Regulations on entrusting the processing of personal data

Contents
  1. Introduction
  2. Parties to the Regulations
  3. Purpose of the Regulations
  4. § 1 Description of processing
    1. Scope of entrusted data
    2. Purpose limitation
  5. § 2 Obligations of the parties
    1. Instructions
    2. Duration of personal data processing
    3. Processing security
    4. Documentation and compliance
    5. Using the services of sub-processors
    6. International data transfers
  6. § 3 Help for the administrator
  7. § 4 Reporting a personal data breach
    1. Data protection breach concerning data processed by the administrator
    2. Data breach concerning data processed by the Processor
  8. § 5 Final provisions
    1. Annex I List of sub-processors

Introduction

When using the spedimo.eu Transport Platform, you may provide us with the personal data of your employees in order to set up user accounts for them and enable them to use the functionalities of the Transport Platform.

In accordance with the provisions of the General Data Protection Regulation (GDPR), in such a situation, personal data processing is entrusted, as you act as a Data Controller for your employees, whose data—such as name, surname, email address, and phone number—is transferred via our platform to create user accounts. We, as the system provider, process employee data as a Data Processor.

To ensure compliance with regulations and the transparency of our cooperation, we provide the following Terms and Conditions, which specify the terms and conditions for entrusting the processing of personal data. Acceptance of the Terms and Conditions through a corporate account constitutes another legal instrument, referred to in Article 28, Section 3 of the GDPR, concluded electronically between the Data Controller and the Data Processor.

Parties to the Regulations

The personal data Controller is the entity that registers a company account on the platform for the purpose of providing transport services and provides data of its employees in order to create user accounts for them.

The processor is Spedimo GT Spółka z ograniczoną odpowiedzialnością SKA, address: Kazimierzowska 6/16, 62-800 Kalisz, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court Poznań – Nowe Miasto i Wilda in Poznań, 9th Commercial Division of the National Court Register, under the KRS number: 0001191545, using the Tax Identification Number (NIP): 6182089137, National Business Registry Number (REGON): 300897699, which provides the service of operating the platform and processes personal data on behalf of the Controller, pursuant to these Regulations.

The Processor has appointed a Personal Data Protection Officer – Mr. Radosław Bula, who can be contacted (in case of questions regarding the processing of personal data and your rights) via:

1. e-mail: radoslaw.bul@kancelariahawk.pl, or

2. in writing to the following address: ul. Kazimierzowska 6/16, 62-800 Kalisz.

The Data Controller and the Processor are hereinafter referred to jointly as the “Parties” and each of them individually as a “Party”.

Purpose of the Regulations

The purpose of these Regulations is to define the rules and conditions for entrusting the processing of personal data by the Controller to the Processor in connection with the creation and management of user accounts (the Controller’s employees) on the transport exchange platform.

Pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (GDPR), the Controller entrusts the Processor with the processing of the personal data of its employees within the scope and under the terms specified in these Regulations.

The Processor is responsible for providing services consisting of processing the entrusted data in order to create and maintain user accounts on the platform and to ensure the necessary technical support and system updates.

§ 1 Description of processing

Scope of entrusted data

  1. The Processor processes the personal data of the Controller’s employees entrusted to it solely for the purpose of creating and maintaining user accounts on the transport exchange platform and ensuring technical support and system updates.
  2. The categories of persons whose data are processed include employees and associates of the Controller.
  3. The categories of personal data processed include in particular:
     a) personal data (e.g. name and surname),
     b) contact data (e.g. e-mail address, telephone number),
     c) data relating to concluded contracts,
     d) IT data.
  4. The nature of processing includes activities such as collecting, recording, organizing, structuring, storing, adapting, modifying, retrieving, viewing, using, disclosing, matching, combining, restricting, and deleting or destroying data.
  5. Data is processed in an automated and continuous manner.
  6. Data are processed for the period during which services are provided to the Administrator, as necessary for the performance of contracts, and until accounts are deleted or cooperation is terminated.
  7. The place of data processing is the registered office of the Processor: ul. Kazimierzowska 6/16, 62-800 Kalisz. The servers on which the data is stored are located in the Microsoft Azure cloud.

Purpose limitation

The Processor processes personal data only for the specific purpose or purposes of processing specified in the point above, unless it receives further instructions from the Controller.

§ 2 Obligations of the parties

Instructions

  1. The Processor processes personal data only on documented instructions from the Controller, unless such an obligation is imposed on the Processor by EU law or the law of the Member State to which the Processor is subject. In such a case, the Processor shall inform the Controller of this legal obligation before starting the processing, unless the law prohibits the provision of such information for important public interest reasons. The Controller may issue further instructions throughout the period of personal data processing. These instructions are always documented.
  2. The Processor shall immediately notify the Controller if, in the opinion of the Processor, an instruction issued by the Controller infringes the GDPR or applicable EU or Member State data protection provisions.

