Annex _ to the Hrily Application Rules
The Data Processing Entrustment Agreement (the “Entrustment Agreement”) shall constitute an integral part of the Terms and Conditions of the HRILY Application (the “Terms and Conditions”) and shall regulate the rules of personal data processing by the Service Provider for the benefit of the Customer using the Hrily Application (hereinafter also referred to as the “Site” or “Parties to the Agreement”).
Terms used in the Contract of Entrustment not defined below shall be understood by the wording chosen for them within the Regulations.
The Entrustment Agreement sets out the reciprocal rights and obligations of the Parties in the framework of cooperation on the entrustment of personal data processing.
§ 1 DEFINITIONS
1. FAMILY – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to Personal Data Processing and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation);
2. Application – the Hrily web application, addressed to the HR industry and other entities that may use the functionality of the Application in their business;
3. Administrator – the Customer or any other entity related to him or her who, alone or jointly with others, determines the purposes and means of Personal Data Processing;
4. Data Processor – the Service Provider, or HEADLOGIC Sp. z o.o. of Rzeszów, address: ul. Podwisłocze 2, 99 B, 35-309 Rzeszów, entered in the Register of Entrepreneurs of the National Court Register maintained by the District Court of Rzeszów, XII Commercial Division of the National Court Register, under the number KRS:
0000844300, NIP: 8133839622, REGON: 386201995, with share capital of PLN 5,000;
5. Data subject – any natural person to whom Personal Data relate;
6. Agreement – any agreement for the provision of services in the form of access to the Hrily Application provided by the Data Processor to the Data Controller, concluded by the Data Controller completing and approving the Registration Form and creating an Account in the Application;
7. Personal data – any information relating to an identified or identifiable natural person, in particular on the basis of an identifier such as name, identification number, location data, internet identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual;
8. Violation of Personal Data Protection – any event occurring in the Data Processor or Sub-Processor which leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to the Personal Data of the Data Controller;
9. Personal Data Processing – any operation or set of operations which is performed upon Personal Data or sets of Personal Data, whether or not by automatic means, such as collection, recording, organisation, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or other form of provision, alignment or combination, limiting, erasure or destruction;
10. Data Processor – the contractual partner of the Data Processor that processes the Personal Data of the Data Controller as part of Personal Data Processing by the Data Processor;
11. EEA – the European Economic Area comprising the countries of the European Union plus Norway, Iceland and Liechtenstein;
12. Transfer of Personal Data to Third Countries – means the transfer of data by the Data Processor to non-EEA countries, provided that the conditions set out in Chapter V of the TDC are satisfied.
§ 2 SUBJECT MATTER OF THE AGREEMENT
1. The Parties are bound by the Agreement, the performance of which is connected with Personal Data Processing.
2. The Data Processor undertakes to process Personal Data on the basis of the Entrustment Agreement in accordance with the TYPE.
§ 3 PURPOSE, SCOPE AND MEANS OF PROCESSING PERSONAL DATA
1. The Data Controller entrusts the Data Processor in connection with the performance of the Agreement, in order to provide access to the Application, use its functionalities and organisational and technical support related to its use by the Data Controller.
2. The Data Processor shall process the Personal Data of the following categories of persons: natural persons whose Personal Data have been entered into the Application by the Users.
3. The Data Processor may process in particular the following Personal Data: name, surname, telephone, e-mail, identity card numbers and others.
4. The Data Controller and the Users are responsible for the Personal Data they disclose in the Application in terms of having the legal basis for its processing and the ways in which it is processed.
5. The Data Processor shall process said data in an electronic version using the software in the form of the Application and other tools necessary for the proper performance of the Agreement.
§ 4 PERSONAL DATA SECURITY
1. The Data Processor shall, taking into consideration the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing, and the risk of infringement of the rights or freedoms of individuals of varying degrees of probability and seriousness, implement appropriate technical and organisational measures to ensure Personal Data Processing in accordance with the PDB.
2. The Data Processor shall keep the technical and organisational measures in place under review and update them to ensure their compliance with the rules of the TDC.
