Attachment no. 1 to the SARE System usage Regulations
General terms of the personal data processing contract within the scope of the SARE System
I. General provisions
1. The present General Terms constitute a data processing contract as understood by art. 28 section 3 of the GDPR and a documented order of the data controller as understood by art. 28 section 3 letter a) of the GDPR.
2. The General Terms are concluded between the User and Digitree in relation to and at the moment of acceptance of the SARE Regulations by the User, and constitute an integral part thereof.
3. Acceptance of the Regulations, and hence, the General Terms, is necessary to make use of the SARE System.
4. Within the scope of the General Terms, the Provider (User) contracts the Processor (Digitree) to process Personal Data within the scope and for the purpose set forth by the General Terms, and orders the Processor to process them.
II. Definitions
The words and phrases used in the General Terms have the following meanings:
1. Data Controller – SARE System User, being the controller of the Personal Data as understood by art. 4 p. 7) of the GDPR, meaning, the controller of the personal data introduced by the User into the SARE System in relation to usage of the SARE System.
2. Personal Data – personal data as understood by art. 4 p. 1) of the GDPR, provided by the Provider to the Processor for processing based on the conditions described in the Terms.
3. Digitree/ Processor – the company Digitree Group S. A. with seat in Rybnik, Poland, being a Party to the Terms.
4. Recipient – a natural person, whose data was entered into the SARE System, to whom messages transmitted via the SARE System are directed, and the controller of whose data is the User, reserving p. III.2 of the SARE System Regulations.
5. Terms – the present General data processing contract terms constituting an integral part of the SARE System Regulations.
6. Subcontractors – entities, the services of which are made use of by the Processor for the purpose of execution of the general contract (SARE Regulations and Terms), as indicated under item VII of the Terms.
7. SARE Regulations – the regulations of use of the SARE System, of which the Terms constitute an integral part.
8. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27th, 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
9. User/ Provider – a User of the SARE System, being a party to the Terms and to the contract concluded on the basis of the SARE Regulations.
10. SARE System – a piece of software, not requiring installation on the User’s computer, used for the purpose of marketing as well as integrated and precisely targeted communication over e-mail and mobile (SMS) channels using Users’ own databases.
III. Statements of the Provider
1. The Provider states that:
a. they are the Controller of the Personal Data, reserving item III.2,
b. the Personal Data have been lawfully collected by them,
c. they have the legal basis to process the Personal Data of the Recipients,
d. they are entitled to contract the Processor to process the Personal Data within the scope and for the purpose set forth in the Terms.
2. If the Provider is not the Controller, then at the latest on the day of conclusion of the present Contract (Terms):
a. they shall notify the Processor about this by e-mail sent to iod@digitree.pl,
b. they shall indicate, at least by e-mail, their position in terms of the relationship, meaning, being co-controller or a processing entity, and,
c. they shall provide the data of the correct Personal Data Controller and their Personal Data Protection Representative.
In such a case, the provisions of the Terms are applied accordingly.
IV. Personal Data
1. The Personal Data apply to the following categories of persons: Recipients.
2. Depending on the mode, in which the Provider would make use of the SARE System, the Provider provides to the Personal Data Processor Personal Data within the following scope (Personal Data types):
a. E-mail address of the Recipient and/ or phone number of the Recipient,
b. other types of Personal Data described individually by the User within the Database Structure within the scope of the SARE System.
3. The User may undertake to change the type of Personal Data provided to the Processor by using the electronic form available within the SARE System to determine the properties of the Data. The change of the type of the provided Personal Data is made the moment it is introduced to the SARE System by the User, on the basis of regulations set forth in the preceding sentence.
4. It is absolutely forbidden to introduce into the SARE System, without clear and specific consent of the Processor, particular categories of personal data (concerning the health condition, the racial or ethnic background, political views, religious or worldview affiliations, membership in trade unions, genetic data, biometric data). If the Provider would plan to introduce such data types into the SARE System, they have to notify the Processor about this beforehand, acquire their express and specific consent and agree with them on the scope of this Personal Data, and any possible additional conditions that may need to be fulfilled.
