Data-Processing Agreement
made on ________________________ in _______________ by and between:
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
__________________________________________________________________________
represented by:
hereinafter the ‘Controller’,
and
Accolade Pro Sp. z o.o. (limited-liability company) with its registered seat in Lublin (Poland), ul. Fryderyka Chopina 41/2, 20-023 Lublin, entered in the Register of Entrepreneurs of the National Court Register kept by the District Court Lublin Wschód in Lublin with its seat in Świdnik, VI Commercial Division of the National Court Register, under KRS number 0000902238, NIP 7123419208; represented by:
_________________________________
hereinafter the ‘Processor’;
both jointly referred to as the ‘Parties’.
Whereas:
- on _________ (date) the Parties entered into a service contract (hereinafter the ‘Main Contract’) with the subject-matter being the provision of access by the Processor to the Controller to the Accolade Pro Application and of services described in terms of service referred to in the Main Contract;
- the services provided by the Processor under the Main Contract involve the Processor’s carrying out of operations on personal data on behalf of the Controller;
- the Controller shall ensure that the processing of personal data on the Controller’s behalf takes place in accordance with Article 28(3) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as from the date of the latter’s application;
the Parties have agreed as follows:
§ 1
Definitions
Expressions used in this agreement shall have the following meaning:
- Regulation (EU) 2016/679 — Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) as from the date of its application;
- Main Contract — the Parties’ contract of _____________ (date);
- Services — the services referred to in the Main Contract;
- Controller — a natural or legal person, public body, unit or other entity determining independently or with others the purposes and methods of personal-data processing;
- Personal Data — data within the meaning of Article 4(1) of Regulation (EU) 2016/679, i.e. all information concerning an identified or identifiable natural person processed by the Processor for the purpose of performance of the Main Contract;
- Personal-Data breach — security breach leading to inadvertent or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to Personal Data sent, stored or otherwise processed;
- Supervisory Authority — an independent public body established by a member state in accordance with Article 51 of Regulation (EU) 2016/679;
- processing — operation or operations performed on personal data or on sets of personal data in an automated or non-automated manner, such as collecting, recording, organizing, ordering, storing, adapting or modifying, downloading, browsing, using, disclosing via sending, distributing or making available in some other way, matching or connecting, restricting, erasing or destroying;
- processor — natural or legal person, public body, unit or other entity processing personal data on behalf of the Controller or of the Processor;
- third state — a state that is not a member of the European Economic Area.
§ 2
Subject-Matter of the Agreement
The subject-matter of this Agreement is to set forth the terms of processing and protection of personal data processed by the Processor on the Controller’s behalf.
§ 3
Personal data processed by the Processor on the Controller’s behalf
1. The Controller entrusts to the Processor the processing of the personal data of persons whose data are processed in connection with the Controller’s use of the Accolade Pro application (hereinafter ‘Personal Data’) for the purposes of the provision of the services the Processor has agreed to perform under the Main Contract.
2. The Processor accepts the Personal Data for processing and agrees to process the same on the Controller’s behalf on the terms set forth in this Agreement.
3. The Personal Data entrusted to the Processor include without limitation:
   - name and surname,
   - e-mail address,
   - phone number,
   - financial information (including subscription type and client debt amount),
   - non-payment reason.
4. The Processor shall be entitled to perform on the Personal Data any automated or non-automated processing operations warranted by and necessary for the performance of the Services; the foregoing may include without limitation collecting, recording, organizing, ordering, updating, storing, archiving, modifying, downloading, copying, browsing, using, sharing, erasing or destroying.
5. The Processor shall be authorized to process the Personal Data solely for purposes relating to the performance of the Services provided to the Controller on the basis of the Main Contract.
6. The Controller entrusts to the Processor the processing of the Personal Data on the Controller’s behalf for the duration of this Agreement.
7. The Controller represents that the Controller has satisfied all the conditions of the legality of the processing of the Personal Data prescribed by the provisions of the law.
8. In the processing of the Personal Data, the Parties agree to comply with the principles set forth in Regulation (EU) 2016/679 and with the guidelines and recommendations on personal-data processing issued by the European Data Protection Council referred to in Article 68 of said Regulation.
