Data processing agreement

Data processing agreement

concluded between:

An entity that enters into an agreement with the Processor for the provision of services and the data of which is provided in the registration form,

hereinafter referred to as the “Controller“

and

BYDISCOVERY Sp. z o.o., Rynek 60, 50-116 Wrocław, Poland, KRS 0001003223, NIP 8971914669, REGON 523702674

hereinafter referred to as the “Processor“, 

hereinafter referred to as a “Party”, and collectively as “Parties”.

§1. Definitions

For the purposes of the Agreement, the Controller and the Processor agree on the following meaning of the terms listed below:

1. Personal Data – data within the meaning of Article 4(1) of Regulation 2016/679, i.e. any information relating to an identified or identifiable natural person;
2. Personal Data Processing – whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction within the meaning of Article 4(2) of Regulation 2016/679;
3. Agreement – this agreement;
4. Master Agreement – agreements concluded by the Controller and the Processor for the provision of services with the content set out in the Terms and Conditions;
5. Regulation 2016/679 – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119 of 2016, p. 1).

§2. Representations of the parties

The Parties declare as follows:

1. The Parties declare that the Agreement has been concluded in order to perform the obligations referred to in Article 28 of Regulation 2016/679, in connection with the conclusion of the Master Agreement,
2. The person entering into the Master Agreement and providing personal data to the Processor has the appropriate authority to represent the Controller,
3. The Controller declares that it is a controller of Personal Data within the meaning of Article 4(7) of Regulation 2016/679, i.e. an entity that alone or jointly with others determines the purposes and means of the processing of Personal Data,
4. The Processor declares that it is a processor within the meaning of Article 4(8) of Regulation 2016/679 under the Agreement, which means that it will process Personal Data on behalf of the Controller.

§3. Subject and duration of processing

1. The Controller entrusts the Processor to process the Personal Data and the Processor undertakes to process it in accordance with the law and the Agreement.
2. The Agreement is concluded for the duration of the Master Agreement and the performance of all obligations under the Agreement and the Master Agreement.

§4. Purpose and general principles of processing

1. The Processor may only process Personal Data to the extent and for the purpose provided for in the Agreement.
2. The purpose of the entrustment of the Processing of Personal Data is the performance of the Master Agreement, including in particular the performance by the Processor of the service of providing the BYDISCOVERY application and the BYDISCOVERY Widget as well as the performance of the services through them.
3. The scope of the Personal Data processed by the Processor under the Agreement includes the categories of Personal Data each time entrusted to the Controller for processing via the BYDISCOVERY application and the BYDISCOVERY Widget.
4. The scope of Personal Data processed by the Processor under the Agreement includes data of customers and potential customers of the Controller.
5. The Processor shall only process Personal Data upon the documented order of the Controller. A documented order is deemed to be an order to process data included in the Master Agreement.
6. When processing Personal Data, the Processor shall comply with the principles set out in the Agreement.

§5. Specific rules on the entrustment of processing

1. Prior to commencing the Processing of Personal Data, the Processor shall adopt the security measures for the Personal Data referred to in Article 32 of the GDPR, in particular:

1. taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing and the risk of infringement of the rights or freedoms of natural persons of varying probability and severity, it shall apply technical and organisational measures ensuring the protection of the Personal Data processed to provide a degree of security appropriate to the risk. The Processor should adequately document the application of these measures, and keep these measures updated in consultation with the Controller,
2. shall ensure that any natural person acting under the authority of the Processor who has access to the personal data processes it in accordance with the Controller’s orders, including the Controller’s directions and instructions, for the purposes and to the extent provided for in the Agreement, 
3. shall keep a register of all categories of processing activities carried out on behalf of the Controller as referred to in Article 30(2) of Regulation 2016/679 and make it available to the Controller upon request, unless the Processor is exempted from this obligation pursuant to Article 30(5) of Regulation 2016/679.
4. The Processor shall ensure that persons having access to the Processing of Personal Data shall keep it and the means of securing it confidential, with the obligation of confidentiality also existing after the performance of the Agreement and the termination of employment with the Processor. To this end, the Processor shall only allow persons who have signed an obligation to keep the Personal Data and the means of securing it confidential to process the data.

