Data Processing Agreement

Between

1. jsreport s.r.o. (“jsreport”); and
2. “Customer(s)” as defined in the Terms and Conditions by jsreport (the “Client”).

Object of this Agreement

1. Pursuant to the Terms and Conditions by jsreport entered into between jsreport and Client (version 05/2018) (the “TC”), jsreport has agreed to provide the Client with certain services (the “Services”). To the extent that jsreport is processing Client’s personal data as defined in European laws (“Personal Data”) as part of the Services, the terms contained in this Data Processing Agreement (“Agreement”) will apply. This Agreement shall be entered into according to the applicable law, mainly the European General Data Protection Regulation EU no. 2016/679 (“GDPR”), as applicable.
2. If the Services are altered during the term of the TC and the altered Services involve new or amended processing of Client’s Personal Data, the parties will ensure that Annex 1 attached to this Agreement is updated as appropriate before such processing commences.
3. If there is any conflict or inconsistency between this Agreement and the TC, this Agreement will take precedence and apply to the extent of the conflict or inconsistency. The parties hereby agree that the TC is amended accordingly to give effect to this clause 1(3).
4. In respect of all processing of Client’s Personal Data carried out pursuant to the TC, jsreport is the processor according to Article 4 para. 8 GDPR (or BDSG) and the Client is the controller acc. Article 4 para. 7 GDPR (or BDSG).
5. For entering into this Agreement section 3 of the TC shall apply.

Processing

1. The Client is responsible for ensuring the data protection standards set by applicable national law (“Applicable Law” or “Data Protection Legislation”). jsreport will support the Client in fulfilling the necessary data protection standards.
2. jsreport shall implement a compliance mechanism to prove compliance with the GDPR and BDSG on request of the Client. Furthermore, jsreport shall:
   • unless Applicable Law requires otherwise, only process Client’s Personal Data on and in accordance with the Client’s documented instructions as set out in this Agreement or otherwise in writing including electronic form (“Processing Instructions”);
   • unless prohibited by Applicable Law, notify the Client if Applicable Law requires it to process Client’s Personal Data other than in accordance with Processing Instructions (such notification to be given before such processing commences). jsreport will bind its personnel accordingly in writing;
   • notify the Client if, in its opinion, the processing of Client’s Personal Data in accordance with Processing Instructions infringes Data Protection Legislation;
   • maintain a record of all categories of processing carried out on behalf of the Agency and make it available on request to the Client and the competent data protection authority
   • co-operate and assist the Client with any privacy impact assessments and consultations with (or notifications to) relevant regulatory authorities that are reasonably relevant pursuant to Data Protection Legislation in relation to the Client’s Personal Data and the Services. jsreport may charge such request based on its reasonable efforts for any services, which are not necessary to fulfill by jsreport.
3. After the business purposes for which Client’s Personal Data was processed have been fulfilled (or earlier upon the Client’s written request) jsreport shall, at the Client’s option, either delete or return all Client’s Personal Data and delete any existing copies of the same (unless storage of such copies is required by Applicable Law).
4. jsreport shall ensure that its personnel are reliable and receive adequate training on compliance with this Agreement and Data Protection Legislation and are obligated to maintain the security and confidentiality of any Personal Data to which they have access even after their engagement ends.

Client Warranties

1. The Client warrants and represents that:
   • the processing of Client’s Personal Data by the Client will be carried out in accordance with the contractual obligations;
   • jsreport is entitled to process Client’s Personal Data pursuant to the TC for the purpose of providing the Services and such use will comply with Data Protection Legislation;
   • all Processing Instructions shall at all times be in accordance with Data Protection Legislation; and
   • it is satisfied that jsreport’s processing operations are suitable for the purposes for which the Client proposes to use the Services and engage jsreport to process Client’s Personal Data.

