Personal Data Processing Agreement
(entrusting of personal data processing to the Vendor)
This Personal Data Processing Agreement (“DPA”) contains provisions concerning personal data processing in compliance with Regulations of Using the CatManSpace.com Solution (the “System”) in the Software as a Service (“SaaS”) model (“Regulations”).
The DPA is an integral Attachment to the Regulations mentioned above.
The Parties of this Personal Data Processing Agreement are:
The Customer, using the System in the SaaS model (the “Controller”),
The Vendor (C&S Software Sp. z o.o.), providing the System in the SaaS model (the “Processor”).
- “GDPR” – “REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)”.
- Polish Legal Regulations Implementing GDPR – Polish Legal Act of May, 10 on personal data protection.
- The notions “personal data”, “personal data processing”, “controller”, “processor” and “personal data breach” are understood and interpreted in this DPA in compliance with their definitions in the GDPR.
- “Service Providing Agreement” – the binding Framework Agreement for IT services in the scope of access to the “CatManSpace.com” Solution and the Statement of Work to this Framework for Providing the CatManSpace.com Solution in the SaaS model, concluded between the Controller and the Processor, comprising provisions on acknowledgement and acceptance of the Regulations.
- “Personal Data Processing Agreement”, “DPA” – this agreement, entrusting processing of personal data of the Customer to the Vendor, constituting an integral attachment to the Regulations. The purpose of this DPA is to prescribe conditions of personal data processing in compliance with GDPR requirements.
Entrusting of personal data processing
- The Customer represents that he is the personal data Controller, within the meaning of article 4 of the GDPR, of personal data concerning:
a) System users, with assigned named access accounts to components of central server environment,
b) System users designated by the Controller as authorized to communicate service requests and questions to the System support and maintenance teams provided by the Vendor,
c) Other natural persons whose personal data may be stored in the System database at the Controller's initiative,
including their identification data (names, surnames), contact data (phone numbers, e-mail addresses, workplace addresses), business and professional data (positions, project roles, enterprise department names) and others.
- The Controller entrusts to the Processor, in compliance with GDPR article 28, personal data concerning the categories mentioned above for processing, under the rules and for the aims determined in this DPA.
- The Processor commits itself to processing the personal data entrusted to him in compliance with this DPA, provisions of the GDPR and other rules of generally applicable legislation relating to data protection and privacy of data subjects.
- The Processor declares that it applies security measures satisfying GDPR requirements.
Subject, scope and goal of personal data processing
- The goal of entrusting personal data processing is to enable effective performance of the concluded Service Providing Agreement.
- Personal data entrusted by the Controller to the Processor shall be processed by the Processor solely for effective performance of the tasks specified in the Service Providing Agreement and the Regulations, i.e. those coming within the sphere of activities specified in the mentioned Agreement, concerning enabling the use of the System in the SaaS model.
- Processing of personal data entrusted by the Controller to the Processor in any scope or for any goal other than specified in the provisions mentioned above, i.e. outside the authorizations granted in this DPA, is unacceptable.
- The Processor commits itself, when processing personal data entrusted to him, to protect them by applying appropriate technical and organizational measures guaranteeing an adequate security level, corresponding to the risks of personal data processing, as mentioned in article 32 of the GDPR.
- The Processor commits itself to due diligence in processing the personal data entrusted to him.
- The Processor commits to issue individual letters of authorization to all persons who will process entrusted personal data in order to execute the Agreement.
- The Processor commits to preserve obligations of confidentiality (described in art. 28 pt. 3b of GDPR) of personal data processed by his employees and contractors, authorized by him to process personal data in order to execute the Agreement, during their employment by the Processor as well as after cessation of their employment.
- After completion of the services covered by the Agreement that concern personal data processing, the Processor shall return to the Controller any personal data and shall erase any copies of them, if any copies have been made, unless provisions of applicable law dictate further storage of these personal data.
- As far as possible and in the indispensable scope, the Processor shall help the Controller to fulfil his duties concerning responses to demands of data subjects and the duties described in articles 32-37 of the GDPR, in accordance with article 28, pt. 3f of the GDPR.
