This DATA PROCESSING ADDENDUM concluded in accordance with Article 28(3) of Regulation (EU) No 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation) (the "GDPR") and Section 34(3) of Act No 18/2018 Coll. on the Protection of Personal Data and on Amendment of Certain Acts as amended (the "Personal Data Protection Act") (the "DPA")
BETWEEN:
Client as identified in the Contract (hereinafter referred to as the "Controller"),
and
Provider as identified in the Terms of Service (the "Processor")
(The Controller and the Processor together hereinafter as the “Parties” and individually as the “Party”)
THE PARTIES HAVE AGREED AS FOLLOWS:
1.1. This DPA shall form an integral part of the Contract and Terms of Service and shall cover processing of Personal Data by the Processor on behalf of the Controller for the purposes of provision of Services by the Processor to the Controller based on the Contract. By accepting the Terms of Service and concluding the Contract, the Parties also accept and enter into this DPA.
1.2. When providing the Services, the Processor processes Personal Data on behalf of the Controller, and the Parties intend by this DPA to ensure that such processing of Personal Data by the Processor complies with the GDPR and the Personal Data Protection Act.
1.3. The Controller, within the meaning of Article 4 of the GDPR and Section 5 of the Personal Data Protection Act, determines by this DPA the purposes and gives instructions for the processing of Personal Data that the Processor will process on their behalf and according to their instructions.
1.4. The Controller also declares that (i) it has complied with Article 28(1) of the GDPR and Section 34(1) of the Personal Data Protection Act, and (ii) the Processor provides sufficient guarantees ensuring that appropriate technical and organizational measures will be used and maintained during the processing of Personal Data by the Processor in order to comply with the applicable legal requirements and to ensure adequate protection of the rights of data subjects.
1.5. The subject matter and duration of the processing of Personal Data, the nature and purpose of the processing, the method of processing, the categories of data subjects and the scope of the Personal Data to be processed by the Processor on behalf of the Controller pursuant to this DPA are set out in Annex 1 to this DPA.
2.1. Terms beginning with capitals and used in this DPA that are not defined in this DPA shall have the meanings as set forth in the Processor’s Terms of Service.
2.2. Terms used in this DPA shall have the following meanings:
2.2.1. Additional processor is any third party that is entrusted by the Processor to process the Controller's Personal Data;
2.2.2. Data subject is an identified or identifiable natural person whose Personal Data is being processed;
2.2.3. Personal Data means any information which is part of Client Data and relates to an identified or identifiable natural person, who can be identified, directly or indirectly;
2.2.4. Personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed;
2.2.5. Processing means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;
2.2.6. Standard Contractual Clauses are the contractual document on the basis of which the transfer of Personal Data to third countries takes place in accordance with Commission Implementing Decision (EU) 2021/915 of June 4, 2021 on standard contractual clauses between controllers and processors pursuant to Article 28(7) of Regulation (EU) 2016/679 of the European Parliament and of the Council and Article 29(7) of Regulation (EU) 2018/1725 of the European Parliament and of the Council (Text with EEA relevance)
2.2.7. Third countries are countries that are not a member state of the European Union or are not a party to The European Economic Area Agreement.
3.1. Rights and Obligations of the Controller
3.1.1 Controller shall ensure that the Personal Data is obtained and processed based on a valid legal basis that enables the Controller to authorize the Processor to process Personal Data on the basis of this DPA for the purpose of use of Services by the Controller.
3.1.2 The Controller shall inform affected data subjects about the processing of their Personal Data in connection with the provision of the Services and to provide the data subjects with relevant information so that the information duty pursuant to Articles 12 and 13 of the GDPR and Section 19 of the Personal Data Protection Act is fulfilled.
3.1.3 The Controller instructs the Processor to process Personal Data based on this DPA and the Contract. If necessary, any instructions other than those contained in the DPA and the Contract may be given by the Controller to the Processor electronically in writing, including via the Platform or any other communication tool agreed between the Parties.
3.1.4 The Controller may require the Processor to demonstrate compliance with all legal obligations under Data Protection Laws and under this DPA, including the implementation of agreed technical and organizational measures for the protection of Personal Data.
3.1.5 The Controller, or an independent third-party auditor authorized by the Controller, is entitled to carry out a data protection audit of the Processor. The Processor shall have the right to oppose and reject the auditor selected by the Controller based on justified grounds (e.g., due to competition or conflict of interest). If the Processor rejects the auditor, the Parties will endeavor to find an auditor who meets the requirements of both Parties. The Controller and the auditor determined by the Controller may request from the Processor information relating to the processing of Personal Data under this DPA. The Controller shall give the Processor at least 30 days' prior written notice of the planned audit, including information about the scope of the audit. The Controller shall reimburse the Processor for all demonstrable costs incurred by the Processor in connection with the performance of the audit based on the then-current pricing fees of the Processor. When conducting an audit, the Controller shall comply with the Processor's security and organizational instructions in order not to disrupt or restrict the Processor's operations or infringe obligations of the Processor towards its other customers and third parties. Upon request of the Processor, the Controller and the auditor shall enter into a non-disclosure agreement with the Processor covering the subject matter of the audit and information obtained by the Controller and the auditor during the audit.
