Data Processing Agreement

Interpretation and Definitions

The Controller (Customer) and the Processor (Operator) are hereinafter collectively referred to as “Parties” or each individually as a “Party”.

Whereas the Parties concluded an Agreement, the subject of which is the provision by electronic means, via the Application, of a service enabling desk and parking spot management (hereinafter: the Agreement), in connection with the execution of which the Controller – as a personal data controller – will entrust the Processor with the processing of personal data in the scope specified in this Agreement (hereinafter: DPA);

The parties have agreed to conclude a DPA as follows:

1. General provisions

1. To perform the Agreement, the Processor is entrusted with the processing of personal data to the extent indicated in Annex 1 to the DPA (hereinafter: Personal Data). The processing of Personal Data will be carried out on the terms set out in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals regarding the processing of personal data and on the free movement of such data and the repeal of Directive 95 / 46 / EC (hereinafter: GDPR).
2. The Controller declares that the Personal Data has been collected in accordance with applicable law and the Controller is authorized to entrust them to the Processor.
3. The Processor processes Personal Data only on the documented instructions of the Controller – whereas the DPA or additional instructions provided by the Controller during the execution of the Agreement in a documented manner, including in electronic form, constitute sufficient grounds for the processing of Personal Data by the Processor.
4. The Processor shall immediately inform the Controller if, in the opinion of the Processor, the instructions provided by the Controller violate the GDPR or other applicable provisions on the protection of personal data.

2. Principles of personal data processing

1. The Processor undertakes to secure the Personal Data by taking appropriate technical and organizational measures, in accordance with art. 32 of the GDPR. The Processor – regardless of the Controller – assesses the risk to the rights and freedoms of persons to whom the Personal Data relates, inextricably to the processing, and implements measures to reduce this risk.
2. The Processor declares that:
   1. keeps documentation describing the method of processing Personal Data and makes it available to the Controller upon request,
   2. the devices and IT systems in his possession used for the processing of Personal Data ensure the level of security defined as high,
   3. applies technical and organizational measures to ensure the protection of Personal Data, in particular, the protection of Personal Data against disclosure to unauthorized persons, removal by an unauthorized person, processing in violation of applicable law, in particular the GDPR, change, loss, damage or destruction, to the extent for which the entrusting person responds,
   4. the Processor does not decide on the purposes and means of processing the Data entrusted by the Controller and is not entitled to set up, possess or create any copies of documents containing Personal Data, including forms or databases saved in the form of paper or electronic documents, in e-mail, on computer disks and spreadsheets, if it is not necessary to achieve the goals set out in Appendix 1.
   5. will authorize the processing of Personal Data to all persons who will process them in connection with the execution of the Agreement.
   6. will only grant access to Personal Data to persons who have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality, and only on a restricted access basis. The list of persons granted access is periodically reviewed. The Processor, at the request of the Controller, shows that the persons who have access to the Personal Data are subject to the confidentiality principle.
   7. will notify the Controller about a breach of Personal Data protection without undue delay, no later than 48 hours from the moment of finding such a breach. Notification of a breach of Personal Data protection must at least:
      1. describe the nature of the breach, including, if possible, the categories and approximate number of data subjects, as well as the categories and approximate number of personal data entries affected by the breach;
      2. include the name and contact details of the data protection officer or the designation of another contact point from which more information can be obtained;
      3. describe the possible consequences of a breach of Personal Data protection;
      4. describe the measures taken or proposed by the Processor to address the data protection breach, including, where appropriate, measures to minimize its possible negative effects;

with the proviso that if – and to the extent – in which – the above-mentioned information cannot be provided at the same time, the Processor may provide it successively without undue delay.
The notification will be sent to the e-mail address provided by the Administrator in electronic correspondence. In the event of circumstances that may result in the liability of either Party regarding incorrect processing of Personal Data by the Processor, the Processor undertakes to take immediate action to remove these circumstances and prevent their occurrence in the future, and is obliged to immediately (no later than within 24 hours) notify the Controller in writing about this fact and provide the Controller with the necessary, legally permissible assistance in order to release the Controller from this liability. 

