The DPA attached below to the Terms & Conditions constitutes the instructions given by the Customer to Heroify regarding the processing of Personal Data, in accordance with GDPR, Article 28. Acceptance of the DPA is a condition precedent to the conclusion of the Terms and Conditions between the Parties and its entry into force.
This Data Processing Agreement (“DPA”) specifies the Parties’ data protection obligations, which arise from the Service Provider’s (“Data Processor”) processing of personal data on behalf of the Customer (“Data Controller”) under the service agreement between the Parties (“Terms and Conditions” or “T&C”).
The DPA is adopted as an appendix to the T&C. In the event that any provision of this DPA is inconsistent with any term(s) of the T&C, the DPA will prevail.
For the purposes of this DPA:
“Applicable Data Protection law” means any privacy law which may apply to the terms of this agreement and which may vary from time to time;
“Data Controller” and “Data Processor” shall have the meanings as set out in Article 4(7) and (8) respectively of EU General Data Protection Regulation 2016/679 (the “GDPR”);
“Data Protection Supervisory Authority” (DPSA) is the supervisory authority for the purposes of Article 51 of the GDPR;
“Data Subject” means an individual who is the subject of Personal Data;
“Personal Data” shall have the meaning set out in Article 4(1) of the GDPR;
“Prompt Notice” shall mean 24 hours unless otherwise expressly stated in this agreement;
“Special Category Data” shall have the meaning set out in Article 9(1) of the GDPR;
“Third Country” shall mean a location outside of the European Economic Area (EEA), the EEA being: Austria, Belgium, Bulgaria, Czech Republic, Cyprus, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and United Kingdom.
This DPA, including these definitions and its recitals and schedules, is a free-standing document that does not incorporate commercial business terms established by the parties under separate commercial arrangements.
The details of the data processing (as well as the Personal Data covered) are specified in Schedule 1 hereto.
The parties agree that:
1.1 The Data Controller and the Data Processor acknowledge that for the purposes of the Applicable Data Protection Law (as amended) the Customer is the Data Controller and Heroify Sp. z o.o. is the Data Processor in respect of any Personal Data.
1.2 The Data Processor shall process Personal Data only for the purposes of carrying out their obligations arising under the T&C.
1.3 The Data Controller shall instruct the Data Processor to process the Personal Data in any manner that may reasonably be required in order for the Data Processor to carry out the processing in compliance with this DPA and in compliance with Applicable Data Protection law.
1.4 The Data Controller shall refrain from providing instructions which are not in accordance with applicable laws including Applicable Data Protection law, and, in the event that such instructions are given, the Data Processor is entitled to resist carrying out such instructions.
1.5 The details of the transfer and of the Personal Data are specified in Schedule 1. The parties agree that Schedule 1 may contain confidential business information which they will not disclose to third parties, except as required by law or in response to a competent regulatory or government agency, or as required by law. The parties may execute additional annexes/schedules to cover additional transfers, or may include multiple transfers in Schedule 1, which will be submitted to the DPSA where required.
1.6 This DPA shall continue for no less a term than the term of the Agreement.
1.7 The rights and obligations of the parties with respect to each other under this Clause 1 shall survive any termination of the Agreement.
2.1 To the extent required by law or regulation:
2.1.1 The Data Processor shall co-operate with the DPSA in connection with any activities performed by the Data Processor;
2.1.2 The Data Controller, its auditors and the DPSA shall have effective access to data related to such activities, as well as effective access to the Data Processor’s business premises;
2.1.3 The DPSA shall have without notice the right of access to the Data Processor’s business premises for purposes of this Clause 2; and
2.1.4 The Data Processor shall give prompt notice to the Data Controller of any development that may have a material impact on the Data Processor’s ability to perform services effectively under this Agreement and in compliance with applicable laws and regulatory requirements.
The Data Controller warrants and undertakes to:
3.1 The Personal Data has been collected, processed and transferred in accordance with the GDPR and all Applicable Data Protection law.
3.2 It has used reasonable efforts to determine that the Data Processor is able to satisfy its legal obligations under this DPA.
3.3 It will respond to enquiries from Data Subjects and the DPSA concerning processing of the Personal Data by the Data Controller, unless the parties have agreed that the Data Processor will so respond, in which case the Data Controller will still respond to the extent reasonably possible and with the information reasonably available to it if the Data Processor is unwilling or unable to respond. Responses will be made within a reasonable time and in accordance with the Applicable Data Protection law.
3.4 It will make available, upon request, a copy of this DPA to Data Subjects who are relevant to the processing, the subject matter of this DPA, unless this DPA contains confidential information, in which case it may redact such information. The Data Controller shall abide by a decision of the DPSA regarding access to the full text of this DPA by Data Subjects, as long as Data Subjects have agreed to respect the confidentiality of the confidential information removed. The Data Controller shall also provide a copy of this DPA to the DPSA where required.
The Data Processor warrants and undertakes that:
4.1 It will comply with all applicable law including Applicable Data Protection law in its performance of this DPA.
4.2 It will only process the Personal Data on the instructions of the Data Controller.
4.3 It will not transfer Personal Data to a Third Country, other than those about which Data Controller has been informed by Heroify in the moment of accepting this Agreement, without the prior written approval of the Data Controller and only then once the transfer to the Third Country has been legitimized and the Data Controller and the Data Processor are satisfied that an adequate Data Protection regime exists in the Third Country or adequate security measures, like EU Standard Contractual Clauses, has been implemented.
4.4 It will not appoint sub-processors to process the Personal Data on its behalf without the prior written approval of the Data Controller.
