Verwerkersovereenkomst

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person as defined in Article 4(1) of the GDPR.

"Processing" means any operation performed on Personal Data, as defined in Article 4(2) of the GDPR.

"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

"Data Subject" means the identified or identifiable natural person to whom the Personal Data relates — in this context, visitors of the Controller's website(s).

"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.

"Consent Record" means the anonymised data collected and stored by the C5S widget documenting cookie consent preferences on the Controller's website(s).

2. Scope and Purpose of Processing

2.1 Purpose

The Processor processes data on behalf of the Controller for the purpose of providing the C5S cookie consent management service, which includes:

• Displaying a cookie consent widget on the Controller's website(s)
• Collecting and storing cookie consent preferences of the Controller's website visitors
• Maintaining consent records as proof of compliance with applicable regulations
• Providing consent statistics and analytics to the Controller

2.2 Data collected through the C5S widget

The C5S widget is designed to operate on the principle of data minimisation and anonymisation. The following data is collected from website visitors:

• Cookie consent preferences (accepted/declined cookie categories)
• Timestamp of consent action
• Anonymized browser and device type information
• Referring website URL (the Controller's domain)

2.3 Anonymisation of data

The C5S service does not store IP addresses or any other directly identifying information about website visitors. All data collected through the widget is fully anonymised at the point of collection, meaning it cannot be linked back to an identified or identifiable natural person. As such, the data collected through the C5S widget does not constitute Personal Data within the meaning of Article 4(1) of the GDPR.

The Processor does, however, process Personal Data of the Controller's account holders (name, email address, billing information) for the purpose of providing and billing for the C5S service.

2.4 Categories of Data Subjects

Account holders and authorised users of the Controller who register for and manage the C5S service.

2.5 Duration of Processing

The Processor shall process Personal Data for the duration of the Agreement. Upon termination, the provisions of Section 10 of this DPA shall apply.

3. Obligations of the Controller

The Controller warrants and undertakes that:

• It has a lawful basis for the use of the C5S service on its website(s).
• It shall inform its website visitors about the use of the C5S service in its own privacy policy.
• It is responsible for the configuration of the cookie consent widget, including the definition of cookie categories and associated descriptions presented to website visitors.
• Its instructions to the Processor regarding the processing of data comply with all applicable data protection laws.

4. Obligations of the Processor

The Processor warrants and undertakes that:

• It shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
• It shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
• It shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 6.
• It shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, as described in Section 7.
• It shall assist the Controller in ensuring compliance with the obligations related to security of processing, notification of personal data breaches, and data protection impact assessments.
• It shall not process Personal Data for any purpose other than providing the C5S service as instructed by the Controller.

5. Sub-processors

5.1 General authorisation

The Controller provides a general written authorisation to the Processor to engage Sub-processors for the provision of the C5S service. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes.

5.2 Notification of changes

The Processor shall notify the Controller at least 30 days in advance before engaging a new Sub-processor by updating the list of Sub-processors on the C5S website or by email notification. If the Controller objects to the engagement of a new Sub-processor within 14 days of being notified, the parties shall discuss the Controller's concerns in good faith. If no resolution is reached, the Controller may terminate the Agreement.

5.3 Sub-processor obligations

The Processor shall ensure that any Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. The Processor remains fully liable to the Controller for the performance of each Sub-processor's obligations.

5.4 Current Sub-processors

A current list of Sub-processors is available at https://c5s.eu/sub-processors.

6. Security Measures

The Processor shall implement and maintain the following technical and organisational measures:

• Encryption — All data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using industry-standard encryption methods.
• Access control — Access to Personal Data is restricted to authorised personnel on a need-to-know basis. Multi-factor authentication is used for administrative access.
• Data minimisation and anonymisation — IP addresses are not stored. Data collected through the C5S widget is fully anonymised at the point of collection. Only data strictly necessary for the provision of the service is collected.
• Infrastructure security — The service is hosted within the European Union on infrastructure provided by reputable hosting providers with appropriate certifications.
• Monitoring and logging — Access to systems containing Personal Data is logged and monitored.
• Backups — Regular automated backups are performed to ensure data availability and integrity.
• Incident response — Documented procedures are in place for the detection, reporting, and management of security incidents.

7. Data Subject Rights

7.1 Website visitors (widget data)

As described in Section 2.3, the data collected through the C5S cookie consent widget is fully anonymised and does not constitute Personal Data. Consequently, the rights of Data Subjects under Articles 15–22 of the GDPR (including the rights of access, rectification, erasure, restriction, portability, and objection) do not apply to this anonymised data, as it cannot be linked to an identified or identifiable natural person.

7.2 Controller's account holders

The Processor shall assist the Controller in responding to requests from the Controller's account holders exercising their rights under the GDPR, including:

• Right of access (Article 15 GDPR)
• Right to rectification (Article 16 GDPR)
• Right to erasure (Article 17 GDPR)
• Right to data portability (Article 20 GDPR)

The Processor shall promptly notify the Controller if it receives a request directly from a Data Subject and shall not respond to such request without the Controller's prior written authorisation, unless required by applicable law.

8. Personal Data Breach Notification

The Processor shall notify the Controller without undue delay and no later than 48 hours after becoming aware of a personal data breach affecting the Controller's data. The notification shall include:

• A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
• The name and contact details of the Processor's contact point for further information
• A description of the likely consequences of the breach
• A description of the measures taken or proposed to address the breach and mitigate its possible adverse effects

9. International Data Transfers

The Processor shall not transfer Personal Data outside the European Economic Area (EEA) without the prior written consent of the Controller. In the event that such a transfer is necessary, the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR, such as Standard Contractual Clauses or an adequacy decision by the European Commission.

10. Data Retention and Deletion

10.1 Consent Records

Anonymised Consent Records are retained for a maximum period of 3 years from the date of collection, or for such shorter period as configured by the Controller, to serve as proof of consent in accordance with applicable regulations. As these records are anonymised, they do not fall under the GDPR right to erasure.

10.2 Account data

Personal Data of the Controller's account holders (name, email, billing information) is retained for the duration of the Agreement and for a period of one year after termination, unless a longer retention period is required by law.

10.3 Upon termination

Upon termination of the Agreement, the Processor shall, at the Controller's choice:

• Return all data (including Consent Records and account data) to the Controller in a commonly used, machine-readable format; or
• Delete all data and certify such deletion in writing.

The Controller must make its choice within 30 days of termination. If no instruction is received, the Processor shall delete all data within 60 days of termination.

11. Audits and Inspections

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 of the GDPR.

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable advance notice of at least 30 days. The Controller shall bear the costs of any such audit. Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.

12. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. Nothing in this DPA shall limit either party's liability for breaches of its obligations under applicable data protection laws.

13. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Slovak Republic. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of the Slovak Republic.

14. Contact

For any questions regarding this DPA or data processing activities, please contact:

Lavien s.r.o.
Email: support@c5s.eu