3. The Processor undertakes to immediately inform the Controller about any activities involving his own participation in matters related to Personal Data, carried out before the supervisory body, public administration authorities, the police or courts.
4. The Processor undertakes – at each request of the Controller – to provide the Controller with reliable and complete information regarding the Personal Data.
5. The Processor, if possible, through appropriate technical and organizational measures, helps the Controller, to the extent necessary, to fulfill the obligation to respond to the requests of the person to whom the Personal Data relates (in terms of exercising his rights set out in Chapter III of the GDPR) and to fulfill the obligations set out in art. 32-36 of the GDPR.
6. The Processor may not entrust the processing of Personal Data to other entities without obtaining the prior written consent of the Controller, except for entities whose list is attached as Annex 2 to the DPA. The Processor shall inform in writing and obtain the Controller’s approval of any intended change in the list of further processors. The Processor ensures that will only use the services of such further processors that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and protects the rights of the persons to whom the Personal Data relates. The Processor is responsible for the actions and omissions of further processors as for their own actions and omissions.
7. The Processor declares that there is no transfer of Personal Data to a third country as part of using the services of further processing entities, the list of which is Annex 2 to the Processing Agreement.
8. The Processor declares that Personal Data is transferred by some subprocessors (subprocessors marked in Annex 2 with the data transfer mechanism) outside the European Economic Area, including the USA, on the basis of standard contractual clauses (adopted by the Commission Implementing Decision (EU) 2021 / 914 of June 4, 2021) in accordance with art. 46 of the GDPR concluded with the providers of these services.
9. In addition, the Processor declares that in the case of data transfer outside the European Economic Area, additional security and measures are applied (in accordance with Article 45 of the GDPR), including:
   1. imposing an obligation on subprocessors to provide information that will enable proper risk assessment (e.g. information on the recipient’s procedures and security measures for data processing, etc.);
   2. requiring subprocessors to have information security certificates (i.e. ISO 27001/27018, SOC 2 Type II);
   3. processing personal data in data centers located in the European Economic Area;
   4. minimizing the scope of the data transferred to each of the subprocessors.

3. Duration of the Agreement for the entrustment of personal data processing

1. The DPA is valid for the duration of the Agreement.
2. The Controller may terminate the DPA with immediate effect when:
   1. the supervisory authority over the observance of the rules for the processing of personal data finds that the Processor or further processor does not comply with the rules for the processing of personal data,
   2. a final judgment of a common court proves that the Processor or further processor does not comply with the rules of personal data processing,
   3. The Controller, as a result of an inspection (audit) referred to in §4 of the DPA, finds that the Processor violates the provisions of the DPA or applicable law, or the Processor fails to comply with the post-inspection recommendations referred to in §4 section 6.

3. Upon completion of the provision of services covered by the Agreement by the Processor, the Processor shall immediately, within no more than 14 working days from the date of termination of the provision of services covered by the Agreement, destroy all copies of Personal Data in his possession, stored on any technologically possible carriers, except when will obtain a different title / legal basis for their processing than this processing DPA.

4. Right to control

1. The Controller, in accordance with art. 28 sec. 3, point h) GDPR has the right to control (audit) whether the measures used by the Processor when processing and securing Personal Data meet the provisions of the DPA and the GDPR.
2. The Controller will exercise the right to control during the working hours of the Processor and with a minimum of 5 days (working days) prior notice.
3. After the control (audit) has been carried out, the Controller’s representative draws up a post-control protocol, which is signed by representatives of both Parties.
4. The costs related to the inspection (audit) shall be borne by each of the Parties on their own, and the Processor shall not be entitled to claim reimbursement of such costs or to pay any additional remuneration for incurring such costs.
5. The Processor undertakes to remove the deficiencies found during the inspection within the period indicated by the Controller, not longer than 7 working days.
6. If the Processor receives consent from the Controller for further entrusting of Personal Data, it is obliged to provide, in the agreements with a further processors, the possibility of the Controller’s control (audit) of compliance of the processing of Personal Data by the further processor with the DPA.

