Data Processing Agreement

AGREEMENT ON ENTRUSTMENT OF PERSONAL DATA PROCESSING

§1 General provisions

  1. This Data Processing Agreement (DPA) is an integral part of the Agreement and the Privacy Policy and determines the principles of processing of personal data by the Operator at the request of the Client through the Operator’s Software.
  2. The DPA represents the entirety of the obligations and conditions of entrustment of personal data processing between the Client and the Operator in connection with the implementation of services and use by the Client of the Operator’s Software.

§2 Definitions

The wording used means:

a. Data Controller – means the Client who, alone or jointly with others, determines the purposes and means of processing Personal Data;

b. Audit – means the verification (including inspection) of the compliance of the processing of Personal Data through the Operator Software with the law, in particular with the GDPR and the DPA, excluding: (i) information containing business secrets or (ii) conducting penetration tests or other similar tests of the Operator Software. An Audit may be performed independently by the Client or through an auditor authorized by the Client, upon submission by the auditor of a power of attorney to act on behalf of the Client, whereby an Audit should not be performed by a competitor (within the meaning of the competition protection regulations) of the Operator;

c. Purpose of Processing – means the performance by the Operator of the obligations set out in the Agreement in connection with the provision of services to the Client;

d. Processing Activities – means any operations on Personal Data that the Processor will perform at the direction of the Data Controller;

e. Further Processor – means an entity used by the Processor in exercising the rights and obligations set forth in the Agreement and performing specific Processing Activities that will have access to Personal Data;

f. Personal Data – means any information about an identified or identifiable natural person to which processing is entrusted under the DPA;

g. EEA – means the European Economic Area as defined in the Agreement on the European Economic Area (OJ EU L of 3 January 1994 as amended), being the countries of the European Union and Norway, Iceland and Liechtenstein;

h. Client – an entrepreneur or another legal person or organizational unit not being a legal person but to which the law grants legal capacity, using the Service provided by the Operator under the Agreement; in the T&C the Client is referred to as a User;

i. Breach of Personal Data Protection – means a breach of protection of Personal Data leading to the accidental or unlawful destruction, loss, modification, unauthorized disclosure of, or unauthorized access to, Personal Data with respect to which Processing Activities are performed by a Processor or Further Processor, as applicable;

j. Data Protection Impact Assessment – means the assessment of the effects of planned processing operations on the protection of Personal Data referred to in Articles 35-36 of the GDPR;

k. Operator – means the company igdpr sp. z o.o. with its registered office in Warsaw, Twarda 18 Street (00-105 Warsaw), entered in the Register of Entrepreneurs of the National Court Register under the number KRS 0000911811, NIP: 5252870967;

l. Software – means a computer program within the meaning of the Act of 4 February 1994 on Copyright and Related Rights, including the iGDPR Website, made available by the Operator at https://www.igdpr.eu as part of the provided service.

m. Supervisory Authority – means the President of the Office for Personal Data Protection;

n. Processor – means the Operator that processes Personal Data at the express direction of the Client;

o. Agreement – means an agreement to provide services using the Software;

p. User – means a person using the Software, conducting business or acting on behalf of the Client.

q. GDPR – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);

r. Objection – means the Client’s objection to further entrustment of Personal Data processing by the Operator to a Further Processor. The objection must be made in writing under pain of invalidity.

§3 Personal Data

Processing Activities | Type of Personal Data | Category of persons to whom the Personal Data relate | Categories of Personal Data
Managing the entity’s compliance with GDPR | Name, surname, ID, e-mail address, telephone number, password, supervisor, subordinate staff | Employees, coworkers, customers, contractors, potential customers | Ordinary data, specific data
Granting, managing and withdrawing authorisations to process personal data | Name, surname, ID, e-mail address, telephone number, password, supervisor, subordinate staff | Employees, coworkers | Ordinary data, specific data
Handling of data subjects’ requests | Name, surname, e-mail, telephone number, address of residence, resident registration, PESEL, ID card number, other data provided by the data subject | Employees, coworkers, customers, contractors, potential customers | Ordinary data, specific data
Cooperation with data processors (controller, co-controllers, processors) | Name, surname, ID, e-mail address, telephone number | Representatives of the controller, co-controller, processor | Ordinary data, specific data

§4 Subject matter and duration of processing of Personal Data

  1. The Client entrusts the Operator with the processing of Personal Data in connection with the Agreement, and the Operator accepts the Personal Data for processing.
  2. The Operator may process Personal Data only for the purpose of performing its obligations under the Agreement, including the provision of certain functionalities and technical support for the Operator’s Software.
  3. The Operator may process Personal Data only for the period: (i) of the duration of the Agreement and (ii) from the termination or expiration of the Agreement until the Personal Data is deleted in accordance with the provisions of the Agreement and the DPA, unless the Client and the Operator agree on a different period for the processing of Personal Data by separate agreement.
  4. The Operator shall process Personal Data only on the documented order of the Client. A documented order means processing in accordance with this Agreement, as well as orders issued in writing or electronically (e-mail).
  5. The DPA shall terminate upon the termination of the Agreement.

