Below, we present the Data Processing Agreement, which is an Annex to the REGISTO service Regulations and constitutes an integral part thereof.
You can find the content of the REGISTO service Regulations here.
Attachment to the Terms and Conditions
PERSONAL DATA PROCESSING AGREEMENT (Data Processing Agreement)
Concluded on the day when the Service Recipient (specified in the REGISTO service Regulations, hereinafter referred to as the ‘Regulations’) accepted the Regulations, to which this Data Processing Agreement is attached (hereinafter referred to as the ‘Data Processing Agreement’ or ‘Agreement’), between the Service Recipient, hereinafter referred to as the ‘Controller’, and
the Service Provider, i.e., NSF sp. z o.o. with its registered office in Opole, at Technologiczna 4 Street, 45-839 Opole, entered into the National Court Register kept by the District Court in Opole, VIII Economic Division of the National Court Register, under the KRS number: 0000671135, NIP: 7543144787, REGON: 366913754, share capital: PLN 100,000.00, hereinafter referred to as the ‘Data Processor’.
In connection with the conclusion of an Agreement for the provision of electronic services between the Controller and the Data Processor, and since this Data Processing Agreement is necessary for the achievement of the purposes arising from this Agreement, on the basis of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as ‘GDPR’), the parties enter into an Agreement with the following content:
I. DATA PROCESSING AGREEMENT
- The Controller declares that they are the Controller of personal data of individuals employed by them, to the extent to which they entrust such data for processing to the Data Processor. The Controller further declares that they have completed all necessary actions in accordance with the General Data Protection Regulation (GDPR) and other applicable legal provisions, and also that they have the appropriate legal basis for the processing of such data.
- The Controller entrusts the Data Processor with the processing of personal data in accordance with the principles and purposes specified in this Agreement.
- The Data Processor undertakes to process the personal data entrusted to them in accordance with this Agreement, the General Data Protection Regulation (GDPR), and other applicable laws governing the protection of the rights of individuals whose data is processed.
- The Data Processor, as the entity processing the entrusted data, declares that they have implemented appropriate technical and organizational measures to ensure an adequate level of security for the processing of personal data, in compliance with the requirements of the General Data Protection Regulation (GDPR), and effectively safeguards the rights of the individuals whose data is processed.
II. SCOPE AND PURPOSE OF DATA PROCESSING
- The Controller entrusts the Data Processor with the processing of personal data of individuals employed by them, including business-related data, encompassing:
  - First name and last name,
  - PESEL number,
  - Phone number,
  - Email address,
  - Occupied position,
  - Data related to working hours,
  - Data related to absences,
  - IP address of the registering device (with an installed application for timekeeping),
  - Geolocation data of the registering device (with an installed application for timekeeping).
- If, in connection with using services provided by the Data Processor, the Controller introduces personal data other than those listed in paragraph 1 above, the Controller also entrusts them for processing by the Data Processor under the terms of this Agreement.
- The entrusted personal data will be processed by the Data Processor solely for the proper implementation of the Agreement for the provision of electronic services based on the applicable REGISTO service Regulations and only during the term of the Agreement for the provision of services between the Controller and the Data Processor.
- The Data Processor, as part of achieving the purpose of processing the entrusted personal data, is authorized to perform operations on personal data, such as: recording, organizing, sorting, storing, viewing, modifying, restricting, and deleting.
III. EXECUTION METHOD OF THE AGREEMENT REGARDING THE PROCESSING OF PERSONAL DATA
- The Controller declares that they have the consent of the individuals employed by them to entrust their personal data specified in point II, paragraph 1 to the Data Processor, or that they transfer the aforementioned personal data of the employed individuals in accordance with the law, indicating that they are legally authorized. In the event of any claims by the aforementioned individuals against the Data Processor related to the irregularity of this declaration (challenging the legality of transferring their personal data), the Controller will release the Data Processor from any claims, join ongoing processes, and reimburse all costs incurred by the Data Processor, including legal costs, compensation, etc.
- The Data Processor, in processing the entrusted personal data, undertakes to implement all measures required by the GDPR, including appropriate technical and organizational measures as referred to in Article 32 of the GDPR, to ensure a level of security appropriate to the risk associated with the processing of personal data.
- The Data Processor undertakes to exercise due diligence in the processing of the entrusted personal data. The Data Processor ensures that individuals authorized by them to process the entrusted personal data are trained in the field of personal data protection and are obligated to maintain the confidentiality of the processed data, both during the term of the Agreement and after its termination.
- After the termination of the agreement or the completion of service provision, the Data Processor will allow the Controller to download the data and promptly delete the Controller’s account, along with all existing data and copies, unless Union law or Polish law requires the retention of personal data.
- The Data Controller, to the extent possible, assists the Controller in fulfilling the obligation to respond to requests from the data subject and in fulfilling its obligations as defined in Articles 32-36 of the GDPR, through appropriate technical and organizational means.
