PERSONAL DATA PROCESSING AGREEMENT
APPENDIX NO. 1 TO THE TERMS AND CONDITIONS OF THE RETINO SERVICE
(hereinafter referred to as the "Data Processing Agreement") concluded between:
You, who have decided to use the Retino service;
(hereinafter referred to as the "Controller" or "you")
and
Retino.cz s.r.o., Company ID: 06222234, with registered office at Klimentská 1746/52, Nové Město, 110 00 Prague 1, registered in the commercial register maintained by the Municipal Court in Prague, file ref. C 278391,
(hereinafter referred to as the "Processor", "Retino", or "we")
(the Processor and the Controller hereinafter collectively referred to as the "Contracting Parties" and individually as the "Contracting Party").
If you use the Retino service (hereinafter referred to as the "Service"), Retino will be the processor of the Personal Data that you entrust to us. The Service is provided on the basis of the Terms and Conditions for the provision of the Retino service (hereinafter referred to as the "Terms"). By entering into the Agreement, you confirm that you have read and agree to the Data Processing Agreement, and it is legally binding for you. This Data Processing Agreement applies to all users who have access to or use the Service.
Please read this Data Processing Agreement carefully, which defines the conditions for the processing of Personal Data under which the Service is provided. If you have any questions regarding the processing of Personal Data, you can contact us at any time at support@retino.com.
The Contracting Parties process Personal Data in connection with the concluded Agreement in accordance with legal regulations, in particular in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council (hereinafter referred to as "GDPR"). According to the GDPR, the Contracting Parties must set out the rules of processing in writing, which they do in this Data Processing Agreement.
Subject and purpose of the Data Processing Agreement. By entering into this Data Processing Agreement, as the Controller you authorize the Processor to carry out the processing of Personal Data for you in connection with the provision of the Service. The aim is to ensure the protection of Personal Data to the extent required by legal regulations. The scope of processed Personal Data can be found in Appendix A of this Data Processing Agreement.
Retino Service. The Retino Service consists primarily of providing services to facilitate the complaints process, providing access to software for managing return processes and other services, as further defined in the Terms.
What the position of Processor and Controller means. When using the Service, you provide us with Personal Data of which you are the Controller, which we subsequently process on your instructions and to the extent you have chosen. When processing Personal Data, you are in the position of the Controller of Personal Data pursuant to Article 4(7) of the GDPR and Retino is in the position of the Processor pursuant to Article 4(8) of the GDPR.
Written form. Pursuant to Article 28 of the GDPR, the Contracting Parties set out the rules of processing in writing in this Data Processing Agreement.
Definitions. The definitions of terms in the Terms shall be adopted with the same meaning in this Data Processing Agreement.
Duration of the Terms. This Data Processing Agreement is concluded for the duration of the Agreement under the Terms.
Moment of conclusion and termination of the Data Processing Agreement. The Data Processing Agreement is concluded at the moment of completion of registration for the purpose of using the Service (conclusion of the Agreement). The Data Processing Agreement may be terminated under the same conditions as the termination of the use of the Service under the Terms.
Effects of termination. Termination of this Data Processing Agreement also results in the termination of the contractual relationship in the areas to which this Data Processing Agreement relates, unless the Contracting Parties agree otherwise. Termination of the Terms also terminates this Data Processing Agreement. However, the termination of this Data Processing Agreement does not affect the Processor's obligations in transferring (returning) Personal Data to the Controller or their destruction and the maintenance of confidentiality of information.
Lawfulness of processing. The Controller and the Processor undertake to comply with the regulations governing the protection of Personal Data.
Cooperation. The Controller and the Processor undertake to assist each other to the necessary and reasonable extent in fulfilling obligations in the processing of Personal Data arising from mutually concluded agreements and legal regulations, in particular in connection with responses to the exercise of data subjects' rights, security incidents, and also with the preparation of impact assessments and dealings with supervisory authorities. The Contracting Parties undertake to provide the necessary documents for processing a request relating to the processing of Personal Data under the Terms. The Contracting Party shall provide these documents without undue delay, but no later than within 10 working days of receiving the request for cooperation from the other Contracting Party.
Incident. The Contracting Party shall notify the other party that it has become aware of a security breach within 48 hours of becoming aware of the breach. A breach shall be understood as any case of a breach of the security of Personal Data that could potentially lead to the accidental or unlawful destruction, alteration or unauthorized provision or disclosure of Personal Data processed under the Agreement as amended by the Terms.
