No Widget Added

Please add some widget in Offcanvs Sidebar

Shopping cart

0 FREE Preview

Data Processing Agreement

Data Processing Agreement
in accordance with Art. 28 GDPR

between

Customer
hereinafter referred to as the “Controller

and

Brigantina Group s.r.o.
IČO: 24719412
Zdiměřická 2403/12,
Prague, Czech Republic

hereinafter referred to as the “Processor

Preamble

The Controller has selected the Processor to act as a service provider in accordance with Art. 28 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, “GDPR”).

This Data Processing Agreement, including all Annexes (hereinafter referred to collectively as the “Agreement”), specifies the data protection obligations of the parties from the underlying Principal Agreement, the Contract for paid services and/or the order descriptions (hereinafter referred to collectively as the “Principal Agreement”).

The Processor guarantees the Controller that it will fulfil the Principal Agreement and this Agreement in accordance with the following terms:

Sect. 1 Scope and definitions

    1. The following provisions shall apply to all services of data processing provided by the Processor on behalf of the Controller under Art. 28 GDPR, which the Processor performs on the basis of the Principal
    2. If this Agreement uses the term “data processing” or “processing” of data, this shall be generally understood to mean the use of personal data. Data processing or the processing of data shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or
    3. Reference is made to further definitions set forth in 4 GDPR.

Sect. 2 Subject matter and duration of the data processing

    1. The Processor shall process personal data on behalf and in accordance with the instructions of the
    2. The data processing shall involve carrying out the training of students within the scope agreed with the Controller as agreed upon in the Principal
    3. The duration of this Agreement corresponds to the duration of the Principal

Sect. 3 Nature and purpose of the data processing

The nature and purpose of the processing of personal data by the Processor is specified in the Principal Agreement. The Principal Agreement includes the following activities and purposes:

The person responsible shall provide the processor with selected data in accordance with § 5 of this agreement. The contract Processor uses this customer data to provide and document the training service as described in the main contract.

Sect. 4 Categories of data subjects

The categories of individuals affected by the processing of personal data under this Agreement (“data subjects”) include:

Students who have been authorized by the Controller to use the service, provided they are natural persons.

Sect. 5 Types of personal data

The following types of personal data shall be processed under this Agreement:

    • Master data of the students as agreed with the Controller, usually first name, surname and e-mail address, phone number
    • Time, title and language of the completed training
    • Connection data when using the learning platform

Sect. 6 Rights and duties of the Controller

    • The Controller is solely responsible for assessing the lawfulness of the data processing and for safeguarding the rights of data subjects, and is hence a controller within the meaning of 4 (7) GDPR.
    • The Controller is entitled to issue instructions concerning the nature, scale and method of data Upon request by the Processor, the Controller shall confirm verbal instructions immediately in writing or in text form (e.g. by email) to the Processor.
    • Insofar as the Controller deems it necessary, persons authorized to issue instructions may be The Processor shall be notified of such in writing or in text form. In the event that the persons authorized to issue instructions change, the Controller shall notify the Processor of this change in writing or in text form, naming the new person in each case.
    • The Controller shall notify the Processor immediately of any errors or irregularities detected in relation to the processing of personal data by the

Sect. 7 Duties of the Processor

    1. Data processing

The Processor shall process personal data exclusively in accordance with this Agreement and/or the underlying Principal Agreement and in accordance with the Controller’s instructions.

2. Data subjects’ rights

      • The Processor shall, within its capabilities, assist the Controller in complying with the rights of data subjects, particularly with respect to rectification, restriction of processing, deletion of data, notification and information. If the Processor processes the personal data specified under 5 of this Agreement on behalf of the Controller and these data are the subject of a data portability request under Art. 20 GDPR, the Processor shall, upon request, make the dataset in question available to the Controller within a reasonably set time frame, in a structured, commonly used and machine-readable format.
      • If so instructed by the Controller, the Processor shall rectify, delete or restrict the processing of personal data specified under 5 of this Agreement. The same applies if this Agreement stipulates the rectification, deletion or restriction of the processing of data.
      • c. If a data subject contacts the Processor directly to have his or her personal data specified under Sect. 5 of this Agreement rectified, deleted or the processing restricted, the Processor shall forward this request to the Controller immediately upon receipt.

