PERSONAL DATA PROCESSING ENTRUSTMENT AGREEMENT

ℹ️ This is an English translation provided for convenience. The legally binding version of this Agreement is the Polish one, available at gabinetonline.com.pl/dpo.html. In the event of any discrepancy between the language versions, the Polish version prevails.

concluded on the day of starting to use the GabinetOnline service between:

Rybczak i Wspólnicy spółka z ograniczoną odpowiedzialnością
with its registered office at: ul. Przyjemna 4, 44-264 Jankowice
KRS: 0000520491
VAT ID (NIP): 642-318-72-10
hereinafter referred to as the "Processor" or "Operator"

and

the User of the GabinetOnline Service
hereinafter referred to as the "Controller" or "User"

§ 1. Subject of the agreement and definitions

1. This agreement regulates the conditions and scope of the entrustment of personal data processing by the Controller to the Processor in connection with the provision of services via the GabinetOnline Service (gabinetonline.com.pl).

2. The agreement has been concluded in performance of Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR).

3. Whenever the Agreement refers to:

a) Personal data – this means any information relating to an identified or identifiable natural person within the meaning of Art. 4(1) GDPR;

b) Processing – this means an operation or set of operations performed on personal data within the meaning of Art. 4(2) GDPR;

c) the Controller – this means the User of the Service, who is the controller of personal data within the meaning of Art. 4(7) GDPR, independently determining the purposes and means of processing personal data;

d) the Processor – this means the Operator of the Service, who processes personal data on behalf of the Controller;

e) the Service – this means the GabinetOnline IT system available at gabinetonline.com.pl;

f) GDPR – this means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016;

g) a Personal data breach – this means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, personal data transmitted, stored or otherwise processed;

h) the Data subject – this means an identified or identifiable natural person whose data is processed.

§ 2. Scope of entrustment

1. The Controller entrusts, and the Processor accepts for processing on behalf of the Controller, the personal data of the following categories of data subjects:

  1. the Controller's contractors (clients of the hair, beauty or other salon run by the Controller),
  2. the Controller's employees,
  3. other persons whose data the Controller enters into the Service in connection with their business activity.

2. The entrusted personal data may include the following categories of data:

  1. identification data (first name, last name),
  2. contact data (email address, phone number, home address),
  3. data on the services provided and visit history,
  4. data on financial settlements,
  5. data entered by the Controller in the form of notes and comments,
  6. other data entered by the Controller into the Service.

3. The Processor processes personal data solely for the purpose of providing the Service's services specified in the Terms, in particular:

  1. storing and making data available to the Controller,
  2. enabling management of the database of contractors, services, materials and employees,
  3. sending notifications to contractors on the Controller's instructions (SMS and email messages),
  4. generating reports and documents,
  5. ensuring the functionality of the online booking system.

4. The processing of personal data by the Processor takes place for the duration of the service Agreement and for a period of 5 years from the end of the provision of services, in accordance with § 8(8) of the Terms.

§ 3. Obligations of the Processor

1. The Processor undertakes to:

  1. Process personal data solely on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest;
  2. Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. Implement and maintain all measures required under Art. 32 GDPR, in particular:
    1. encryption of data transmission using the SSL protocol with at least a 128-bit key,
    2. the use of access control mechanisms ensuring that only the Controller has access to the data via an individual password,
    3. performing regular backups of the data,
    4. maintaining the physical security of the data centre (monitoring, fire protection),
    5. regular software updates in respect of security patches;
  4. Take into account, when selecting technical and organisational measures, the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons;
  5. Assist the Controller, to the extent necessary, in fulfilling the Controller's obligation to respond to requests from a data subject exercising their rights under Chapter III of the GDPR;
  6. Assist the Controller in ensuring compliance with the obligations set out in Art. 32–36 GDPR, taking into account the nature of processing and the information available to the Processor;
  7. At the Controller's choice, delete or return to the Controller all personal data after the end of the provision of services relating to processing, and delete all existing copies thereof, unless Union or Member State law requires the storage of the personal data;
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller;
  9. Immediately inform the Controller if, in its opinion, an instruction issued by the Controller infringes the GDPR or other Union or Member State data protection provisions.

§ 4. Further entrustment of processing (sub-processors)

1. The Controller gives general consent to the Processor using the services of sub-processors.

2. The Processor may entrust the processing of personal data to the following categories of sub-processors:

  1. providers of hosting services and IT infrastructure,
  2. providers of SMS and email sending services,
  3. payment service providers (to the extent necessary to process payments),
  4. providers of backup and data recovery services.

3. The Processor undertakes to:

  1. impose on sub-processors, by contract or another legal act, the same data protection obligations as set out in this Agreement, in particular the obligation to provide sufficient guarantees to implement appropriate technical and organisational measures so that processing meets the requirements of the GDPR;
  2. inform the Controller of any planned changes concerning the addition or replacement of other processors by placing the information in a visible place in the Service at least 14 days in advance, thereby giving the Controller the opportunity to object to such changes;
  3. remain fully liable to the Controller for the performance of the obligations entrusted to a sub-processor if that sub-processor fails to fulfil its data protection obligations.

