1.1. This document lays down the rights and liabilities of the Provider (hereinafter also the “Processor”) and the User (hereinafter also the “Controller”) related to use of the Beecom Service, and services related, all in compliance with applicable effective data protection legislation, including but not limited to the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter also just “GDPR”).
1.2. Capitalized terms have the same meaning as in the General Business Terms and Conditions (hereinafter also just “GTC”), unless explicitly stated otherwise.
2.1. In connection with use of the Service the Processor shall process entrusted data on the basis of the Controller's instruction.
2.2. The subject of the processing shall include operations related to the Service provision and operation and to the web site operated by means of the Service.
2.3. The period of processing shall start at the moment when the Data are made available by the Controller to the Processor and shall continue throughout the Service Period until the Data migration after the Contract termination at the latest.
2.4. The processing shall be done by electronic operations consisting in Personal Data storage and combinations and further processing.
2.5. The purpose of the processing shall be web site operation, including further purposes following from the Contract.
2.6. The Processor shall process Personal Data in the scope in which the Data are made available by the Controller, i.e. including special categories of Personal Data. The Processor shall process Personal Data of the following categories of data subjects: customers or business partners of the Controller, as well as other individuals whose personal data shall be processed by means of the web site.
3.1. The Processor hereby agrees to only process the Personal Data according to explicit instructions of the Controller given by e-mail, via the HelpDesk or in another documented manner.
3.2. Considering the method of the Service provision the instruction shall also include Personal Data placement in the Service.
4.1. The Processor shall keep confidential all circumstances concerning Personal Data processing in compliance with section 17.1 of the GTC.
4.2. The Processor hereby agrees to bind all its employees and other individuals who may be granted access to the Personal Data with the same confidentiality commitment.
5.1. The Controller hereby agrees that the Processor shall use further processors (sub-processors) for the Personal Data processing. The list of these sub-processors can be found on the web here.
5.2. The Controller generally grants the Processor permission for the involvement or replacement of any sub-processor. The Processor hereby agrees to provide the Controller with an adequate deadline for voicing justified objections against any changes in the list of sub-processors employed by the Processor.
5.3. In the case of any sub-processor involvement the Processor shall bind the new sub-processor with confidentiality commitments similar to its own.
6.1. The Processor hereby confirms to have taken adequate security measures in the form of technical and organizational measures, including but not limited to appropriate de-personalization and encoding of the Personal Data, assurance of permanent confidentiality, integrity, accessibility and resilience of the system and services of Personal Data processing. The Processor further claims to have implemented measures with the help of which the Processor shall be able to timely renew availability and accessibility of the Personal Data, and to have instituted a process of periodic testing, assessment and evaluation of the adopted technical and organizational measures for Data processing security assurance.
7.1. The Processor hereby agrees to provide the necessary assistance to the Controller in connection with:
7.1.1. Responses to data subjects' rights applications, as far as practicable;
7.1.2. Assurance of the Controller's compliance with Articles 32 to 36 of GDPR in the necessary scope with consideration of the nature of the processing and the information available to the Processor.
7.2. To avoid any doubt, the Processor hereby agrees to provide this assistance in the framework of User Support.
8.1. The Processor hereby agrees to provide the Controller with the necessary information and documentation proving its compliance with its liabilities following from these Conditions for the purpose of documentation of compliance with the liabilities laid down by Article 28 of GDPR, using the procedure pursuant to Art. 7 of GTC. The Controller can do this once per calendar year, or more often in the case of a proven circumstance suggesting that the Processor has violated its contracted liabilities following to it from these Conditions.
8.2. The Controller (or its authorized third-party representative) shall be entitled to audit the Processor with regard to compliance with the liabilities pursuant to section 8.1 hereof once per calendar year if the procedure pursuant to section 8.1 hereof reveals that the Processor has committed gross breach of its liabilities pursuant hereto. The Contracting Parties have agreed on the following solution procedure:
8.2.1. The Controller hereby agrees to first ask the Processor in writing to clarify and document adoption of adequate measures for prevention or mitigation of impact of the gross breach;
8.2.2. The Processor hereby agrees to deliver the clarification to the Controller within an adequate deadline with a description of the situation and its clarification, and with a specification of the adopted technical and organizational measures against its recurrence, where applicable.
8.2.3. If the Processor fails to respond or the matter is not satisfactorily clarified, or in the case of the gross breach causing actual damage to the affected data subjects' rights, the Controller shall deliver to the Processor a request for access for the purpose of audit with a proposal of the date of the audit which shall not be shorter than 21 calendar days from the request delivery.
8.2.4. The Processor hereby agrees to confirm the Controller-proposed audit date or to propose another suitable date which shall not be later than within 14 days from the date originally proposed by the Controller. If the Processor fails to respond to the Controller's request then the Processor shall be deemed to agree with the original audit date proposed by the Controller.
8.3. On the day of the audit the Processor hereby agrees to provide the Controller with access to its premises and printed and electronic documents proving compliance herewith. To avoid any doubt, the Contracting Parties have agreed that the Processor shall not be liable to provide access to spaces and documents where the access might compromise security, and exclude documents and materials containing the Processor's business secret from the audit.
8.4. The audit costs shall be borne by the Controller and the Processor may request refund of purposefully incurred related costs.
9.1. The Processor hereby agrees that after the Contract termination the Controller shall be permitted return migration of the Personal Data and that the Processor shall erase all copies of the processed Personal Data after their successful migration back to the Controller's systems.
10.1. These Conditions shall be governed by the Contract and the GTC.
10.2. Where the EU legal regulations or the GDPR do not apply to the Personal Data processing pursuant to the Contract and the GTC the provisions of Articles 7 and 8 hereof shall not apply either.
10.3. These Conditions come into effect as of 1 June 2019.