Data Processing DPA

This Data Processing DPA (“DPA”) is entered into between Customerscore.io s.r.o., with its registered office at Hlavní 75, 664 46 Prštice, Company ID No. 195 80 045, registered in the Commercial Register maintained by the Regional Court in Brno, Section C, Insert 135205, represented by Tomáš Horáček, executive director as the Data Processor (“Processor”) and Customer as the Data Controller (“Controller”, the Controller and the Processor hereinafter collectively referred to as the “Parties” or individually as the “Party”)

1. General Provisions

1.1. Under this Data Processing DPA (hereinafter the “DPA”) the Processor processes personal data provided by the Controller for the purposes of provision of the Customerscore.io service (hereinafter the “Service”).

1.2. The DPA is made in light of the requirements set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter the “GDPR”) and other applicable legislation. Unless explicitly provided otherwise in this DPA, definitions used in this DPA shall have the same meaning as set out in the GDPR. This DPA is based on the requirements set out in Article 28 of the GDPR.

1.3. The Parties agree that within the meaning of Article 4(7) of the GDPR, the Controller is the controller of personal data entrusted for processing to the Processor hereunder. Only the Controller shall decide on the purposes and means of processing the personal data. The Processor is the entity referred to in Article 28 of the GDPR.

1.4. The Processor shall process personal data to the extent and according to the rules as set forth in this DPA, the GDPR, and other applicable legislation. 

1.5. The Processor shall process personal data with professional care in order to provide legal, organizational and technical protection of the Controller's interests in connection with the processing of personal data according to this DPA.

1.6. The scope of personal data entrusted for processing under this DPA, the categories of data subjects, nature and purpose of the processing and duration of processing are defined in Schedule 1 hereto.

1.7. The personal data entrusted to the Processor under this DPA shall be processed for the purpose set out in Section 1.1. The Controller represents and guarantees that it has acquired all necessary consents from the data subjects for the processing of their personal data, if needed.

1.8. The Processor guarantees that it has appropriate technical and organizational measures in place to meet the requirements of the GDPR and that it will ensure protection of the rights of the data subjects.

1.9. Other terms used in this DPA are given the same meaning as those used and defined in Customerscore.io’s Terms and Conditions.

2. Engagement of Sub-Processors

2.1. The Processor may engage a third party for processing of personal data under this DPA (hereinafter the “Sub-Processor”), provided that the Processor has notified the Controller in writing of such Sub-Processor, including any intended changes concerning the addition or replacement of the Sub-Processors, and the Controller has not objected thereto within 30 days of notification. If the Controller does not object, the Sub-Processor is considered approved by the Controller. The Processor shall maintain and update (as necessary) a list of all Sub-Processors used for the processing of personal data on behalf of the Controller under this DPA. All Sub-Processors that are detailed in Schedule 1 hereto are expressly approved by the Controller as of execution of this DPA. The list of Sub-Processors can also be found here. The Processor shall inform the Controller about changes in the list of Sub-Processors.

2.2. The Processor shall enter into a written agreement with every approved Sub-Processor, under which the Sub-Processor shall undertake obligations corresponding to those undertaken by the Processor under this DPA. The Processor shall always remain liable for its Sub-Processor’s performance and obligations as for its own. 

2.3. The Controller may also explicitly authorize a Sub-Processor by taking the necessary steps to connect a third-party application or service in the interface of the Service.

2.4. Where the Processor engages a Sub-Processor in a country outside the European Union (hereinafter the “EU”) and/or the European Economic Area (hereinafter the “EEA”), the Controller hereby authorizes the Processor to sign EU approved standard contractual clauses for the transfer of personal data with the Sub-Processor in the name and on behalf of the Controller in respect of such transfer of personal data to a third country.