3.2. Rights and Obligations of the Processor
3.2.1 The Processor shall take commercially reasonable measures necessary to comply with the Data Protection Laws and to ensure the protection of the rights of data subjects and shall, in particular, take appropriate technical and organizational measures and process Personal Data in accordance with the Controller's instructions and the provisions of this DPA and the Contract.
3.2.2 The Processor shall process Personal Data in accordance with the instructions of the Controller and exclusively to the extent, under the conditions and for the purpose set out by the Controller in this DPA and the Contract. The Processor shall confirm the receipt of other instructions from the Controller according to Clause 3.2.3 of this DPA to the Controller electronically in writing. The Processor shall notify the Controller without delay before commencing the processing of Personal Data if it is required to process Personal Data to comply with a legal requirement outside the scope of the Controller's instructions and such notification is not contrary to the public interest or to the applicable laws. For avoidance of any doubt the Parties confirm that this provision does not exclude the right of the Processor to process Personal Data for its own purposes as an independent controller in accordance with the respective provisions of the Terms of Service.
3.2.3 The Processor is obliged to inform the Controller without delay if they consider the Controller's instructions to be contrary to the Data Protection Laws or if compliance with those instructions cannot ensure adequate protection of the rights of data subjects. The Controller acknowledges that the instructions contrary to the Data Protection Laws may cause disruption or suspension of the provision of Services under the Contract without raising the liability against the Processor.
3.2.4 When processing Personal Data, the Processor is obliged to act in accordance with the Data Protection Laws.
3.2.5 The Processor is responsible for the security of the processing of Personal Data in accordance with Article 32 of the GDPR and Section 39 of the Personal Data Protection Act and for compliance with the appropriate technical and organizational measures according to Annex 3 of this DPA.
3.2.6 The Processor is obliged to ensure that only authorized persons and third parties have access to the Personal Data and that they are bound by an obligation of confidentiality and/or secrecy, which will continue after the processing of the Personal Data has been completed. The Processor also declares that the authorized persons have been informed of their obligations under the Data Protection Laws and this DPA with respect to the processing of Personal Data.
3.2.7 The Processor is obliged to notify the Controller of any Personal data breach that has occurred in relation to the provision of Services without undue delay upon becoming aware of the Personal data breach. The Processor will provide the Controller with the information about the Personal data breach as required by the Data Protection Laws at that moment and to the extent the information is available to the Processor. Notification of the Controller about a Personal data breach by the Processor does not constitute an admission of any liability of the Processor for the Personal data breach.
3.2.8 The Processor shall delete any Personal Data, or any copies thereof, within 90 days after the termination of the provision of the Services under the Contract or after the lapse of the processing period required by the applicable laws. The Processor will delete Personal Data or return Personal Data to the Controller prior to the period mentioned in the previous sentence only upon request of the Controller, and within the timeframe agreed with the Controller, unless such Personal Data deletion does not contravene the applicable laws. The Controller agrees to use the functionalities of the Platform to proceed with the deletion or return of Personal Data, and only if the available functionalities do not provide the Controller with the possibility to delete or return Personal Data will the Controller approach the Processor with the respective request.
3.2.9 If the data subject addresses the Processor with the request concerning rights relating to the processing of Personal Data under the Contract and this DPA, the Processor shall refer the data subject to the Controller and shall inform the Controller of such request without delay. The Processor shall provide the Controller with assistance in processing the data subject's request in accordance with Article 28(3)(e) GDPR to the extent that the data subject's request cannot be handled by the Controller independently using the functionalities of the Platform and the information about the processing of the Personal Data in the context of the provision of the Services available to the Controller.
3.2.10 The Processor commits to follow the procedure set out in Article 4 of this DPA when entrusting any third party with the processing of Personal Data.
3.2.11 The Processor commits to provide the Controller with commercially reasonable support to ensure the fulfillment of obligations under Article 32 and Article 36 GDPR and Sections 39 to 43 of the Personal Data Protection Act, if such obligation cannot be fulfilled by the Controller independently, without requesting the support from the Processor.
3.2.12 The Processor commits to provide the Controller with the commercially reasonable support in the event of exercising its right to audit and to provide the Controller with the information to demonstrate compliance with the obligations established by the Data Protection Laws and by this DPA under the conditions as agreed in sections 3.1.4 and 3.1.5 of this DPA.
