Data Processing Agreement

1. Introductory provisions

1.1 These terms of processing personal data (the “Data Processing Agreement”) govern the rights and obligations between you as the controller (the “Controller”) and us, Sufio s.r.o., with registered address at Krátka 8, 811 03 Bratislava, Slovak Republic (Company registration number: 45 991 880), as the processor (the “Processor”) in the context of providing the Service on the Website.

1.2 Capitalised terms not defined in this Data Processing Agreement take the meaning assigned to them in the Terms of Service and/or the Privacy Policy.

2. Subject matter, purpose and period of processing

2.1 The Processor will, on behalf of the Controller, process personal data of individuals – the Controller’s customers and/or subscribers (“Data Subjects”) – indicated by the Controller in his invoices created in the context of using the Service on the Processor’s Website, namely: name of the Data Subject’s company, its address (street name, street number, city, postcode, country), company registration number, tax identification number, VAT registration information, other business information (e.g. registration in the business or other register, information about the amount of capital and the amount paid up, etc.), notes about the Data Subject’s company, the name, surname, phone number and email address of the Data Subject or its contact person, and data on the invoiced products and the quantity and price of the products (“Personal Data”).

2.2 The Processor will process the Personal Data of Data Subjects for the purposes of providing the Service for the Controller on the Website.

2.3 The Processor may process the Personal Data on behalf of the Controller throughout the duration of the contract between the Controller and the Processor (i.e. the duration of the Controller’s account with the Service). Within 60 days of achieving the purpose of processing, the Processor will delete or return to the Controller all Personal Data and delete all existing copies unless applicable legislation requires storage of the Personal Data by the Controller.

3. Terms of processing

3.1 The Processor will process the Personal Data in accordance with applicable legislation, in particular, the GDPR and Act No. 18/2018 Coll. on the protection of personal data.

3.2 The Processor will process the Personal Data only on the basis of documented instructions from the Controller, except for cases when required to do so by applicable legislation; in such a case, the Processor will inform the Controller of that legal requirement before processing, unless the relevant legislation prohibits such information on important grounds of public interest.

3.3 The Processor is not authorized to process the Personal Data for a purpose other than that specified by the Controller. The Processor is not authorized to transmit the Personal Data to countries outside the European Union or to third countries that do not guarantee an adequate level of protection.

3.4 The Processor will inform the Controller without delay if the Processor believes that an instruction of the Controller contradicts the GDPR or other legislation relating to the protection of personal data.

4. Specific obligations of the Processor

4.1 The Processor may engage another processor (subcontractor) in the processing of Personal Data, of which the Processor will inform the Controller without undue delay. The Processor will inform the Controller of any intended changes concerning the addition or replacement of other processors, giving the Controller the opportunity to object to such changes at any time. If the Processor engages another processor in the processing of Personal Data, the Processor will impose on that other processor, by means of a contract, the same data protection obligations as set out in this Data Processing Agreement, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. If that other processor fails to fulfill its data protection obligations, the Processor will remain fully liable to the Controller for the performance of that other processor's obligations.

4.2 The Processor undertakes to assist the Controller in assessing the impact of data protection and in prior consultations of supervisory authorities as reasonably deemed necessary by the Controller within the meaning of Articles 35 and 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.

4.3 If the Data Subject exercises his or her rights vis-à-vis the Processor within the meaning of Chapter III of the GDPR, the Processor will forward this request to be processed by the Controller. The Processor may inform the Data Subject of forwarding this request to be processed by the Controller. Having taken into account the nature of the processing, the Processor will assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR.

5. Security of Personal Data

5.1 The Processor undertakes to take all measures required under Article 32 of the GDPR; in particular, the Processor undertakes to take appropriate technical and organisational measures taking into account, above all, the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.

5.2 The Processor will provide the Controller, at any time at the latter’s request, with any information required to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, in particular, the obligations to take appropriate technical and organisational measures so that the processing meets the requirements of the GDPR and the protection of the Data Subject’s rights is ensured.

5.3 For the purposes of checking compliance with the obligations laid down in this Data Processing Agreement, the Processor will allow for and contribute to audits, including inspections, conducted by the Controller (or another auditor mandated by the Controller).

5.4 The Processor will comply with the obligation of secrecy of processed Personal Data and will not make available or provide the Personal Data to any third party unless otherwise provided in this Data Processing Agreement. The Processor will ensure that its employees or other persons who are authorized to process or have access to Personal Data are bound by the obligation of secrecy within the meaning of this Article.

6. Final provisions

6.1 This Data Processing Agreement represents the legally binding agreement on the processing of personal data between the Controller and the Processor within the meaning of Article 28 of Regulation (EU) 2016/679 – the General Data Protection Regulation (hereinafter the “GDPR”). The Controller declares that it has read, agrees with without reservation, is bound by and undertakes to abide by this Data Processing Agreement.

6.2 Should any of the provisions of this Data Processing Agreement be found to be or become invalid, ineffective or unenforceable, this will not affect the other provisions and the parties undertake to replace such provisions with valid, effective and enforceable provisions that are closest to the commercial purpose of the original provisions.

6.3 This Data Processing Agreement forms part of the Privacy Policy and the Terms of Service made available on the Processor’s Website.

6.4 This Data Processing Agreement becomes valid and effective on May 25, 2018.

Last updated on May 24, 2018.