Personal data entrustment agreement

§1. Entrustment of Personal Data Processing

  1. The Data Controller entrusts the Processor with personal data for processing, under the terms and for the purposes specified in this Agreement, pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) – hereinafter referred to as the Regulation.
  2. The Processor undertakes to process the entrusted personal data in accordance with this Agreement, the Regulation, and other universally applicable laws that protect the rights of data subjects.
  3. The Processor declares that it applies security measures that meet the requirements of the Regulation, particularly those arising from Article 32 of the Regulation.

§2. Scope and Purpose of Data Processing

  1. The Data Controller entrusts the Processor with data for the purpose of storing it on the Processor's infrastructure (data hosting).
  2. Data stored on the Processor's infrastructure remains the exclusive property of the Data Controller.
  3. The Processor will process the data entrusted under this Agreement, including basic data such as first names, last names, email addresses, phone numbers, URLs associated with Profiles, and other data related to the Profile of the data subject.
  4. The personal data entrusted by the Data Controller will be processed by the Processor solely for the purpose of providing the Service.

§3. Obligations of the Processor

  1. The Processor undertakes to secure the entrusted personal data during processing by implementing appropriate technical and organizational measures that ensure an adequate level of security corresponding to the risk associated with the processing of personal data, as referred to in Article 32 of the Regulation.
  2. The Processor commits to exercising due diligence when processing the entrusted personal data.
  3. The Processor undertakes to grant authorization to process personal data to all individuals who will process the entrusted data for the purpose of executing this Agreement.
  4. The Processor commits to ensuring that individuals authorized to process personal data for the purpose of executing this Agreement maintain the confidentiality of the processed data, both during their employment with the Processor and after its termination.
  5. The Processor, to the extent possible, assists the Data Controller in fulfilling the obligation to respond to requests from data subjects and in complying with the obligations set forth in Articles 32-36 of the Regulation.
  6. Upon detecting a personal data breach, the Processor shall notify the Data Controller without undue delay, within 24 hours.

§4. Right of Control

  1. The Data Controller, in accordance with Article 28(3)(h) of the Regulation, has the right to inspect whether the measures implemented by the Processor for processing and securing the entrusted personal data comply with the provisions of this Agreement.
  2. The Data Controller will exercise the right of inspection during the working hours of the Processor, with a minimum of five days' notice to the Processor.
  3. The Processor agrees to rectify any deficiencies identified during the inspection within a period not exceeding 7 days.
  4. The Processor will provide the Data Controller with all necessary information to demonstrate compliance with the obligations set out in Article 28 of the Regulation.

§5. Further Entrustment of Data Processing

  1. The Processor may entrust the personal data covered by this Agreement for further processing by subcontractors only for the purpose of executing the Agreement.
  2. The subcontractor mentioned above must meet the same guarantees and obligations as those imposed on the Processor under this Agreement.
  3. The transfer of the entrusted data to a third country may only occur upon the written instruction of the Data Controller, unless such an obligation is imposed on the Processor by Union law or the law of a Member State to which the Processor is subject.
  4. The Processor is fully liable to the Data Controller for any failure of the subcontractor to fulfill the data protection obligations.

§6. Liability of the Processor

  1. The Processor is responsible for disclosing or using personal data in a manner inconsistent with the Agreement, particularly for disclosing the entrusted personal data to unauthorized persons.
  2. The Processor undertakes to promptly inform the Data Controller of any proceedings, particularly administrative or judicial, concerning the processing of personal data specified in the Agreement, any administrative decision or ruling regarding the processing of such data directed to the Processor, and any planned, if known, or ongoing inspections and audits concerning the processing of such personal data by the Processor, particularly those conducted by inspectors authorized by the President of the Personal Data Protection Office. This paragraph applies exclusively to the personal data entrusted by the Data Controller.
  3. The Processor fulfills the obligation described above unless informing the Data Controller is restricted or prohibited by a decision of authorized bodies or legal provisions.

§7. Duration of the Agreement

  1. This Agreement is effective from the date of its signing for the duration of the Service.
  2. Upon the expiration of this Agreement, the Processor will either retain or cease to process the personal data entrusted by the Data Controller, depending on the Data Controller's decision.
  3. If the Data Controller does not specify otherwise, the personal data entrusted by the Data Controller will be stored on the Processor's infrastructure. These data will be retained exclusively for the use of the Data Controller.
  4. The Processor agrees to secure access to the data stored as per point 3. The data will be stored for a period of 5 years. The Data Controller has the right to request the deletion of the data specified in point 3 at any time, and the Processor agrees to promptly delete the data from its infrastructure.

§8. Termination of the Agreement

  1. The Data Controller may terminate this Agreement with immediate effect if the Processor:
    a) fails to remedy deficiencies identified during the inspection within the specified time frame;
    b) processes personal data in a manner inconsistent with the Agreement.

§9. Confidentiality Obligations

  1. The Processor agrees to maintain the confidentiality of all information, data, materials, documents, and personal data received from the Data Controller and its collaborators, as well as data obtained in any other way, whether intentional or accidental, in oral, written, or electronic form ("confidential data").
  2. The Processor declares that, in connection with the obligation to maintain the confidentiality of confidential data, such data will not be used, disclosed, or made available without the written consent of the Data Controller for any purpose other than the execution of the Agreement, unless the disclosure of the possessed information is required by applicable law or the Agreement.

§10. Final Provisions

  1. In matters not regulated by this Agreement, the provisions of the Civil Code and the Regulation shall apply.
  2. The applicable law for resolving any disputes between the Data Controller and the Processor will be Polish law (choice of governing law clause).