Logo
instaview.
Book a Demo

Data Processing Agreement

Last Updated: 18.10.2025

This Data Processing Agreement (hereinafter "Agreement") was concluded in accordance with Article 28 (3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), as amended (hereinafter "GDPR") between

(1) Instaview s.r.o., a company incorporated under the laws of the Czech Republic, with its registered office at Kaprova 42/14, 110 00 Staré Město., Company ID No: 23398574, registered with the Commercial Register maintained by the Municipal Court in Prague, file. No C 426429, operating under the trade name "InstaView" (hereinafter "Processor"); and

(2) and the customer entering into that Agreement (hereinafter "Controller"; Controller and Processor together as "Parties" and individually as "Party");

WHEREAS

(A) The Parties concluded Master Service Agreement (hereinafter "Contract"), whereby in connection with performance of the Contract it may be required that the Processor processes personal data of natural persons on behalf of the Controller in accordance with GDPR and other applicable data privacy laws and regulations;

(B) The performance of the Contract includes the provision of the services specified in the Contract (hereinafter the "Services") which imply the processing of personal data, as further described in the Info on Processing of Personal Data and

(C) The Parties are interested in regulating their rights and obligations concerning the processing of personal data of natural persons by the Processor for the Controller when performing the Contract in accordance with relevant provisions of GDPR and relevant implementing generally binding legal regulations for the purpose of ensuring an appropriate level of protection of data subjects of processed personal data;

THE PARTIES AGREED AS FOLLOWS

1 DEFINITIONS

1.1 Terms used in this Agreement with initial capital letters have, according to the will of the Parties, the following meaning:

"Agreement" means this data processing agreement;

"Authorized Person" means a natural person who has undertaken in writing to maintain confidentiality regarding Processed Personal Data and adopted security measures, the disclosure of which could compromise the security of Personal Data, or upon whom such confidentiality obligation is imposed by generally binding legal regulations, provided that such person must meet all relevant requirements established by this Agreement, GDPR and Implementing Legal Regulations;

"Contract" has the meaning stated in Preamble (A) of this Agreement;

"Controller" has the meaning stated in the introductory provisions of this Agreement;

"Controller Instructions" means Processing of Customer Personal Data in accordance with this Agreement. This Agreement is a complete expression of the Controller's instructions and any additional or amended documented instruction will be binding on the Processor pursuant to an amendment to this Agreement signed by both parties.

"Customer Personal Data" means any Personal Data pertaining to the Contract made available by the Controller and processed under the Agreement by the Processor on behalf of the Controller.

"Data Subject" means a natural person to whom the Processed Personal Data relate;

"GDPR" has the meaning stated above;

"Info on Processing of Personal Data" means the detailed description of data processing activities available at https://www.instaview.sk/privacy-data-processing or accessible via the Controller's account dashboard;

"Implementing Legal Regulations" means relevant generally binding legal regulations applicable to Processing of Personal Data by the Processor for the Controller based on this Agreement in connection with performance of the Contract;

"Personal Data" means any information relating to an identified or identifiable Data Subject; an identifiable Data Subject is a Data Subject who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that Data Subject in accordance with Article 4(1) GDPR and Implementing Legal Regulations;

"Personal Data Breach" means a breach of security involving Personal Data and leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data transmitted, stored or otherwise processed under this Agreement.

"Processing" means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction in accordance with Article 4(2) GDPR and Implementing Legal Regulations;

"Processor" has the meaning stated in the introductory provisions of this Agreement.

"Services" have the meaning stated in the introductory provisions of this Agreement.

"Sub-processor" means a person entrusted with Processing of Personal Data for the Controller (and with its consent) based on a written contract concluded between such person and the Processor;

"TOMs" means the technical and organizational measures available at https://www.instaview.sk/toms ;

2 SUBJECT AND PURPOSE OF THE AGREEMENT

2.1 By accepting the Contract, the Controller (customer) agrees to this Agreement (DPA) as an integral part of the contractual relationship with InstaView. This Agreement governs the processing of personal data by InstaView (as Processor) on behalf of the Controller in accordance with GDPR If you have questions, contact privacy@instaview.sk.

2.2 The subject of this Agreement is the regulation of rights and obligations of the Parties during Processing of Customer Personal Data by the Processor for the Controller in connection with performance of this Agreement and the Contract.

