DATA PROCESSING AGREEMENT
This Data Processing Agreement (the “Agreement”) applies to the processing of Personal Data (as defined below) by Divante Sp. z o.o., with its registered office in Poland, at Dmowskiego Street 17, 50-203 Wrocław, registered by the District Court of Wrocław Fabryczna, VI Department of the National Court Register (Krajowy Rejestr Sądowy), under entry number KRS 0000313348, NIP [taxpayer ID] 8951930748, REGON 020832512, share capital: 58,000 PLN (“Meetsales”) and you as a Client of Meetsales’s services (hereinafter “Client”) (Meetsales and Client hereinafter individually also referred to as a “Party” and together as the “Parties”).
The subject of this Agreement is the collection and processing of Personal Data (as defined below) in connection with certain online Software as a Service services (“Services”) provided by Meetsales to the Client as specified in a separate agreement (hereinafter the “Main Agreement”).
The Controller appoints Meetsales as a processor to process Personal Data (as defined below) for the purposes described in this Preamble and the Main Agreement, or as otherwise agreed in writing by the parties (the “Permitted Purpose”).
Each party shall comply with the obligations that apply to it under Applicable Data Protection Law.
The Personal Data processing in connection with the performance of the agreement in relation to the Services shall be subject to Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (“Regulation”). Under the Main Agreement, Client as Personal Data Controller entrusts to Meetsales as the Personal Data Processor the processing of the following scope of personal data (“Personal Data”): (i) nature and purpose of the processing – provision of Services specified in the Main Agreement; (ii) categories of data subjects – data subjects include Client, Client's representatives and end-users including employees, contractors, collaborators, and Client's Clients. Data subjects may also include individuals attempting to communicate or transfer personal information to users of Services. The data subjects exclusively determine the content of data submitted to Meetsales. Due to the full autonomy of data subjects regarding data entered into the system, Meetsales shall not be liable for the content entered into the system, regardless of whether it constitutes personal data or not; (iii) type of personal data – email, first name and last name, address, title, contact details, username, chat history, financial information (credit card details, account details, payment information); employment details (employer, job title) and other data in an electronic form provided in the context of Services; special categories of Personal Data in the form of biometric data – facial images of Client’s and end-users of Services and information about Client’s and end-users’ of Services behaviour (“Biometric Data”); (iv) area where personal data will be processed: EEA/EU.
The Personal Data processing under the Main Agreement includes profiling, which means any form of automated processing of personal data consisting of the use of Personal Data to evaluate certain personal aspects (“Profiling”).
Because the Personal Data processing includes Biometric Data and Profiling, the Client is obliged to (i) present relevant information and notifications on Personal Data processing to the Client’s employees, contractors and collaborators using the Services in accordance with the Regulation and other applicable legal regulations, (ii) present relevant information and notifications on Personal Data processing to the end-users of Services, in accordance with the Regulation and other applicable legal regulations, (iii) withdraw consents from the Client’s employees, contractors and collaborators using the Services and the end-users of Services, when it is necessary according to the Regulation, (iv) perform all other obligations under the Regulation and other applicable legal regulations.
Client is obligated to process the Personal Data in accordance with the Regulations, other applicable laws and provisions of this Agreement. The Client declares that the Personal Data entrusted to Meetsales and its sub-processors are legally processed by the Client according to the requirements of the Regulation, in particular based on one of the legal grounds legalizing the processing specified in the Regulation.
Meetsales can support the Client in fulfilling the information obligation towards the end-users of Services, by providing to the Client, for information purposes only, the model of information clause for end-users related to Profiling and processing of Biometric Data, which is an example of the fulfillment of the information obligation resulting from the Resolution for the Client. The Client is entitled to use the pattern provided by Meetsales only after its appropriate modification and supplementation according to the Client’s actual needs, as well as confirmation of compliance of this material with the law. Meetsales shall not be liable for the Client's use of the model of information clause referred to above, its timeliness and correctness. The Client is obliged to fulfill the obligations in accordance with the Resolution, and the above-mentioned pattern is only informative and educational for the Client.