- In the event that the data subject directly approaches the Data Processor with a request, the Data Processor promptly informs the Controller of the received request. The Controller is solely responsible for preparing a response to the data subject’s request.
- In the event of a breach of the protection of the entrusted data, the Data Processor undertakes to promptly report this fact to the Controller. The Data Processor takes immediate actions to mitigate and rectify the negative consequences of the data breach.
- The Data Processor is responsible for providing or using the entrusted personal data in violation of the terms of this Agreement, especially for disclosing them for processing to unauthorized persons. The Data Processor is liable for actual damages caused by processing personal data in a manner that violates the GDPR, unless it has fulfilled the obligations imposed on it by the GDPR or acted outside the lawful instructions of the Controller, who is the administrator of the personal data of the employed individuals entrusted to the Data Processor.
- The Data Processor is responsible for the actions of its employees and other individuals through whom it processes the entrusted personal data, as if they were its own actions and omissions.
- The Data Processor may subcontract the personal data covered by this Data Processing Agreement for further processing to another subcontractor to fulfill the Agreement, after prior detailed notification to the Controller about the further subcontracting of personal data, and obtaining the written, including electronic, consent of the Controller. The Controller may object to the further subcontracting of data.
- The Data Processor declares that it will subcontract the processing of personal data only to entities that provide sufficient guarantees of implementing appropriate technical and organizational measures to ensure that the processing meets the requirements of the GDPR and protects the rights of the individuals whose data is processed, and that they guarantee the highest level of services provided and the processing of personal data within the European Economic Area.
- The Data Processor bears full responsibility towards the Controller for failing to fulfill its obligations regarding data protection.
IV. CONFIDENTIALITY MAINTENANCE PRINCIPLES
- The Data Processor undertakes to keep confidential all information, materials, documents, and personal data received from the Controller and cooperating individuals, as well as data obtained in any other way, whether intentional or accidental, in oral, written, or electronic form.
- In connection with the obligation to maintain the confidentiality of the data mentioned in paragraph 1 above, the Data Processor declares that without the written consent of the Controller, this data will not be disclosed, used, or made available for any purpose other than the performance of the Agreement, unless the need to disclose it arises from generally applicable legal provisions.
- The parties undertake to make every effort to ensure that the communication means used for receiving, transmitting, and storing confidential data guarantee the security of confidential data, including, in particular, personal data entrusted for processing, against access by third parties unauthorized to access their content.
V. RIGHT OF CONTROL
- The Controller, in accordance with Article 28(3)(h) of the GDPR, has the right to control whether the measures applied by the Data Processor in the processing and protection of the entrusted personal data comply with the provisions of the Agreement.
- The Controller is entitled to verify the compliance with the principles of personal data processing under the GDPR and this Agreement by the Data Processor.
- The notice of the intention to carry out an audit should be provided to the Data Processor at least 14 days before the commencement of the activities, with the timing of the audit requiring prior agreement by both parties. The Controller may exercise the right of audit during the working hours of the Data Processor. Any costs associated with the audit are borne solely by the Controller.
- The audit will be conducted by a qualified external entity specializing in information security and personal data protection, approved by both the Data Controller and the Data Processor. The auditor cannot be an entity engaged in competitive activities with the Data Processor, nor can it be affiliated with, an employee of, or a cooperating entity with the Data Processor, regardless of the basis of employment or cooperation. Before commencing the audit activities, the auditor must provide assurance of maintaining the confidentiality of the acquired information.
- The Data Processor undertakes to comply with the recommendations of the Data Controller or the entity authorized by the Data Controller, regarding the improvement of the quality of personal data protection and the manner of their processing. The Data Processor also commits to rectifying any identified deficiencies during audits within a period specified by the Data Controller, not exceeding 14 days.
- The Data Processor provides the Data Controller with all necessary information to demonstrate compliance with the obligations defined in Article 28 of the GDPR.
VI. DURATION OF THE DATA PROCESSING AGREEMENT
- This Data Processing Agreement shall enter into force on the date of its conclusion and shall remain in effect for the duration of the provision of services until the data is deleted.
- The agreement shall be terminated upon the cessation of the use of services provided by the Data Processing Entity.
- After the provision of services related to the processing of the entrusted data has concluded, the Data Processing Entity returns the personal data to the Administrator and deletes all existing copies or provides confirmation of their destruction in electronic form, unless Union law or Polish law requires the retention of personal data.
VII. FINAL PROVISIONS
- This Agreement supersedes any prior agreements and arrangements regarding the processing of personal data.
- In case of any inconsistency between the provisions of this Agreement and the REGISTO service Regulations, the provisions of this Agreement shall take precedence.
- All changes to the Data Processing Agreement will be published on the REGISTO service website as an annex to the Regulations, and additionally, the Administrator will be notified by email of the changes 14 days before they come into effect.
- In matters not regulated herein, the provisions of the Civil Code and the GDPR shall apply.
- The competent court for the resolution of disputes arising from this agreement will be the court having jurisdiction over the Processing Entity.
Update as of July 1, 2023.