Data Processing Agreement

According to the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as the "GDPR"), Provider (hereinafter referred to as the "Processor") and You (hereinafter referred to as the "Controller") are entering into the data processing contractual relationship in order to define the terms and conditions for the processing of personal data, the manner of its protection, as well as to define other rights and obligations of both parties in the processing of personal data of data subjects on behalf of the Controller during the course of performing the subject matter of these Terms as the main contract.

1. Personal Data Processing. The services provided in compliance with these Terms includes processing information relating to an identified or identifiable natural person listed in the Privacy Policy (hereinafter referred to as the "Personal Data").

2. Authorization. The Controller authorizes the Processor to process Personal Data, including the following instructions:

(i) Purpose of Processing shall mean the provision of services in compliance with these Terms. The Processor is only allowed to process Personal Data on behalf of the Controller regarding the provision of services requested by Controller. All information collected for additional purposes is processed outside of Controller-Processor contractual relationship.

(ii) Processing Period shall mean period from entering cooperation under these Terms to termination of services,

(iii) Scope and Categories of Personal data shall include general personal data, excluding any special categories of Personal Data,

(iv) Data Subject shall mean natural person as an authorized user of Controller’s devices,

(v) Processing Activities shall mean every and all operation necessary for the purpose of processing,

(vi) Documented Instructions shall mean instructions described in these Terms, its Annexes, Privacy Policy, and service documentation. The Controller shall be responsible for the legal admissibility of the processing of Personal Data by the Processor regarding the respective applicable provisions of data protection law.

3. Obligations of Processor. The Processor shall be obliged to:

(i) process Personal Data only on the grounds of Documented instructions and for the purpose defined in Terms, its Annexes, Privacy Policy, and service documentation,

(ii) ensure that persons authorized to process the Personal Data have committed themselves to confidentiality and follow the Documented instructions,

(iii) implement and follow the measures described in Terms, its Annexes, Privacy Policy, and service documentation,

(iv) assist the Controller with responding to requests from Data Subjects related to their rights. The Processor shall not correct, delete or restrict the processing of Personal Data without the instruction from Controller. All requests from Data Subject related to Personal Data processed on behalf of the Controller shall be forwarded to the Controller without delay.

(v) assist the Controller with notification of personal data breach to the supervisory authority and Data Subject,

(vi) delete or return all the Personal Data to the Controller after the end of Processing Period,

(vii) keep an up-to-date register of all the categories of Processing Activities carried out on behalf of Controller,

(viii) make all information necessary to demonstrate compliance as part of Terms, its Annexes, Privacy Policy, and service documentation available to the Controller.

4. Engaging Another Processor. The Processor is entitled to engage another processor for carrying out specific processing activities such as the provision of cloud storage and infrastructure for the service in compliance with Terms, its Annexes, Privacy Policy, and service documentation. Currently, Microsoft provides cloud storage and infrastructure as part of Azure Cloud Service. In such a case, the Processor shall remain the only point of contact and the party responsible for compliance.

5. Territory of Processing. The Processor ensures that processing takes place in the European Economic Area or a country designated as safe by the decision of the European Commission based on the decision of the Controller. Standard Contractual Clauses shall apply in case of transfers and processing located outside of the European Economic Area or a country designated as safe by the decision of the European Commission upon the request of the Controller.

6. Security. The Processor is ISO 27001:2013 certified and uses the ISO 27001 framework to implement a layered defense security strategy when applying security controls on the layer of the network, operating systems, databases, applications, personnel, and operating processes. Compliance with the regulatory and contractual requirements is regularly assessed and reviewed similarly to other infrastructure and operations of Processor, and necessary steps are taken to provide compliance on a continuous basis. The Processor has organized the data security using ISMS based on ISO 27001. The security documentation includes mainly policy documents for information security, physical security, and security of equipment, incident management, handling of data leaks and security incidents, etc.

7. Processor’s Contact Information. All notifications, requests, demands and other communication concerning personal data protection shall be addressed to ESET, spol. s.r.o., attention of: Data Protection Officer, Einsteinova 24, 85101 Bratislava, Slovak Republic, email: dpo@eset.sk.