4.1. The Controller hereby authorizes the Processor to entrust additional processors with the processing of Personal Data according to this DPA.
4.2. The Processor shall inform the Controller via email sent to the contact person of the Controller referred to in the Registration Form of any engagement of another processor at least 15 business days in advance.
4.3. The Controller shall have the right to object to the engagement of the additional processor within 10 days from the day of receipt of the notification of the additional processor. If the Controller does not exercise this right, it is considered by the Parties that the Controller agrees with the engagement of the additional processor. The Controller undertakes to exercise its right to object to the new additional processor only in reasonably justified cases. The Controller acknowledges that the exercise of the right to object to the engagement of another processor may result in the impossibility of processing Personal Data pursuant to this DPA and, therefore, the impossibility of provision of the Services under the Contract. In such an event the Parties agree that the Controller is not entitled to raise any claims against the Processor other than those expressly granted to the Controller in the Contract in relation to the inability of the Processor to provide the Services due to reasons caused by the Controller. In particular, the Controller shall not be entitled to claim any additional compensation or a refund of the fee for the Services already paid for.
4.4. The Processor shall ensure that the additional processor to whom an authorization has been granted in accordance with the paragraphs above is bound by at least materially similar obligations regarding the protection of Personal Data as the Processor has undertaken under this DPA.
4.5. The Processor shall be directly liable to the Controller for actions of its additional processors when processing Personal Data under this DPA.
4.6. At the time of conclusion of this DPA, the Processor has entrusted the processing of Personal Data under this DPA to the additional processors listed in Annex 2 of this DPA, to which the Controller agrees.
5.1. The Processor is entitled to transfer Personal Data processed under this DPA to third countries only if the third country provides an adequate level of data protection as required by the Data Protection Laws and if it ensures that the level of protection of Personal Data after such transfer corresponds to the level of protection under this DPA. The Processor shall ensure that adequate security and protection measures are complied with in accordance with this DPA and the Data Protection Laws and that the rights of data subjects are not compromised. For the purpose of such transfer, the Processor agrees to enter into the relevant module of the Standard Contractual Clauses with the respective third party located in the third country to which Personal Data is transferred.
5.2. When the Controller is located outside the EU/EEA and the data is transferred by the Controller to the Processor, which is located in an EU Member State, the Parties agree to enter into Module 2 of the Standard Contractual Clauses. The Parties agree that the information set out in the annexes of this DPA serves for the purpose of completing the annexes of Module 2 of the Standard Contractual Clauses, while the following choices shall apply for the purpose of filling in the body of Module 2 of the Standard Contractual Clauses:
5.2.1 Clause 9 (a): option 2 shall apply;
5.2.2 Clause 11: the optional language shall not apply;
5.2.3 Clause 17: option 1 shall apply and the Standard Contractual Clauses shall be governed by Slovak law;
5.2.4 Clause 18(b): disputes shall be resolved by the courts of the Slovak Republic.
6.1. The limitation of liability as agreed in the Contract and Terms of Service shall apply for the purposes of this DPA.
6.2. The Processor may be released from liability under this article of the DPA if the Processor proves that the damage was not caused by the Processor.
7.1. This DPA shall be valid and effective from the date of its signing by the Parties and shall terminate on the date of termination of the Contract. If necessary, the DPA shall remain in force after the termination of the Contract for the period necessary for further processing of Personal Data, if required so based on the applicable laws.
7.2. The Controller shall have the right to terminate this DPA under the same conditions as applicable for the Contract.
8.1. The Parties have stipulated that the following persons are authorized to communicate on behalf of the respective Party for matters arising out of this DPA:
8.1.1 Contact details of the Controller as provided by the Controller in the Registration Form, unless Parties agree otherwise.
8.1.2 Contact details of the Processor:
Name and surname: Viktor Magic
Phone number: 00421908361361
E-mail: dpa@nicereply.com
8.2. In the event of any change regarding the above contact persons, the Party concerned shall immediately inform the other Party of such change.
9.1. If any contract, other binding document or agreement entered into between the Parties contains provisions relating to the protection of Personal Data in the processing of Personal Data in the provision of the Services, on the effective date of this DPA, such provisions shall cease to be valid and effective and the processing of Personal Data between the Controller and the Processor shall be governed solely by the provisions of this DPA.
9.2. The rights and obligations not expressly provided for in this DPA shall be governed by the relevant provisions of generally binding legislation of the Slovak Republic.
9.3. In case of a dispute arising out of this DPA, the Parties agree that such disputes shall be resolved primarily by mutual negotiations between the representatives of the Parties, and if the dispute is not resolved by negotiations, the Parties shall refer the dispute to the court of the Slovak Republic having jurisdiction in the subject matter and place of the dispute.
