Data Processing Agreement
For the purposes of this Agreement, the following definitions shall apply:
1) Controller – Kancelaria Prawnicza ARGOS adw. Wojciech Lubelski i Wspólnicy sp. k., Kościuszki 6/4, 40 – 049 Katowice, NIP: 6341000903, KRS: 0000749035, represented by the general partner Wojciech Lubelski;
2) Processor – the person who concludes the Main Contract with the Controller;
3) Parties – Controller and Processor;
4) Main Contract – an agreement under which the Processor undertook to provide legal services to the Controller;
5) Agreement – this agreement entrusting the processing of personal data.
a) The Controller and the Processor are parties to the Main Contract,
b) The Controller is a personal data controller,
c) in connection with the performance of the Main Contract, there is a need for the Processor to process personal data provided to him by the Controller,
the Parties, in accordance with Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter: “GDPR”), agree to conclude this Agreement as follows:
§ 1 [Subject of the Agreement]
1. The Controller entrusts the Processor with the processing of personal data necessary for the execution of the Main Contract, on the terms and for the purpose specified in this Agreement.
2. The Processor undertakes to process the personal data entrusted to it in accordance with this Agreement, GDPR and other provisions of law, so that the processing protects the rights of data subjects, in particular the right to the protection of personal data.
3. The Processor undertakes to apply security measures that meet the requirements of GDPR.
§ 2 [Duration of the Agreement and personal data processing]
1. This Agreement is concluded on the date of conclusion of the Main Contract and shall be valid from that date for an indefinite period of time, but not longer than the duration of the Main Contract. The term of the Agreement shall also be the duration of data processing by the Processor, within the meaning of Article 28 of GDPR.
2. Either Party may terminate this Agreement by giving 14 days’ notice. Termination of the Agreement by a Party shall be equivalent to termination of the Main Contract by that Party. However, the previous sentence shall not apply if the Parties decide otherwise, or if the further provision of services by the Processor to the Controller under the Main Contract will not involve the processing of any personal data on the Controller’s behalf by the Processor and the Main Contract may be further performed in accordance with the GDPR.
3. The Controller may terminate this Agreement with immediate effect if the Processor:
a) despite his obligation to remedy the deficiencies found during an inspection, fails to remedy them within the specified period;
b) processes personal data in a manner inconsistent with the Agreement or GDPR;
c) entrusts the processing of personal data to another entity without the consent of the Controller.
§ 3 [Nature and purpose of data processing]
1. The Processor will process the entrusted data using IT systems and paper documentation. The processing may be carried out with the frequency required for the performance of obligations under the Main Contract, using the technology available to the Processor.
2. The processing of personal data may include operations such as: recording, organising, arranging, storing, adapting or modifying, downloading, browsing, using, matching or combining, limiting, deleting or destroying personal data, subject to the limitations imposed by the Agreement and as necessary for the purposes of the processing, including those set out in this Agreement and the Main Contract.
3. Personal data entrusted by the Controller will be processed by the Processor solely for the purpose of the Main Contract.
4. The Processor will not use the services of electronic service providers (so-called cloud and transfer services) unless the Controller itself expressly communicates with the Processor in this way.
§ 4 [Types of processed data and categories of data subjects]
1. The Processor will process the following data if entrusted under the Agreement and the Main Contract:
a) common data such as:
* forenames and surnames
* home address
* correspondence address
* PESEL number and date of birth
* NIP, REGON number
* series and number of ID card or other identity document
* telephone number
* e-mail address
* IP address
* forenames and surnames of parents, children and other family members
* bank account number
* registration number and VIN number of the vehicle
* in the case of insurance proceedings – information concerning the circumstances of the insurance event, its consequences, reported claims and the course of proceedings, information concerning the concluded insurance agreement
* data concerning completed civil and administrative court proceedings
b) data of special categories and criminal data such as:
* medical records and other information on health condition and course of treatment
* information on convictions and prohibited acts or related security measures
c) unstructured data – content with potential and probable content of personal data (entries, text documents, images, recordings, films, correspondence).
