Data Processing Agreement (DPA)
Preamble
This is a Data Processing Agreement (DPA) pursuant to Article 28(3) of Regulation (EC) No 2016/679 of the European Parliament and of the Council – General Data Protection Regulation (hereinafter referred to as the “Regulation”) signed between the Processor, which is the Czech company Logmanager a.s., ID No: 04667115, having its registered office at Zubatého 295/5, Smíchov, 150 00 Prague 5, registered in the Commercial Register maintained by the Municipal Court in Prague, Section B, Insert 21247 (hereinafter referred to as the “Processor”), and the Controller, who holds a license to the Logmanager software product (hereinafter referred to as “Product” or “Software”).
The Processor and the Controller enter into this Agreement based on the terms and conditions set forth in the End User License Agreement (EULA) with respect to the Product, and this Agreement is effective on the date the Controller confirms acceptance of this Agreement within the internal environment of the Product.
The Processor and the Controller are hereinafter collectively referred to as the “Parties” and either of them individually as a “Party”.
1. Initial Provisions
1.1. The Controller, as the Customer, has entered into an agreement with the Processor, as the Supplier, for the provision of a licence to the Logmanager information system, provision of updates, support and consulting services (hereinafter the “EULA”), under which the Processor has granted the Controller the right to use the Software under the terms of the EULA and under which the Processor provides support and makes further modifications and developments to the Software. Support means both Support provided under the EULA, i.e. post-sales support, including both user service and technical support, and support provided prior to entering into the EULA, i.e. pre-sales support for the purpose of evaluating the Services (all of the foregoing hereinafter referred to as “Support”).
1.2. The Software is operated as a Hosted Service (i.e. as an online cloud solution to which the Controller logs in via its infrastructure) or On-premise Product (i.e. as software provided for download, installation and use directly on the Controller’s infrastructure) within the meaning of the EULA, whereby the Processor is entitled to access the Controller’s internal systems or parts thereof and to interfere with such systems with the Controller’s consent for the purpose of providing performance under the EULA (in particular for the purpose of identifying and repairing defects, consulting services and support). The Controller’s internal systems to which the Processor may have access in the course of providing Support contain personal data of natural persons meeting the definition under Article 4(1) of the Regulation, in relation to whom the Controller is in the position of a Personal Data Controller within the meaning of Article 4(7) of the Regulation.
1.3. Due to the Processor’s authority to access the Controller’s internal systems containing personal data managed by the Controller in the context of providing Support, the Processor is in the position of a Personal Data Processor within the meaning of Article 4(8) of the Regulation, and the Parties enter into this Personal Data Processing Agreement (hereinafter referred to as the “DPA”) for this reason within the meaning of Article 28(3) of the Regulation.
2. Subject, Purpose, Scope of Processing
2.1. The subject of processing is the performance of processing activities relating to personal data of clients, contractual partners, employees of the Controller or users of the Controller’s systems and other persons, whose personal data are stored by the Controller in internal systems and traceable in the context of providing Support in connection with the use of the functionalities of the Software (in particular, log analysis, data migration, monitoring and management of security events in the Controller’s internal systems, analysis of the behaviour of the Controller’s internal systems, consulting services or provision of Support). The personal data processing activities carried out may include consultation, storage, structuring, retrieval, classification, disclosure by transmission, anonymisation and pseudonymisation and erasure.
2.2. The Processor does not perform any operations with the personal data other than the above-mentioned, in particular does not interfere with them, does not change them, does not use them for its own purposes, nor does it transfer them to third parties.
2.3. The categories of personal data subjects whose personal data are processed under this DPA are:
- a) the Controller’s contractual partners (clients, potential clients, suppliers) if they are natural persons, or specific representative and contact natural persons if they are legal persons;
- b) the Controller’s employees and associates;
- c) users of the Controller’s systems and other persons whose personal data may be contained in data (in particular, logs) stored by the Controller in the Software and related systems.
2.4. The processing concerns the following categories of personal data:
- a) identification data (in particular, name, surname, date of birth, birth number, ID number, VAT number)
- b) contact details (in particular, home and business address, e-mail address, telephone number)
- c) descriptive data (in particular, bank details, copies of documents, order history, etc.)
