Agreement to entrust the processing of personal data
This data-processing entrustment agreement (hereinafter referred to as the "Entrustment Agreement") is concluded between the Service Provider and the Business Client and constitutes an integral part of the agreement between the Service Provider and the Business Client, in accordance with Article 28 of the GDPR. The moment of conclusion of the entrustment agreement is the moment of acceptance of the provisions of the Regulations or conclusion of the service provision agreement.
This Entrustment Agreement regulates the entire obligations and conditions of entrusting the processing of personal data, in connection with the Business Client's use of the Platform and its functionality.
§ 1. Definitions
The capitalised terms used below shall have the meaning assigned to them in the Entrustment Agreement and in the Regulations. The terms used in the Entrustment Agreement mean:
Audit - verification of compliance of the processing of the entrusted Personal Data by the Service Provider with the law and the Entrustment Agreement, excluding access to information containing the Service Provider's business secrets. The audit may be carried out independently by the Business Client or by an authorised auditor.
Subsequent Processor - an entity performing on behalf of the Service Provider the processing of Personal Data entrusted under this Agreement.
Personal Data - any information about an identified or identifiable natural person, the processing of which is entrusted on the basis of the Entrustment Agreement.
Personal Data Protection Infringement - a breach of security of the Personal Data entrusted resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure or unauthorized access to the Personal Data.
Service Provider - the company Joynt Sp. z o.o., with its registered office at Żurawia 71, entered into the register of entrepreneurs of the National Court Register under the number 0000854345, NIP 9662142152.
Supervisory Authority - the President of the Office for Personal Data Protection.
Regulations - the regulations for the provision of Services, including access to the Platform and its functionality, available at https://joynt.works.
GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation).
§ 2. Subject matter of the agreement
The Business Client entrusts the Service Provider with the processing of Personal Data to the extent necessary for the proper performance of the Services described in the Regulations for the Business Client.
The Service Provider may process the Personal Data entrusted to it by the Business Client only for the purpose indicated above and to create anonymised statistics.
On the basis of this Entrustment Agreement, the Service Provider shall process Personal Data in the following scope:
Categories of persons whose personal data have been entrusted
Categories of personal data entrusted: identification, image, contact details, data concerning use of services, including the Platform
Type of personal data entrusted: normal data, specific data
The entrusted processing covers the following operations: collect, record, organise, arrange, store, adapt or modify, download, view, use, disclose by transmission, making available, adapt or combine, restrict
§ 3. Duration of entrustment
The Service Provider may process the Personal Data entrusted to it for the period of the provision of Services and after the end of this period, until the deletion of Personal Data in accordance with the provisions of the Entrustment Agreement, unless the parties agree on a different period of processing of Personal Data.
The Service Provider processes Personal Data on the basis of documented instructions from the Business Client, which means processing in accordance with the Entrustment Agreement, as well as instructions provided by the Business Client through electronic communication tools.
§ 4. Technical and organisational measures
The Service Provider shall ensure a level of security of the Personal Data entrusted to it that is adequate to the risk of infringement of the rights or freedoms of the persons whose data are processed, applying at least the following technical and organisational measures to protect the entrusted personal data:
- personal data protection procedures;
- procedures for the secure use of IT resources;
- systematic training of employees and co-workers on personal data protection and the safe use of IT resources;
- processing of personal data only after the persons have been authorised to process the data;
- covering all persons acting on behalf of the Service Provider with a written undertaking to keep secret the information obtained in the course of providing services;
- processing of the entrusted data in the area covered by access control, physical protection or video surveillance;
- the use by each employee or associate of a separate, unique access account to the IT systems in which personal data are processed;
- the application of a policy of strong passwords and enforcing their periodic change;
- encryption of mobile devices that process personal data;
- implementation of a remote access control system for personal data;
- subjecting the IT systems and software used to process personal data to regular updates, vulnerability checks and verification by anti-virus systems;
- protection against unauthorised access to systems and networks through a firewall, as well as filtering access to websites.
§ 5. Subsequent processors
The Service Provider shall use the services of Subsequent Processors, a list of which can be found at https://joynt.works. The Business Client agrees to the involvement of those Subsequent Processors.
The Service Provider shall use the services of other Subsequent Processors only with the prior consent of the Business Client.
The Service Provider shall inform the Business Client of the intention to use the services of another Subsequent Processor at least 14 days before the commencement of the use of its services.
The Business Client may raise an objection within 7 days from the date of receiving information about another Subsequent Processor.