Duration of personal data processing

Processing by the Processor shall only take place for the period specified in Annex I.

Processing security

  1. To ensure the security of personal data, the Processor confirms that it has implemented adequate technical and organizational measures. Upon the Controller’s request, the Processor may provide a list of the measures used.
  2. Ensuring data security includes protecting data against a security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access to data (personal data breach). When assessing the appropriate level of security, the Parties shall duly consider the state of the art, implementation costs, the nature, scope, context, and purposes of processing, as well as the associated risks to data subjects.
  3. The Processor grants members of its staff access to the personal data being processed only to the extent strictly necessary for the performance of the contracts. The Processor ensures that persons authorized to process the personal data received have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.
Documentation and compliance

  1. The Processor shall promptly and appropriately, but no later than within 14 days, consider the Controller’s inquiries regarding data processing and, at the Controller’s request, provide all information necessary to demonstrate compliance with the obligations arising directly from the GDPR.
  2. At the Controller’s request, the Processor also authorizes and participates in audits of processing activities covered by these Regulations. An audit must not violate trade secrets or personal data that are not entrusted. The Processor must be informed of the intention to conduct an audit in writing no later than 14 days before the planned audit date. An audit may be conducted no more frequently than once a year, unless circumstances arise that justify the need for an additional audit, such as a breach. The costs of conducting the audit, including the remuneration of the Processor’s employees handling the audit, are borne by the Controller, and their amount is indicated by the Processor after notification of the intended audit. The Controller may conduct the audit itself or authorize an independent auditor to conduct it, who cannot be a member of a company competing with the Processor. When deciding on a review or audit, the Controller may take into account relevant certificates held by the Processor.
  3. At the request of the competent supervisory authority, the Parties shall make available to it the information referred to in this point, including the results of any audits.
Using the services of sub-processors

  1. The Processor has the right to use the services of the subprocessors listed in Annex I, for which the Controller has granted consent to further entrust them with the processing of personal data. If the Processor intends to entrust data processing to a new subprocessor, the Processor will immediately, no later than 14 days before the commencement of cooperation, notify the Controller via email or a message in the user panel. This information will include data identifying the new entity, the scope of the entrusted data, and the purpose of processing. The Controller has the right to object to entrusting data to this entity within 7 days of receiving the notification. If no objection is raised within this period, consent is deemed granted. Annex I contains a list of subprocessors currently authorized by the Controller, which the Parties agree to keep updated.
  2. In the event of an objection that prevents the Processor from further providing the service in accordance with the agreement, the Processor reserves the right to:
    1. suspend the provision of the service in the scope to which the objection relates,
    2. or, if the provision of the service without the participation of the given sub-processor is impossible, terminate these Regulations by notice with immediate effect, for reasons beyond the control of the Processor.
  3. If the Processor uses the services of a subprocessor to perform certain processing activities (on behalf of the Controller), it does so by means of a contract that imposes on the subprocessor substantially the same data protection obligations as those imposed on the data processor under these Regulations. The Processor shall ensure that the subprocessor complies with the obligations to which the Processor is subject under the GDPR.
  4. At the Controller’s request, the Processor shall provide the Controller with a copy of the agreement it has concluded with the subprocessor, and if any changes are made, the Processor shall provide the Controller with an updated version. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may classify the text of the agreement before making it available.
  5. The Processor remains fully liable to the Controller for the performance of the Subprocessor’s obligations in accordance with its agreement with the Processor. The Processor shall notify the Controller of any failure by the Subprocessor to fulfill its contractual obligations.
International data transfers

  1. Any transfer of data to a third country or an international organisation by the Processor shall take place only on documented instructions from the Controller or in order to meet a specific requirement under Union or Member State law to which the Processor is subject and shall be carried out in accordance with Chapter V of the GDPR.
  2. Where, in accordance with these Regulations, the Processor uses the services of a sub-processor to carry out certain processing activities (on behalf of the Controller) that involve the transfer of personal data within the meaning of Chapter V of the GDPR, the Controller consents to such entities being able to ensure compliance with Chapter V of the GDPR by means of standard contractual clauses adopted by the Commission pursuant to Article 46(2) of the GDPR, provided that the conditions for the use of those standard contractual clauses are met.

