FROM 1/02/2020



Given that, under art. 28 section 3 GDPR, the processing of personal data by a processing entity is carried out on the basis of a contract or other legal instrument that is subject to Union or Member State law, HS PARTNERS Sp. z o.o. with its office in Gliwice, to the extent that it is the Administrator of personal data, specifies in these regulations the rules for entrusting the processing of personal data to processors.



1.1. Whenever the following definitions and phrases are used in the Regulations for entrusting the processing of personal data, they should be given the meaning specified below:

(i) PERSONAL DATA ADMINISTRATOR – means the company HS PARTNERS Sp. z o.o. with its registered office in Gliwice, ul. Prymasa Stefana Wyszyńskiego 11 / 207b, entered into the National Court Register by the District Court in Gliwice, 10th Commercial Department of the National Court Register under the number: 0000768067, NIP: 5993191403, REGON: 365741334, share capital in the amount of PLN 10,000.

(ii) PERSONAL DATA – means information about an identified or identifiable natural person ("data subject"); an identifiable natural person is a person who can be directly or indirectly identified, in particular on the basis of an identifier such as name and surname, identification number, location data, online identifier or one or several specific factors determining the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person.

(i) SENSITIVE DATA – means special data and criminal data.

(ii) SPECIAL DATA – means the data listed in art. 9 item 1 GDPR, i.e. personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic data, biometric data used to uniquely identify a natural person, or data on health, sexuality or sexual orientation.

(iii) CRIMINAL DATA – means the data listed in art. 10 GDPR, i.e. data on convictions and violations of the law.

(iv) CHILDREN’S DATA – means data of persons under 16 years of age.

(v) HEALTH DATA – means personal data about the physical or mental health of an individual – including the use of healthcare services – disclosing information about his or her health.

(vi) DATA EXPORT – means the transfer of PERSONAL DATA to a third country or international organization.

(i) BREACH OF PERSONAL DATA PROTECTION – means a breach of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed.

(ii) PERSON – means the data subject, unless otherwise expressly provided for in the REGULATIONS.

(iii) PROCESSING – means an operation or set of operations performed on personal data or sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, storing, adapting or modifying, downloading, viewing, using, disclosing by sending, disseminating or otherwise sharing, matching or combining, limiting, deleting or destroying.

(iv) PROCESSING WITHOUT IDENTIFICATION – means PROCESSING OF PERSONAL DATA by the ADMINISTRATOR that does not require or no longer requires him to be identified by the PERSON due to the purpose of the processing.

(v) PROCESSOR – means a natural or legal person, public authority, agency or other body that processes personal data on behalf of the ADMINISTRATOR.

(vi) SUBCONTRACTOR – means the entity whose services the PROCESSOR uses when performing specific activities of processing personal data on behalf of the ADMINISTRATOR.

(i) PROFILING – means any form of automated processing of personal data that involves the use of personal data to evaluate certain personal factors of a natural person, in particular to analyze or forecast aspects of the natural person's work performance, economic situation, health, personal preferences, interests, credibility, behavior, location or movement.

(ii) EMPLOYEE – a person performing work for the ADMINISTRATOR on the basis of an employment contract, commission contract or other civil law contract.

(iii) REGULATIONS – means these Regulations for the Processing of Personal Data, unless otherwise explicitly stated in the context.

(iv) GDPR – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation) (Journal of Laws EU No. 2016/2016 19.1 of April 5, 2016).


(a) the processing of personal data that takes place in the Union as part of the activities of organizational units in more than one Member State of an administrator or a processor in the Union having organizational units in more than one Member State; or

(b) the processing of personal data that takes place in the Union as part of the activities of a single organizational unit of the controller or processor in the Union, but which significantly affects or may significantly affect data subjects in more than one Member State;

(i) BASIC CONTRACT – a civil law contract concluded by the ADMINISTRATOR with the PROCESSOR, in connection with the performance of which the ADMINISTRATOR entrusts the PROCESSOR with the processing of personal data within the scope specified in the REGULATIONS.

(ii) CONTRACT FOR ENTRUSTING THE PROCESSING OF PERSONAL DATA – an agreement concluded between the ADMINISTRATOR and the PROCESSOR, specifying the subject and duration of the PROCESSING, the nature and purpose of the PROCESSING, the type of PERSONAL DATA and the categories of PERSONS, and the duties and rights of the ADMINISTRATOR.