4.5 It will have in place appropriate technical and organizational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
4.6 It will obtain guarantees from any sub-processors processing the Personal Data, that they will have in place appropriate technical and organisational measures, and all measures pursuant to Article 32 of the GDPR, to protect the confidentiality of the Personal Data and to protect the Personal Data against accidental or unlawful destruction or accidental loss, alteration, unauthorised disclosure or access, and which provide a level of security appropriate to the risk represented by the processing and the nature of the data to be protected.
4.7 It will have in place procedures so that any individual party it authorises to have access to the Personal Data, including employees of the Data Processor, will respect and maintain the confidentiality and security of the Personal Data. Any person acting under the authority of the Data Processor shall be obligated to process the Personal Data only on instructions from the Data Processor. This provision does not apply to persons authorised or required by law or regulation to have access to the Personal Data.
4.8 It will not disclose any Personal Data to a third party in any circumstances other than at the specific written request of the Data Controller, unless such disclosure is necessary in order to fulfill the obligations of the DPA, or is required by applicable law.
4.9 It will notify the Data Controller of any request for information by the DPSA and will not disclose any Personal Data without the prior consent of the Data Controller.
4.10 It will notify the Data Controller of any complaint, notice or communication received which relates directly or indirectly to the processing of the Personal Data, or other connected activities, or which relates directly or indirectly to the compliance of the Data Processor and/or the Data Controller with relevant applicable law including Applicable Data Protection law.
4.11 It will give the Data Controller prompt notice of a Personal Data breach or a potential data breach, once becoming aware of it, and the Data Processor will cooperate with the Data Controller in implementing any appropriate action concerning the breach or the potential breach as the case may be, including corrective actions.
4.12 It will delete from its systems all soft copies of any Personal Data and return all soft and hard copy documentation on the completion of the Service Agreement or on request from the Data Controller and will do so in a timely manner, giving a written confirmation of it having been done. The only exception to this Clause 4.12 shall be where the Data Processor shall have a legitimate reason, which is confirmed by the Data Controller, to continue to process particular data or where it is legally required to maintain data records.
4.13 It will identify to the Data Controller a contact person within its organisation authorised to respond to enquiries concerning processing of the Personal Data, and will cooperate in good faith with the Data Controller, the Data Subject and the DPSA concerning all such enquiries within a reasonable time.
4.14 It will be capable of demonstrating its compliance with the obligations of Applicable Data Protection law.
5.1 Upon reasonable request of the Data Controller, the Data Processor will submit, and/or as appropriate its sub-processors will submit, data processing facilities, data files and documentation used for processing, reviewing, auditing and/or certifying by the Data Controller (or any independent or impartial inspection agents or auditors, selected by the Data Controller and not reasonably objected to by the Data Processor) to ascertain compliance with the warranties and undertakings in this Agreement, with reasonable notice and during regular business hours. The request will be subject to any necessary consent or approval from a regulatory or supervisory authority within the country of the Data Controller.
6.1 The Data Processor will assist the Data Controller, whenever reasonably required, in so
far as possible, to fulfill the Data Controller’s obligation to respond to requests for exercising the Data Subject’s rights as provided under Applicable Data Protection law and the Data Processor will have the appropriate organisational and technical measures in place to deal with Data Subject requests.
7.1 The Data Processor will not be liable for any claim brought by a Data Subject arising from any action by the Data Processor to the extent that such action resulted directly from the Data Controller’s instructions.
7.2 Except as provided for in Clause 7.1, the Data Processor shall indemnify the Data Controller for any monetary fine or penalty imposed on the Data Controller by the DPSA that results from the Data Processor’s breach of its obligations under this DPA.
This DPA shall in all respects be governed by and interpreted in accordance with the laws of Poland. The parties hereto hereby submit to the exclusive jurisdiction of the Polish Courts for all the purposes of this DPA.
9.1 In the event of a dispute or claim brought by a Data Subject or the DPSA concerning the processing of the Personal Data against either or both of the parties, the parties will inform each other about any such disputes or claims, and will cooperate with a view to settling them amicably in a timely fashion.
9.2 The parties agree to respond to any generally available non-binding mediation procedure initiated by a Data Subject or by the DPSA. If they do participate in the proceedings, the parties may elect to do so remotely (such as by telephone or other electronic means). The parties also agree to consider participating in any other arbitration, mediation or other dispute resolution proceedings developed for data protection disputes.
9.3 Each party shall abide by a decision of the DPSA which is final and against which no further appeal is possible.
10.1 In the event that either the Data Processor or the Data Controller is in breach of its obligations under this DPA, then either the Data Processor or the Data Controller may temporarily suspend the transfer of Personal Data to the Data Processor until the breach is repaired or the DPA is terminated.
10.2 The parties agree that the termination of this DPA at any time, in any circumstances and for whatever reason does not exempt them from the obligations and/or conditions under this DPA as regards the processing of the Personal Data transferred.
DESCRIPTION OF THE TRANSFER
The Personal Data transferred concern the following categories of Data Subjects:
Purposes of the transfer(s)
The transfer is made for the following purposes:
– This transfer is necessary for Heroify to provide Customers with services included in the T&C.
Categories of data
The Personal Data transferred concern the following categories of data:
Personal Data, including without limitation:
The Personal Data transferred may be disclosed only to the following recipients or categories of recipients:
– Google (Google Inc. based in the USA), provider of Google Cloud, the Service in which Heroify’s web application is hosted.
Sensitive Data (if appropriate)
The Personal Data transferred concern the following categories of Sensitive Data:
– No Sensitive Data will be transferred within this transfer.
Contact points for data protection enquiries:
Heroify’s Data Protection Officer: firstname.lastname@example.org