APPENDIX NO. 1 TO THE GENERAL TERMS AND CONDITIONS OF THE EMAIL MACHINE SERVICE
(hereinafter referred to as the “Processing Agreement”) concluded between:
You, the user of Email Machine Services;
(hereinafter referred to as the “Controller”, “Administrator” or “you”)
and
Email Machine s.r.o., with its registered office at Václavská 2073/20, Nové Město, 120 00 Prague 2, Company ID No.: 03568831, registered with the Municipal Court in Prague, file No. C 409739, represented by its managing director Michal Finta,
(also referred to as “Processor”, “Email Machine”, or “we”)
(The Processor and the Controller are hereinafter collectively referred to as the “Parties” and individually as the “Party”).
Why do we need a Processing Agreement? Because in providing our Service, we must process your personal data in accordance with the Terms and Conditions, of which this Processing Agreement is a part. Personal data means any information relating to an identified or identifiable natural person (e.g. name, date of birth, address, network identifier, etc.) (hereinafter referred to as “Personal Data”).
Why should you familiarise yourself with the Processing Agreement? Because it defines the conditions for the processing of your Personal Data, and by confirming the Terms and Conditions, you also conclude this Processing Agreement with us. If you have any questions regarding the processing of Personal Data, you can contact us at any time at dpo@emailmachine.cz.
On what basis are we concluding the Processing Agreement? Thanks to the Processing Agreement, the Contracting Parties may process Personal Data in accordance with legal regulations. In particular, pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as the “GDPR”), the Contracting Parties must, in accordance with Article 28 of the GDPR, set out the rules for processing in writing, which they do in this Processing Agreement.
INTRODUCTION AND BRIEF OVERVIEW OF THE CONTENTS OF THE AGREEMENT
What is the purpose of the Processing Agreement? By entering into this Processing Agreement as the Controller, you authorise us as the Processor to process Personal Data in connection with the provision of the Service. The purpose is to ensure the protection of Personal Data to the extent required by law. The scope of the Personal Data processed can be found in Appendix A to this Processing Agreement.
What services do we provide? Email Machine's services consist primarily of managing and creating email and other marketing campaigns, as defined in more detail in the Terms and Conditions.
What is the position of the Processor and the Controller? When using the Service, you provide us with personal data for which you are the Controller, which we then process on your instructions and to the extent you choose. When processing Personal Data, you are in the position of a Personal Data Controller under Article 4(7) of the GDPR, and Email Machine is in the position of a Processor under Article 4(8) of the GDPR.
What definitions do we use? The definitions of terms in the Terms and Conditions are also used in this Processing Agreement with the same meaning.
How long does the Processing Agreement last? This Processing Agreement is concluded for the duration of the contract in accordance with the Terms and Conditions.
When is the Processing Agreement concluded? The Processing Agreement is concluded upon completion of registration for the purpose of using the Service (conclusion of the agreement in accordance with the Terms and Conditions).
When can the Processing Agreement be terminated? The Processing Agreement may be terminated under the same conditions as the termination of use of the Service under the Terms and Conditions.
What are the effects of terminating the Processing Agreement? Termination of this Processing Agreement shall also result in the termination of the contractual relationship in the areas covered by this Processing Agreement, unless the Contracting Parties agree otherwise. Termination of the Terms and Conditions shall also terminate this Processing Agreement. However, termination of this Processing Agreement shall not affect the Processor's obligations regarding the transfer (return) of Personal Data to the Controller or its disposal and compliance with confidentiality of information.
What is the basic obligation of the Contracting Parties? Both the Controller and the Processor undertake to comply with the regulations governing the protection of Personal Data.
What about cooperation regarding personal data? The Controller and the Processor undertake to assist each other to the necessary and reasonable extent in fulfilling their obligations in the processing of personal data arising from mutually concluded contracts and legal regulations, in particular in connection with responses to the exercise of data subjects' rights, security incidents, and the preparation of impact assessments and negotiations with supervisory authorities. The Contracting Parties undertake to provide the necessary documentation for processing requests relating to the processing of Personal Data in accordance with the Terms and Conditions. Each Contracting Party shall provide such documentation without undue delay, but no later than 10 working days after receiving a request for cooperation from the other Contracting Party.
What to do in the event of a security breach? A Contracting Party that becomes aware of a security breach shall notify the other Party within 48 hours of becoming aware of it. A breach shall be understood to mean any case of a breach of security of Personal Data that could potentially lead to accidental or unlawful destruction, alteration or unauthorised provision or disclosure of Personal Data processed on the basis of the Agreement as amended by the Terms and Conditions.
How must the Processor restrict access to Personal Data? The Processor shall ensure that access to Personal Data is restricted only to (a) employees who process Personal Data as part of their job duties, and (b) persons who cooperate with the Processor and may process Personal Data for the Processor within the scope of such cooperation, in accordance with the terms and conditions of this Processing Agreement and for the purpose of providing the Services under the Agreement as amended by the Terms and Conditions. If these persons are not subject to a statutory duty of confidentiality, the Processor shall ensure their contractual confidentiality.
