Having regard to the provisions on the protection of personal data, including Article 28 of GDPR, the Parties enter into the following agreement:
1. DEFINITIONS
For the purposes of this Agreement, the following terms shall have the following meanings:
1.1. Personal data – means any Administrator Data relating to an identified or identifiable natural person to the extent such information is protected as personal data under applicable regulations;
1.2. NOZBE – means the application used in the course of the Agreement by the Administrator, provided by the Processor, in which personal data entrusted by the Administrator are processed;
1.3. Regulations – means the personal data protection laws in force in Poland, in particular: Regulation (EU) 679/2016 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (OJ L 119 of 2016, p. 1) (hereinafter referred to as “GDPR”), and the Act of 10 May 2018 on personal data protection (Journal of Laws of 2018, item 1000) (hereinafter referred to as the “Act”);
1.4. Terms of Service – means the terms and conditions of using NOZBE available at nozbe.com/terms;
1.5. Entrustment Agreement – means this agreement including any of its amendments, annexes and attachments, provided that they are made in writing and signed by both Parties.
2. REPRESENTATIONS OF THE PARTIES
2.1. The Administrator declares that he is the administrator of personal data entrusted for processing to the Processor, and that he collects and processes personal data in accordance with the regulations.
2.2. The Parties declare that the Entrustment Agreement was concluded for the purpose of fulfilling obligations specified in the regulations in connection with the use of NOZBE by the Administrator and accepting the Terms of Service by the Administrator.
2.3. Each of the Parties to the Agreement, acting as the Administrator of Personal Data provided under this Agreement, undertakes not to transfer any personal data outside the European Economic Area, unless:
2.3.1. the transfer takes place to a country approved by the European Commission as providing adequate protection pursuant to Art. 45 of the GDPR;
2.3.2. there are appropriate safeguards in accordance with Art. 46 of the GDPR; or
2.3.3. one of the derogations for the specific situations listed in Article 49 of the GDPR applies for the transfer of data.
3. SUBJECT MATTER OF THE AGREEMENT
3.1. The Administrator entrusts the Processor with personal data processing, and the Processor undertakes to process them in accordance with the regulations and Agreement for the sole purpose of using NOZBE by the Administrator.
3.2. The Processor may process personal data only to the extent and for the purpose set out in the Agreement, the regulations and the documented orders of the Administrator.
3.3. This agreement constitutes the Administrator’s documented instruction for the Processor to process the personal data provided to him by the Administrator in the performance of this agreement, including an instruction to transfer personal data outside the EEA.
4. THE PURPOSE, SCOPE AND NATURE OF THE PROCESSING
4.1. The Processor may process in NOZBE personal data specified in the definition of personal data. The Processor shall use these data to perform, in particular, the following operations: storage or, upon receiving such order from the Administrator, deletion. The processing of personal data is aimed at enabling the Administrator to use NOZBE.
4.2. The Processor undertakes to process personal data in NOZBE on a permanent basis.
4.3. The Administrator declares that the personal data entrusted under this Agreement do not include special categories of personal data within the meaning of Art. 9(1) of the GDPR or data on criminal convictions and offenses within the meaning of Art. 10 of the GDPR.
4.4. Personal data shall be processed by the Processor in electronic form in NOZBE.
4.5. The Processor will receive personal data from the Administrator.
4.6. The Administrator will entrust, in particular, the personal data of the following categories of persons: administrator, administrator’s employees, administrator’s contractors.
5. PROCESSING ENTRUSTMENT RULES
5.1. When processing personal data entrusted to him, the Processor undertakes to secure them by applying appropriate technical and organizational measures ensuring an adequate level of security corresponding to the risks related to the processing of personal data, as referred to in Article 32 of the Regulation. In particular, the Processor declares that the server infrastructure is based on Amazon AWS and Heroku. The servers and their copies are located in Ireland, Germany and France. Both Amazon AWS and Heroku provide their services with a high level of security - details are described in the documents published at https://aws.amazon.com/compliance/gdpr-center/ and https://www.heroku.com/policy/security.
5.2. Pursuant to Article 28(3)(b) of GDPR, the Processor undertakes to preserve the secrecy of personal data entrusted to him by the Administrator.
5.3. The Processor ensures that the persons who have access to personal data keep both the data and the methods of their protection secret. The obligation to preserve secrecy shall continue to apply after the completion of the Entrustment Agreement and after the end of employment at the Processor.
5.4. The Processor declares that, pursuant to the obligation to preserve the secrecy of entrusted data, they will not be used, disclosed or made available without the Administrator’s written consent for other purposes than the implementation of the cooperation agreement or those arising from the law.
5.5. The Parties shall make every effort to ensure that the means of communication they use to receive, transmit and store personal data guarantee protection against access by third parties who are not authorized to disclose, make available or become familiar with their content. In particular, the Processor informs that, to ensure the maximum security of personal data, the disks holding the database and the files sent to NOZBE are encrypted with AES-256. Additionally, to increase the security level of files and sensitive documents, each file uploaded to NOZBE (as a comment or other attachment) is encrypted separately with an individual encryption key.
5.6. The Processor undertakes to regularly perform security tests - internal and commissioned by specialized external companies.
5.7. The person dedicated to contact in matters related to the performance of this contract is Tomasz Kapelak, tom@nozbe.com. Changing a dedicated person does not require an annex, but only informing the Administrator via e-mail.
