Data processing agreement

This Data Processing Agreement (this “DPA”) is entered into between Plexcom, s.r.o. (“Plexcom”, “we”) and Customer (“Customer”, “you”), together referred to as “The Parties”. This agreement (“DPA”) is part of the Terms of Service, Privacy Policy and other relevant policies (the “Agreement”). Customer agreeing to these terms enters into this DPA on their own behalf to the extent required under applicable Data Protection Regulations and Laws and to the extent Plexcom processes Customer Data as instructed by the Controller (as defined in Section 1).

In the course of providing the Services to the Customer, Plexcom may Process Customer Data on behalf of the Customer. The Parties agree to comply with the following provisions with respect to any Customer Data, each acting reasonably and in good faith.

1. DEFINITIONS

“Agreement” means the Terms of Service and other relevant policies announced on our website, together with your Order for the purchase of Services and the Order confirmation sent by Plexcom.

“Order” means any Customer’s order for the purchase of the respective services.

“Site” means the Plexcom website and all services we offer through our website.

“Services” means any hosting services we offer and the Customer has purchased that could involve the processing of Personal Data by Plexcom.

“Partner” means any entity that directly or indirectly controls, is controlled by or is under common control with the Plexcom subject entity.

“Control,” for the purpose of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Additional Products” means any features, products, software, programs, add-ons, plugins, scripts, tools or any other third-party software or content that are not part of the Services but that may be accessible via the Plexcom User Area or the Control Panel, installed by the Customer or otherwise for the usage of the Services.

“Controller” means the natural person or the legal entity which, alone or jointly with others, determines the purposes and means of the processing of customer data.

“Affiliate” means, as to any entity, any other entity that, directly or indirectly, controls, is controlled by, or is under common control with such entity through majority ownership.

“Data Protection Law” means any and all data protection laws and regulations that apply to the Processing of Personal Data by Plexcom under the Agreement.

“Data Subject” means an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

“Plexcom” means the Plexcom entity which is a party to this DPA, as specified in the section, a company registered and existing under the laws of Strážkovice, Czech Republic, with address: Pod Rafandou 906, 391 81 Veselí nad Lužnicí, Czech Republic.

“Personal Data” means any data that: (a) is deemed “personal data” or “personal information” (or other analogous variations of such terms) under Data Protection Law; and (b) that Customer submits using the Services for Plexcom to Process on Customer’s behalf.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

“Process” or “Processing” means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Standard Contractual Clauses” means the standard contractual clauses annexed to the EU Commission Decision 2010/87/EU of 5 February 2010 for the transfer of personal data to processors established in third countries, the text of which is available at: https://eurlex.europa.eu/legal-content/en/TXT/?uri=CELEX%3A32010D0087.

“Subprocessor” means any Processor engaged by Plexcom.

2. DATA PROCESSING AND PROTECTION

This DPA applies when Plexcom processes Customer’s data for which Plexcom will act as “processor” or “service provider” (or other analogous variations of such terms) under Data Protection Law.

2.1. Limitations on Use

Plexcom will process Personal Data only: (a) in a manner consistent with documented instructions from Customer, including (i) to provide the Services, (ii) as permitted under the Agreement, including as specified in Attachment 1 to this DPA, and (iii) consistent with other reasonable instructions of Customer; and (b) with prior notice (unless notice is legally prohibited), as required by applicable law. Without limiting the foregoing, Plexcom will not collect, retain, use, or disclose the Personal Data for any purpose other than as necessary for the specific purpose of performing the Services, including not collecting, retaining, using, or disclosing the Personal Data for a commercial purpose other than providing the Services.

2.2. Confidentiality

Plexcom will ensure that persons authorized by Plexcom to Process any Personal Data are subject to appropriate confidentiality obligations.

2.3. Security

Plexcom will protect Personal Data in accordance with requirements under Data Protection Law, including by implementing appropriate technical and organizational measures designed to protect Personal Data against Personal Data Breach.

2.4. Return or Disposal

At the choice of Customer, Plexcom will delete or return (or will enable Customer to delete or retrieve) all Personal Data after the end of the provision of Services (unless applicable law requires Plexcom to store any Personal Data).

2.5. Customer Obligations

Customer will not instruct Plexcom to perform any Processing of Personal Data that violates any Data Protection Law. Plexcom may suspend Processing based upon any Customer instructions that Plexcom reasonably suspects violate Data Protection Law. Subject to the cooperation of Plexcom as specified in this DPA, Customer will be solely responsible for safeguarding the rights of Data Subjects. Customer will promptly notify Plexcom about any faults or irregularities in the Processing by Plexcom discovered by Customer.

3. DATA PROCESSING ASSISTANCE

3.1. Data Subject’s Rights Assistance

Taking into account the nature of the Processing of Personal Data by Plexcom under the Agreement, Plexcom will provide reasonable assistance to Customer by appropriate technical and organizational measures, insofar as possible and as necessary, for the fulfilment of Customer’s obligations to respond to requests for exercising Data Subject’s rights under Data Protection Law (including Chapter III of the GDPR, as applicable) with respect to Personal Data solely to the extent Customer does not have the ability to address such Data Subject request without such assistance.

3.2. Security Assistance

To assist Customer in its efforts to ensure compliance with the security requirements under Data Protection Law including Article 32 of the GDPR, Plexcom shall implement and maintain technical and organizational measures to protect Customer Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access.

