REGULATIONS FOR THE ENTRUSTMENT OF PERSONAL DATA PROCESSING TO SUBCONTRACTORS APPLICABLE IN THE WIELKOPOLSKI INDYK COMPANY
I BASIC INFORMATION
In the interest of protecting the right to privacy of the Customers and Contractors of the Wielkopolski Indyk company, and in order to fulfil the requirements of the applicable provisions of law, including Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as the GDPR), we publish these Regulations for the processing of personal data by subcontractors, hereinafter referred to as the “Regulations”. The Regulations describe the rules applicable in our Company for entrusting the processing of personal data to entities to which, in connection with their cooperation with us or the services they provide to us, we entrust the processing of personal data that has been provided to us.
- The Regulations are binding on all entities cooperating with the Wielkopolski Indyk company or providing it with services, to which, in connection with their cooperation or services provided by them, the Wielkopolski Indyk company entrusts the processing of personal data that it administers.
These entities are hereinafter referred to as the “Subcontractors” or the “Processor”.
- The Regulations apply to all personal data which the Wielkopolski Indyk company entrusts to its Subcontractors for processing.
- If the Subcontractor has concluded a separate agreement with the Wielkopolski Indyk company regarding the entrusting of data processing, the provisions of this agreement shall take precedence over the provisions of these Regulations. To the extent not regulated in the contract, the provisions of the Regulations shall apply.
- The Regulations were introduced on May 24, 2018 and are valid for an indefinite period of time.
The Wielkopolski Indyk company reserves the right to amend them. The Subcontractors will be informed about the scope of any changes at least 14 days in advance.
For the purposes of these Regulations, the following terms have the meanings set out below:
- Controller – Wielkopolski Indyk sp. z o.o. with its registered office in Bolesławiec at Bolesławiec 12A, 62-050 Mosina, entered into the National Court Register under the number 0000646404, NIP 7773271756, REGON 365834337;
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 4.5.2016, p. 1);
- Subcontractor/Processor – an entity processing personal data at the request of the Controller and in the manner defined by the Controller;
- Cooperation – cooperation between the Controller and the Subcontractor, in connection with which the Controller entrusts the Subcontractor with the processing of personal data;
- Agreement – an agreement for the provision of services or other civil law contract linking the Controller and the Subcontractor, in connection with which the Controller entrusts the Subcontractor with the processing of personal data;
II SCOPE, PURPOSE AND NATURE OF PERSONAL DATA PROCESSING
Each Subcontractor (Processor) entrusted by the Controller with the processing of personal data in connection with the Cooperation or the Agreement concluded is obliged to process the personal data entrusted to it in accordance with the principles set out in these Regulations and the applicable provisions of law.
- Entrusting the Processor with the processing of personal data may relate in particular to the data of the following categories of persons:
a) employees and associates of the Controller;
b) persons who are members of the Controller’s bodies;
c) clients and contractors of the Controller;
d) employees, associates, subcontractors or contractors of the persons referred to in item c).
- The scope of personal data entrusted to the Processor for the processing may include:
a) first name and surname;
b) address of residence;
c) e-mail address;
d) phone number;
e) bank account number;
f) registration number of the car or other vehicle (if the service applies to a car);
g) person’s identification data – PESEL, NIP, series and number of the identity document;
h) data regarding the conducted business activity.
- Entrusting the Processor with the processing of personal data takes place to such an extent that it is necessary to achieve the goals of Cooperation or proper performance of the Agreement.
- Personal data specified in § 2.2. are processed:
– only for the purposes arising from the subject of the Cooperation or from the subject matter of the Agreement, including the purpose of performing a one-off service commissioned on an ad hoc basis in a form other than in writing,
– to the extent it is necessary to achieve the goals of the Cooperation or the Agreement.
- The data may not be processed for a different purpose or to a wider extent than specified in item 2 of this paragraph.
- Processing by the Processor of the entrusted personal data to a wider extent or for purposes other than those indicated in items 1 and 2 of this paragraph, in the absence of an appropriate legal basis, constitutes a violation of the provisions of the GDPR and of the Regulations, which may give the Controller grounds for ceasing the Cooperation or placing no further orders, and for taking the measures provided for by the provisions of law.
- The personal data may be provided to the Processor in a written or electronic form (e.g. in paper form, in a text message, by phone, via e-mail, traditional mail) in person or to the telephone number, e-mail address, mailing address indicated by the Processor.
- The processing of personal data by the Processor may take place in paper form or using IT systems, depending on the purpose for which the data is being processed.
