Data Entrustment Agreement

hereinafter: the “Agreement”, concluded on the day of accepting the GTU of the Program Organizer between:

Service Provider and Program Organizer,

jointly referred to as the Parties, and each of them individually as the Party.

  1. General Provisions.

1.1. This Annex regulates the rules for the processing by the Service Provider of personal data entrusted by the Program Organizer.

1.2. The Parties agree that the Data Protection Law and other applicable legal provisions regulating the protection of personal data respectively under the Applicable Law shall apply with regard to the processing of personal data.

1.3. The Program Organizer is the controller of personal data within the meaning of the Data Protection Law referred to in the Agreement.

1.4. The Program Organizer entrusts the Service Provider with the processing of personal data in accordance with the Data Protection Law.

1.5. The Service Provider is the entity processing personal data at the request of the Program Organizer within the meaning of the Data Protection Law.

1.6. The nature, purpose and scope of processing of personal data by the Service Provider is governed by the Agreement and Annex 1.

  2. Declarations of the Program Organizer.

2.1. The Program Organizer declares that personal data have been obtained and are processed in accordance with applicable law, including in accordance with the Data Protection Law.

2.2. The Program Organizer in particular confirms that personal data refer to:

2.2.1. persons who have given consent to the processing of their personal data for the purpose consistent with the terms of the Agreement;

2.2.2. persons whose personal data processing is necessary for the performance of the agreement, where the data subject is a party to the agreement, or for taking actions at the request of the data subject prior to the conclusion of the Agreement;

2.2.3. persons whose personal data processing is necessary to fulfil the legal obligation incumbent on the controller;

2.2.4. persons whose personal data processing is necessary in order to protect the vital interests of the data subject or of another natural person;

2.2.5. persons whose personal data processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

2.2.6. persons whose personal data processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

2.3. The Program Organizer confirms that the data subjects were notified of the processing of their data to the extent and in the manner required by the Data Protection Law.

2.4. The Program Organizer confirms that it is entitled to process personal data and entrust them to the Service Provider’s processing within the scope and for the purpose determined in the Agreement.

2.5. In the case of further entrustment of data processing, the Program Organizer confirms that it obtained the consent of the appropriate Data Controller required by the provisions of the Data Protection Law to entrust further processing of personal data for the purpose and scope specified in the Agreement.

  3. Instruction of the Program Organizer.

3.1. The Service Provider is obliged to process personal data only in accordance with the instructions provided by the Program Organizer, unless Applicable Law provides otherwise.

3.2. The Program Organizer’s instructions are included in the Agreement and Annexes or are ordered and implemented via the application, in particular through the features provided in the application, or in other agreed mode – e.g. by authorized persons via e-mail correspondence.

3.3. The Program Organizer ensures that all instructions transmitted to the Service Provider are compliant with the applicable law, including the provisions on the protection of personal data.

3.4. Any further instructions that go beyond the instructions specified in the Agreement must relate to the subject matter of the Agreement or the implementation of the Program by the Program Organizer.

3.5. If the implementation of further instructions generates costs for the Service Provider, the Service Provider is obliged to inform the Program Organizer about such costs along with an explanation of the amount of costs before implementing the instruction.

3.6. After the Program Organizer confirms that it shall bear the costs of executing the instruction and after these are paid by the Program Organizer, the Service Provider is obliged to implement the instruction.

3.7. The Program Organizer also prepares instructions in writing, unless urgent nature or other special circumstances justify issuing instructions in electronic form. Instructions in a form other than in writing, in particular in electronic form, should be immediately documented in accordance with the provisions of the Agreement.

3.8. The Service Provider shall promptly inform the Program Organizer if in its opinion the instruction violates the provisions of the Data Protection Law or other provisions of Applicable Law and shall ask the Program Organizer to withdraw, change or confirm the disputed instruction.

3.9. While awaiting the decision of the Program Organizer, the Service Provider is entitled to suspend the implementation of the disputed instruction.

3.10. In the case where the implementation of the instruction of the Program Organizer, despite providing explanations, would lead to violation of Applicable Law, the Service Provider is entitled to refrain from the implementation of this instruction.

3.11. Period of personal data entrustment.

3.11.1. The Program Organizer entrusts the Service Provider with the processing of personal data for the duration of the Agreement on cooperation concluded by the Parties or implementation of the Program.

3.11.2. The Parties declare that any change in the period of entrusting the processing of personal data must be agreed each time by the Parties by amending the Agreement or entering into a separate agreement, which shall specify the change of the processing period for the entrusted personal data.

