TERMS OF PERSONAL DATA PROCESSING
This document regulates the processing of personal data that ExpertSender processes on behalf of the Client (Data Controller) and constitutes an integral part of the Contract.
ExpertSender S.A., with a principal place of business located at: Gdańsk (80-280) ul. C.K. Norwida 1, Poland, VAT ID: PL 5862237116, entered into a National Court Register’s register of entrepreneurs by a District Court Gdańsk-North in Gdańsk, the VIII Commercial Division of the NCR (“KRS”) with a registration No.: 0000916101, with a share capital of PLN 108 760,00,
hereinafter referred to as „Processor”,
§1 Definitions
The Parties to the Contract agree that the terms below have the following meanings:
- Main Contract – jointly, the Order Form filled in by the Client together with the Attachments and the Regulations, which constitute a service Contract concluded between the Controller and the Processor.
- Personal Data Processing Contract – the contract on data processing on behalf of the Controller (hereinafter referred to as “Contract”);
- Personal Data – information relating to an identified or identifiable natural person, processed by the Processor under the Personal Data Processing Contract;
- Personal Data Breach – a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;
- Order Form – a separate document that includes the basic characteristics of the Services provided on behalf of the Controller, filed by the Controller with the Processor, which together with the attachments and the Regulations forms the basis of the Parties’ obligations, that is, a service Contract concluded between the Client and the Processor. The Order Form may be filled in in writing or in document form – through e-mail exchange between the Parties.
- Subprocessor – an entity whose services are used by the Processor to carry out specific data processing activities on behalf of the Controller;
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
- EEA – European Economic Area.
§2 Subject of the Processing Contract and Parties’ statements
- Under the Contract the Controller entrusts the Personal Data to the Processor to be processed. The subject and duration of the processing, the scope and purpose of the processing, the kinds of Personal Data and the categories of data subjects are as described below (but not limited to):
- Personal Data consists of the following:
- name and surname;
- profession;
- date of birth;
- gender;
- Internet Protocol (IP) address;
- residence address: street, house number, number of apartment, postal code, locality;
- correspondence address: street, house number, number of apartment, postal code, locality;
- registered residence: street, house number, number of apartment, postal code, locality;
- e-mail address;
- phone number;
- Mobile device ID;
- Web Push ID;
- Taxpayer Identification Number (TIN) or any foreign counterpart of such;
- Employer Identification Number (EIN) or any foreign counterpart of such;
- business register number (if applies to data subject);
- identity card;
- number and series of the identity card;
- passport/ residence card/ identity document (in case of a foreigner);
- bank account;
- bank account’s owner’s name and surname;
- bank account’s owner’s address: street, house number, number of apartment, postal code, locality;
- details on debt;
- history of web browsing and online events;
- anonymous visitor history that is attached to Personal Data once consent is given to the Controller;
- history of mobile application interactions and events;
- purchase data (products, price, quantity, value);
- data computed by the Processor based on the data provided by Controller such as Average Order Value or Customer Lifetime Value and others.
- Processes – personal data undergo processes as stated in the Main Contract.
- The Personal Data may be processed during the term of the Main Contract and the Contract.
- The Controller declares that data processing is carried out on the grounds provided by art. 6 of the GDPR.
- The Processor declares that they provide sufficient resources, experience and professional knowledge in the field of personal data security, as well as qualified personnel, all of which allow the Processor to properly execute the Main Contract and the Personal Data Processing Contract, and that they have implemented the appropriate technical and organisational measures described in Appendix nr 1, in such a manner that the processing will meet the requirements of art. 32 of the GDPR.
- The Processor herein undertakes to process the Personal Data entrusted to them only within the scope, purposes and time range declared in point 1 above.
- The Processor declares to process the Personal Data pursuant to this Contract, the GDPR and other legal regulations regarding personal data security.
§3 Duties of the Processor
- The Processor undertakes to process Personal Data within the time frame set by the Controller and to anonymize, return or delete all indicated Personal Data only upon the Controller’s instruction, which shall be in written form under pain of invalidity or in electronic form, as well as in accordance with the Controller’s guidelines and within the scope of those guidelines and instructions.
- The Processor is hereby obliged to process the Personal Data only on documented instructions from the Controller, unless required to do so by Union or Polish law; in such a case, within 1 (say: one) day before the processing takes place, the Processor shall inform the Controller of that legal requirement, unless that law prohibits such information on important grounds of public interest. This Contract constitutes such a written instruction within the meaning of this section.
