Scope and roles of the parties
This Data Processing Agreement (the "DPA") forms part of the agreement between the customer (the "Controller") and Alpha Analytics s.r.o. (the "Processor") for the use of the Carsdata.com services (the "Services"). It governs the processing of personal data that the Processor carries out on behalf of the Controller and applies whenever such processing is subject to Regulation (EU) 2016/679 (the "GDPR").
The Controller determines the purposes and means of the processing of personal data and is responsible for the lawfulness of that processing. The Processor processes personal data only on behalf of, and on the documented instructions of, the Controller. Where the Processor determines the purposes and means of processing for its own activities, it acts as a controller and that processing is governed by the Privacy Policy rather than by this DPA.
In the event of any conflict between this DPA and the rest of the agreement between the parties in relation to the processing of personal data, this DPA prevails.
Definitions
Terms such as "personal data", "processing", "controller", "processor", "sub-processor", "data subject", "personal data breach" and "supervisory authority" have the meanings given to them in the GDPR. "Applicable data protection law" means the GDPR and any other data protection or privacy laws applicable to the processing of personal data under the agreement.
Subject matter, duration, nature and purpose of processing
The subject matter of the processing is the provision of the Services. The Processor processes personal data for the duration of the agreement and for as long afterwards as required to comply with its legal obligations or as otherwise set out in this DPA.
The nature and purpose of the processing is the operation and provision of the Services to the Controller, including hosting, storage, analysis and the technical operations necessary to make the Services available. The Processor processes the categories of personal data and data subjects that the Controller submits to, or makes available through, the Services — typically the identification and contact details of the Controller’s representatives and authorised users, and any personal data contained in the records the Controller chooses to process through the Services.
Obligations of the Processor
The Processor undertakes to:
- process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country, unless required to do so by law — in which case the Processor will inform the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest;
- immediately inform the Controller if, in its opinion, an instruction infringes applicable data protection law;
- ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- implement and maintain the technical and organisational security measures described in this DPA;
- respect the conditions for engaging sub-processors set out in this DPA;
- assist the Controller, taking into account the nature of the processing, in responding to requests from data subjects exercising their rights;
- assist the Controller in ensuring compliance with its obligations regarding security of processing, breach notification, data protection impact assessments and prior consultation, taking into account the nature of processing and the information available to the Processor;
- at the choice of the Controller, delete or return all personal data after the end of the provision of the Services, and delete existing copies unless retention is required by law;
- make available to the Controller the information necessary to demonstrate compliance with the obligations of a processor, and allow for and contribute to audits as set out in this DPA.
Obligations of the Controller
The Controller is responsible for ensuring that it has a valid legal basis for the processing of personal data through the Services, that it has provided any notices and obtained any consents required from data subjects, and that its instructions to the Processor comply with applicable data protection law. The Controller must not submit any personal data through the Services that it is not entitled to process.
Confidentiality
The Processor treats all personal data as confidential and ensures that access is limited to those personnel who need it to provide the Services. Such personnel are bound by written confidentiality obligations and receive appropriate data protection and security training.
Security of processing
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of data subjects, the Processor implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures are described in the Security overview and include, as appropriate, the encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems, the ability to restore availability and access in a timely manner following an incident, and a process for regularly testing and evaluating the effectiveness of those measures.
Sub-processors
The Controller grants the Processor general authorisation to engage sub-processors to support the provision of the Services (for example, cloud infrastructure and storage providers). The Processor maintains an up-to-date list of sub-processors and informs the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object on reasonable data protection grounds.
The Processor imposes on each sub-processor, by way of a contract, data protection obligations that are no less protective than those set out in this DPA, and remains fully liable to the Controller for the performance of each sub-processor’s obligations.
Assistance with data subject rights
Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests by data subjects exercising their rights of access, rectification, erasure, restriction, portability and objection. Where the Processor receives a request directly from a data subject, it will, without undue delay, forward the request to the Controller and will not respond to it itself unless instructed to do so by the Controller.
Personal data breach notification
The Processor notifies the Controller without undue delay after becoming aware of a personal data breach affecting personal data processed on behalf of the Controller. The notification includes, to the extent available, a description of the nature of the breach, the likely consequences, the measures taken or proposed to address it, and a point of contact for further information. The Processor assists the Controller in meeting its own breach notification and communication obligations to supervisory authorities and data subjects.
Data protection impact assessments
The Processor provides reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities that the Controller reasonably considers to be required under Articles 35 or 36 of the GDPR, in each case solely in relation to the processing of personal data by the Processor on behalf of the Controller and taking into account the information available to the Processor.
International data transfers
The Processor primarily processes and stores personal data within the European Union / European Economic Area (the "EEA"). The Processor does not transfer personal data to a country outside the EEA that does not benefit from an adequacy decision unless it has put in place an appropriate transfer mechanism recognised under the GDPR, such as the European Commission’s Standard Contractual Clauses, together with any supplementary measures necessary to ensure an adequate level of protection.
Audits and inspections
The Processor makes available to the Controller the information reasonably necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor mandated by it. Audits are conducted on reasonable prior notice, during normal business hours, no more than once per year (save where required by a supervisory authority or following a personal data breach), and in a manner that does not disrupt the Processor’s operations or compromise the confidentiality of other customers’ data. The Processor may satisfy audit requests by providing relevant third-party audit reports or certifications where available.
Return and deletion of data
On termination or expiry of the Services, the Processor will, at the choice of the Controller, delete or return all personal data processed on behalf of the Controller and delete existing copies, unless applicable law requires continued storage. Standard system backups are deleted in accordance with the Processor’s documented retention cycle.
Liability, term and governing law
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the agreement between the parties. This DPA takes effect on the effective date of the agreement and remains in force for as long as the Processor processes personal data on behalf of the Controller. This DPA is governed by the law of the Czech Republic, unless the agreement between the parties specifies otherwise, and without prejudice to the mandatory provisions of the GDPR.
To request a countersigned copy of this DPA, or to discuss specific data protection arrangements, contact us at info@carsdata.com.
- Registered office: Gustav Mahlerplein 2, 1082 MA Amsterdam, Netherlands
- Company ID (IČO): 228 01 154
- Commercial register: Krajský soud v Ústí nad Labem (Regional Court in Ústí nad Labem), File No. C 32406
- Contact: info@carsdata.com