
Data Processing Agreement

Definitions

CUSTOMER – is the user (legal entity - your company) of the service provided by Informatika projekt d.o.o.

PROVIDER – Informatika projekt d.o.o. (legal entity - us)

GDPR – means EU directive 2016/679

Applicable Data Protection Law - means all applicable laws, regulations, legislative and regulatory requirements, and codes of practice applicable to the processing of personal data, including all the provisions of the GDPR, and any other relevant laws, regulations or instruments, as amended or superseded from time to time and together with any regulations or instruments made thereunder, that are applicable to a processor or sub-processor.

Personal information - means any information relating to an identified or identifiable natural person (hereinafter “Data Subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of such a natural person.

Controller - the natural or legal person, authority, organization or other agency that makes decisions individually or together with other parties regarding the purposes and means for processing Personal Data.

Processor - a natural or legal person, authority, organization or other agency that processes Personal Data on behalf of the Controller.

Sub-processor - the contractual partner of the Processor, engaged to carry out specific processing activities on behalf of the Controller.

Third party - means a natural or legal person, public authority, agency, or body other than the Data Subject, Controller, Processor, Sub-processor, and persons who, under the direct authority of the Controller, Processor or Sub-processor, are authorized to process Personal Data.

The terms used in this Agreement such as “processing” (and “process”), “transfer of data”, “categories of data”, “personal data breach” and “technical and organizational measures” shall have the meaning ascribed to them in the Applicable Data Protection Laws.

Subject matter

This agreement governs the processing of Personal data by PROVIDER as the processor for and on behalf of CUSTOMER as the controller, according to CUSTOMER’s instructions.

Processing details

Purpose of processing

The purposes of data processing are as follows:

  • testing and quality analysis of CUSTOMER’s Voice over IP infrastructure
  • communication between CUSTOMER and CUSTOMER’s partner in order to share results of the conducted tests

Duration of processing

Duration of processing is determined by CUSTOMER’s instructions to PROVIDER exclusively. CUSTOMER’s data is retained at the PROVIDER indefinitely or until the CUSTOMER requests deletion of CUSTOMER’s data.

Categories of data subjects

The Personal Data processed may concern the following categories of Data Subjects:

  • Users of phone numbers that are used by the CUSTOMER while conducting the test
  • Partners of the CUSTOMER

Categories of personal data

Categories of personal data that the PROVIDER can process at CUSTOMER’s request:

  • Phone number
  • e-mail address

Special categories of personal data

PROVIDER does not intentionally collect or process any special categories of Personal Data unless the Client or its customers/end users/suppliers include such type of data in the content submitted to PROVIDER and/or while using the PROVIDER Services. Said processing of special categories of Personal Data is unintentional for PROVIDER and the Client shall be regarded as solely responsible for ensuring that such processing be lawful and in accordance with any applicable law, including the Applicable Data Protection Law.

Obligations of the CUSTOMER

The CUSTOMER shall be solely responsible for assessing whether Personal Data can be processed lawfully and for safeguarding the rights of the Data Subjects. The CUSTOMER shall ensure in its area of responsibility that the necessary legal requirements are met (for example by collecting declarations of consent) so that the PROVIDER can provide the agreed Services in a way that does not violate any legal regulations.

The PROVIDER shall process Personal Data only upon the documented instructions of the CUSTOMER and the CUSTOMER shall ensure that its instructions are lawful and that PROVIDER’s processing of Personal Data will not cause the PROVIDER to violate any applicable law, regulation or rule, including Applicable Data Protection Laws.

Obligations of the PROVIDER

Instructions

The PROVIDER shall process Personal Data in accordance with this Agreement and Applicable Data Protection Laws and only upon the documented instructions of the CUSTOMER. The PROVIDER shall be entitled to suspend performance of data processing if the instruction of CUSTOMER infringes any applicable legal provisions.

Confidentiality

All Personal Data that the PROVIDER receives from the CUSTOMER is confidential and the PROVIDER shall not provide or make the Personal Data in any other way available to any Third Party without the CUSTOMER’s prior written consent. The PROVIDER shall ensure that only those of its employees and other persons operating on behalf of the PROVIDER who have a need to know and are under confidentiality obligations with respect to the Personal Data, have access to the Personal Data.

Technical and organizational data protection measures

The PROVIDER warrants implementation, monitoring and control over technical and organizational measures with the aim of protecting the confidentiality, integrity and availability of CUSTOMER’s Personal Data handed over to the PROVIDER for processing.

Responding to Data Subject and Third Party requests

In the event that PROVIDER receives a complaint, request, enquiry or communication from either a Data Subject, supervisory authority or Third Party which relates to the processing of Personal Data or to either Party's compliance with Applicable Data Protection Laws or this Agreement, PROVIDER shall immediately, and in any case no later than within five (5) working days, inform the CUSTOMER providing details of the same, to the extent legally permitted.

Data breach notification

In respect of any Personal Data breach, the PROVIDER shall notify the CUSTOMER of such a breach immediately, but in no event later than 48 h (forty-eight hours) after becoming aware of the Personal Data breach, and provide reasonable details pertaining to the Personal Data breach.

Records of processing activities

If so required by Applicable Data Protection Laws, the PROVIDER shall maintain complete, accurate and up-to-date records of processing activities carried out on behalf of the CUSTOMER according to Applicable Data Protection Laws and Art. 32 (2) GDPR and provide those records upon request to the CUSTOMER. The PROVIDER shall cooperate with the CUSTOMER and shall provide the CUSTOMER with any details necessary for maintaining its records of processing activities when requested to do so.

Sub-contracting

The CUSTOMER consents to the PROVIDER engaging sub-processors for carrying out specific processing activities on behalf of the CUSTOMER, under the condition that the PROVIDER imposes on those sub-processors the same data protection obligations as set out in this Agreement with regard to PROVIDER’s obligations to the CUSTOMER. The PROVIDER shall maintain an up-to-date list of its sub-processors and shall, at the CUSTOMER’s request, share the current sub-processors list with the CUSTOMER.

International data transfers

PROVIDER warrants that the processing activities are performed and the underlying infrastructure is located inside EU member states.

Termination, deletion and return of personal data

This Agreement shall be valid for the duration of the actual provision of Services by the PROVIDER. PROVIDER’s confidentiality obligations shall survive any termination of this Agreement.

Following the termination of this Agreement, the PROVIDER shall, at the instruction of the CUSTOMER:

  • return to the CUSTOMER personal data that was passed to the PROVIDER for processing, in which case the returned data should be in a format which can be easily read and used by the CUSTOMER, and/or;
  • delete all such data unless prohibited from doing so by mandatory law, in which case the PROVIDER shall inform the CUSTOMER of any such requirement unless prohibited by that applicable law.

Contact details

Contact details of the PROVIDER for data protection enquiries:

E-mail: dpo@iprojekt.hr