5. The Personal Data shall be processed to execute the object of the contract concluded on the basis of the SARE Regulations as the general contract.
V. Obligations of the Processor
1. The Processor is obliged to process the Personal Data with due care, in line with the provisions of the law and the Terms.
2. The Processor states that they have implemented the relevant necessary technical and organisational resources so that the processing of Personal Data would conform to the requirements set forth in the provisions of the law, protecting the rights of the concerned persons.
3. The Processor shall in particular:
a. process the Personal Data pursuant to documented orders of the Controller (e.g. respectively the Provider), on the basis of the accepted SARE Regulations and the Terms,
b. make sure that the persons authorised to process the Personal Data are bound to keep confidentiality of the Personal Data or are bound by a relevant statutory obligation to maintain confidentiality,
c. undertake all resources required by virtue of art. 32 of the GDPR, in particular – apply the technical and organisational resources to ensure protection of the Personal Data submitted for processing, as relevant for the hazards and categories of the Personal Data covered by the protection, in particular securing the Personal Data against their provision to unauthorised persons, takeover by unauthorised persons, fraudulent processing as well as change, loss, damage or destruction,
d. adhere to the conditions of use of services of other processing entities, as described under p. VII and the regulations,
e. considering the character of the processing, if possible, aid the Provider by utilisation of relevant technical and organisational resources, to come through with the obligation to respond to requests by concerned persons with respect to exercising their rights as described in relevant provisions,
f. considering the character of the processing and the available information, aid the Provider to come through with their obligations described in art. 32-36 of the GDPR, in particular in terms of security of processing of the Personal Data, submitting violations of security of the Personal Data to the relevant supervisory body,
g. following the conclusion of processing of the Personal Data on the basis of the Regulations and the Terms, remove all Personal Data and delete all existing copies of these, unless the relevant provisions would require the storage of Personal Data; Personal Data shall be irreversibly deleted by the Processor after thirty days, counting from the day of termination/ dissolution of the general contract (the SARE System usage Regulations), with the Provider accepting this fully. In the period indicated in the preceding sentence, the Provider is able to export the Personal Data from the SARE System.
h. provide the Provider at every request with all information necessary to show fulfilment of obligations of the Processor as the entity processing the Personal Data, pursuant to relevant provisions, and allow the Provider or an auditor authorised by the Provider to conduct audits, including inspections, and contribute to these; the Processor shall immediately notify the Provider if in their opinion any order they would receive violates the provisions of the law.
4. Having concluded on a violation of security of the Personal Data, the Processor shall, without undue delay, submit a notification of this to the Provider not later than within 48 hours of acquiring such information. The Processor, having concluded on a violation of Personal Data security, shall proceed in line with the provisions of art. 33 section 1 of the GDPR.
5. The Provider accepts that all submissions related to the processing of Personal Data are accepted by the Processor on business days, meaning, every day between Monday and Friday, excluding statutory off days, between 8.00 and 16.00. Submissions made after 16.00 are deemed to have been accepted on the following business day at 8.00.
6. The Processor shall notify the Provider about facts and events concerning hazards to the processing of Personal Data, in particular any violations of security measures found, unauthorised access, submissions received directly from Recipients and any possible control and inspection activities by relevant authorised bodies, should this apply to the Personal Data provided by the Provider.
7. The Processor obliges themselves to support the Provider using relevant technical and organisational resources, to come through with the obligation to respond to Recipient requests, in particular with respect to their usage of the ‘right to be forgotten’, the right to transfer the data, the right to limit processing and the right to correct the data. The Provider makes sure that all these obligations are implemented as required by their Subcontractors as well.
8. As part of implementation of the Terms, as well as in exceptional situations, not foreseen by the Terms, the Processor shall process the Personal Data within the scope of legal provisions, considering the best standards of protection of Personal Data and substantiated interest of the Provider.
