All documents were updated on August 28, 2021
Data Processing Agreement in the above version shall apply from 15 October 2020.
1.1 The following Data Processing Agreement constitutes an integral part of the Terms and Conditions for the provision of the Certifier service by electronic means (hereinafter referred to as the "Service") to natural persons, legal entities or other organisational units with legal capacity (hereinafter referred to as the Administrator) by the Service Provider - Certifier spółka z ograniczoną odpowiedzialnością with its registered office in Krakow ul. Grodzka 42/1 31-044, Krakow, entered into the National Court Register under KRS number 0000863560, Tax Identification Number 6762586390 and REGON 38724280300000 (hereinafter referred to as the "Processor") and applies when the Administrator, via the Certifier Service, collects or processes personal data within the meaning of the provisions of Regulation 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L of 2016 No. 119, p. 1) (hereinafter: GDPR).
1.2 The controller entrusts the Processor with the processing of personal data within the meaning of Article 28 of the GDPR to the extent resulting from the General Rules of Procedure. In particular, it concerns the personal data of the Administrator’s customers and potential customers stored by the Processor in the CRM system, as well as possible personal data transferred during phone calls recorded by the Administrator, if they are stored by the Processor.
1.3 The Processor undertakes to process personal data within the scope and under the rules specified in these Rules and Regulations, the Act and relevant executive acts issued on its basis. Personal data entrusted to the Processor on the basis of these Regulations shall be processed on the territory of countries belonging to the European Economic Area. The Processor shall not be entitled to any additional remuneration for the performance of the services specified in this Agreement other than that specified in the Main Agreement.
2.1 The parties agree that the Administrator of personal data within the meaning of Article 4 point 1) of the GDPR entrusted to the Processor on the basis of these Rules is the Data Controller.
2.2 The controller declares that the personal data entrusted to the Processor for processing are collected in accordance with the applicable law.
2.3 The Processor declares that it has at its disposal appropriate technical and organisational means, knowledge and qualified personnel, which enable it to properly perform these Regulations entrusting the processing of personal data and ensure the compliance of the processing with the provisions of law and protection of the rights of the data subjects. The processor provides sufficient guarantees of implementing appropriate technical and organisational measures to ensure that the processing meets the requirements of the PDPA.
2.4 The processor processes personal data only on documented instructions from the Administrator.
3.1 The scope of personal data processing entrusted to the Processor includes the following personal data of customers using or intending to use services provided by the Data Administrator:
surname and first name
e-mail addresses
IP addresses
telephone number
3.2 Moreover, the Administrator shall entrust the processor with the personal data of the Administrator’s customers and potential customers, as well as any personal data provided during telephone calls recorded by the Administrator, if they are stored by the processor, in the following scope: identification data of the caller, contact details.
3.3 The entrustment referred to in this Agreement includes the processing of personal data in order to perform the following activities by the Processor: storing personal data in systems integrated with the Certifier Service, referred to in the Main Regulations, making back-up copies of personal data, storing recorded telephone conversations in which personal data is provided. Personal data will therefore be: collected, organised, recorded, structured, stored, processed, transmitted, made available, deleted or destroyed.
3.4 The processor is entitled to process personal data entrusted by the Administrator only to the extent and for the purpose related to the implementation of these Regulations and the Main Regulations. A change of the purpose or scope of the processed data requires an amendment of these Terms and Conditions.
4.1 When processing personal data related to the execution of these Terms and Conditions, the Processor is obliged to comply with the applicable laws on personal data protection and to follow the Administrator’s instructions on the principles of processing the entrusted personal data and on personal data security.
4.2 The processor undertakes to process personal data in accordance with the applicable legal regulations only to the extent necessary for the performance of the activities described in point 4.1. 3.4 of these Regulations. The processor acknowledges that processing of personal data by it in a wider scope or for other purposes, in the absence of an appropriate legal basis, will constitute a breach of the PDO Agreement and legal regulations and may constitute a basis for termination or non-renewal of the Cooperation Agreement.
4.3 The processor declares that it has at its disposal appropriate technical and organisational measures to protect personal data against unauthorised persons, taking them away by an unauthorised person, processing in breach of the law and damage, destruction or unjustified modification in accordance with the applicable law.
4.4 Before starting the processing of personal data, the processor must take the Personal Data Protection Measures referred to in Article 32 of the GDPR, and in particular: taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of the processing and the risk of infringement of the rights or freedoms of natural persons with different probability and seriousness of the threat, it is obliged to apply technical and organisational measures to ensure the protection of the personal data being processed, in order to ensure a level of security corresponding to this risk.
4.5 The processor must ensure control over what personal data, when and by whom they have been entered into databases and to whom they are transmitted, especially when they are transmitted by means of data transmission devices.
4.6 All confidential information and documents containing personal data transmitted electronically and the communication channel shall be secured with the use of cryptographic protection measures.
4.7 In the case of data processing with the use of an IT system, its operation and the devices included in it, used for the processing of personal data, only persons authorised to do so by name and trained by the Processor may be admitted.
4.8 The processor is obliged to keep a list of natural persons employed in the processing of personal data (regardless of the legal basis of employment) in connection with the performance of the PDO Agreement.
4.9 The processor, at the request of the Administrator, is obliged to immediately provide the Administrator with a list of persons employed in the processing of personal data (regardless of the legal basis of employment).
4.10 The processor undertakes to keep the personal data and ways of securing them in secret, including also after the termination of the PDO Agreement, and undertakes to ensure that its employees and other persons authorised to process the entrusted data, referred to in sec. 8 above, undertake to keep the personal data and ways of securing them in secret, including also after the termination of the PDO Agreement.
4.11 The processor shall process the entrusted data in its registered office and in remote locations at the sub-processors of the entrustment also outside the European Economic Area.
4.12 In the event that a third party takes legal action against the Processor and/or the Data Controller related to the violation of the rules of personal data processing, the Parties undertake to cooperate in order to take appropriate legal steps aimed, in particular, at dismissing or rejecting the third party’s claims by the competent court, lodging an appeal or concluding a settlement, as well as other legal actions.
In the event of a breach by either of the Parties of the principles of personal data processing, as set out in the Agreement, Act or relevant executive acts, and the other Party suffers any damage in this connection, the Party guilty of the breach shall be obliged to cover the damage suffered by the other Party, whereby the Parties limit their liability to so-called "damnum emergens" and exclude liability for so-called lost profits ("lucrum cessans").
The Terms and Conditions are concluded for the duration of the Terms and Conditions of providing the Certifier service.
The Parties allow for the possibility of amending or early termination of these Regulations by mutual agreement.
In the event of expiration of these Terms and Conditions, the Processor undertakes to make it possible to copy any data entrusted by the Administrator, and then to delete the entrusted data within 14 days from expiration at the latest.
The Administrator may make a copy of the Terms of Use, however, not earlier than before the data has been copied by the Administrator, unless the Administrator has previously waived the possibility of making a copy in writing.