§5 Technical and organizational measures

  1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing Personal Data, as well as the risk of varying likelihood and severity for the rights and freedoms of Personal Data subjects, the Operator shall ensure technical and organizational measures for the processing of Personal Data that are adequate to the type of Personal Data and the risk of violation of rights and freedoms. The minimum technical and organisational measures for Personal Data processing are specified in Annex No 1 to the DPA.
  2. The Operator shall allow processing of Personal Data only by persons acting under its authority, whose access to the Personal Data is necessary for the performance of services specified in the Agreement.
  3. The Operator shall ensure that persons acting under its authority who have access to Personal Data have been appropriately trained, including that they have been made aware of the regulations concerning the protection of Personal Data and their responsibility to protect Personal Data against unauthorized access, unwarranted modification, destruction, unlawful disclosure, or acquisition of Personal Data.
  4. The Operator shall oblige persons acting under its authority and having access to Personal Data to maintain secrecy with respect to the Personal Data processed.

§6 Further Processors

  1. Pursuant to Article 28(2) of the GDPR, the Client consents to the Operator’s use of Further Processors to process Personal Data in order to properly provide the services.
  2. The list of Further Processors which the Operator uses or intends to use as at the date of the beginning of the term of the DPA is set out in Annex No 2 to the DPA. By entering into the DPA, the Client agrees to entrust Personal Data processing to the entities identified in Annex No 2 to the DPA.
  3. The Operator shall inform the Client of its intention to use the services of another Further Processor at least 14 days prior to the commencement of use of the services of that Further Processor. Information about the Further Processor shall be sent to the Client’s e-mail address. The new Further Processor shall be included in the amended content of Annex No 2. An amendment of Annex No 2 does not require an amendment to the DPA.
  4. Within 7 days of receiving notice of the Further Processor, the Client may object to the Further Processor.
  5. In case of an Objection, the Operator has the right to propose another Further Processor. An Objection to the other Further Processor means termination of the Agreement effective at the end of the month following the month in which the Objection was filed. During the notice period, the Operator shall not provide the other Further Processor with Personal Data for processing.
  6. Where the Operator uses the services of a Further Processor, the Operator shall enter into an agreement with the Further Processor which imposes on the Further Processor the same data protection obligations as those set out in the DPA. The agreement with the Further Processor shall in particular contain obligations concerning compliance with the provisions of the GDPR, including obligations to use technical and organisational measures for the processing of Personal Data that are appropriate to the type of entrusted Personal Data and the risk of violation of the rights of Personal Data subjects. The rights of the Further Processors shall not be broader than those of the Operator set forth in the DPA.
  7. The Operator shall be liable for the acts and omissions of Further Processors in accordance with the liability rules set forth in § 11 of the DPA.

§7 Client Support

Taking into account the nature of the Personal Data Processing Activities performed and the information available in connection with the provision of the Services, the Operator shall provide the Client with assistance in fulfilling the following obligations:

a. ensure appropriate technical and organizational measures for the processing of Personal Data by applying the technical and organizational measures specified in §5 of the DPA;

b. conduct a Data Protection Impact Assessment by providing Client with the necessary information regarding the processing of Personal Data in the Software needed for Client to conduct a Data Protection Impact Assessment;

c. responding to requests from Personal Data subjects within the scope laid down in Articles 15-22 of the GDPR by providing the following options to the Client upon request to iod@igdpr.eu: (i) export of Personal Data, (ii) erasure and restriction of processing of Personal Data, and (iii) rectification of Personal Data. If a data subject submits such a request directly to the Operator as the Processor, the Operator shall inform the Client without delay about the request and shall agree with the Client how to proceed in relation to it;

d. notification of a Personal Data Breach to the Supervisory Authority and the obligation to notify Personal Data Subjects of a Breach of Personal Data Protection in accordance with Articles 33-34 of the GDPR.