2.5. If the Controller objects to a new Sub-Processor notified by the Processor, the Controller may terminate this DPA with immediate effect by a written notice delivered to the Processor within 30 days of delivery of the notification to the Controller provided that the Processor insists on engaging the new Sub-Processor. If the Controller does not deliver a written termination notice to the Processor in accordance with the previous sentence, the Sub-Processor is considered approved by the Controller regardless of the Controller’s objection and the Processor may engage such Sub-Processor for the processing of any personal data on behalf of the Controller under this DPA. The Controller will not unreasonably object to any addition or replacement of a Sub-Processor. 

3. The Controller’s Instructions

3.1. The Processor shall process the personal data only on documented instructions from the Controller, including any transfer of data to third countries or international organizations. 

3.2. The Parties agree that this DPA, together with Schedule 1 hereto, constitutes a documented instruction within the meaning of Section 3.1. above. 

3.3. The Controller’s instructions may be updated from time to time when so requested by the Controller or if so required under applicable law.

3.4. The Controller may further express an instruction by taking the necessary steps to connect a third-party application or service (other data processors) in the interface of the Service. In such a case, the Processor acts as a sub-processor.

3.5. The Processor shall take steps to ensure that any natural person acting under its authority who has access to personal data does not process them except on instructions from the Controller, unless he or she is required to do so by the applicable law.

3.6. The Controller expressly approves that the Processor (and approved Sub-Processors) may transfer or authorize the transfer of personal data to countries outside the EU and/or the EEA. If personal data processed under this DPA is transferred from a country within the EEA to a country outside the EEA, the Parties shall ensure that the personal data are adequately protected. To achieve this, the Parties shall, unless agreed otherwise, rely on EU approved standard contractual clauses for the transfer of personal data. 

4. Confidentiality

4.1. Unless agreed or provided otherwise, the Processor shall not disclose any personal data entrusted to it, whether directly or indirectly.

4.2. The Processor shall ensure that the Processor's employees and other persons authorized to process the personal data shall be obligated to keep confidential all personal data obtained in connection with data processing under this DPA or are under an appropriate statutory obligation of confidentiality.

4.3. The Processor shall maintain confidentiality of all information related to the entrusting of data and all personal data entrusted during the performance of this DPA, during such performance and after expiration or termination of this DPA, for an indefinite period of time.

5. Security of Processing

5.1. The Processor shall implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR to ensure a level of security appropriate to the risk. Security measures that are or may be employed by the Processor as of execution of this DPA are listed in Schedule 1 hereto.

6. Requests by Data Subjects

6.1. As further set out in Chapter III of the GDPR, the data subject has certain rights (e.g., information and access to personal data, rectification and erasure, restriction of processing, data portability, right to object and certain rights in relation to automated decision-making). The Controller is obliged to facilitate the exercise of these data subject rights under the GDPR.

6.2. The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is commercially reasonable, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in the GDPR and other applicable legislation. In particular, the Processor shall assist the Controller to ensure that the personal data are kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed.

7. Personal Data Breach, Impact Assessment and Prior Consultation

7.1. As further set out in Articles 32 to 36 of the GDPR, the Controller has certain obligations (e.g., notification of data breach to the supervisory authority, communication of data breach to the data subject, making a data protection impact assessment and prior consultation with the supervisory authority in certain cases). 

7.2. The Processor shall notify the Controller without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed (personal data breach), and the Processor shall assist the Controller in ensuring compliance with obligations set out in Section 7.1. above.

8. Return and Deletion of Personal Data

8.1. The Processor shall, at the choice of the Controller, delete or return all the personal data to the Controller at the end of the performance of activity relating to processing (i.e., labeling and machine learning of neural networks of the Processor), and delete any existing copies unless applicable law requires storage of the personal data. 

9. Audit, Compliance and Duty to Inform

9.1. The Processor shall make available to the Controller all information and documents necessary to demonstrate compliance with the obligations laid down in this DPA, applicable legislation and the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. 

10. No Compensation

10.1. Neither the Processor nor the Controller shall be entitled to any compensation for carrying out its obligations under this DPA. 

11. Liability

11.1. The Parties acknowledge that they each respectively are liable, accountable and responsible in their respective roles as controller and processor under the requirements set forth in the GDPR and other applicable legislation and this DPA.