2.3 The purpose of this Agreement is to ensure an appropriate level of protection of rights and legally protected interests of Data Subjects during Processing under the Contract.

2.4 The Controller hereby, in connection with performance of obligations under the Contract, authorizes the Processor to perform Processing under conditions agreed in this Agreement, and the Processor undertakes to process such Personal Data for the Controller under conditions and to the extent stipulated hereinafter in this Agreement.

3 PURPOSE, SCOPE AND DURATION OF PERSONAL DATA PROCESSING

3.1 Personal Data will be processed by the Processor exclusively for the purpose of proper performance of this Agreement and the Contract and in accordance with Customer Instructions, this Agreement, GDPR and Implementing Legal Regulations. The purpose and nature of Processing, scope and type of processed Personal Data, definition of Data Subjects and subject and duration of Processing necessary for proper performance of the Contract are set out in the Info on Processing of Personal Data. Should the Parties conclude additional Contracts in the future or modify the scope and specificities of the Processing of Customer Personal Data, they undertake to update the Info on Processing of Personal Data immediately after mutual agreement so that it contains definition of the above-mentioned data also in relation to the newly concluded Contract or updated or amended the Contract (if necessary).

3.2 In accordance with Article 3.1 of this Agreement, the Processor will process Customer Personal Data and specifically undertakes to:

(a) process Personal Data in accordance with GDPR and Implementing Legal Regulations;

(b) process Personal Data according to the Controller Instructions, to the extent, for the period and in accordance with the purpose set by this Agreement, unless required to do so by a law to which the Processor is subject, in which case the Processor shall inform the Controller of that legal requirement in advance, unless the law prohibits this on important grounds of public interest.

(c) The Processor shall immediately inform the Controller if, in the Processor's opinion, instructions given by the Controller infringe Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 or the applicable law.

(d) ensure Processing exclusively through its employees and/or Authorized Persons (if necessary) and/or Sub-processors under conditions set out in Article 6 of this Agreement;

(e) adopt all measures necessary or appropriate to ensure an appropriate level of protection of Personal Data during its Processing. The Processor shall implement the TOMs;

(f) immediately inform the Controller of facts significant for performance of Controller obligations under this Agreement, GDPR and/or Implementing Legal Regulations;

(g) provide the Controller with all reasonably required cooperation necessary for proper performance of Controller obligations established in relation to Processing under this Agreement, GDPR and/or Implementing Legal Regulations;

(h) upon Controller instruction in cases established by this Agreement, GDPR and/or Implementing Legal Regulations, cease further Processing of Personal Data, delete such Personal Data (without prejudice to Article 17(2) GDPR) and/or transfer them to the Controller and delete their copies and records, and demonstrate such operations with Personal Data to the Controller upon request;

(i) provide the Controller upon request with information and documentation proving that the Processor processes Personal Data in accordance with this Agreement, GDPR and Implementing Legal Regulations.

3.3 Personal Data processing shall primarily occur within EU/EEA territory. Any transfer outside EU/EEA requires compliance with Article 9 of this Agreement and prior written notification to the Controller specifying the transfer mechanism used.

4 ADDITIONAL RIGHTS AND OBLIGATIONS OF THE PARTIES

4.1 The Controller shall ensure the lawfulness and transparency of the Processing of Customer Personal Data under this Agreement. In particular, the Controller shall ensure (and is solely responsible for ensuring) that the required notices have been given and that Customer Personal Data is processed on a valid legal basis in accordance with GDPR, for Processor to process Customer Personal Data as contemplated by this Agreement.

4.2 If the Processor determines the inappropriate nature of an instruction given to the Processor by the Controller, it shall notify the Controller without undue delay. If the Controller insists on execution of such instruction, the Processor is obliged to execute it, unless execution of this instruction would be contrary to GDPR and/or Implementing Legal Regulations; however, in such case, the Controller bears all responsibility for execution of such instruction.

4.3 The Processor undertakes not to disclose or make accessible Personal Data obtained in connection with this Agreement and/or the Contract to any third party except its employees and/or Authorized Persons or Sub-processors (established in accordance with Article 6 of this Agreement). The Processor undertakes to ensure that each Authorized Person and each Sub-processor undertakes to maintain confidentiality about processed Personal Data and adopted security measures, unless this obligation is imposed on them by generally binding legal regulations (e.g., statutory confidentiality obligation). The Processor shall ensure that the confidentiality obligation of Authorized Persons and Sub-processors in relation to processed Personal Data shall last throughout the duration of this Agreement as well as after its termination.