9. For the purpose of proper performance of this Agreement, the Parties nominate below the contact persons for matters relating to the performance of this Agreement, one for each of the Parties, with stand-ins in the event of absence:
   - Contact persons on the Controller’s behalf:
     1. … — as the main contact person
     2. … — as the stand-in
   - Contact persons on the Processor’s behalf:
     1. Remi Labelle, remi.labelle@accolade-pro.com — as the main contact person
     2. Corentin Bernard, corentin.bernard@accolade-pro.com — as the stand-in
§ 4
Subprocessing
1. The Processor shall have the right to use the services of another processing entity during the processing of the Personal Data hereunder, on condition that the Controller is notified of each contemplated subprocessing of the Personal Data and of any contemplated changes relating to such other processing entities, including without limitation the replacement of the existing processing entity with another provider or the abandonment of the services of another processing entity, and subject to subsection 2 below. The current list of subprocessors is attached hereto as Annex 1, which forms an integral part of this Agreement and has been accepted by the Controller.
2. The Controller shall have the right to object to subprocessing by a service provider selected by the Processor within 14 days following receipt from the Processor of information concerning the contemplated subprocessing by another processing entity or the replacement of the existing processing entity with another provider. In the case of the Controller’s objection, any subprocessing by the entity objected to shall be inadmissible.
3. The Processor shall ensure that any other processing entity whose services the Processor contemplates engaging provides sufficient guarantees of the implementation of suitable technical and organizational measures for the processing, so as to ensure a level of data security adequate for the category of Personal Data entrusted thereto for processing and for the threats relating to the processing thereof, and to protect the rights of the data subjects.
4. The subprocessing referred to in § 4(1) shall be possible solely on condition that the Processor imposes on such other processing entity, by agreement, the same data-protection obligations as are imposed on the Processor hereunder.
5. Where the subprocessing involves the transfer of the relevant Personal Data to a third state that does not ensure an adequate level of data protection in its territory, and where there is no other basis enabling the transfer of the Personal Data to such third state, the Controller shall sign with the processor located in such third state an agreement containing:
   (a) the ‘Standard Contractual Clauses’ adopted by Commission Decision of 5 February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries, or
   (b) the ‘Standard Data Protection Clauses’ adopted in accordance with Articles 46(2)(c) and 46(2)(d) of Regulation (EU) 2016/679;
   or shall authorize the Processor to sign the aforesaid agreement on the Controller’s behalf. The conclusion of such an agreement with a processing entity located in a third state shall authorize the Processor to use the services of such processing entity in the processing of the Personal Data.
6. The agreements referred to in subsections 4 and 5 above shall be made in written form.
7. The Processor shall be fully liable to the Controller for any failure of a subprocessor engaged by the Processor to comply with such subprocessor’s data-protection obligations. In such case, the Controller shall be entitled to demand that the Processor cease to use the services of such entity in the processing of the Personal Data.
§ 5
The Processor’s Obligations
1. The Processor shall process the Personal Data solely upon the Controller’s documented instruction; the foregoing shall apply also to the transfer of personal data to a third state or international organization, with the proviso that instructions transmitted electronically or in writing shall be considered a documented instruction from the Controller. The above shall not apply where the processing of the Personal Data by the Processor is required by the law of the European Union or of the country of the Processor’s registered office. In such case, prior to the commencement of processing, the Processor shall notify the Controller of such legal requirement, save where such law prohibits the disclosure of such information on grounds of important public interest.
2. The Processor shall be responsible for the protection of any Personal Data entrusted thereto for processing.
3. The Processor shall implement technical and organizational measures ensuring the protection of the personal data entrusted to the Processor for processing, suitable for the threats and for the data category, and in particular shall protect the data from disclosure to or removal by an unauthorized person, unlawful processing, modification, loss, damage or destruction. The Processor shall keep documentation describing the measures referred to in the foregoing sentence and the method of processing of such personal data. The list of technical and organizational measures currently implemented by the Processor is attached hereto as Annex 2 and forms an integral part of this Agreement.
4. The Processor shall maintain control over what Personal Data have been collected in the Processor’s organization, and when, by whom and to whom they have been transferred.
5. At the Controller’s demand, the Processor shall inform the Controller of the location where the Personal Data are processed by the Processor and by the other processing entities referred to in § 4 of this Agreement.
6. In the processing of the Personal Data, the Processor shall comply with this Agreement and with the provisions of the law, and shall follow the policies, rules and guidelines provided by the Controller concerning the protection and confidentiality of the Personal Data, save where the application of the same would violate national or European data-protection provisions binding upon the Processor.