11.2. The Controller is fully responsible for compliance of the instructions, requests and recommendations issued to the Processor with the determined purpose of the processing and any applicable legislation including the GDPR. The Controller declares and guarantees to the Processor that determined purpose of the processing according to this DPA is lawful and in accordance with Article 6 of the GDPR. 

11.3. Where the Sub-Processor fails to fulfil its obligations as specified in this DPA and the applicable law, the Processor shall remain fully liable to the Controller for the performance and non-performance of the Sub-Processor's obligations.

11.4. Each Party shall promptly notify the other Party of any proceedings, in particular administrative or court proceedings, relating to personal data processing within the scope of each of the data sets provided to the Processor, and of any administrative decision or judgment concerning the processing of that data, as well as of any inspections pertaining to personal data processing within the scope of a set of data.

11.5. If any third party brings a legal action against the Processor and/or the Controller in connection with any infringement of the personal data processing rules, the Parties shall cooperate in order to take appropriate legal measures aimed, in particular, at having the competent court dismiss or reject such third-party claim, lodging an appeal or entering into a settlement agreement, or other legal measures.

12. Term of the DPA

12.1. The DPA shall be valid for an indefinite period of time, but no longer than is necessary for the purposes for which the personal data are processed.

12.2. In the event of a material breach of any provision of the DPA or the applicable law by one of the Parties, the other Party will be entitled to terminate the DPA with immediate effect.

13. Governing Law and Dispute Resolution

13.1. This DPA and any related legal relationships existing between the Parties shall be governed by the laws of the Czech Republic. Any disputes related to this DPA arising between the Parties shall be resolved by the courts of general jurisdiction in the Czech Republic.

14. Final Provisions

14.1. If any provision hereof is deemed to be invalid or unenforceable for any reason, all other provisions shall remain in force and the Parties shall be obliged to replace such invalid (unenforceable) provisions at the request of either Party with a provision which is valid and the economic effect of which is as close as possible to the economic effect of the replaced provision.

14.2. The DPA constitutes the entire agreement between the Parties with respect to its subject matter and shall supersede any and all previous negotiations, both written and oral, between the Parties related to the subject matter hereof. The Parties have neither made nor will rely on any representations, undertakings, agreements or assurances which are not included herein.

14.3. Neither Party shall be entitled to assign any of its rights and obligations under the DPA to any entity/third party without the prior written consent of the other Party; otherwise such assignment shall be null and void. The above provision shall not apply to the affiliates of the Parties.

14.4. This DPA is executed in two counterparts, one for each Party.

14.5. The following schedules shall form an integral part hereof:

Schedule 1 – Instructions

SCHEDULE 1 – INSTRUCTIONS

1. General Instructions for the Processing

Categories of personal data

The following personal data will be processed by the Processor:

Data relating to individuals provided to the Processor by (or at the direction of) the Controller, e.g.:

  1. identification data (e.g., first name, last name, gender, nationality, age group);
  2. contact information (e.g., e-mail address);
  3. order information (e.g., services purchased);
  4. payment information;
  5. IP address;
  6. other personal data.

Categories of data subjects

The following categories of data subjects will be included in the processing: 

  1. Controller’s customers

Nature and purpose of the processing

The nature and purpose of the processing is to provide the Service and fulfil associated obligations of the Processor.

Duration of processing

The nature and purpose of the processing is to provide the Service and fulfil associated obligations of the Processor.

2. Technical and Organisational Security Measures 

The Processor shall implement appropriate technical and organizational measures in accordance with Article 32 of the GDPR to ensure a level of security appropriate to the risk, which may include as appropriate:

  1. the pseudonymization and encryption of data;
  2. the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
  3. the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
  4. a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.

The Processor shall at the request of Controller provide a description of its technical and organizational measures unless such description has already been provided to the Controller.

3. Approved Sub-Processors 

The list of approved Sub-Processors can be found here.