General Terms and Conditions

GTC – Staffino Review Radar
Effective from: 1 April 2026
STAFFINO s. r. o.
Teslova 26, Bratislava 821 02, Slovak Republic
ID No.: 47 645 407
Commercial Register of the District Court Bratislava III, Section: Sro, Insert No.: 182752/B

1. Introductory Provisions

1.1 These General Terms and Conditions ("GTC") govern the rights and obligations between STAFFINO s. r. o., with its registered seat at Teslova 26, Bratislava 821 02, Slovak Republic, ID No.: 47 645 407, registered in the Commercial Register of the District Court Bratislava III, Section: Sro, Insert No.: 182752/B (the "Provider") and the customer who ordered the Review Radar service by signing the Order Form (the "Client").

1.2 By signing the Order Form, the Client confirms that it has familiarized itself with these GTC and agrees to them in full. These GTC form an integral part of the contractual relationship between the Provider and the Client.

1.3 The Order Form together with these GTC (including Annex No. 1 – Data Processing Terms) constitute the complete agreement between the Parties (the "Agreement").

1.4 In the event of a conflict between the Order Form and these GTC, the provisions of the Order Form shall prevail.

2. Definitions

2.1 "Review Radar" or "Service" means the web-based analytical platform operated by the Provider that collects publicly available reviews from online platforms (e.g. Google Maps, Trustpilot, Seznam.cz and others), analyzes them using artificial intelligence, and provides the Client with competitive analysis and insights.

2.2 "Order Form" means the document signed by the Client specifying the scope of the Service, the fee, the duration, and other terms of the order.

2.3 "Public Review Data" means reviews, ratings, star scores, reviewer names/nicknames, dates, and related data that are publicly available on third-party online platforms.

2.4 "Client Data" means data uploaded by the Client to the Service, including but not limited to lists of locations, internal metrics, and other information provided by the Client.

2.5 "Fee" means the fee for the use of the Service as specified in the Order Form.

2.6 "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Regulation (EU) 2016/679 (GDPR).

2.7 "Processing" means any operation performed on Personal Data, such as collection, recording, organization, storage, use, disclosure, or deletion.

3. Subject Matter and Scope of Services

3.1 The Provider undertakes to grant the Client a license to use the Review Radar Service, through which the Client may in particular, but not exclusively: (a) monitor public reviews of its locations and competitor locations; (b) compare performance and identify drivers of shopping behaviour in specific locations; (c) utilize analyses and insights generated by artificial intelligence.

3.2 The specific scope of the Service, including the number of locations, review sources, and other parameters, is set out in the Order Form.

3.3 The Client acknowledges that the Service collects and analyzes publicly available reviews from third-party platforms. The availability and scope of such data depend on the accessibility of reviews on the respective platforms. The Provider reserves the right to discontinue collection from any third-party platform if the Provider determines that continued collection is not possible or not advisable due to changes in the platform's terms, technical restrictions, or applicable law. In such case, the Client shall not be entitled to a refund or reduction of the Fee, unless the discontinued source constitutes the sole or predominant source specified in the Order Form.

3.4 The Service includes the collection and analysis of publicly available data from third-party platforms. The Provider determines the methods and means of such collection and analysis as part of the operation of the Service.

The Provider shall not be liable for: (a) the availability, accessibility, or continued provision of data by third-party platforms; (b) any changes to third-party platforms, including their terms of use, technical restrictions, or policies; (c) the legality, accuracy, or completeness of publicly available data made available by third parties; (d) any claims arising from the Client’s selection of competitors, locations, or other parameters within the Service; or (e) any use of the Service or data by the Client in violation of applicable laws or third-party rights.

Without prejudice to Article 9.3, nothing in this Article 3 shall exclude or limit the Provider’s liability for damage caused intentionally (within the meaning of § 386 of Act No. 513/1991 Coll. Commercial Code) or for any other liability that cannot be excluded or limited under generally binding legal regulations.

4. License and Usage Rules

4.1 Based on this Agreement, the Client shall be entitled to use every instance of the Service: (a) in a non-exclusive manner; (b) in a territorially unlimited area; (c) within the duration of this Agreement; (d) for purposes for which this Service is designed, i.e. in particular, for those stated in Article 3 hereof.