4.4 Taking into account the nature of the Processing and the information concretely available, the Processor shall provide such reasonably necessary information and assistance as Controller may reasonably request to help Controller meet its obligations under Implementing Legal Regulations in relation to Customer Personal Data (insofar as such information is available to Processor and the sharing thereof does not compromise the security, confidentiality, integrity or availability of Processor's business and Personal Data which is not linked with the Processing under this Agreement).

4.5 At the Controller's request, the Processor shall also permit and contribute to an audit of the Processing under this Agreement. The Controller may conduct such audit at its sole cost and expense, provided i) reasonable prior notice is given, ii) the audit is conducted within the limits of the Processing under the Agreement and without disruption to the Processor's business operations or prejudice to the integrity, availability and confidentiality of data and information of the Processor which is not in the scope of the Agreement, iii) any auditor, including any third party-auditor, will be bound to maintain the confidentiality of the information obtained in relation to the audit. Any information obtained by the Controller in the context of this audit shall constitute confidential information of the Processor which shall be used by the Controller limited to confirming compliance with this Agreement. No more than one audit may be conducted in any 12-month period, unless required by law or following a confirmed Personal Data Breach.

4.6 In the event of a Personal Data Breach concerning the Personal Data under this Agreement processed by the Processor, the Processor shall cooperate and assist the Controller with its obligations under Articles 33, 34 GDPR, taking into account the information reasonably available to the Processor. If it is not possible to provide all relevant information at the same time, the Processor undertakes to provide additional information as soon as it becomes available without undue delay.

5 TECHNICAL AND ORGANIZATIONAL MEASURES

Taking into account the state of the art, implementation costs, nature, scope, context and purposes of Processing as well as various probable and various serious risks to rights and freedoms of Data Subjects, the Processor undertakes, for purposes of ensuring protection of Personal Data, to ensure throughout the duration of this Agreement as well as during the period of Personal Data processing, the level of security required by this Agreement, GDPR and Implementing Legal Regulations corresponding to relevant risks and undertakes to adopt such technical and organizational measures so that disclosure or unauthorized or accidental access to Personal Data, their alteration, destruction or loss, unauthorized transfers, unauthorized Processing or their misuse cannot occur. Processor undertakes to adopt the measures specified in the TOMs , satisfying the requirements of this Agreement and GDPR, and to provide to the Controller upon request documentation proving the adoption of the such measures.

6 SUB-PROCESSORS

6.1 The Processor is authorized to engage a third party (employees of the Processor are not considered third parties) to subcontract a processing activity under this Agreement and process Customer Personal Data provided that (i) such person meets requirements set by this Agreement, GDPR and Implementing Legal Regulations and (ii) the Processor concludes with such person a written contract for Personal Data processing in which such person undertakes to comply with obligations to the extent they are set for the Processor under this Agreement.

6.2 The Processor has the Controller's general authorization for the engagement of the Sub-processors listed at https://www.instaview.sk/sub-processors .

6.3 The Processor informs the Controller of all intended changes concerning acceptance of Sub-processors or their replacement and thus provides the Controller with opportunity to raise objections to such changes. If the Controller has justified objections against authorization of a Sub-processor under Article 6 of this Agreement on grounds relating to the protection of Customer Personal Data, Controller and Processor will work together in good faith to consider a mutually acceptable resolution to such objection. If a mutually acceptable resolution cannot be found in a reasonable time, the Processor shall not authorize the intended Sub-processor to process Personal Data based on Controller's justified objection.

6.4 In case Processing requires activity of a Sub-processor and the Controller refuses without justified reason Sub-processors that the Processor repeatedly offers, the Processor is authorized to withdraw from this Agreement and the Contract without undue delay (with effects ex nunc).

7 OBLIGATION TO COMPENSATE DAMAGE

7.1 The Controller declares and undertakes that it will properly fulfil all its obligations as controller of Personal Data arising from this Agreement, GDPR and Implementing Legal Regulations throughout the duration of this Agreement. The Processor is not responsible for any damage arising in connection with breach of Controller obligations.

