Personal Data Processing Agreement

This personal data processing agreement, hereinafter referred to as „Agreement”, concluded on ___ at ___ by and between:

___ represented by ___  hereinafter referred to as „Controller” and

___ represented by ___,  hereinafter referred to as „Processor“,

jointly referred to as „Parties“.

Whereas,

the Parties have concluded an Agreement for Provision of Marketing Automation Services, hereinafter referred to as the “Marketing Service Agreement“, Parties hereby agree as follows:

1. Subject matter of Agreement

1.1. Parties agree that for the purpose of fulfilling statutory obligations imposed by law, these being in particular the provisions of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), hereinafter referred to as the ‘Act’ as well as proper performance of the Marketing Service Agreement, Company name, as the Controller, entrusts the Processor with the processing of personal data in the scope as defined by this Agreement.

1.2. The Parties declare that processing is to be carried out on behalf of the Controller and the Processor provides sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of the Act and ensure the protection of the rights of the data subject.

2. Scope of entrusted data and purpose of data processing

2.1. The Controller entrusts processing:

• the subject-matter of the processing: personal data stored in databases and Internet service in  duration of the same term as performance of the  Marketing Service Agreement, provided § 5 section 3 clause of this Agreement;
• the nature and purpose of the processing: performing the Marketing Service Agreement, using resources provided by the Processor.
• the type of personal data and categories of data subjects: company data, phone number, email adress, name, surname, tax number.

2.2. The Processor undertakes to process entrusted personal data only for the purpose and scope specified in above, based on documented instructions from the Controller, which also applies to the transfer of personal data to a third country or international organization (unless such obligation is imposed by Union law or the law of the Member State to which the processor is subject; in this case, the processor shall inform the Controller of this legal obligation prior to the commencement of processing, unless such law prohibits the provision of such information on grounds of important public interest).

3. Rights and obligations of Parties

3.1. The Controller entrusts to the Processor lawfully collected personal data. Following a written request by the Controller, Processor shall be obliged to provide information regarding the processing of personal data entrusted to him, including details of technical and organizational means used for the purpose of processing data covered by the request, within 14 days of receiving such a request.

3.2. The Controller or the Processor and, where applicable, the Controller’s or the Processor’s representative, shall make the record available to the supervisory authority on request.

3.3. The Processor shall inform the Controller prior to the commencement of processing of data on the implementation of a possible legal obligation consisting in the transfer of personal data to a third country or an international organization, in accordance with art. 28 para. 3 point a of the Act.

3.4. The Processor ensures that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in accordance with Art. 28 para. 3 point. b of the Act.

3.5. The Processor declares that he has taken safeguard measures required under art. 32 of the Act, in accordance with art. 28 para. 3 point c of the Act.

3.6. The Processor declares that he respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the Act for engaging another processor, in accordance with art. 28 para. 3 point d of the Act.

3.7. The Processor takes into account the nature of the processing, assists the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the Act, in accordance with art. 28 para. 3 point e of the Act.

3.8. The Processor assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the Act taking into account the nature of processing and the information available to the Processor, in accordance with art. 28 para. 3 point f of the Act.

3.9. The Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this Article and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller,  in accordance with art. 28 para. 3 point h of the Act.

3.10. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes this Regulation or other Union or Member State data protection provisions.

4. Liability

4.1. Each Party shall be liable for any damage caused to the other Party or to any third parties in connection with performance of this Agreement, pursuant to provisions of the Act or this Agreement.

4.2. In the event of damage caused by actions undertaken by the Processor,  the Processor shall be liable as guilty of the actual damage incurred by the Controller.

4.3. The Processor shall be excluded from liability for adequately securing personal data in accordance with provisions set forth in Par. 1(2) of the Agreement in the part of the information system administered by  the Controller.

5. Final provisions

5.1. The Processor shall not charge any additional fees for performance of any of the provisions of this Agreement.

5.2. This Agreement may be terminated by giving to the other Party a one month’s notice.  In the event of terminating this Agreement, the Controller shall, within 7 days of the date of expiry hereof, individually secure any personal data entrusted to Processor for processing. 14 days following the date of expiry of the Agreement, Processor shall permanently delete any and all records containing personal data entrusted for processing, made in connection with or while performing the Marketing Service Agreement in accordance with art. 28 para. 3 point g of the Act.

5.3. The Parties declare that any previously signed agreements regarding the processing of personal data are revoked and replaced by this Agreement.

5.4. Any changes or additions to this Agreement must be in writing, otherwise null and void.

5.5. Any issues falling outside the scope of this Agreement shall be governed by the provisions of  the Act.

5.6. This Agreement has been executed in two identical copies, one for each Party.

/signatures/