pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (“the Regulation”)

 

Introductory provisions

1.1. Zooza s. r. o. with registered office at Horská 1311/12, Partizánske 958 06, ID No.: 55 083 218, registered in the Commercial Register of the District Court of Trenčín, Section: Sro, Insert 44567/R (hereinafter referred to as “Zooza s. r. o. “) issues these Terms and Conditions for the processing of personal data (“Terms and Conditions” or “Agreement“) in the form of an appendix to the General Terms and Conditions for Projects (“GTC“), which regulate the contractual relations with entrepreneurs, which Zooza s.r.o. enters into in connection with the use of the Internet application under the name Zooza.

1.2. Zooza s.r.o. (as defined above) is the provider of the services associated with the use of the Zooza Application and a party to this Agreement, by virtue of the Zooza Application Use and Services Agreement.

1.3. The GTC are available at www.zooza.sk.

1.4. Pursuant to the GTC and the Zooza Application Use and Service Agreement (“Master Agreement“), this Agreement governs the rights and obligations between Zooza s.r.o. as processor (“Processor“) and Client as data controller (“Data Controller“) of personal data, in connection with the processing of personal data in the Zooza Application.

1.5. The services provided under the Master Agreement include activities involving the processing of personal data on behalf of the Controller, subject to the terms and conditions agreed in this Agreement and other instructions of the Controller.

1.6. In order to ensure the protection of personal data and to comply with the legal obligations arising from the Regulation and § 34 of Act No. 18/2018 Coll. on the Protection of Personal Data, as amended (hereinafter referred to as the “PPA Act”), the Controller and the Processor are, pursuant to Art. 28 of the Regulation are obliged to enter into a written contract or other legal act under EU law or the law of a Member State which binds the Processor to the Controller and which sets out the elements referred to in Art. 28(3), (4) of the Regulation, whereby these Terms and Conditions fulfill the purpose of the said written contract or other legal act within the meaning of the aforementioned.

• Subject matter and duration of the processing of personal data

2.1. The Processor shall process for the Controller personal data which the Controller has obtained or will obtain in connection with its business activities or which the Processor obtains for the Controller for this purpose, in the performance of the Processor’s obligations under the Main Contract.

2.2. The object of this Agreement is to authorize the Processor to process personal data in accordance with Article 28 of the Regulation and § 34 of the OOU on the terms and to the extent agreed in this Agreement.

2.3. The Processor is authorized to process personal data from the date of conclusion of this Agreement for the duration of the Main Agreement. This is without prejudice to Article 11 of this Contract.

• Nature and purpose of the processing of personal data

3.1. The Controller authorizes the Processor to process personal data for him for the following purpose:

(i) registration for courses and/or purchase of products offered by the Operator,

(ii) administering courses organized by the Operator and/or the Operator’s e-shop,

(iii) creating accounts and accessing the Zooza application,

(iv) mediation of the payment gateway,

(v) registering and sending invoices,

(vi) other purposes arising from the Main Agreement.

3.2. The Processor is entitled to process the personal data of the Data Subjects through automated and non-automated means of processing. The Processor is authorized to carry out only such processing operations with personal data as are necessary to achieve the purpose of the processing. In particular, the processor shall be entitled to obtain, sort, organize, arrange, collate, move, search, retrieve, store, update, erase or destroy personal data.

• Categories of data subjects and scope of personal data

4.1. The Controller authorizes the Processor to process the personal data of the following data subjects:

(i) Users of the Zooza application on the website of the Operator, namely customers, clients, potential customers and clients of the Operator, employees, collaborators, former employees and former collaborators of the Operator for whom an account has been created in the Zooza application,

(ii) other data subjects whose processing of personal data is necessary for the purpose of the performance of the Master Agreement or the protection of the rights and legitimate interests of the Operator.

4.2. The Processor is entitled to process personal data provided by the Operator or directly by the data subject to the extent necessary for the performance of the subject matter of this Agreement, the Main Agreement and legal obligations arising from specific legislation. In particular, the Processor is entitled to process the following personal data: title, name and surname, address, date of birth, payment details (VAT ID, VAT ID, IBAN), e-mail address, telephone number, IP address, cookies.

