on the entrustment of the processing of personal data
Travatar (in accordance with the ToS), hereinafter referred to as , "Processor"
Hereinafter also referred to individually as "Party" or jointly as "Parties".
- The Administrator uses the Travatar Services through the Travatar.ai platform, on the basis of the ToS, available at https://travatar.ai: (hereinafter: ToS);
- In order to perform the Agreement, it is necessary to entrust the Processor with the processing of personal data in accordance with the Regulation (EU) No. 679/2016 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter: GDPR),
- The Parties shall, with the commencement of the Service, enter into this Personal Data Processing Entrustment Agreement:
- The Controller declares that it is the Controller of the personal data entrusted to the Processor within the meaning of the GDPR.
- The Administrator entrusts the Processor with the processing of personal data under the terms of this Agreement and only for the purpose and to the extent necessary for the performance of the Agreement, i.e. for the provision of the Service.
- The Processor will process the following range of entrusted personal data:
- e-mail address
- phone number
- credit card number
- other data voluntarily provided in connection with the use of the services.
- The Administrator entrusts the processing of the data indicated in point 3 of this Agreement for the duration of the Agreement.
- The Processor undertakes to process the personal data entrusted to it in accordance with the provisions of the generally applicable law on the protection of personal data and, without undue delay, to update, rectify, amend, anonymize, limit the processing or delete the personal data indicated in accordance with the Administrator's instructions (if such an action could result in the impossibility of further implementation of the processing activity, the Processor shall inform the Administrator prior to undertaking it and shall subsequently comply with the Administrator's instructions).
- The Processor shall keep the personal data entrusted to it for processing confidential.
- The Processor undertakes, when processing the entrusted personal data, to secure the personal data by applying appropriate technical and organizational measures ensuring an adequate level of security corresponding to the risks involved in the processing of personal data (taking into account the level of technology, the costs of implementation, the nature, scope and purposes of the processing as well as the likelihood of occurrence and the scale of risks to the rights and freedoms of natural persons), in accordance with Art. 32 GDPR, in particular securing personal data from unauthorized access, from being taken by an unauthorized person, from being processed in breach of the applicable legislation, from being altered, lost, damaged or destroyed, and guaranteeing a level of protection appropriate to the risks in terms of confidentiality, integrity, availability and resilience of the Systems,
- Technical and organizational measures are subject to technical progress and further development, so that the Processor may implement adequate alternative measures as it deems appropriate.
- The Processor will keep a register of all categories of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) of the GDPR.
- The Processor shall only allow persons with personal data processing authorizations to process the entrusted personal data.
- The Processor undertakes to promptly notify the Controller at the email address shown of:
- any breach or misuse of the personal data entrusted under this Agreement;
- any action with its own participation in matters relating to the protection of personal data entrusted under this Agreement, conducted in particular before a supervisory authority, public authorities, the police or before a court.
- The Processor undertakes to respond promptly and with due diligence to any question from the Controller regarding the processing of personal data entrusted to it under this agreement.
- The Processor shall promptly inform the Controller of requests for the exercise of the rights of persons under Articles 15 to 22 of the GDPR that have been made directly to the Processor by data subjects.
- The Processor shall enable the Controller to audit the compliance of the processing of the entrusted personal data with this contract and the Data Protection Legislation.
- The Controller shall inform the Processor of the intention to carry out an audit at least 14 days prior to the commencement of the audit activities.
- The Processor is obliged to allow the Controller to carry out an audit, to make available all information and documents necessary for this purpose.
- The Processor undertakes to apply any post-inspection recommendations regarding the protection of the entrusted personal data and the manner in which they are processed, insofar as these recommendations are in accordance with the provisions of this contract and applicable laws.
- The Processor shall be responsible for the processing of the entrusted personal data in contravention of this contract and the law, and in particular for making the data available to unauthorized persons.
- The Processor shall be liable for damages to the Controller in the event that claims are made against the Controller by persons whose personal data security has been compromised as a result of the performance of this agreement for reasons attributable to the Processor.
- In the event of termination or expiration of this agreement, the Processor shall be obliged to irreversibly delete or return any personal data entrusted - as requested by the Controller - and irreversibly delete any existing copies thereof, with the exception of the data which it is obliged to keep under applicable law.
- The Administrator will notify the Processor of the date of return or deletion of the entrusted personal data. The method of return or deletion of the data will be evidenced by a written protocol.
- Each Party will notify its own employees and/or subcontractors of the transfer of personal data to the other Party and is obliged to fulfil any obligations towards them to enable the legality of such transfer.
- Each party is responsible for complying with the information obligation under Article 13 of the DPA towards its own employees and subcontractors.
- This Agreement shall terminate in the event of the performance or termination, for any reason, of the Agreement.
- Disputes arising from this Agreement shall be resolved by the Parties in accordance with the Rules.