Terms and conditions of Personal Data Processing – DATA PROCESSING AGREEMENT

according to Article 28 General Data Protection Regulation (EU) 2016/679

(the “Data Processing Agreement”)

1.1  Alma Career Czechia s.r.o., with its registered office at Menclova 2538/2, Libeň, 180 00 Prague 8, the Czech Republic, ID No. 264 41 381, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, Insert 82484, issues this Data Processing Agreement in the form of an Amendment to the General Terms and Conditions for Businesses (“GTC”) laying down the contractual relations between businesspersons and Alma Career entered into in connection with the use of Electronic Systems.

1.2  This Data Processing Agreement lays down the rights and obligations of Alma Career as the Processor and the Client as the Data Controller (jointly referred to as the “Parties”) in relation to the processing of personal data by Electronic Systems based on the GTC and the Agreement.

1.3  The services provided under the Agreement include activities during which personal data may be processed by the Processor for the Controller within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the General Data Protection Regulation) (“Regulation”).

1.4  The Parties intend to fulfil all their obligations arising out of the Regulation and any other local law adopted based on the Regulation, as the case may be (“Applicable Privacy Laws”).

1.5  Under Article 28 of the Regulation, the Controller is obliged to enter into a written agreement with the Processor concerning the processing of personal data, in which the Processor will, inter alia, provide sufficient guarantees to implement appropriate technical and organisational measures to ensure the protection of personal data.

1.6  The Parties enter into this Data Processing Agreement with a view to complying with their respective obligations under the Regulation and the Applicable Privacy Laws to ensure the protection of personal data processed by the Parties during the performance of the Agreement.

1.7  It is the Parties’ desire that this Data Processing Agreement should cover all the personal data processing activities performed by the Processor for the Controller in connection with the Services provided under any Agreement.

2.1  The Processor will process personal data for the Controller which the Controller has acquired or will acquire in connection with its business activities or which the Processor itself will acquire for the Controller for this purpose (“Personal Data”) in the course of provision of the Processor’s Services under the Agreement.

2.2  The purpose of this Data Processing Agreement is to define the scope of rights and obligations of the Parties during the processing of Personal Data. This Data Processing Agreement regulates the Parties’ rights and obligations in providing Services under Article 3.1 and applies separately to each Service provided under the Agreement.

2.3  Data Processing Agreement also defines the scope of the Personal Data to be processed, the purpose of their processing, and the conditions and guarantees to be provided by the Processor to implement appropriate technical and organisational measures to ensure the protection of Personal Data.

3.1  The Processor will process Personal Data according to the documented instructions of the Controller to the extent necessary to fulfil the Processor’s obligations under the Agreement and for the purpose of their use by the Controller for the Controller’s business, namely:

(a)  for management and record keeping of the personal data of the Controller’s job applicants and the Controller’s employees while managing the recruitment process (in particular, the Teamio, Jobs.cz, Práce.cz, Jobote and Práce za rohem / Praca za Rogiem, Techloop, Atmoskop services or any of them), and/or

(b)   education of the Controller’s employees through the Seduo service.

Note: Personal Data processing under this Data Processing Agreement takes place only in the scope of Services agreed in the Agreement.

3.2  The Processor will process the Personal Data of job applicants and the Controller’s employees or contractors (“Data Subjects”) within the following scope:

(a) Scope of Personal Data under Article 3.1(a) of the Data Processing Agreement

(b) Scope of Personal Data under Article 3.1(b) of the Data Processing Agreement

3.3  If the Controller provides the Processor with, or if in connection with the Processor’s activities performed for the Controller the Processor otherwise gains access to, any other Personal Data of Data Subjects or if Personal Data of other data subjects are provided to the Processor and at the same time, the Processor acts as a processor of such Personal Data for the Controller, the Processor is obliged to also process and protect that Personal Data in compliance with the requirements of (i) the Regulation (ii) the Applicable Privacy Laws, and (iii) this Data Processing Agreement.

3.4  The Processor will process the Personal Data of Data Subjects until the expiration of this Data Processing Agreement.

3.5  The processing of Personal Data hereunder shall not give rise to any additional fee in addition to the remuneration under the Agreement.