Access restriction. The Processor shall ensure that access to Personal Data is restricted only to (a) employees who process Personal Data as part of their job duties, and (b) persons who cooperate with the Processor and may process Personal Data for the Processor within the scope of such cooperation, in accordance with the terms of this Data Processing Agreement and for the purpose of providing Services under the Agreement as amended by the Terms. If these persons are not subject to a statutory duty of confidentiality, the Processor shall ensure their contractual confidentiality.
Processor's commitment regarding adopted measures. The Processor has adopted and undertakes to maintain appropriate technical and organizational measures pursuant to the GDPR throughout the duration of this Data Processing Agreement, which apply to the Processor. An overview of adopted measures can be found in Appendix B of this Data Processing Agreement.
Processor's commitment. The Processor undertakes to:
comply with all obligations arising for processors of Personal Data from relevant legal regulations when processing personal data;
process Personal Data exclusively on the basis of the Controller's instructions made pursuant to this Data Processing Agreement, including on matters of transferring Personal Data to a third country or international organization;
notify the Controller without undue delay of cases where a review or other administrative proceedings relating to the processing of Personal Data by the Processor are initiated by the Office for the Protection of Personal Data or another administrative body, and provide the Controller with all information about the progress and results of such review or proceedings;
assist the Controller in ensuring compliance with the Controller's obligations regarding the security of Personal Data pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing to be carried out by the Processor;
allow the Controller to conduct internal audits, including inspections, carried out by the Controller or another auditor appointed by the Controller, provided that these are notified to the Processor one month before they take place; the Processor may raise objections against any auditor appointed by the Controller if the auditor is not independent or is in a competitive or similar position vis-à-vis the Processor. On the basis of the Processor's objection, the Controller is obliged to appoint another auditor;
report to the Controller any breach of the security of Personal Data of which it becomes aware, without undue delay, no later than within 48 hours of becoming aware of the security breach. The minimum scope of this notification is set out in Article 33(3) of the GDPR;
maintain records of all breaches of Personal Data security and corrective measures taken to ensure an adequate level of processing security. The Processor is obliged to provide the Controller with all necessary cooperation related to the investigation of security breaches and the fulfilment of the Controller's obligations under Articles 33 to 34 of the GDPR;
assist the Controller in demonstrating processes or documents that prove that the Controller complies with the GDPR.
Reimbursement of costs. The Contracting Parties have agreed that the Processor is entitled to reimbursement of reasonable costs associated with the provision of cooperation from the Controller.
Processor's confidentiality. The Processor undertakes to maintain confidentiality regarding all Personal Data provided by the Controller, and shall keep them secret, shall not disclose them, shall not make them accessible to third parties, either in whole or in part, unless they are to be transferred on the basis of the Controller's instructions, or if so required by legal regulations.
Trade secrets. All information and documents that the Processor makes available to the Controller in connection with an audit or inspection constitute part of the Processor's trade secrets, and unless otherwise provided, are subject to the confidentiality requirements under this Data Processing Agreement. Such information and documents may only be disclosed to the competent supervisory authority.
Lawfulness of processing. The Processor undertakes to fulfil its obligations relating to the protection of Personal Data throughout the duration of the Agreement, unless the provisions of the Agreement, this Data Processing Agreement or relevant legal regulations provide that they are to continue even after the expiry of its effectiveness.
Engaged processors and engagement of a new processor. The Processor has further engaged providers (sub-processors) in the processing of Personal Data, who are listed in Appendix C. If the Processor engages other processors, it shall inform the Controller before such change by e-mail or directly in the Application. If the Controller does not agree with the engagement of a new processor, the Controller may file an objection no later than within 5 days of receiving the Processor's notification. Filing an objection, and thus not engaging a new (sub-)processor, may result in the inability to use the Service.
Programmers and other specialists of the Processor. The Controller expressly agrees to the engagement of additional processors – programmers and other specialists of the Processor in the position of self-employed natural persons who provide services to the Processor on the basis of a cooperation agreement.
Processor's obligation in case of termination of cooperation. The Processor undertakes that in the event of termination of the provision of Services, it shall delete all Personal Data and, at the Controller's request, return them, including all copies, unless EU or Czech law requires their storage. If the Controller so requests, the Processor shall ensure that all regularly exported data are transferred to the Controller, as a standard within 60 days from the termination of the contractual relationship under the Terms; after this period, the Processor shall make the Controller's data inaccessible.
Data return. The Controller may request the Processor to send backed-up data pursuant to the Terms, no later than within 2 months from the deletion of the User Account, unless the deadline under Article 3.10 has expired in the meantime. After the expiry of this deadline, the Controller's data are irreversibly deleted.