- d) special sensitive data (in particular, data relating to trade union membership, financial situation, health or the sex life or sexual orientation of a natural person)
3. Processing on the Instructions of the Controller
3.1. The processing of personal data is an incidental obligation of the Processor under the EULA. The Processor is obliged to process personal data only on the basis of documented instructions from the Controller (especially in the case of the provision of Support).
3.2. A separate instruction from the Controller is not required if the processing results from the EULA and is part of the Processor’s obligations under the EULA (in particular in the case of Software development). The obligations set out in the EULA shall be deemed to be an instruction from the Controller for this purpose.
4. Duration of Processing of Personal Data and Deletion of Personal Data
4.1. The duration of the processing of personal data under this Agreement depends on the duration of the EULA. If the Parties change the terms and conditions of the provision of the Software in a way that will affect the personal data processing activities under this Agreement (in particular, if they change the licensing model for the provision of the Software), the processing period shall depend on the period for which the performance of the activities under this Agreement is necessary to fulfil the obligations of the Processor under the EULA.
4.2. The Processor acknowledges that it is not entitled to process personal data disclosed to it by the Controller under the EULA without a valid data processing agreement.
4.3. When terminating services related to the processing of personal data, the Processor is obliged to proceed in accordance with the instructions from the Controller. Unless otherwise requested by the Controller, the Processor is obliged to delete the processed personal data (copies of the database or its parts) immediately after the purpose of their acquisition has expired (in particular, detection and elimination of defects, testing of functionality, testing of modifications and customizations, migration). In particular, the Processor is obliged to comply with the principle of storage limitation and not to process any personal data for more than 6 months after the termination of the EULA.
4.4. For the purposes of Article 4.3, the deletion of personal data shall be deemed to be the irreversible deletion of electronic data containing personal data from all data storage devices.
4.5. The Processor is obliged to create a record of the erasure of personal data, which it shall provide to the Controller upon request.
5. Place of Personal Data Processing
5.1. The place of personal data processing is the Czech Republic or another member state of the European Union where the Processor’s servers are located. In connection with the personal data processing carried out for the Controller, the Processor is not entitled to transfer personal data to third countries or an international organisation, nor to carry out the processing of personal data on devices located in third countries.
5.2. Any personal data processing in a third country outside the EU is only possible with the prior written consent of the Controller and only if the conditions for transfer to the third country set out in Article 44 et seq. of the Regulation are met.
6. Other Conditions for Personal Data Processing
6.1. The Processor is not entitled to involve any other Processor (even in the capacity of a hosting or data storage provider or server operator) in the processing of personal data processed by the Processor under the EULA without the prior consent of the Controller.
6.2. The Processor shall take such technical and organisational measures as are appropriate to the risks arising from the nature of the processing of personal data under this DPA, in particular:
- a) encrypt the contents of the database;
- b) not provide any third party with access to personal data and the means of accessing it (in particular, personal computers, data storage devices, servers, databases and Software used for the performance of the EULA and the keys and passwords that enable access to them);
- c) not use any third party online services to store or otherwise process personal data without the prior consent of the Controller;
- d) secure any storage, devices, networks or services used to process personal data with two-factor authentication;
- e) ensure that servers used for personal data processing activities are located in the data centre with protection against unauthorised access and with sufficient protection against power and connectivity failure;
- f) implement electronic protection measures in the form of antivirus and anti-malware Software on all devices used to process personal data under this DPA;
- g) comply with all the Controller’s internal rules regarding the security of data and electronic information, if the Controller so requires and if the Processor is demonstrably familiar with them;
- h) ensure that access to databases containing personal data processed under the EULA is only granted to employees of the Processor who are instructed to comply with security measures and who are bound by a duty of confidentiality to the extent necessary to fulfil the obligations under this Article, whereby the duty of confidentiality of such employees may not be linked to the duration of the EULA or limited in time in any way.
6.3. In the event that the Controller informs the Processor that any data subject has exercised its right to information, erasure, restriction of processing, transfer of personal data, or otherwise, the Processor shall provide the Controller, upon request, with all personal data of the data subject that it processes in the performance of the EULA, provide it to the Controller in one of the standard formats, and if this is not possible, then provide the Controller with access to such personal data.