3.  Monitoring duties

      • The Processor shall ensure, by means of appropriate controls, that the personal data processed on behalf of the Controller are processed solely in accordance with this Agreement and/or the Principal Agreement and/or the relevant instructions.
      • The Processor shall organize its business and operations in such way that the data processed on behalf of the Controller are secured to the extent necessary in each case and protected from unauthorized access by third parties.
      • The Processor confirms that it has appointed a Data Protection Officer in accordance with Art. 37 GDPR and that the Processor shall monitor compliance with data protection and security laws. For questions about data protection the Controller can be contacted via [email protected]

4. Information duties

      • The Processor shall inform the Controller immediately if, in its opinion, an instruction issued by the Controller violates legal regulations. In such cases, the Processor shall be entitled to suspend execution of the relevant instruction until it is confirmed or changed by the Controller.
      • The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 GDPR taking into account the nature of processing and the information available to the Processor.

5. Location of processing

The processing of the data shall in principle take place in the territory of the Czech Republic, in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled.

6. Deletion of personal data after order completion

After termination of the Principal Agreement, the Processor shall delete or return all the personal data processed on behalf of the Controller to the Controller after the end of the provision of services relating to processing and delete existing copies, provided that the
deletion of these data does not conflict with any statutory storage obligations of the Processor. The deletion in accordance with data protection and data security regulations must be documented and confirmed upon request to the Controller.

Sect. 8 Monitoring rights of the Controller

    1. The Controller shall be entitled, after prior notification in good time and during normal business hours, to carry out an inspection of compliance with the provisions on data protection and the contractual agreements to the extent required, either himself or through third parties, without disrupting the Processor’s business operations or endangering the security measures for other Controller and at his own expense. Controls can also be carried out by accessing existing industry-standard certifications of the Processor, current attestations or reports from an independent body (such as auditors, external data protection officers or external data protection auditors) or self-assessments. The Processor shall offer the necessary support to carry out the
    2. The Processor shall inform the Controller of the execution of inspection measures by the supervisory authority to the extent that such measures or requests may concern data processing operations carried out by the Processor on behalf of the

Sect. 9 Subprocessing

    1. The Controller authorizes the Processor to make use of other processors in accordance with the following subsections in Sect. 9 of this Agreement. This authorization shall constitute a general written authorization within the meaning of 28 (2) GDPR.
    2. The Processor currently works with the subcontractors specified in Annex 2 and the Controller hereby agrees to their
    3. The Processor shall be entitled to appoint or replace other processors. The Processor shall inform the Controller in advance of any intended change regarding the appointment or replacement of other The Controller may object to an intended change.
    4. The objection to the intended change must be lodged with the Processor within 2 weeks after receipt of the information on the change. In the event of an objection, the Processor may, at his own discretion, either provide the service without the intended change or propose an alternative subcontractor and coordinate it with the Controller. Insofar as the provision of the service is unreasonable for the Processor without the intended modification – for example, due to the associated disproportionate costs for the Processor – or the agreement on an alternative subcontractor fails, the Controller and the Processor may terminate this Agreement as well as the Principal Agreement with a notice period of one month to the end of the month.
    5. A level of protection comparable to that of this Agreement must always be guaranteed when other processors are The Processor is liable to the Controller for all acts and omissions of other processors it appoints.

Sect. 10 Confidentiality

    1. The Processor is obliged to maintain confidentiality when processing data for the
    2. In fulfilling its obligations under this Agreement, the Processor undertakes to employ only employees or other agents who are committed to confidentiality in the handling of personal data provided and who have been appropriately familiarized with the requirements of data Upon request, the Processor shall provide the Controller with evidence of the confidentiality commitments.
    3. Insofar as the Controller is subject to other confidentiality provisions, it shall inform the Processor The Processor shall oblige its employees to observe these confidentiality rules in accordance with the requirements of the Controller.

