Data Processing Terms
At Scaut we place emphasis on your privacy and are committed to protecting your personal data.
DATA PROCESSING TERMS
(to the Scaut Terms of Service)
SCAUT, s.r.o., with its registered office at Inovační 122, Zlatníky-Hodkovice, 252 41, Czech Republic (the “Provider” or “SCAUT”) and the User have agreed, on the basis of the Scaut Terms of Service available at [WEBSITE URL] (the "Terms") concluded between SCAUT and the User, on the services defined in the Terms to be provided by SCAUT (the “Services”). The relationship between SCAUT and the User is thus based on the Terms concluded between SCAUT and the User, to which these Data Processing Terms are attached. These Data Processing Terms (hereinafter the "DPT") form an integral part of the Terms. The DPT, the Terms and any other annexes together form an agreement between the Provider and the User (the “Agreement”).
Words starting with capital letters have the same meaning as set forth in the Terms or in any other annex referred to in the Terms, unless otherwise stated in the DPT. Terms such as personal data, personal data controller, personal data processor and personal data processing have the meanings set out in the GDPR.
The DPT is in accordance with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter "GDPR").
This DPT replaces any comparable or additional rights or documents pertaining to the processing of personal data by SCAUT as a personal data processor (including any existing data processing addendum to the Terms).
In accordance with GDPR, the User has verified that SCAUT provides sufficient guarantees to implement appropriate technical and organizational measures to ensure that the processing of personal data complies with the GDPR.
1. INTRODUCTORY PROVISIONS
1.1. Processing of personal data as a personal data processor.
SCAUT processes personal data on behalf of the User within the provision of the Services ordered by the User, consisting mainly of verifying the truthfulness and completeness of selected biographical data of employees, candidates for employment or candidates for a contractual relationship with the User (hereinafter the “Candidate”). SCAUT thus acts as a processor (or sub-processor) of personal data in relation to the User, and the User acts as the controller of personal data. The processing activities carried out by SCAUT arise from the Terms or from documented requests made by the User through the Platform during the provision of the Services.
1.2. Authorisation to process personal data.
The User hereby authorises SCAUT to process the personal data of the data subjects provided by the User within the framework of the provision of the Services, to the extent set out in this DPT. The Provider will process personal data for the User on the basis of the User's documented instructions and to the extent necessary for the proper performance of SCAUT's obligations under the Terms.
1.3. User responsibility.
Where SCAUT acts as the personal data processor, the User is responsible for fulfilling all controller obligations in relation to the processing of personal data, in particular for properly informing data subjects about the processing of personal data, obtaining consent to the processing of personal data where necessary, and handling requests from data subjects regarding the exercise of their rights (such as the right to information, access, rectification, erasure, restriction of processing, objection, etc.). SCAUT shall assist the User in fulfilling these obligations on the basis of documented requests of the User. However, SCAUT is not responsible in any way for the accuracy or legality of the activities carried out by the User.
1.4. Declaration.
Both the User and SCAUT undertake to comply with their obligations arising from the applicable legal regulations that apply to the processing of personal data.
2. SUBJECT MATTER OF PROCESSING, CATEGORY OF DATA SUBJECTS AND TYPE OF PERSONAL DATA
2.1. Subject matter of the processing.
The subject matter of the processing of the personal data defined below by SCAUT is the performance of the Services pursuant to the Terms, the relevant provisions of the GDPR and the User’s instructions.
2.2. Types of personal data.
In the course of fulfilling its duties under the Terms and providing the Services, SCAUT may process the following personal data in accordance with this DPT:
2.2.1. identification data,
2.2.2. personal identification number,
2.2.3. contact details,
2.2.4. details of documents/photocopies of documents,
2.2.5. details of education /photocopy of proof of education,
2.2.6. professional data,
2.2.7. details of previous employment, contact details of previous employers,
2.2.8. the information contained in the work assessment,
2.2.9. references from previous employers,
2.2.10. insolvency and bankruptcy records,
2.2.11. criminal record /excerpt from the criminal record,
2.2.12. entries on sanctions lists,
2.2.13. records of debts owed to entities that are recorded in the bank/non-bank client information register,
2.2.14. records of tax arrears to the tax authorities,
2.2.15. records of civil litigation for damages, etc.,
2.2.16. police search records,
2.2.17. land registry records,
2.2.18. data obtained from publicly available sources,
2.2.19. other data provided by the User to SCAUT, e.g. through the Platform, or data provided by the Candidate during the provision of the Services by SCAUT.
2.3. Categories of data subjects.
Personal data will be processed about the following categories of data subjects:
2.3.1. employees of the User,
2.3.2. potential employees of the User (applicants for employment with the User),
2.3.3. business partners of the User,
2.3.4. other natural persons whose personal data the User transfers to SCAUT for processing.
