Data processing agreement

1. Processing of personal data

  • 1.1 INTRODUCTORY PROVISIONS. Marketing Miner s.r.o., reg. ID 062 78 990, tax ID: CZ 06278990, registered office Chelčického 95/15, 370 01 České Budějovice, Czech Republic, registered in the Commercial Register maintained by the County Court in České Budějovice, file no. C 29550 ("Company") provides the Marketing Miner internet application ("Marketing Miner"), available at www.marketingminer.com to its User ("User"), in accordance with the Terms of Service, available from www.marketingminer.com/en/terms-and-conditions ("Terms of Service"). The Company and the User are also referred to herein as the "parties". For the avoidance of doubt, the User means the User and the User as defined in the Terms of Service.
  • 1.2 DATA PROCESSING AGREEMENT. Considering the fact that personal data will be processed by the Company for the User while providing the Marketing Miner service, the parties enter into this Data Processing Agreement ("DPA") within the meaning of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC ("GDPR").
  • 1.3 OBLIGATION TO CONCLUDE AN ADDENDUM. The parties agree that, if necessary in order to comply with the requirements of data protection regulations (which include, for example, Act No. 110/2019 Coll. on the Processing of Personal Data, as amended, and the GDPR; collectively as the "DPR"), they shall, without undue delay upon the request of either party, amend the Terms of Service or this DPA to reflect such requirements.
  • 1.4 AUTHORIZATION OF THE COMPANY. The User hereby authorises the Company to process the personal data of the data subjects, while providing the Marketing Miner service. The Company is obliged to process personal data for the User on the basis of the User's instructions and to the extent necessary for the proper performance of the Company's obligations under the Terms of Service.
  • 1.5 DECLARATION OF THE USER. By entering into the DPA, the User confirms that any personal data provided while using the Marketing Miner service is accurate, has been collected in accordance with the DPR, is currently processed by the User in accordance with the DPR and that the User complies with all obligations of the controller under the DPR. The User declares that the processing of personal data, which it entrusts the Company with by this Agreement, has been registered with the Office for Personal Data Protection (hereinafter referred to as the "OPDP") prior to entering into this DPA, if the respective processing is subject to this obligation.
  • 1.6 CAPITALISED TERMS. Where this DPA uses capitalized terms, such terms shall have the meanings set forth in the Terms of Service, available from www.marketingminer.com/en/terms-and-conditions.

2. Subject matter of the processing, categories of data subjects, types of personal data

  • 2.1 DEFINITION OF PERSONAL DATA. The subject of the processing under this DPA is the personal data of the data subjects, provided by the User while using the Marketing Miner service, and possibly other data provided by third parties on the User's behalf ("Personal Data"). We only process the personal data that you ask us to process, as defined in the Terms of Service.
  • 2.2 SPECIAL CATEGORIES OF PERSONAL DATA. The User agrees that the Marketing Miner service is not intended for the processing of special categories of personal data, as defined in Art. 9 of the GDPR ("Sensitive Data"), and that if the User wishes to use the Marketing Miner service to process Sensitive Data, it must first obtain the Company's explicit prior written consent and enter into any additional agreements as may be required by the Company.
  • 2.3 DATA SUBJECTS. Data subjects are subjects about whom the User processes personal data through the Marketing Miner service.
  • 2.4 USER'S LIABILITY. The scope of data processing is decided solely by the User, who is also responsible for ensuring that the specified scope of processing complies with the DPR.

3. Nature and purposes of the processing

  • 3.1 NATURE OF THE PROCESSING. The processing of personal data will be carried out in an automated manner.
  • 3.2 PURPOSE OF THE PROCESSING. The purpose of the data processing is defined by the purpose of the Terms of Service, which is proper provision of Marketing Miner service and all related activities.
  • 3.3 LIMITATION OF PURPOSES. The Company acknowledges that it is not entitled to use personal data for any purpose other than as set out in this DPA, i.e. to determine the purposes and/or means of processing and is not entitled to process personal data beyond the scope set out in this DPA.

4. Duration of the processing

  • 4.1 DURATION OF THE PROCESSING. The processing of personal data will be carried out for as long as Marketing Miner services are provided. The Company undertakes to fulfil the User's obligations regarding the protection of personal data for the entire duration of providing the Marketing Miner service, unless the Terms of Service and/or DPA imply that such obligations shall survive its termination.

5. Declarations of the User

  • 5.1 USER'S OBLIGATIONS. By entering into the DPA, the User, as the data controller, declares that as of the date of entering into the DPA, it duly fulfils all its obligations under the DPR, in particular that it:
    • 5.1.1 LAWFULNESS OF PROCESSING. processes personal data for the purposes, to the extent, by the means and in the manner provided for in this DPA lawfully, in particular it has obtained and has in its possession the valid consent of all data subjects to the processing of their personal data, if required by law;
    • 5.1.2 OBLIGATION TO INFORM DATA SUBJECTS. informs data subjects about the processing of their personal data in the manner and to the extent prescribed by the DPR;
    • 5.1.3 PERFORMANCE OF DATA SUBJECT RIGHTS. provides data subjects with the possibility to exercise their rights provided by the DPR;
    • 5.1.4 DISPOSAL OF PERSONAL DATA. disposes of personal data once the purpose for which they were processed has expired; and undertakes to fulfil these obligations throughout the provision of the Marketing Miner service.