4.2 The Client declares that it will abstain from using the Service in a manner or for purposes other than those stipulated in this Agreement or on the Provider's web page. The Client undertakes in particular, but not limited to, to refrain from: (a) reverse analysis of the Service, i.e. it must not in any way use knowledge of the ideas, processes, structure, algorithm and methods used, on the basis of which the Service is designed and which it contains; (b) circumventing the Service's security systems; (c) gaining access to the Service in a fraudulent manner, or in another manner that represents a breach of generally binding legal regulations; (d) gaining access to accounts of the Provider's other clients; (e) allowing unauthorized personnel (to any third parties) access and/or use of the Service; (f) amending, changing or otherwise modifying the Service; (g) extracting, scraping, or systematically downloading data from the Service for purposes other than the Client's own internal business use; (h) using data obtained through the Service to create a competing product or service.

4.3 The license to use the Service is granted to the Client solely for its own business use and for the purpose stated in Article 3 of the Agreement. The Client may not, either for or without remuneration (financial or otherwise), without a prior written consent of the Provider, in any way further sublicense, assign the rights and duties arising hereunder, lend, lease, or in any other manner transfer the license to use the Service to any third party.

4.4 The Client shall not make copies of the Service or any data obtained through the Service for any purpose other than use of the Service for the purpose specified in Article 3 hereof.

4.5 Using the Service in a manner different from the one permitted by the Provider, except for the cases when the Provider gives an explicit, specific, and written approval or in case the Client is entitled to act in such manner on the basis of generally binding legal regulations in force and effect, is strictly prohibited.

5. Fee and Payment Conditions

5.1 The Client undertakes to pay to the Provider the fee for the use of the Service in accordance with the Order Form (the "Fee"). The Fee shall be payable on a monthly or annual basis, as specified in the Order Form.

5.2 In the case of a monthly subscription, the Provider shall issue an invoice for each calendar month. The Fee shall be payable within fifteen (15) days of the date of the invoice, unless otherwise stated in the Order Form.

5.3 In the case of an annual subscription, the Provider shall issue an invoice immediately upon signing of the Order Form. The Fee for the annual period shall be payable within fifteen (15) days of the date of the invoice, unless otherwise stated in the Order Form.

5.4 In the case of auto-renewal (as defined in Article 10.3), the Provider shall issue an invoice thirty (30) days prior to the expiry of the period for which the Agreement was concluded, and the Fee for the next period is payable within fifteen (15) days of the date of invoice, unless otherwise stated in the Order Form.

5.5 The Fee may be paid by bank transfer to the Provider's bank account specified in the invoice, or by payment card or other electronic payment method, if such option is made available by the Provider.

5.6 If the Parties agreed to payment of the Fee by payment card or other electronic payment method, the payment processing shall be governed by the terms of the respective payment service provider. The Provider shall not be liable for failures of third-party payment systems.

5.7 An invoice is considered paid at the moment of crediting the due amount to the Provider's bank account or at the moment of successful authorization of the card payment.

5.8 The Provider shall be entitled to unilaterally increase the Fee by 3% after every twelve (12) month period considering the rate of inflation. The increase in the Fee shall be effective upon auto-renewal of the Agreement.

5.9 If the Fee does not state whether it includes or excludes VAT, it is understood that the Fee is stated excluding VAT and VAT shall be added at the applicable statutory rate.

5.10 Should the Client be in delay with payment, the Provider is entitled to suspend the Client's access to the Service and claim statutory default interest.

5.11 The Client shall not be entitled to unilaterally set off any of its receivables against payments to be paid hereunder or make any deductions against such payments.

5.12 The Client shall raise any objections to the invoice in writing within the payment term. Failure to object or payment of the invoice shall constitute acceptance. In case of legitimate objections, a new payment term of ten (10) days commences from the date of delivery of the corrected invoice.

5.13 Each Party shall bear its own payment transfer costs.

5.14 The Provider shall be entitled to unilaterally set off any of its receivables or claims against the Client, including receivables which are disputed, not yet due, or time-barred, against any receivables or claims of the Client against the Provider.

