1. Contracting parties
1.1. Processor: DomusDigital, s.r.o., ID: 23956780, Registered office: Korunní 2569/108, 101 00 Prague, E-mail: info@dokumentarna.cz (hereinafter "Processor").
1.2. Controller: User of the Dokumentárna.cz service who stores documents containing personal data in the service (hereinafter "Controller").
By entering into a business relationship (registration and use of the Dokumentárna.cz service), this Data Processing Agreement is concluded pursuant to Article 28 GDPR.
2. Subject of processing
2.1. The purpose of this agreement is to regulate the rights and obligations in the processing of personal data that the Controller uploads or stores in the Dokumentárna.cz service.
2.2. The Processor processes personal data exclusively according to the Controller's instructions and to the extent necessary for service provision.
2.3. Personal data may be part of documents that the Controller uploads to the system (e.g., contracts, invoices, personal files, records, HR documents, etc.).
3. Nature and purpose of processing
3.1. The purpose of processing is to provide a cloud service for managing, storing, searching, displaying and organizing documents through the Dokumentárna.cz application.
3.2. Processing takes the form of: data storage and retention, data access for the Controller and authorized persons, backup, data security, operational and technical system maintenance.
4. Types of personal data and categories of data subjects
4.1. Types of personal data depend on the documents stored by the Controller. Usually these are: identification data (name, surname, ID number, date of birth), contact data, employee data, financial and contractual data, data on the Controller's clients or business partners.
4.2. Data subjects may be in particular: Controller's employees, customers, suppliers and business partners, other persons whose personal data is contained in documents stored by the Controller.
4.3. The Processor does not control the content of documents and assumes that the Controller stores only data to which it has authorization.
5. Rights and obligations of the Processor
The Processor undertakes in particular to:
5.1. Process personal data only on the basis of documented instructions from the Controller.
5.2. Ensure protection of personal data using appropriate technical and organizational measures according to Article 32 GDPR.
5.3. Allow access to personal data only to persons who are authorized and bound by confidentiality.
5.4. Not use personal data for its own purposes.
5.5. Immediately notify the Controller of any breach of personal data security.
5.6. Provide assistance to the Controller in fulfilling its obligations under GDPR (e.g., responses to data subjects).
5.7. After termination of service provision, perform secure deletion of data, unless otherwise agreed.
5.8. Keep records of processing categories, if required by GDPR.
6. Rights and obligations of the Controller
The Controller undertakes to:
6.1. Process personal data in accordance with legal regulations and GDPR.
6.2. Store in the service only such documents and data to which it has authorization.
6.3. Inform the Processor of inaccuracies, suspected incidents or data subject requests regarding processing.
6.4. Provide the Processor with accurate instructions for handling personal data.
7. Involvement of other processors
7.1. The Controller agrees that the Processor may involve other entities as sub-processors (e.g., hosting, backup, emailing, IT infrastructure).
7.2. The Processor is obliged to conclude a processing agreement with sub-processors in accordance with Article 28 GDPR.
7.3. The current list of sub-processors is available on the Dokumentárna.cz website. Indicatively, these are: hosting and server infrastructure provider, backup system provider, email service provider, payment gateways (if used).
8. Transfer of data to third countries
8.1. The Processor does not transfer personal data outside the EU/EEA, unless necessary.
8.2. If a transfer occurs, an adequate level of protection must be ensured according to Article 46 GDPR (standard contractual clauses, etc.).
9. Personal data security
The Processor ensures in particular the following measures: encrypted data transmission (HTTPS), access rights management, regular system updates and security patches, firewall and protection against unauthorized access, system backup and monitoring, access logging.
10. Processing period
10.1. Personal data is processed for the duration of use of the Dokumentárna.cz service.
10.2. After termination of the service, the Processor will delete data after the expiration of the retention period specified in the terms and conditions or according to the Controller's instructions.
11. Confidentiality
11.1. The Processor and all persons authorized by it are obliged to maintain confidentiality about personal data and security measures.
11.2. This obligation continues even after the termination of the agreement.
12. Control and audit
12.1. The Controller has the right to request information on how the Processor fulfills its obligations under GDPR.
12.2. Audits may be conducted in a scope and manner appropriate to the nature of the service, usually in the form of documented control (demonstration of security system, procedures, infrastructure description, etc.).
13. Final provisions
13.1. This agreement is part of the business relationship between the Controller and the Processor and forms an annex to the terms and conditions.
13.2. The agreement is effective from the date of the user's registration for the Dokumentárna.cz service.
13.3. The Processor may update the agreement; the Controller will be informed of changes by publication on the website.
13.4. Legal relationships are governed by the law of the Czech Republic.