Annex No. 1 to Terms and Conditions: Data Processing Agreement

Effective starting: March 19, 2019

This Data Processing Agreement (hereinafter referred to as “DPA“) is concluded pursuant to Article 28 of Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, whereby repealing Directive 95/46/ES (hereinafter referred to as “GDPR“) between:

Gruveo, s.r.o., having its registered seat at Dénešova 71, 040 23 Košice, Slovak republic, Company ID number: 50 026 232, registered in Business Registry of District Court Bratislava I, file Sro, file number 38211/V,
as the Processor
(hereinafter referred to as “Gruveo“)


Customer as the Controller
(hereinafter referred to as the “Customer“)

(hereinafter Gruveo and the Customer mutually referred to as “Parties“ and each individual party also as the “Party“);

in the following wording:


1.1. Gruveo is a service provider of communication software applications and other services that are made available through this software (“Services”) and that are provided through the website ( (“Website”).

1.2. This DPA sets out the terms and conditions for the processing of the personal data (hereinafter referred to as the “Personal Data”) by Gruveo on behalf of the Customer under the agreement (hereinafter referred to as the “Agreement”) concluded between the Parties. Pursuant to the Agreement the Customer acquires the Services as defined in the Agreement from Gruveo and Gruveo provides those Services to the Customer. This may involve the processing of Personal Data by Gruveo on behalf of the Customer as part of the provision of the relevant Services.

1.3. Gruveo acts as a data processor or sub-processor and the Customer acts as a data controller or as a data processor, pursuant to the definitions contained in the data protection laws that shall mean all applicable data protection laws, including but not limited to the GDPR and Act No. 18/2018 Coll. Personal Data Protection Act as amended and the instructions and binding orders of the data protection authorities (hereinafter collectively referred as to the “Data Protection Regulation”).


2.1. The subject-matter of the DPA herein is the authorisation of Gruveo to process the Personal Data provided by the Customer and on behalf of the Customer for the purposes agreed in the Agreement and this DPA.

2.2. Gruveo is entitled to process Personal Data in the scope of, under conditions and for the purpose agreed with the Customer in the DPA and in the manner permitted under Data Protection Regulation.


3.1. The purpose of the processing of the Personal Data by Gruveo is to enable the performance of the agreed Services pursuant to the Agreement.

3.2. The processing to be carried out by Gruveo is as follows:

3.2.1. the duration of the processing will be throughout the period within which Gruveo performs the relevant Services under the Agreement;

3.2.2. the Personal Data to be processed will be any personal data provided by the Customer to Gruveo and Personal Data acquired and processed by Gruveo in order to enable or facilitate the provision of the Services under the Agreement; the types of processed Personal Data and the categories of data subjects are as described in the fifth part of Privacy Policy for Gruveo Services (see:

3.2.3. the obligations and rights of the data controller in relation to the processing are set out below.


4.1. The Customer shall:

4.1.1. process the Personal Data in compliance with the Data Protection Regulation;

4.1.2. be entitled to give written instructions to Gruveo on the processing of Personal Data. Such instructions shall be binding on Gruveo on the condition that if the completion of the instructions requires the provision of Services under the Agreement, or result in costs emerging on Gruveo’s side, the Customer shall simultaneously pay the applicable service fees costs. Gruveo shall not meet any Customer instructions which are contrary to any Sections of this DPA.

4.1.3. retain the control over the Personal Data. If any data subject requests for information on the processing of Personal Data or requests any other rights under Chapter III of GDPR, the Customer shall immediately instruct Gruveo to take the appropriate measures.


5.1. In relation to the processing of personal data under this DPA, Gruveo shall:

5.1.1. process the Personal Data (including when making an international transfer) only to the extent necessary in order to provide the Services and then only in accordance with the terms of this DPA, the Agreement, good data processing practices and the Customer’s written instructions, unless otherwise required by Data Protection Regulations;

5.1.2. implement appropriate technical and organisational measures to ensure a level of security appropriate to the risks that are presented by the processing, in particular protection against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed under this DPA;

5.1.3. shall periodically test, assess and evaluate the effectiveness of its technical and organisational measures;

5.1.4. take all reasonable steps to ensure that only authorised personnel have access to the personal data and that any persons whom it authorises to have access to the Personal Data will respect and maintain all due confidentiality in relation to the Personal Data (including by means of an appropriate contractual duty of confidentiality where the persons concerned are not already under such a duty under the law; such duty of confidentiality shall continue even after the legal relationship with persons that are authorised to have access to the personal data has been terminated);

5.1.5. immediately notify the Customer if, in Gruveo’s opinion, any instruction given to Gruveo infringes the Data Protection Regulations;

5.1.6. where applicable in respect of any Personal Data processed under this DPA, co-operate with and assist in ensuring compliance with: Customer’s obligations to respond to requests from any data subject(s) seeking to exercise its/their rights under Chapter III of the GDPR, including by notifying Customer of any written subject access requests Gruveo receives relating to the Customer’s obligations under the Data Protection Regulations; Customer’s obligations under Articles 32 – 36 of the GDPR taking into account the nature of processing and the information available to Gruveo;

5.1.7. provide the Customer with all information necessary to demonstrate compliance with Customer’s obligations set out in this DPA and in the Data Protection Regulation;

5.1.8. process the Personal Data only during the term of this DPA.