VI. Mode of implementation of the Terms
1. Within the scope of implementation of the Terms, the Provider and the Processor are obliged to maintain tight cooperation, notifying each other about any and all circumstances that can or could influence the implementation of the present contract.
2. The Provider obliges themselves not to introduce into the SARE System data and/ or other software that could compromise its integrity or influence security. The Provider accepts and obliges themselves not to start up on servers of the Processor that store the Personal Data any software, sites or scripts that are not related to the personal data, in particular those, the operation of which could negatively influence the work of the server and the internet connections of the Processor and third parties. The Processor is entitled to immediately block the operation of such software or the server, where a part of the infrastructure foreseen for the Provider is stored.
3. If the server foreseen for the Provider, or any component of the service provided for their benefit, would become a source or target of a DOS, DDOS or a different kind of attack aimed at overloading the server, the Processor will take relevant steps aimed at the exclusion of the hazard for other services and servers of the Processor, up to and including the complete locking of these servers or locking out access until the cessation of the attack or disturbance.
VII. Further-level subcontracting of processing of Personal Data
1. The Provider consents for the Processor to use the services of the following processors (Subcontractors) for the purpose of implementation of the Regulations and the Terms:
a. 3S Data Center S.A., with seat in Katowice, Poland, NIP (tax id.) no.: 954 27 04 989, Polish National Court Register no.: 0000364798,
b. Atman sp. z o.o. with seat in Warszawa, Poland, NIP (tax id.) no.: 1130059989, Polish National Court Register no.: 0000923206, the server farms of which are located in Katowice – ALTUS Data Centre in Katowice, and in Warsaw – Data Centre,
c. OVH Sp. z o. o. with seat in Wrocław, Poland, Polish National Court Register no.: 0000220286, NIP (tax id.) no.: 899-25-20-556,
d. Amazon Web Services EMEA SARL with seat in Luxembourg, with the reservation, however, that the Personal Data processed by Amazon Web Services EMEA SARL will be processed exclusively in the European Economic Area,
e. Salelifter sp. z o. o. with seat in Rybnik, Poland, NIP (tax id.) no.: 642-31-83-413, Polish National Court Register no.: 0000472712 (company belonging to the Digitree Group of capital companies),
f. Google Ireland Limited with seat in Ireland, with the reservation, however, that Personal Data processed by Google Ireland Limited will be processed exclusively in the European Economic Area.
2. The Processor may, within the scope of processing of Personal Data, make use of services of another processing entity (general consent of the controller per art. 28 section 2 of the GDPR). In such a case:
a. The Processor shall notify the Provider about the planned changes concerning the addition or replacement of Subcontractors, by transferring basic data of the new processing entity by e-mail,
b. The Processor is able to express their opposition against such changes by way of an e-mail message sent to the address iod@digitree.pl within a timeframe of seven days,
c. In case of lack of reply or lack of opposition expressed in the indicated timeframe, it will be assumed that the Provider consented to the change/ substitution of a new Subcontractor,
d. In case of unjustified opposition by the Provider, in particular in special situations, if the change/ addition of a new Subcontractor would be necessary for reasons of assurance of security of Personal Data, the Processor will be entitled to withhold the performance of services covered by the Regulations until the time of sufficient securing of processing of Personal Data or to immediate dissolution of the Contract (the Regulations, including the Terms) in light of the impossibility of further correct provision of services, of which fact the Provider will be duly informed, with the Processor not being liable in any way for this reason.
3. By subcontracting the processing, the Processor is obliged to bind the Subcontractor (lower-level processor) to the execution of all duties of the Processor pursuant to the Terms, save for these that do not apply by way of the nature of the specific subcontracting case.
VIII. Responsibility
1. The Processor is responsible for the processing of the Personal Data if it would occur contrary to the contents of the Terms and the provisions of the law.
2. The Processor will notify the Provider about proceedings, in particular administrative or court proceedings, concerning the processing of Personal Data by the Processor, about any administrative decisions or judgements concerning the processing of this data, transferred to the Processor, as well as any planned, if known, or conducted inspections or analyses, unless this would be contrary to commonly valid provisions of the law and/ or any decisions or judgements of specific authorised bodies. The present section applies exclusively to Personal Data provided by the Provider for the purpose of processing.