4.3. The processor is also entitled to process other personal data of the data subjects insofar as their processing is necessary in relation to the purpose for which they are processed, depending on the functionality of the Zooza application used.

4.4. The Processor undertakes to process only personal data that is adequate, relevant and limited to the extent necessary in relation to the purposes for which it is processed.

4.5. In the event that the Controller provides or the Processor is otherwise provided with personal data of Data Subjects or the Processor is provided with personal data of other Data Subjects in connection with its activities for the Controller, the Processor shall process and protect such personal data in accordance with the requirements under the Regulation, the OOU Act or this Agreement.

• Remuneration

5.1. The Controller and the Processor agree that the Processor shall not be entitled to any special remuneration for the processing of personal data in accordance with this Agreement, or such remuneration shall be included in the price for the processing of personal data in accordance with this Agreement.

6. Rights and Obligations of the Parties

6.1. The Processor is obliged to exercise due professional care when processing personal data so that the processing complies with the Regulation and the OOU Act.

6.2. The Processor and any person acting under the authority of the Processor shall comply with the instructions of the Controller when processing Personal Data under this Agreement, except where required to do so under EU law or the law governing this Agreement. Instructions must be given in accordance with this Contract and shall in particular include instructions to erase, amend or otherwise deal with personal data.

6.3. The controller may only entrust the processor with sufficient guarantees to take appropriate technical and organizational measures to ensure that the processing of personal data complies with the requirements of the Regulation and the OOU Act and to ensure the protection of the data subject’s rights. The consent of the data subject shall not be required to authorize the processor to process personal data pursuant to the first sentence.

6.4. The processor shall in particular process personal data in accordance with this Agreement, the Master Agreement, the Regulation and the OOU Act.

6.5. The Processor shall only process personal data on the basis of documented instructions from the Controller, even if the personal data are transferred to a third country or an international organization, except for transfers pursuant to a special regulation or an international treaty to which the Slovak Republic is bound; in the case of such a transfer, the Processor shall notify the Controller of this requirement before processing the personal data, unless a special regulation or an international treaty to which the Slovak Republic is bound prohibits such notification for reasons of public interest.

6.6. The Processor is obliged to process personal data in accordance with the basic principles of personal data processing, whereby:

1. a) personal data may be processed only in a lawful manner and in such a way as to avoid violating the fundamental rights of the data subject;
2. b) personal data may only be collected for a specifically identified, explicitly stated and legitimate purpose and may not be further processed in a way that is incompatible with that purpose;
3. c) the personal data processed must be adequate, relevant and limited to the necessary extent given for the purpose for which they are processed;
4. d) the personal data must be accurate and kept up to date as necessary;
5. e) the personal data must be kept in a form which permits identification of the data subject at the latest for as long as is necessary for the purpose for which the personal data are processed;
6. f) personal data must be processed in a manner which ensures, through appropriate technical and organizational measures, adequate security of personal data, including protection against unauthorized processing of personal data, unlawful processing of personal data, accidental loss of personal data, erasure of personal data or damage to personal data.

6.7. Taking into account the nature of the processing of personal data, the Processor shall, to the greatest extent possible, cooperate with the Controller by appropriate technical and organizational measures in fulfilling its obligation to take action at the request of the data subject pursuant to Chapter III of the Regulation of Title II of Part Two of the OOU.

6.8. The Processor shall provide the Controller with assistance in ensuring compliance with the obligations under § 39 to 43 of the OOU Act, § 32 to 36 of the Regulation relating to security of processing, notification of personal data breaches, data protection impact assessments and prior consultation, taking into account the nature of the processing of personal data and the information available to the Processor.