3.12. The purpose of processing entrusted personal data.

3.12.1. A detailed description of the purpose of entrusting the processing of personal data is included in the Annex 1.

3.12.2. The Parties declare that any change in the purpose of entrusting the processing of personal data is implemented through the features available in the application, by means of which the Program Organizer issues instructions for the Service Provider and may additionally be confirmed by the Parties by amending in writing the Agreement or entering into a separate agreement, which shall specify the change of the purpose of the processing of the entrusted personal data.

3.13. List of places where entrusted personal data are processed.

3.13.1. Detailed description of places where entrusted personal data are processed is included in the Annex 1.

3.13.2. The Parties declare that any change of the place of processing of entrusted personal data is implemented through the features available in the application, by means of which the Program Organizer issues instructions in this regard for the Service Provider and it may be additionally confirmed by the Parties by amending in writing the Agreement or entering into a separate agreement in writing, including electronic form, which shall specify the change of the place where entrusted personal data are processed.

3.14. The scope of processing of entrusted personal data.

3.14.1. Detailed description of the scope of processing of entrusted personal data is included in the Annex 1.

3.14.2. The Parties declare that any change in the scope of processing of entrusted personal data is implemented through the features available in the application, by means of which the Program Organizer issues instructions for the Service Provider and may additionally be confirmed by the Parties by amending in writing the Agreement or entering into a separate agreement in writing, including electronic form, which shall specify the change of the scope of processing of entrusted personal data.

  4. Declarations of Service Provider.

4.1. The Service Provider undertakes to perform the Agreement with the utmost professional diligence in order to secure the legal, organizational and technical interests of the Program Organizer in the processing of entrusted personal data.

4.2. The Service Provider, taking into account the risk of violation of the rights and freedoms of natural persons and the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of personal data, undertakes to implement in accordance with the requirements of the Data Protection Law technical and organizational measures to ensure a level of security appropriate to the risk and categories of data subject to protection, in particular to protect personal data against damage, destruction and disclosure to unauthorized persons. Description of implemented technical and organizational measures is available at the request of the Program Organizer.

4.3. The Service Provider may at any time change the implemented measures, provided that they do not guarantee a lower level of protection than the measures in force at the time of conclusion of the Agreement.

4.4. The Service Provider undertakes to provide the Program Organizer with information about current technical and organizational measures along with the information on changes in the scope of implemented measures, immediately after making any changes.

4.5. The Service Provider undertakes, at the request of the Program Organizer, to provide other information necessary to demonstrate compliance with the obligations set out in the Data Protection Law.

4.6. The Service Provider undertakes not to create any working copies of entrusted personal data, except in situations where it is required for the proper implementation of the Agreement.

4.7. The Service Provider undertakes to immediately destroy all working and emergency copies of entrusted personal data created during their processing after their use.

4.8. The Service Provider undertakes to notify the Program Organizer within 1 (one) business day of:

4.8.1. control of the compliance of the processing of entrusted personal data carried out by the supervisory authority in the scope of implementation of the provisions of the Data Protection Law in any organizational unit of the Service Provider,

4.8.2. administrative decisions issued by the supervisory authority in the scope of implementation of the Data Protection Law and complaints under consideration regarding the implementation by the Service Provider of the provisions of the Data Protection Law regarding entrusted personal data.

4.9. The Service Provider undertakes to protect personal data against disclosure to unauthorized persons, removal by an unauthorized person, damage, destruction or loss, and will take all necessary steps to keep personal data confidential and protect them in accordance with the applicable provisions of the Data Protection Law.

4.10. The Service Provider declares that all persons authorized to process personal data have undertaken to keep them secret or are subject to an appropriate statutory obligation of secrecy in accordance with the Data Protection Law, and that the Service Provider is responsible for their actions or omissions as for its own.

4.11. The Service Provider undertakes to keep records of employees employed for the processing of personal data or having access to IT systems in which personal data are processed, and to familiarize them with the content of the provisions of the Data Protection Law and the rules for the protection of personal data and responsibility for not respecting them.

4.12. The Service Provider undertakes to support the Program Organizer, in its capacity and to a reasonable extent, in fulfilling its obligations towards data subjects, in particular by applying appropriate and possible technical and organizational measures necessary for the Program Organizer to enable persons to exercise their rights under the Data Protection Law.

4.13. The Service Provider undertakes to support the Program Organizer in performing the tasks provided for in the provisions of the Data Protection Law, by providing the necessary information.

