Data Processing Agreement
This Data Processing Agreement (the "DPA") forms an integral part of the General Business Terms and Conditions (the "Terms") between the Provider and the Client. It regulates the processing of personal data when the Client acts as an institution or educational entity.
Last Updated: May 2026
Definitions and Interpretation
1.1. “Controller” means the Client (institution) who determines the purposes and means of the processing of personal data.
1.2. “Processor” means the Provider operating the website www.schoolpressclub.com.
1.3. “GDPR” means Regulation (EU) 2016/679 (General Data Protection Regulation) and any applicable Czech national data protection legislation (specifically Act No. 110/2019 Coll.).
1.4. Terms such as “personal data”, “processing”, “data subject”, and “personal data breach” shall have the meanings ascribed to them in Article 4 of the GDPR.
Scope, Nature, and Purpose of Processing
2.1. Subject Matter: The Processor provides a digital platform enabling the Controller to design, create, manage, and publish school newspapers.
2.2. Purpose of Processing: Processing is executed solely to provide, maintain, secure, and optimize the digital services of the Platform as requested by the Controller.
2.3. Duration of Processing: The data shall be processed for the duration of the active subscription or until the Controller deletes the account or requests a data purge.
2.4. Categories of Data Subjects: Individuals, students, pupils, teachers, school staff, and contributors authorized by the Controller to access the Platform.
2.5. Categories of Personal Data: Names, email addresses, school affiliation, account roles, and content/media data (including text articles and photographs/images uploaded into the newspaper layouts).
Obligations of the Processor
Pursuant to Article 28 of the GDPR, the Processor covenants and agrees to:
3.1. Instructions: Process personal data strictly on behalf of and in accordance with the documented instructions of the Controller, including instructions regarding cross-border data transfers.
3.2. Confidentiality: Ensure that all personnel authorized to process the personal data have committed themselves to strict confidentiality or are under an appropriate statutory obligation of secrecy.
3.3. Security Measures: Implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, satisfying the requirements of Article 32 GDPR (including access control, encryption, and regular data backups).
3.4. Assistance: Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, in fulfilling the Controller’s obligation to respond to requests from Data Subjects exercising their rights under Chapter III of the GDPR (e.g., rights of access or erasure).
3.5. Breach Notification: Notify the Controller without undue delay (and no later than 48 hours) after becoming aware of any accidental, unauthorized, or unlawful personal data breach on the Platform’s servers.
Sub-processors
4.1. Prior Authorization: The Controller grants a general written and/or electronic authorization to the Processor to engage third-party sub-processors to support platform operations (e.g., cloud hosting providers, secure payment gateways, automated invoicing systems).
4.2. Contractual Equivalence: The Processor shall impose the same data protection obligations on any engaged sub-processor as those set out in this DPA.
4.3. Current Infrastructure Vendors: The Controller acknowledges and agrees that the Processor utilizes the following core infrastructure sub-processors for data hosting and transactional platform operations:
- Cloud Server Infrastructure & Data Storage: Web4u.cz (operated by Web4u s.r.o.), Hukot.net (operated by subreg.cz s.r.o.) / Wedos Internet, a.s., utilizing high-security data centers located strictly within the Czech Republic and the European Union.
- Transactional Billing & E-commerce Gateway: Stripe Payments Europe, Limited / ComGate Payments, a.s., ensuring fully encrypted, GDPR-compliant payment processing.
- Automated Invoicing & Accounting System: Fakturoid s.r.o. / Vyfakturuj.cz (operated by Redbit s.r.o.), used exclusively for generating legally required tax documents.
- Banking & Transaction Settlement: UniCredit Bank Czech Republic and Slovakia, a.s., used strictly for receiving and processing bank transfers and maintaining business transaction histories.
Audits and Compliance
5.1. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR.
5.2. The Processor shall allow for and contribute to reasonable audits or digital inspections conducted by the Controller or an authorized independent auditor, provided that such audits are requested at least 14 business days in advance, happen during standard working hours, and do not disrupt the operational security of other clients hosted on the Platform.
Termination and Data Deletion
6.1. Upon termination of the contractual relationship or upon an explicit digital account deletion request by the Controller, the Processor shall delete or return all personal data to the Controller, and delete existing copies, unless European Union or Czech Republic law commands the retention of specific transaction logs or accounting tax records (such as billing data which must be archived for 10 years).
6.2. Public newspaper issues explicitly preserved under the permanent public historical archive option (Section 7.2 of the Terms) are excluded from automatic deletion unless a specific, individualized removal request is made by the authorized author or the Controller.
Final Provisions
7.1. This Agreement is governed by the laws of the Czech Republic.
7.2. Should any clause of this DPA conflict with the main Terms and Conditions, the provisions of this DPA shall prevail specifically regarding data protection matters.