6. Client's Obligations

6.1 The Client undertakes to provide the Provider with all necessary data and information required to deliver the Service without undue delay.

6.2 The Client is responsible for the data it uploads to the Service, including its accuracy, completeness, and legality.

6.3 The Client undertakes to use the Service only for lawful purposes and shall not infringe the rights of third parties, including data protection rights.

6.4 The Client shall ensure that all users with access to the Client's account maintain appropriate security of login credentials and shall notify the Provider immediately of any unauthorized access or security breach.

7. Provider's Obligations

7.1 The Provider shall provide the Client with access to the Service in accordance with the scope and parameters specified in the Order Form.

7.2 The Provider shall exercise maximum effort to ensure the availability and security of the Service, although the Provider does not guarantee uninterrupted access, error-free operation, or specific results from using the Service.

7.3 The Provider shall comply with all generally binding legal regulations, including data protection regulations (GDPR), when processing data on behalf of the Client as set out in Annex No. 1 – Data Processing Terms.

7.4 The Provider shall notify the Client without undue delay (and no later than seventy-two (72) hours from becoming aware) of any confirmed or reasonably suspected Personal Data breach affecting the Client's data. Such notification shall include, to the extent ascertainable at the time of notification: (a) the nature and scope of the breach; (b) the categories and approximate number of data subjects affected; (c) the likely consequences of the breach for the affected data subjects; (d) the measures taken or proposed by the Provider to address the breach and mitigate its effects; (e) the contact point of the Provider for further inquiries. If the full scope of the breach is not yet ascertained at the time of the initial notification, the Provider shall provide such information progressively as it becomes available.

7.5 The Provider shall provide the Client with information necessary to fulfill its data protection obligations, including details of sub-processors, processing locations, and data subject rights handling procedures.

8. Intellectual Property

8.1 All intellectual property rights in the Service, including source code, algorithms, trademarks, and documentation, remain the exclusive property of the Provider or its licensors. The Client may not claim any ownership or rights to the Service beyond the license granted herein.

8.2 The Client retains ownership of its own data (Client Data) uploaded to the Service. By uploading Client Data, the Client grants the Provider a license to use it for providing the Service and generating insights and analytics.

8.3 For the avoidance of doubt, all insights, analyses, methodologies, and aggregated data generated by the Service shall be the exclusive property of the Provider and may be used by the Provider for research, service improvement, and benchmarking purposes.

9. Liability

9.1 The Provider's total liability for any claim arising out of or related to the Service, whether in contract, tort, or otherwise, shall not exceed the total amount paid by the Client in the twelve (12) months immediately preceding the claim.

9.2 In no event shall the Provider be liable for any indirect, incidental, special, consequential, punitive, or lost profit damages, even if the Provider has been advised of the possibility of such damages.

9.3 The liability limitations set forth in Articles 9.1 and 9.2 shall not apply to damage caused intentionally (within the meaning of § 386 of Act No. 513/1991 Coll. Commercial Code) or to any other liability that cannot be excluded or limited under generally binding legal regulations in force and effect.

9.4 The Provider shall not be liable for disruptions caused by circumstances beyond its reasonable control, including but not limited to acts of God, pandemics, cyberattacks, third-party failures, or illegal actions of third parties (force majeure events).

9.5 The Provider does not warrant that the Service will meet the Client's specific requirements or that the results generated by the Service will be accurate, complete, or fit for any particular purpose.

9.6 The Client assumes all responsibility for any decisions made based on information, insights, or recommendations provided by the Service and shall not hold the Provider liable for such decisions.

9.7 The Service uses artificial intelligence and machine learning technologies. The Provider does not guarantee that AI-generated analyses will be error-free or suitable for all use cases. The Client shall not rely solely on AI-generated insights for critical business decisions.

10. Duration and Termination

10.1 The Agreement shall commence on the date of signing the Order Form and shall continue for the period specified therein (the "Initial Term").

10.2 Unless either party provides notice of non-renewal in accordance with Article 10.3, the Agreement shall automatically renew for the same period for which it was concluded (the "Auto-renewal").