- After detection of a personal data breach, the Processor, without any unnecessary delay, reports the breach to the Controller within 24 hours from the moment of personal data breach detection.
- In accordance with article 28 pt. 3h of the GDPR, the Controller is authorized to inspect whether the measures applied by the Processor for processing and securing the entrusted personal data are compliant with the provisions of this DPA.
- The Controller shall exercise his inspection privilege during the working hours of the Processor and with appropriate warning (minimum 3 days ahead).
- The Processor commits itself to remove any breaches encountered during inspection within a time limit stated by the Controller, not longer than 7 calendar days.
- The Processor shall make available to the Controller any information needed to demonstrate that all duties described in article 28 of the GDPR are fulfilled.
Further entrusting of personal data
- In accordance with article 28 pt. 2 of the GDPR, the Processor may entrust the personal data covered by this DPA for further processing, only in order to execute the provisions of the Service Providing Agreement, to the provider of the IT environment Microsoft Azure, in compliance with the current license conditions of Microsoft concerning “Cloud Services”, published on the Microsoft website: http://www.microsoftvolumelicensing.com and covering conclusion of an appropriate data processing agreement concerning the entrusted data.
- Any changes intended by the Processor concerning addition or replacement of further processors mentioned in pt. 1 above or arranged by the Controller and Processor in writing require prior written approval by the Controller entrusting personal data processing.
- Any other processors, mentioned in pt. 1 and 2 above shall fulfill the same guarantees and duties, as determined in this DPA for the Controller, and described in article 28 pt. 4 of GDPR.
- The Processor is fully responsible to the Controller for any failure by the other processors mentioned in pt. 1 and 2 above to fulfil duties concerning personal data protection.
- The Processor is responsible for making personal data available or using them inconsistently with the content of this DPA, in particular for making entrusted personal data available to non-authorized persons.
- The Processor is responsible for any possible damages resulting for the Controller or third parties from processing of the entrusted personal data inconsistently with this DPA.
- The Processor commits to immediately report to the Controller any proceedings, in particular administrative or judicial, concerning the processing by the Processor of personal data determined in the DPA, any administrative decision or judgement concerning the processing of these data addressed to the Processor, as well as all planned, if known, or performed inspections and audits conducted by inspectors authorized by the President of the Personal Data Protection Office. This section concerns only personal data entrusted to the Processor by the Controller.
- In the case of any penalties imposed on the Controller for breaches in application of the GDPR (or Polish Legal Regulations introducing the GDPR) because of the Processor's activities, the Processor commits to cover the imposed penalties in full.
- This Personal Data Processing Agreement is applicable for the whole term of applicability of the Service Providing Agreement.
- Expiration or termination of this DPA results in the simultaneous expiration or termination of the Service Providing Agreement.
- Expiration or termination of the Service Providing Agreement results in the simultaneous expiration or termination of this DPA.
Termination of the Agreement
- The Controller may terminate this DPA with immediate effect, when the Processor:
a) Despite the obligation to remove breaches determined during an inspection performed, does not remove them by the prescribed date;
b) Processes personal data in a way not compliant with this DPA;
c) Has entrusted personal data processing to another processor without the information and approval of the Controller.
- Termination of this DPA with immediate effect results in the simultaneous termination, with immediate effect, of the Service Providing Agreement.
- Termination of the Service Providing Agreement with immediate effect results in the simultaneous termination, with immediate effect, of this DPA.
- The Processor commits to preserve the confidentiality of all information, data, documents and other media, in particular concerning personal data entrusted to the Processor and his employees by the Controller and his co-workers and personal data of the Controller obtained in any other way, planned or accidental, in any form (oral, in writing and by electronic media). Any data obtained shall always be treated as confidential.
- The Processor declares that, because of confidentiality obligations, these data shall not be used, published or made available without the consent of the Controller in writing, unless disclosure of the information acquired results from applicable provisions of law or the Agreement.
- All changes and amendments to this DPA have to be provided in writing.
- In matters not covered by this DPA, provisions of the GDPR, Polish Legal Regulations introducing the GDPR, and Polish Civil Code will be applicable.