6.9. The Processor shall, at the time of obtaining the personal data, provide the data subject with the information pursuant to § 19 of the OOU and § 13 of the Regulation, on the basis of an information document drawn up by the Controller for this purpose and provided to the Processor. The Controller shall be responsible for the provision of information to data subjects. The Processor is obliged to provide the Controller with assistance in exercising the data subject’s rights within the meaning of § 21 to 28 and §  41 of the OOU and within the meaning of Chapter III and Article 34 of the Regulation. The Processor shall notify the Controller without undue delay of any exercise of rights by the data subject, who shall process the request or, where appropriate, entrust the processing of the request to the Processor.

6.10. As soon as the purpose for which the personal data were processed has ceased to exist, or at the request of the data subject pursuant to Article 17 of the Regulation, the Processor shall, on the basis of the instructions of the Controller, destroy the personal data or transfer the personal data to the Controller.

6.11. The Processor is required to keep a record of the categories of processing activities it has carried out on behalf of the Controller in accordance with § 37 of the OOU and Article 30(2) of the Regulation.

6.12. The Processor is obliged to inform the Controller without undue delay if it considers that the Controller’s instructions violate the OOU Act, the Regulation, a special regulation or an international treaty to which the Slovak Republic is bound concerning the protection of personal data.

7. Security of processing

7.1. The processor is obliged to ensure the security of personal data. The processor shall protect personal data against damage, destruction, loss, alteration, unauthorized access and disclosure, disclosure or communication, as well as against any other impermissible means of processing.

7.2. The processor shall take appropriate technical and organizational measures, having regard to the state of the art, the cost of implementing the measures, the nature, scope, context and purpose of the processing of personal data and the risks of varying likelihood and severity to the rights of natural persons, to ensure a level of security appropriate to that risk, which may include, in particular:

1. pseudonymisation and encryption of personal data,

1. b) ensuring the continued confidentiality, integrity, availability and resilience of personal data processing systems,
2. c) a process for restoring the availability of and access to personal data in the event of a physical or technical incident,
3. d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of the processing of personal data,

7.3. The processor is obliged to put in place, before processing personal data and during the processing of personal data, a specifically designed personal data protection system consisting of the adoption of appropriate technical and organizational measures, in particular in the form of pseudonymisation, to effectively implement adequate safeguards for the protection of personal data and to comply with the basic principles pursuant to § 6 to 12 of the OOU Act and Article 5 of the Regulation.

7.4. The processor is obliged to put in place standard personal data protection, which consists in the adoption of appropriate technical and organizational measures to ensure that personal data are processed only for a specific purpose, that the amount of personal data collected and the scope of processing, the retention period and the availability of personal data are minimized. The controller is obliged to ensure that personal data are not accessible by default to an unlimited number of natural persons without the intervention of the natural person.

7.5. The Processor is obliged to provide the Controller with assistance in ensuring compliance with the obligations under § 39 to 43 of the OOU and § 32 to 36 of the Regulation, taking into account the nature of the processing of personal data and the information available to the Processor.

7.6. The Processor shall, when processing personal data by non-automated means, in particular:

1. a) not to allow third parties access to the personal data,
2. b) not to leave documents containing personal data freely accessible outside lockable premises or outside lockable cabinets and drawers,
3. c) store documents containing personal data in lockable cabinets or drawers,
4. d) when printing documents containing personal data, ensure that they are not accessible to third parties,
5. e) lock cabinets, drawers and rooms containing documents containing personal data.

7.7. When processing personal data by automated means, the processor shall in particular:

1. a) place the means for processing personal data (in particular PCs, laptops, storage media, etc.) in lockable premises,
2. b) ensure that third parties do not have access to the means for processing personal data, in particular that they are password-protected and that they are not left in a publicly accessible place by an authorized person,
3. c) ensure that the technical means are protected by antivirus protection,
4. d) not to use public communication systems and not to download programs from the Internet.

7.8. The Processor is obliged to notify the Controller of a personal data breach without undue delay after becoming aware of it.

7.9. The notification pursuant to paragraph 7.8. of this Article shall include in particular:

1. a) a description of the nature of the personal data breach, including, if possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected,
2. b) the contact details of the responsible person or other point of contact where more information can be obtained,
3. c) a description of the likely consequences of the personal data breach,
4. d) a description of the measures taken or proposed by the Data Controller to remedy the personal data breach, including, if necessary, measures to mitigate its potential adverse effects.