§8 Breach of Personal Data Protection

1. The Operator shall notify the Client of a Breach of Personal Data Protection immediately, but no later than 36 hours after it is discovered.

2. The notification shall include:

a. a description of the circumstances of the incident constituting the Breach of Personal Data Protection and its established or suspected causes;

b. a description of the nature of the Breach of Personal Data Protection, including, to the extent possible, an indication of the categories and approximate number of individuals to whom the Personal Data relates and the categories and approximate number of Personal Data records affected by the Breach of Personal Data Protection;

c. a description of the possible consequences of the Breach of Personal Data Protection;

d. a description of the remedies applied by the Operator to minimize the possible negative effects of the Breach of Personal Data Protection.

3. Information on a Breach of Personal Data Protection shall be transmitted by the Operator to the e-mail address provided by the Client upon registration.

4. In the event of a Personal Data Protection Breach, the Operator shall immediately take the necessary technical and organisational measures to remedy the Personal Data Protection Breach and minimise its possible negative consequences.

§9 Transmission of information

1. The Operator will immediately inform the Client about:

a. any proceedings, in particular administrative or judicial, concerning the processing of Personal Data, any administrative decision or court ruling concerning Personal Data, addressed to the Operator, as well as any planned proceedings or ongoing inspections concerning the processing of Personal Data;

b. orders issued by the Client to the Operator regarding the processing of Personal Data which, in the opinion of the Operator, constitute a violation of the provisions of the GDPR or other legal regulations on personal data protection.

2. The Operator shall, at the request of the Client, make available to the Client all information necessary to demonstrate compliance with the obligations set out in Article 28 of the GDPR.

3. The information will be forwarded to the Client’s e-mail address.

§10 Audits

  1. The Client is entitled to conduct an Audit at any time. In particular, the Client is entitled to conduct an Audit in the following cases: (i) the obligation to conduct an Audit has been imposed by a Supervisory Authority or (ii) the conduct of an Audit is necessary to clarify a Breach of Personal Data Protection.
  2. The Client is obliged to notify the Operator of the intention to carry out an Audit at least 7 working days before the planned date of commencement of the Audit. The notice should indicate the exact scope, date and persons authorized by the Client to conduct the Audit and be delivered to the e-mail address of the Operator.
  3. If it is not possible to conduct an Audit on the date indicated by the Client, in particular due to the number of Audits requested by other customers, the Operator shall inform the Client about the first possible date of conducting the Audit. This provision shall not apply if the obligation to conduct an Audit has been imposed by the Supervisory Authority or if the Audit is necessary to clarify a Breach of Personal Data Protection.
  4. The Operator shall determine the maximum duration of the Audit, which should not be longer than 3 working days, unless a longer period proves necessary due to the purpose of the Audit. In such case, the Parties shall agree on the maximum duration of the Audit.
  5. Upon completion of the Audit, the Parties shall sign a protocol which includes the conclusions of the Audit, including the scope of possible changes in the scope of Personal Data processing by the Operator agreed by the Parties.
  6. The Client shall bear the costs of the Audit on its own.
  7. The Operator shall immediately inform the Client if, in its opinion, the order issued to it constitutes a violation of the GDPR or other provisions of the European Union or the relevant member state concerning the protection of personal data.

§11 Responsibility

  1. The Operator shall be liable for damages caused by the processing only if it has failed to comply with the obligations imposed on it directly by the GDPR, or if it has acted outside the lawful instructions of the Client or contrary to such instructions, whereby the Operator shall be liable for damages up to the amount of the actual damage, but not more than the value of the performance under the Agreement for the period of provision of the Service, to the extent such limitation of liability is permitted under mandatory provisions of law.
  2. The Operator shall be liable, to the abovementioned extent, in the event that the Further Processor fails to comply with its data protection obligations as set forth in the DPA.

§12 Termination of processing of Personal Data

  1. After the end of the provision of services related to the processing of Personal Data, the Operator shall delete or return to the Client all Personal Data within 30 days, unless the Client requests the return or deletion of the Personal Data without delay, and shall delete all existing copies thereof within the same time limits, unless Union or Member State law permits further processing of the Personal Data.
  2. The Operator shall ensure that all Further Processors delete Personal Data in accordance with the terms of this paragraph.
  3. If the Operator, on the basis of legal provisions, processes Personal Data after the termination of services, the Operator shall immediately inform the Client of such circumstances. In this situation, the Operator shall process Personal Data only to the extent and for the purpose arising from the provisions of the law, and shall delete the Personal Data immediately thereafter.