4.1  While processing Personal Data, the Processor shall act with due professional care to avoid any violation of the Regulation or the Applicable Privacy Laws.

4.2  If the Processor finds out about a breach of any of the Controller’s obligations under the Regulation, the Processor shall notify the Controller without undue delay.

4.3  While processing Personal Data, the Processor shall adhere to documented instructions from the Controller. The instructions shall be given in accordance with this Data Processing Agreement, mostly via features of the products/Services used under the Agreement. The instructions shall comprise updating, deleting, amending or other handling of Personal Data. No instruction of the Controller may result in an extension of any technical or organisational measures beyond the scope defined in this Data Processing Agreement. The Processor shall inform the Controller about an inappropriate instruction if the Processor, using its due professional care, could ascertain the inappropriate nature of the instruction. The Processor may at its sole discretion refuse to adhere to an instruction that would result in breaching the Regulation or Applicable Privacy Laws.

4.4  The Processor ensures that no Data Subject will suffer any damage to their rights, in particular the right to human dignity, and is also required to take protective measures against unauthorised interference with the private and personal lives of Data Subjects.

4.5  The Processor undertakes to fulfil the information obligation in accordance with Article 13 of the Regulation, unless the Agreement states otherwise for specific products.

4.6  If the Data Subject requests information regarding the processing of his/her data in accordance with Article 15 of the Regulation, the Processor will provide the Data Subject with identification of the Controller and will refer the Data Subject to exercise the right towards the Controller. The Processor will further proceed in accordance with the Controller’s written instructions.

4.7  The Processor shall notify the Controller of the investigation carried out by a relevant Supervisory Authority and of the result thereof, if it concerns Personal Data processed for the Controller or the parameters of the Service provided by the Processor to the Controller, and shall provide the Controller with information that the investigation carried out has affected such parameters. For the avoidance of doubt, requests from a relevant Supervisory Authority concerning the processing of personal data for which no proceedings - control or administrative - have taken place are not considered to be investigations carried out.

4.8  The Controller shall notify the Processor of any inspection or an initiation of administrative proceedings concerning imposing a remedial measure and/or imposing of a fine carried out by a relevant Supervisory Authority (“Administrative Proceedings”), insofar as the inspection or Administrative Proceedings concerns (i) Personal Data processed by the Processor for the Controller, or (ii) parameters of the Service provided to the Controller and if it is anticipated that carrying out of such an inspection or Administrative Proceeding may affect such parameters.

4.9  The Processor shall inform the Controller about any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal data transmitted, stored or otherwise processed (“Personal Data Breach”) without undue delay. After informing the Controller, the Processor shall provide the Controller with assistance in dealing with the Personal Data Breach and/or in adopting measures to mitigate any potential adverse effects and to prevent similar occurrences in the future.

4.10  The notification on Personal Data Breach must include at least:

(a)  a description of the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned,

(b)   a description of the likely consequences of the Personal Data Breach,

(c)  a description of the measures taken or proposed to be taken by the Processor to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

4.11  The Processor agrees to allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller acknowledges that carrying out such an audit may not affect third parties’ rights (e.g. other controllers or data subjects), in particular with respect to ensuring the confidentiality of personal data. The Controller also acknowledges that carrying out such an audit would be subject to a special agreement regarding costs incurred by the Processor which shall be paid by the Controller.

4.12  The Processor will assist the Controller in fulfilling the Controller’s obligation to respond to requests for the exercise of the rights of Data Subjects, especially to requests for access to, rectification or erasure of Personal Data, restriction of processing or portability of Personal Data; if it possible to fulfil such obligations via features of particular products or services, the Controller may not request unsubstantiated cooperation from the Processor.

4.13  The Processor agrees to assist the Controller in securing the obligations stipulated in the Regulation, in particular the obligation to secure the processing of Personal Data, report events of Personal Data Breach, secure data protection impact assessment or prior consultation with the Supervisory Authority, with regard to the nature of the processing and of the information available to the Processor.

5.1 Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor agrees under Article 32 of the Regulation, to implement all appropriate technical and organisational measures to ensure the protection of Personal Data in the manner described in the Regulation or other applicable laws to exclude the possibility of unauthorised or accidental access to Personal Data, their alteration, destruction or loss, unauthorised transfers, unauthorised processing, or any other misuse of Personal Data.