4. If the Controller objects to changes concerning sub-processors, the Controller has the right to terminate the Agreement with immediate effect.

§ 5. Personal data breach

1. The Processor undertakes to report each personal data breach to the Controller without undue delay, no later than within 24 hours of becoming aware of it.

2. The report referred to in paragraph 1 should contain at least:

  1. a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  2. the name and contact details of the data protection officer or another contact point from whom more information can be obtained;
  3. a description of the likely consequences of the personal data breach;
  4. a description of the measures taken or proposed by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

3. The Processor undertakes to cooperate with the Controller in clarifying the circumstances of the breach and taking remedial action.

4. A breach report should be made to the Controller's email address provided during registration in the Service.

§ 6. Audit and inspection

1. The Controller has the right to carry out an audit at the Processor's premises in order to verify the compliance of the processing of personal data with this Agreement and the requirements of the GDPR.

2. The audit may be carried out by the Controller in person or by an authorised auditor.

3. The Controller notifies its intention to carry out an audit at least 14 days in advance, indicating the proposed date and scope of the audit.

4. An audit may take place no more than once every 12 months, unless there are justified grounds indicating a breach of the provisions of the Agreement or of the GDPR.

5. The Processor undertakes to make available to the Controller or the auditor all information and documents necessary to carry out the audit.

6. The audit must not disrupt the normal functioning of the Processor's business and must be carried out with respect for the Processor's business secrecy and the data of the Processor's other clients.

§ 7. Liability and compensation

1. The Processor is liable for damage caused in connection with the processing of personal data where it has not fulfilled the obligations under the GDPR that are specifically directed at processors, or where it has acted outside or contrary to the lawful instructions of the Controller.

2. The Processor's total liability towards the Controller under this Agreement in a given calendar year may not exceed the amount corresponding to the annual value of the fees paid by the Controller for use of the Service.

3. The Processor is not liable for damage resulting from:

  1. the acts or omissions of the Controller,
  2. the Controller disclosing the access password to third parties,
  3. improper use of the Service by the Controller,
  4. circumstances for which the Processor is not liable under the Service Terms.

§ 8. Obligations of the Controller

1. The Controller declares that:

  1. it is the controller of personal data within the meaning of the GDPR and is entitled to entrust their processing to the Processor,
  2. it has an appropriate legal basis for processing the personal data,
  3. the personal data was collected lawfully,
  4. it has informed the data subjects of the entrustment of the processing of their personal data to the Processor, or will do so without delay.

2. The Controller undertakes to:

  1. give the Processor only lawful instructions concerning the processing of personal data,
  2. independently fulfil the information obligations towards data subjects,
  3. independently handle data subjects' requests concerning the exercise of their rights under the GDPR,
  4. immediately inform the Processor of any circumstances that may affect the processing of personal data.

§ 9. Term and termination of the agreement

1. The Agreement enters into force on the day the Controller starts using the Service and remains in force for the period of the provision of services specified in the Terms.

2. The Agreement terminates upon termination of the service Agreement in accordance with the Terms.

3. In the event of termination of the Agreement, the Processor, at the Controller's choice:

  1. will delete all personal data and any existing copies thereof, unless the law requires their storage, or
  2. will return all personal data to the Controller in an agreed format.

4. Notwithstanding the provisions of paragraph 3, the Processor has the right to store personal data for a period of 5 years from the end of the provision of services in accordance with § 8(8) of the Terms, solely for archival purposes and to the extent necessary to demonstrate the proper provision of services.

5. After the deletion of data referred to in paragraph 3(a), the Processor provides the Controller with written confirmation of their deletion.

§ 10. Final provisions

1. This Agreement forms an integral part of the GabinetOnline Service Terms.

2. In matters not regulated by this Agreement, the provisions of the GDPR and Polish law apply, in particular the Personal Data Protection Act of 10 May 2018.

3. Any amendments to the Agreement require written form under pain of nullity, subject to the provisions concerning amendments to the Terms.

4. In the event of a conflict between the provisions of this Agreement and the Terms, the provisions of this Agreement take precedence in respect of personal data protection.

5. The parties will endeavour to resolve any disputes arising in connection with the performance of this Agreement amicably. In the absence of agreement, disputes will be settled by the court competent for the Processor's registered office.

6. The Agreement was drawn up in Polish. This English version is a translation for convenience only; in the event of any discrepancy, the Polish version prevails.

7. By accepting the GabinetOnline Service Terms, the Controller simultaneously accepts the provisions of this personal data processing entrustment Agreement.

§ 11. Contact details for personal data protection matters

Processor (Operator):
Rybczak i Wspólnicy Sp. z o.o.
ul. Przyjemna 4, 44-264 Jankowice
Email: biuro@gabinetonline.com.pl
Phone: 514 14 55 65

Controller:
Contact details provided during registration in the Service