4.14. The Service Provider undertakes to provide the Program Organizer with assistance, but only to the extent in which the Program Organizer’s obligations cannot be fulfilled by the Program Organizer by other means with respect to supporting the Program Organizer in performing data protection impact assessment and prior consultation with the supervisory authority. The Service Provider shall inform the Program Organizer about the costs of such assistance and after the Service Provider confirms that these costs have been incurred, the Program Organizer shall provide the required support.

4.15. The Service Provider undertakes to notify the Program Organizer without undue delay from the moment of receiving reliable, confirmed information about the Service Provider’s or its subcontractor’s obligation under the Applicable Law to process personal data in a way that goes beyond the Program Organizer’s instructions. In this case, before starting such processing, the Service Provider will inform the Program Organizer about the legal obligation, unless the law prohibits the provision of such information due to important public interest; in this case, the notification of the Program Organizer is specified by the legal requirement under Applicable Law.

4.16. The Service Provider undertakes to inform the Program Organizer immediately of any events resulting or likely to result in a violation of the protection of personal data, in particular those leading to a violation of the privacy of the persons whose data have been entrusted.

4.17. The Service Provider undertakes to support the Program Organizer within the scope of the Program Organizer’s compliance, where applicable, with the obligation to inform the supervisory authority or the data subject by providing information available in accordance with the provisions of the Data Protection Law.

4.18. In the event of a breach of personal data protection by the Service Provider, the Program Organizer is entitled, in particular, to reimbursement of all reasonable costs of a legally concluded trial, including legal representation and possible damages awarded by a final judgment for the benefit of persons affected by the breach, regardless of contractual penalties and compensation claims due to the Program Organizer on the basis of the Agreement.

  5. Rules for the use of subcontractors.

5.1. In order to ensure proper implementation of the Agreement, the Program Organizer agrees that the Service Provider may use subcontractors and further entrust them with the processing of personal data. 

5.2. The Service Provider indicates the subcontractors it will use in Annex 1 and undertakes to constantly update the data contained therein.

5.3. The Program Organizer has the right to object to the Service Provider’s use of the indicated subcontractor within 14 days of receiving information about the planned change.

5.4. If the Program Organizer does not object within 14 days as of receiving information about the planned change, it is deemed that it consented to such a change.

5.5. After receiving the objection from the Program Organizer, the Service Provider within 30 days will establish the procedure in connection with the received objection. After this period, either Party may terminate the Agreement in accordance with the provisions of the Agreement or the Program Organizer GTU.

5.6. If the implementation of the Program is agreed for a definite period of time, the Parties agree that the objection to the subcontractor constitutes a premise for termination of the legal relationship on the basis of which the Program Organizer implements the Program with the use of the Application and both agreements terminate with a 14 (fourteen) day notice period at the end of the billing period.

5.7. Further entrusting of the processing of personal data may take place only within the limits and for the purpose of provision of the Service.

  6. Return or erasure of the data.

6.1. The Service Provider shall erase or transfer the entrusted personal data to the Program Organizer in a manner specified by the Program Organizer, within 7 days from the end of the Agreement, in the following cases:

6.1.1. in the event of termination of the Agreement,

6.1.2. at every request of the Program Organizer.

  7. Power of audit of Program Organizer.

7.1. The Program Organizer has the right to perform periodic audits of the implementation of the processing of entrusted personal data by the Service Provider.

7.2. Audits performed by the Program Organizer may be carried out by the Program Organizer’s employees or through an independent auditor authorized by the Program Organizer to carry out audit activities.

7.3. The Program Organizer undertakes that an entity conducting direct or indirect activity competitive to the activity conducted by the Service Provider will not be appointed as an authorized auditor.

7.4. Competitive activity means any activity, paid or unpaid, in the country or abroad, regardless of the legal form, which is conducted within the same or similar subject range and addressed to the same public, coinciding – even partially – with the scope of the core or a by-side business of the Service Provider or entities from the Service Provider group in the world. In order to assess whether a given entity is competitive, not only the subject of activity of such entity resulting from the content of the agreement establishing it, but also the subject of activity actually performed by this entity, will be taken into account.

7.5. In the event of commissioning the audit to entities competitive to the Service Provider, the Service Provider is entitled to refuse to proceed with the audit until another entity is appointed to conduct the audit on behalf of the Program Organizer or until further procedure is agreed between the Program Organizer and the Service Provider.

7.6. The audit may only concern personal data entrusted for processing under the Agreement and will be limited to the registered seat of the Service Provider and devices used to process personal data as well as personnel involved in processing activities covered by the Agreement.