Meetsales shall not be liable for performing any obligations which are binding on the Client under the Regulations.
Meetsales processes Personal Data solely for the purpose of performing the Main Agreement, to the extent necessary to perform it and only during its term. Meetsales is obliged to process personal data in accordance with the Regulation, other applicable provisions of law and the Agreement.
In connection with Personal Data processing, Meetsales is obliged to: (i) apply all technical and organizational measures adequate to the risk level securing the Personal Data in accordance with the principles specified in Article 32 of the Regulation; (ii) assist the Client in fulfilling the obligations set forth in Articles 32–36 of the Regulation, while taking into account the nature of processing and information available to Meetsales; (iii) process the Personal Data only on documented instructions from Client, unless required to do so by the applicable EU or local law; in such a case, Meetsales informs the Client of such a legal requirement before processing, unless that law prohibits such information on important grounds of public interest; (iv) assist the Client by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the Regulation; (v) ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (vi) after the termination of the Agreement, depending on the Client’s request – delete or return the Personal Data and remove copies thereof, unless the mandatory provisions of law provide otherwise.
After the termination of this Agreement, Meetsales is entitled to use the anonymous information, that is to say, information which does not relate to an identified or identifiable natural person, or personal data rendered anonymous in such a way that data subjects cannot be identified at all or can no longer be identified.
For the purpose of the appointment of Sub-processors, Client hereby gives the Processor consent to engage Sub-processors in connection with the provision of the Services, including without limitation for the Processing of Personal Data on behalf of Client. When requested by the Client, Meetsales shall make available to Client an up-to-date list of all Sub-processors used for the Processing of Client Personal Data. The list of Sub-processors that are currently authorized by Meetsales to access Personal Data may be listed on a website maintained by Meetsales. At least 10 days before Meetsales authorizes and permits any new Sub-processors to access Client Personal Data, Meetsales will update the applicable website. Client may object in writing to Meetsales’s appointment of a new Sub-processor within five (5) calendar days of such notice, provided that such objection is based on reasonable grounds relating to data protection; otherwise Client shall be deemed to have accepted the respective Sub-processor to Process Client Personal Data. If Client legitimately objects to the appointment of a new Sub-processor, the parties shall discuss such concerns in good faith with a view to achieving resolution provided, however, that if this is not possible, Client may suspend or terminate the Agreement (without prejudice to any fees incurred by Client prior to suspension or termination).
Meetsales will provide Client with the information necessary for the performance of its duties related to entrusting the processing of Personal Data. Meetsales will enable the Client to carry out audits, including inspections, of the outsourcing of the processing of Personal Data and will ensure cooperation in this respect. Each Party will incur its own costs of the audit, regardless of its result.
Meetsales may authorize persons acting on its behalf, including sub-processors, to process Personal Data on the Client’s behalf, which includes issuing Personal Data processing instructions to these entities on the Client’s behalf.
Meetsales will not transfer Personal Data outside the EEA, unless it obtains Client’s separate permit in this respect, which the Client will not unreasonably withhold, and such transfer will be effected in accordance with the provisions of the Regulation. In any event, the transfer will be effected solely for the purpose of performing the Main Agreement.
Irrespective of the other provisions of the Agreement, Meetsales’s liability related to the processing of Personal Data under the Agreement is limited to the amount of ten thousand (10,000) USD, unless the mandatory provisions of law provide otherwise.
The Parties undertake to provide their representatives and persons employed by them (irrespective of the legal grounds for employment e.g. civil law contracts), whose personal data will be disclosed to the other Party of the Agreement and the Main Agreement as the data administrator in connection with the conclusion and implementation of the Agreement and the Main Agreement, with the information known to the disclosing Party and indicated in Article 14 of GDPR.
The current version of this Agreement was adopted on and it applies from 18.09.2020.