Terms and Conditions for Poplatek’s Personal Data Processing Activities

These terms and conditions are applied to Poplatek’s processing of personal data controlled by Poplatek’s Customer.

1. Definitions

Some terms used in the DPA and these terms and conditions are defined below:

“Customer” shall mean the company identified under Section 1 in the DPA.

“Controller” shall mean the Party identified under Section 1 in the DPA. In addition, the term controller shall be interpreted in accordance with Article 4 of the EU General Data Protection Regulation (EU 2016/679; the “GDPR”), where controller is given the meaning of a natural or legal person which, alone or jointly with others, determines the purposes and means of the processing of personal data.

“Poplatek” shall mean the company identified under Section 1 in the DPA belonging to the Poplatek group.

“Processor” shall mean the Party identified under Section 1 in the DPA. In addition, the term processor shall be interpreted in accordance with Article 4 of the GDPR, where processor is given the meaning of a natural or legal person which processes personal data on behalf of the controller.

“processing” shall have the meaning given to such term under Article 4 of the GDPR. Accordingly, processing means any operation or set of operations, which is performed on personal data, or sets of personal data, whether or not by automatic means.

“personal data” shall have the meaning given to such term under Article 4 of the GDPR. Accordingly, personal data means any information relating to an identified or identifiable individual (a “data subject”).

“personal data breach” shall have the meaning given to such term under Article 4 of the GDPR. Accordingly, personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

“Service Agreement(s)” shall mean such agreement(s) between Poplatek and the Customer on the supply of Poplatek’s products and services to the Customer, which involve processing by Poplatek of personal data controlled by the Customer, as identified under Section 3 in the DPA. The Service Agreement(s) set out the nature and purpose of the cooperation between the Parties as well as the responsibilities of the Processor and the Controller for the services to be provided.

2. Scope and Purpose

The purpose of the DPA is to agree upon the terms and conditions governing the processing of personal data (controlled by the Controller) by the Processor on behalf of the Controller in compliance with the requirements set by the GDPR and other applicable data protection legislation.

3. General Responsibilities and Instructions

The Controller is the owner of its personal data and is responsible for the accuracy, integrity and content reliability of such personal data. The Controller shall be responsible for its instructions to the Processor and the legality of the personal data processing in accordance with applicable data protection legislation. The Controller shall acquire all permits, consents and authorizations necessary for the processing covered by the Service Agreement(s), provide necessary information to the data subjects and provide notifications to the relevant authorities.

In its capacity as Processor, Poplatek shall process personal data only to fulfil its obligations under the Service Agreement(s). Such processing shall be carried out in accordance with the Service Agreement(s), the DPA, the Controller’s documented instructions and applicable data protection legislation.

The Processor shall inform the Controller if, in its opinion, an instruction by the Controller infringes applicable data protection legislation.

The Processor is entitled to use anonymous, aggregated or statistical information not identifying the Controller or data subjects that is derived from the services covered by the Service Agreement(s) to provide services to its other customers and to improve and develop its services.

4. Confidentiality and Security

The Processor shall ensure that all persons authorized to process the personal data of the Controller are bound by an obligation of confidentiality with respect to such personal data, and only process such personal data on instructions from the Controller, unless required to do so by European Union or Member State law.

The Processor shall implement agreed appropriate technical and organizational measures to ensure a level of security appropriate to the risk of processing, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing. This shall include at least measures to:

  1. implement and maintain technical and organisational measures for safeguarding the confidentiality, integrity, availability and resilience of systems and services processing personal data;
  2. restore the availability and access to personal data in a timely manner in the event of an incident;
  3. regularly test, assess and evaluate the effectiveness of technical and organisational measures for ensuring the security of the processing; and
  4. pseudonymize and/or encrypt personal data (if and to the extent this has specifically been agreed to by the Processor).

The agreed technical and organisational measures applied by the Processor are described in the ‘Poplatek Data Protection Policy’ and the ‘Poplatek Security Policy’.

5. Other Processor Obligations

The Processor shall assist the Controller by agreed technical and organizational measures in the fulfilment of the Controller’s obligation to respond to data subject requests relating to the exercise of their rights as laid down in Chapter III of the GDPR. In this respect, the Processor shall provide assistance only upon request by the Controller. Any request directed to the Processor by a data subject shall be referred by the Processor to the Controller without undue delay. Any assistance by the Processor outside the scope of the services agreed under the Service Agreement(s) shall be charged by the Processor at the then current rate applied by the Processor.

