ADDENDUM ON THE PROCESSING OF PERSONAL DATA
For the purposes of this Addendum:
Personal data controller | Konica Minolta IT Solutions Czech s.r.o., headquarters: U plynárny 1002/97, Michle, 101 00 Prague 10, ID No.: 25820826, VAT No.: CZ25820826, also referred to as “Controller”. |
Personal data processor | The Company, in its capacity as a supplier under the contract, referred to in this Addendum, also referred to as the “Provider”. |
The terms “controller”, “data subject”, “personal data”, “personal data breach”, “processing”, “processor” and “supervisory authority” | They have the same meaning as in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (also referred to as “GDPR”). |
Processing services | means the personal data processing services provided by the Provider to the Controller under the Contract and any related technical support insofar as it involves the processing of personal data. |
1. Subject matter and purpose of the Addendum
- The Provider shall perform services for the Controller in connection with the performance of the contract referred to in this Addendum (hereinafter referred to as the “Contract”). In the course of this activity, the Provider may have access to personal data and undertakes to process them only for the purposes for which they have been entrusted to it and only in accordance with the documented instructions of the Controller. The scope and purpose of the data processing to be carried out by the Provider are defined in the Contract and any amendments thereto. The responsibility for the lawful processing of personal data shall be borne by the Controller.
- The Parties enter into this Addendum to the Agreement (hereinafter referred to as the “Addendum”) for the purpose of modifying their rights and obligations under the legislation governing the protection of personal data. In the event of a conflict between the provisions of this Addendum and the Contract, the provisions of this Addendum shall prevail.
- The processing of personal data will be carried out for the duration of the Contract or until all personal data is deleted by the Provider, unless otherwise specified in other provisions.
2. Nature of the data processed, data subjects
- The Provider will process the Controller’s personal data manually and automatically for the purpose of providing processing services to the Controller. The personal data of the Controller may include, for example, name, surname, telephone number, e-mail, job title of the data subject or any other information, including information provided by the Controller from databases, necessary to fulfil the purpose of the processing services.
- The Controller’s personal data relates to the following categories of data subjects:
- the data subjects whose personal data the Provider collects when providing processing services; and/or
- data subjects whose personal data are transferred to the Provider in connection with the provision of processing services by, on the instructions of or on behalf of the Controller.
- Depending on the nature of the processing services, the above categories of data subjects may include:
- employees or other associates of the Controller,
- members of the Controller’s business bodies,
- customers or potential customers of the Controller.
- The Provider does not process special categories of personal data for the Controller pursuant to Article 9 of the GDPR.
3. Right of the Controller to issue instructions
- The Provider undertakes to collect, process or use personal data only in connection with the performance of the Agreement and only for the purpose and in the manner specified by the Controller.
- By accepting this Addendum, the Controller instructs the Provider to process the Controller’s personal data in accordance with generally binding legal regulations:
- to provide Processing Services;
- as evidenced by the use of Processing Services;
- as set out in the Contract, including this Amendment; and
- as evidenced by any other documented instruction from the Controller agreed by the Contractor for the purposes of this Addendum.
- If the Provider considers that the instructions issued by the Controller do not comply with the applicable legislation on personal data protection, the Provider is obliged to inform the Controller immediately. Thus, the Provider may postpone the execution of the instruction until the Controller confirms or changes the instruction in question. The Provider shall have the right to refuse to execute a manifestly unlawful instruction.
- The Provider shall be entitled to special compensation for any actions it performs on the instructions of the Controller outside the scope of the Contract and/or which are not a legal obligation of the Provider. Compensation shall be governed by the Provider’s applicable price list for services.
4. Provider’s security measures
- The Provider is obliged to implement and maintain the security measures listed demonstratively in Annex 1, which may be updated or modified from time to time, provided that the updates or modifications do not result in a reduction in the overall security of the processing of personal data.
- Dr. Frederike Rehker is the Data Protection Officer designated by the Provider. The Controller may address any questions regarding the processing of personal data by the Provider to the following email address: its@konicaminolta.cz
5. Rights and obligations of the Provider
- During the processing of personal data, the Provider shall take appropriate steps to ensure compliance with security measures by its employees, other collaborators or contractors to the extent appropriate to their activities.
- The Provider undertakes to inform the Controller immediately in writing of any personal data breach. The notification of a personal data breach must contain at least the following information:
- A description of the nature of the personal data breach, if possible indicating the categories and number of data subjects affected and the categories and number of personal data affected.
