Legal Documentation

Data Processing.

Data Processing Agreement (DPA) and technical standards.

This Data Processing Agreement (hereinafter referred to as the “DPA”) is entered into by and between tiketo (tiketo Solutions, s.r.o., Jeremenkova 88, Podolí, Prague 4, 140 00, Czech Republic, ID No.: xxxxxxx, registered under file C xxxxxxxx with the Municipal Court in Prague, or Prague Media Boutique s.r.o., Jeremenkova 88, Podolí, Prague 4, 140 00, Czech Republic, ID No.: xxxxxxx, registered under file C xxxxxxxx with the Municipal Court in Prague, or any other company within the tiketo group with which you have entered into a contract) and the Client as of the Effective Date indicated in the Order Form, establishing specific terms of cooperation between the Provider and the Client concerning the processing of personal data. All capitalized terms not defined herein shall have the meaning given to them in the Agreement, where relevant.

1. Data Protection

1.1

Agreement

“Agreement” means this DPA and any Order Form referring to this DPA, including, without limitation, the Provider’s main service agreement and any annexes, service descriptions, statements of work, appendices, or amendments thereto, either attached hereto or incorporated by reference.

1.2

Definitions

For the purposes of this clause, the following terms shall have the following meanings: (a) “Controller,” “Processor,” “Data Subject,” “Personal Data,” and “Processing” (and “Process”) shall have the meanings assigned to them by the Relevant Data Protection Law; and (b) “Relevant Data Protection Law” means Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (General Data Protection Regulation), along with any other applicable local data protection laws.

1.3

Parties’ Relationship

The Controller appoints the Processor to process the personal data subject to the Agreement between the parties (hereinafter referred to as “Data”). Each party shall comply with the obligations applicable to it under the Relevant Data Protection Law.

1.4

Prohibited Data

The Controller shall not provide (and shall not instruct the Data Subject to provide) any special categories of Data for processing unless expressly listed in Annex A.

1.5

Purpose of Processing

The Processor shall process the Data as a Processor for the purposes described in Annex A and strictly in accordance with the Controller’s documented instructions (hereinafter the “Permitted Purpose”), unless otherwise required by EU (or EU Member State) law. Under no circumstances shall the Processor process the Data for its own purposes or for the purposes of any third party. If the Processor becomes aware that the Controller’s instructions violate Relevant Data Protection Law, the Processor shall immediately inform the Controller (without any obligation to actively monitor the Controller’s compliance with the Relevant Data Protection Law).

1.6

International Transfers

The Processor shall not transfer the Data (nor permit the Data to be transferred) outside the European Economic Area (“EEA”) unless (i) it has obtained prior written consent from the Controller and (ii) it has taken necessary measures to ensure that the transfer complies with the Relevant Data Protection Law.

1.7

Confidentiality of Processing

The Processor shall ensure that any person it authorizes to process the Data (including the Processor’s employees, agents, and subcontractors) (hereinafter the “Authorized Person”) is subject to a strict duty of confidentiality.

1.8

Security

The Processor shall implement appropriate technical and organizational measures to protect the Data.

1.9

Subprocessing

The Processor shall not subcontract any processing of the Data to a third party without the prior written consent of the Controller.

1.10

Assistance and Data Subject Rights

The Processor shall provide the Controller with reasonable assistance to ensure responses to Data Subjects’ requests.

1.11

Data Protection Impact Assessment

If the Processor becomes aware that its processing of the Data may pose a high risk to the Data Subjects’ rights, it shall inform the Controller thereof.

1.12

Security Incidents

Upon becoming aware of a security incident, the Processor shall promptly inform the Controller and provide the necessary information for reporting the breach.

1.13

Data Deletion or Return

Upon termination of the Agreement, the Processor shall, at the Controller’s choice, delete or return all Data.

Annex A: Description of Data Processing

The Controller is the Processor’s customer, providing Data for the Processor to deliver services under the Agreement. The Processor is a software company providing SaaS services for the issuance and management of virtual cards in mobile wallets and for other purposes agreed by the Parties.

Categories of Data

Personal Data includes identifying information of virtual card users (e.g., name, address, email), electronic identification data, and descriptive information defined by the Controller. The services are not intended to process sensitive information, such as health data.

Processing Operations

Personal Data shall be subject to the following core processing operations: operations necessary for providing the Services, including hosting, storage, access provisioning, and application of analytical functionalities.

List of Subprocessors

1. Amazon Web Services, Inc.

Purpose: Server infrastructure, web services, data storage
Location: 2021 Seventh Ave., Seattle, Washington 98121, USA

2. tiketo Solutions s.r.o.

Purpose: IT solution provider, helpdesk subcontractor
Location: Jeremenkova 763/88, Podolí, Prague 4, 140 00, Czech Republic