7.10. The Processor is required to implement and document the technical and organizational measures adopted and implemented to ensure the protection of personal data in accordance with the Regulation and the OOU.

7.11. The Controller and the Processor shall take steps to ensure that any natural person acting under the authority of the Controller or the Processor who has access to personal data processes that data only on the instructions of the Controller, except where required to do so under EU or Member State law.

8. Authorisation of another intermediary

8.1. The Processor shall comply with the terms and conditions for the involvement of an additional processor in the processing operations as set out in this Agreement, the Regulation and the OOU Act.

8.2. The Processor shall not entrust the processing of personal data to another processor without the prior specific written consent of the Controller or the general written consent of the Controller.

8.3. The Controller hereby grants the Processor general written consent to entrust another processor with the processing of personal data.

8.4. The Processor is obliged to inform the Controller in advance of the entrustment of the additional processor or its replacement by sending a notification by electronic mail to the Controller’s email address notified to the Processor. The Controller shall have the right to object to such changes.

8.5. If the Processor engages another processor to carry out specific processing activities on behalf of the Controller, the Processor shall impose on that other processor, by contract or other legal act, the same obligations relating to the protection of personal data as those set out in this Agreement or in any other legal act between the Controller and the Processor, in particular the provision of sufficient guarantees to take appropriate technical and organizational measures to ensure that the processing of personal data complies with the requirements of this Agreement, the Regulation and the OOU Act. The Processor shall be liable to the Controller if the other processor fails to comply with its data protection obligations.

9. Silence

9.1. The Processor is obliged to maintain confidentiality of all facts and information of which it has become aware in the performance of this Agreement and the processing of personal data under the authority of the Controller. The obligation of confidentiality shall survive the termination of this Agreement.

9.2. The Processor is obliged to ensure that the persons authorized to process personal data undertake to keep confidential the information of which they have become aware, unless they are bound by a duty of confidentiality under a specific law.

10. Audit

10.1. The Processor shall provide the Controller with the information necessary to demonstrate compliance with its obligations under this Agreement, the Regulation and the OOU Act.

10.2. The Processor shall allow the Controller to carry out a personal data protection audit and shall also allow the Controller or an auditor appointed by the Controller to carry out an audit and provide the necessary cooperation in carrying out these activities.

10.3. The Parties agree that the Controller shall be entitled to carry out a data protection audit and inspection:

1. a) In the event of a suspected breach of this Agreement, the Regulation or the OOU Act,
2. b) in the event of a data breach,
3. c) in the event of a request by the data subject pursuant to the OOU or the Regulation.

10.4. The Data Controller is obliged to inform the Processor of the date of the audit or inspection by a notice sent by post or e-mail, at least 7 days in advance. The Operator shall confirm the date of the audit or inspection without undue delay or propose another date so that the audit takes place no later than 14 days from the date of sending the notification. If the Intermediary does not confirm the date of the audit or inspection, the Operator shall be deemed to have agreed to the date.

10.5. The audit or inspection shall take place at the headquarters or premises of the Intermediary, unless the parties agree on another place for the audit.

10.6. The Processor shall ensure the presence of the responsible person, or other person in charge of the data protection agenda, and other persons necessary to provide complete information on the protection of personal data.

11. Duration of the Contract

11.1. This Contract shall come into force and effect on the date of the Main Contract and shall terminate on the termination of the Main Contract, unless otherwise specified later in this Contract.

11.2. This Contract may be terminated prior to the expiry of the Main Contract:

1. by agreement of the Parties in writing,

1. b) by termination by one of the Parties,
2. c) by withdrawal from the Contract.

11.3. Either of the Parties shall be entitled to terminate this Contract without giving any reason. Termination must be in writing and delivered to the other Party by post or by electronic mail to the email address notified to the other Party. The period of notice shall be one month and shall commence on the first day of the calendar month following the month in which the notice of termination is given to the other Party.