3. NATURE AND PURPOSE OF DATA PROCESSING
3.1. Nature of personal data processing.
SCAUT will process personal data in an automated, electronic manner or, if necessary, in paper form. The processing consists of searching for, collecting, recording and organising personal data and storing it in the Platform and on data carriers. Furthermore, SCAUT ensures the management and storage of personal data, its backup, blocking, deletion and disclosure to persons designated by the User, and other activities which by their nature correspond to the provision of the Services to the User, to this DPT and to any other documented instructions provided by the User.
3.2. Purpose of processing.
The purpose of the processing is to provide the Services as defined in the Terms to the User, together with any other purposes that arise from the scope of the Services provided to the User under the Agreement.
4. DURATION OF THE PROCESSING
4.1. Duration of processing of personal data.
The processing of personal data will be carried out for the duration of the Agreement, or for as long as the User instructs SCAUT in connection with the performance of the Agreement. The Provider undertakes to comply with the obligations set out in the data protection laws for the entire duration of the Agreement, and beyond its termination where it is clear from the Agreement that the obligations are to continue after termination.
4.2. Return and deletion of personal data.
The User instructs SCAUT to delete the personal data, including existing copies, within the time frame set by the User in the Platform. If the User does not set a retention period in the Platform, deletion will take place within 90 days after submission of the results of the checks, unless otherwise agreed or set up in the Platform. SCAUT may retain personal data where its storage is required by the law of the Czech Republic or the European Union, and where SCAUT processes personal data for the purpose of defending against potential claims and for legal and other proceedings.
5. PROCESSING SECURITY
5.1. Technical and organizational measures.
To ensure the security of personal data, SCAUT has implemented the technical and organisational measures listed in Annex 1 and undertakes to maintain them so as to ensure the security of personal data processing throughout the processing period under these Terms.
5.2. Confidentiality.
SCAUT shall grant its employees access to the personal data processed only to the extent necessary for the implementation, administration and control of the Terms. SCAUT shall ensure that the persons authorised to process the personal data received are bound by an undertaking of confidentiality or are subject to a statutory obligation of confidentiality.
6. OTHER RIGHTS AND OBLIGATIONS OF SCAUT
6.1. In personal data processing, SCAUT is obligated to:
6.1.1. process personal data solely on the basis of the User's documented instructions; for the avoidance of doubt, processing of personal data in accordance with SCAUT's obligations under the Terms is deemed to be carried out in accordance with the User's instructions. An instruction given from the e-mail address of, or via the Platform by, a person authorised under the Terms is also deemed to be a written instruction;
6.1.2. follow the User's instructions regarding the transfer of personal data to a third country or an international organisation, unless such processing is already required by European Union or Member State law to which SCAUT is subject, in which case SCAUT shall inform the User of this legal requirement prior to processing, unless such legislation prohibits such information for important reasons of public interest;
6.1.3. taking into account the nature of the processing, assist the User through appropriate technical and organisational measures, where possible, in complying with the User's obligation to respond to requests to exercise the rights of data subjects; the specific rules on handling data subject requests are stipulated in Article 6.2 of this DPT;
6.1.4. assist the User in complying with the User's obligations to (i) ensure the level of security of the processing, (ii) report personal data breaches to the Data Protection Authority and, where applicable, to data subjects, (iii) assess the impact on the protection of personal data and (iv) carry out prior consultation with the Data Protection Authority, all taking into account the nature of the processing and the personal data held by SCAUT;
6.1.5. allow the User or a person authorised by the User to check (including by audit or inspection) compliance with this DPT, in particular the obligations for processing personal data arising from it, and contribute to such checks as reasonably instructed by the User or the authorised person; the specific rules for audits are set out in Articles 6.3, 6.4 and 6.5 of this DPT;
6.1.6. provide the User with all information that can reasonably be expected from SCAUT to demonstrate that the obligations set out in the GDPR and other data protection legislation have been met; and
6.1.7. inform the User if, in its opinion, the User's instructions violate the GDPR.
6.2. Data subjects’ requests.
SCAUT shall, to the extent legally permitted, promptly notify the User if SCAUT receives a request from a data subject to exercise the right of access, the right to rectification, restriction of processing, erasure or data portability, the right to object to the processing, or the right not to be subject to automated individual decision-making. In addition, to the extent that the User, in its use of the Services, is not able to address a data subject request itself, SCAUT shall upon the User's request use commercially reasonable efforts to assist the User in responding to such data subject request, to the extent SCAUT is legally permitted to do so and a response to such request is required under data protection laws and the GDPR. To the extent legally permitted, the User shall be responsible for any costs arising from SCAUT’s provision of such assistance and shall remain responsible for the correct handling of the request.