§ 3 Help for the administrator

  1. The Processor shall promptly notify the Administrator of each request received from a data subject (but no later than 7 business days from the date of receipt). The Processor shall not respond to such a request itself, unless the Controller has consented to it.
  2. The Processor assists the Administrator in fulfilling its obligations to respond to requests from data subjects to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations under points 1 and 2 above, the Processor shall comply with the Administrator’s instructions.
  3. In addition to the Processor’s obligation to assist the Administrator under paragraph 2, the Processor shall also assist the Administrator in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor:
    1. the obligation to carry out an assessment of the impact of planned processing operations on the protection of personal data (“data protection impact assessment”), if a given type of processing is likely to result in a high risk to the rights and freedoms of natural persons;
    2. the obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the Controller to mitigate the risk;
    3. the obligation to ensure the accuracy and currency of personal data by immediately informing the Controller if the Processor determines that the personal data processed by it are incorrect or out of date;
    4. obligations set out in Article 32 of the GDPR.

§ 4 Reporting a personal data breach

In the event of a personal data breach, the Processor shall cooperate with the Controller and assist it in fulfilling its obligations under Articles 33 and 34 of the GDPR, taking into account the nature of the processing and the information available to the Processor.

Data protection breach concerning data processed by the Administrator

In the event of a breach of personal data protection concerning data processed by the Controller, the Processor shall assist the Controller:

  1. when reporting a personal data breach to the competent supervisory authority(ies) immediately after the Controller has become aware of the breach, where appropriate (unless the breach is unlikely to result in a risk to the rights and freedoms of natural persons);
  2. when obtaining the following information, which, in accordance with Article 33(3) of the GDPR, should be included in the Controller’s notification and include at least:
    1. the nature of the personal data, including, where possible, the categories and approximate number of data subjects and the categories and approximate number of personal data records affected by the breach;
    2. possible consequences of a breach of personal data protection;
    3. measures taken or proposed by the Controller to address a personal data breach, including, where appropriate, measures to minimise its possible negative effects.

If it is not possible to provide all of this information at the same time, the initial report shall contain the information available at that time and, when further information becomes available, it shall be provided without undue delay;

  3. when fulfilling the obligation to notify the data subject without undue delay of a personal data breach pursuant to Article 34 of the GDPR, if the breach is likely to result in a high risk to the rights and freedoms of natural persons.

Data breach concerning data processed by the Processor

In the event of a personal data breach involving data processed by the Processor, the Processor shall report the breach to the Controller immediately, and no later than 48 hours, after becoming aware of the breach. The report should include at least:

  1. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data entries affected by the breach);
  2. contact details for obtaining more information about the personal data breach;
  3. an indication of the likely consequences of the breach and the measures that have been or are to be introduced to address the breach, including to minimise its possible negative effects.

If it is not possible to provide all of this information at the same time, the initial report shall contain the information available at that time and, when further information becomes available, it shall be provided without undue delay.

§ 5 Final provisions

  1. The Administrator is entitled to terminate the contract to the extent that it concerns the processing of personal data in accordance with these Regulations if:
    1. the Processor seriously or persistently violates these Regulations or its obligations under the GDPR;
    2. the Processor does not comply with a binding decision of a competent court or of the competent supervisory authority(ies) concerning its obligations under the GDPR.
  2. The Processor has the right to terminate the contract to the extent that it concerns the processing of personal data in accordance with these Regulations if, after notifying the Controller that its instruction violates applicable legal requirements, the Controller insists on fulfilling the instruction.
  3. Upon termination of the service provision, the Processor, at the Controller’s discretion, either deletes all personal data processed on behalf of the Controller and certifies to the Controller that it has done so, or returns all personal data to the Controller and deletes existing copies, unless EU or Member State law requires storage of the personal data. The Processor shall ensure compliance with these Regulations until the data is deleted or returned.
  4. In matters not regulated by these Regulations, the provisions of the GDPR and EU and national regulations governing the processing of personal data will apply.
  5. The court having jurisdiction to settle any disputes arising from these Regulations will be the court having jurisdiction over the registered office of the Administrator.
  6. Annex I constitutes an integral part of the Regulations.
  7. The Processor reserves the right to change these Regulations in the event of:
    1. changes in legal provisions, in particular in the field of personal data protection,
    2. changes in the way services are provided that affect data processing,
    3. the need to clarify or supplement the provisions of the regulations.

The Administrator will be notified of any changes to the Terms and Conditions via email or a message in the user panel at least 14 days before the changes are scheduled to take effect. The amended Terms and Conditions will be binding unless the Administrator objects to their content before the changes take effect.

Attachments:

  • Annex I List of sub-processors

Annex I List of sub-processors

On the basis of the personal data processing agreement, the Administrator has permitted the use of the services of the following sub-processors:

Name of the sub-processor and address | Services provided to the Processor | Place of personal data processing and possible location of servers
IT-Solve S.C. Wiktor Sobczyk Damian Sitek – Rumiankowa 5, 42-280 Częstochowa | Programming Services | Częstochowa