9.4. The following annexes are an integral part of this DPA:
Annex 1: Specification of the processing of Personal Data by the Processor on behalf of the Controller
Annex 2: Agreed additional processor(s) authorized by the Processor
Annex 3: Technical and organizational measures to ensure the security of Personal Data
9.5. This DPA may be amended only by agreement of the Parties in the form of written amendments to the DPA.
9.6. The Parties declare that their legal capacity and freedom to enter into this DPA, as well as their capacity to perform related legal acts is not limited or excluded by anything and that they have read this DPA, understand its contents and that they conclude this DPA freely and seriously, that it has not been concluded under unfavorable terms or under duress.
1. Parties:
Data Exporter: Provider acting as data processor (details of Provider as available in the Terms of Service and in section 8.1 of the DPA)
Data Importer: Client acting as data controller (details of Client available in the Contract and in section 8.1 of the DPA)
2. Subject and purpose of the processing of Personal Data:
Personal Data shall be processed by the Processor for the purpose of providing the Services to the Controller in accordance with the terms of the Contract.
3. Method of Processing Personal Data:
Personal Data shall be processed on the Platform when the Controller uses the Software. In particular, Personal Data can be collected, recorded, structured, used, altered, retrieved, deleted and stored to create and use Results focusing in particular on
- customer satisfaction,
- customer effort score,
- net promoter score and
- tracking the quality of the customer support.
4. Period of processing of Personal Data:
The Personal Data will be processed for the duration of the Parties' cooperation under the Agreement and in accordance with the time period determined pursuant to Article 7 of this DPA.
5. Categories of Data Subjects:
Employees, representatives, associates, agents, customers, and partners of the Controller and Controller’s customers
6. Scope of processing of Personal Data of data subjects:
- Name and surname
- Email address
- Phone number
- Business address
- IP address
- Internal identification number
- Content of the reviews, feedbacks, questionnaires submitted by the Controller and Controller’s customers
7. The scope of the processing of special categories of Personal Data of data subjects:
No special categories of Personal Data are subject to processing.
The Parties agree that for processing of Personal Data under the DPA the Processor is authorized to engage and use additional processors as listed in the table below:
| Sub-processor | Location | Purpose (provided services) |
|---|---|---|
| Amazon Web Services EMEA SARL | 38 avenue John F. Kennedy, L-1855 Luxembourg | On-demand cloud computing platform |
| Mailchimp c/o The Rocket Science Group, LLC | 675 Ponce De Leon Ave NE Suite 5000, Atlanta, GA 30308, USA | Email services provider: a) survey distribution via email; b) Nicereply's notifications to controller's account users |
| Google LLC | 1600 Amphitheater Parkway, Mountain View, California, USA | Account administration |
| HelpScout PBC | 100 City Hall Plaza, 5th Floor, Boston, MA 02108, USA | Customer support (Help Desk software) |
| Functional Software, Inc. dba Sentry | 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA | Application monitoring/error tracking |
When processing personal data under this DPA, the Processor undertakes to comply with the technical and organizational measures as follows:
Access Controls
We employ strong authentication mechanisms in combination with password vaults.
Encryption
Sensitive data is encrypted both in transit and at rest using robust encryption algorithms and secure key management practices.
System and Network Security
We employ firewalls, Intrusion Prevention Systems (IPS), and antivirus and anti-malware software.
Secure Development Practices
We follow secure coding practices, such as but not limited to: OWASP Top 10, code reviews and testing, static source code vulnerability scanning, strong authentication and authorization mechanisms, secure third-party libraries, and secure logging.
Incident response and management
We maintain an incident response plan and follow documented incident response policies, including data breach notification to the Controller without undue delay where a breach is known or reasonably suspected to affect Client Personal Data.
Data backup and recovery
We implement regular and automated backup procedures.
Employee Training and Awareness
We provide security awareness training to employees to educate them about security best practices, social engineering threats, and their responsibilities in safeguarding data and systems.
Physical security
All data is securely stored in AWS data centers.
Patch management
We implement a process for the timely and regular application of security patches and updates to operating systems, software, and firmware to address known vulnerabilities.
Workstation protection
We employ processes to enforce usage of end-user devices in compliance with security standards such as but not limited to: screen saver, antivirus software, firewall software, and appropriate patch levels.
Privacy by design
We incorporate Privacy by Design principles for systems and enhancements at the earliest stage of development, and educate all employees on security and privacy.
No more personal data is collected than is necessary for the respective purpose.
The list provided above is not exhaustive, and the Data Processor is entitled to take any additional technical and organizational measures in order to ensure safe personal data processing.