These Data Processing Terms are part of the Agreement, concluded between the Customer and the RainFellows s.r.o. (the Provider). RainFellows s.r.o. (the Provider) and the Customer may jointly be referred to as the “Parties” and individually as a “Party”.
By concluding the Agreement, the Customer confirms that it has read the Data Processing Terms, acquainted itself with the contents hereof, understands the Data Processing Terms and agrees with them.
If the Customer is a legal entity, then the acting natural person who is concluding the Agreement with the Provider and agrees with the Data Processing Terms on behalf of the Customer also declares that he/she is
authorised to conclude the Agreement and accept the Data Processing Terms on the Customer’s behalf.
1.1. The meaning of the capitalised terms is defined in the table below unless expressly stipulated otherwise.
|GDPR||Regulation (EU) 2016/679 of the European Parliament and of the Council of|
27 April 2016 on the protection of natural persons with regard to the
processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC.
|Data Processing Terms||These Data Processing Terms of Rainfellows.|
|Provider||RainFellows s.r.o., Id. No.: 28137736, with its registered office at Masarykovo náměstí 38/21, Moravská Ostrava, 702 00 Ostrava, Czech Republic, registered in the Commercial Register kept by the Regional Court in Ostrava, under File No. C 56878.|
|Services||Training of agile (or lean) methodology, practical problem-solving workshops (employment of various managerial styles), consultancy for managers (personal development, improvement of managerial skills – mentoring),|
workshops and consultancy regarding knowledge management, project management, leadership.
|Agreement||The Agreement concluded between the Customer and the Provider on the basis of which the Provider shall provide Services to the Customer and the Customer shall pay the agreed price to the Provider.|
|Customer||The entity who concluded the Agreement with the Provider.|
2. INTRODUCTORY PROVISIONS
2.1. As part of the provision of the Services, personal data of the Customer’s data subjects may be processed. The Data Processing Terms stipulates the rules for processing of personal data by the Provider as the processor of personal data in the sense of Art. 28 of GDPR.
3. DUTIES AND INSTRUCTIONS REGARDING DATA PROCESSING
3.1. The Parties acknowledge and agree that:
- The Provider is the processor of personal data of the Customer’s data subjects;
- The Customer is the controller or possibly the processor of personal data of the Customer’s data subjects; and
- Both parties agree to perform their obligations following from the applicable legal regulations regarding processing of personal data of the Customer’s data subjects.
3.2. If the Customer acts as the processor, the Customer guarantees to the Provider that the competent controller has agreed to its instructions and activities regarding personal data of the Customer’s data subjects, including the authorisation of the Provider as another processor.
3.3. The Provider shall only process personal data of the Customer’s data subjects in accordance with the applicable legal regulations and for the purpose of: a) providing the Customer with Services, and b) as indicated in other written instructions by the Client.
4. DURATION OF PERSONAL DATA PROCESSING
4.1. The Provider shall only process the personal data of the Customer’s data subjects for the duration of provision of Services according to the Agreement or until the Provider deletes all personal data of data
subjects according to this Data Processing Terms.
5. NATURE AND PURPOSE OF PERSONAL DATA PROCESSING
5.1. For the purposes of providing the Services to the Customer, the Provider shall process personal data of the Customer’s data subjects; both in electronic as well as analogue format.
5.2. The purpose of processing of the personal data is providing Services to the Customer.
6. TYPES OF PERSONAL DATA
6.1. The following categories of personal data shall be subject to processing according to this Data Processing Terms:
- contact details;
- identification details; and
- details regarding the relationship of the training participants to the Customer.
7. CATEGORIES OF DATA SUBJECTS
7.1. The Customer’s data subjects shall include the following categories of data subjects:
- the Customer’s employees;
- other data subjects, whose personal data are processed for the purpose of Service provision by the Provider to the Customer, and whose personal data were submitted by the Customer to the Provider for processing for the same reason.