- A description of the measures and steps taken or proposed by the Provider to eliminate the breach and any measures leading to the reduction of adverse impacts.
- The Provider undertakes to immediately take the necessary measures to re-secure the personal data and mitigate any adverse effects on the data subjects, inform the Controller and request instructions on how to proceed.
- The Parties undertake to provide each other with all necessary cooperation in dealing with each other, with the Data Protection Authority (and its equivalent in other countries) or with other public authorities.
6. Rights and Obligations of the Controller
- The Controller is responsible for fulfilling all obligations in relation to the processing of the Controller’s personal data, in particular for properly informing data subjects about the processing of the Controller’s personal data, obtaining consent to the processing of the Controller’s personal data, if necessary, handling requests from data subjects regarding the exercise of their rights (such as the right to information, access, rectification, erasure, restriction of processing, objection, etc.). The Controller is also responsible for fulfilling all notification obligations to the supervisory authority in relation to the processing of the Controller’s personal data, in particular for reporting personal data breaches.
- The Controller is solely responsible for familiarizing itself with this Addendum and evaluating the security measures taken and the obligations of the Provider with respect to the Controller’s needs, in particular in relation to the Controller’s security obligations under generally binding legal regulations. For this purpose, the Controller may request various documents such as expert reports, certifications, results of internal audits, etc. Furthermore, the Controller shall have the right, as agreed by the parties, to personally check during normal working hours (with a minimum of three weeks’ notice) that the Provider has implemented technical and organisational measures or has had such implementation confirmed by a qualified third party that is not a direct competitor of the Provider. The Purchaser shall only carry out the inspection in the manner and to the extent strictly necessary and shall not unreasonably interfere with the Provider’s operational activities as part of the inspection activity. The costs of the audit and the Provider’s participation beyond what is strictly necessary shall be borne by the Controller.
- If the Provider, in the course of processing the Controller’s personal data, receives any request from the data subject in relation to the Controller’s personal data, the Provider shall inform the data subject to contact the Controller directly with the request. The Controller shall be responsible for handling such requests.
7. Provision of subcontractors
- The services provided under this Addendum and other related services may be performed in cooperation with another processor identified in Exhibit 2. Such processors shall be deemed to be approved by the Administrator.
- The Controller hereby grants the Provider general permission to involve another processor in the processing of personal data (Involvement of other processors in the processing), provided that the Controller complies with the obligations specified in this Addendum. The Provider shall immediately inform the Controller in writing of the appointment of the additional processor, who may comment on the Provider’s intention to do so by way of objection.
- The Provider undertakes to select a further processor to the best of its knowledge on the basis of qualification and reliability and to delegate to it the same obligations as those imposed on the Provider by this Addendum, and at the same time to ensure that the Controller is allowed to directly exercise the rights it is entitled to under this Addendum (in particular the right to carry out inspections and controls). In the event that the additional processor is located in a third country, the Provider must ensure that such additional processor complies with the required level of security of personal data (e.g. the contract will be covered by the Standard Data Protection Clauses).
- The involvement of other processors in the processing shall not be deemed to be the provision of a third party to perform such services, which are considered secondary by definition. Such services include, for example: mailing, transportation and delivery services, cleaning and telecommunications services that are not directly related to the services that the Provider performs for the Controller, as well as, for example, security services. Maintenance and testing services performed by the additional processor must be approved by the Controller if they are performed in connection with IT systems that are also used to perform services for the Controller.
- The Provider does not transfer data entrusted to it by the Controller to third countries in the context of processing.
8. Responsibility
- The Controller undertakes to be liable for claims brought against the Provider in connection with loss or damage to data suffered by the data subject as a result of prohibited or incorrect processing under data protection legislation, in the event that the incorrect or prohibited processing of data occurred on the basis of instructions issued by the Controller.
- Each Party undertakes to exempt the other Party from liability if the other Party concerned proves that it is not in any way responsible for the circumstances leading to the loss or damage suffered by the data subject.
9. Termination of the provision of processing services
- Upon termination of the provision of processing services, the Provider undertakes to return to the Controller all documents, data, electronic media and other data provided to the Provider or – if the Controller so wishes and EU law or Czech law does not require archiving – delete or destroy the personal data. This also applies to backups created by the Provider. The Provider undertakes to confirm in writing to the Controller upon request the deletion/destruction of all data and media concerned.
