- For the purpose of fulfilling the contract in accordance with the Terms and Conditions, the personal data of the data subject will be processed, while the intermediary and the operator conclude, within the framework of the Terms and Conditions, a contract for the processing of personal data within the meaning of Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, repealing Directive 95/46/EC (hereinafter referred to as “GDPR”).
- The subject of the contract is the definition of mutual rights and obligations in the processing of personal data, which occurs in the performance of the contract in accordance with the Terms and Conditions.
- The operator hereby entrusts the intermediary with the processing of personal data of data subjects or potential data subjects of the operator, i.e. end-users.
- The subject of the processing is the personal data of the data subjects stated in the personal documents of the identity of the data subjects.
- The scope of personal data contained in identity documents issued in different countries may vary, but as a rule, the following data are processed in particular: name, surname, date of birth, birth number, identity document number, permanent address and photograph.
- The subject of the processing is also an image of the face of the data subject, which is taken in real time for the purpose of comparing the captured image of a real face with the photo in the identity document and evaluating the so-called “liveness” of the data subject.
- The intermediary will process personal data in the performance of the contract as follows:
a) personal data taken from the submitted identity document of the data subject will be stored in VeriFace service for the purpose of carrying out the inspection and download by the operator,
b) the operator further processes the downloaded personal data outside the VeriFace service on its own behalf,
c) the operator can continue to use personal data for statistical and evaluation purposes through the administrator portal,
d) the operator hereby entrusts the intermediary with the storage of the personal data of data subjects for the purpose of evaluating the quality of the services provided, in particular to check the accuracy and completeness of the personal data processed,
e) this personal data will not be used for purposes other than improving the functionality of VeriFace service.
- The operator is obliged to process personal data on the basis of one of the legal grounds of processing pursuant to Art. 6 GDPR and to inform data subjects about the processing of personal data in the VeriFace service pursuant to Art. 13 GDPR through the administrator portal.
- When processing personal data, the intermediary is obliged to:
a) process personal data exclusively in accordance with GDPR and only for the above purposes, in no case process personal data for their own purposes,
b) not to transfer personal data to a third country or to an international organisation, unless such obligation is imposed on it by union or member state law applicable to the intermediary; in such a case, the intermediary shall inform the operator of this legal obligation before the transfer is carried out, unless the legislation prohibits information for important reasons of public interest,
c) ensure that persons authorised to process personal data are bound by confidentiality,
d) take and maintain technical and organisational measures such that unauthorised or accidental access to, alteration, destruction or loss of personal data, unauthorised transfers or other unauthorised processing, as well as other misuse of personal data, cannot occur and be modified and, where appropriate, modified accordingly,
e) notify the operator of a personal data breach without undue delay after it has been detected,
f) taking into account the nature of the processing, assist the operator as much as possible with appropriate technical and organisational measures in fulfilling his obligation to respond to requests for the exercise of the rights of data subjects within the meaning of Articles 13 to 22 of the GDPR. In the event that the data subject turns to the intermediary for the exercise of rights within the meaning of Articles 13 to 22 of the GDPR, the intermediary shall transmit this request to the operator without undue delay.
- The intermediary shall keep records of all categories of processing activities carried out on behalf of the operator, including:
a) The intermediary shall keep records of all categories of processing activities carried out on behalf of the operator, including:
b) the categories of processing carried out on behalf of the operator,
c) information on the transfer of personal data to a third country or international organisation,
d) a general description of the technical and organisational security measures.
- The Contracting parties undertake to provide each other with the necessary cooperation in dealings and dealings with the Office for The Protection of Personal Data and with data subjects or other persons concerned by the processing of personal data and shall make the necessary efforts to remedy the unlawful situation in relation to the data processed under the contract as soon as such occurs.
- In connection with the operation of the VeriFace service, the operator gives consent to the intermediary to involve other intermediaries who will be directly involved in the provision of performance within the meaning of the contract and business conditions. Other intermediaries may in particular be controlled or controlling persons of the intermediary pursuant to § 66a of Act No. 513/1991 Zb. Commercial Code, as amended, and their controlled or controlling persons, as well as other natural persons who cooperate with the intermediary or with these legal entities on the basis of a commercial relationship. The intermediary hereby undertakes to enter into a contract for the processing of personal data with other intermediaries that meets the conditions of this agreement, GDPR and confidentiality agreement. The intermediary shall be responsible for the performance of other intermediaries as if it were acting alone.