This Addendum made under Article 28 (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”) is an integral part of the General Terms and Conditions of FaceUp Technology s.r.o., ID: 061 42 630, with registered office at Udolni 567/33, 602 00, Brno, Czech Republic, registered in the Commercial Register kept by the Regional Court in Brno, section C, file 100325 (hereinafter referred to as the “Processor” or “Provider”), which is the author, owner and provider of the mobile and web application “FaceUp” provided via the user interfaces at the internet addresses www.admin.faceup.com or www.report.faceup.com (hereinafter referred to as the “Website”), and/or the mobile application FaceUp available in Google Play and App Store (hereinafter referred to as the “Application”).
This Addendum does not apply to the rights and obligations arising in connection with normal browsing of the website www.nntb.cz, as such rights and obligations are governed by the Website Use Terms and Rules, and is made, as part of the General Terms and Conditions, for the purpose of protection of personal data during their processing by the Processor solely within the scope of the provision of Services to the Controller, to the extent of rights and obligations arising for the Parties hereto from the GDPR during the processing of personal data within the scope of the provision of Services.
The Processor provides the parties that use the Website and/or Application for the purposes of making use of the Services – that implement this solution into their structure as a solution for reporting undesirable situations, receiving reports from third parties and/or as an internal whistleblowing system for the protection of whistleblowers, and that register themselves through the Website and/or Application (hereinafter referred to as the “Client” or “Controller”) with the Services through which the Provider particularly receives messages (reports) from third parties and subsequently stores them in the Application and makes these data available to the Client via a profile or by sending them in the form of an encrypted document, whereby the Client uses the Provider’s Website and/or Application to handle and administer messages (reports) and to communicate with the whistleblower, and as the case may be, to fulfil obligations under the Whistleblower Protection Act, or if the Client is a school or a similar facility, to prevent and handle bullying or other similar behavior (hereinafter referred to as the “Services”).
The subject of the contractual relationship between the Provider and the Client is, in particular, the obligation of the Provider to allow persons who wish to submit a report to perform an action through a form on the Website and/or the Application (hereinafter referred to as the "Whistleblower") informing the Client of certain facts – usually of an undesirable nature (hereinafter referred to as the "Report") using the Client's access code through a form on the Website and/or the Application to submit such report.
Due provision of Services requires i.a. the processing of personal data of persons working in the Controller’s organization, in particular employees, members of bodies, business partners and whistleblowers who submit a report through the Website, using the access code of the Controller and other parties, if any, cooperating with the Controller; and
This Addendum specifies the extent of personal data that will be processed, the purpose for which they will be processed, the time for which they will be processed, the rights and obligations of the Controller and the Processor, and audits and inspections at the Processor.
For the purposes of this Addendum, the processing of personal data means, in particular, their collection, saving on data carriers, use, sorting or combining, blocking and destruction by manual and automated means (e.g. specialized software) to the extent necessary for securing proper provision of Services.
Whenever used in this Addendum, the terms “controller”, “data subject”, “personal data”, “personal data breach”, “processing” and “processor” as well as the terms derived from or related to them have the meaning defined in Article 4 of the GDPR.
The Parties agree that the personal data processing under this Addendum will be free of charge.
In accordance with this Addendum the Processor will process personal data of the following categories of data subjects, in particular, within the Application, Website and/or mutual communication or documentation:
In accordance with this Addendum the Processor will process the following personal data, in particular, that the Processor obtained for, on behalf or from the Controller in connection with the Processor’s activity and that it will provide or otherwise make available to the Processor:
The Processor undertakes to process personal data only to the extent necessary for the purpose of due provision of its Services and compliance with its obligations associated with the provision of Services, which is guaranteed by minimum access of the Processor to the personal data, e.g. by means of encryption. No other purpose is agreed and permitted by the Parties.
Personal data will be processed for the duration of the provision of Services, and upon termination of the provision of Services this Addendum terminates without further notice. The Processor’s obligations related to the security and protection of personal data will survive termination of this Addendum and apply until the moment of full destruction or handover of such personal data to another processor as recorded in a record of destruction or handover.
The Processor undertakes, on a written instruction from the Controller and in accordance with the Controller’s decision, to return all personal data to the Controller or erase all their existing copies immediately after termination of the provision of respective Services unless set out otherwise in a legal regulation. The Controller is obliged to give this instruction without undue delay but no later than thirty (30) calendar days after the cessation of this Addendum. If the Controller fails to do so, the Processor may destroy the personal data that were provided to the Processor by the Controller under this Addendum unless the Processor is aware of an obstacle defined in a legal regulation, and will inform the Controller about the destruction immediately afterwards.
The Processor undertakes:
The Controller (or its authorized auditors) shall be entitled to carry out reasonable audits and/or inspections necessary to verify the Processor’s compliance with this Addendum upon prior written request, which must be delivered to the Processor at least one month in advance. The Processor undertakes to allow reasonable audits and inspections to take place and to provide all necessary assistance to the Controller in carrying them out.
The Controller is obliged, for so long as its employees or its authorized auditors are at the Processor’s premises during any such audit or inspection, to prevent (or if this is not possible, at least minimize) any damage, personal injury or disruption to the Processor’s premises, equipment, employees and business.
The Processor is entitled to claim reimbursement from the Controller for the necessary costs associated with the audits and inspections carried out at the Processor, as well as reimbursement for any lost time of the Processor and of the Processor’s employees involved in the audit or inspection, or for any downtime in their work caused by the audit or inspection, namely in the lump sum of 60€/hour/person.
The Processor is not obliged to allow access to its premises for the purposes of such an audit or inspection: