ℹ️ This is an English translation provided for convenience. The legally binding version of this Agreement is the Polish one, available at gabinetonline.com.pl/dpo.html. In the event of any discrepancy between the language versions, the Polish version prevails.
concluded on the day of starting to use the GabinetOnline service between:
Rybczak i Wspólnicy spółka z ograniczoną odpowiedzialnością
with its registered office at: ul. Przyjemna 4, 44-264 Jankowice
KRS: 0000520491
VAT ID (NIP): 642-318-72-10
hereinafter referred to as the "Processor" or "Operator"
and
the User of the GabinetOnline Service
hereinafter referred to as the "Controller" or "User"
1. This agreement regulates the conditions and scope of the entrustment of personal data processing by the Controller to the Processor in connection with the provision of services via the GabinetOnline Service (gabinetonline.com.pl).
2. The agreement has been concluded in performance of Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).
3. Whenever the Agreement refers to:
a) Personal data – this means any information relating to an identified or identifiable natural person within the meaning of Art. 4(1) GDPR;
b) Processing – this means an operation or set of operations performed on personal data within the meaning of Art. 4(2) GDPR;
c) the Controller – this means the User of the Service, who is the controller of personal data within the meaning of Art. 4(7) GDPR, independently determining the purposes and means of processing personal data;
d) the Processor – this means the Operator of the Service, who processes personal data on behalf of the Controller;
e) the Service – this means the GabinetOnline IT system available at gabinetonline.com.pl;
f) GDPR – this means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;
g) a Personal data breach – this means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed;
h) the Data subject – this means an identified or identifiable natural person whose data is processed.
1. The Controller entrusts, and the Processor accepts for processing on behalf of the Controller, the personal data of the following categories of data subjects:
2. The entrusted personal data may include the following categories of data:
3. The Processor processes personal data solely for the purpose of providing the Service's services specified in the Terms, in particular:
4. The processing of personal data by the Processor takes place for the duration of the service Agreement and for a period of 5 years from the end of the provision of services, in accordance with § 8(8) of the Terms.
1. The Processor undertakes to:
1. The Controller gives general consent to the Processor using the services of sub-processors.
2. The Processor may entrust the processing of personal data to the following categories of sub-processors:
3. The Processor undertakes to:
4. If the Controller objects to changes concerning sub-processors, the Controller has the right to terminate the Agreement with immediate effect.
1. The Processor undertakes to report each personal data breach to the Controller without undue delay, no later than within 24 hours of becoming aware of it.
2. The report referred to in paragraph 1 should contain at least:
3. The Processor undertakes to cooperate with the Controller in clarifying the circumstances of the breach and taking remedial action.
4. A breach report should be made to the Controller's email address provided during registration in the Service.
1. The Controller has the right to carry out an audit at the Processor's premises in order to verify the compliance of the processing of personal data with this Agreement and the requirements of the GDPR.
2. The audit may be carried out by the Controller in person or by an authorised auditor.
3. The Controller notifies its intention to carry out an audit at least 14 days in advance, indicating the proposed date and scope of the audit.
4. An audit may take place no more than once every 12 months, unless there are justified grounds indicating a breach of the provisions of the Agreement or of the GDPR.
5. The Processor undertakes to make available to the Controller or the auditor all information and documents necessary to carry out the audit.
6. The audit must not disrupt the normal functioning of the Processor's business and must be carried out with respect for the Processor's business secrecy and the data of the Processor's other clients.
1. The Processor is liable for damage caused in connection with the processing of personal data where it has not fulfilled the obligations under the GDPR that are specifically directed at processors, or where it has acted outside or contrary to the lawful instructions of the Controller.
2. The Processor's total liability towards the Controller under this Agreement in a given calendar year may not exceed the amount corresponding to the annual value of the fees paid by the Controller for use of the Service.
3. The Processor is not liable for damage resulting from:
1. The Controller declares that:
2. The Controller undertakes to:
1. The Agreement enters into force on the day the Controller starts using the Service and remains in force for the period of the provision of services specified in the Terms.
2. The Agreement terminates upon termination of the service Agreement in accordance with the Terms.
3. In the event of termination of the Agreement, the Processor, at the Controller's choice:
4. Notwithstanding the provisions of paragraph 3, the Processor has the right to store personal data for a period of 5 years from the end of the provision of services in accordance with § 8(8) of the Terms, solely for archival purposes and to the extent necessary to demonstrate the proper provision of services.
5. After the deletion of data referred to in paragraph 3(a), the Processor provides the Controller with written confirmation of their deletion.
1. This Agreement forms an integral part of the GabinetOnline Service Terms.
2. In matters not regulated by this Agreement, the provisions of the GDPR and Polish law apply, in particular the Personal Data Protection Act of 10 May 2018.
3. Any amendments to the Agreement require written form under pain of nullity, subject to the provisions concerning amendments to the Terms.
4. In the event of a conflict between the provisions of this Agreement and the Terms, the provisions of this Agreement take precedence in respect of personal data protection.
5. The parties will endeavour to resolve any disputes arising in connection with the performance of this Agreement amicably. In the absence of agreement, disputes will be settled by the court competent for the Processor's registered office.
6. The Agreement was drawn up in Polish. This English version is a translation for convenience only; in the event of any discrepancy, the Polish version prevails.
7. By accepting the GabinetOnline Service Terms, the Controller simultaneously accepts the provisions of this personal data processing entrustment Agreement.
Processor (Operator):
Rybczak i Wspólnicy Sp. z o.o.
ul. Przyjemna 4, 44-264 Jankowice
Email: biuro@gabinetonline.com.pl
Phone: 514 14 55 65
Controller:
Contact details provided during registration in the Service