7. The Processor shall ensure that any persons authorized by the Processor to process personal data have accepted a commitment to the confidentiality of the Personal Data and of the means of protection thereof, both during the term hereof and thereafter.
8. The Processor shall comply with the service terms of the other processing entities referred to in § 4 hereof.
9. The Processor shall enable the Controller, or an auditor authorized by the Controller, to carry out the audits referred to in § 6 hereof and shall co-operate with such audits.
10. The Processor shall notify the Controller without delay of any proceedings, including without limitation administrative or judicial proceedings, concerning the processing of Personal Data by the Processor, of any administrative decision or ruling addressed to the Processor in respect of the processing of the Personal Data, and of any audit activities undertaken in respect of the Processor by the supervisory authority together with the outcome of such audit, where the scope of such audit covers the Personal Data entrusted to the Processor hereunder, save where the Processor is under an obligation of confidentiality with regard to information about the pending proceedings pursuant to the generally applicable provisions of the law, a judgment of a common court or administrative court, an administrative decision or another instrument addressed to the Processor by an authority competent to do so.
11. Upon discovery of a Personal-Data Breach, the Processor shall notify the Controller without undue delay, specifying:
    (a) the nature of the Personal-Data Breach, including without limitation, in so far as possible, the categories and approximate number of data subjects, and the categories and approximate number of Personal Data entries affected by the Personal-Data Breach;
    (b) a description of the possible consequences of the Personal-Data Breach;
    (c) a description of the measures deployed or contemplated by the Processor in order to remedy the Personal-Data Breach, including without limitation a description of the actions taken to minimize any negative effects of the Personal-Data Breach.
12. The Processor shall share with the Controller any information necessary to demonstrate the Controller’s compliance with the obligations set out in this section of the Agreement.
13. The Processor shall undertake all measures required under Article 32 of Regulation (EU) 2016/679 in order to ensure the security of the Personal Data.
14. The Processor, taking into account the nature of the processing, shall in so far as possible assist the Controller, through suitable technical and organizational measures, in complying with the obligation to respond to requests of data subjects exercising their rights set out in Chapter III of Regulation (EU) 2016/679; in particular, the Processor shall notify the Controller of any questions or requests received from data subjects. The Processor shall forward the aforesaid information without delay, and no later than 3 days following receipt of such question or request from a data subject. The Processor shall not be authorized to respond to questions or act upon requests from data subjects, in particular not without consulting the Controller.
15. The Processor, taking into account the nature of the processing and the information available to the Processor, shall assist the Controller in complying with the obligations set out in Articles 32 to 36 of Regulation (EU) 2016/679.
16. In connection with the obligations set out in subsections 9 and 12 above, the Processor shall notify the Controller without delay if, in the Processor’s opinion, an instruction issued by the Controller constitutes a violation of Regulation (EU) 2016/679 or of other provisions of the European Union or of the country of the Processor’s registered office in respect of personal-data protection.
17. The terms contained in § 4(5)(b) and § 5(13–16) shall apply as from the day of entry of this Agreement into force.
§ 6
The Right of Audit
1. The Controller shall have the right to audit the data processing to verify that the Processor is in compliance with the obligations set out in § 5 hereof.
2. The Parties agree upon the following terms for carrying out the audit referred to in subsection 1 above:
   (a) The audit may consist both in a demand for the submission of documents and information pertaining to the data processing, and in audit activities carried out at the location of data processing on business days (meaning Monday to Friday, excluding Saturdays and holidays), 10.00 a.m. to 4.00 p.m., upon prior notice to the Processor by e-mail to legal@accolade-pro.com of the date, time and scope of such audit, at least 14 days prior to the commencement of such audit.
   (b) The Controller shall carry out the audit in person or through independent external auditors authorized by the Controller to carry out the audit on the Controller’s behalf.
   (c) The audit activities referred to in § 6(2)(a) may consist, without limitation, in the making of:
      - notes of activities carried out (including without limitation notes of explanations received and inspections carried out);
      - copies of documents pertaining to data processing, to the extent such documents refer to the processing of Personal Data for the purpose of performing the Main Contract;
      - prints of Personal Data from IT systems, to the extent such prints refer to the processing of Personal Data for the purpose of performing the Main Contract;
      - prints or copies of images shown on the displays of devices comprised in the IT systems used for the data processing, to the extent such images refer to the processing of Personal Data for the purpose of performing the Main Contract;
      - copies of records of registers from IT systems, to the extent the same refer to the processing of Personal Data for the purpose of performing the Main Contract;
      - records of the technical configurations of the means of protection of the IT systems where the Personal Data are processed, to the extent the same refer to the processing of Personal Data for the purpose of performing the Main Contract.