Legal order. For matters not specifically regulated in this Data Processing Agreement, generally binding legal regulations shall apply. The Data Processing Agreement shall be governed by and construed in accordance with the legal order of the Czech Republic, in particular Act No. 89/2012 Coll., the Civil Code, as amended. The Contracting Parties have agreed that business customs shall not take precedence over any provisions of the law, including those provisions of the law that do not have mandatory effect.
Force majeure. The Processor shall not be liable for situations where it was unable to fulfil its obligation arising from the Data Processing Agreement due to an event referred to as force majeure (war, unrest, terrorism, rebellions, strikes, fires, epidemics or natural disasters).
Communication between the Contracting Parties. The Contracting Parties have agreed that their communication regarding the Data Processing Agreement (including notification of a security incident) shall be conducted via the following e-mail addresses:
Controller: the e-mail address with which the Controller registered for the Service;
Processor: support@retino.com.
Prohibition of assignment. No Contracting Party may in any way assign or transfer the rights and obligations arising from or related to this Data Processing Agreement without the prior written consent of the other Contracting Party.
Updates and changes. The Processor reserves the right to modify or update this Data Processing Agreement. If we make changes that alter the rights and obligations under the Data Processing Agreement, you will be notified in a timely manner by e-mail. If you continue to use the Service, you agree to the updated version of the Data Processing Agreement. If you do not agree with the changes, please stop using the Service.
Effectiveness. This Data Processing Agreement is effective in this version on the same day as the Terms, of which it is an appendix.
Appendices. The following appendices form part of the Data Processing Agreement:
Appendix A: Nature, scope, duration and purpose of Personal Data processing,
Appendix B: Technical and organizational measures,
Appendix C: List of sub-processors.
Appendix A: Nature, scope, duration and purpose of Personal Data processing
Nature of processing. Personal Data are processed automatically through the Processor's systems used by the Processor for the provision of the Service.
Purpose. The purpose of processing is to enable the Controller to use the Service (performance of the Agreement).
Legal basis for processing. The legal basis for the processing of Personal Data within the provision of the Service is the performance of the Agreement (as amended by the Terms).
Scope of processing. Depending on how the Controller uses the Service, the following Personal Data in particular may be processed in connection with the provision of the Service:
Contact details: First name, surname, e-mail, telephone number, address, Company ID, registered office, order number, account number;
Data on tax documents: Contact details, order number, account number, invoice number; or
Possibly other Personal Data transferred as part of integration, processed exclusively on the Controller's instructions.
Special categories of Personal Data. The Controller undertakes not to make available to the Processor any Personal Data falling within a special category of Personal Data within the meaning of Article 9 of the GDPR. Special categories of Personal Data may only be processed after explicit prior agreement with the Processor. What are special categories of Personal Data? These are Personal Data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health status or sexual life or sexual orientation of a natural person. Genetic and biometric data are also considered a special category of data if they are processed for the purpose of uniquely identifying a natural person.
Data subject. These are typically Personal Data of the Controller's customers or clients, the Controller's employees and other cooperating persons including suppliers, users of the Controller's websites, business partners or their employees or representatives.
Duration of processing. Personal Data are processed for the period specified in Article 3.10 of the Data Processing Agreement.
Appendix B: Technical and organizational measures
Technical measures. Security is very important to us and therefore we continuously work to ensure that your Personal Data is protected. When choosing measures, we take into account the scope of processing, the risk of processing and the state of our technology.
we regularly back up data;
we update antivirus software systems;
we encrypt data using SSL/TLS ("secure sockets layer / transport layer security") for all data transfers;
we use the secure https protocol;
our data on servers is encrypted;
we develop technology with regard to the protection of personal data (privacy by design);
access passwords to information systems (where Personal Data will be processed) and access permissions are controlled at the individual level.
Organizational measures. We have adopted and undertake to comply with the following measures:
Our employees and our service providers are bound by confidentiality;
Our employees are properly trained and also regularly further trained regarding the GDPR and are familiar with the rules of safe work on work devices;
In the case of storing API keys, we remove authorization data;
Access to all systems, including the information system, is personalized and protected by secure passwords;
We store passwords in the production environment in a separate location (Safe store), in which logs are recorded so that we can monitor employee access to individual Personal Data of Users.
