Data Processing Addendum

This Addendum made under Article 28 (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”) is an integral part of the General Terms and Conditions of FaceUp Technology s.r.o., ID: 061 42 630, with registered office at Udolni 567/33, 602 00, Brno, Czech Republic, registered in the Commercial Register kept by the Regional Court in Brno, section C, file 100325 (hereinafter referred to as the “Processor” or “Provider”), which is the author, owner and provider of the mobile and web application “FaceUp” provided via the user interfaces at the internet addresses or (hereinafter referred to as the “Website”), and/or the mobile application FaceUp available in Google Play and App Store (hereinafter referred to as the “Application”).

This Addendum does not apply to the rights and obligations arisen in connection with normal browsing of the website, as such rights and obligations are governed by the Website Use Terms and Rules, and is made, as part of the General Terms and Conditions, for the purpose of protection of personal data during their processing by the Processor solely within the scope of the provision of Services to the Controller, to the extent of rights and obligations arising for the Parties hereto from the GDPR during the processing of personal data within the scope of the provision of Services.

The Processor provides the parties that use the Website and/or Application for the purposes of making use of the Services – that implement this solution into their structure as a solution for reporting undesirable situations, receiving reports from third parties and/or as an internal whistleblowing system for the protection of whistleblowers, and that register themselves through the Website and/or Application (hereinafter referred to as the “Client” or “Controller”) with the Services through which the Provider particularly receives messages (reports) from third parties and subsequently stores them in the Application and makes these data available to the Client via a profile or by sending them in the form of an encrypted document, whereby the Client uses the Provider’s Website and/or Application to handle and administer messages (reports) and to communicate with the whistleblower, and as the case may be, to fulfil obligations under the Whistleblower Protection Act, or if the Client is a school or a similar facility, to prevent and handle bullying or other similar behavior (hereinafter referred to as the “Services”).

The subject of the contractual relationship between the Provider and the Client is, in particular, the obligation of the Provider to allow persons who wish to submit a report to perform an action through a form on the Website and/or the Application (hereinafter referred to as the "Whistleblower") informing the Client of certain facts – usually of an undesirable nature (hereinafter referred to as the "Report") using the Client's access code through a form on the Website and/or the Application to submit such report.

Due provision of Services requires i.a. the processing of personal data of persons working in the Controller’s organization, in particular employees, members of bodies, business partners and whistleblowers who submit a report through the Website, using the access code of the Controller and other parties, if any, cooperating with the Controller; and

This Addendum specifies the extent of personal data that will be processed, the purpose for which they will be processed, the time for which they will be processed, the rights and obligations of the Controller and the Processor, and audits and inspections at the Processor.

For the purposes of this Addendum, the processing of personal data means, in particular, their collection, saving on data carriers, use, sorting or combining, blocking and destruction by manual and automated means (e.g. specialized software) to the extent necessary for securing proper provision of Services.

Whenever used in this Addendum, the terms “controller”, “data subject”, “personal data”, “personal data breach“, “processing” and “processor” as well as the terms derived from or related to them have the meaning defined in Article 4 of the GDPR. 

The Parties agree that the personal data processing under this Addendum will be free of charge.

Extent of Personal Data Processing

In accordance with this Addendum the Processor will process personal data of the following categories of data subjects, in particular, within the Application, Website and/or mutual communication or documentation:

  1. employees of the Controller;
  2. members of bodies of the Controller;
  3. business partners of the Controller; 
  4. Whistleblowers submitting a Report through the Website, using the Controller’s access code;
  5. users of the Website;
  6. administrator of the Controller and users of the Controller’s administration;
  7. contact persons stated in the Service Agreement; and
  8. any other persons cooperating with the Controller.

In accordance with this Addendum the Processor will process, in particular, the following personal data that the Processor obtained for, on behalf of or from the Controller in connection with the Processor’s activity and that the Controller will provide or otherwise make available to the Processor:

  1. identifying information of data subjects (name and surname, in particular, if provided);
  2. contact details of data subjects (mailing address, email address, telephone number, in particular, if provided);
  3. information provided in the Report;
  4. billing and payment details (account number and bank details, in particular);
  5. business details of the data subject;
  6. IP address of the data subject;
  7. cookies;
  8. business activity details; 
  9. organization unit or school of the data subject; and
  10. details from mutual communication concerning the report.

Purpose and Duration of Processing

The Processor undertakes to process personal data only to the extent necessary for the purpose of due provision of its Services and compliance with its obligations associated with the provision of Services, which is guaranteed by minimum access of the Processor to the personal data, e.g. by means of encryption. No other purpose is agreed and permitted by the Parties.

Personal data will be processed for the duration of the provision of Services, and upon termination of the provision of Services this Addendum terminates without further notice. The Processor’s obligations related to the security and protection of personal data will survive termination of this Addendum and apply until the moment of full destruction or handover of such personal data to another processor as recorded in a record of destruction or handover.

The Processor undertakes, on a written instruction from the Controller and in accordance with the Controller’s decision, to return all personal data to the Controller or erase all their existing copies immediately after termination of the provision of respective Services unless set out otherwise in a legal regulation. The Controller is obliged to give this instruction without undue delay but no later than thirty (30) calendar days after the cessation of this Addendum. If the Controller fails to do so, the Processor may destroy the personal data that were provided to the Processor by the Controller under this Addendum unless the Processor is aware of an obstacle defined in a legal regulation, and will inform the Controller about the destruction immediately afterwards.