§6. Further obligations of the processor

1. The Processor undertakes to assist the Controller in complying with the obligations set out in Articles 32 to 36 of Regulation 2016/679; in particular, the Processor undertakes to provide the Controller with information and to comply with the Controller’s orders concerning the measures in place to safeguard the Personal Data, and the Processor undertakes to provide the Controller with information concerning personal data infringements within 24 hours of the discovery of an event that constitutes a personal data infringement. 
2. The Processor undertakes to assist the Controller, through appropriate technical and organisational measures, in complying with its obligation to respond to requests from data subjects with regard to the exercise of their rights set out in Articles 15 to 22 of Regulation 2016/679, and in particular the Processor undertakes to inform the Controller of a request made by a data subject within 5 days of receiving such request.
3. The Processor undertakes to comply with any instructions or recommendations issued by a supervisory authority or an EU advisory authority in charge of the protection of Personal Data, with regard to the Processing of Personal Data, in particular in relation to the application of Regulation 2016/679.
4. The Processor undertakes to inform the Controller immediately (according to the method of contacting or sending notices indicated in the Master Agreement) of any proceedings, in particular administrative or judicial ones, concerning the Processing of the entrusted Personal Data by the Processor, of any administrative decision or ruling concerning the Processing of the entrusted Personal Data directed at the Processor, as well as of any audits and inspections concerning the Processing of the entrusted Personal Data by the Processor, in particular those carried out by a supervisory authority. 

• §7. Outsourcing of processing

1. The Processor may use the services of another processing entity (sub-processor).
2. The Controller agrees to the outsourcing of the processing of the entrusted Personal Data, in particular to companies cooperating with the Processor, entities providing personnel, accounting and IT services to the Processor.
3. In the case of outsourcing of the processing of Personal Data, the outsourcing of processing shall be based on an agreement pursuant to which the subcontractor (sub-processor) undertakes to perform the same duties as those imposed on the Processor under the Agreement.
4. The Processor shall ensure that subcontractors (sub-processors) entrusted with data processing apply at least an equivalent level of protection of Personal Data as the Processor.

§8. Audit of the processor

1. The Controller is entitled to verify compliance by the Processor with the rules for the processing of Personal Data pursuant to Regulation 2016/679 and the Agreement, by means of the right to request any information concerning the entrusted Personal Data.
2. The Controller shall also have the right to carry out audits or inspections of the Processor regarding the compliance of the processing operations with the law and the Agreement. The audits or inspections referred to in the preceding sentence may be carried out by third parties authorised by the Controller. The audits and inspections shall be carried out after the date and manner of carrying them out have been agreed between the Parties.
3. The Processor undertakes to inform the Controller immediately if, in the Processor’s opinion, an order given to it constitutes a breach of Regulation 2016/679 or other legislation on data protection.

§9. Responsibility of the parties

1. The Processor shall be liable for damages that occur to the Controller or third parties as a result of the processing of Personal Data by the Processor that does not comply with the Agreement. The Processor’s liability for the acts and omissions of subcontractors (sub-processors) is waived.
2. In the event of non-performance or improper performance of the Agreement by the Processor or infringement of the regulations on personal data processing, the Processor undertakes to pay compensation, however, the total liability of the Processor (towards the Controller and towards third parties) shall be limited to PLN 2,000.

§10. Termination of entrustment of the processing

1. Upon termination of the processing services, the Processor is obliged, at the Controller’s request, subject to paragraph 2, to cease Processing the Personal Data and to delete from its records and IT systems all Personal Data and existing copies thereof.
2. Notwithstanding the cessation of the services relating to the entrustment of the Processing of Personal Data, the Processor is entitled to process data relating to the confirmation of the performance of the service to the Controller.
3. The deletion of personal data referred to in paragraph 1 shall be understood as destruction of Personal Data or its modification in such a way that it prevents the identification of the data subject.
4. The deletion of the data must be documented by a written declaration signed by persons authorised by the Processor. The Processor undertakes to provide the Controller with a declaration of deletion of Personal Data within 7 days of such request being made by the Controller.
5. Termination of the Master Agreement at any time and in any manner by either Party shall result in the expiry of the Agreement. 
6. The Controller shall be entitled to terminate the Agreement with immediate effect in the event that:
7. the supervisory authority determines that the Processor is not complying with the personal data processing rules in respect of the data entrusted by the Controller,
8. The Controller, as a result of the audit referred to in § 8 of the Agreement, determines that the Processor is not complying with the Personal Data Processing rules in respect of the data entrusted to it by the Controller and a 14-day deadline to remedy the infringements has expired without effect,
9. The Processor has used Personal Data contrary to the Agreement or the law, has improperly processed the entrusted Personal Data despite prior requests to change the manner of processing, or has entrusted the processing of Personal Data to another entity without the consent of the Controller.

§11. Final provisions

1. Any amendment to the Agreement must be made in documentary form otherwise being null and void.
2. The Agreement is concluded in a clickable form by accepting its terms and conditions by selecting the appropriate checkbox when logging in for the first time to the system provided by the Processor.
3. In matters not regulated by the Agreement, the provisions of the Civil Code Act of 23 April 1964 (i.e. Journal of Laws of 2017, item 459 as amended), as well as the provisions of Regulation 2016/679 shall apply.
4. Disputes arising in connection with the performance of the Agreement shall be settled by the court having jurisdiction over the registered office of the Processor. The applicable law shall be the Polish law.