These clauses need to be applied by the Service Provider based on the agency contract for the data controlling activity in connection with the 6311 – Data processing, web-hosting service provided for the User, during which the Service Provider manages personal data in the name of the User, as data controller.
The object of the data processing is managing the personal data of the natural person contacting the User by the Service Provider’s scheduling system, in connection with fulfilling the agency contract between the Service Provider and the User. Using the User as data processor does not need prior consent from the affected natural persons, but they need to be informed, which is the User’s task.
The data controlling activity lasts for as long as the contract between the Service Provider and the User exists, or until the affected natural person withdraws their consent to data controlling.
The goal of the data controlling is to provide a general scheduling system for the User in a cloud-based, embeddable form (TEAOR 6311 – Data processing, web-hosting).
Managed personal data: name of the natural person, address, phone number, email address, online ID. The system allows the User to ask the Customer for other data in a form connected to the booking. The data in this form can be specified by the User in the system settings.
The User is responsible for ensuring that the data asked for in the booking form complies with the requirements of the current legislation, and does not extend to sensitive personal data or special data that requires a higher level of protection.
The User’s Customers are affected by data controlling.
The User as data controller is entitled to check the execution of the activity according to the contract at the Service Provider as data processor.
The User as data controller is responsible for the legality of the instructions connected to the tasks specified in the contract. If the instructions are unlawful, the Service Provider as data processor must notify immediately.
The User as data controller is required to inform the natural persons affected by data controlling about the data processing according to the contract with the Service Provider, and, if the law so requires, to obtain their consent.
The Service Provider as data processor acts on the instructions of the User as data controller during its activity.
The Service Provider as data processor ensures during its activity that the persons who are authorized to access the affected personal data commit themselves to confidentiality in relation to the personal data, if they are not under a legitimate confidentiality obligation.
The Service Provider as data processor makes technical and organizational arrangements, considering the current state of science and technology, the cost of implementation, the nature, scope, circumstances and goals of data controlling, and the varying probability and severity of the risk to the natural persons’ rights and freedoms, in order to guarantee data safety equivalent to the level of risk. The Service Provider as data processor takes action to ensure that the natural persons who are under its control and who have access to personal data can manage the mentioned data according to the instructions from the User as data controller, except if EU or member state law obliges differently. It takes care that the stored data can only be accessed through the internal system or by direct access by authorized persons, and only in the context of data controlling. It provides for the regular maintenance and development of the devices used. It places the data storage device in closed premises with suitable physical protection and takes care of its physical protection. The Service Provider as data processor has to employ persons with proper knowledge and experience to perform the tasks of the contract. It also takes care of their training on the data protection legislative provisions, the obligations of this contract and the goal and mode of data collection.
The Service Provider as data processor will use an additional data processor only if it meets the criteria of the Regulation (Regulation (EU) 2016/679) and the Act CXII of 2011 on Informational Self-determination and Freedom of Information. The User as data controller gives general authorization to the Service Provider as data processor to use an additional data processor (subcontractor). Before starting to use an additional data processor, the Service Provider as data processor notifies the User as data controller about the person of the additional data processor and the planned tasks that the additional data processor will do. If the User as data controller raises an objection against the additional data processor based on the notification, using this additional data processor is only possible if the conditions of the objection are fulfilled. If the Service Provider as data processor uses the service of an additional data processor, it has to guarantee the implementation of suitable technical and organizational arrangements, thereby ensuring that the processing of data complies with the criteria of the current legislation. If the additional data processor does not fulfill its data protection obligation, the Service Provider as data processor who commissioned it has full responsibility towards the User as data controller for the fulfillment of the additional data processor’s obligation.
The Service Provider as data processor helps the User as data controller with every suitable resource during its data processor activity to enforce the rights of those who are affected by data processing and to fulfill its obligations. The Service Provider as data processor helps the User as data controller in fulfilling its obligations under Articles 32-36 of the Regulation (Data safety, Data protection impact assessment and prior consultation), considering the nature of the data controlling and the information available to the data processor.
The Service Provider as data processor provides the User as data controller with every piece of information that is needed to fulfill the obligations mentioned in Article 28 of the Regulation (The data processor). Furthermore, it allows and helps audits, including on-site inspections, by the User as data controller or other commissioned controllers. The Service Provider as data processor immediately notifies the User as data controller if it presumes that its instructions violate the data protection provisions of the member state or the EU.
The expiry of the agency contract between the Service Provider and the User causes the expiry of the data processing contract too. Following the expiry of this contract, the Service Provider as data processor deletes all personal data and records connected with the expired contract, and all personal data and copies from the User as data controller. The deletion of the data has to take place within 3 calendar years from the expiry of the contract.
For questions that are not regulated in this chapter, the Act V of 2013 on the Civil Code, the Regulation (EU) 2016/678 of the European Parliament and the Council and the Act CXII of 2011 on Informational Self-determination and Freedom of Information have to be applied.