- The Processor ensures that persons authorised to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- The Processor, taking into account the nature of the processing and within their capacities, assists the Controller in fulfilling the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, through the following:
- the Processor shall notify the Controller of a demand received from the data subject. The notification shall occur within 5 (say: five) working days from the day the demand has been received by the Processor. For the avoidance of doubt, the Parties agree that the Processor is not authorized or obliged to perform any tasks to independently carry out the data subject’s demand;
- in case the fulfilment of the data subject’s demand makes it necessary to obtain certain information or documents from the Processor, the Processor shall deliver them to the Controller within 7 (say: seven) days from the day of receiving the Controller’s request in written or electronic form.
- The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR through the following:
- notifying the Controller about Personal Data Breach in accordance to the stipulations of § 4 of the Contract;
- implementation of appropriate technical and organisational measures as described in Appendix nr 1 to the Contract.
- The Processor is obliged, upon the Controller’s written instruction, to correct, update, limit the processing of or delete any Personal Data indicated by the Controller. This obligation shall be performed within 7 working days from the day of receiving the instruction.
- In case – in the opinion of the Processor – the Controller’s instruction violates the GDPR or any other Union or Polish laws regarding personal data security, the Processor shall inform the Controller of this violation within 5 (say: five) working days of the day on which the Processor received the instruction.
§4 Notification of a Personal Data Breach
- The Processor shall notify the Controller within 48 hours after becoming aware of a Personal Data Breach. The notification is sent to the e-mail address supplied by the Controller in the Order Form.
- The notification of the Personal Data Breach contains a description of the Breach, its causes and possible consequences, if these have been determined within the time frame stated in section 1 above.
§5 Audits
- The Parties hereby declare that, pursuant to art. 28 sec. 3 let. h) of the GDPR, the Controller is authorized to the following:
- requesting information from the Processor on the Contract’s execution, while the Processor retains the right to deliver that information, at their own discretion, in written or electronic form, within 7 (say: seven) working days of the day of receiving the Controller’s demand;
- undertaking audits as stipulated in this paragraph.
- An audit of the correctness of the processing of Personal Data may be conducted by the Controller, or by another auditor mandated by the Controller, upon prior notice to the Processor. The aforementioned notice should be sent at least 10 (say: ten) working days before the planned date of the audit and shall describe the planned place of the audit, the scope of activities and the persons authorized by the Controller to carry out the audit.
- The audit may only be carried out on working days, during the Processor’s working hours and in places where data is processed. The audit cannot be carried out more often than 2 (say: two) times per calendar year, with a minimum break of 3 (say: three) months between audits.
- The persons authorized to carry out the audit are authorized to enter rooms and premises where data are processed, and are granted access to the data processing records as well as to the IT systems with which the Processor ensures the safety and correctness of the Personal Data processing.
- The Processor is not obliged to provide the Controller, during the audit, with the technical or organizational means necessary for its execution. Each Party bears its own costs related to the execution of the audit.
- The Processor hereby declares to eliminate all irregularities found during the audit within the time limit set by the Controller, no shorter than 30 (say: thirty) working days.
§6 Subprocessors
- The Controller hereby grants general authorization to the Processor to make use of services provided by other Subprocessors within the scope of this Contract. A list of Subprocessors valid on the day of signing the Contract is contained in Appendix nr 2.
- The Processor shall inform the Controller of any intended changes concerning the addition of a new Subprocessor, supplying their details. The Controller has the right to reasonably object to such a Subprocessor within 3 (say: three) working days of the day on which the information has been received by the Controller.
- In case of relying on a Subprocessor’s services, the Processor ensures that the same data protection obligations as set out in this Contract are imposed on the Subprocessor.
- At the Controller’s written request, the Processor without delay shall provide a copy of such an agreement with the Subprocessor and any subsequent amendments to the Controller. The Processor may redact the text of the agreement prior to sharing the copy to the extent necessary to protect business secret or other confidential information, including personal data.
§7 Transfer of personal data to a third country or an international organization
- The Processor hereby declares that Personal Data are not and will not be transferred to a third country outside of the EEA or to an international organization.
- The exception to the rule in sec. 1 above is when the Controller authorizes the Processor in advance, in writing, to transfer the Personal Data outside of the EEA or to an international organisation, such authorization applying to a single entity or area outside the EEA; or when such a transfer is required by unconditionally binding law, in which case, before the transfer is executed, the Processor will notify the Controller of that obligation, unless the binding law explicitly forbids such a notification.
§8 Term of the Contract
- The Contract is in force during the term of the Main Contract.
- Termination or expiry of the Main Contract means termination of this Contract, unless the general provisions of the Main Contract state that services currently being provided shall be carried out until their end. In such a case, this Contract stays in force until those services are completed.
- Regardless of the Controller’s rights as stated in § 3 sec. 1 of the Contract, no later than 30 days from the termination date of the Contract, the Processor shall return all of the Personal Data to the Controller and will remove all existing copies of the Personal Data (including the data within the Processor’s systems).
- The Processor shall be entitled to terminate the Contract, after having informed the Controller that its instructions infringe applicable legal requirements and when the Controller insists on further compliance with the instructions.
§9 Confidentiality arrangements
- The Processor undertakes to keep secret any information, data, resources, documents and Personal Data obtained from the Controller or the Controller’s collaborators, as well as all data acquired in any other way, intentionally or not, in verbal, written or electronic form.
- The Processor declares that, due to the confidentiality obligation to keep all the information stated in sec. 1 above secret, these data will not be used, disclosed or shared without the Controller’s written permission, unless such disclosure is dictated by binding legal rules, the Main Contract or this Contract.
§10 Liability
The Parties unanimously agree that the Processor’s liability shall be limited to the amount of insurance as evidenced by a current policy of liability insurance to the extent that the policy covers. The Processor undertakes to maintain, throughout the term of this Contract, liability insurance for the entire term of the Contract with a sum insured of not less than PLN 1,000,000 (one million).
With respect to activities and events not covered by the aforementioned policy, the Processor’s liability shall be limited to the amount representing the sum of the remuneration paid by the Client in the last six (6) months preceding the date of discovery of the violation.
The Processor hereby declares that as of the date of conclusion of the Contract, it has a current liability insurance policy, which also includes insurance for cyber risks and risks related to GDPR, in addition to ISO/IEC 27001:2022 certification.
§11 Final provisions
- This Contract is made in two identical counterparts, one for each Party.
- The Appendixes mentioned in Contract constitute an integral part of the Contract.
- Any disputes arising from this Contract or from the Main Contract shall be referred for consideration to the common court as stated in the Main Contract.
- Any additions or changes to this Contract shall remain null and void unless made in writing.
- This Contract replaces any other verbal or written agreements, arrangements, settlements and contracts within the scope regulated by this Contract’s provisions, which become null and void on the day of signing the Contract.
Appendix nr 1
Technical and organisational means of security
1. Confidentiality
1.1. Physical access control
1.1.1. The buildings that form part of, or are used by, the Processor’s enterprise are secured with appropriate alarm systems.
1.1.2. The entry doors to each building described in the section above are fitted with the following closing systems: an access control system using key cards, or manual lock systems.
1.1.3. Access permissions to the systems above are documented, with the surname of the permitted person recorded.
1.1.4. Entry of persons from outside the Processor’s enterprise, including visitors, to any of the buildings mentioned above is documented with the person’s surname, or their presence and stay on the premises is allowed only when accompanied by the Processor’s employees.
1.2. IT resources accessibility control
1.2.1. The Processor’s network is secured from the public network by IP security measures.
1.2.2. The employees are obliged to abide by the following rules regarding passwords:
- each employee is granted an individual password to access a computer and is obliged to keep it secret;
- there are no group passwords;
- a periodic change of password is enforced.
1.2.3. An anti-virus system is used on all servers.
1.2.4. An anti-virus system is used on all workstations.
1.2.5. Security-related system updates are regularly and automatically installed into the existing software.
1.3. Control of users’ access to data
1.3.1. A documented concept of roles and permissions exists.
1.3.2. The process of granting permissions is documented, with the surnames of authorized persons recorded.
1.3.3. Where manual maintenance or manual access is possible, it is carried out with the utmost care.
1.4. Data separation control
1.4.1. The permissions concept for the above-mentioned clients/network segments ensures that the data may not be accessed by those employees of the Processor who have not been authorized to process the Controller’s data.
1.4.2. The employees are obliged in writing not to use any information arising from the Controller’s data banks for other projects or other purposes.
2. Integrity
2.1. Data sharing control
2.1.1. Local disks on portable workstations are encrypted to ensure the protection of the Controller’s data.
2.1.2. Data carriers with backup copies are stored securely.
2.1.3. Portable devices are equipped with security measures.
2.2. Data input control
2.2.1. As a means of recording the deletion or modification of the Controller’s data, separate files are created for each employee of the Processor, using their surname or login.
3. Availability
3.1. Availability control
3.1.1. Backup copies of the Controller’s data are made regularly.
4. Personal data processing control
4.1. Task control
4.1.1. The Processor’s employees who process the Controller’s Personal Data are permitted access to those data and have undertaken in writing to keep all information regarding the processing confidential and secret.
4.1.2. The Processor’s employees undergo training in Personal Data security and protection.
4.1.3. The Processor has procedures for the regular verification, assessment and evaluation of the technical and organisational security measures and their effectiveness, to ensure secure and correct processing in accordance with art. 32 sec. 1 of the GDPR.
4.2.2. Within the Processor’s enterprise, procedures on how to act in case of a data breach, including a Personal Data Breach, are in place.
Appendix nr 2
Subprocessors
1. IQ PL Spółka z ograniczoną odpowiedzialnością with registered office in Gdańsk,
2. Microsoft Ireland Operations Limited