Data Processing on Behalf of the Client (Processor Agreement under Art. 28 GDPR)

17/07/2025

1. Provider

The Provider acts in relation to the Client’s data subjects as a Processor pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter "GDPR"). For this reason, the contractual relationship between the Provider and the Client in the provision of services is governed by the following:

a) The Provider has a general authorization to engage another processor (especially its subcontractors). If the Provider engages another processor, the Provider is obliged to impose the same obligations regarding personal data protection on this other processor in the contract or other legal act as are set out in these Terms and Conditions, and the Provider remains liable to the Client if the other processor fails to fulfill its obligations regarding personal data protection;

b) The Provider undertakes to process personal data only for the purposes of providing the services ordered by the Client. The subject of the personal data processing is the service that the Provider will provide to the Client;

c) The Provider processes personal data for the duration of the contractual relationship and for 6 months after its termination;

d) The Provider processes personal data to the extent necessary to achieve the agreed purpose, as processed by the Client. The Client may limit the scope of processed personal data. Unless expressly stated otherwise by the Client, the Provider does not process special categories of data. Personal data may only be processed to the extent necessary to achieve the purposes set out in letter g) of this section, in particular: (i) identification and contact data and other data related to accounting and business records; (ii) identification data and/or data related to the activities of the data subject and/or data necessary for the creation of a database and/or mailing list and/or such communication and/or other data related to the provision of agreed services depending on the type of service provided; (iii) other data necessary to achieve the purpose of processing;

e) Due to the nature of the services, the list of categories of data subjects may change. The Client maintains an up-to-date list of categories of data subjects. Categories of personal data include, among others, all natural persons whose personal data are processed in the provision of agreed activities and services, such as: (i) the Client’s customers; (ii) the Client’s employees; (iii) employees and statutory bodies of the Client’s business partners; (iv) persons whose personal data are in the database; (v) and other natural persons depending on the services provided;

f) The Provider performs processing operations with personal data necessary to fulfill the purpose of processing, in particular: collection, gathering, storage, database creation, and destruction under the conditions set out in these Terms and Conditions;

g) The Provider is obliged to process personal data only to the extent necessary to achieve the purpose of processing – provision of services and only on the basis of the Client’s instructions contained in the order and these Terms and Conditions, so that the processing corresponds to the usual way of providing services, including the transfer of personal data to an international organization. If personal data are transferred to an international organization under a special regulation or international treaty binding on the Slovak Republic, the Provider is obliged to notify the Client of this requirement before processing personal data, unless such notification is prohibited by a special regulation or international treaty binding on the Slovak Republic for reasons of public interest. The Provider is obliged to protect processed personal data against damage, destruction, loss, alteration, unauthorized access and disclosure, provision or publication, as well as against any other unlawful methods of processing;

h) The Provider declares that it guarantees the security of processed personal data, and when adopting technical and organizational measures to ensure the protection of the rights and personal data of the Client’s data subjects, especially against accidental or unlawful destruction, loss, alteration, or unauthorized provision of transmitted personal data, stored personal data, or otherwise processed personal data, or unauthorized access, it has taken into account the nature, scope, context, and purpose of personal data processing, the risks that may compromise the security of personal data protection, and their seriousness. The Provider undertakes to take all steps to ensure the highest level of security of the Client’s personal data, as well as to secure all data, database, and mail files of the Client against loss, damage, destruction, or any other unlawful processing;

i) The Provider is obliged not to provide personal data to third parties, not to use personal data for any purpose other than the agreed purpose, not to misuse them for its own benefit or the benefit of a third party, and not to handle personal data contrary to this section of the Terms and Conditions;

j) The Provider is obliged to ensure that the collected personal data are processed in a form enabling the identification of the Client’s data subjects only for the period necessary to achieve the purpose of processing;