11.4. The Operator shall be entitled to terminate this Agreement if the Intermediary has breached its obligations under this Agreement, the Regulation or the OOU Act. The Processor shall be entitled to withdraw from this Agreement if the Controller insists on the Processing of Personal Data by the Processor as instructed, even if the Processor has informed the Controller without undue delay, in accordance with clause 6.12 of this Agreement, that it considers that the Controller’s instruction violates the OOU Act, the Regulation, a specific regulation or an international treaty to which the Slovak Republic is bound relating to the protection of personal data.

11.5. The Processor shall be entitled to process the personal data of the Data Subjects within the meaning of clause 4.1 only for the duration of this Agreement.

11.6. Upon termination of this Agreement, the Processor shall, at the Operator’s discretion, erase all original documents in written form containing personal data and all documents in electronic form containing personal data, all scans of documents, records, databases and backups to the extent related to the subject matter of this Agreement and the Master Agreement, or return them to the Operator and delete existing copies. Those documents in paper and electronic form that have not been handed over to the Operator shall be destroyed by the Intermediary without undue delay.

11.7. The Processor shall have the same obligations as under clause 11.6 in the event of termination of the provision of services relating to the processing of personal data.

12. Declaration of the Parties

12.1. The Controller declares that, in selecting the Processor, it has acted in accordance with the Regulation and the OOU Act, taking care to ensure that the Processor provides sufficient guarantees to take technical and organizational measures to ensure that the processing of personal data complies with the requirements under the Regulation and the OOU Act.

12.2. The Processor declares that it provides sufficient guarantees to take technical and organizational measures to ensure that the processing of personal data complies with the requirements under this Agreement, the Regulation and the OOU Act.

13. Right to compensation and liability

13.1. The Processor shall be liable for damages caused by the processing of personal data if it has failed to comply with its obligations under § 34 to 37, § 39, 40(3), § 44, § 45, § 51(3) of the OOU Act, or if it has acted in excess of or contrary to the Controller’s instructions which were in accordance with the OOU Act.

13.2. The Intermediary may be released from liability under paragraph 1 of this Article if it proves that it did not cause the damage.

13.3. If the Operator has paid compensation in full in accordance with § 38(4) of the OOU Act, it shall be entitled to claim from the Intermediary that part of the compensation which corresponds to its share of liability for damages under the conditions set out in paragraph 1 of this Article.

14. Final provisions

14.1. Legal relations, obligations, rights and duties arising from this Agreement, as well as any amendments thereto and its interpretation shall be governed by the legal regulations of the Slovak Republic, in particular the OOU Act, Act No. 513/1991 Coll., the Commercial Code as amended, and the Regulation.

14.2. The Parties undertake to resolve any dispute arising in connection with the performance of this Contract preferably amicably. In the event of failure to reach an amicable settlement, each of the Parties shall be entitled to resolve the aforementioned disputes through the courts of law, with the courts of the Slovak Republic having exclusive jurisdiction to decide on any disputes relating to this Contract, including contracts related thereto.

14.3. Any amendments to this Contract may be made only in the form of a written amendment signed by both Parties. The scope of the personal data processed pursuant to clause 4.2 of this Agreement may be extended or otherwise changed according to the functionality used in the Zooza application without the need to enter into an amendment to this Agreement or the GTC.

14.4. Terms not further defined in this Agreement but referred to herein shall have the meanings set forth in the GTC and the Master Agreement.

14.5. In the event that any provision of this Contract, or part thereof, is or becomes invalid, ineffective and/or unenforceable, the validity, effectiveness and/or enforceability of the remaining provisions of the Contract shall not be affected as if the Contract had been entered into without such invalid provisions.

14.6. In entering into this Contract, the Parties declare that this Contract is an expression of their true intentions, their contractual expressions are sufficiently clear and certain and their freedom of contract is not limited.

14.7. These Terms and Conditions shall come into force and effect on 15.2.2023.

Zooza s.r.o.