Rights and Obligations of the Controller and the Processor

The Controller:

  1. undertakes to take, prior to disclosing personal data or making them available to the Processor, such steps to secure that the disclosing of the personal data or making them available will not constitute a breach of applicable and effective privacy and data protection laws;
  2. declares and guarantees to the Processor that all the personal data the processing of which is the subject of the Services and/or this Addendum were obtained and are processed by the Controller in accordance with legal regulations, mainly but not exclusively the GDPR and Act No. 110/2019 of the Collection of Laws of the Czech Republic (Coll.), on the Processing of Personal Data, as amended.

The Processor undertakes:

  1. to comply with applicable and effective privacy and data protection laws, mainly but not exclusively the GDPR and Act No. 110/2019 Coll., on the Processing of Personal Data, as amended, in relation to processing personal data;
  2. to process personal data only on the basis of documented instructions from the Controller, including issues of transfer of personal data to a third country or an international organization, unless such processing is already required by the European Union or Member State law to which the Processor is subject;
  3. to maintain the confidentiality of all personal data provided or disclosed to the Processor by the Controller, or which the Processor will learn in connection with the provision of services to the Controller, except for the transfer of such data to sub-processors and service providers of the Processor;
  4. to ensure that all of the Processor’s employees, members of the Processor’s bodies and the Processor’s business partners with authorized access to (or authority to process) the personal data processed undertake to observe appropriate confidentiality conditions or are duly informed of their legal obligation of confidentiality, if applicable, before fulfilling the first task in connection with the provision of Services;
  5. to apply at all times technical and organizational measures to protect personal data processed against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, which must be proportionate to the risks of varying likelihood and severity to the rights and freedoms of the individuals whose data are processed, taking into account the state of the art, the cost of implementation and the nature, scope, context and purpose of the processing, including, where appropriate, measures for pseudonymization and encryption of the personal data processed, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services, the ability to restore the availability of and access to the personal data processed in a timely manner in the event of physical or technical incidents, and the process of regular testing, assessment and evaluation of the effectiveness of the technical and organizational measures in place to ensure the security of the processing;
  6. to provide the Controller with such assistance, aid and information as the Controller reasonably requests and the Processor is reasonably able to provide to enable the Controller to comply with its obligations under applicable and effective privacy and data protection laws and to cooperate with the competent authorities in relation to the personal data processed, including, where appropriate, providing support to the Controller where relevant to the nature of the processing by the Processor;
  7. not to involve any other processor in the processing without the prior specific or general written permission of the Controller. In the case of general written permission, the Processor undertakes to inform the Controller of any intended changes concerning the admission of additional processors or their replacement, thus giving the Controller the opportunity to object to these changes. The following entities are expressly permitted processors and sub-processors:
    1. Amazon Web Services, Inc. (infrastructure tools);
    2. Google LLC (analytics tools);
    3., Inc. (customer support tools);
    4. Sentry, Inc. (error reporting tools);
    5. ECOMAIL.CZ, s.r.o. (online marketing tools);
    6. possibly other newly engaged processors and sub-processors, whom the Processor will notify the Controller of in writing, including by email, where the Controller has the right to object to these new processors and sub-processors, and the Processor is obliged to take these objections into account;
  8. to only entrust the processing of personal data processed to other processors or sub-processors which provide a sufficient level of security of personal data at least to the extent required by the applicable and effective data protection and privacy laws;
  9. to promptly notify the Controller in writing and in reasonable detail as soon as the Processor becomes aware or reasonably suspects that there has been a personal data breach or other serious incident that compromises or exposes a material weakness in the security of personal data while in the Processor’s possession or control (hereinafter referred to as the “Personal Data Security Incident”);
  10. in the event of a Personal Data Security Incident:
    1. to take all reasonable steps to identify and address the root cause of the Personal Data Security Incident and thereby eliminate or exclude the risk of recurrence and occurrence of similar Personal Data Security Incidents;
    2. to take such steps as the Controller may reasonably request and the Processor may reasonably take to help the Controller address the adverse consequences of the Personal Data Security Incident and to ensure compliance with the Controller's obligations under applicable and effective data protection and privacy laws; and
    3. to report promptly and regularly to the Controller on the measures taken and their results;
  11. to disclose to the Controller any information it may reasonably request; 
  12. to promptly notify the Controller in writing if the Processor believes that compliance with the Controller's instruction may violate applicable and effective data protection and privacy laws.

Audits and Inspections at the Processor

The Controller (or its authorized auditors) shall be entitled to carry out reasonable audits and/or inspections necessary to verify the Processor’s compliance with this Addendum upon prior written request, which must be delivered to the Processor at least one month in advance. The Processor undertakes to allow reasonable audits and inspections to take place and to provide all necessary assistance to the Controller in carrying them out.

The Controller is obliged, for so long as its employees or its authorized auditors are at the Processor’s premises during any such audit or inspection, to prevent (or if this is not possible, at least minimize) any damage, personal injury or disruption to the Processor’s premises, equipment, employees and business.

The Processor is entitled to claim reimbursement from the Controller for the necessary costs associated with the audits and inspections carried out at the Processor, as well as reimbursement for any lost time of the Processor and of the Processor’s employees involved in the audit or inspection, or for any downtime in their work caused by the audit or inspection, namely in the lump sum of 60€/hour/person.

The Processor is not obliged to allow access to its premises for the purposes of such an audit or inspection:

  1. to individuals who do not provide adequate proof of identity and authorization;
  2. outside normal business or operating hours at such premises, unless it is an urgent audit or urgent inspection, of which the Controller is obliged to give notice to the Processor prior to the commencement of the audit or inspection outside normal business or operating hours; or
  3. in the case of more than one audit or inspection per two calendar years.