3.3. Data Protection Impact Assessment Assistance

Taking into account the nature of Plexcom’s Processing of Personal Data and the information available to Plexcom, Plexcom will provide reasonable assistance to Customer as required for Customer to comply with its obligations under Articles 35 and 36 of the GDPR in connection with Plexcom’s Processing of Personal Data under the Agreement.

3.4. Personal Data Breach Notice and Assistance

Plexcom will notify Customer without undue delay after becoming aware of a Personal Data Breach. Taking into account the nature of Processing and the information available to Plexcom, Plexcom will provide reasonable assistance to Customer as may be necessary for Customer to satisfy any notification obligations required under Data Protection Law (including Articles 33 or 34 of the GDPR) related to any Personal Data Breach.

4. AUDITS

Plexcom will allow for and contribute to audits as follows:

(a) Once every 12 months, Customer may request to review a summary of Plexcom’s SOC audit report regarding the Processing activities covered by this DPA;

(b) Customer or a third party auditor reasonably acceptable to Plexcom may conduct an on-site audit of Plexcom’s processing activities as required by a supervisory authority or Data Protection Law. Such on-site audit must (i) be scheduled on at least 45 days’ advance notice at a mutually agreed date and time; (ii) occur during Plexcom’s normal business hours; (iii) be permitted only to the extent required to assess Plexcom’s compliance with this DPA; (iv) comply with the policies, procedures, and other restrictions reasonably imposed by Plexcom and, if applicable, the Subprocessor; and (v) not unreasonably interfere with Plexcom’s business activities. Customer’s auditor will not be entitled to access information subject to third-party confidentiality obligations. Customer will provide written communication of any audit findings to Plexcom, and the results of the audit will be the confidential information of Plexcom.

5. SUBPROCESSORS

Customer authorizes Plexcom to use Plexcom’s Affiliates and third-party subprocessors to Process Personal Data in connection with the provision of Services to Customer (“Subprocessor”). Plexcom will impose data protection obligations upon any Subprocessor that are no less protective than those included in this DPA. Plexcom shall remain liable to Customer for a Subprocessor’s failure to fulfill its data protection obligations.

6. DATA TRANSFERS

Personal Data may be transferred to any country in which Plexcom or its Subprocessors maintain facilities. This Section 6 only applies to the transfer of Personal Data from the European Economic Area (“EEA”) to a third country that has not been deemed adequate by the European Commission (for transfers from the EEA).

6.1. Data Transfers from Customer to Plexcom

For Personal Data transferred from the EEA, Plexcom will conduct the transfer: (a) pursuant to the Standard Contractual Clauses; or (b) any other data transfer mechanism permitted under Data Protection Law, such as binding corporate rules. For purposes of the Standard Contractual Clauses, the following terms will apply: (i) Customer and Plexcom will be deemed to have executed the Standard Contractual Clauses as of the effective date of this DPA; (ii) Customer will be referred to as the “Data Exporter” and Plexcom will be referred to as the “Data Importer” in the clauses with relevant company name and address details from the Agreement being inserted accordingly; (iii) details in Attachment 1 to this DPA will be used to complete Appendix 1 of those clauses, as appropriate.

6.2. Plexcom Data Transfers to Subprocessors

If Plexcom transfers Personal Data to a Subprocessor then Plexcom shall enter into the Standard Contractual Clauses with the Subprocessor on Customer’s behalf, and the Subprocessor will be the “data importer” and the Customer will be the “data exporter”.

7. MISCELLANEOUS

7.1. If there is a conflict (a) the terms of this DPA will prevail over the terms of the Agreement and (b) the Standard Contractual Clauses will prevail over this DPA. Except for the matters covered by this DPA, all terms of the Agreement remain in effect. Capitalized terms not defined in this DPA have the same meaning as in the Agreement. Except as otherwise stated in the Agreement, this DPA and the Standard Contractual Clauses will automatically terminate upon the termination or expiration of the Agreement.

Attachment 1 – Scope of Processing

Subject-Matter and Duration of Processing

Plexcom Processes Personal Data for the subject matter specified under the Agreement and until the Agreement terminates or expires, unless otherwise agreed upon by the parties in writing. In particular, the subject matter is determined by the Service(s) to which Customer subscribes and the data which Customer uploads to the Service.

Nature and Purpose of Processing (including Processing Operations)

The nature and purpose of Processing is determined by the Service(s) to which Customer subscribes and the data which Customer uploads to the Service.

For instance:

  1. Data Integration Cloud Services Process data uploaded to the Service, including Personal Data if uploaded, to connect, transform, and integrate data, applications, and processes across on-premise and cloud systems.
  2. Data Management, Quality, and Governance Cloud Services Process data uploaded to the Service, including Personal Data if uploaded, to help Customer understand and enrich data, to help ensure that data are relevant and trustworthy, and to help optimize compliance and business value from data.
  3. Infrastructure Hosting Services Process data uploaded to the Service, including Personal Data if uploaded, in accordance with the function performed by the Plexcom software product that Plexcom is hosting for Customer.

Types of Personal Data

Customer controls the types of Personal Data uploaded via the Services for Processing. Plexcom may Process postal addresses, email addresses, and/or telephone numbers, in accordance with the specific Service to which Customer subscribes.

Special Categories of Personal Data

None anticipated, but Customer controls the types of Personal Data processed via the Services.

Categories of Data Subjects

Customer controls the categories of Data Subjects to which the Personal Data relates. For instance, Customer may Process via the Services Personal Data that relates to its current or prospective customers, employees or business partners.