3. The Controller shall provide the Processor with a copy of the audit report. If the audit reveals non-compliance of the Processor’s conduct with this Agreement or with the data-protection provisions the Processor is obliged to comply with, the Processor shall bring the data processing into compliance with the terms of this Agreement or with the provisions with which the audit report found it to be out of compliance.
§ 7
The Parties’ Liability
1. The Processor shall be liable for such damage to the property of the Controller or of third parties as arises from the Processor’s processing of the Personal Data out of compliance with this Agreement, due to the exclusive fault of the Processor or of persons for whose actions or omissions the Processor is responsible.
2. In the case of non-performance or improper performance of this Agreement by the Processor, the Processor agrees to pay damages according to the general rules.
§ 8
Miscellaneous
1. This Agreement is made for the duration of the Main Contract.
2. Termination of the Main Contract by notice shall result in the simultaneous termination of this Agreement.
3. If the outcome of the audit referred to in § 6 hereof, or of an audit of the Processor or a subprocessor carried out by the supervisory authority, demonstrates that the Processor has culpably breached the terms of this Agreement, or if the Processor fails to comply with the demand referred to in § 4(7) hereof, the Controller shall have the right to terminate this Agreement with immediate effect.
4. In the case of termination of this Agreement, the Processor shall, depending on the Controller’s decision, either erase or return to the Controller any Personal Data entrusted, including without limitation any media containing Personal Data, and shall without delay irretrievably destroy any copies of documents and records containing the Personal Data on any media that are not subject to return to the Controller, save where the law of the European Union or of the country of the Processor’s registered office requires the Processor to retain the Personal Data. In such case, the Processor shall be responsible for the processing of the aforesaid data as a controller.
5. The Processor shall comply with the obligation referred to in subsection 4 above without delay, and no later than 14 days following termination hereof.
6. Any amendments or supplementations hereof shall be made in written form or else be null and void.
7. For matters not regulated by this Agreement, the provisions of the Polish Civil Code and of Regulation (EU) 2016/679 shall apply, the latter as from the day of application thereof.
8. Any disputes arising from the legal relationship covered by this Agreement shall be resolved by the court having jurisdiction over the Processor’s registered office.
9. This Agreement was made in two counterparts to the same effect, one for each of the Parties.
Controller Processor
Annex 1
List of Sub-Processors
Annex 2
Technical and Organizational Measures (TOMs)
- This Annex forms an integral part of the Data Processing Agreement.
- Accolade Pro has implemented the following technical and organizational measures to ensure an adequate level of protection for the Personal Data processed on behalf of the Controller:
1. Access Control (to systems and data)
   Measures to ensure that only authorized individuals have access to personal data:
   - Role-based access management (RBAC)
   - Individual user accounts (no shared logins)
   - Password policies (minimum length, expiration)
   - Session timeouts and automatic logouts
   - Access requests and approvals are logged and archived
   - Periodic (at least quarterly) access-rights reviews
2. Data Encryption, Retention and Backup Recovery
   Measures to ensure data confidentiality during transmission and storage, and data resilience:
   - TLS 1.2 or higher for all data in transit (e.g. HTTPS, secure API calls)
   - Encryption of data at rest using industry standards (e.g. AES-256)
   - Encrypted backups and keys
   - Passwords stored using industry-standard security levels
   - Automated daily backups with versioning
   - Backup retention policy (e.g. 30 days)
   - Clients can request deletion or export of data at any time
3. Logging, Monitoring, and Incident Response
   Measures to detect and respond to incidents:
   - Logs are protected from unauthorized modification or deletion
   - Employees know how to report security incidents internally
   - Regular review of logs and automated alerts for anomalies
4. Organizational Security
   Measures to promote security culture and accountability:
   - Confidentiality clauses in employment contracts
   - Access to personal data is restricted to trained staff only
   - Security policies and procedures are made available to staff
   - Contractors and freelancers sign NDAs and receive an onboarding security briefing