Data processing amendment
- In connection with the establishment of cooperation consisting in the Service Provider providing Services to the User, the User entrusts the Service Provider with personal data pursuant to art. 28 GDPR for processing on the terms set out in this Agreement.
- Under this Agreement, the User acts as the Administrator of personal data entrusted within the meaning of art. 4 point 7 of the GDPR, and the Service Provider as a processor within the meaning of art. 28 GDPR.
- The Service Provider undertakes to process the personal data entrusted to it in accordance with this contract, the GDPR and other provisions of generally applicable law that protect the rights of data subjects.
- The User entrusts the personal data of Recipients for processing, in particular their email addresses.
- This Agreement is also an instruction issued by the User to process personal data by the Service Provider and persons authorized by the Service Provider to process personal data, including the employees of the Service Provider and other processing entities whose services the Service Provider uses in connection with the provision of Services.
- The operations referred to in art. 4 point 2 GDPR that are necessary to provide the Services will be performed on the personal data referred to in section 1.
- The Service Provider will process the personal data entrusted to it in order to provide Services, fulfill the Service Provider's legal obligations, detect and prevent abuse, and create lists, analyses and statistics.
- The Service Provider will process the personal data entrusted to them for the duration of the Services, unless the Service Provider is obliged to process personal data for a longer period under generally applicable law, in particular in order to fulfill the obligations arising from art. 180a of the Telecommunications Act of 16 July 2004. After completing the processing of the entrusted personal data, the Service Provider undertakes to delete them.
- The entrusted personal data will be processed in IT systems.
- The Service Provider will process Recipients' personal data within the EEA. For some services the Processor may transfer personal data of Recipients to third countries.
- The Service Provider undertakes to exercise due diligence in the processing of personal data entrusted to them. For this purpose, the Service Provider uses technical and organizational measures within the meaning of art. 32 GDPR, adequate to the type of personal data entrusted to them.
- The Service Provider undertakes to ensure that the entrusted personal data is processed only by persons who have been authorized to process personal data in order to provide the Services.
- The Service Provider undertakes to ensure, in accordance with art. 28 section 3 letter b GDPR, that persons authorized to process personal data in order to provide the Services undertake to maintain confidentiality regarding such data, both during their employment with the Service Provider and after its termination.
- If the Service Provider receives an application from the Recipient related to the processing of personal data, they will send such an application in the form of an electronic message to the User for further processing by the User. The Service Provider is not entitled or obliged to handle the application itself, unless otherwise provided by applicable law.
- If the Service Provider receives a request from the competent supervisory body to grant access to or information on the Recipients' personal data, they will notify the User of this fact in the form of an electronic message and will provide them with the request received in the form of an electronic message. The Processor is not entitled or obliged to settle the request itself, unless otherwise provided by applicable law.
- The Service Provider undertakes to immediately inform the User about any incidents resulting in a violation of the Recipients' personal data.
- The Service Provider undertakes to provide the User, at their request, with all information necessary to demonstrate compliance with the obligations set out in the GDPR.
- The User guarantees that personal data is processed for lawful purposes, and that the Service Provider does not process more personal data than is required to meet these purposes. In addition, the User undertakes to ensure that at the time of providing the data to the Service Provider, there will be a valid legal basis for their processing, including in particular the consent of the Recipient, expressed in a correct way. At the request of the Service Provider, the User undertakes in writing to indicate or document the basis for the processing of personal data.
- Taking into account the nature, scope, context and purposes of processing as well as the risk of violation of the rights or freedoms of natural persons of different probability and severity of threat, the User shall implement appropriate technical and organizational measures so that the processing takes place in accordance with this Regulation and to be able to demonstrate it. These measures are reviewed and updated as necessary.
- The User submits requests for an audit of the Service Provider to the Service Provider's Data Protection Inspector.
- After the Service Provider receives the request referred to in section 1, the Parties shall discuss and agree in advance:
1. the specific start date (dates), scope and duration of the audit;
2. security and confidentiality rules applicable to auditing.
- The Service Provider may charge a fee (based on reasonable costs of the Processor) for each audit. The Service Provider will provide the User with additional details about any applicable fees and the basis for their calculation, before such a review or audit. The User will be responsible for all fees charged by the auditor appointed by the User to perform such an audit.
- In connection with art. 28 section 3 letter h GDPR, the Service Provider is entitled to raise objections regarding the scope of the audit or the auditor.
- The User agrees that the Service Provider may use the services of further processors in the processing of Recipients' personal data in accordance with art. 28 section 2 GDPR, only for purposes related to the performance of Services. This applies to the following further processors:
1. Global Email Solutions sp. z o. o. with headquarters in Szczecin at ul. Wojciechowskiego 1A, 71-476 Szczecin, Poland with the KRS number: 0000561120;
2. DigitalOcean LLC with headquarters in 101 Avenue of the Americas, 10th Floor, New York, NY 10013, United States;
3. Cherry Servers UAB with headquarters in 74 Tilzes street, 3rd Floor, Siauliai, Lithuania;
5. Google Ireland LTD with headquarters in Gordon House, Barrow Street, Dublin 4, Ireland;
6. HelpScout with headquarters in 1401 Walnut St #220, Boulder, CO 80302, United States;
7. Stripe LTD with headquarters in 510 Townsend Street, San Francisco, CA 94103, United States.
- The Service Provider is obliged to conclude a processing contract with the further Processor, according to which the further Processor will be obliged to meet the same obligations as the Service Provider, in particular the obligations regarding the use of technical and organizational measures that will be adequate to the type of personal data of the Recipients entrusted and the risk of infringing Recipients' rights. The rights of further processing entities will not be broader than the rights of the Service Provider specified in these regulations.
- The Service Provider, in the event of extension of the group of further Processors, referred to in section 1, shall inform the User about this fact by email.
- The User has the right to object to further entrusting the processing of personal data of Recipients by the Service Provider to a further Processor. The objection must be made in writing; otherwise it is null and void.
- Expressing the objection referred to in section 4 causes the User's Account to be deleted, which pursuant to § 8 section 4 of the Regulations terminates the concluded Contract for the provision of Services.
This Contract is effective from the date of its conclusion for the time of providing Services.
In unregulated matters, the provisions of national law and the GDPR shall apply.
The court having jurisdiction to hear disputes arising from this Contract shall be the competent court in Szczecin.