(iii) ACT ON THE PROTECTION OF PERSONAL DATA – the Act of 10 May 2018 on the protection of personal data (Journal of Laws of 2019, item 1781, consolidated text of 2019.09.19).


3.1. The purpose of these regulations is to determine the conditions under which the PROCESSOR performs personal data processing operations on behalf of the ADMINISTRATOR.

3.2. The ADMINISTRATOR declares that it is the administrator of the PERSONAL DATA specified in § 3 para. 4 and that it is entitled to process them to the extent to which it has entrusted them to the PROCESSOR.


4.1. On the terms and for the purpose set out in the REGULATIONS and the BASIC CONTRACT, the ADMINISTRATOR entrusts the PROCESSOR with the processing of the personal data described below.

4.2. The processing will be carried out for the duration of the BASIC CONTRACT.

4.3. Personal data entrusted by the ADMINISTRATOR will be processed by the PROCESSOR solely for the purpose of proper performance of the BASIC CONTRACT.

4.4. The processing will include the following types of personal data: ORDINARY DATA, SPECIAL DATA OF HEALTH.

4.5. The processing of PERSONAL DATA will apply to the data of the ADMINISTRATOR's EMPLOYEES and of persons recruited by the ADMINISTRATOR to work at the PROCESSOR.


5.1. The PROCESSOR may entrust specific processing operations on PERSONAL DATA to other processors by means of a written contract, provided that the ADMINISTRATOR has been informed in advance and has given his written approval of the SUBCONTRACTOR. The above also applies to a change of SUBCONTRACTOR by the PROCESSOR.

5.2. The ADMINISTRATOR may, for justified reasons, raise a documented objection to entrusting PERSONAL DATA to a specific SUBCONTRACTOR within two weeks from the date of receipt of the written notice from the PROCESSOR referred to in paragraph 1 above.

5.3. In the event of an objection, the PROCESSOR has no right to entrust PERSONAL DATA to the SUBCONTRACTOR covered by the objection.

5.4. When sub-entrusting processing, the PROCESSOR is obliged to bind the SUBCONTRACTOR to perform all of the PROCESSOR's obligations under the REGULATIONS, except for those that do not apply due to the nature of the specific sub-entrustment.

5.5. The PROCESSOR is responsible for the subcontractor’s actions and omissions as for his own.


6.1. The PROCESSOR is obliged to:

(i) process PERSONAL DATA only on the documented instruction of the ADMINISTRATOR – which also applies to the transfer of personal data to a third country or international organization – unless such obligation is imposed by Union law or the law of the Member State to which the PROCESSOR is subject; in this case, before processing begins, the PROCESSOR informs the ADMINISTRATOR of this legal obligation, provided that this law does not prohibit the provision of such information due to important public interest;

(ii) grant authorization to process personal data to all persons who will process the entrusted personal data for the implementation of this contract;

(iii) provide personal data only to persons whose access to such data is needed for the implementation of the BASIC CONTRACT and who have the authorization referred to in point (ii) above;

(iv) obtain from persons who have been authorized to process PERSONAL DATA, a written undertaking to maintain confidentiality, or make sure that such persons are subject to the statutory obligation of confidentiality;

(v) process entrusted PERSONAL DATA and secure them by using appropriate technical and organizational measures ensuring an adequate level of security corresponding to the risk associated with the processing of personal data, in accordance with art. 32 GDPR,

(vi) comply with the terms of use of the services of another processing entity (Subcontractors),

(vii) taking into consideration the nature of processing, help the ADMINISTRATOR through appropriate technical and organizational measures to comply with the obligation to respond to the request of the data subject in the exercise of his rights set out in Chapter III of the GDPR;

(viii) provide support for the Rights of the individual with respect to entrusted PERSONAL DATA,

(ix) cooperate with the ADMINISTRATOR in performing his duties in the area of personal data protection referred to in art. 32-36 GDPR;

(x) keep documentation describing the manner of processing PERSONAL DATA, including a register of personal data processing activities,

(xi) provide the ADMINISTRATOR with all information necessary to demonstrate compliance with the obligations set out in art. 28 GDPR and enable the ADMINISTRATOR or auditor authorized by the ADMINISTRATOR to carry out audits, including inspections, and contribute to them,

(xii) in the event of using automated processing or PROFILING to perform the Contract, inform the ADMINISTRATOR about it for the purpose and to the extent necessary to fulfill the information obligation by the ADMINISTRATOR,

(xiii) immediately inform the ADMINISTRATOR if, in his opinion, an instruction issued to him constitutes a violation of the GDPR, the ACT ON THE PROTECTION OF PERSONAL DATA or other Union or Member State regulations on the protection of personal data.