III PERIOD OF ENTRUSTING
- Entrusting the Processor with the processing of personal data, subject to the provisions of item 2 of this paragraph, takes place for the duration of the Cooperation or the Agreement.
- After the termination of the Cooperation, or the termination or expiry of the Agreement, the Processor is entitled to store the personal data entrusted to it only to the extent and for the period necessary for the Processor to fulfil its obligations under the provisions of law (tax law in particular), as well as for the period corresponding to the limitation period for claims arising from the Cooperation or the Agreement.
After the expiry of the period referred to in § 3.1, the Processor – depending on the Controller’s decision – will delete or return to the Controller all personal data entrusted to it and destroy all existing copies within 7 working days from the date of service of the Controller’s decision, unless the law of the European Union or Polish law requires the personal data to be stored.
IV RIGHTS AND OBLIGATIONS OF THE CONTROLLER
- The Controller, auditor or other person authorized by the Controller has the right to check the Processor’s compliance with the principles of personal data processing.
- The Controller, auditor or other person authorized by the Controller is entitled to control the Processor’s compliance with the principles of personal data processing, in particular by requesting information regarding the processing of personal data by the Processor or by carrying out inspections in places where the entrusted personal data are being processed.
- The Controller is obliged to cooperate with the Subcontractor in performing the obligations arising from the Regulations and provide clarifications in the event of any doubts as to the legality of the Controller’s instructions.
- The rights specified in this paragraph are vested in the Controller, respectively, also in relation to the entities referred to in section VI, where the Controller has consented to the Processor entrusting other processing entities with the processing of the data entrusted to it (sub-processing).
V DUTIES OF THE PROCESSOR
- The Processor processes data only in accordance with the Controller’s documented request, whereas such a documented request also includes a request sent electronically to the e-mail address indicated by the Processor or via text message to the telephone number indicated by the Processor.
- The Processor, without the express consent of the Controller, may not transfer personal data to a third country or an international organization, i.e. outside the EEA (European Economic Area), unless such an obligation is imposed by European Union law or the provisions of national law.
- In the event of an obligation or an intent to transfer personal data outside the EEA, the Processor is obliged, if not prohibited by the provisions of law, to inform the Controller about it in order to allow the Controller to take decision and measures necessary to ensure the compliance with the law or to terminate the entrustment of processing.
- The Processor is obliged to ensure that only persons holding the authorisation to process personal data referred to in art. 29 of the GDPR, and who have been trained in the provisions on the protection of personal data, are admitted to process the entrusted personal data.
- The Processor is also obliged to ensure that persons authorized to process the data entrusted to them have committed themselves to maintain confidentiality or are subject to an appropriate statutory obligation of maintaining confidentiality.
- The Processor is obliged to keep records of persons authorized to process the entrusted personal data and to provide such records at each request of the Controller.
- The Processor is obliged to deploy and maintain, throughout the entire period of data processing, appropriate technical and organizational measures that are necessary to properly protect the entrusted personal data, in particular to secure this data (e.g. by securing a telephone or a computer with a password not accessible to third parties) against an access of unauthorized persons.
- The Processor is obliged to maintain confidentiality of the entrusted personal data and the methods of securing them.
- The Processor is obliged to inform the Controller in advance about planned changes in the method of data processing, in such a manner and within such deadlines as to give the Controller a real opportunity to react if, in the Controller’s opinion, the changes planned by the Processor threaten the security of the data or increase the risk of violating the rights or freedoms of data subjects.
- The Processor is obliged to assist the Controller in fulfilling the obligation to respond to requests of data subjects exercising their rights specified in Chapter III of the GDPR, in particular the right of the data subject to:
– access the content of his/her data;
– correct his/her data;
– delete his/ her data;
– restrict the processing of his/her data;
– transfer his/her data to another entity;
– withdraw the consent to the processing of his/her data;
– object to the processing of his/her data.
- The assistance referred to in item 1 of this paragraph is provided through appropriate technical and organizational measures.
- In any case, the Processor is obliged to provide assistance no later than within 7 days from the date of receipt of the request from the Controller.
- The Processor is obliged to inform the Controller about the fact or the intent of using automated data processing, including profiling, to the extent and for the purpose necessary for the Controller to fulfil its information obligation.