5.2. This DPA shall not prevent Gruveo from processing the Personal Data as required by law, regulation or by a competent court or Supervisory Authority. In case a Supervisory Authority or a competent court makes a request concerning the Personal Data, including a request for blocking, deleting, amending the Personal Data, delivering them any information or executing any other actions, Gruveo shall, without undue delay, inform the Customer of all such requests prior to any response or other action concerning the Personal Data, or as soon as reasonably possible in case any law or regulation prescribes an immediate response to the Supervisory Authority or a competent court, unless such notice to the Customer is prohibited by the respective law, regulation or order.

5.3. In the event of a personal data breach, i.e., a breach of security leading to accidental or unlawful destruction, loss, alternation, unauthorised disclosure of, or access to the Personal Data, Gruveo shall without undue delay notify the Customer via e-mail.

5.4. Gruveo shall take appropriate steps to protect the Personal Data after having become aware of a personal data breach under Art. 5.3 hereof, in order to limit any possible detrimental effect to the data subjects. Gruveo will cooperate with the Customer to respond to said personal data breach.

5.5. The both Parties hereby undertake to provide each other with mutual cooperation necessary for the fulfilment of provisions in the DPA herein.

5.6. If a breach of the Customer’s obligation stipulated in the DPA and/or Data Protection Regulations results into any damage or loss to Gruveo, the Customer is obliged to reimburse Gruveo such a loss in its full amount.


6.1. The Customer acknowledges and agrees that Gruveo may engage third-party sub-processors in connection with the processing of Personal Data within the sphere of the Agreement. Upon request, Gruveo shall make available to the Customer the current list of sub-processors that shall include the names and country locations of those sub-processors, alongside with the scope of services they provide for Gruveo. Customer agrees to the application of these subcontractors for the indicated scope of services.

6.2. In case of any additions or change to the current list, Gruveo shall notify the Customer in advance – indicating the name, country location, and subcontracted service of the proposed new sub-processor. Unless Customer objects in writing within 15 calendar days of being informed about Gruveo’s use of a new sub-processor, Gruveo may apply the new sub-processor for the indicated data processing activities. If Customer made an objection within the given timeline, Gruveo will use reasonable efforts to change the third party to avoid processing of the Personal Data by the “objected-to” new sub-processor. If Gruveo is unable to implement such changes within 30 calendar days, the Customer within further 30 calendar days from Gruveo’s notice (or – if Gruveo has failed to reply – from the expiry of the 30 calendar days available for Gruveo’s notice) may terminate the Agreement. If Customer fails to send such a termination notice to the Gruveo within said deadline, this shall be deemed to be a consent to the application of the proposed sub-processor.

6.3. Gruveo remains responsible for the Personal Data processing activities of its sub-processors as if the processing activities were carried out by Gruveo itself and for this purpose it shall conclude with each subcontractors a written contract that imposes to the subcontractors the same data protection obligations as set out for Gruveo in this DPA.


7.1. Gruveo is obliged to provide the Customer with all the information and documentation necessary to prove the performance of obligations of Gruveo as stipulated in Data Protection Regulation.

7.2. At any time during the term of this DPA, the Customer and/or a recognised, independent third party auditor appointed by the Customer shall have the right to perform audits of Gruveo’s and it’s sub-processors’ facilities in accordance with the Agreement. However, any audit pursuant to this DPA shall be limited to assessing Gruveo’s compliance with its obligations under this DPA and shall not extend to granting access to any data of other Customers processed by Gruveo or data related to the usage of security measures by Gruveo.


8.1. The processing of Personal Data is exercised by Gruveo within area of the EU/EEA member states. If it is necessary for the providing of the Services, the Personal Data may be transferred outside the EU/EEA territory provided that in such respective transfer the specific conditions stipulated under Article 44- 50 of GDPR are followed.


9.1. Gruveo processes Personal Data only during the Agreement and for so long as is necessary for the purpose(s) for which it was originally collected. Upon termination of the Agreement for any reasons, Gruveo shall either delete all Personal Data, except to the extent that it is necessary for Gruveo to continue to process it for the purpose of compliance with legal obligations to which the Gruveo are subject or for another legitimate and lawful purpose (in particular, invoicing data that shall be stored during ten years under respective laws).

9.2. Upon Customer’s request, Gruveo shall confirm to the Customer in writing that the deletion of Personal Data has been accomplished.


10.1. This DPA shall be governed by the same substantive law and have the same jurisdiction like the applicable substantive law and jurisdiction has been agreed in the Agreement.

10.2. All terms and definitions used in this DPA herein have the same meaning as terms and definitions used in the Agreement unless otherwise expressly stated.

10.3. The Parties declare that prior to the concluding hereof, they have carefully read the DPA, understood its contents and attest that it is executed of their true and free will and that the DPA was not concluded in duress or under grossly unfavourable terms.

10.4. The DPA comes into force and shall become effective upon the conclusion of the Agreement.