6.3. Information about security attestations.
The User is entitled to monitor and, from time to time (including prior to the commencement of data processing by SCAUT), audit SCAUT’s compliance with applicable data protection laws and the Terms. The User may exercise this right by obtaining from SCAUT information such as security attestations and audit reports (e.g. ISO 27001, SOC 2 or other certificates), by inspecting the stored data and systems, and otherwise as specified under the rules set out in Articles 6.4 and 6.5 of this DPT.
6.4. Audits.
The User shall send any request for an audit (check) exclusively to SCAUT’s e-mail address dpo@scaut.com, at reasonable intervals. Upon receipt of an audit request, SCAUT and the User shall agree in advance on (a) the possible date of the audit, the security measures and how compliance with confidentiality obligations will be ensured during the audit, and (b) the expected start, extent and duration of the audit. If no agreement is reached within 30 days of the date of the request, SCAUT shall determine the terms of the audit.
6.5. Auditors.
SCAUT may object in writing to any auditor (authorised person) appointed by the User if, in SCAUT’s opinion, the auditor is not sufficiently qualified, is not independent, is in a competitive position with SCAUT or is otherwise evidently unsuitable. Following an objection, the User shall appoint another auditor or carry out the audit itself. The User shall promptly notify SCAUT of any non-compliance discovered during an audit.
6.6. Sub-processors.
The User agrees to the involvement of other sub-processors in the processing of personal data. Depending on the type of Services provided or requested by the User, SCAUT may use other sub-processors or share personal data with other recipients of personal data. The User hereby agrees that SCAUT will involve the following sub-processors:
6.6.1. Companies listed in the Platform according to the scope of provided Services, mainly in connection with the non-EU screenings;
6.6.2. Microsoft Ireland Ltd., Ireland, RN IE256796;
6.6.3. Amazon Web Services EMEA SARL, Luxembourg, FC034225;
6.6.4. Trustmatic s.r.o., Slovakia, ID 53328001;
6.6.5. SCAUT s.r.o. or SCAUT SK, j.s.a., according to which entity provides the Services;
6.6.6. [TBD].
6.7. Objections to involvement of other sub-processors.
SCAUT shall inform the User in writing before involving an additional sub-processor, and the User may object to the involvement of the additional sub-processor within 10 business days after notification. If the User does not object within the time limit, SCAUT will engage the additional sub-processor. If the User objects, SCAUT will assess the objection and, if it finds the objection justified, will either not engage the additional sub-processor or make a commercially reasonable change to the User’s configuration or use of the Services to avoid processing by that sub-processor. If such a change is not possible, SCAUT may terminate the contractual relationship with the User (or part of it) or cease to provide the part of the Services to which the additional sub-processor is linked, without being in default or in breach of any obligation. The Provider will refund to the User any prepaid fees covering the remainder of the term of the Terms following the effective date of termination with respect to the terminated Services, without imposing any penalty for such termination on the User.
6.8. Obligations to other sub-processors.
If SCAUT engages another sub-processor to process personal data, that sub-processor must contractually commit to the same obligations to protect personal data as those agreed between the User and SCAUT, and to implement appropriate technical and organisational measures so that the processing complies with the requirements of the GDPR and these Terms.
6.9. Liability for sub-processor.
SCAUT shall be liable for the acts and omissions of its sub-processors to the same extent SCAUT would be liable if it were performing the Services of each sub-processor directly under the terms of this DPT, except as otherwise set forth in the Terms.
6.10. Costs related to the performance of the DPT.
Unless otherwise agreed in writing between SCAUT and the User, the User shall bear its own costs associated with the performance of the DPT.
7. SECURITY OF PERSONAL DATA AND PERSONAL DATA BREACH
7.1. Obligation to secure personal data.
SCAUT has adopted and maintains technical and organisational measures to prevent unauthorised or accidental access to, modification, destruction or loss of personal data, unauthorised transmissions, other unauthorised processing and any other unauthorised misuse of personal data. SCAUT regularly monitors compliance with these measures.
7.2. Personal Data Breach.
In the event of a personal data breach, SCAUT shall cooperate with the User and assist the User in fulfilling its obligations under Articles 33 and 34 of the GDPR or, where applicable, Article 35 of the GDPR, taking into account the nature of the processing and the information available to SCAUT.
7.3. Information of the Security Breach.
In the event of a breach of the security of personal data processed by SCAUT, SCAUT shall inform the User without undue delay after becoming aware of the breach. The notification shall include all information SCAUT has at its disposal, to the extent specified in Article 33(3) GDPR:
7.3.1. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned),
7.3.2. details of a contact point from which the User can obtain more information about the personal data breach,
7.3.3. the likely consequences of the breach and the measures taken or proposed to be taken in relation to it, including measures to mitigate any adverse effects.