10.3 This Agreement shall be automatically renewed for the same period for which it was concluded, unless the Client notifies the Provider: (a) in writing no later than three (3) months before the expiry of the period for which the Agreement was concluded; or (b) by cancelling the subscription through the Client's account interface on the Service's website no later than three (3) months before the expiry of the period, that it has no interest in auto-renewal.

10.4 In the case of a monthly subscription, the Client may terminate the Agreement: (a) in writing with one (1) month's notice to the end of the calendar month; or (b) by cancelling the subscription through the Client's account interface on the Service's website, effective at the end of the current billing period.

10.5 The Agreement may be terminated only for the following reasons: (a) upon the expiry of the period for which the Agreement was concluded, if Auto-renewal according to Article 10.3 does not occur; (b) by notice in accordance with Article 10.4 in the case of monthly subscription; (c) in accordance with Article 13.2 (Client disagreeing with GTC amendments); or (d) by the Provider for material breach as set out in Article 10.6.

10.6 The Provider may terminate the Agreement immediately without notice if: (a) the Client materially breaches the Agreement and fails to cure such breach within fifteen (15) days of written notice; (b) the Client fails to pay any undisputed amount due and fails to cure such failure within fifteen (15) days of written notice; (c) the Client uses the Service in violation of generally binding legal regulations or infringes third-party rights; or (d) the Client becomes insolvent or enters liquidation.

10.7 Upon termination of the Agreement, the Client's right to use the Service immediately ceases. The Provider shall, without undue delay and no later than thirty (30) days after termination, delete or securely destroy all Client Data, unless required by law to retain it.

10.8 For the avoidance of doubt, regardless of the manner of termination of this Agreement, the Client shall not be entitled to claim the paid Fee or any part thereof.

10.9 Termination shall not relieve the Client of any payment obligations accrued before the termination date or any obligations that by their nature are intended to survive termination.

10.10 Upon termination, Articles 8 (Intellectual Property), 9 (Liability), 11 (Confidentiality), 14.3 (Governing Law), and 14.4 (Dispute Resolution), as well as Article A.6 of the DPA, shall survive.

10.11 If material legal changes are required by generally binding legal regulations, and the Parties cannot agree on necessary amendments within three (3) months, either Party may terminate the affected services with three (3) months' written notice.

11. Confidentiality

11.1 Each party agrees to keep confidential all non-public information disclosed by the other party during the course of this Agreement, including trade secrets, business strategies, pricing, and technical specifications ("Confidential Information").

11.2 Confidential Information does not include information that: (a) is or becomes publicly available through no breach of this Agreement; (b) was rightfully known to the receiving party prior to disclosure; (c) is independently developed without use of the discloser's information; or (d) is rightfully received from a third party without breach of confidentiality.

11.3 The receiving party may disclose Confidential Information only to its employees, contractors, and advisors who have a documented legitimate need to know and are bound by written confidentiality obligations no less protective than those herein.

11.4 Confidential Information shall be used only for purposes related to performing or enforcing obligations under this Agreement. Use for any other purpose is strictly prohibited.

11.5 If either party is required by law, court order, or regulatory authority to disclose the other party's Confidential Information, it shall provide prompt notice (unless prohibited by law) to allow the other party to seek protective measures or seek a protective order.

11.6 Confidentiality obligations shall continue for a period of three (3) years after termination of the Agreement, except that trade secrets shall remain confidential for so long as they qualify as trade secrets under applicable law.

11.7 The Provider may use anonymized, aggregated data from the Service for analytics, research, and service improvement purposes, provided that no Client Data can be identified or attributed to the Client and the aggregation contains data from at least five (5) independent clients.

11.8 The Provider may reference the Client as a user of the Service in marketing materials, case studies, or customer lists, unless the Client opts out by written notice.

11.9 Waiver of any breach of confidentiality by either party shall not constitute a waiver of any subsequent or other breach.

11.10 The Provider shall maintain a documented data breach incident log and notify the Client of any breaches affecting the Client's Confidential Information or Personal Data within seventy-two (72) hours of discovery, including the nature, scope, and measures being taken to remediate.

12. Communication and Notices

12.1 Any notice required by the Agreement shall be in writing and delivered via email to the addresses specified in the Order Form or as updated by either party.