5.2 The Processor agrees to implement the following organisational and technical measures:

(a)   without prejudice to Article 5.3 of this Data Processing Agreement, if Personal Data are processed by the Processor’s own employees, the Processor will entrust this activity strictly to its selected employees who will be instructed to process Personal Data, duly advised of their confidentiality duty with regard to Personal Data as well as other obligations they are required to comply with so as not to infringe the Regulation or this Data Processing Agreement,

(b)  without prejudice to Articles 5.3 and 5.4, not to authorise any third person without prior written authorisation of the Controller to process Personal Data,

(c)  to use adequate technical equipment and programmes to exclude unauthorised or accidental access to Personal Data by any persons other than the Processor’s authorised employees,

(d)   to store Personal Data in duly secured buildings and rooms,

(e)   to store hard-copy documents containing Personal Data in a safe place, and to keep due records regarding any movements of such document,

(f)  to store Personal Data in electronic form on secure servers or data carriers (storages), access to which will only be granted to authorised persons on the basis of access codes or passwords, and to periodically back up the Personal Data,

(g)  to ensure that remote transfers of Personal Data will only be carried out by means of a non-public network or by secure transfer via public networks, in particular via network security communication protocol. Taking into account the nature, scope, context and the risks of varying likelihood and severity some of the Personal Data may be transmitted via e-mails,

(h)   to ensure by appropriate technical means the ability to restore the availability of and access to Personal Data in a timely manner in the event of a physical or technical incident in accordance to the parameters for the particular Service agreed upon in the Agreement,

(i) to ensure a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

5.3  The Processor may engage another processor (“Other Processor”) to process Personal Data (general authorisation). The Processor will inform the Controller by e-mail sent to the Controller's address (Article 7.1) and via https://almacareer.com/legal/cz/en/supplier-list (“Bulletin Board”) of any new Other Processors the Processor intends to engage for the processing of Personal Data or any intended changes concerning Other Processors. The Controller shall have the opportunity to object to the addition of a new Other Processors under the conditions of the Agreement. In case of objections, Article 17(3) of the GTC applies.

5.4  If the Processor engages an Other Processor for carrying out specific processing activities, the same data protection obligations as set out in this Data Processing Agreement must be imposed on that Other Processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the Regulation.

5.5  The Controller acknowledges that services provided by Other Processors listed in the Bulletin Board may include transferring of Personal Data outside of the EU/EEA. The Processor guarantees that any transfer of Personal Data to third countries will only take place under the conditions set out in Articles 44-49 of the Regulation. If the transfer tools for the transfer of Personal Data to a third country are modified, revoked or invalidated, the Processor undertakes to take such measures as are equivalent to those required by EU law; for the period necessary to take measures to ensure an adequate level of protection, the Controller waives its right to invoke a breach of the Contract or the Data Processing Agreement.

5.6  An up-to-date list of Other Processors, including any European Commission decision on adequate protection or appropriate safeguards in place, is available on the Bulletin Board which forms an integral part of this Data Processing Agreement.

5.7  The Processor is obliged to adopt and document the adopted and implemented technical and organisational measures to secure Personal Data in accordance with the Regulation and Applicable Privacy Laws.

6.1  This Data Processing Agreement becomes valid and effective on the date of conclusion of the Agreement and shall terminate no earlier than upon termination of the Agreement. If the Parties have entered, or will at any time in the future enter, into another agreement under which Personal Data can be processed, this Data Processing Agreement will expire simultaneously with the expiry of that other agreement or, as the case may be, simultaneously with the expiry of the last of such agreements.

6.2  The Controller may terminate this Data Processing Agreement by a 3-day notice if the Processor breaches any of its obligations under the Regulation or the Applicable Privacy Laws, and the Processor fails to remedy that breach within 15 days following a written request of the Controller.

6.3  The Processor may terminate this Data Processing Agreement by a 3-day notice if the Controller breaches its obligations under the Regulation or the Applicable Privacy Laws, and the Controller fails to remedy that breach within 15 days following the Processor’s notification under Article 4.2 of this Data Processing Agreement.