k) The Provider undertakes to cooperate and provide the Client with assistance in ensuring the Client’s compliance with the obligations to respond to requests of the Client’s data subjects in exercising their rights under Chapter III of the GDPR, including informing the Client of any written request for access that may be delivered to the Provider in connection with the Client’s obligations under the GDPR, Act No. 18/2018 Coll. on the Protection of Personal Data and on Amendments and Supplements to Certain Acts (hereinafter "Personal Data Protection Act") and other related regulations, within 48 hours (excluding weekends and public holidays) from the date of delivery of the request by the Client;

l) The Provider undertakes to cooperate and provide the Client with assistance in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR, namely: i) ensuring the security of processing; ii) notifying the Client of any personal data breach; iii) if necessary, conducting a data protection impact assessment regarding the impact of processing on personal data protection; iv) consulting with the Office for Personal Data Protection of the Slovak Republic on the intention to carry out personal data processing if the data protection impact assessment shows that such processing would lead to a high risk if the Client does not take measures to mitigate this risk; v) The Provider undertakes to provide the Client with all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR and to provide the Client with assistance in the context of a personal data protection audit and control by the Client or an auditor appointed by the Client. The Client is obliged to notify the Provider of the audit at least 21 days before the planned audit date. The notification must include the subject of the audit, as well as the start date and duration of the audit. The audit must be carried out during the Provider’s working hours and must not unduly interfere with the Provider’s activities. The audit is carried out at the Client’s expense, and the Client shall also reimburse the Provider for all costs incurred by the Provider in connection with the audit;

m) The Provider is obliged to immediately notify the Client if, in the Provider’s opinion, any instruction given by the Client violates the GDPR, the Personal Data Protection Act, a special regulation, or an international treaty binding on the Slovak Republic concerning personal data protection. The Provider is obliged to immediately inform the Client if a data subject of the Client exercises their rights with the Provider. The Provider is obliged to inform the Client without delay, but no later than within 48 hours, if a personal data breach occurs;

n) The Provider undertakes, after the termination of the validity and effectiveness of the contractual relationship with the Client, at the Client’s decision, to delete personal data, unless a special regulation or international treaty binding on the Slovak Republic requires the retention of such personal data;

2. Information on Data Subject Rights:

The Client acknowledges that the person providing personal data (data subject) has, under Articles 15 to 22 and Article 34 of the GDPR, the following rights in relation to the Client (the Provider undertakes to provide the Client with assistance in fulfilling the rights of the data subject, without delay upon the Client’s request, but no later than within 7 days):

a) Right of access to personal data under Article 15 GDPR: The data subject has the right to obtain from the Client confirmation as to whether or not personal data concerning them are being processed. The data subject has the right to access such personal data and the information referred to in point 2 of this section;

b) Right to rectification of personal data under Article 16 GDPR: The data subject has the right to have the Client rectify without undue delay inaccurate personal data concerning them. Taking into account the purposes of the processing, the data subject has the right to have incomplete personal data completed;

c) Right to erasure of personal data under Article 17 GDPR: The data subject has the right to have the Client erase personal data concerning them without undue delay, if the data subject has exercised the right to erasure, if: i) the personal data are no longer necessary for the purpose for which they were collected or otherwise processed; ii) the data subject withdraws consent on which the processing is based, and there is no other legal ground for the processing; iii) the data subject objects to the processing and there are no overriding legitimate grounds for the processing, or the data subject objects to the processing for direct marketing purposes; iv) the personal data have been unlawfully processed; v) the erasure is required to comply with the GDPR, the Personal Data Protection Act, a special regulation, or an international treaty binding on the Slovak Republic; vi) the personal data were collected in connection with the offer of information society services;

d) Right to restriction of processing of personal data under Article 18 GDPR: The data subject has the right to have the Client restrict the processing of personal data if: i) the data subject contests the accuracy of the personal data, for a period enabling the Client to verify the accuracy of the personal data; ii) the processing is unlawful and the data subject opposes the erasure of the personal data and requests the restriction of their use instead; iii) the Client no longer needs the personal data for the purposes of the processing, but the data subject requires them for the establishment, exercise, or defense of legal claims; iv) the data subject has objected to processing, pending the verification whether the legitimate grounds of the Client override those of the data subject; v) the data subject whose processing of personal data is restricted must be informed by the Client before the restriction of processing is lifted. Under Article 19 GDPR, the Client is obliged, if the data subject so requests, to inform the data subject about the recipients to whom the Client has disclosed the rectification, erasure, or restriction of processing of personal data;