8. RIGHTS AND OBLIGATIONS OF THE PARTIES
8.1. The Provider hereby represents and agrees that:
- should the Provider learn about a breach or a potential breach of security of personal data, an accidental or unlawful destruction, loss, change, or an unauthorized provision or disclosure of the personal data being processed, the Provider shall immediately, but no later than within 24 (twenty four) hours, inform the Customer in writing, describing in the best possible manner the existing or potential security threat, providing information on suitable measures on how to avoid or minimise the breach, and shall also take all measures necessary to minimise the damage;
- the Provider shall only process personal data within the EU or the EEA;
- personal data shall be secured in accordance with Article 9 hereof;
- the Provider shall only process personal data in accordance with this Data Processing Terms or on the basis of other instructions demonstrably provided by the Customer;
- the Provider shall provide the Customer with assistance in introducing and maintaining suitable technical and organisational measures to secure personal data, in reporting of personal data
breaches to the supervisory authority or the data subject, in evaluating of the impact on the protection of personal data, and in prior consultations with the supervisory authority;
- the Provider shall assist the Controller by appropriate technical and organisational measures with the view to fulfil the Customer’s obligation to respond to requests for exercising the data subject’s rights, not later than within 14 (fourteen) days of the Customer’s request;
- the Provider shall without delay, but no later than within one week, provide the Customer with all co-operation necessary to prove that technical and organisational measures are in place to ensure appropriate security of the personal data.
8.2. Should the Provider receive any request from the Customer’s data subject regarding his/her personal data during the processing of personal data of the Customer’s data subjects, the Provider shall inform the data subject that such request needs to be resolved directly with the Customer. The Customer is responsible for resolving such requests.
8.3. The Provider agrees not to commission any other processor for the processing of personal data without prior written consent of the Customer, with the exception of external instructors; and, should such other processors be commissioned, to ensure that they comply with the same data protection obligations as those stipulated in the Data Processing Terms.
8.4. The Provider is obliged to enable the Customer or any person authorised thereby to check (including by means of an audit or inspection) compliance with this Data Processing Terms, especially with the obligations concerning personal data processing arising herefrom, and shall provide co-operation during such checks based on justified instructions of the Customer or the person performing the check.
8.5. The Customer is obliged to send any request for audit exclusively to the e-mail address of the Provider firstname.lastname@example.org. After receiving a request for audit, the Provider and the Customer shall
agree in advance on the following: (a) the possible date of the audit, security measures and the methods of maintaining confidentiality during the audit; and (b) the expected commencement, scope and duration of the audit, the security measures and the methods of maintaining confidentiality during the audit.
8.6. The Provider may object in writing to any auditor engaged by the Customer if the Provider believes the auditor is not sufficiently qualified, is not independent, is competing with the Provider or is otherwise
clearly unsuitable. Based on such an objection, the Customer is obliged to engage a different auditor or perform the audit itself.
8.7. The Customer is responsible for the performance of all duties related to the processing of personal data of the Customer’s data subjects, in particular for proper informing the Customer’s data subjects of the
processing of their personal data, obtaining consent to the processing of the personal data of the Customer’s data subjects, if required, processing requests of the data subjects concerning the exercise of their rights (such as the right to information, access, rectification, erasure, restriction of processing, object, etc.). Furthermore, the Customer is responsible for the performance of all notification obligations towards the supervisory authority in relation to the processing of personal data of the Customer’s data subjects, in particular for notification of any personal data breach.
8.8. The Customer is solely responsible for getting acquainted with this Data Processing Terms and for evaluation of the security measures in place and the obligations of the Provider with regard to the Customer’s needs, in particular in relation to security obligations of the Customer following from generally binding legal regulations.
9. PERSONAL DATA SECURITY
9.1. The Provider put in place and agrees to apply the following measures to ensure security of processing of personal data for the whole duration of their processing:
- Organisational Measures:
- the Provider’s employees shall be regularly instructed on the principles of personal data safety and on cyber security;
- the Provider put in place rules for handling of personal data and valuable information;
- all of the Provider’s employees shall be bound by a confidentiality obligation at least with respect to all transferred personal data;
- Technical Measures:
- Antivirus solutions for malware protection;
- Network security solutions;
- Encryption of the hard disks and external media of the Provider’s employees;
- Backing up of the processed data;
- Protection of access to the Customer’s data by a password or a similar feature..
9.2. The Provider shall secure all technical means belonging to the Provider which shall be used to protect Service provision from cyber attacks using the newest and best measures with regard to the nature of the personal data and the state of the art. The Provider is liable for any damage to personal data by a third party should it be proven that the data were not appropriately secured in accordance with Article 9 hereof.
10. DESTRUCTION OF PERSONAL DATA AFTER CESSATION OF THEIR PROCESSING
10.1. Following the cessation of provision of Services, regardless of the manner or the reason for this cessation, the Provider shall permanently destroy all personal data of the Customer’s data subjects being processed under this Data Processing Terms, except for cases where storage of the personal data is required by the laws of the Czech Republic or the European Union.
11.1. The Provider is entitled to charge the Customer for purposefully expended costs related to the processing of any request under Article 8 of this Data Processing Terms, or an inspection pursuant to Section 8.4 hereof.