1. INTRODUCTORY PROVISIONS
   1. These Data Protection Rules (‘Rules’) of the company VSHosting s.r.o., with registered office at Prague 10 – Sodomkova 1579/5, Hostivař, postcode 10200, company registration number: 615 05 455, registered in the Commercial Register maintained by the Municipal Court in Prague, Section C, entry no. 29746 (‘Provider’) regulate the rights and obligations of the contractual parties in the area of protection of data related to a Contract for the Provision of Services “Snackhost” (‘Service’ and ‘Contract for the Provision of Services’) concluded between the Provider and another natural or legal person (‘User’).
   2. The Rules form an inseparable part of a Contract for the Provision of Services. Terms used in the Rules have the same meaning as the same terms used in a Contract for the Provision of Services (including the Terms of Business).
2. PROTECTION OF SAVED AND TRANSMITTED DATA 
   1. The Provider shall not have access to the content of non-public data belonging to the User saved within the Cloud Server Service on the Provider’s server. The Provider shall not control such non-public data belonging to the User saved within the Cloud Server Service. Members of the Provider’s user support shall not have access to physical servers used by the Provider to provide the Cloud Server Service.
   2. The Provider shall have access to the content of the User’s data saved within the Cloud Hosting Service on the Provider’s server. The Provider shall not carry out preventative control of the content of non-public data belonging to the User saved within the Cloud Hosting Service. The Provider undertakes to treat as confidential the data saved by the User in this way.
   3. The Provider does not save user passwords or private parts of Users’ SSH keys.
   4. The User acknowledges that the Provider shall keep for a period of six (6) months operational and localisation data relating to the Service within the meaning of the directive of the European Parliament and of the Council 2006/24/ES dated 15 March 2006 on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/ES. The Provider shall provide operational and localisation data exclusively to public authorities and in accordance with generally binding legislation.
3. PROTECTION OF THE USER’S PERSONAL DATA
   1. If the User is a natural person, the Provider shall comply with their information duty within the meaning of article 13 of the Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation) through a separate document called Personal Data Processing Information. 
4. PROTECTION OF PERSONAL DATA OF THIRD PARTIES 
   1. In connection with the operation of the Service, the Provider may (at the User’s instigation) process personal data of natural persons saved by the User within the Service. The contractual parties are aware of the fact that, in these circumstances, the User acts as a personal data administrator and the Provider is in a position of a processor of personal data. For these reasons, the User as the personal data controller authorises the Provider as the personal data processor to process personal data under the conditions specified below. 
   2. However, the User may not save within the Service personal data of special categories within the meaning of article 9(1) of the Regulation. 
   3. The Provider shall process personal data for as long as a Contract for the Provision of Services is effective. 
   4. The category of data subjects whose personal data is processed by the Provider includes, in particular, customers, clients or other persons who are in a contractual or a similar relationship with the User (‘Clients’) and the User’s employees. The Provider shall process all types of personal data of the User’s Clients or employees that the User saves within the Service. 
   5. The purpose of processing of personal data by the Provider is performance of a Contract for the Provision of Service. The Provider shall process personal data by automated processes of recording, saving, limitation or deletion. 
   6. The Provider shall process personal data solely on the basis of the User’s verified instructions, including instructions regarding the transfer of personal data to a third country or to an international organisation, unless such processing is already prescribed by Union law or by the Member State law which applies to the User. The User’s instructions may also be contained in a Contract for the Provision of Services. After the Contract for the Provision of Services has been discharged, the Provider shall delete all personal data (this is the User’s instruction), unless generally binding legislation requires further retention of the respective personal data. 
   7. To the extent laid down by generally binding legislation, the Provider undertakes to implement measures preventing unauthorised or accidental access to personal data, its change, destruction or loss, unauthorised transmission, other unauthorised processing or other misuse of Personal Data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Provider shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the relevant risk. The User acknowledges and agrees that the safety of the server application layer of computer programs located on the Provider’s server is strongly dependent on the selection of computer program(s) activated for the purposes of the operation of the server, including the up to dateness of such computer program(s). The Provider is not the author of such computer program(s) and their development is secured by third parties. The User acknowledges and agrees that they are fully responsible for safety risks connected with non-implementation of technical measures sent to them by the Provider whilst a Contract for the Provision of Services is effective for the purpose of securing personal data. 
   8. The Provider shall not include any other processor in the processing of personal data of without a prior specific or general written consent of the User. The User hereby agrees to include other processors in the processing of personal data by the Provider, specifically persons responsible for compliance by the Provider with their obligations arising from a Contract for the Provision of Services, in particular persons assisting with the operation of the Provider’s devices. The Processor shall inform the User of all intended changes relating to the hiring of other processors or their replacement and shall thus provide the User with an opportunity to raise objections against such changes. If the Processor hires another processor of personal data in order to carry out some activities of data processing in the name of the User, such further processor must be obligated on the basis of a contract to comply with the same data protection obligations as those specified in a Contract for the Provision of Services, in particular the provision of sufficient guarantees with regard to the implementation of suitable technical and organisational measures so that the processing of personal data complies with the requirements of the Regulation. In the event that the User suffers loss in connection with the Provider’s liability in the area of personal data protection, clause 13.7 of the Terms of Business relating to the Contract for the Provision of Services shall apply. 
   9. The Provider shall take into account the nature of processing of personal data. The Provider shall assist the Controller by way appropriate technical and organisational measures if possible to comply with the User’s obligations to respond to requests to exercise the rights of data subjects specified in Section III of the Regulation at the User’s expense. The Provider shall pass over to the User without undue delay requests to exercise rights of a data subject potentially raised against the Provider. The Provider shall assist the User with ensuring compliance with obligations set out in articles 32 to 36 of the Regulation, taking into account the nature of processing of personal data and information available to the Provider in return for remuneration potentially agreed in a separate contractual agreement of the parties. 
   10. The Provider undertakes to treat the processing of personal data as confidential. The Provider undertakes to ensure compliance with the confidentiality obligation regarding the processing of Personal Data on the part of their employees and other persons working with personal data.
   11. The Provider undertakes to provide to the User at the User’s expense all information necessary to prove that obligations specified in a Contract for the Provision of Services have been complied with and shall allow, at the User’s expense, audits of personal data including inspections carried out  by the User or by an auditor authorised by the User and shall contribute to such audits, including notifying the User that, in the Provider’s view, the User’s instruction breaches generally binding legislation in the area of personal data protection. Notwithstanding the above, the contractual parties have agreed that the Provider may not provide and shall not provide the User with such access to the Provider’s server which would decrease the level of protection of data belonging to other contractual partners of the Provider or which would lower the level of security of personal data or other data secured by the Provider, including circumstances which could lead to the Provider’s server being compromised. The amount of the Provider’s remuneration for the provision of cooperation to the User pursuant to this clause shall be governed by the Price List. 
5. SENDING OF COMMERCIAL COMMUNICATIONS AND SAVING OF COOKIES
   1. The User consents to the sending of information relating to the Provider’s services or business to the User’s emails address, as well as to the sending of the Provider’s commercial communication to the User’s emails address. 
   2. The User consents to the saving of so-called cookies on their computer. In the event that it is possible to perform the Provider’s obligations arising from a Contract for the Provision of Services without cookies being saved on the User’s computer, the User may withdraw their consent pursuant to the previous sentence at any time.

In Prague on 25th May 2018

CE Online Systems s.r.o.