7.2 The Processor's total aggregate liability for damage to the Controller under this Agreement is limited to the maximum amount of one month's remuneration paid by the Controller to the Processor under the Contract calculated according to the month in which the damage was caused. The Processor is not liable to the Controller for any indirect damages (particularly for loss of use, contracts, goodwill, revenues or profits or any consequential, special, indirect, incidental, punitive or exemplary loss, damage or cost). This limitation shall not apply in cases of wilful misconduct or gross negligence by the Processor.

7.3 The Controller undertakes to protect the Processor from incurring costs as a result of clearly unfounded or disproportionate demands of Data Subjects concerning fulfilment of information and communication obligations or performance of specific acts of the Controller (requiring Processor cooperation) with processed Personal Data.

7.4 Neither Party shall be liable for any failure to perform its obligations under this Agreement if such failure is due to circumstances beyond its reasonable control, including but not limited to acts of God, government actions, cyber attacks, or pandemic restrictions.

8 DURATION OF THE AGREEMENT

8.1 This Agreement becomes valid and effective upon the Controller's acceptance of the Contract (the Master Service Agreement (MSA)) and continues until termination of the last Contract concluded between the Parties.

8.2 If any of the Parties breaches its obligation from this Agreement and does not remedy the situation even within additional reasonable time limit set in writing by the other Party, the entitled Party may withdraw from this Agreement by delivering written notification of withdrawal to the other Party (with effects ex nunc).

8.3 If Processing occurs between the Parties based on any Contract even after termination of this Agreement, the Parties undertake to immediately begin negotiating in good faith for conclusion of a new processing agreement (or other similar legal act in required form) as required by Article 28 GDPR. This obligation does not apply if conclusion of such agreement is no longer required by legal regulations.

8.4 After termination of this Agreement, the Processor is authorized to continue processing Personal Data only if it is necessary for protection of rights and legally protected interests of the Controller or other affected person or if required by GDPR or Implementing Legal Regulations; however, such Processing must not be contrary to the right of Data Subjects to protection of their private and personal life. The Processor undertakes to delete individual Personal Data as soon as the purpose for which Personal Data were made accessible to it ceases, and until such time not to use the relevant Personal Data in any way that does not correspond to the purpose for which Personal Data were made accessible to it.

8.5 After termination of this Agreement, Personal Data may not be further processed, except as stated in Article 8.5 of this Agreement. Without undue delay after termination of this Agreement, the Processor undertakes, in accordance with Controller instruction, to either delete all Personal Data or return them to the Controller and delete existing copies, unless relevant generally binding legal regulations require storage of given Personal Data.

9 INTERNATIONAL TRANSFERS OF PERSONAL DATA

9.1 In the event that the Processing of Personal Data under the Contract and this Agreement, including due to the involvement of sub-processors, involves an international transfer of Personal data to a third country outside of Europe, the Processor undertakes that any transfer of Personal Data to third countries (outside EU/EEA) or international organizations shall comply with Chapter V GDPR and applicable Implementing Legal Regulations. No such transfer shall take place without appropriate transfer mechanisms being in place.

9.2 The Controller agrees that where the Processor engages a Sub-processor in accordance with Clause 6 for carrying out specific processing activities (on behalf of the Controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V GDPR, compliance can also be ensured by using EU standard contractual clauses in accordance with Article 46(2) GDPR.

10 FINAL PROVISIONS

10.1 In case of future change or replacement of GDPR and/or change and/or adoption of new Implementing Legal Regulations, the Parties undertake without undue delay to negotiate and conclude an amendment to this Agreement in good faith, whereby the obligation of the Parties under this Agreement will be adjusted to correspond to all relevant Implementing Legal Regulations and GDPR in valid wording (or legal regulations replacing GDPR).

10.2 This Agreement is executed in 2 counterparts with validity of original, of which each Party receives one copy.

10.3 Any changes or additions to this Agreement must be made in written form.

10.4 If any provision of this Agreement is or becomes invalid, ineffective or unenforceable in the future, this does not affect the validity, effectiveness or enforceability of remaining provisions of the Agreement, provided the defective provision can be separated from them. In such case, the Parties undertake to replace the defective provision with a flawless provision closest in content and purpose to the replaced provision.

10.5 This Agreement is governed by the legal order of the Czech Republic (excluding conflict of laws provisions), particularly GDPR and Act No. 89/2012 Coll., Civil Code, as amended.

10.6 For questions about these terms, contact: privacy@instaview.sk.