What measures must the Processor take? The Processor has adopted and undertakes to maintain, throughout the term of this Processing Agreement, appropriate technical and organisational measures in accordance with the GDPR applicable to the Processor. An overview of the measures adopted can be found in Appendix B to this Processing Agreement.
What are the obligations of the Processor? The Processor undertakes to:
when processing Personal Data, comply with all obligations arising for the Personal Data processor from relevant legal regulations;
process Personal Data exclusively on the basis of the Controller's instructions made in accordance with this Processing Agreement, including in matters concerning the transfer of Personal Data to a third country or international organisation;
notify the Controller without undue delay of any cases where the Office for Personal Data Protection or another administrative authority initiates an inspection or other administrative proceedings in relation to the processing of Personal Data by the Processor, and provide the Controller with all information about the course and results of such inspection or proceedings;
assist the Controller in ensuring compliance with the Controller's obligations regarding the security of Personal Data pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing to be carried out by the Processor;
allow the Controller to conduct internal audits, including inspections, carried out by the Controller or another auditor appointed by the Controller, provided that these are notified to the Processor one month in advance. The Processor may object to any auditor appointed by the Controller if they are not independent or are in a competitive or similar position to the Processor. Based on the objection raised by the Processor, the Controller is obliged to appoint another auditor;
report any breach of Personal Data security of which it becomes aware to the Controller without undue delay, no later than 48 hours from the moment it becomes aware of the breach. The minimum scope of this notification is specified in Article 33(3) of the GDPR;
keep records of all Personal Data breaches and corrective measures taken to ensure an appropriate level of processing security. The Processor is obliged to provide the Controller with all necessary cooperation in connection with the investigation of security breaches and the fulfilment of the Controller's obligations under Articles 33 to 34 of the GDPR;
assist the Controller in providing evidence of processes or documents that demonstrate that the Controller complies with the GDPR.
Who pays the costs in the event of an audit? The contracting parties have agreed that the Processor is entitled to reimbursement from the Controller for reasonable costs associated with providing cooperation in the performance of a personal data audit by the Controller.
What is the Processor's confidentiality obligation? The Processor undertakes to comply with the confidentiality obligation regarding all Personal Data provided by the Controller and will keep them secret, will not disclose them, will not make them available to third parties, either in whole or in part, unless they are to be transferred on the basis of the Controller's instructions or if required by law.
What is subject to trade secrets? All information and documents made available by the Processor to the Controller in connection with an audit or inspection form part of the Processor's trade secrets and, unless otherwise specified, are subject to the confidentiality requirements under this Processing Agreement. Such information and documents may only be disclosed to the competent supervisory authority.
On what basis is Personal Data processed? The Processor undertakes to fulfil its obligations regarding the protection of Personal Data for the entire duration of the Agreement, unless the provisions of the Agreement, this Processing Agreement or the relevant legal regulations stipulate that they shall continue to apply even after the Agreement has expired.
Who are the other processors involved? The Processor has also involved the following providers in the processing of Personal Data: Savvy s.r.o. (web services), INTERNET CZ, a.s. (web hosting services), WEDOS Internet, a.s. (web hosting services) and Master Internet, s.r.o. Details can be found in Appendix C to this Processing Agreement. If the Processor involves other processors, it shall inform the Controller of this change in advance by e-mail or in the application interface. If the Controller does not agree with the involvement of a new Processor, it may raise an objection within 5 days of receiving the Processor's notification. Raising an objection, and thus not involving a new (sub)processor, may result in the inability to use the Service.
What about processors with a business ID number at the Processor? The Controller expressly agrees to the involvement of other processors – programmers and other specialists of the Processor in the position of natural persons engaged in business who provide services to the Processor on the basis of a cooperation agreement.
What are the Processor's obligations in the event of termination of cooperation? The Processor undertakes that, in the event of termination of the provision of Services, it will delete all Personal Data and, at the request of the Controller, return it, including all copies, unless EU or Czech law requires its storage. In such a case, within three months of receiving the Controller's request, the data will be returned via secure storage specified by the Controller in its request, to which the Processor will be granted access. If, after three years from the end of the cooperation, the Controller does not give instructions to transfer the Personal Data, the Processor shall notify the Controller of the possibility of returning the data. If the Controller does not give instructions to transfer the data within one month of the notification, the Personal Data shall be deleted in accordance with its legal obligations.
When can data be requested back? The Controller may request the Processor to send the backed-up data in accordance with the Terms and Conditions, no later than 2 months after the deletion of the User Account. After this period, the Controller's data will be irretrievably deleted.
What if data could be transferred outside the European Union? In connection with the provision of Services, we may use or engage sub-processors who may be located outside the European Economic Area. In such a case, we will enter into a standard contractual clause with each such sub-processor to ensure an adequate level of protection of Personal Data in accordance with the GDPR. If such a sub-processor is involved, the transfer of data will be described in this Processing Agreement.
What legal system do we follow? The Processing Agreement is governed by and will be interpreted in accordance with the legal system of the Czech Republic, in particular the Civil Code and the GDPR. The Contracting Parties agree that commercial practices do not take precedence over any provisions of the law, not even those provisions of the law that are not mandatory (non-binding provisions).