6. Obligations of the Company

  • 6.1 OBLIGATIONS OF THE COMPANY. When processing personal data, the Company is obliged to:
    • 6.1.1 BINDING INSTRUCTIONS. process personal data solely on the basis of documented instructions provided by the User. For the avoidance of doubt, the processing of personal data in accordance with the Company's obligations agreed under the DPA shall be deemed to be carried out in accordance with the User's instructions. Further instructions are provided through the Portal when the User uses the respective Tool;
    • 6.1.2 TRANSFER TO THIRD COUNTRIES AND INTERNATIONAL ORGANIZATIONS. follow the instructions of the User regarding the transfer of personal data to a third country or an international organisation, unless such processing is already required by European Union or Member State law, applicable to the Company, in which case the Company shall inform the User of this legal requirement prior to processing, unless such legislation prohibits such information for important reasons of public interest;
    • 6.1.3 CONFIDENTIALITY. ensure that anyone who lawfully processes personal data for the User undertakes to maintain confidentiality or is subject to a legal obligation of confidentiality;
    • 6.1.4 TECHNICAL MEASURES AND EXERCISE OF RIGHTS. assist the User through appropriate technical and organisational measures, where possible, to comply with the User's obligation to respond to requests to exercise the rights of data subjects;
    • 6.1.5 COOPERATION. assist the User with ensuring compliance with the User's obligations to (i) ensure the level of security of processing, (ii) report personal data breaches to the OPDP and, where applicable, to data subjects, (iii) assess the impact on the protection of personal data, and (iv) carry out prior consultation with the OPDP, taking into account the nature of the processing and the information available to the Company;
    • 6.1.6 RETURN AND DELETION. in accordance with the User's decision, either delete all personal data or return it to the User upon termination of performance under the Terms of Service and delete existing copies, unless such storage is required by law;
    • 6.1.7 INFORMATION DUTY. provide the User with all information necessary to demonstrate that the obligations set out in the DPR have been fulfilled; and
    • 6.1.8 AUDITS. allow the User to conduct audits; the parties agree that the User may audit the Company's processing no more than once every 2 years with an independent auditor selected by the User. The costs of the audit under this paragraph shall be borne by the User.
  • 6.2 INSTRUCTIONS VIOLATING THE LAW. The Company shall immediately inform the User in writing if it believes that the instructions issued by the User violate data protection legislation.
  • 6.3 CONFIDENTIALITY AND TERMINATION OF THE TERMS OF SERVICE. In the event of termination of the Marketing Miner service, the Company, its employees, and/or authorised third parties who have come into contact with the personal data shall not be relieved of confidentiality. In such case, the obligation of confidentiality shall continue even after the termination of the Marketing Miner service, regardless of the duration of the relationship of these persons to the Company.
  • 6.4 SECURITY BREACHES. The Company shall promptly notify the User of any actual or reasonably suspected personal data breach, but no later than 48 hours after becoming aware of such breach. Any such information will also be promptly reported by the Company through email, available from the Website. The foregoing shall apply primarily, but not exclusively, in cases where the User has a legal obligation under law or the DPR to report a personal data breach. The Company must provide at least the following information:
    • 6.4.1 the date of the breach and its discovery;
    • 6.4.2 the nature, cause and consequences of the breach;
    • 6.4.3 the category and approximate number of involved data subjects;
    • 6.4.4 the scope of affected personal data, involved in the breach;
    • 6.4.5 a description of measures taken to remedy the breach.

7. Sub-processors

  • 7.1 APPROVAL OF SUBPROCESSORS. The User hereby agrees that the Company will use the following categories of sub-processors, when processing the personal data:
    • 7.1.1 hosting providers;
    • 7.1.2 IT service providers.
  • 7.2 NEW SUB-PROCESSORS. If the Company decides to use new categories of sub-processors, other than those defined in paragraph Error! Reference source not found. of this Annex, it shall notify the User thereof without delay, but no later than when such processing commences. The Company undertakes to bind its sub-processors at least to the same extent as in this DPA.
  • 7.3 OBJECTION. The User may reasonably object to the Company's use of a new sub-processor, for reasons relating to the protection of Personal Data intended to be processed by such sub-processor, by notifying the Company promptly in writing within seven (7) days after receipt of notification of such sub-processing.

8. Security

  • 8.1 TECHNICAL AND ORGANISATIONAL MEASURES. The Company has adopted and maintains technical and organizational measures to prevent unauthorized or accidental access to personal data, their alteration, destruction or loss, unauthorized transfers, other unauthorized processing, as well as other misuse of personal data.
  • 8.2 EXAMPLES OF MEASURES. The Company has adopted and maintains the following measures to ensure an adequate level of security, including, but not limited to, the following:
    • 8.2.1 the pseudonymisation and encryption of personal data;
    • 8.2.2 the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services - the measures in place and their correct functioning will be regularly reviewed;
    • 8.2.3 the ability to restore the availability of and access to personal data in the event of physical or technical incidents in a timely manner;
    • 8.2.4 regular testing, assessing and evaluating the effectiveness of the technical and organisational measures in place to ensure the security of processing;
    • 8.2.5 a multi-level firewall;
    • 8.2.6 anti-virus protection and control of unauthorised access;
    • 8.2.7 encrypted data transition.
  • 8.3 SECURITY BREACH NOTIFICATION. In the event that the Company discovers a personal data breach, the Company shall notify the User without undue delay.

9. Final provision

  • 9.1 VALIDITY AND EFFECTIVENESS OF THE DPA. This DPA shall be valid and effective from 18.5.2022.
  • 9.2 USE OF TERMS OF SERVICE. To the extent not governed by this DPA, the relationship between Company and User shall be governed by the Terms of Service.