In case of a personal data breach, the Processor shall notify the personal data breach to the Controller without undue delay after becoming aware of such personal data breach (taking notice of the time limits set by the GDPR).

On request by the supervisory authority, the Processor shall cooperate with the supervisory authority in the performance of its tasks, and shall comply with decisions by the supervisory authority on security measures required to comply with the GDPR.

If and to the extent the Controller or the supervisory authority instructs the Processor to perform any measure, activity or action outside the scope of the services agreed to under the Service Agreement(s) or outside the scope of the Processor’s generally applied measures, activities or actions described in the Poplatek Data Protection Policy and/or the Poplatek Security Policy, then such instruction shall be considered as a request for additional services pursuant to the Service Agreement(s) and additional fees may apply.

6. Processing by Third Parties

The DPA shall constitute a general authorization by the Controller for the Processor’s use of sub-processors and a specific consent for the use of the sub-processors listed under Section 5 in the DPA.

The Processor shall inform the Controller of changes concerning its sub-processors, including the identity and location of new or replaced sub-processors. Where a sub-processor is engaged, the Processor shall ensure that the obligations of the Processor under the DPA will apply also to each sub-processor. Where a sub-processor fails to fulfil its data protection obligation, the Processor shall remain fully liable to the Controller for the performance of that sub-processor’s obligations.

In case the Controller objects to the use of a specific sub-processor, the Parties shall enter into good faith negotiations on how to resolve the issue. In case the negotiations do not solve the issue and the Controller opposes the Processor’s use of a specific sub-processor for a justified reason, the Controller shall, as a final remedy, be entitled to terminate the relevant Service Agreement(s).

All personal data processed by the Processor shall be stored within the EU/EEA. In case of any transfer of personal data by the Processor to a sub-processor outside the EU/EEA, the Processor shall ensure that the transfer is only made to (a) a country deemed by the Commission to have an adequate level of protection, or (b) entities having committed to the EU-US Privacy Shield or having entered into standard data protection clauses or provided other appropriate safeguards as described in Article 46 of the GDPR. Subject to the above and subject to the Processor keeping the Controller informed of transfers of personal data outside the EU/EEA, the Controller hereby consents to such transfers and the Processor is authorized to enter into such data protection clauses on the Controller’s behalf.

7. Audit Rights

The Processor may engage third party auditors to audit its systems and services in accordance with industry standards. Subject to the Processor’s policies and the Service Agreement(s), and only to the extent the Processor is not able to present a third party audit report or to the extent such third party audit report does not cover the Controller’s concern, the Processor shall make available to the Controller all information necessary to demonstrate compliance with the DPA and shall allow for audits by the Controller or its representatives (excluding the Processor’s competitors). The Controller shall give the Processor at least ten (10) working days’ notice before such audit. Any audit shall be carried out at the Controller’s expense in a time- and cost-efficient manner, without unnecessary disturbance to the Processor’s daily operations, and in a way that respects the Processor’s confidentiality obligations towards other customers and/or third parties. The Processor shall be entitled to charge the Controller on a time and materials basis for time spent and costs incurred due to the Controller’s audit.

8. Damages

The Processor shall compensate the Controller for damages incurred by the Controller as a result of fault or negligence by the Processor, or by a sub-contractor to the Processor, in the processing of personal data in breach of the Service Agreement(s) or the DPA.

The Parties’ liability for damages under the DPA shall be limited in scope and to the maximum amounts set out in the respective Service Agreement(s), except when limitations of liability are expressly prohibited under the applicable legislation.

9. Termination of Processing of Personal Data

Upon termination or expiry of the Service Agreement(s) and the Processor’s processing of personal data on behalf of the Controller, the Processor shall, in accordance with the Controller’s instructions, either return or destroy all data that includes personal data controlled by the Controller.

10. Applicable Law and Dispute Resolution

The DPA is interpreted, construed and governed in accordance with the applicable law set out in the relevant Service Agreement. Any disputes concerning the interpretation or application of the DPA shall be settled in accordance with the provisions on dispute resolution included in the relevant Service Agreement.