7.1. The ADMINISTRATOR is obliged to cooperate with the PROCESSOR in the implementation of the provisions of the REGULATIONS, provide the PROCESSOR with explanations in case of doubts as to the legality of the ADMINISTRATOR’s instructions, as well as to fulfill his specific obligations in a timely manner.


8.1. The PROCESSOR is obliged to carry out an analysis of the risk of processing of entrusted PERSONAL DATA and to comply with its results as regards organizational and technical data protection measures.

8.2. The PROCESSOR is obliged to provide sufficient guarantees for the implementation of appropriate technical and organizational measures, and at the request of the ADMINISTRATOR will present documents confirming the implementation of the appropriate technical and organizational measures.


9.1. The PROCESSOR is obliged to notify the ADMINISTRATOR of any suspected BREACH OF PERSONAL DATA PROTECTION no later than 24 hours from the first notification.

9.2. The PROCESSOR will enable the ADMINISTRATOR to participate in explanatory activities and will inform the ADMINISTRATOR of findings as soon as they are made, in particular of the finding of a violation.

9.3. Notification of a violation should be sent along with all necessary documentation regarding the violation to enable the ADMINISTRATOR to comply with the obligation to notify the supervisory authority.


10.1. The ADMINISTRATOR controls the processing of entrusted PERSONAL DATA after informing the PROCESSOR of the planned control. The ADMINISTRATOR or persons designated by him are entitled to:

(i) access the rooms where PERSONAL DATA are processed,

(ii) inspect the documentation related to the processing of PERSONAL DATA.

10.2. The ADMINISTRATOR is entitled to request that the PROCESSOR provide information regarding the course of processing of PERSONAL DATA and provide processing registers.

10.3. The PROCESSOR cooperates with the personal data protection office in the scope of its tasks.


(i) provides the ADMINISTRATOR with all information necessary to demonstrate compliance of the ADMINISTRATOR’s operation with the provisions of the GDPR,

(ii) allows the ADMINISTRATOR or an authorized auditor to carry out audits or inspections. The PROCESSOR cooperates in the implementation of audits or inspections.


11.1. The PROCESSOR is responsible for providing or using PERSONAL DATA contrary to the content of the contract, and in particular for providing PERSONAL DATA entrusted for processing to unauthorized persons.

11.2. The PROCESSOR is responsible for damages caused by his actions in connection with failure to comply with the obligations that the GDPR imposes directly on the PROCESSOR or when he acted outside the lawful instructions of the ADMINISTRATOR or contrary to these instructions. The PROCESSOR is responsible for damages caused by the application or non-application of appropriate security measures.

11.3. If the SUBCONTRACTOR fails to fulfill its obligations to protect PERSONAL DATA, full responsibility towards the ADMINISTRATOR for fulfilling the obligations by the SUBCONTRACTOR rests with the PROCESSOR.


12.1. Upon termination of the BASIC CONTRACT, the PROCESSOR has no right to further process the entrusted PERSONAL DATA and is obliged to:

(i) remove PERSONAL DATA,

(ii) delete any existing copies or return PERSONAL DATA, unless the ADMINISTRATOR decides otherwise or European Union law or the law of a Member State requires the retention of PERSONAL DATA.

12.2. The PROCESSOR will delete PERSONAL DATA 180 days after the end of the BASIC CONTRACT, unless the ADMINISTRATOR instructs him to do so earlier.

12.3. After fulfilling the obligation referred to in paragraph 1, the PROCESSOR shall submit to the ADMINISTRATOR a written statement confirming the permanent removal of all PERSONAL DATA.


13.1. The REGULATIONS enter into force on February 1, 2020.

13.2. In the event of a conflict between the provisions of the REGULATIONS and the BASIC CONTRACT, the provisions of the REGULATIONS shall prevail.

13.3. The REGULATIONS do not apply to the rules for the processing of PERSONAL DATA by a PROCESSOR with whom the ADMINISTRATOR has entered into a CONTRACT FOR ENTRUSTING THE PROCESSING OF PERSONAL DATA.

13.4. In matters not covered by the REGULATIONS, the provisions of the ACT ON THE PROTECTION OF PERSONAL DATA and the GDPR shall apply.