12.2 Notices via email shall be deemed delivered upon sending, unless the sender receives a delivery failure message. For legal notices, either party may also use registered mail, with delivery deemed three (3) business days after posting.

13. Amendments to GTC

13.1 The Provider may amend these GTC at any time by providing written notice to the Client. Amendments shall take effect thirty (30) days after the notice is sent.

13.2 If the Client does not agree with the proposed amendments, it may terminate the Agreement in writing within the thirty (30) day notice period.

13.3 Continued use of the Service after the thirty (30) day notice period shall constitute acceptance of the amended GTC.

13.4 Amendments to GTC shall not apply retroactively to any claim or dispute arising before the amendment takes effect.

14. Final Provisions

14.1 The Agreement constitutes the entire agreement between the parties regarding the subject matter and supersedes all prior agreements, understandings, negotiations, and discussions, whether written or oral.

14.2 If any provision of the Agreement is found to be invalid or unenforceable, the remaining provisions shall remain in full force and effect, and the invalid provision shall be modified to the minimum extent necessary to make it enforceable.

14.3 The Agreement shall be governed by and construed in accordance with the laws of the Slovak Republic, specifically Act No. 513/1991 Coll. Commercial Code, as amended, without regard to conflicts of law principles.

14.4 Any dispute arising out of or related to the Agreement that cannot be resolved amicably shall be submitted to the exclusive jurisdiction of the courts of the Slovak Republic.

14.5 Neither party may assign any rights or obligations under the Agreement without the prior written consent of the other party, except that the Provider may assign its rights to an affiliate, successor, or acquirer without prior consent, provided the assignee assumes all obligations.

14.6 The failure of either party to enforce any right or provision shall not constitute a waiver of that right or provision, nor shall it limit the right to enforce such right or provision at a later time.

14.7 These GTC are effective from the date stated on the title page and shall apply to all Order Forms signed thereafter.

14.8 The Provider reserves the right to discontinue or materially modify the Service with thirty (30) days' written notice. If the Client does not agree with such modification, it may terminate pursuant to Article 13.2.

Annex No. 1 – Data Processing Terms

These Data Processing Terms ("DPA") form an integral part of this Agreement and apply whenever the Client provides Personal Data to the Provider for processing in accordance with Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation).

A.1 Scope and Categories of Processing

A.1.1 The Client ("Data Controller") engages the Provider ("Data Processor") to process Personal Data for the purpose of providing the Review Radar Service. The roles of Data Controller and Data Processor as defined in this clause apply to the processing of Category A data (Article A.1.7). For Category B data (Article A.1.8), the Provider acts as an independent Data Controller as specified therein.

A.1.2 The Provider, as Data Processor, shall process Personal Data only on documented instructions from the Client, as Data Controller, and shall not process Personal Data for any other purpose unless required by generally binding legal regulations.

A.1.3 Processing includes: (a) collection of Personal Data from Client Data and public sources; (b) analysis, comparison, and aggregation of Personal Data; (c) storage of Personal Data in secure systems; (d) provision of reports and insights based on processed Personal Data; and (e) deletion of Personal Data upon Client request or Agreement termination.

A.1.4 The Provider may engage sub-processors to assist in fulfilling its obligations (see Article A.4).

A.1.5 Personal Data shall be processed under the confidentiality and security standards specified in this DPA and in compliance with all generally binding legal regulations, including Regulation (EU) 2016/679 (GDPR).

A.1.6 Processing shall be limited to the Personal Data categories, data subjects, and purposes specified in Article A.2.

A.1.7 Category A – Client Location Reviews

Public reviews collected from third-party platforms relating to the Client's locations are processed by the Provider as a Data Processor on behalf of the Client (Data Controller). The Client determines the purposes and conditions of the processing and is therefore considered the Data Controller within the meaning of Regulation (EU) 2016/679. The legal basis for processing Category A data is the Client's legitimate interest in evaluating and improving the services provided at its locations. The Provider processes this data solely to deliver the Service as specified in the Agreement.

A.1.8 Category B – Competitor Location Reviews

For the purposes of processing competitor location review data (Category B), the Provider acts as an independent Data Controller within the meaning of Article 4(7) GDPR, as it determines the essential purposes and means of such processing, including the methods of collection, analysis, and presentation of data within the Service.