Appendix C: List of sub-processors
| Processor | Address | What is it used for? | Where does it store data? | Transfer of data outside the EU (Art. 44 GDPR and reason for processing) | Data processing |
|---|---|---|---|---|---|
| Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle, Washington 98109-5210, United States of America | Web service | EU and outside EU | Data are transferred outside the EU on the basis of Standard Contractual Clauses of Decision 2021/914 of 4 June 2021 and are not processed by Amazon for its own purposes. | DPA and Standard Contractual Clauses |
| Twilio Ireland Limited | 70 Sir John Rogerson's Quay, Dublin 2, D02 R296, Ireland | Web cloud communication platform | EU and outside EU | Data are transferred outside the EU on the basis of Standard Contractual Clauses of Decision 2021/914 of 4 June 2021 and are not processed by Twilio for its own purposes. | DPA and Standard Contractual Clauses |
| Stripe Technology Europe, Limited | The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland | Payment service | EU and outside EU | Data are transferred outside the EU on the basis of Standard Contractual Clauses of Decision 2021/914 of 4 June 2021 and are not processed by Stripe for its own purposes. | DPA and Standard Contractual Clauses |
| HERE Global B.V. | Kennedyplein 222–226, 5611 ZT Eindhoven, Netherlands | Web API | EU and outside EU | Data are transferred outside the EU on the basis of Standard Contractual Clauses of Decision 2021/914 of 4 June 2021 and are not processed by HERE Global for its own purposes. | DPA and Standard Contractual Clauses |
| Google Ireland Limited | Gordon House, Barrow Street, Dublin 4, Ireland | Web API | EU and outside EU | Data are transferred outside the EU on the basis of Standard Contractual Clauses of Decision 2021/914 of 4 June 2021 and are not processed by Google for its own purposes. | DPA and Standard Contractual Clauses |
| Google Cloud EMEA Limited | Velasco, Clanwilliam Place, Dublin 2, Ireland | Web service | EU and outside EU | Data are transferred outside the EU on the basis of Standard Contractual Clauses of Decision 2021/914 of 4 June 2021 and are not processed by Google for its own purposes. | DPA and Standard Contractual Clauses |
| Anthropic, PBC | 548 Market Street, PMB 90375, San Francisco, California, 94104, United States of America | Web API | EU and outside EU | Data are transferred outside the EU on the basis of Standard Contractual Clauses of Decision 2021/914 of 4 June 2021 and are not processed by Anthropic for its own purposes. | DPA and Standard Contractual Clauses |
| Intercom R&D Unlimited Company | 124 St Stephen's Green, Dublin 2, Ireland | Customer service | EU and outside EU | Data are transferred outside the EU on the basis of Standard Contractual Clauses of Decision 2021/914 of 4 June 2021 and are not processed by Intercom for its own purposes. | DPA and Standard Contractual Clauses |
| PPL CZ s.r.o. | K Borovému 99, Jažlovice, 251 01 Říčany | Transport | EU and outside EU | Data are transferred outside the EU on the basis of Standard Contractual Clauses of Decision 2021/914 of 4 June 2021 and are not processed by PPL CZ s.r.o. for its own purposes. | Internal DPA and Standard Contractual Clauses |
| Direct Parcel Distribution CZ s.r.o. | Modletice 135, 251 01 Říčany | Transport | EU and outside EU | Data are transferred outside the EU in connection with international shipment delivery, archiving and statistical processing and when using Google Analytics, while DPD acts in accordance with applicable personal data protection legislation. | Privacy policy statement |
| Liftago a.s. | Rohanské nábřeží 678/25, 186 00 Prague 8 – Karlín | Transport of persons and shipments | EU and outside EU | Data may be transferred outside the EU in connection with the use of cloud and analytical services for the purpose of platform operation, analytics and ensuring the functionality of the website and application; data are not processed by Liftago for its own purposes. | Privacy policy |
| General Logistics Systems Czech Republic s.r.o. | Průmyslová 5619/1, 586 01 Jihlava | Transport and logistics | EU and outside EU | Data are transferred outside the EU for the purpose of fulfilling the contract for shipment delivery and related logistics services between GLS subsidiaries and partner carriers; data are not processed by General Logistics Systems Czech Republic s.r.o. for its own purposes. | Information on personal data processing |
| GLS General Logistics Systems Slovakia s.r.o. | Budča 1039, 962 33 Budča, Slovak Republic | Transport and logistics | EU and outside EU | Data may be transferred outside the EU to GLS subsidiaries and contractual partners for the purpose of shipment delivery; the transfer is based on the exception for the performance of a contract under Art. 49(1)(b) and possibly (c) of the GDPR. GLS states that personal data are used only to fulfil contractual obligations and other use is not permitted. | Privacy policy |
| GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. | GLS Európa u. 2., 2351 Alsónémedi, Hungary | Transport and logistics | EU and outside EU | Data may be transferred outside the EU in connection with the international transport of shipments within the GLS group and to its contractual partners; data are not processed by GLS General Logistics Systems Hungary Csomag-Logisztikai Kft. for its own purposes. | Privacy policy |