Terms of personal data processing
Personal Data Processing Contract
This document regulates the processing of personal data that ExpertSender processes on behalf of the Client (Data Controller) and constitutes an integral part of the Contract.
ExpertSender S.A., with its principal place of business at Gdańsk (80-280), ul. C.K. Norwida 1, Poland, VAT ID: PL 5862237116, entered in the National Court Register’s register of entrepreneurs by the District Court Gdańsk-North in Gdańsk, VIII Commercial Division of the NCR (“KRS”), under registration No. 0000916101, with a share capital of PLN 108 760,00,
§1 Definitions
- Main Contract – jointly, the Order Form filled in by the Client together with the Attachments and the Regulations, which constitute a service Contract concluded between the Controller and the Processor;
- Personal Data Processing Contract – the Contract on data processing on behalf of the Controller (hereinafter referred to as “Contract”);
- Personal Data – information relating to an identified or identifiable natural person, processed by the Processor under the Personal Data Processing Contract;
- Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- Order Form – a separate document that includes the basic characteristics of providing Services on behalf of Controller…
- Subprocessor – an entity whose services are provided to the Processor to execute specific data processing activities on behalf of the Controller;
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council…
- EEA – European Economic Area.
§2 Scope of processing
The Processor shall process Personal Data only to the extent necessary to provide the Services described in the Main Contract.
§3 Obligations of the Processor
The Processor undertakes to process the Personal Data in accordance with applicable laws, including the GDPR, and only on documented instructions from the Controller.
§4 Obligations of the Controller
The Controller is responsible for the lawfulness of the Personal Data processing and must provide accurate instructions to the Processor.
§5 Confidentiality
The Processor ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation.
§6 Security of processing
The Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
§7 Subprocessing
The Controller authorises the Processor to use Subprocessors listed in Appendix 2. The Processor shall enter into a written agreement with each Subprocessor.
§8 Data subjects’ rights
The Processor shall assist the Controller in responding to requests to exercise the data subject’s rights.
§9 Personal Data Breach
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach.
§10 Deletion and return of data
Upon termination of the Contract, the Processor shall delete or return all Personal Data to the Controller unless Union or Member State law requires storage.
§11 Final provisions
This Contract is governed by the laws of Poland. Any disputes shall be resolved by the competent court in Gdańsk, Poland.
Appendix 1: Technical and organisational means of security
Confidentiality
- Access to data restricted to authorised personnel only.
- Confidentiality agreements signed by all employees.
Integrity
- Data encryption in transit and at rest.
- Audit logs maintained and reviewed regularly.
Availability
- Regular backups stored in secure locations.
- Redundant infrastructure to ensure service uptime.
Appendix 2: Subprocessors
- AWS – cloud infrastructure provider
- Mailgun – email delivery service
- Cloudflare – content delivery and security