§13 Final provisions

  1. The DPA is governed by Polish law.
  2. Disputes between the Parties shall be resolved by the Polish courts with jurisdiction over the defendant’s registered office.
  3. In matters not regulated in the DPA, the provisions of the Agreement and the Civil Code, as well as the GDPR and other legal acts regulating the principles of personal data protection, shall apply.
  4. In the event of any discrepancy between the provisions of the DPA and the provisions of the Agreement, the provisions of the Agreement shall prevail.

ANNEXES:

Annex No 1 – List of technical and organizational measures.
Annex No 2 – List of Further Processors.

Annex No 1

I. SECURITY OF PERSONAL DATA

1. Organizational safeguards:

a. The Operator has an Information Security Policy that governs the protection of personal data by the Operator, including an incident management policy;

b. The Operator provides initial and periodic data protection and information security training to employees;

c. The Operator grants employees personal authorisations to process personal data. Authorizations are verified periodically.

2. Physical security safeguards:

a. Operator has segregated secure areas where Personal Data is processed;

b. The Operator has applied appropriate security measures, i.e. access control, physical protection, CCTV monitoring.

3. Access control safeguards:

a. Each employee of the Operator has a separate, unique access account to IT systems where Personal Data are processed;

b. The Operator has a policy of strong passwords, password changes and account lockout;

c. Operator has implemented encryption for mobile devices that process Personal Data;

d. remote access to Personal Data is centrally managed and controlled.

4. Operational security safeguards:

a. The Operator’s IT systems and Software used to process Personal Data are regularly updated, scanned for vulnerabilities, and protected by anti-virus systems;

b. The Operator uses firewall protection to prevent unauthorized access to systems and networks;

c. web access filtering is applied. Systems have been implemented to monitor network traffic, and anomalies detected are logged and reported.

II. SOFTWARE SAFETY

The security features of the Operator’s Systems have been selected based on the OWASP ASVS standard and best security practices.

The following protections are applied in the Operator’s Systems:

1. Architectural safeguards:

a. The software is periodically tested using penetration testing;

b. Components of the Software architecture are monitored for vulnerabilities;

c. Network security is applied at the interface to the Internet.

2. Authentication safeguards: verification of the identity of the sender is applied during communication to ensure that only authorised parties can be authenticated and that the authentication data are stored and transported in a secure manner.

3. Session management security: session management mechanisms have been implemented, by means of which user interaction is supervised and secure. Sessions are unique for each user and cannot be guessed or shared.

4. Access control safeguards: access is granted only to those resources for which it has been explicitly authorised. Those gaining access hold valid credentials, and users are associated with defined sets of roles and permissions.

5. Safeguards for handling malicious input: input validation is applied to ensure that input is correct and fit for its intended purpose.

6. Safeguards with respect to cryptography at rest: it is ensured that all cryptographic modules fail securely. Access to keys is managed in a secure manner.

7. Safeguards for error handling and logging: security event logging mechanisms are applied and all logged information is handled and stored securely.

8. Safeguards with respect to data protection mechanisms: data is protected from unauthorised viewing or disclosure, both during transmission and during storage. Data is protected from malicious creation, modification or deletion by unauthorised persons and is only accessible to authorised users when needed.

9. Communication safeguards:

a. A secure connection is used for all connections (external and internal) that are authenticated or associated with sensitive data or functions;

b. Mechanisms are provided to prevent downgrade of the connection’s security;

c. The strongest encryption algorithm available is used.

10. HTTP configuration safeguards: safe character sets are enforced in headers, and version information about system components is not revealed.

11. File and resource safeguards: it is ensured that untrusted file data is handled securely and that files received from untrusted sources are stored outside the web root with restricted permissions.

12. Security of webservices safeguards: validation of all input parameters, which are transmitted from less to more trusted layers, is ensured.

13. Configuration safeguards: security during software changes and the use of up-to-date libraries and platforms are ensured, and communication between components is encrypted and authenticated.


Annex No 2 (Further Processors)

No. | Name | Purpose of further entrustment
1. | Microsoft Ireland Operations Limited | iGDPR software hosting
2. | Stripe Payments Europe, Ltd. | Handling of Service Fees
3. | Aequam Sp. z o.o. | Development, administration and maintenance Services
4. | LINK Mobility Poland sp. z o.o. | Support of SMS communication related to the Service
5. | MaxSorce Finanse S.c. | Accounting for Service Fee
6. | YouCanBookMe Ltd. | Handling the appointment of iGDPR webinars