3. Each Party to the Terms is responsible for the correct execution of their obligations pursuant thereto. The Provider is particularly responsible for the Personal Data to be collected lawfully by them, to have the legal grounds for the processing of Personal Data of the Recipients, being authorised to transfer the Personal Data to the Processor for the purpose of processing within the scope and for the purpose set forth in the Terms.
IX. Confidentiality
1. The rules concerning confidentiality under item XI of the SARE Regulations apply analogously to the present Terms.
X. Contract validity
1. The present Terms constitute a Personal Data processing contract and are an integral part of the general contract (concluded on the basis of the SARE Regulations), and remain valid for the specific term of the general contract (the SARE Regulations), reserving the period of removal of data as indicated under item V.3.g.
2. The dissolution of the general contract (the SARE Regulations) by any one of the Parties, at any time and in any mode will automatically cause the dissolution of the data processing contract (the Terms).
3. The Provider is entitled to dissolve the Terms immediately if the Processor:
a. would use the Personal Data in a manner contrary to the Terms,
b. would not suspend the improper usage of the Personal Data within a non-negotiable period of three days from the day of the Processor receiving a notification of the improper processing of the Personal Data,
c. would notify about their inability to perform the Contract,
with the reservation, however, that in each case any dissolution of the Terms would automatically cause the general contract to be dissolved.
4. The Processor may dissolve the Terms effective immediately, without adhering to any notice period, in case the Provider would violate the Terms and/ or the provisions of the general contract as described in par. 1 section 1 above.
5. Following the dissolution/ termination of the Contract, the Processor will remove all Personal Data per item V.3.g) of the Terms.
XI. Right to inspect
1. Pursuant to art. 28 section 3 item h) of the GDPR, the Provider has the right to conduct necessary inspections as to whether the resources used by the Processor during the processing and securing of the provided Personal Data conform to the provisions of the Terms.
2. The inspection may be carried out exclusively by an authorised representative of the Provider, with a prior 14-day notice period (with the notification describing at least the scope/ object of the inspection and the persons authorised to conduct it), under pain of the Processor’s decline to carry out the inspection. The inspection described in the preceding sentence may be carried out not more frequently than once per year, reserving situations, in which subsequent inspections in the same year would be required for reasons of security of the personal data, of which the Provider would be the controller.
3. The Provider may exercise their right to inspect during the working hours of the Processor, that is, Monday to Friday (excluding statutory off days) between 8.00 and 16.00.
4. The person conducting the inspection should show an authorisation by the Provider in this regard, personally naming them, signed by persons authorised to represent the Provider, as well as a valid identity document, under pain of the Processor’s decline to carry out the inspection.
5. The Provider, including persons conducting the inspections, are obliged to maintain full confidentiality of the information and the data acquired in relation to the inspection or during it. In this regard, item IX of the Regulation applies accordingly.
6. The Provider obliges themselves to draw up a protocol from the conducted inspection, and to transfer its copy to the Processor immediately, not later however than within 30 days from the day of conclusion of the inspection. Should the Provider not transfer the inspection protocol to the Processor in the deadline stated above, then the Processor is entitled to decline a further inspection by the Provider.
7. For inspections, the Processor will make available to the Provider any and all information necessary to show conformity to obligations set forth under art. 28 of the GDPR.
8. The Provider bears full responsibility for the actions or inactions of persons conducting the inspection as if it were their own actions or inactions.
XII. Closing provisions
1. Any and all issues omitted from the Terms are governed by generally applicable provisions of the law and, respectively, provisions of the SARE Regulations.
2. Any and all disputes will be subjected to amicable resolution attempts by the Parties, and should no resolution be achievable in this way, the disputes will be resolved by the common court of law for the seat of the Processor.
Version of the Terms valid from 15.11.2023.