- The Provider’s obligation to treat confidentially the data it has learned in connection with the performance of the service under the Service Contract continues after the termination of the Contract. The obligations under this Addendum shall survive the termination of the Contract for so long as the Provider has in its possession the Personal Data it has collected or otherwise obtained on behalf of the Controller.
10. Final provisions
- This Addendum may be amended and supplemented only by written and numbered amendments signed by authorized representatives of both parties.
- The invalidity or unenforceability of any provision of this Amendment shall not invalidate the entire Amendment. In such a case, both parties shall make all necessary efforts to replace the invalid provision with a legally sound one.
- This Addendum and any disputes arising from it shall be governed by the relevant provisions of the Civil Code No. 89/2012 Coll., as amended, and other applicable laws of the Czech Republic.
——
Attachments:
Annex 1: Technical and organisational measures of the Provider
Annex 2: Approved additional processors
Annex 1: Technical and organisational measures of the Provider
1. Securing confidentiality
1. Physical access control
Measures to prevent unauthorised persons from accessing data processing systems are as follows:
- Definition of persons authorised to enter the Provider’s premises
- Keeping records of granting and withdrawing access to the Provider’s premises
- Access control via photo ID cards with PIN code
- Access control via personal chips
- Keeping records of server room entries
- Rules for entry of foreign persons into the Provider’s premises
- Separate areas with access for authorized persons only
- Video monitoring of separate areas and the interior of the building, including server rooms
2. Controlling access to systems
The following measures are taken to prevent unauthorised persons from accessing data processing systems:
- Access to the systems is only possible after authentication with an individual username and password
- Use of passwords with a minimum length of 8 characters meeting at least three of the four criteria (uppercase, lowercase, numeric, special character) and mandatory password changes every 90 days
- No password disclosure
- Record keeping on access allocation
- Restricting administrator access to a minimum
- Use of adequate firewall systems
3. Data access control
Unauthorised activities in data processing systems beyond the allocated permissions are prevented through access rights, the concept of needs-based authorisation and through their control:
- Restriction of access rights by area of activity
- Separation of organisational rights allocation from technical rights allocation
- Keeping records of changes in access rights
4. Separation control
- Defining different user profiles
- Specific access rights corresponding to data access requirements
- Separation of data from different applications using virtual machines (for individual applications)
5. Pseudonymization
- Within the meaning of Article 32, Section 1, letter a) GDPR and Article 25, Section 1 GDPR
2. Safeguarding integrity
1. Data transfer control
- Encryption of data transmission, particularly when transmitting over public networks (SSL, TLS)
- Permanent destruction of data, data media, including HDD printing equipment and hard copies in accordance with data protection and in accordance with the concept of protection categorization
2. Data input control
- Regular review and changes to access rights
- Keeping records of data processing (where possible and appropriate) to enable quick review and identification of whether and whose personal data has been recorded, changed or deleted (e.g. name records of the main ERP system)
- Recording and availability of activities in systems appropriate to the needs (e.g. log files)
- Explicit identification and marking of MFP/PP data storage devices
3. Availability and resilience: availability management and recovery capability
- Use of two certified IT centres that are located far apart to prevent service interruptions through mirroring (e.g. storage of duplicate data)
- Technical precautions in the form of early warning systems to protect against failures caused by fires, overheating, flooding and sources of uninterruptible power supply
- Measures to protect against power failures and current overload, e.g. uninterruptible power supply systems
- Scheduled execution of data backups and processes used for mirroring, if necessary
- Multi-layered antivirus/firewall architecture
- Centralised procurement of hardware and software
- Ability to recover in a timely manner (Article 32, Section 1, letter c) GDPR)
4. Order management
- Designation of the person responsible for data protection
- Service Level Agreements (SLAs) with external service providers
- Training of employees in the processing of personal data
- Mandatory consent of employees to confidentiality
5. Management of the organisation
- Continuous process control and, if necessary, adaptation of data protection measures
- Internal written rules governing the handling of data, including copying
- Data protection litigation process
- Conduct a risk assessment for each relevant process
- Conduct an impact assessment for each relevant process
- Implementation of the basic settings of the organization management in accordance with the legislation
- Incident management and response
Annex 2: Approved additional processors
In the event of the involvement of other processors, the Provider shall inform the Controller in accordance with the terms of this Addendum.