This Data Processing Agreement (the “Data Processing Agreement” or “DPA”) is made and entered into by and between YourPass (YOUR PASS, s.r.o., Prague 4 - Chodov, Türkova 2319/5b, 149 00 Czech Republic, Company ID: 24809888, file no. C 176332 maintained by the Municipal Court in Prague, or YOUR PASS GmbH, Edisonstraße 63, 12459 Berlin-Oberschöneweide, Steuer-Nr.: 301/5855/0673, USt-IdNr: DE31725081, maintained by Amtsgericht Charlottenburg (Berlin) HRB 194946 B, or another YourPass group company with which you concluded the Agreement) and Client as of the Order Form Effective Date set forth therein and sets forth certain terms of the cooperation of the Provider and the Client relating to personal data processing. All capitalized terms not defined herein shall have the meanings ascribed to them by the Agreement, if applicable.
1. Data Protection
1.1. “Agreement” means this DPA and any Order Form referencing this DPA, including but not limited to Provider’s Master Services Agreement and any other schedules, Service Descriptions, statements of work, exhibits or appendices thereto, whether attached or incorporated by reference.
1.2. Definitions. In this Clause, the following terms shall have the following meanings: (a) "controller", "processor", "data subject", "personal data" and "processing" (and "process") shall have the meanings given in Applicable Data Protection Law; and (b) "Applicable Data Protection Law" shall mean: Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) and any other applicable local data protection laws.
1.3. Relationship of the parties. Controller appoints Processor to process the personal data that is the subject of the Agreement by and between the parties (the "Data"). Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
1.4. Prohibited data. Controller shall not disclose (and shall not request any data subject to disclose) any special categories of Data to Processor for processing that are not expressly disclosed in Annex A.
1.5. Purpose limitation. Processor shall process the Data as a Processor for the purposes described in Annex A and strictly in accordance with the documented instructions of Controller (the "Permitted Purpose"), except where otherwise required by any EU (or any EU Member State) law applicable to Controller. In no event shall Processor process the Data for its own purposes or those of any third party. Processor shall immediately inform Controller if it becomes aware that Controller's processing instructions infringe Applicable Data Protection Law (but without obligation to actively monitor Controller's compliance with Applicable Data Protection Law).
1.6. International transfers. Processor shall not transfer the Data (nor permit the Data to be transferred) outside of the European Economic Area ("EEA") unless (i) it has first obtained Controller's prior written consent; and (ii) it takes such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Such measures may include (without limitation) transferring the Data to a recipient in a country that the European Commission has decided provides adequate protection for personal data, to a recipient that has achieved binding corporate rules authorisation in accordance with Applicable Data Protection Law, to a recipient in the United States that has certified its compliance with the EU-US Privacy Shield, or to a recipient that has executed standard contractual clauses adopted or approved by the European Commission.
1.7. Confidentiality of processing. Processor shall ensure that any person that it authorises to process the Data (including Processor's staff, agents and subcontractors) (an "Authorised Person") shall be subject to a strict duty of confidentiality (whether a contractual duty or a statutory duty), and shall not permit any person to process the Data who is not under such a duty of confidentiality. Processor shall ensure that all Authorised Persons process the Data only as necessary for the Permitted Purpose.
1.8. Security. Processor shall implement appropriate technical and organisational measures to protect the Data from (i) accidental or unlawful destruction, and (ii) loss, alteration, unauthorised disclosure of, or access to the Data (each a "Security Incident"). Such measures shall have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing. Such measures shall include, as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
1.9. Subprocessing. Processor shall not subcontract any processing of the Data to a third party subprocessor without the prior written consent of Controller. Notwithstanding this, Controller consents to Processor engaging third party subprocessors to process the Data provided that: (i) Processor provides at least 30 days' prior notice of the addition of any subprocessor (including details of the processing it performs or will perform), which may be given by posting details of such addition at a URL to be provided to Controller; (ii) Processor imposes data protection terms on any subprocessor it appoints that protect the Data to the same standard provided for by this DPA; and (iii) Processor remains fully liable for any breach of this DPA that is caused by an act, error or omission of its subprocessor. A list of approved subprocessors as at the date of this DPA is attached hereto. If Controller refuses to consent to Processor's appointment of a third party subprocessor on reasonable grounds relating to the protection of the Data, then either Processor will not appoint the subprocessor or Controller may elect to suspend or terminate the Master Services Agreement.
1.10. Cooperation and data subjects' rights. Processor shall provide all reasonable and timely assistance (including by appropriate technical and organisational measures) to Controller to enable Controller to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of the Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Processor, Processor shall promptly inform Controller providing full details of the same.
1.11. Data Protection Impact Assessment. If Processor believes or becomes aware that its processing of the Data is likely to result in a high risk to the data protection rights and freedoms of data subjects, it shall promptly inform Controller and provide Controller with all such reasonable and timely assistance as Controller may require in order to conduct a data protection impact assessment and, if necessary, consult with its relevant data protection authority.
1.12. Security incidents. Upon becoming aware of a Security Incident, Processor shall inform Controller without undue delay and shall provide all such timely information and cooperation as Controller may require in order for Controller to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Processor shall further take all such measures and actions as are necessary to remedy or mitigate the effects of the Security Incident and shall keep Controller informed of all developments in connection with the Security Incident.
1.13. Deletion or return of Data. Upon termination or expiry of the Agreement, Processor shall (at Controller's election) destroy or return to Controller all Data (including all copies of the Data) in its possession or control (including any Data subcontracted to a third party for processing). This requirement shall not apply to the extent that Processor is required by any EU (or any EU Member State) law to retain some or all of the Data, in which event Processor shall isolate and protect the Data from any further processing except to the extent required by such law.
1.14. Audit. Processor shall make available to Controller all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement. In fulfilment of this requirement, the Processor shall respond to any reasonable written audit questions submitted to it by Controller, provided that Controller shall not exercise this right more than once per year.
Annex A: Data Processing Description
This Annex A forms part of the DPA and describes the processing that the Processor will perform on behalf of the Controller.
The Controller is a customer of Processor that will provide data to Processor in order to allow Processor to provide services to Controller pursuant to the Agreement.
The Processor is a software company that provides SaaS services for the purpose of issuing and administering virtual cards in mobile wallets and any other purposes to be agreed by the Parties.
Categories of data subjects
The personal data to be processed concern the following categories of data subjects:
Users of the virtual cards;
Any other individuals whose personal data are uploaded or transmitted via the Services.
Categories of data
The Personal Data to be processed concern the following categories of data:
Identification data of virtual card users (including, for example, name, address, email address);
Electronic identification data (including, for example, login details);
Descriptive information about the virtual card users as defined for the respective virtual card by the Controller;
Any other Personal Data uploaded or transmitted via the Services.
Special categories of data
The Services are not designed to accommodate sensitive personal information, such as, for example, individual health or medical information, and Controller agrees not to input such data into the Services.
Processing activities
The personal data will be subject to the following basic processing activities: processing activities that are necessary to provide the Services, including hosting, storage, providing access and applying analytics.
Approved subprocessors
Amazon Web Services, Inc.
Use case: Server infrastructure, web services, data storage, etc.
Location: 2021 Seventh Ave., Seattle, Washington 98121, USA
YOUR SYSTEM, spol. s.r.o.
Use case: IT solution vendor, Help desk subcontractor, etc.
Location: Prague 4 - Chodov, Türkova 2319/5b, 149 00, Czech Republic