Contract for Data Processing
- Definitions
- The following definitions are used in this contract for data processing:
- the terms of service – the terms and conditions of the service provided to the school by the service provider;
- the general regulation – the regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data;
- personal data – any information relating to an identified or directly or indirectly identifiable natural person entered in the eKool or otherwise disclosed to the service provider by the school or a user authorised by the school. Personal data include the following data of pupils, teachers, legal representatives of pupils (parents and persons with rights of custody) and other persons whom the school has designated a role with the right of access to the data of pupils, and the relevant officials or employees of the local government, operator of the school and ministries:
- identification and contact data (incl. given name and surname, personal identification code, date of birth, address, telephone number, e-mail address);
- data related to a person (e.g. sex, relation to a pupil, a role designated in the eKool);
- data related to learning, learning results and behaviour (e.g. data on enrolment and status of the studies, subjects, curriculum, grades, certificate of developmental assessment, class, parallel, data related to attendance, data on decrees, notices, data on decisions of the teachers' council, performance reviews and discussions) and
- other data necessary to organise the activities of an educational institution (e.g. data on meals, diet, attached documents, notes made by the school and the number, date of issue, school and access log of the school card (as defined in section 2.2));
- a sub-processor – a processor of personal data involved or used for the processing of personal data by the service provider who may access or otherwise process the data of the school, incl. personal data;
- a list of processors – information published on the web site of the service provider on the sub-processors and their data.
- The definitions and terms used in this contract for data processing that have not been set out above shall have the meaning assigned to them in the terms of service and the general regulation.
- Object of Contract for Data Processing
- By the contract for data processing the school (as the controller of the personal data) authorises the service provider (as the processor of the personal data) to process the personal data that has been transmitted to or entered in the eKool or otherwise made available to the service provider by the school or a user authorised by the school in accordance with the contract, and the controller of which, pursuant to the general regulation, is the school, in the scale and scope necessary to perform the contract pursuant to the terms and conditions of the contract for data processing.
- For the avoidance of doubt, the parties have agreed that in the case an electronic student or school card issued to pupils (previously and hereinafter: the school card) is used by the school, the school shall also be the controller of all the personal data related to the school card. The service provider shall process the respective data in the course of the provision of the service on behalf and with the authorisation of the school as a processor.
- The service provider has agreed to provide the school with the service pursuant to the terms of service. Upon the provision of the service, the service provider shall process the data of the school which include personal data. The service provider shall process and protect the personal data in accordance with the terms and conditions of this contract for data processing.
- The service provider shall process the personal data for the following purposes:
- to manage the learning process in the school and the collection and storage of the personal data required by law in relation thereto;
- to support cooperation between the school and a local government to the extent provided by law;
- to enable information on studies to be accessed by a pupil, parent, legal representative or other person designated by the school;
- to support the learning process through the analytics of the learning results;
- to support communication and cooperation between home and school.
- The service provider shall process the personal data only to the extent necessary to provide the service in accordance with the terms of use, the contract for data processing and the eKool terms of use.
- In matters not regulated in the contract for data processing the terms of service shall be applied.
- Obligations of School
- As the controller, the school shall ensure that there is an appropriate legal basis for the processing of personal data and that they have, if applicable, the consent of the data subject or their legal representative. The school shall also ensure that the personal data are processed, incl. that the service provider is authorised in accordance with the general regulation and any other applicable national and international personal data protection legislation as well as the terms of service and the contract for data processing.
- The parties have agreed that the instructions of the school involving operations set out in the price list, incl. the destruction or restitution of data by the service provider, can give rise to additional fees. In such a case, the service provider shall notify the school of such fees before performing the respective operations, unless otherwise agreed in advance.
- Obligations of Service Provider
- On behalf and under the responsibility of the school the service provider undertakes to process personal data only in accordance with the terms of service, the contract for data processing and written guidelines issued to the service provider in accordance with the general regulation and other applicable personal data protection legislation for the processing of personal data by the school. Regardless of the above, the service provider shall have the right to process personal data irrespective of the school and the contract, including the contract for data processing, if they have an autonomous legal basis to process particular personal data as a controller (e.g. if the service provider processes personal data to perform a contract concluded with a data subject or their legal representative or on the basis of the data subject's consent). Such processing of personal data shall not be considered a breach of the contract for data processing.
- In the absence of sufficient instructions and/or if the instructions contradict the general regulation and/or other applicable personal data protection legislation, the service provider shall notify the school thereof and, until the receipt of more detailed instructions, shall act in a manner complying, pursuant to their discretion, with the general regulation or the provisions of another applicable legal regulation and the assumed intention of the school.
- The service provider enables the school to access, supplement, correct, erase and transmit the personal data processed on their behalf as well as restrict the processing thereof pursuant to the functionalities of the eKool at any time. If the school wishes to use the data in an operation not allowed by the eKool, the school shall submit to the service provider a written request to perform the respective operation and the service provider shall comply therewith within a reasonable time, if possible. Regardless of the above, the school shall not have access to the data the user has entered in the eKool within a functionality created for personal use and with regard to which the user may presume that they are not shared with the school (e.g. data on the discussions of the user, uploaded files, blog posts, etc.).
- The school shall have the right to verify that personal data are processed in accordance with the contract for data processing. The service provider undertakes not to obstruct the school in conducting the referenced inspection and to assist the school therewith to a reasonable extent.