e) Right to data portability under Article 20 GDPR: The data subject has the right to receive the personal data concerning them, which they have provided to the Client, in a structured, commonly used, and machine-readable format and has the right to transmit those data to another controller;

f) Right to object to the processing of personal data under Article 21 GDPR: The data subject has the right to object to the processing of their personal data on grounds relating to their particular situation carried out on a legal basis because the processing of personal data is necessary for the performance of a task carried out in the public interest or because the processing is necessary for the purposes of the legitimate interests pursued by the Client or a third party, including profiling based on those provisions. The Client may no longer process the personal data unless the Client demonstrates compelling legitimate grounds for the processing which override the rights or interests of the data subject, or for the establishment, exercise, or defense of legal claims. The data subject has the right to object to the processing of personal data concerning them for direct marketing purposes, including profiling to the extent that it is related to such direct marketing;

g) Under Article 22 GDPR, the data subject has the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning them or similarly significantly affects them;

h) Under Article 34 GDPR, the data subject has the right to have the Client communicate to them without undue delay any personal data breach, if such a breach may result in a high risk to the rights of the natural person.

3. Breach of Obligation

The Processor is fully liable for any breach of any obligation arising from this Agreement as well as from the GDPR. If the Client is fined by the Office for Personal Data Protection of the Slovak Republic, the Processor is liable for such a fine to the extent that it was demonstrably and undoubtedly caused by the Processor.

4. Processing of Personal Data on Behalf of the Client

Since the Provider as a processor processes personal data on behalf of the Client, the Client hereby declares that the personal data of data subjects have been obtained in accordance with the applicable legislation of the state governing the relevant personal data processing. If the processing of personal data is governed by the GDPR, the Client declares that all personal data of data subjects have been obtained in one of the following ways:

a) Article 9(2)(a) GDPR – explicit consent of the data subject, or

b) Article 9(2)(b) GDPR – necessity of processing for the purposes of carrying out obligations and exercising specific rights in the field of employment law and social security and social protection law, if permitted by Union or Member State law or by a collective agreement under Member State law providing for appropriate safeguards for the fundamental rights and interests of the data subject, or

c) Article 9(2)(e) GDPR – processing relates to personal data which are manifestly made public by the data subject, or

d) Article 9(2)(f) GDPR – processing is necessary for the establishment, exercise, or defense of legal claims.

The Client hereby declares that they are liable for any damage that may arise to the Provider as a result of the Client’s unlawful acquisition of personal data and their subsequent provision to the Provider as a processor under this contractual relationship.

5. Subject of Personal Data Processing

The subject of personal data processing is (i) the category of "standard" personal data (in particular: name and surname, residential address, telephone number, email address, ID card number, personal identification number, location data (e.g., GPS), IP address (if linked to a specific person), employment data, education, work history) and (ii) the category of "sensitive" data (biometric data).

6. Disclosure of Personal Data

The Client is responsible if they disclose the personal data of data subjects to third parties and persons (either by disclosing the name and password to the Provider’s platform or by creating an account on the Provider’s platform for third parties), and is obliged to obtain all necessary consents of the data subjects for such disclosure, if required, and at the same time is obliged to proceed in accordance with the relevant legislation when making such disclosure.

7. Processing of the Client’s Data

a) If the Provider acts as a controller and the Client as a data subject, the Client hereby consents to the processing of the following data: (i) the category of "standard" personal data (in particular: name and surname, residential address, telephone number, email address, ID card number, personal identification number, location data (e.g., GPS), IP address (if linked to a specific person), employment data, education, work history) and (ii) the category of "sensitive" data (biometric data).

b) All provisions of these Terms and Conditions on Data Processing on Behalf of the Client apply accordingly to the processing of personal data under this section.