2. The Processor will process the personal data of the following categories of data subjects, if entrusted under the Agreement and the Main Contract:
* Controller’s employees
* persons with whom the Controller cooperates on the basis of civil law contracts
* Controller’s commercial contractors
* Controller’s clients and the data provided by these clients
§ 5 [Obligations and rights of the Controller]
1. The Controller declares that he processes the personal data entrusted on the basis of the Agreement in accordance with the applicable law, in particular in accordance with the GDPR.
2. The Controller undertakes to cooperate with the Processor within the scope of personal data processing entrusted to him, including providing the Processor, at his/her request, with the necessary information to perform the Agreement in accordance with applicable law, including the GDPR.
3. The Controller shall have the right to audit the performance of the obligations referred to in this Agreement by the Processor. In particular, the Controller may carry out inspections or authorize an external auditor to do so. The audit should be carried out in a manner that does not hinder the Processor from conducting his activities. The Parties shall agree on the date of the audit in writing or by e-mail at least 7 days in advance. The audit will be carried out in accordance with applicable laws.
§ 6 [Obligations and rights of the Processor]
1. The Processor undertakes to:
a) process the data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country or an international organisation – unless such an obligation is imposed on it by the law of the European Union or Polish law; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest; the Controller under this Agreement instructs the Processor to process any personal data provided to the Processor in accordance with the Agreement and the Main Contract, in order to perform the Main Contract; the Parties agree that any transfer of personal data in the performance of their obligations under the Main Contract constitutes an instruction to process the data by the Processor, unless the Controller decides otherwise;
b) ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
c) take all measures required pursuant to Article 32 of the GDPR (security of processing);
d) respect the conditions referred to in § 7 for engaging another processor;
e) assist the Controller – while taking into account the nature of the processing – by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of GDPR (rights of the data subject);
f) assist the Controller – while taking into account the nature of processing and the information available to the Processor – in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (personal data security and data protection impact assessment and prior consultation);
g) after the end of the provision of services relating to processing, at the choice of the Controller, delete or return all the personal data to the Controller, and delete existing copies, unless European Union or Polish law requires storage of the personal data;
h) make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
2. In connection with the obligation referred to in paragraph 1.b., the Processor shall only allow the processing of personal data by persons who:
a) have been authorised to process personal data, on the basis of a written authorisation issued to them by the Processor;
b) have submitted a declaration of secrecy in relation to the personal data entrusted to them.
3. In connection with the obligation referred to in paragraph 1.g., the Processor shall, upon completion of the services related to the processing, delete personal data and any existing copies thereof, without a separate request from the Controller, unless the Controller requests to return the data to him in advance. The above does not apply if European Union law or Polish law requires that personal data be stored by the Processor.
4. In connection with the obligation referred to in paragraph 1.h., the Processor shall:
a) immediately inform the Controller if, in Processor’s opinion, the order issued to him is in violation of GDPR, other European Union regulations or Polish law on data protection;
b) undertake to remedy the deficiencies found during the inspection within a period indicated by the Controller, which shall not exceed 7 days.
5. The Processor undertakes to:
a) exercise due diligence in processing the personal data entrusted to him;
b) process the personal data provided by the Controller in a way that protects it from being made available to unauthorised persons. The Processor is obliged to prevent unauthorised persons from collecting the personal data provided to the Processor by the Controller and to prevent their processing that would be in violation of law or Agreement;
c) provide appropriate technical and organizational measures to ensure an adequate level of security corresponding to the risks associated with the processing of personal data referred to in Article 32 of the GDPR (security of processing).
6. The Processor, upon finding a personal data protection breach, shall report it to the Controller without undue delay and in any event no later than 2 days from the breach.