§ 5 PRINCIPLES OF DATA PROCESSING BY THE DATA PROCESSOR
2. The Data Processor shall ensure that persons having access to the Personal Data being processed keep them and the means of protection of their personal data secret, with the obligation of secrecy also existing after the execution of the Entrustment Agreement.
3. The Data Processor will acquaint its employees, associates and other persons authorized to Process Personal Data with the provisions on the protection of Personal Data and the consequences of failure to comply with them.
§ 6 COOPERATION BETWEEN THE PARTIES
1. The Data Processor undertakes to assist the Data Controller in the fulfilment of the obligations set out in Articles 32-36 of the GCRL, as well as to assist the Data Controller in the fulfilment of the obligation to respond to the data subject’s requests for the exercise of his/her rights set out in Chapter III of the GCRL.
2. The Data Processor undertakes to assist the Data Controller, through appropriate technical and organisational measures, in fulfilling its obligation to respond to the requests of data subjects with regard to the exercise of their rights set out in Articles 15-22 of the TDC. In particular, the Data Processor undertakes – at the request of the Data Controller – to prepare and provide the Data Controller with the information necessary to satisfy the data subject’s request immediately, not later than within 14 days from the date of receipt of the data controller’s request.
3. The Data Processor shall promptly notify the Data Controller by electronic means to its e-mail address, no later than 36 hours after being informed of any breach of Personal Data Protection, any suspected breach of Personal Data Protection or any failure to comply with Personal Data Protection.
4. If the Data Processor receives any complaint, notification or submission relating to the processing of the Controller’s Personal Data by the Data Processor or to compliance with the Data Protection Law, to an extent permitted by law, the Data Processor shall immediately notify the Data Controller by sending the relevant information to its e-mail address, not later than within 3 working days from receipt of said complaint, notification or submission and, as necessary, cooperate and assist the Data Controller in responding to it.
5. In the event that, in the opinion of the Data Processor, the instructions issued by the Data Controller to the Data Processor concerning Personal Data Processing constitute, in the opinion of the Data Processor, a breach of the provisions of the TODO or other provisions of the law on personal data protection, the Data Processor shall immediately inform the Data Controller thereof.
§ 7 AUDIT and CONTROL OF PERSONAL DATA PROCESSING
1. The Data Controller shall be entitled to verify the observance of the rules for Personal Data Processing resulting from the PDPA and the performance of the Entrustment Agreement by the Data Processor, using the right to request information concerning the entrusted Personal Data.
2. The Data Controller shall be entitled to carry out an audit at the place of processing or at the premises of the Data Processor in order to obtain the necessary information or to inspect the stored Personal Data. The Data Controller shall be obliged to inform the Data Processor by e-mail to the Data Processor’s e-mail address at least 14 days before the planned audit date. The performance of the audit shall not adversely affect the correct and timely performance of the Data Processor’s current business activities.
3. The audit conducted by the Data Controller, due to the need to ensure the efficient functioning of the Data Processor, may last up to 1 working day.
4. Persons authorised to carry out an audit on behalf of the Data Controller shall be obliged under a written agreement to keep confidential all information, documents, data, in particular but not exclusively of technical, commercial and financial nature, concerning the Data Processor, which they obtained in connection with the audit.
§ 8 TERRITORIAL SCOPE OF PERSONAL DATA PROCESSING
1. The Data Processor is authorised to process Personal Data within the EEA.
2. The Data Processor is entitled to process Personal Data by transferring them outside the EEA, in which case all transfers of Personal Data shall be made on the basis of so-called standard contractual clauses, adopted by the European Commission and providing an appropriate level of safeguards in accordance with the applicable legislation.
§ 9 USE OF SUB-PROCESSING SERVICES
1. The Data Controller agrees that the Data Processor shall use the services of the Sub-Processors in Personal Data Processing in order to properly perform the Agreement.
2. Information on the Sub Processors to whom the Data Processor entrusts Personal Data is provided by the Data Processor is attached as Annex .