Security and Delegation

1. jsreport shall:
   • implement and maintain throughout the term of the TC appropriate technical and organisational measures, which are described in Annex 4, intended to protect Client’s Personal Data against accidental, unauthorised or unlawful access, disclosure, alteration, loss, damage or destruction; and
   • take reasonable steps to ensure that its personnel do not process Client’s Personal Data other than in accordance with processing instructions by Client (unless required to do so by Applicable Law) and are obligated to maintain the security and confidentiality of any Client’s Personal Data to which they have access. The personnel shall be bound in writing to fulfil these obligations.
   • jsreport undertakes to comply with the requirements of data secrecy pursuant to BDSG when processing the Client’s Personal Data, and may only assign those staff members with the processing and usage of the Client’s Personal Data who have undertaken in writing to comply with the requirements of data secrecy pursuant to section 53 BDSG.
   • During the selection and deployment of staff, jsreport shall take steps to ensure that staff members comply with the statutory provisions on data protection, and do not forward to third parties, or otherwise exploit, information originating from the Client’s sphere.

Notifications

1. jsreport shall, without undue delay, notify the Client if:
   • it becomes aware of a personal data breach; or
   • it receives a request from or on behalf of a data subject of Client’s Personal Data to exercise any of the rights given to data subjects by Data Protection Legislation; or
   • it receives a request from the Press, a Data Protection authority or another public authority.
2. jsreport shall (at the Client’s expense) provide such further information and assistance as the Client reasonably requires in handling and responding to such notifications in accordance with its obligations under Data Protection Legislation.
3. jsreport shall document any personal data breaches, comprising the facts relating to the personal data breach, its effects and the remedial action taken and will supply the list to Client on request.

Inspections and Assistance with Regulators

1. Subject to reasonable written advance notice from the Client jsreport shall:
   • permit the Client to conduct (and shall contribute to) audits and inspections of its systems and processes in relation to the processing of Client’s Personal Data subject to the Client ensuring:
     • that such audit or inspection is announced to jsreport at least 2 weeks in advance in writing as far as legally possible and undertaken during normal business hours (Mondays to Fridays at business days (Prague), 9 a.m. to 6 p.m.) and with respect and minimal disruption to jsreport’s business and the business of other clients of jsreport; and
     • that all information obtained or generated by the Client or its auditor(s) in connection with such audits and inspections is kept strictly confidential (save for disclosure to a regulatory authority or as otherwise required by Applicable Law);
   • give the Client such information as is reasonably necessary to verify that jsreport is in compliance with its obligations under Data Protection Legislation; and
   • co-operate and assist the Client with data protection impact assessments and consultations with any regulatory authority that are relevant pursuant to Data Protection Legislation in relation to the Client’s Personal Data and the Client may not use without the support of jsreport.
2. The cost of such audit, inspection, provision of information or data protection impact assessment shall be borne by the Client.
3. Such audits may be (partly) fulfilled by relating to certification mechanisms, Codes of Conduct, special seals regarding GDPR or BDSG or certificates such as ISO27001, self-assessments or audits conducted by the Data Protection Officer.
4. The Client may require jsreport to conduct an audit or inspection of the Sub-Processor’s systems and processes in relation to the processing of Client’s Personal Data. The cost of such an audit or inspection shall be borne by the Client.

Duration of the Agreement, termination rights

1. This Agreement is entered into for the term of the TC.

Sub-Processors

1. jsreport shall use any sub-processor as jsreport’s processor according to Article 4 para. 8 GDPR (or BDSG) to process Client’s Personal Data (each a “Sub-Processor”) only after informing the Client in writing (including electronic form, section 126b BGB) about name, address, and personal data processed by the Sub-Processor. If the Client does not object to the Sub-Processor within 2 weeks after being informed, the respective Sub-Processor is approved by Client. jsreport has to enter a contract with Sub-Processor which contains substantially similar obligations with respect to the processing of Client’s Personal Data as to which jsreport is bound by this Agreement. The Sub-Processors named in Annex 3 attached to this Agreement shall be deemed accepted by Client.
2. jsreport shall be obligated to contractually safeguard the Client’s control rights, in relation to the Sub-Processor. Upon the Client’s request, jsreport shall be obligated to inform the Client of the contents of the contract with relevance for the exercising of the control rights, and of the implementation by the Sub-Processor of his obligations with data protection relevance.
3. With respect to the Sub-Processor’s activities, jsreport shall ensure that the data protection provisions regarding data processing services as well as jsreport’s obligations under this Agreement shall also be complied with in the subcontracting relationship. jsreport shall verify compliance with the obligations by the Sub-Processor by corresponding controls, and shall enforce them in the event of violations. Data may only be forwarded to the Sub-Processor once compliance with the data safety requirements has been documented by the Sub-Processor.

