Data Processing Agreement (DPA) pursuant to Article 28 of GDPR

Concluded pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR)

1. Introductory Provisions

1.1. This Data Processing Agreement (hereinafter "DPA") is concluded between:
  • Provider (Processor): DOMEUM platform s.r.o., ID: 24035921 (hereinafter "Processor")
  • Customer (Controller): A natural or legal person using the DOMEUM Application (hereinafter "Controller")
1.2. This DPA is an integral part of the General Terms and Conditions (GTC) and becomes effective upon the Customer's registration in the Application or upon conclusion of the Service Agreement.

2. Subject of Processing

2.1. The Processor undertakes to process personal data for the Controller, which the Controller stores in the DOMEUM software application (electronic construction log), for the purpose of providing software services, data hosting, backup, and ensuring the functionalities of the electronic construction log.
2.2. Processing will take place for the duration of the Service Agreement and subsequently for the period necessary for data archiving according to the Controller's instructions or legal requirements.

3. Nature and Purpose of Processing, Types of Personal Data

3.1. Purpose of Processing

Construction documentation management, attendance records at the construction site, construction project management, and communication between construction participants.

3.2. Categories of Data Subjects

Controller's employees, Controller's contractual partners (subcontractors), investors, technical supervision, H&S coordinators, and other persons present at the construction site.

3.3. Types of Personal Data

  • Identification data (first name, surname, title, position)
  • Contact data (email, phone)
  • Activity records (who, when, what was entered in the log)
  • Geolocation data (location of entry/login)
  • Signature samples (simple or biometric signature)
  • Photographs (if they capture identifiable persons at the construction site)

4. Rights and Obligations of the Processor

4.1. The Processor undertakes to process personal data only on the basis of documented instructions from the Controller, including issues of transfer of personal data to a third country or international organization, unless such processing is required by EU or Member State law. The Controller's use of the Application functionalities is also considered an instruction.
4.2. The Processor shall ensure that persons authorized to process personal data (employees, temporary workers) are bound by confidentiality or are subject to a legal obligation of confidentiality.
4.3. The Processor shall implement all measures required under Article 32 of the GDPR (Security of Processing), in particular:
  • Encryption of data in transit (HTTPS/TLS) and at rest (encryption at rest)
  • Ability to ensure ongoing confidentiality, integrity, availability, and resilience of systems
  • Ability to restore availability of personal data in a timely manner in the event of a physical or technical incident (backup)
  • Process for regularly testing and evaluating the effectiveness of implemented measures
4.4. The Processor will not use the Controller's data for its own marketing purposes or sell it to third parties.

5. Engagement of Other Processors (Sub-processors)

5.1. The Controller grants the Processor general authorization to engage other processors (subcontractors) for the purpose of fulfilling the Agreement.
5.2. List of current material sub-processors as of the effective date of this DPA, by category:
  • Hosting and Cloud: Cloud infrastructure providers (e.g., Microsoft Azure, Amazon Web Services, Google Cloud) with data centers in the EU
  • E-mailing: Services for sending transactional emails (e.g., Mailgun, SendGrid, Ecomail)
5.3. The Processor shall ensure that sub-processors are bound by the same data protection obligations as the Processor.

6. Assistance to the Controller

6.1. The Processor shall assist the Controller in ensuring compliance with obligations under Articles 32 to 36 of the GDPR (security, breach notification, impact assessment), taking into account the nature of processing and information available to the Processor.
6.2. If a data subject (e.g., Controller's employee) exercises their rights (e.g., erasure request) directly with the Processor, the Processor shall forward the request to the Controller for handling without undue delay. The Processor shall provide the Controller with technical assistance in handling such requests (e.g., data export).

7. Incident Reporting

7.1. The Processor shall notify the Controller of any personal data breach (Data Breach) without undue delay after becoming aware of it, no later than within 48 hours.

8. Termination of Processing and Data Deletion

8.1. Upon termination of services related to processing, the Processor shall, at the Controller's choice, either delete all personal data or return them to the Controller (in machine-readable format), and delete existing copies, unless EU or Member State law requires storage of the personal data.
8.2. Exception for construction log:

The Controller acknowledges that pursuant to § 166 of the Building Act (Act No. 283/2021 Coll.), there is an obligation to archive the construction log for 10 years.

If the Controller requests data deletion before this period expires, the Processor will notify the Controller of a possible conflict with the law but will execute the deletion order (responsibility for compliance with the Building Act lies with the Controller). If the Controller does not renew the license, the Processor will enable data export for archiving purposes at the Controller's end.

9. Final Provisions

9.1. This agreement is governed by the laws of the Czech Republic. In case of conflict between this DPA and the GTC, this DPA shall prevail in matters of data protection.