The Client may indicate competitor entities or locations to be included in the analysis; however, such indication does not constitute an instruction to process Personal Data on behalf of the Client, and does not affect the Provider’s role as an independent Data Controller.

The Client processes any data made available through the Service as a separate and independent Data Controller for its own internal business purposes.

Each Party shall be independently responsible for complying with its respective obligations under applicable data protection laws, including providing appropriate transparency information to data subjects and handling data subject rights requests relating to its own processing activities.

Both Parties acknowledge that a balancing test under Article 6(1)(f) GDPR has been considered for the processing of Category B data. The legitimate interests pursued are: (i) the Provider’s interest in operating and improving the analytical service, and (ii) the Client’s interest in competitive market analysis. The data subjects’ reasonable expectations are taken into account: individuals posting reviews on publicly accessible platforms may reasonably expect that their reviews are accessible and may be analyzed. The processing is limited to publicly available review content (low sensitivity), does not involve special categories of data, and is restricted in purpose to the provision of the Service. The Provider maintains a privacy policy (available at its website) that discloses this processing to data subjects. Either Party may request a review of this balancing test if changes in data protection law or regulatory guidance so require. The Parties are not joint controllers within the meaning of Article 26 GDPR with respect to Category B data.

A.1.9 Category C – Incidental Personal Data

Review text may incidentally contain Personal Data of third parties, including but not limited to names of store employees, customer names, or contact information mentioned in customer reviews. Both Parties commit to processing this incidental Personal Data, each acting as an independent Data Controller, only for the purposes of the Service and not to extract, separately analyze, sell, or use it for any purpose other than providing the Service. The processing of such incidental Personal Data is based on the legitimate interest of both Parties in providing and using the Service, and on the basis of generally binding legal regulations that permit such incidental processing.

A.2 Personal Data Processed

A.2.1 Categories of Personal Data processed under this Agreement include: (a) Names and nicknames of reviewers; (b) Email addresses (if provided in public reviews); (c) Location information (store/branch names and addresses); (d) Review text and metadata (dates, ratings, star scores, themes); (e) IP addresses and device identifiers (from logs, if applicable); (f) User behavioral data (location visits, interaction patterns).

A.2.2 Data subjects comprise: (a) Individuals who have posted public reviews on third-party platforms; (b) Individuals who have visited the Client's or competitor locations; (c) Individuals referenced in Client Data provided by the Client; (d) Client employees with access to the Service.

A.2.3 Processing purposes: (a) Competitive analysis and market intelligence; (b) Service delivery and analytics; (c) AI-generated insights and recommendations; (d) Security monitoring and fraud prevention; (e) Service improvement and research (anonymized, aggregated only).

A.3 Processing Rules

A.3.1 Personal Data shall be processed only for the purposes specified in the Order Form and this DPA. The Provider shall ensure that all processing is fair, transparent, and lawful.

A.3.2 The Provider shall implement appropriate technical and organizational measures to ensure the security, integrity, and confidentiality of Personal Data, including encryption, access controls, regular security audits, and intrusion detection systems.

A.3.3 The Provider shall ensure that authorized personnel have access to Personal Data only on a strictly need-to-know basis and are bound by documented confidentiality obligations.

A.3.4 The Provider shall maintain processing records that document when Personal Data was collected, processed, accessed, disclosed, and deleted, consistent with GDPR Article 5(2) (accountability).

A.3.5 The Provider, as Data Processor, shall not sell, share, or disclose Personal Data to third parties without the explicit prior written consent of the Client, as Data Controller, except to sub-processors as authorized under Article A.4 or as required by law.

A.3.6 The Provider shall use Personal Data only to provide the Service and may not use it for profiling, direct marketing, secondary analysis, AI model training (outside of the Service), or other purposes beyond the scope of the Agreement, unless explicitly authorized by the Client, as Data Controller, in writing.

A.3.7 The Client, as Data Controller, retains the right to request deletion, correction, or restriction of Personal Data, and the Provider, as Data Processor, shall comply with such requests without undue delay (within ten (10) business days).