6. FURTHER OBLIGATIONS OF THE PROCESSOR
6.1. The Processor undertakes to assist the Administrator in fulfilling his obligations pursuant to Articles 32-36 of GDPR. In particular, the Processor will assist the Administrator in responding to the requests of data subjects, including: the right to information, the right of access to and a copy of the data, the right to rectification, the right to erasure, the right to restriction of processing, the right to data portability, the right to object to data processing, and the right not to be subject to automated decision making, including profiling.
6.2. The Processor is obliged to provide the Administrator with information about the occurrence of an incident related to the violation of the personal data processing rules within 48 hours from the occurrence or suspected occurrence of the incident. The Processor will not report the breach to the supervisory authority without consulting the Administrator.
6.3. In the event of an incident (breach), the Processor undertakes to cooperate with the Administrator to the extent necessary, and also to mitigate the effects of the breach on the protection of personal data.
6.4. The Processor is obliged to keep a register of categories of data processing activities on behalf of the administrator.
6.5. The Processor is obliged to inform the Administrator of each case when data processing is required by the EU law or the law of a Member State, with regard to the personal data processing other than in accordance with the documented Administrator’s instruction, unless the law prohibits the provision of such information due to important public interest.
6.6. Taking into account the state of technical knowledge, the cost of implementation and the nature, scope, context and purposes of processing as well as the risk of violating the rights or freedom of natural persons with different probabilities and severity, the Processor is obliged to implement all appropriate technical and organizational measures to ensure the level of security corresponding to this risk, in particular: personal data pseudonymization and encryption; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to quickly restore the availability and access to personal data in the event of a physical or technical incident; regularly testing, measuring and evaluating the effectiveness of technical and organizational measures to ensure the security of processing. When assessing whether the level of security is appropriate, the risk associated with the processing, in particular resulting from accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed, is taken into account.
7. SUB-ENTRUSTMENT OF PROCESSING
7.1. The Processor may entrust personal data covered by the Entrustment Agreement for further processing by subcontractors in order to fulfill the Entrustment Agreement, i.e., ensure the safety of personal data and/or NOZBE. Sub-processing may only take place on the basis of a personal data sub-contract. The Processor is obliged to inform the Administrator about sub-processing of personal data. Due to the need to ensure the security of personal data (back-up), sub-entrustment does not require prior approval by the Administrator.
7.2. The processing of entrusted data shall be done in accordance with the terms and conditions specified in the data entrustment agreement and the Terms of Service.
7.3. The subcontractor referred to in § 7 paragraph 1 of the Agreement shall provide the same assurances and comply with the same obligations as those imposed on the Processor in the Entrustment Agreement, in particular, they should ensure the implementation of appropriate technical and organizational measures in accordance with the GDPR and the protection of the rights of data subjects.
7.4. The Processor shall be fully liable towards the Administrator for failure to meet the data protection obligations imposed on the subcontractor and laid down in the Entrustment Agreement.
8. LIABILITY
8.1. Each Party shall be responsible for damage caused to the other Party and to third parties in connection with the implementation of the Entrustment Agreement.
8.2. The Processor shall be liable for providing or using the personal data inconsistently with the Entrustment Agreement and, in particular, for providing unauthorized persons with access to the personal data entrusted for processing.
9. THE PROCESSOR’S AUDIT
9.1. Pursuant to Article 28(3)(h) of GDPR, the Administrator of data shall have the right to scrutinize whether the measures applied by the Processor in processing and securing entrusted personal data comply with the provisions of the Entrustment Agreement.
9.2. The Processor shall provide the Administrator with all information necessary to demonstrate compliance with the obligations set out in Article 28 of GDPR.
9.3. The Processor shall immediately notify the Administrator when he deems that an order received by him violates the regulations.
9.4. Having regard to the scope of the audit and costs associated with it, the Processor may charge the Administrator with a reasonable and justified fee in connection with the audit.
9.5. The Processor provides the Administrator with all the information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR and enables the Administrator or an auditor authorized by the Administrator to carry out audits, including inspections, and contributes to them.
10. CEASING THE PROCESSING ENTRUSTMENT
10.1. After the end of the provision of services connected with the processing of personal data, the Processor, depending on the Administrator’s decision, shall either remove or return all personal data, and remove all of their existing copies on any storage media, which shall not affect the lawfulness of processing performed by the Processor during the term of the Entrustment Agreement.
11. FINAL PROVISIONS
11.1. The Entrustment Agreement is concluded for an unlimited period of time commencing on 25 May 2018.
11.2. Ending the use of NOZBE by deleting the account in NOZBE results in the termination of the Entrustment Agreement and deletion of personal data.
11.3. If any of the provisions of the Agreement proves invalid or unenforceable, such partial invalidity, illegality or unenforceability of a provision shall not affect the validity of the remaining provisions of the Agreement. The Parties shall undertake negotiations to replace invalid or unenforceable provisions of the Agreement with new provisions.
11.4. Any changes and additions to the content and provisions of the Entrustment Agreement require written form in order to be effective.
11.5. The Parties shall make every effort to ensure that the means of communication they use to receive, transmit and store confidential information guarantee the protection of confidential data including, in particular, personal data entrusted for processing, against the unauthorized access of third parties unauthorized to become familiar with their content.
11.6. The Parties are mutual administrators of the data specified in the introduction (recitals) of the Entrustment Agreement.
11.7. In matters ungoverned by the Agreement, the generally applicable regulations of the Polish law, including the provisions of the Civil Code, shall apply.
11.8. The Agreement has been prepared in two identical copies, one for each Party.