Help
Help
Breadcrumbs

Data Processing Agreement 2026


2026 ELEVEO DPA.pdf


Data Processing Agreement

 

Eleveo a.s.

Company ID: 257 30 151

Registered office: Boudníkova 2514/7, 180 00 Praha 8

registered in the Commercial Register kept at the Municipal Court in Prague, Section B, File No. 22865

Represented by: Marcel Westerbeek, Chairman of the Board

(hereinafter as the „Controller“)

 

and

 

[•]

Company ID:  [•]

Registered office: [•]

registered in the Commercial Register kept at the Municipal Court in [•], Section [•], File No. [•] (hereinafter as the „Processor“)

enter into this contract (hereinafter referred to as the „Agreement“) in accordance with EU Regulation (EU) 2016/679 of the European Parliament and of the council of 27 April 2016 on protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “GDPR”) (Controller and Processor hereinafter referred to as „Parties“ or each separately as „Party“)

I.

Preamble

  1. Parties entered on [•] into contract on [•] (hereinafter as „Associated agreement“), in which the Processor agreed to perform [•] for the Controller. In order to properly perform the obligations under the Associated agreement, it is necessary for the Processor to have access to the personal data of the persons specified in Article 8 of the Agreement (hereinafter referred to as the "Data subjects") processed by the Controller (hereinafter referred to as "Personal Data"), which will be processed by the Processor based on this Agreement.

  1. The Controller hereby authorizes the Processor to process Personal Data in accordance with GDPR and in the scope of his activity under this Agreement.

  1. The date from which the Processor is authorized to begin processing the Personal Data on behalf of the Controller shall be deemed to be the effective date of this Agreement.

II.

Instructions, purpose and extent of processing and categories of Data subjects

  1. Personal data will be processed by the Processor by nature either automatically or manually.

  1. The Processor performs the following elementary tasks in the processing of Personal data on behalf of the Controller:

(a) the collection and processing of data by authorized persons;

(b) storing and archiving of data in paper and electronic form.

  1. The Processor will process Personal Data only on the basis of instructions issued by the Controller. If, in the Processor's opinion, any instruction issued by the Controller is in breach of legal regulations, the Processor shall immediately inform the Controller of such a breach. These instructions can also be represented by a user controlled actions within the software.

  1. The processor is entitled to process Personal data provided by the Controller only for the purpose of fulfilling the obligations arising out of this Agreement and for the duration thereof. The Processor declares that he is familiar with the GDPR regarding processing of Personal Data.

  1. The purpose of processing is [•].

  1. The personal Data will be processed to the following extent:

  • name, surname and title;

  • personal identification number, date of birth;

  • ID card number;

  • signature;

  • marital status;

  • information about education;

  • capacity to exercise juridical acts;

  • citizenship;

  • permanent, temporary residency;

  • sex;

  • wage, salary or income affairs and other financial requisites granted for performance of duties or for performance of work;

  • specification of days on which work was done;

  • bank account details;

  • amounts affected by the court enforcement of a decision or enforcement by the administrative authority;

  • monetary penalties and fines, as well as compensations imposed on the employee by a relevant authority;

  • unrightfully received amounts of social security benefits and pension savings or their deposits, social benefits, benefits in material need and contributions to the benefit in material need, monetary contributions to compensate for the social consequences of severe disability which the employee is obliged to return on the basis of a decision pursuant to a special regulation;

  • annual sum of the retirement pension paid;

  • details on incapacity for work;

  • details on relevant personal obstacles to work;

  • details related to a change of capacity for work;

  • details related to a previous employer(s);

  • details of family members in the following scope: name, surname, address, date of birth, personal identification number;

  • details about employment statement;

  • details about the taking of maternity leave or parental leave;

  • details related to the grant of pensions, type of pension;

  • personal data provided on certificates, acknowledgements of completed exams and educational activities.

  1. Concerned persons, for whom the Processor is authorized to process Personal Data:

  • employees;

  • spouses of employees;

  • dependent children of employees;

  • parents of dependent children of employees;

  • close persons;

  • former employees.

III.

