DATA PROCESSING AGREEMENT
concluded in Katowice on ___________ between:
iPresso SA with its seat in Katowice, 40-514 Katowice, ul. Ceglana 4, entered into the Register of Entrepreneurs of the National Court Register kept by the District Court Katowice Wschód in Katowice, VIII Commercial Division of the National Court Register under number 0000421253, NIP number: 634 267 80 33 represented by:
Michał Wojciechowski - President of the Management Board,
Karolina Sypuła - Vice-President of the Management Board
hereinafter referred to as: "Processor"
hereinafter referred to as: "Administrator"
hereinafter referred to as the "Party", and jointly as "Parties".
Considering that the Processor and the Administrator are bound by the Contract for the provision of iPresso.com services, concluded on the basis of the Regulations for the provision of iPresso.com services (hereinafter referred to as: Contract for services), the Parties, pursuant to the provisions on the protection of personal data, conclude this agreement (hereinafter referred to as: "Agreement"), with the following content:
Statements of the Parties
- The Administrator declares that he is the administrator of personal data within the meaning of Regulation (EU) 2016/679 Of The European Parliament And Of The Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the General Data Protection Regulation), which is processed in accordance with applicable law. The Administrator also declares that he concludes this Agreement for the purpose directly related to his business or professional activity.
- The Administrator entrusts personal data to the Processor, and the Processor undertakes to process the personal data entrusted to him for the purpose and scope specified in this Agreement.
Purpose, scope, place, type of data, categories of persons, nature of processing entrusted personal data
- The Administrator entrusts the processing of personal data in the field of personal data that has been collected by him in accordance with applicable law, as part of the use of the iPresso Service, provided by the Processor in the IT system of the ipresso.com website. The scope of processed personal data includes personal data entered by the Administrator in the iPresso Application, in particular data of contractors, employees and associates of the Administrator, which are necessary for the performance of the Contract for services concluded between the Parties, (e.g. name, email, phone numer and traditional mail information).
- The purpose of the processing by the Processor of personal data entrusted by the Administrator is only the provision of services covered by the Contract for services, consisting of:
a) providing the Administrator with IT tools, ensuring the possibility of marketing automation and performing activities related to
the collection and processing of data;
b) storing personal data entered by the Administrator on the terms specified in the Regulations for the provision of iPresso.com services,
c) updating programs related to bookkeeping in relation to
changes in mandatory provisions of Polish law,
d) archiving data and securing them against loss,
- The processor undertakes not to use the entrusted personal data for other purposes.
- The processor undertakes to process the entrusted personal data only for purposes related to the implementation of the Contract for services and only to the extent that is necessary to achieve these purposes.
- The processor, taking into account the nature of the processing and the information available to him, undertakes to assist the Administrator in fulfilling the obligations set out in art. 32-36 of General Data Protection Regulation. In particular, the processor undertakes to provide the Administrator with information on the personal data security measures applied, personal data breaches within twenty-four (24) hours from the incident, and to notify the data subjects of this, if requested by the Administrator.
- The processor will process personal data in paper form and with the use of IT systems. The processing of personal data is understood as all operations performed on personal data, such as: collecting, recording, organizing, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, distributing or otherwise sharing, matching or combining, restriction, removal or destruction.
Principles of personal data processing
- The Parties undertake to perform the obligations arising from this Agreement with the highest professional diligence in order to secure the legal, organizational and technical interests of the Parties in the processing of entrusted personal data.
- The processor undertakes to apply technical and organizational measures to secure the personal data entrusted for processing appropriately to the threats and categories, in particular to protect them against disclosure to unauthorized persons, removal by an unauthorized person, processing in violation of the law and alteration, loss, damage or destruction.
- The processor declares that the IT systems used to process the entrusted data meet the requirements of the currently applicable law.
- The processor processes personal data only on the documented Administrator's request.
- The processor declares that it has the resources, experience, expertise and qualified personnel that enable it to properly perform the Data Processing Agreement and to implement appropriate technical and organizational measures so that the processing meets the requirements of the General Data Protection Regulation.
- The processor declares that he has taken effective technical
and organizational measures to protect personal data against disclosure to unauthorized persons, removal by an unauthorized person, processing
in violation of the law and damage, destruction, loss or unjustified modification.
- The processor, taking into account the nature of the processing, as far as possible helps the Administrator, through appropriate technical and organizational measures, to fulfill the obligation to respond to the requests of the data subject, in the scope of exercising his rights.
- The processor undertakes to keep personal data secret and the methods of securing them, including after the termination of the Agreement, and undertakes to ensure that its employees and other persons authorized to process the entrusted personal data, undertake to keep personal data, and methods of securing them, confidential, including after the termination of the Agreement.
- The processor, after the completion of the provision of services related
to processing, depending on the Administrator's decision, deletes or returns to him all personal data and deletes all existing copies, unless specific legal provisions require the storage of personal data.
- The processor provides the Administrator with all information necessary to demonstrate compliance with the obligations set out in this Agreement and allows the Administrator or an auditor, authorized by the Administrator to conduct audits, including inspections, and contribute to them.
Sub-processing of data
- The processor may commission the performance of specific activities within the scope of the Agreement to persons, who are not its employees only after obtaining the prior written consent of the Administrator. The consent may be given in electronic form. In the event of obtaining consent, the Processor is obliged to further entrust data processing on conditions at least as restrictive as those specified in this contract.
- The processor undertakes that further entrusting of personal data to external entities will be carried out in accordance with the requirements of applicable legal regulations in the field of personal data protection.
Responsibility of the Parties
- The administrator is responsible for compliance with the law on the processing and protection of personal data according to the General Data Protection Regulation.
- The above does not exclude the responsibility of the Processor for the processing of the entrusted data contrary to the Agreement.
- The processor is liable for damages caused by processing if it has not fulfilled the obligations imposed on it hereby, or if it has acted outside the Administrator’s lawful instructions or contrary to these instructions.
- The processor is not responsible for making the entrusted personal data available to unauthorized persons, taking by an unauthorized person, damaging or destroying these personal data if the reason for the above is the Administrator's action or omission consisting in particular providing information authorizing access to the service to third parties, as well as any other behavior related to the Service in the area managed by the Administrator.
Duration of the contract and its termination
- This Agreement is valid from the moment the Parties conclude the Contract for services and is concluded for a definite period necessary to provide the Services. The Agreement is valid until the end of the subscription period for the Service, with the proviso that the extension of the subscription period for the Service results in the extension of this Agreement without the need for additional declarations of will by the Parties.
- After the expiry of the data processing period resulting from the Contract for services, the Processor deletes the data, unless the relevant provisions of national or EU law require the Processor to store these personal data for another statutory period of time.
- This Agreement shall be terminated at any time when the Administrator deletes his account from the iPresso.com system, as a result of which all data stored in the Processor's system are irretrievably deleted, unless the relevant provisions of national or EU law require the Processor to store these personal data for another statutory period of time.
- Any changes hereto should be made in the form of an Annex hereto.
- In matters not covered by this Agreement, the provisions of the Civil Code and other provisions of generally applicable polish law shall apply.
- If this Agreement refers to legal provisions, this also means other provisions on the protection of personal data, as well as any amendments that will enter into force after the date of the conclusion hereof, as well as legal acts that will replace the indicated laws and regulations.
- This Data Processing Agreement is valid for the duration of the Contract for services indicated above.