5. Responsibility

The Processor is responsible for damages that arise to the Controller, persons to whom the Personal Data relates, or other third parties as a result of the processing of Personal Data by the Processor that is inconsistent with the Agreement or the provisions of the law, in particular in connection with the disclosure of Personal Data to unauthorized persons.

6. Final provisions

1. Any changes to the DPA shall be made in writing, otherwise null and void.
2. Any disputes arising from the DPA will be submitted to a common court having jurisdiction over the Controller’s headquarters.
3. The appendices constitute an integral part of the DPA.

Appendix 1 – The scope of entrusting personal data

a) Nature and purposes of processing:

Data processing in connection with the provision of a service enabling the desk and parking spot management accordance with the Agreement.

b) Categories of persons whose data is entrusted:

Employees and associates, regardless of the legal form of employment

c) Type of entrusted personal data:

Name and surname, e-mail address, vehicle registration numbers.

Appendix 2 – List of subprocessors

Appendix 3 – Description of implemented organizational and technical measures to protect personal data

1. Organizational security measures
   1. Organization of the Information Security Management System
      1. General and specific security standards have been defined that implement the assumptions of security policies in the field of information security, security of information systems, and security of people and property.
      2. Detailed procedures and instructions have been developed for the implementation of security standards in the field of information security, IT systems security, and the security of persons and property.
      3. Policies, standards, procedures, and instructions are subject to periodic reviews and updates approved by the top management of the Company.
   2. Roles and tasks
      1. Roles and tasks in the processes related to security management have been defined – people responsible for the implementation of each security policy have been appointed.
      2. For each asset (physical and electronic) of value to the organization, a responsible person (Resource Owner) has been appointed who has the responsibility for managing the security of the asset.
      3. Persons processing personal data on behalf of and on behalf of the Company received a personal authorization to process personal data.
      4. All persons authorized to process personal data have been covered by a system of internal training in the field of security and protection of personal data.
      5. All persons authorized to process personal data have been obliged to maintain confidentiality during the employment relationship and after its termination.
   3. Management of permissions and access
      1. A system for managing access rights to data carriers, rooms, zones, buildings, IT systems and elements of IT infrastructure and networks was developed.
      2. It has been ensured that persons authorized to process personal data are assigned minimum access rights, depending on the tasks performed.
      3. It has been ensured that access rights to personal data are ad hoc and periodically monitored and controlled.
      4. It has been ensured that the keys, access codes and access rights in the access control system for buildings, zones, rooms, or parts of rooms where personal data are processed are assigned to persons authorized to process personal data in accordance with the scope of authorization and the scope of tasks performed on given job position.
      5. It has been ensured that buildings, zones, rooms, or parts of rooms in which personal data are processed are protected against unauthorized access during the absence of persons authorized to stay in these rooms. Persons who are not authorized to stay in the premises used for the processing of personal data may stay there only under the supervision of authorized persons.
      6. The process of granting and withdrawing access rights to personal data, in particular IT systems, was developed and implemented.
      7. It has been ensured that a unique identifier that cannot be assigned to another person is assigned to each person authorized to access the information system, element of the IT infrastructure or network.
      8. Periodic reviews of all user access, system accounts, test accounts and general accounts are conducted and documented.
      9. It has been ensured that for each person authorized to access an IT system, an element of IT infrastructure or a network, authorization is carried out using secure methods of data transmission for authentication.
      10. It has been ensured that the access password established for each person authorized to access the IT system, element of the IT infrastructure or network is subject to audit procedures and changed within a specified period of time.
      11. A standard for secure transmission of passwords was developed and implemented in the event of the need to provide the user of the IT system with a temporary password.
      12. A standard for creating secure passwords for users of IT systems was developed and implemented.
   4. Security of the Service
      1. Elements of the network infrastructure used to process personal data are secured against loss of availability through the use and provision of maintenance services provided by manufacturers and distributors.
      2. Annual independent tests of the vulnerability of IT systems processing personal data to threats are carried out.
      3. Annual security vulnerability scans on platforms and networks processing personal data are carried out to ensure compliance with common security standards specifically related to system reinforcement.