Does force majeure apply to the Processing Agreement? The Processor shall not be liable for situations where it was unable to fulfil its obligations under the Processing Agreement due to an event referred to as force majeure (war, riots, terrorism, uprisings, strikes, fires, epidemics or natural disasters).
How can the Parties communicate? The Parties agree that their communication regarding the Processing Agreement (including security incident notifications) shall be conducted via the following email addresses:
Administrator: the email address with which the Administrator registered for the Service;
Processor: dpo@emailmachine.cz.
Can the Processing Agreement be assigned? Neither Party may assign or transfer the rights and obligations arising from or related to this Processing Agreement in any way without the prior written consent of the other Party.
Can we make updates and changes? The Processor reserves the right to amend or update this Processing Agreement. If we make changes that alter the rights and obligations under the Processing Agreement, you will be notified in a timely manner by email. By continuing to use the Service, you agree to the updated terms of the Processing Agreement. If you do not agree with the changes, please stop using the Service.
When does the Processing Agreement take effect? In this version, it takes effect on 1 January 2025.
Appendices. The following appendices form part of the Processing Agreement:
Appendix A: Nature, scope, duration and purpose of Personal Data processing;
Appendix B: Technical and organisational measures;
Appendix C: List of processors.
APPENDIX A
TO THE PERSONAL DATA PROCESSING AGREEMENT
NATURE, SCOPE, DURATION AND PURPOSE OF PERSONAL DATA PROCESSING
What is the nature of the processing? Personal data is processed automatically by the Processor’s systems used to provide the Service.
What is the purpose of processing? The purpose of processing is to enable the Controller to use the Service (performance of a contract).
What is the legal basis for processing? The legal basis for processing Personal Data in connection with the provision of the Service is the performance of a contract (as amended by the Terms and Conditions).
What is the scope of processing? Depending on how the Controller uses the Service, the following Personal Data may be processed in connection with the provision of the Service:
Contact details: Name, surname, e-mail, telephone number, address, date of birth, academic title, ID number, registered office, photograph or image of the person;
IP address, cookies, gender, purchase history, product viewing history, shopping cart contents, user activity on the Processor's website (web tracking, click rate, open rate, delivered emails, unsubscribed users, spam complaints, browser type, mailbox type);
Alternatively, other Personal Data processed exclusively on the instructions of the Controller, which the Controller considers necessary for the fulfilment of the purpose of the contract, or other data that can be attributed to the data subjects.
What are special categories of personal data? These are personal data that reveal racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, or the sex life or sexual orientation of a natural person. Genetic and biometric data are also considered special categories of data if they are processed for the purpose of uniquely identifying a natural person.
Do we process special categories of Personal Data? The Controller undertakes not to disclose to the Processor any Personal Data that falls within a special category of Personal Data within the meaning of Article 9 of the GDPR. Special categories of Personal Data may only be processed after express prior agreement with the Processor.
Who is the data subject? As a rule, this refers to the personal data of the Controller’s customers or clients, the Controller’s employees, and other cooperating persons, including suppliers, users of the Controller’s website, business partners, or their employees or representatives.
How long do we process Personal Data? Personal Data is processed for as long as the Contracting Parties are bound by the Agreement as amended by the Terms and Conditions, unless the agreement between the Contracting Parties or legal regulations stipulate a longer period.
APPENDIX B
TO THE PERSONAL DATA PROCESSING AGREEMENT
TECHNICAL AND ORGANISATIONAL MEASURES
What technical measures do we use? Security is very important to us, which is why we work continuously to protect your personal data. When choosing measures, we take into account the scope of processing, the riskiness of processing, and the state of our technology.
We use unique and strong passwords for access to each service individually;
We back up data regularly;
We update antivirus software systems;
We encrypt all data transfers using SSL (Secure Sockets Layer);
We use the secure HTTPS protocol;
Data stored on our servers is encrypted;
We develop technology with privacy by design in mind;
Access passwords to information systems (where Personal Data will be processed) and access authorisations are controlled at the individual level.
What organisational measures do we use? We have adopted and are committed to complying with the following measures:
Our employees and associates are bound by confidentiality;
Our employees and associates are properly trained in GDPR and familiarised with the rules of safe working on work equipment;
Our employees follow internal guidelines governing organisational measures for personal data protection;
When storing API keys, we remove authorisation data;
Access to all systems, including the information system, is personalised and protected by secure passwords; employees are required to have encrypted hard drives.
We store passwords in a separate location (Safe Store) in the operating environment, where logs are recorded so that we can control employees' access to individual Users' Personal Data.
APPENDIX C
TO THE PERSONAL DATA PROCESSING AGREEMENT
LIST OF PROCESSORS
Data processing
Processor: Savvy, Ltd.
Address: Cejl 825/20, Zábrdovice, 602 00 Brno
Company ID/registration number: 26944367
What is it used for? Web server administration
Where does it store data? EU
Transfer of data outside the EU (Article 44 GDPR) and reason for processing: Data is stored within the EU, so there is no transfer of data outside the EU.