§ 7 [Sub-processing]
1. The Processor will not use the services of another processor without the prior detailed or general written consent of the Controller. In the case of a general written consent, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of other processing entities, thus giving the Controller the opportunity to object to such changes.
2. If the Processor has obtained the consent referred to in paragraph 1, he may entrust personal data covered by this Agreement to further processing only for the purpose of the proper performance of the Main Contract.
3. If the Processor uses the services of another processor to perform specific processing activities on behalf of the Controller, he undertakes to impose the same data protection obligations on this entity as those contained in the Agreement, in particular the obligation to provide sufficient guarantees for the implementation of appropriate technical and organisational measures to ensure that the processing meets the requirements of the GDPR. If this other processor fails to fulfil its data protection obligations, full responsibility shall lie with the Processor.
§ 8 [Record of categories of processing activities]
1. Processor and, where applicable, the Processor’s representative shall maintain a record of all categories of processing activities carried out on behalf of a Controller, if:
a) Processor employs 250 people or more,
b) the processing carried out by Processor is likely to result in a risk to the rights and freedoms of data subjects,
c) the processing is not occasional,
d) the processing includes special categories of data as referred to in Article 9(1) of the GDPR or personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR.
2. The record referred to in paragraph 1 shall contain the following information:
a) the name and contact details of the Processor and of each controller on behalf of which the Processor is acting, and, where applicable, of the controller’s or the Processor’s representative, and the data protection officer;
b) the categories of processing carried out on behalf of each controller;
c) where applicable, transfers of personal data to a third country or an international organisation, including the identification of that third country or international organisation and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards;
d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1) of the GDPR.
§ 9 [Liability and information duty]
1. The Processor is liable for making personal data available or using it in a manner inconsistent with the Agreement, and in particular for making personal data entrusted for processing available to unauthorized persons.
2. The Processor undertakes to immediately inform the Controller of:
a) any proceedings, including administrative or judicial proceedings, concerning the processing of personal data specified in the Agreement by the Processor,
b) any administrative decision or ruling concerning the processing of personal data specified in the Agreement addressed to the Processor,
c) any planned (if known) or conducted controls and inspections concerning the processing of personal data specified in the Agreement by the Processor, in particular those conducted by inspectors authorized by the President of the Office for Personal Data Protection (Prezes Urzędu Ochrony Danych Osobowych).
§ 10 [Confidentiality]
1. The Processor undertakes to keep confidential all information, data, materials, documents and personal data received from the Controller and persons cooperating with him, as well as personal data obtained in any other way, whether intentionally or accidentally, in any form (including oral, written or electronic), both during the term of this Agreement and after its termination, expiration, withdrawal from it or its ending in any other way.
2. The Processor declares that the data referred to in paragraph 1 above shall not be used, disclosed or made available without the written consent of the Controller for any purpose other than the execution of the Agreement and the Main Contract, unless the necessity to disclose the information held results from the Agreement or the applicable regulations, including the GDPR.
§ 11 [Final provisions]
1. Any amendments and modifications to this Agreement shall be made in writing in order to be valid (under pain of nullity).
2. If any provision of the Agreement is or becomes invalid or ineffective for any reason, this shall not affect the validity and effectiveness of the remaining provisions. In such a case, the Parties shall replace the invalid or ineffective provisions with those which are economically most compatible with their original intentions. The obligation referred to above shall apply accordingly if a gap needs to be filled in the execution of this Agreement.
3. The Parties declare that the e-mail addresses provided in the course of concluding the Main Contract are appropriate for the delivery of correspondence between them and undertake to notify the other Party of any change to this data. If a Party fails to fulfil this obligation, correspondence sent to the last address indicated shall be deemed to have been duly delivered.
4. The court having jurisdiction over disputes arising from this Agreement shall be the court having jurisdiction for the Controller’s seat.
5. In matters not regulated in this Agreement, the provisions of the Civil Code and the GDPR shall apply.