3. In case of a planned change of the Sub-Processors whose services are used by the Data Processor to process Personal Data, by adding a new Sub-Processor, the Data Subject shall inform the Data Controller by e-mail to the e-mail address of the Data Controller at least 14 days prior to further entrusting Personal Data Processing. Amendments:
Sub-processors shall not constitute an amendment to the Entrustment Agreement. With this information
the Data Processor shall indicate to what extent the provision of services by the sub-processor is necessary to maintain the access service to the Application, its partial or additional functionality.
4. The Data Controller shall have the possibility to object to the change referred to in paragraph 3 above by e-mail to the Data Processor’s e-mail address within 7 days from the date of receiving the message from the Data Processor.
5. In the event that the provision of the service of access to the Application, its part or additional functionality is impossible without the provision of services by the Sub-processor to which the Data Administrator has objected, the Parties agree that the Data Administrator’s objection shall be equivalent to the termination of the Agreement with immediate effect.
6. The agreement between the Data Processor and the Sub Processor contains an obligation for the Sub Processor to protect Personal Data at least at the same level as specified in the Entrustment Agreement. In particular, the Sub Processor shall be obliged to ensure that appropriate technical and organisational measures are implemented so that processing satisfies the requirements of the TYRO.
§10 DURATION OF PERSONAL DATA PROCESSING
1. Upon termination or expiry of the Agreement, the Data Processor shall cease Personal Data Processing unless it is authorised to further process the Personal Data under applicable law.
2. In accordance with the wishes of the Data Controller, the Data Processor shall delete or anonymise the Personal Data irreversibly, on any medium on which the Personal Data has been collected and located both at the Data Processor and at the Sub-Processors.
3. Deletion or anonymisation of the Personal Data shall take place no later than 14 days after the termination or expiration of the Agreement, unless the Parties agree on another date for deletion or anonymisation of the Personal Data.
4. If the provisions of law so provide, the Data Processor shall immediately inform the Data Controller about the need to store Personal Data for a specified period of time after the termination or expiry of the Agreement. In this case, the Data Processor shall be entitled to process the Personal Data only to the extent and for the period specified by the law.
§11 RESPONSIBILITY OF THE DATA PROCESSOR
1. The Data Processor shall be responsible for the use of the Personal Data entrusted to it by the Data Controller in contravention of the Entrustment Agreement and the applicable law.
2. The Data Processor shall be liable for damages caused to the Data Controller which have arisen in connection with the non-performance or improper performance of the Entrustment Agreement by the Data Processor, in particular Personal Data Processing which is inconsistent with the Entrustment Agreement, within the limits of actual losses incurred by the Data Controller.
3. To the same extent, the Data Processor is responsible for the actions of its employees, associates and other persons through whom it processes the entrusted Personal Data, including Sub-Processors.
§ 12 FINAL PROVISIONS
1. The Entrustment Agreement shall enter into force on the date of acceptance of the Regulations by the Data Administrator.
2. The Entrustment Agreement shall be terminated simultaneously with the termination of the Agreement.
3. If any provision of this Agreement is found to be invalid or otherwise legally defective, the remaining provisions of this Agreement shall remain in force to the fullest extent permitted by law.
4. The entrustment agreement shall constitute the entirety of the arrangements and understandings between the Parties with regard to the matters governed by it and shall supersede any previous agreement between the Parties and relating to those matters.
5. To the extent not covered by the Entrustment Agreement, the provisions of the PAC and other provisions of common law shall apply.
6. The Entrustment Agreement is governed by Polish law. Any disputes arising from this Entrustment Agreement shall be resolved by a common court having jurisdiction over the seat of the Data Processor.
Attachment no. 2 to the Statute of Hrily Application Subject subprocessing data
Administration of hosting services – IT360 KAMIL KRZEMIŃSKI, ADDRESS: Stanisława Przybyszewskiego Street 17B, 30‑128 Kraków, Poland. VAT Number: 7343097416
Hosting – Amazon Web Services EMEA SARL 38 Avenue John F. Kennedy, L-1855 Luksemburg R.C.S. Luxembourg: B186284
Sending of e-mails – Vercom S.A. based in Poznaniu, Franklina Roosevelta Street 22, 60-829 Poznań, Poland.