The Service Provider's failure to comply with the objection, as well as the use of the services of another Subsequent Processor without prior notification of the Business Client, shall result in the termination of the Entrustment Agreement at the end of the last day of the month following the month in which the objection was made or in which the services of the non-notified Subsequent Processor were used. During the notice period of the Entrustment Agreement, the Service Provider shall not transfer the Personal Data to another Subsequent Processor for processing.
Failure to raise an objection within the period specified in sub-paragraph 2 shall mean the acceptance of another Subsequent Processor.
§ 6. Other obligations related to the entrustment of processing
Taking into account the nature of the entrusted processing of Personal Data and the information available in connection with the provision of the Services, the Service Provider shall provide the Business Client with appropriate support in discharging the obligation:
to carry out an assessment of the impact of the planned processing operations on the protection of personal data, referred to in Articles 35-36 of the GDPR;
to respond to the requests of data subjects to the extent specified in Articles 15-22 of the GDPR; if the request is submitted directly to the Service Provider, the Service Provider shall immediately inform the Business Client about the request and determine the procedure to be followed in relation to the request;
to report the personal data breach to the supervisory authority and notify the data subjects of the breach, pursuant to Articles 33-34 of the GDPR.
The Service Provider shall immediately inform the Business Client of:
any ongoing proceedings concerning the processing of personal data, and any decisions or rulings on personal data, to which the Service Provider is a party;
instructions issued by the Business Client which, in the opinion of the Service Provider, constitute a breach of the provisions on personal data protection.
The Service Provider shall make available all information necessary to prove the Business Client's compliance with the obligations set out in Article 28 of the GDPR.
Without the consent of the Business Client, the Service Provider shall not transfer personal data outside the European Economic Area as defined in the Agreement on the European Economic Area.
§ 7. Infringement of Personal Data Protection
The Service Provider shall immediately, but no later than within 36 hours of its discovery, report the identified Infringement of Personal Data Protection to the Business Client. The report shall include:
a description of the circumstances of the event constituting the breach and its established or suspected causes;
a description of the nature of the Infringement, including, if possible, the categories and approximate number of persons affected by the breach and the categories and approximate number of personal data entries;
a description of the possible consequences of the Infringement;
a description of the remedies available to the Service Provider in order to minimise the possible negative impact of the Infringement;
a description of the measures taken by the Service Provider to remedy the breach and minimise the possible negative consequences of the Infringement.
§ 8. The Audit
The Business Client shall be entitled to carry out an Audit at any time, in particular when implementing a recommendation issued by the Supervisory Authority or when the Audit is necessary to investigate an identified Infringement of Personal Data Protection.
The Business Client is obliged to notify the Service Provider of the intention to conduct an Audit at least 7 working days before the planned date of commencement of the Audit. The notification shall indicate the scope, date and persons authorised to conduct an Audit.
The Parties agree that the duration of the Audit shall not exceed 3 working days, unless a longer time is necessary due to the purpose of the Audit. In such case, the Parties shall agree on the maximum duration of the Audit.
The Audit ends with a protocol which contains, in particular, a description of the activities performed and a specification of recommended actions to be taken to ensure the correctness of Personal Data processing.
The cost of conducting the Audit shall be covered by the Business Client.
§ 9. Termination of the entrustment of processing
After the termination of the Services, the Service Provider shall delete the Personal Data entrusted to it and their existing copies, unless their storage is required by law. The obligation to delete does not apply to the data before they have been processed or the statistics produced on their basis.
In case the Business Client requests the return of the data, the request for the return of the entrusted Personal Data should be delivered not less than 7 days before the end of the Service.
The Service Provider shall return the Personal Data within 15 days of receipt of the request from the Business Client.
In the case of deletion of Personal Data, the Service Provider shall document their deletion in a protocol. The Service Provider shall provide a copy of the protocol upon request of the Business Client.
The Service Provider shall ensure that Subsequent Processors delete the Personal Data under the terms of this paragraph.
In the event that the Service Provider is required by law to store Personal Data after the termination of the Services, the Service Provider shall immediately inform the Business Client about the occurrence of such circumstances. In such a situation, the Service Provider shall process the Personal Data only to the extent and for the purpose of performing the obligations arising from the provisions of the law, and after their fulfillment shall immediately delete them.
§ 10. Final provisions
The Service Provider shall be liable to the data subject for damages caused by a failure to comply with the obligations imposed by the GDPR or this agreement on the processor.