Liability

1. jsreport and Client shall be jointly liable for any damages arising from any processing of data not complying with the provisions of GDPR and/or BDSG vis-à-vis any affected individual.
2. In respect to Client, jsreport shall only be liable for any damages in connection with any processing of personal data under this Agreement if such damages are resulting from (i) a breach of a duty assigned to jsreport as data processor according to the applicable provisions of GDPR or BDSG, (ii) jsreport acting against a respective (legal) order by Client, and/or (iii) jsreport omitting such (legal) order by Client, whereas the limitations and provisions of the TC shall apply.
3. For any other liability based on other legal provisions than the GDPR or BDSG the provisions set forth in the TC shall apply.

General

1. Annex 1 to this Agreement describes the processing of Client’s Personal Data permitted in connection with the TC; Annex 2 lists the Sub-Processors (if any) who the Client agrees that these may process Client’s Personal Data;Annex 3 sets out the agreed Sub-Processors; Annex 4 sets out the technical and organizational measures taken by jsreport. All Annexes are integrated parts of this Agreement.
2. The invalidity of a provision of this Agreement shall not affect the validity of the remaining provisions. If a provision proves to be invalid, the Parties shall replace it with a new provision which approximates the intentions of the Parties as closely as possible.
3. Any changes or amendments to this Agreement must be made in the same form as this agreement is agreed on. This also applies to the waiver of this form clause itself.
4. The sole place of jurisdiction for any and all disputes arising from and in connection with this agreement shall be Prague, unless there is a sole statutory place of jurisdiction.
5. The Agreement shall be subject to Czech Republic law under exclusion of any conflict of aw rules or the United Nations Convention on Contracts for the International Sale of Goods.
6. In the event of any discrepancies of provisions of the TC and this Agreement, the provisions of this Agreement shall prevail.

Annex 1

Personal data and the purpose of their processing by jsreport on behalf of the Client

The list shall state the extent, the nature and purpose of any contemplated collection, processing and use of data, the type of data, and the circle of data subjects.

Type of Personal Data

• Contact Data and Details
• Other Personal Data added by Client when using Services

Data Subjects

• Client’s Staff
• Client’s Applicants, Trainees, Interns, Students, Retirees
• Client’s Customers
• Other data subjects affected when Client uses Services.

Purpose of Processing and Use of Data

• Use of Services
• Analysis in pseudonmized or anonymized form by jsreport for internal purposes and statistics
• Other purposes for use of Services by Client
• jsreport is instructed as follows:
  • The Client hereby instructs jsreport to process the above-mentioned personal data for the above-mentioned purposes. Changes may apply through further instructions.

Annex 2

Persons eligible to issue instructions

1. Persons eligible to issue instructions on behalf of the Client:
   • Contact at Client:
     • Person and contact details named within the Client’s account. An additional contact shall be named by Client via email to contact details below.
2. Person eligible to receive instructions on behalf of jsreport
   • Contact at jsreport: support@jsreport.net

Annex 3

Processing of personal data

List of sub-processors: Amazon Web Services, Inc., MongoDB Inc.

Annex 4

Data Safety Requirements

1. Object and scope of Annex 4
   • The GDPR and BDSG requires individual requirements to data safety, which must be implemented by suitable technical and organizational measures. Only an overall view and evaluation of all measures taken will allow the conclusion that the reasonable level of data safety as required by the law can be guaranteed. If personal data are processed by a service provider, jsreport is obligated under section 32 GDPR and 64 BDSG to define the technical and organizational measures relating to data safety.
2. Organizational provision on processing
   • jsreport maintains a system to examine, assess, and evaluate regularly the effectivity of the security of processing data. jsreport will, on request, provide details on such security measures. jsreport will also, on request, prove such system of evaluation to the Client.