A.3.8 The Provider, as Data Processor, shall delete or securely destroy all Personal Data within thirty (30) days of termination of the Agreement, unless required by generally binding legal regulations to retain it. The Provider shall provide the Client with written confirmation of deletion.

A.3.9 The Provider shall make reasonable efforts to restore Personal Data in the event of accidental loss, provided that the Client shall bear reasonable costs associated with such restoration. The Provider does not guarantee full restoration in all circumstances.

A.3.10 The Provider shall not transfer Personal Data outside the European Economic Area (EEA) without the prior written consent of the Client, as Data Controller, and without implementing appropriate safeguards, including Standard Contractual Clauses or other mechanisms approved by the European Commission.

A.4 Sub-processors

A.4.1 The Provider, in its capacity as Data Processor, may engage sub-processors to assist in processing Personal Data, including cloud storage providers, analytics services, content delivery networks, security providers, and other technical service providers.

A.4.2 The Provider shall provide the Client with a current list of authorized sub-processors, which is published and maintained at https://staffino.com/business/legal/subprocessors/. The Provider shall notify the Client of any changes, additions, or replacements by publication at the above address at least two (2) weeks in advance of the date of the intended commencement of the engagement.

A.4.3 The Client may object to the engagement of a new sub-processor by providing written notice within fifteen (15) days of the notification. If the Client objects on reasonable grounds (e.g., data protection risk, conflict of interest), the Parties shall negotiate in good faith to resolve the objection.

A.4.4 If the Parties cannot resolve an objection, the Client may terminate the affected portion of the Agreement without penalty and without loss of paid Fees for the remainder of the Agreement term.

A.4.5 Each sub-processor shall be bound by a written data processing agreement no less protective than this DPA, including confidentiality, security, and deletion obligations.

A.5 Processing Location and Data Subject Rights

A.5.1 Personal Data shall be processed primarily within the European Economic Area (EEA). Any transfer outside the EEA requires the prior written consent of the Client, as Data Controller, and appropriate legal safeguards in accordance with GDPR Chapter V.

A.5.2 The Provider, as Data Processor, shall, upon the Client's request, provide reasonable assistance to the Client in fulfilling data subject rights under GDPR, including rights of access, correction, erasure, restriction of processing, portability, and objection. The Provider shall respond to such requests within ten (10) business days.

A.5.3 The Client, as Data Controller, remains responsible for responding to data subject requests and determining whether disclosure is required by generally binding legal regulations. The Provider shall cooperate and provide necessary information and assistance to the Client without undue delay.

A.5.4 The Provider, as Data Processor, shall assist the Client, as Data Controller, in fulfilling its obligations regarding Data Protection Impact Assessments (DPIAs) and Prior Consultation obligations under GDPR Articles 35-36 by providing relevant information about processing activities and security measures.

A.5.5 If the Client receives a request from a data subject or supervisory authority, the Provider, as Data Processor, shall, at the Client's request, assist the Client in providing a lawful response without undue delay.

A.6 Liability for Data Processing

A.6.1 The total liability of the Provider for any damages arising from or in connection with the processing of Personal Data under this Annex shall be governed by and limited to the liability cap established in Article 9.1 of these GTC. For the avoidance of doubt, claims arising from Personal Data processing under this Annex and claims arising from other provisions of the Agreement shall be aggregated for the purpose of applying the liability cap.

A.6.2 The liability limitations set forth in Article 9.1 and this Article A.6 are without prejudice to the rights of data subjects under Article 82 of Regulation (EU) 2016/679 (GDPR). Nothing in this Agreement shall limit or exclude the rights of third parties, including data subjects, to claim compensation for damages caused by a breach of GDPR, to the extent such limitation or exclusion is not permitted under generally binding legal regulations.

A.7 Applicable Law

A.7.1 This DPA shall be governed by the laws of the Slovak Republic, specifically Act No. 513/1991 Coll. Commercial Code, as amended, and by Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation).

A.7.2 The Parties undertake to comply with all requirements of Regulation (EU) 2016/679 (GDPR) and other generally binding legal regulations relating to personal data processing.

A.7.3 If material legal changes in data protection law are required, and the Parties cannot agree on necessary amendments within three (3) months of such legal change, either Party may terminate the affected services with three (3) months' written notice without penalty.