7.4. Assistance to the User.
SCAUT will respond without undue delay to any request from the User for assistance in the event of a security breach.
7.5. Further Information.
If it is not possible to provide all of this information at once, the initial notification shall contain the information available at the time, and further information shall be provided as soon as it becomes available.
7.6. Unlawful instructions.
If the User instructs SCAUT in such a way that a breach of obligations under the GDPR or other data protection laws occurs, and SCAUT is sanctioned by a supervisory authority or other regulatory body on the basis of such instruction, or is required to compensate data subjects, the User agrees to compensate SCAUT and pay any damages incurred, upon written notice by SCAUT.
8. LEGAL LIABILITY
8.1. Limitation of liability.
The limitation of liability under Article 7.5. of the Terms shall also apply to this DPT.
9. FINAL PROVISIONS
9.1. Effectiveness.
This DPT shall become legally binding between the User and SCAUT together with the Terms.
9.2. Invalidity of Provisions.
The invalidity of any provision of this DPT shall not invalidate the Terms as a whole. In the event that any provision of this DPT is invalid, the User and SCAUT undertake to replace the invalid provision with a valid provision that best corresponds to the content and purpose of the invalid provision.
9.3. Annexes.
The Annexes are an integral part of this DPT:
9.3.1. Annex 1 TECHNICAL AND ORGANISATIONAL MEASURES.
ANNEX 1
TECHNICAL AND ORGANISATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE DATA SECURITY
1. Confidentiality measures
a. Access control
Measures to prevent unauthorised persons from accessing premises where personal data are processed:
(e.g. access control system, card reader, smart cards, controlled key distribution, barriers that allow only one person to enter the premises at a time, identity checks by security guards, alarm system, motion sensors, glass-break detectors, CCTV, external security service)
b. System access control
Measures to prevent the use of systems for processing personal data without authorisation:
(e.g. password guidelines, logging of password and smart card usage, regular log checks, firewall, virus scanner, use of state-of-the-art encryption methods)
c. Data access control
Measures to ensure that persons authorised to use the data-processing system have access only to the data they are authorised to access, and that personal data cannot be read, copied, modified or deleted without authorisation during processing or use, or after recording:
(e.g. security mechanisms in the system, a superior access protection system, allocation of permissions according to predefined roles and profiles, the four-eyes principle, automatic reviews of access permissions, access logging, regular log checks, state-of-the-art encryption methods)
d. Separation control
Measures to ensure that data collected for different purposes can be processed separately:
(e.g. physical or logical separation of the systems in use, separation by administrator or accounting area, separation by access rules, separation of the production environment from the test and development environment, the four-eyes principle)
2. Integrity measures (Article 32(1)(b) GDPR)
a. Transmission control
Measures to ensure that personal data cannot be read, copied, modified or erased without authorisation during electronic transmission, during transport, or while recorded on storage media, and to ensure that it is possible to identify and verify to which recipients personal data are to be transmitted by data transmission facilities:
(e.g. use of state-of-the-art encryption, VPN, storage media disposal regulations, secure transport of storage media, baggage screening)
b. Input control
Measures to ensure that it is subsequently possible to identify and check whether personal data have been entered into, modified in or deleted from processing systems and, if so, by whom:
(e.g. recording of system activities, processing records, regular log checks)
3. Measures to ensure availability and capacity (Article 32(1)(b) GDPR)
a. Job control
Measures to ensure that personal data processed on behalf of the User are processed strictly in accordance with the User's instructions:
(e.g. issuing instructions, defining and differentiating between User and Provider controls, contracting and inspecting sub-processors)
b. Availability check
Measures to protect personal data against accidental destruction or loss:
(e.g. description of the frequency, media, storage time and location of backup data storage, storage of backup copies, emergency generator, uninterruptible power supply, fire protection, disaster contingency plan)
c. Capacity
Systems and activities are designed to cope with high peak loads or high continuous processing loads.
(e.g. storage, access, line capacity, etc.)
4. Measures to pseudonymise personal data
(e.g. separating master data from transaction data, or using personal, customer and supplier identifiers instead of real names)
5. Measures for encryption of personal data
(e.g. symmetric encryption, asymmetric encryption; hashing, being a one-way transformation that cannot be reversed to recover the data, serves pseudonymisation and integrity rather than confidentiality of data that must remain recoverable)
6. Measures to quickly restore the availability of personal data after a physical or technical incident
(e.g. backup, redundant data storage, dual IT infrastructure)
7. Measures for regular testing, assessment and evaluation (Article 32(1)(d), Article 25(1) GDPR)
(e.g. data protection management, incident management, privacy by default (Article 25(2) GDPR), Data Protection Officer audit, IT audits, external audits, other audits, certifications)