Sect. 11 Technical and organizational measures

    1. The technical and organisational measures described in Annex 1 are agreed upon as The Processor may update and amend these measures provided that the level of protection is not significantly reduced by such updates and/or changes.
    2. The Processor shall observe the principles of due and proper data processing in accordance with Art. 32 in conjunction with Art. 5 (1) GDPR. It guarantees the contractually agreed and legally prescribed data security measures. It will take all necessary measures to safeguard the data and the security of the processing, in particular taking into account the state of the art, as well as to reduce possible adverse consequences for the affected parties. Measures to be taken include, in particular, measures to protect the confidentiality, integrity, availability and resilience of systems and measures to ensure continuity of processing after incidents. In order to ensure an appropriate level of processing security at all times, the Processor will regularly evaluate the measures implemented and make any necessary

Sect. 12 Liability/Indemnification

    1. The Processor shall be liable to the Controller for any and all loss or damage culpably caused in the performance of the services under the Principal Agreement or by a breach of applicable statutory data protection obligations on the part of the Processor, its employees or parties commissioned by it to implement the Principal Agreement. The Processor shall not be obliged to pay compensation if the Processor proves that it has processed the data provided by the Controller solely in accordance with the instructions of the Controller and that it has complied with its obligations arising from the GDPR specifically directed to
    2. The Controller shall indemnify the Processor against any and all claims for damages asserted against the Processor based on the Controller’s culpable breach of its own obligations under this Agreement or under applicable data protection and security

Sect. 13 Miscellaneous

    1. In case of contradictions between the provisions contained in this Agreement and provisions contained in the Principal Agreement, the provisions of this Agreement shall
    2. Amendments and supplements to to this Agreement shall be subject to the mutual consent of the contracting parties, with specific reference to the provisions of this Agreement to be Verbal side agreements do not exist and shall also be excluded for any subsequent changes to this Agreement.
    3. This Agreement is exclusively subject to the laws of the Czech
    4. In the event that access to the data which the Controller has transmitted to the Processor for data processing is jeopardized by third-party measures (measures taken by an insolvency administrator, seizure by revenue authorities, etc.), the Processor shall notify the Controller of such without undue

Schedule of Annexes

Annex 1 –  Technical and organizational measures taken to ensure the security of processing

Annex 2 – Subprocessors pursuant to Sect. 9 of this Data Processing Agreement

Annex 1

Technical and organizational measures to ensure the security of processing The Processor guarantees that the following technical and organizational measures have been taken: 1. Encryption measures

Measures or operations in which a clearly legible text/information is converted into an illegible, i.e. not easily interpreted, character string (secret text) by means of an encryption method (cryptosystem).

Description of the encryption measure:

Symmetrical/asymmetrical encryption of connections between participant clients and servers and between servers.

2.Physical access control

Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data storage media.

Description of physical access control:

No unauthorized access to data processing systems via electronic keyfob door openers.

3.Logical access control

Measures to prevent unauthorized persons from processing or using data which is protected by data privacy laws.

Description of logical access control system:

No unauthorized system use via secure passwords, automatic computer locking mechanisms, and encryption of data carriers.

4. Data access control

Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage.

Description of data access control:

No unauthorized reading, copying, modification or removal within the system, via an authorization concepts and on-demand access rights, a clean desk policy and automatic locking of computers in absentia.

5.Separation rule

Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes.

Description of the separation control process:

Separate processing of data collected for different purposes via an authorization concept, a software-based customer separation and a separation of test and production systems.

6.Transmission control

Measures to ensure that it is possible to verify and establish to which bodies personal data may be or have been transmitted or made available using data communication equipment.

Description of transmission control:

No unauthorized reading, copying, modification or removal during electronic transmission or transport via encryption.

7.Availability control

Measures to ensure that personal data are protected against accidental destruction or loss. Description of the availability control system:

Hosting and data backup procedure.

Annex 2

Subprocessors pursuant to Sect. 9 Data Processing Agreement

The Processor currently works with the following subcontractors and the Controller hereby agrees to their appointment.

3NТ SОLUТIОNS LLР22 Brоndеsbury Pаrk, Willesden, London NW6 7DLWebsite hosting and data storage of course and participants
Zoho Corporation B.V.Beneluxlaan 4B 3527 HT UTRECHT The NetherlandsCustomer service via email, transactions emails