7.7. The audit shall be carried out as quickly and efficiently as possible, and shall last no longer than two (2) business days.

7.8. The audit will take place no more than once a year, unless a greater frequency of audits of the Service Provider is required in accordance with the law or by the competent supervisory authority, or it takes place immediately after finding a significant breach of personal data processed under the Agreement.

7.9. The audit shall be carried out during the regular working hours of the Service Provider, in a manner that does not interfere with the Service Provider’s business activity and in accordance with the applicable security standards of the Service Provider.

7.10. The Program Organizer shall inform the Service Provider about the intention to carry out the audit by email or letter at least 14 working days before the planned audit date.

7.11. The Service Provider undertakes to confirm readiness to carry out the audit in accordance with the notification within 3 business days after receiving the notification.

7.12. In the event it is not possible to carry out the audit within the planned time or under other unexpected obstacles beyond Service Provider’s capacity, the Service Provider shall notify the Program Organizer of such circumstances and propose a new date of audit, no later than within 7 business days from the date of the audit.

7.13. The costs arising from or incurred in connection with the audit shall be borne by each Party in accordance with the amount of incurred costs.

7.14. The audit may not be aimed at or lead to the disclosure of legally protected secrets, including trade secrets of any of the Parties.

7.15. The Program Organizer undertakes to prepare a report summarizing the findings of the audit. The report shall be provided to the Service Provider and shall constitute confidential information about the Service Provider, which cannot be disclosed to third parties without the consent of the Service Provider, unless required by applicable law.

7.16. The Service Provider undertakes to remove any violation found during the audit in the course of processing of personal data or violation in the implementation of the Agreement within 7 days from finding a violation or indicating the violation in the report summarizing the findings of the audit.

7.17. If the Service Provider has a certification referred to in the provisions of the Data Protection Law or in case it applies codes of conduct referred to in the provisions of the Data Protection Law, the Program Organizer’s audit powers may also be exercised by the Service Provider referring to the results of monitoring the rules of certification or the code of conduct. In such case, the audit shall only cover matters that cannot be sufficiently clarified by presenting such monitoring results by the Service Provider.

This Agreement applies from 25/05/2018.

The update of the document is valid from …… / …. / 2021.

Annex 1 to the Data Entrustment Agreement concluded between the Service Provider and the Program Organizer.

  1. Nature of the processing of personal data.

1.1. The processing of personal data shall be manual and automatic.

1.2. Personal data shall be processed only by persons authorized to process personal data.

1.3. Personal data shall be processed by the Service Provider’s IT systems and the IT systems of subcontractors.

  2. Purpose of processing personal data.

2.1. Entrusting the processing of personal data includes data processing for the following purposes:

2.1.1. collection of personal data;

2.1.2. storage of personal data;

2.1.3. sharing of personal data;

2.1.4. development of personal data;

2.1.5. editing of personal data;

2.1.6. erasure of personal data.

  3. Categories of data subjects.

3.1. Entrusting the processing of personal data includes processing of the following categories of data subjects (jointly referred to as Program Participants):

3.1.1. Employees;

3.1.2. Associates;

3.1.3. Contractors;

3.1.4. Representatives;

3.1.5. other categories of data subjects processed by Program Organizer.

  4. The scope of entrusted Personal Data.

4.1. Entrusting the processing of personal data includes data processing in the following scope:

4.1.1. data of the Program Participant:

4.1.1.1. first name;

4.1.1.2. surname;

4.1.1.3. e-mail address;

4.1.1.4. phone number;

4.1.1.5. other types of data determined by the Program Organizer via the Application.

  5. The period of processing of entrusted Personal Data.

5.1. Entrusting the processing of personal data includes the processing of data from the moment the Agreement is concluded for a period of 24 hours after the termination or expiry of the Agreement.

  6. List of places where entrusted Personal Data are processed.

6.1. Entrusting the processing of personal data includes data storage in the places indicated in the document: http://nais.co/legal/nais-subprocesors/.

6.2. According to the current interpretation of the obligations of the Personal Data Controller and Processor, the list of the locations of the processing of personal data includes own and leased data processing areas in connection with the management of the separated office and technical space for the purpose of server colocation. 

  7. Subcontractors.

7.1. In order to implement further entrustment of the processing of Program Organizer personal data, in connection with ensuring the proper performance of the agreement, the Service Provider uses the Subprocessors – subcontractors indicated in the document: http://nais.co/legal/nais-subprocesors/

This document applies from 25/05/2018.

The update of the document is valid on the UK market from 26/05/2021.