- The service provider undertakes to allow the school to access all the information necessary to assess the performance of the obligations of the service provider under the contract for data processing, the general regulation or other applicable personal data protection legislation. The service provider also undertakes to assist the school to a reasonable extent in fulfilling their obligations related to the processing of personal data under the general regulation and/or other applicable personal data protection legislation.
- The service provider shall ensure a level of security appropriate to the threats and risks related to the processing of personal data by implementing suitable and appropriate technological, physical and organisational measures to protect the personal data against unauthorised access, destruction and alteration and ensure that the data are processed only for the purposes of and to the extent necessary for the contract. The service provider shall, inter alia, create periodic backup copies of the data that are stored separately from the basic data.
- The service provider shall ensure that the personal data are accessed and processed only by their employees, members of management or other natural persons having a contractual relationship with them who need the access to perform their duties related to the performance of the contract and are obliged to comply with the obligation of confidentiality, the contract for data processing and the contract in relation to the processing of personal data.
- The service provider undertakes to cooperate with the school and assist them in solving and executing the communications submitted by data subjects in relation to the processing of personal data as well as their requests to exercise the rights related thereto, incl. the requests to access or erase their personal data.
- If a request related to personal data, incl. a request to erase or correct the data or restrict the processing thereof, provide information or perform any other action, is submitted by data subjects or the supervisory authority monitoring personal data protection, the service provider shall notify the school thereof before addressing the request or performing any operations with personal data. If the request must be addressed without delay, the school shall be notified as soon as reasonably possible of the service provider addressing the response. The service provider may correct, erase and amend the personal data processed on behalf of the school or restrict the processing thereof only in prior concordance with the school.
- Upon the receipt of a respective written instruction from the school, the service provider must erase or destroy the data pursuant thereto either in part or in full without undue delay. Regardless of the above, the personal data contained in the backup copies of the eKool data base shall not be erased. If the personal data which were to be erased are reactivated upon the restoration from the backup, they shall be erased again at the earliest opportunity.
- Sub-Processors
- The school hereby gives the service provider their overall consent to involve and/or use sub-processors to process personal data in relation to the provision of the service. The service provider shall be held liable for the conduct of the used or involved sub-processors processing the personal data as if it was their own. The service provider shall ensure that the sub-processors comply with the contract for data processing, the general regulation and other applicable personal data protection legislation at least to the same extent as them.
- The service provider shall publish the information on the sub-processors used and involved by them in the list of processors available on their web site.
- If the service provider intends to involve a new sub-processor, the service provider must publish the data of the sub-processor in the list of processors at least 14 calendar days before transmitting any personal data to them. If the school does not object to the new sub-processor within the referenced period, they are deemed to have accepted the sub-processor. If the school has submitted their reasoned written objections to the new sub-processor within the referenced period but an agreement on not involving or changing the sub-processor has not been reached, the school shall have the right to cancel the contract and the contract for processing services as a part thereof from the moment the sub-processor the school objected to commences the processing of the personal data.
- Personal Data Breaches
- Upon a personal data breach, the service provider shall take the necessary measures to preclude, prevent or diminish the threat arising to the personal data therefrom, incl. the risk of accidental or unlawful destruction, loss, alteration or unauthorised access and disclosure of the personal data.
- The service provider shall notify the school of a personal data breach without undue delay (if possible, within 72 hours of the discovery thereof).
- The service provider shall document any and all personal data breaches and the circumstances thereof, incl. their effect and the corrective actions taken to remedy the breach. At least the following circumstances of a personal data breach shall be documented:
- a description of the mode of the breach and, if possible, a description and the amount of the affected categories of the data subjects and the data;
- a description of the likely as well as actual consequences;
- a description of corrective actions taken or to be taken by the service provider to remedy the breach.
- A copy of the documentation on the personal data breach shall be submitted to the school or the relevant supervisory authority at their written request.
- The service provider shall not be held liable and the school alone is responsible for the performance of any reporting obligations applicable to the school as the controller in relation to the personal data breach, incl. an obligation to notify data subjects, the supervisory authority or third parties.
- Liability
- Considering the liability restrictions in the terms of service, the service provider shall compensate the school for any wrongfully caused material damage which:
- arises from a fundamental breach of the contract and/or contract for data processing by the service provider in the course of processing personal data,
- arises from a fundamental infringement of the general regulation and/or other applicable personal data protection legislation by the service provider in the course of processing personal data and/or
- arises from a fundamental infringement of the contract for data processing, the general regulation and/or other applicable personal data protection legislation by a sub-processor used or involved by the service provider in the course of processing personal data.
- Validity and Termination
- The validity of the contract for data processing is inextricably linked to the validity of the contract and the contract for data processing shall expire upon the expiry of the contract.
- The service provider shall return any and all personal data to the school or make them otherwise available for recovery upon the expiry of the contract for data processing but no later than within 30 days thereof. If the school has accepted the personal data or declined therefrom in writing, any and all personal data in the possession of the service provider, except for the personal data that may be processed by them on a legal ground other than the contract or the contract for data processing, must be irretrievably erased or destroyed.
- If the school neither accepts nor declines the acceptance of the personal data subject to return within 30 days of the expiry of the contract for data processing, the service provider shall erase or destroy the personal data subject to return, except for the data which pursuant to the applicable legislation must be stored by the school. The personal data which pursuant to the applicable legislation must be stored by the school shall be stored by the service provider until the receipt of a written authorisation from the school to erase the data or until the respective legal obligation expires. The school shall compensate the service provider for the storage of the personal data according to the price list, unless otherwise agreed.