General Terms and Conditions of Personal Data Processing at KRISPOL
- These General Terms and Conditions of Personal Data Processing refer to the rules of contracting the personal data processing by KRISPOL sp. z o.o. with its registered office in Psary Małe and to the rules of data processing when KRISPOL sp. z o.o. receives personal data for processing and is a processor.
- The contents of the personal data processing agreement shall take precedence over these terms and conditions.
- The rules on contracting the processing and the processing of personal data are consistent with the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ of the EU no. L 119, p. 1), hereinafter referred to as the GDPR.
- The processing of personal data will be carried out during the period of cooperation between the Partner and KRISPOL and during the period of termination of such cooperation, if it is necessary to pursue claims or defend rights, if it is required by law or if there is any other basis consistent with the GDPR.
- The nature and purpose of the processing results from the nature of the legal relationship between KRISPOL and the Partner as well as from the nature of the cooperation.
- The processing will involve personal data (hereinafter referred to as: “the data”) specified in the Annex to the personal data processing agreement (hereinafter referred to as: “the Agreement”).
- The categories of persons whose data will be processed will be defined in the Annex to the Agreement.
- The Processor may contract specific data processing operations (“sub-processing”) by means of a written sub-processing agreement (“Sub-processing Agreement”) to other processors (“Sub-processors”), subject to prior approval of the Sub-processor by the Controller or absence of objection. The list of Sub-processors accepted by the Controller shall constitute an Annex to the Agreement.
- Contracting the processing of Data to Sub-processors outside the List of Accepted Sub-processors requires prior notification to the Controller, so that he/she can express his/her objection. The Controller may, for justified reasons, submit documented objections to contracting Data processing to a specific Sub-Processor. In the event of such objection, the Processor shall not be entitled to contract the Data processing to the Sub-Processor objected against, and if the objection concerns the current Sub-Processor, the Processor shall immediately terminate the sub-contracting to the Sub-Processor objected against. Any doubts as to the legitimacy of the objection and possible negative consequences shall be reported by the Processor to the Controller sufficiently in advance to ensure the continuity of the processing.
- When contracting such processing, the Processor shall be obliged to require the Sub-Processor to perform all of the Processor’s obligations under this PDPA, except those which are not applicable due to the nature of the specific sub-processing.
- The Processor shall ensure that the Sub-processor submits to the Controller an undertaking of fulfilment of the obligations referred to in the preceding paragraph. This may be done by signing an appropriate declaration addressed to the Controller together with signing the Sub-processing Agreement, containing the list of obligations of the Sub-Processor.
- The Processor shall not be entitled to transfer the entire performance of the Agreement to the Sub-Processor.
- The Processor shall process the Data only in accordance with the contractual terms or in accordance with the documented orders or instructions of the Controller.
- The Processor declares that it does not transfer the Data to a third country or international organisation (i.e. outside the European Economic Area (“the EEA”)). The Processor also declares that he does not use subcontractors that transfer the Data outside the EEA.
- Where the Processor intends or is under an obligation to transfer Data outside the EEA, he shall inform the Controller thereof to enable the Controller to take the decisions and actions necessary to ensure the lawfulness of the processing or the termination of the processing.
- The Processor shall obtain from the persons authorized to process the Data in performance of the Agreement documented undertakings to keep confidentiality, and shall, if necessary, ensure that such persons are subject to a statutory obligation of confidentiality.
- The Processor shall ensure data protection and take the data protection measures referred to in Article 32 of the GDPR, in accordance with the further provisions of the Agreement.
- The Processor shall comply with the conditions of the use of another processor (Sub-Processor) services.
- The Processor undertakes to respond to the requests of the data subject towards the Controller in the scope of exercising the rights set forth in Chapter III of the GDPR (“Rights of the Data Subject”). The Processor declares that he shall ensure that the Rights of the Data Subject with regard to the transferred data shall be appropriately handled. Details of handling the Rights of the Data Subject shall be agreed between the Parties.
- The Processor shall co-operate with the Controller in the performance of the Controller’s duties in the area of personal data protection, referred to in Articles 32-36 of the GDPR (data protection, reporting infringements to the supervisory authority, notifying the persons affected by the data protection breach, assessing the impact on data protection and prior consultation with the supervisory authority).