6.4  Unless the Agreement states otherwise for specific products, when the Agreement or this Data Processing Agreement terminates, the purpose of Personal Data processing otherwise expires, the consent (if applicable) is withdrawn by the Data Subject or the Data Subject makes a request under Article 17 of the Regulation, the Processor shall, according to the Controller’s instructions, destroy the Personal Data concerned, or transfer them to the Controller and destroy the Personal Data in its possession. The Controller’s instruction for the destruction or transfer of Personal Data must be delivered to the Processor at the latest as of the day of termination of the Agreement or this Data Processing Agreement, or, if such occurs prior to termination of the Agreement or the Data Processing Agreement, within 10 days after the Controller or Processor (whichever occurs later) is informed about the expiry of the purpose of Personal Data processing, withdrawal of the consent or delivery of the request under Article 17 of the Regulation, otherwise the Processor will destroy the Personal Data of the Data Subject on the day of termination of this Data Processing Agreement or the Agreement or upon the lapse of the aforementioned deadlines.

6.5  Upon termination of this Data Processing Agreement, the Processor shall comply with the Regulation and/or the Applicable Privacy Laws, particularly with regard to preventing any unauthorised use of Personal Data until their transfer by the Processor to the Controller in accordance with the Controller’s instructions or until their safe destruction by the Processor.

6.6  Termination of this Data Processing Agreement constitutes a fact which, depending on the Service provided, makes all or only some specific types of activities under the Agreement impossible.

6.7  The obligation to maintain confidentiality of Personal Data will survive termination of this Data Processing Agreement.

7.1  All notifications including Personal Data Breach notification may be delivered in person or by post to the address of the other Party's headquarters or e-mail:

The Controller’s e-mail: contact e-mail of the Main User, entered in the registration form provided by the Controller in the Electronic System, or contact e-mail of the Controller’s authorised employee given in the Seduo Administrator Account, or the contact e-mail specified in the Agreement, or another e-mail with the highest level of authorization within the specific service used.

The Processor’s e-mail: DPO-CZ@almacareer.com

7.2  The Controller may request a change of the address for the delivery of notifications by sending an electronic message to the Processor’s e-mail. The change of address shall be effective from the date of the confirmation sent by the Processor of receipt of the Controller's request.

8.1  Legal relations, obligations, rights and duties arising from this Data Processing Agreement, including amendments hereto, will be governed by and interpreted in accordance with the laws of the country in which the Processor has its registered office. The contractual matters between Controller and the Processor not expressly stipulated in this Data Processing Agreement are governed by the provisions of the GTC available at https://almacareer.com/legal/cz/en/general-terms-conditions.

8.2  An informative English translation of the GTC is available at https://almacareer.com/legal/cz/en/general-terms-conditions. In case of discrepancies between the English or other foreign language version, the Czech language version shall prevail.

8.3  If any provision of this Data Processing Agreement is held by a court of competent jurisdiction or any other authority to be invalid, ineffective, putative or unenforceable, such provision will be deemed to be deleted from this Data Processing Agreement and the remaining provisions of this Data Processing Agreement will continue in full force and effect, unless it can be assumed from the nature or content of that provision or the circumstances under which it was concluded that it cannot be severed from the rest of this Data Processing Agreement. In such case, the Parties will execute such amendments to this Data Processing Agreement to achieve the same or, if not possible, the closest possible effect to the effect of the original invalid, ineffective, putative or unenforceable provision.

8.4  The Parties agree to settle any dispute that may arise out of or in connection with the performance of this Data Processing Agreement amicably. If the Parties fail to settle a dispute amicably within 30 days, either of the Parties can refer the dispute to the competent court of law in accordance with applicable law.

8.5  The scope of processed Personal Data specified in Article 3.2 of this Data Processing Agreement may be extended or otherwise changed according to the functionality of the respective product without the need to conclude an amendment to this Data Processing Agreement or the GTC.

8.6  For purposes of execution of this Data Processing Agreement or any amendments thereto, the Parties agree that a contract is entered into only based on a full agreement on the wording of this Data Processing Agreement.

8.7  The terms not specified in detail herein have the meaning defined in the GTC or the Agreement.

8.8  This Data Processing Agreement is binding upon the Parties pursuant to the rules laid down in the GTC.

8.9  This Data Processing Agreement becomes valid and effective as of 1. 1. 2024.

Alma Career