      4. As a result of penetration testing, vulnerability scanning and compliance assessments, a risk-based remediation program is run periodically to leverage the lessons learned.
      5. A training program on the principles of safe software development was developed and provided.
      6. A software security testing program has been developed and provided.
   5. Change and incident management
      1. Change management principles have been developed and implemented for the approval, classification and testing of the back-out plan and segregation of responsibilities between application, approval, and implementation.
      2. A standard for secure software development has been developed and implemented.
      3. Procedures for managing and responding to security incidents are in place, which enable detection, investigation, response, mitigation, and notification of events that involve threats to the confidentiality, integrity and / or availability of personal data. Response and management procedures are documented, checked and reviewed at least annually.
   6. Privacy protection
      1. A standard has been developed and implemented on the analysis of the risk of violation of the fundamental rights and freedoms of data subjects and the loss of confidentiality, availability, and integrity of personal data at each stage of the product life cycle.
      2. A standard has been developed to maintain the principle of privacy protection in the software design phase.
      3. A standard was developed to maintain the privacy principle in the default settings at the software design stage.
2. Technical security measures
   1. Security of the processing area
      1. A minimum scope of technical security measures has been established to ensure the security of personal data. The type and scope of the applied additional technical security measures is determined individually depending on the identified threats, the required degree of protection and technical possibilities.
      2. Buildings and areas with rooms and their parts used for the processing of personal data are protected against access by unauthorized persons using access control systems, burglary and assault signaling system, surveillance system implemented by physical security personnel, mechanical or combination locks.
      3. Buildings and areas containing rooms and their parts used for data processing are protected against fire by using doors with increased fire resistance class.
      4. Buildings and areas containing rooms and their parts used for data processing shall be protected against damage due to fire or flooding using a fire alarm system and an intruder alarm system.
      5. Buildings and areas containing data processing rooms and parts shall be secured for the purpose of monitoring and identifying hazards and adverse events using a closed-circuit television system.
   2. Data transmission security
      1. Personal data transmitted by tele transmission is secured against loss of confidentiality and integrity by means of cryptographic personal data protection measures (data encryption in transit).
      2. Personal data provided by tele transmission is secured against loss of confidentiality using segmentation of ICT networks (network segmentation).
      3. Encryption keys for securing data tele transmission are stored in a safe place with access management and a demonstrated ability to restore the key.
   3. Database security
      1. Personal data stored in databases are secured against loss of integrity by applying consistency rules in the semantic scope (data type definition), entity scope (primary key definition) and in the reference scope (foreign key definition).
      2. Personal data is secured against loss of accountability using solutions that allow assigning specific activities to a specific person or IT system.
   4. IT infrastructure security
      1. Personal data is secured against loss of confidentiality by means of secure methods of authentication of access for persons and IT systems.
      2. Personal data is secured against loss of confidentiality and availability by monitoring the correctness of operation and the use of secure methods of access authentication for people and IT systems.
      3. Personal data is secured against loss of availability using additional, backup and backup sources of power for the IT infrastructure used to process personal data.
      4. Elements of the IT infrastructure used to process personal data (computers, servers, network devices) are protected against access by unauthorized persons and IT systems by using secure methods of access authentication.
      5. Elements of the IT infrastructure used for the processing of personal data are secured against unauthorized access, IT systems and loss of availability by monitoring the updating of the operating system and installed software.
      6. The elements of the IT infrastructure used for the processing of personal data are protected against access by unauthorized persons, IT systems and loss of availability using software such as Firewall, Intrusion Detection Systems, Intrusion Prevention Systems, Anti DDOS.
      7. Elements of the IT infrastructure used to process personal data are secured against loss of availability using multiplication, virtualization, and automatic scaling procedures.
      8. Elements of the IT infrastructure used to process personal data are secured against loss of availability using automatic processes for monitoring availability, load, and performance.
      9. Elements of the IT infrastructure used to process personal data are secured against loss of availability using backup power sources and automatic procedures for changing the power source.