6.4. If the Processor discovers that there has been any personal data breach on its side or on the side of the Controller, it is obliged to inform the Controller of this fact immediately, but no later than within 72 hours of discovery, stating at least the manner of the breach, the categories of personal data affected, the definition of the subjects whose personal data are affected, a description of the likely consequences of the breach and a description of the measures that the Processor has taken to address the personal data breach, including, where appropriate, measures to mitigate any adverse effects, if the breach has occurred on its part and if the information is discoverable by the Processor by means proportionate to the purpose of the EULA.
6.5. In the event that the Office for Personal Data Protection carries out an inspection of the compliance of the processing of personal data on the part of the Controller, the Processor is obliged to provide the Controller with all cooperation in this inspection, in particular by providing records of the deletion of personal data, documenting the conditions for the security of personal data and allowing personal inspection of the processing of personal data on the premises of the Processor.
6.6. If the Controller invites the Processor to delete certain personal data processed under the EULA, the Processor is obliged to do so within 72 hours of receipt of the call and, upon the Controller’s request, to send the Controller a record or other evidence of such deletion within that period. Personal data processed otherwise than by electronic means (in particular in the form of documents) on the basis of this invitation shall be transmitted by the Processor to the Controller by means of transmission of the corresponding documents, unless the Controller requests another way of dealing with such data (their disposal).
6.7. The Processor shall allow the Controller or persons authorised by it to check compliance with its obligations under this Article of the DPA, in particular to check the conditions for the security of personal data.
7. Other Rights and Obligations of the Parties
7.1. The Controller shall ensure that the purpose of the processing of any personal data processed by the Processor under this DPA is in accordance with the law and that the processing is covered by an appropriate legal basis at all times. The Processor shall not be liable for any overstepping of the purpose of processing by the Controller and any violation of the legal basis for processing as defined by the Controller, unless caused by a breach of this DPA by the Processor.
7.2. The Controller acknowledges that as the Controller, it is primarily and fully liable for the harm it causes by processing personal data in breach of the Regulation. The Processor is not obliged or authorised to check whether the Controller complies with its obligations in personal data processing.
7.3. In particular, the Controller is obliged to comply with the principles set out in Article 6 of the Regulation when processing personal data, and the Software enables the Controller to comply with the obligations set out in the Regulation. It is the Controller’s responsibility to consider what personal data it will process through the Software and for how long, in order to comply with the principles of data minimisation and storage limitation. The Controller is also obliged to inform the data subjects of the purpose, scope and duration of the processing as well as the lawful grounds for processing their personal data (the principle of lawfulness, fairness and transparency and the principle of purpose limitation).
7.4. All remuneration payable to the Processor for performing personal data processing activities under this Agreement is included in the remuneration paid by the Controller under the EULA. The Processor shall not be entitled to any separate remuneration for the performance of its obligations under this DPA.
7.5. This DPA shall terminate upon the end of the period of personal data processing within the meaning of Article 4.1.
8. Final Provisions
8.1. This DPA is governed by the Regulation. To the extent of the obligations not regulated by the Regulation, this DPA is governed by Act No. 89/2012 Coll., the Civil Code.
8.2. If the EU Commission or the Supervisory Authority adopts standard contractual clauses within the meaning of Article 28(7) or (8), the Processor shall make modifications to this DPA as necessary and the Controller shall adopt such modifications in accordance with the procedure set out in Article 8.3 of this DPA.
8.3. This DPA may be updated by the Processor. The current version will be published at https://logmanager.com/dpa and in the internal environment of the Product, and the Controller will be notified. If the Controller continues to use the Product after the revised DPA is published, the Controller will be deemed to have accepted the new version of the DPA.
8.4. Contractual relations that are not expressly regulated by this Agreement are governed by the relevant legal regulations in force in the Czech Republic.
8.5. This DPA shall also be binding on the successors in title of the Parties.
8.6. If any provision of this Agreement is found to be invalid or ineffective, the remaining provisions of this Agreement shall remain valid and effective to the maximum extent permitted by applicable law. The Parties further agree to replace the invalid and unenforceable provision with a mutually acceptable, valid and enforceable provision that reflects the content and purpose of this Agreement.
8.7. Any waiver of any claim of breach, objection or any other omission related thereto shall not affect and shall not be claimed by the Parties hereto or deemed to be consent to such breach, act or omission unless there is written acknowledgment of the foregoing by the Party against whom the waiver is asserted.
Updated on December 2, 2025