- If the Processor becomes aware of any doubts as to the lawfulness of the orders or instructions issued by the Controller, the Processor shall immediately inform the Controller of such doubts (in a documented form together with a justification).
- The Processor declares that he will comply with the principles of data processing specified in the GDPR, including data minimisation (Article 25 (2) of the GDPR) and privacy by design (Article 25 (1) of the GDPR).
- When planning to make changes in the manner of data processing, the Processor is obliged to inform the Controller in advance of the planned changes in such a way and within such time limits as to provide the Controller with a real opportunity to react, if the changes planned by the Processor in the Controller’s opinion threaten the agreed level of data security or increase the risk of infringement of personal rights or freedoms as a result of the processing of the Data by the Processor.
- The Processor undertakes to limit access to the Data to persons who need to obtain it for the purpose of the performance of the Agreement and who are duly authorized thereto.
- If the Processor uses automated processing, including profiling, referred to in Article 22(1) and (4) of the GDPR with a view to the performance of the Agreement, the Processor shall inform the Controller thereof for the purpose and to the extent necessary for the performance of the information obligation by the Controller.
- The Processor shall provide the persons authorised to process the data with adequate training in the area of personal data protection.
- The Administrator shall be obliged to cooperate with the Processor in the performance of the Agreement, to provide the Processor with explanations in the event of doubts as to the legality of the Administrator’s instructions, as well as to perform his detailed duties in a timely manner.
- The Processor carried out a risk analysis of the processing of the transferred Data, made it available to the Controller and has been applying its results to the organizational and technical data protection measures. The Processor declares that he provides sufficient guarantees for the implementation of appropriate technical and organisational measures.
- The Processor shall notify the Controller of any suspected breach of personal data protection no later than 24 hours from the first notification, shall enable the Controller to participate in clarification activities and shall inform the Controller of the findings as soon as they are made, in particular of the finding of the breach. Breach notification shall be sent together with all necessary documentation of the breach to enable the Controller to comply with the obligation to notify the supervisory authority.
- The Controller may control the manner of processing of the Personal Data transferred to him after notifying the Processor of the planned inspection 7 days in advance. The Controller or persons designated by him shall be entitled to (i) access the premises where Personal Data are processed and (ii) inspect the documentation related to the processing of Personal Data. The Controller shall be entitled to request the Processor to provide information concerning the course of the processing of Personal Data and to provide access to the processing registers.
- The Processor shall cooperate with the personal data protection authority within the scope of its tasks.
- The Processor:
a) shall make available to the Controller any information necessary to demonstrate the compliance of the Controller’s actions with the provisions of the GDPR,
b) shall allow the Controller or the authorised auditor to carry out audits or inspections. The Processor shall cooperate in carrying out audits or inspections.
- The Controller declares that he is the Data Controller and that he is entitled to process the data in the scope of their processing contracted to the Processor.
- The Processor declares that in the course of his business, he is professionally involved in the processing of personal data covered by the Agreement, that he has the necessary knowledge, appropriate technical and organizational measures in this respect and that he guarantees the proper performance of this Agreement.
- At the request of the Controller, the Processor shall provide the Controller with appropriate references, list of experience, financial information or other evidence that the Processor provides sufficient guarantees for the implementation of appropriate technical and organisational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of the data subjects.
- The Processor shall be liable for damage caused by his actions in connection with the failure to comply with the obligations imposed by the GDPR directly on the Processor or if he acted outside the lawful instructions of the Controller, or against such instructions. The Processor shall be liable for any damage caused by the application or non-application of appropriate security measures.
- Should the Sub-Processor fail to comply with his data protection obligations, the full responsibility towards the Controller for the performance of the Sub-Processor’s obligations shall lie with the Processor.
- Upon cancellation or termination of the Agreement, the Processor shall not have the right to further process the entrusted Data and shall be obliged to:
a) delete the Data,
b) delete any existing copies of the Data or return them, unless the Controller decides otherwise, or the European Union or Member State law further prescribes the storage of the data.
After fulfilling the obligation referred to above, the Processor shall submit to the Controller a written statement confirming the permanent deletion of all Data.
- The personal data processing agreements are subject to Polish law and the GDPR.