Data Processing Addendum

(hereinafter the “Addendum”)

This Addendum made under Article 28 (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the “GDPR”) is an integral part of the General Terms and Conditions of FaceUp Technology s.r.o., ID: 061 42 630, with registered office at Udolni 567/33, 602 00, Brno, Czech Republic, registered in the Commercial Register kept by the Regional Court in Brno, section C, file 100325 (hereinafter the “Processor” or “Provider”), which is the author, owner and operator of a product, through which, in particular, messages (reports) from third parties (whistleblowers) are received, stored and further processed in a specified manner via a form on the website (report.faceup.com) and/or in the Processor’s application (available through Google Play and App Store) (hereinafter the “Product”).

Introductory Provisions

This Addendum does not apply to the rights and obligations arisen in connection with general browsing of the website www.faceup.com, as such rights and obligations are governed by the Website Use Terms and Rules, and is made, as part of the General Terms and Conditions, for the purpose of protection of personal data during their processing by the Processor solely within the scope of the provision of the Product to the Controller, to the extent of rights and obligations arising for the Parties hereto from the GDPR during the processing of personal data within the scope of the provision of the Product.

The Processor provides a complex solution to persons who use the Product as a tool for dealing with adverse reports, receiving notifications from third parties and/or the internal whistleblower protection notification system and who register via the Processor's website and/or application (hereinafter the “Client” or “Controller”), by means of which the Provider, in particular, receives messages (reports) from third parties and subsequently stores, processes and makes them available to the Client via a profile or by sending them in the form of an encrypted document, whereby the Client uses the Product to handle and administer messages (reports) and communicate with the whistleblower, and also to comply with obligations under the Whistleblower Protection Act or where the Client is a school or other similar establishment to prevent and deal with bullying or other similar behavior.

The subject of the contractual relationship between the Provider and the Client is the obligation of the Processor (as the operator of the Product) to allow persons who wish to make a report via a form on the Processor’s website and/or application (hereinafter the “Whistleblower”) informing the Controller of certain facts – usually of an undesirable nature (hereinafter the “Report”) to make such Report via the Processor’s website and/or application.

The use of the Product involves the processing of personal data of persons working in the Controller’s organization, in particular employees, members of company bodies, business partners, Whistleblowers, as well as other persons cooperating with the Controller, if any, who submit a Report via the website and/or the Processor’s application.

This Addendum specifies the extent of personal data that will be processed free of charge, the purpose for which they will be processed, the time for which they will be processed, the rights and obligations of the Controller and the Processor, and audits and inspections at the Processor.

For the purposes of this Addendum, the processing of personal data means, in particular, their collection, saving on data carriers, use, sorting or combining, blocking and destruction by manual and automated means (e.g. specialized software) to the extent necessary for securing proper provision of the Product.

Whenever used in this Addendum, the terms “controller”, “data subject”, “personal data”, “personal data breach“, “processing” and “processor” as well as the terms derived from or related to them have the meaning defined in Article 4 of the GDPR.

Extent of Personal Data Processing

In accordance with this Addendum, the Processor will process mainly personal data of the following categories of data subjects the context of the use of the Processor’s website and/or application or from mutual communication or documentation:

1. employees of the Controller;
2. members of bodies of the Controller;
3. business partners of the Controller; 
4. Whistleblowers who submit a Report;
5. users of the Processor’s website and/or application;
6. administrator and administration users (admin.faceup.com) of Controller ;
7. contact persons stated in the Product provision agreement; and
8. any other persons cooperating with the Controller.

Under this Addendum, the Processor shall process, in particular, the following personal data, which the Processor has obtained for, on behalf, or from the Controller in connection with its activities and which the Controller transfers or otherwise provides to the Processor for this purpose:

1. identifying information of data subjects (name and surname, in particular, if provided);
2. contact details of data subjects (mailing address, email address, telephone number, in  particular, if provided);
3. information provided in the Report;
4. billing and payment details (account number and bank details, in particular);
5. business details of the data subject;
6. IP address of the data subject;
7. cookies;
8. business activity details; 
9. organization unit or school of the data subject; and
10. details from mutual communication concerning the report.

Purpose and Duration of Processing

The Processor undertakes to process personal data only to the extent necessary for the proper provision of the Product and to ensure its obligations in providing the Product, which is guaranteed by the Processor’s minimal access to personal data, for example by means of encryption. No other purpose of processing is agreed or permitted.

Personal data are processed for the period of provision of the Product, and this Addendum is terminated when the Product is ceased to be provided. Upon termination of this Addendum; however, the obligations of the Processor concerning the security and protection of personal data do not cease to exist until their official and complete disposal or their official handover to a different processor.

The Processor undertakes, upon the Controller’s written request, to return all personal data to the Controller or delete all existing copies thereof immediately upon the termination of the provision of the Product and/or upon the termination of this Addendum in accordance with the Controller’s decision unless applicable laws and regulations stipulate otherwise. The Controller is obligated to give such a direction without undue delay, but no later than thirty (30) calendar days as of the termination hereof. In the event the Controller fails to do so, the Processor shall be entitled to dispose of the personal data provided by the Controller to the Processor under this Addendum unless the Processor is aware of any statutory obstacles thereto and to inform the Controller of the disposal without undue delay thereafter.

Rights and Obligations of the Controller and the Processor 

The Controller:

(a) undertakes to take, prior to disclosing personal data or making them available to the Processor, such steps to secure that the disclosing of the personal data or making them available will not constitute a breach of applicable and effective privacy and data protection laws;

(b) declares and guarantees to the Processor that all the personal data the processing of which is the subject of the Product and/or this Addendum were obtained and are processed by the Controller in accordance with legal regulations, mainly but not exclusively the GDPR and Act No. 110/2019 of the Collection of Laws of the Czech Republic (Coll.), on the Processing of Personal Data, as amended.