The Processor is also obliged to assist the Controller in fulfilling the obligations specified in art. 32-36 of the GDPR, in particular by:
1. notifying the Controller of any personal data breach no later than 24 hours from the moment of detecting the breach, including informing at least about:
a) the nature of the breach, the category and approximate number of data subjects, the approximate number of personal data entries affected by the breach,
b) possible consequences of the breach of personal data protection,
c) measures taken or proposed to remedy the personal data breach, including, where appropriate, measures to minimize its possible negative effects,
and providing the Controller with the documentation regarding the breach necessary for the Controller to fulfil its obligation to notify the supervisory authority;
2. providing the Controller with an assessment of the impact of planned processing operations on data protection, where a given type of processing is likely to result in a high risk to the rights or freedoms of natural persons, and updating it if the risk assessment changes during the performance of this agreement or if new risks arise;
3. documenting every personal data breach in a Register of Breaches containing at least information about the circumstances of the breach, its effects and the remedial measures taken.
The obligations of the Processor also include:
- providing the Controller with all information required for demonstrating the compliance with the obligations indicated in the Regulations or the provisions governing the protection of personal data, within 5 working days from the date of receipt of the Controller’s request;
- allowing the Controller, auditor or other person authorized by the Controller to conduct audits, including inspections, and cooperating in audit and corrective activities within a deadline agreed with the Processor, whereby the deadline will be set no later than 7 days before the planned audit;
- complying with the post-audit recommendations provided by the Controller within the deadline indicated by the Controller;
- immediately informing the Controller if, in its opinion, an instruction given to it constitutes a violation of the GDPR, other European Union regulations or the provisions of national law on the protection of personal data;
- immediately notifying the Controller:
a) about any audit of personal data processing announced or carried out by state authorities authorized to perform such audits, and any decisions or administrative rulings issued to the Processor in connection with such an audit;
b) about any initiated or pending administrative, court or preparatory proceedings related to the entrusting of personal data processing to the Processor, as well as any decisions, resolutions or judgements issued to the Processor in connection with the above.
VI FURTHER ENTRUSTING OF PERSONAL DATA PROCESSING
- Further entrusting of the personal data processing by the Processor to its subcontractor (so-called sub-entrusting) requires the written consent of the Controller. The consent may be general or specific.
- The consent is granted under condition that:
1. the scope and purpose of the sub-entrusting will not be wider than those arising from these Regulations or a separate data processing agreement concluded with the Controller;
2. the subject and duration of processing, its nature and purpose of processing, the type of personal data and categories of data subjects, as well as the obligations and rights of the Controller, will be retained in the sub-entrusting agreement in accordance with the terms and conditions described in the Regulations or the agreement for entrusting of personal data processing concluded separately by the Processor with the Controller;
3. The sub-entrusting will be indispensable for the fulfilment of goals of the Cooperation or the performance of the Agreement;
4. The sub-entrusting will not violate the interests of the Controller;
5. The sub-entrusting agreement will be concluded in writing, in accordance with the applicable provisions regarding the entrusting of personal data processing, and will impose on the Processor’s subcontractor the obligation to perform all of the Processor’s obligations under these Regulations;
6. The Processor will obligate its subcontractors in the sub-entrusting agreement, when processing the entrusted data, to comply with data protection obligations at least at the level specified in the Regulations or in the separate agreement on entrusting data processing concluded by the Processor with the Controller, and in the GDPR and the provisions of national law, as well as to perform directly towards the Controller the information obligations arising from the Regulations, in particular as regards the exercise of the rights of data subjects and data protection breaches.
- The Controller may at any time, for justified and documented reasons, withdraw the consent for sub-entrusting in relation to the specific subcontractor of the Processor. In the event of withdrawal of consent, the Processor has no right to further entrust data processing to a given subcontractor.
Sub-entrusting without the consent of the Controller constitutes a violation of the provisions of the GDPR and of these Regulations, which may give the Controller grounds for ceasing the Cooperation or the use of the Processor’s services, and for taking the appropriate measures provided for by the provisions of law.
- The Processor bears full liability towards the Controller and third parties for damage caused by processing personal data contrary to the provisions of the GDPR or other provisions of law on the protection of personal data, in particular where it has failed to fulfil the obligations specified in the GDPR, other provisions of law, the Regulations or a separate agreement for entrusting data processing concluded with the Controller.
- The Processor is liable to the Controller for the actions and omissions of the subcontractor sub-entrusted with the processing of data as for its own actions and omissions.
VIII FINAL PROVISIONS
The Regulations were introduced on May 24, 2018 and are valid for an indefinite period of time. The Wielkopolski Indyk company reserves the right to amend them. The Subcontractors will be informed about the scope of any changes at least 14 days in advance.
Bolesławiec, on May 24, 2018