locations; and
      2. securing against unauthorized access the premises of the Data Processor in which the personal data under this Agreement are processed.
    5. The Data Processor will not task another processor to process the data without prior consent of the Data Controller. If the Data Processor involves another processor to perform certain processing activities on behalf of the Data Controller with the consent of the Data Controller, this other processor shall be subject to the same data protection obligations as set out in this Agreement, in particular providing adequate safeguards with regard to the introduction of appropriate technical and organizational measures so that the processing meets the requirements of the Regulation and other relevant legislation. If the additional processor fails to comply with its data protection obligations, the Data Processor is responsible to the Data Controller for meeting the obligations of the other processor. However, the Data Controller expressly agrees that the Data Processor will engage its primary IT solution vendor in processing of the personal data, namely the company YOUR SYSTEM, spol. s r.o., with its registered office at Prague 4 - Chodov, Türkova 2319/5b, postal code 14900, ID No: 00174939, File No. C 72 kept by the Municipal Court in Prague, as well as suppliers of cloud solutions, such as Amazon Web Services, Inc. or its affiliates providing Amazon Cloud Services.
    6. The Data Processor will take into account the nature of the personal data processed and will assist the Data Controller by appropriate technical and organizational measures - as far as possible - to meet the Data Controller's duty to respond to data subjects' requests for exercise of the rights set out in Chapter III of the Regulation.
    7. The Data Processor will assist the Data Controller in ensuring compliance with the obligations under Articles 32 to 36 of the Regulation, taking into account the nature of the processing and the information available to the Data Processor.
    8. In accordance with the guidance of the Data Controller, the Data Processor shall either delete or return all the personal data to the Data Controller after termination of the provision of the services associated with processing and shall delete its existing copies unless the applicable law requires the storage of such personal data.
    9. The Data Processor will provide all necessary information to demonstrate that the obligations set out in Article 28 of the Regulation will have been met and will enable audits and contribute to successful finalization of audits, including inspections carried out by the Data Controller or an auditor appointed by the Data Controller. The Data Processor shall immediately inform the Data Controller if, in its opinion, an order violates the Regulation or other privacy laws.
    10. Unless otherwise agreed, the personal data hereunder will be processed in the territory of the Member States of the European Economic Area.
  6. OTHER RIGHTS AND OBLIGATIONS OF THE PARTIES
    1. The Parties undertake to inform each other any without delay of any circumstances relevant to the cooperation under this Agreement, including information about the commencement of an inspection by the Office or another data protection authority, its subject matter and course, and shall cooperate with each other in the performance of this Agreement.
    2. The Data Processor will keep documentation regarding the processing of personal data under this Agreement and the technical and organizational measures taken to ensure the protection of the personal data.
  7. REPRESENTATIONS OF THE DATA PROCESSOR
    1. The Data Controller declares that it has obtained the personal data in accordance with the Regulation and other generally binding legal regulations and has fulfilled all the obligations under the Regulation so that personal data can be processed and handed over to the Data Processor so that the Data Processor can properly exercise its rights and obligations arising from this Agreement.
    2. If the aforementioned statement of the Data Controller proves to be false or misleading, the Data Controller undertakes to pay the Data Controller damages which arise to the Data Controller within the meaning of Section 2890 et seq. of the Civil Code.
  8. CONFIDENTIALITY OF INFORMATION
    1. The provisions of this Agreement are confidential and none of the Parties may disclose nor make available the same to any third party without the prior written consent of the other Party. This limitation does not apply to the disclosure of information:
      1. required by the law or by a decision issued by the competent authority; the Party required to make such a disclosure must make every effort to inform the other Party before disclosing the information; or
      2. made to professional advisers to any of the Parties, provided they are bound by a confidentiality obligation at least to the same extent as under this Agreement.
    2. The Data Processor undertakes to keep confidential all the facts that it learns during and in connection with the fulfilment of its obligations under this Agreement; this obligation survives the termination or expiration of this Agreement.
  9. TERM OF THE AGREEMENT
    1. This Agreement becomes valid and effective on the day it is duly signed by both the Parties.
    2. Tato Agreement is concluded for the term of the Main Agreement.
    3. Neither Party may withdraw from nor otherwise unilaterally terminate this Agreement otherwise than as expressly provided in this Agreement. The Parties explicitly exclude the application of applicable law provisions that otherwise may create the right of any of the Parties to withdraw from this Agreement.
  10. FINAL PROVISIONS
    1. This Agreement can only be validly and effectively changed by means of amendments explicitly approved by both the Parties.
    2. This Agreement as well as any non-contractual obligations arising out of or in connection herewith are governed by and must be interpreted in accordance with Czech law, regardless of the conflict of law provisions.
    3. The ineffectiveness or nullity of any provision of this Agreement, wholly or in part, does not affect the effectiveness or validity of the remainder of this Agreement.
    4. No rights or obligations of this Agreement can be assigned or transferred without the prior written consent of the other Party.