The Processor undertakes:

(a) to comply with applicable and effective data protection and privacy laws, in particular, but not exclusively, the GDPR and Act No. 110/2019 Coll., on personal data processing, as amended ;

(b) to process personal data only based on the documented instructions of the Controller, including the transfer of personal data to third countries or international organizations, unless such processing is already required by legal regulations of the European Union or its Member State applicable to the Processor;

(c) to maintain the confidentiality of all personal data provided or made available to the Processor by the Controller or which it acquires in connection with the provision of the Product to the Controller, with the exception of their transfer to sub-processors and service providers of the Processor;

(d) to ensure that all its employees, members of its bodies and its business partners with authorized access to the processed personal data (or with the authorization to process them) undertake to comply with adequate confidentiality obligations, or that they are duly informed of their statutory obligation of confidentiality, if applicable, before taking the first action in connection with the provision of the Product;

(e) to always apply technical and organizational measures to protect the processed personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access to the personal data, which must be proportionate to the risks, of various likelihood and severity, to the rights and freedoms of natural personal whose personal data are being processed, taking into account the current technology, costs of their implementation and the nature, scope, context and purpose of the processing, possibly including measures for pseudonymization and encryption of the processed personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services, the ability to restore the availability of and access to the personal data processed in a timely manner in the event of physical or technical incidents, and the process for regular testing, assessment and evaluation of the effectiveness of the implemented technical and organizational measures ensuring the security of the processing;

(f) to provide the Controller with such cooperation, assistance and information as the Controller may reasonably request and the Processor is reasonably able to provide to allow the Controller to comply with its obligations under the applicable and effective legal regulations on the protection of personal data and privacy and to cooperate with the relevant authorities in connection with the processed personal data, including, if applicable, providing support to the Controller where relevant to the nature of the processing by the Processor;

(g) not to engage any sub-processor in the processing without the prior specific or general written consent of the Controller. In the case of general written consent, the Processor undertakes to inform the Controller of any intended changes concerning the engagement of a sub-processor or replacement thereof, thereby giving the Controller the opportunity to object to such changes. The following entities are expressly permitted as processors and sub-processors:

1. Google LLC (web analytics and online marketing tools);
2. Facebook Ireland Ltd. (online marketing tools);
3. Hotjar, Inc. (web analytics tools);
4. ECOMAIL.CZ, s.r.o. (online marketing tools);
5. Pipedrive Inc. (CRM tools);
6. Microsoft Corporation (online marketing tools);
7. Seznam.cz, a.s. (online marketing tools);
8. Imper CZ s.r.o., operator of the Leady.cz website (online marketing tools);
9. Crisp IM (customer support tools); and
10. including any other newly engaged processors and sub-processors, if any, of which the Processor notifies the Controller in writing, including by email, where the Controller is entitled to object to such new processors and sub-processors and the Processor is obligated to take such objections into account;

(h) to entrust with the processing of personal data only the processors and sub-processors which provide a sufficient level of security of personal data at least to the extent required by the applicable and effective legal regulations on the protection of personal data and privacy;

(i) to promptly notify the Controller in writing and in reasonable detail if the Processor becomes aware or reasonably suspects that a personal data breach or another serious incident which compromises or exposes a significant weakness in the security of personal data has occurred while in its possession or control (hereinafter the “Personal Data Security Incident”);

(j) in the event of a Personal Data Security Incident:

1. to take all reasonable steps to identify and address the root cause of the Personal Data Security Incident and thereby eliminate or exclude the risk of recurrence and occurrence of similar Personal Data Security Incidents;
2. to take such steps as the Controller may reasonably request and the Processor may reasonably take to help the Controller address the adverse consequences of the Personal Data Security Incident and to ensure compliance with the Controller's obligations under applicable and effective data protection and privacy laws; and
3. to report promptly and regularly to the Controller on the measures taken and their results;

(k) to disclose to the Controller any information it may reasonably request; 

(l) to promptly notify the Controller in writing if the Processor believes that compliance with the Controller's instruction may violate applicable and effective data protection and privacy laws. 

Audits and Inspections at the Processor

The Controller (or its authorized auditors) shall be entitled to carry out reasonable audits and/or inspections necessary to verify the Processor’s compliance with this Addendum upon prior written request, which must be delivered to the Processor at least one month in advance. The Processor undertakes to allow reasonable audits and inspections to take place and to provide all necessary assistance to the Controller in carrying them out.

The Controller is obliged, for so long as its employees or its authorized auditors are at the Processor’s premises during any such audit or inspection, to prevent (or if this is not possible, at least minimize) any damage, personal injury or disruption to the Processor’s premises, equipment, employees, and business.

The Processor is entitled to claim reimbursement from the Controller for the necessary costs associated with the audits and inspections carried out at the Processor, as well as reimbursement for any lost time of the Processor and of the Processor’s employees involved in the audit or inspection, or for any downtime in their work caused by the audit or inspection, namely in the lump sum of 60€/hour/person.

The Processor is not obliged to allow access to its premises for the purposes of such an audit or inspection:

1. to individuals who do not provide adequate proof of identity and authorization;
2. outside normal business or operating hours at such premises, unless it is an urgent audit or urgent inspection, of which the Controller is obliged to give notice to the Processor prior to the commencement of the audit or inspection outside normal business or operating hours; or
3. in the case of more than one audit or inspection per two calendar years.

Final Provisions

This Addendum is concluded for a fixed term, for the duration of the provision of the Product.