Rights and duties of the Parties

  1. In the performance of an activity under this Agreement, the Processor is required to protect the personal data provided by the Controller against accidental damage and destruction, unlawful damage, accidental loss, alteration, unauthorized access and disclosure, as well as any other unacceptable forms of processing. For this purpose, the Processor shall adopt appropriate technical, organizational and personnel measures required to fulfill these duties.

  1. The Processor undertakes to maintain the confidentiality of the Personal Data and to ensure the confidentiality of all persons who have access to the Personal Data (hereinafter referred to as the "Authorized Person") in connection with processing under this Agreement.

  1. In case of any breach of GDPR provisions or provisions of this Agreement, the Processor must immediately notify the Controller using the following email address: legal@eleveo.com.

  1. The Processor has an obligation to provide the Controller, if possible, with any necessary cooperation in order to fulfill the obligation of the Controller to respond to requests of Data Subjects in accordance with GDPR.

  1. The Processor cooperates with the Controller in fulfilling the obligations under GDPR Articles 32-36, taking into account the nature of the processing and the information available to the Processor.

  1. While processing the Personal Data, the Processor is further obliged to:

a) comply with GDPR provisions;

b) comply with the provisions of the Agreement;

c) when naming a new authorized person, ensure instruction of this person, its training with regard to handling and protection of personal data and to bind such person with the same non-disclosure obligations;

d) enable authorized persons to participate in training on the principles of the processing of personal data and the use of means for the automated processing of personal data;

e) provide authorized persons with the necessary material equipment (lockable space, computer with internet connection, and other equipment related to the proper performance of the duties under this Agreement);

f) prevent access to Personal Data in any form by unauthorized persons;

g) provide cooperation to the Controller in reaction to the exercise of personal rights of Data Subjects in accordance with GDPR;

h) comply with all provisions of Czech law relating to the protection and processing of personal data.

  1. The Controller declares that when selecting the Processor, he took into consideration his professional, technical, organizational and personnel capability and his ability to guarantee the security of the processing of Personal Data under the GDPR.

  1. The processor is/is not entitled to involve other subjects (hereinafter referred to as the "Sub-processor") in the processing. The Processor acknowledges that he must conclude a contract with the Sub-processor that imposes the same contractual obligations on the Sub-processor as those defined under this Agreement. The Processor will engage the following Sub-processors in processing of Personal Data:

 

Company name

Company ID

Address                                         

Scope of processing

 

 

 

 

 

 

 

 

 

The involvement of any other Sub-processor not listed in this table is subject to the written consent of the Controller.

IV.

Security of Personal Data

  1. The Processor declares that he has undertaken all the technical and organizational measures required under Article 32 of the GDPR and keeps them in line with technical progress and developments in the sector.

  1. The Processor shall ensure that the Controller can verify compliance of the Processor with the obligations set in Article 28 of the GDPR. The Processor shall, upon request, provide the Controller with all relevant information to demonstrate the application of technical and organizational measures. These measures can be demonstrated by reports or excerpts from reports provided by independent bodies, such as auditors or data protection officers, or current auditor's certificates.

V.

Duration of the Agreement and processing

  1. This Agreement is concluded for the duration of the Associated Agreement, and neither of the Parties is entitled to terminate this Agreement as long as the Associated Agreement is still in force.

  1. After the fulfillment of the purpose of the processing of Personal Data, that is after this Agreement has been ended, the Processor is obliged to secure the liquidation of all the Personal Data provided by the Controller and he is subsequently obliged to notify the Administrator immediately of the liquidation of the personal data.

  1. The Processor is obliged to secure the return of Personal Data from Sub-processors or secure their deletion.

VI.

Sanctions

  1. For every single breach of any obligation under this Agreement or GDPR, the Processor agrees to pay a contractual fine in the amount of 5 000 EUR. The right of Controller to claim damages remains unaffected.

  1. The obligation set out in Article 24 of this Agreement also applies to the breach of obligations by the Sub-processor, if involved.

VII.

Other provisions

  1. This Agreement is governed by the GDPR and the relevant generally binding regulations of the Czech Republic.

  1. This Agreement can be modified, by a written amendment, which is signed by both Parties.

  1. This Agreement is executed in two originals, each Party retains one copy.

[place], [date]

[place], [date]

 

 

 

 

_________________________________

 

 

 

 

_______________________

Marcel S. Westerbeek, Chairman of the Board

[•]

Eleveo a.s.

[•]