Entrusting the processing of personal data

Entrusting the processing of personal data

These data entrustment conditions define the principles on which the personal data of employees of Entrepreneurs who concluded agreements with KFE Holding Sp. z o. o. (by placing the order that we accepted for execution) will be processed by our Company.

Whenever these conditions refer to:

  • Entrepreneur - this means entrepreneurs who concluded the agreement with our Company.
  • Company - this means KFE Holding Sp. z o.o. with its registered office in Warsaw at Czerniakowska Street No. 71, KRS number: 0000255059.
  • Parties - this means the Entrepreneur and the Company.
  • § 1 SUBJECT MATTER OF THE AGREEMENT
  1. The Entrepreneur and the Company conclude the personal data entrustment agreement, hereinafter referred to as the "Conditions", under which the Entrepreneur entrusts the Company with the processing of personal data to the extent resulting from the placed order, which was accepted by the Company.
  2. The entrustment of the personal data to the Company takes place in order to provide the service specified in the placed order.
  3. The Company may process the personal data entrusted to it only to the extent and for the purpose specified in the order and for the purpose and to the extent necessary to provide services specified in the placed order.
  4. The scope of entrusted data and categories of data are always dependent on the specificity of the provided service.
  • § 2 DECLARATIONS AND OBLIGATIONS OF THE COMPANY
  1. The Company hereby declares that it has infrastructure resources, experience, knowledge and qualified personnel, to the extent enabling the proper provision of the service, in accordance with applicable law. In particular, the Company declares that it is familiar with the principles of processing and protection of personal data resulting from the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (general data protection regulation, hereinafter referred to as the "GDPR").
  2. The Company is required to:
    1. process the entrusted personal data only on the basis of the order and these Conditions, which together constitute a documented instruction of the Entrepreneur;
    2. provide access to the entrusted personal data only to persons who, due to the scope of performed tasks, are authorized by the Company to process it and only for the purpose of performing duties resulting from the placed order;
    3. ensure that persons authorized to process the personal data commit themselves to confidentiality;
    4. implement appropriate technical and organizational measures to ensure the level of security corresponding to the risk of violating the rights or freedoms of natural persons whose personal data will be processed by the Company;
    5. support the Entrepreneur, if possible (through the application of appropriate technical and organizational measures) in the fulfillment of the obligation to respond to requests of data subjects, to the extent of the exercise of their rights specified in Chapter III of the GDPR;
    6. help the Entrepreneur to the extent of:
      1. reporting violations of personal data protection to the supervisory body and notifying data subjects about such a violation;
      2. assessment by the Entrepreneur of the impact of effects for data protection and consultation with the supervisory body;
  3. keep, in written (including electronic) form, the register of all categories of processing activities conducted on behalf of the Entrepreneur;
  4. provide the Entrepreneur, upon each request, no later than within 3 Business Days, with all information necessary to demonstrate the fulfillment by the Entrepreneur of obligations resulting from the relevant provisions of law, in particular from the GDPR;
  5. enable the Entrepreneur or the auditor authorized by the Entrepreneur the conduct;
  6. immediately inform the Entrepreneur if, in the opinion of the Company, the instruction given to it violates the GDPR or other national or EU provisions on data protection;
  7. store the personal data as long as it is specified by the Entrepreneur, or as is apparent from the generally applicable provisions of law.
  • § 3 SUB-ENTRUSTMENT
  1. The Entrepreneur consents to the further entrustment by the Company of the processing of personal data to other processing entity, to the extent necessary for the execution of the order. The Company is obliged to inform about any planned changes concerning the addition or replacement of further processing entities.
  2. The Company assures that it will use only services of such further processing entities that provide sufficient guarantees to implement appropriate technical and organizational measures, so that the processing meets the requirements of the GDPR and the provisions of the applicable law on the protection of personal data, indicated in § 2 par. 1 section 2, which the Company is obliged to comply with before 25 May 2018, and also protects the rights of data subjects.
  3. The Company will ensure in the agreement with the further processing entity that this entity will be subject to obligations corresponding to the Company's obligations.
  • § 4 AUDIT
  1. The Entrepreneur is authorized to audit the compliance of the processing of personal data by the Company with the applicable provisions of law.
  2. The Entrepreneur shall inform the Company at least 4 Business Days prior to the planned deadline for the audit about the intention to conduct it. If for important reasons, in the Company's opinion, the audit cannot be conducted within the indicated deadline, the Company should inform the Entrepreneur about this fact, indicating the justification for such an opinion. In this case, the Parties will jointly determine the later deadline for the audit.
  3. After the audit, the representative of the Entrepreneur will prepare the inspection report, signed by representatives of both entities. The Company undertakes, within the deadline agreed with the Entrepreneur, to adapt to the inspection recommendations contained in the report, aimed at removing deficiencies and improving the security of personal data processing (if the recommendations are accepted by the Company).
  • § 5 REPORTING OF VIOLATIONS
  1. The Company is obliged to implement and apply procedures to detect violations of personal data protection and implement appropriate corrective measures.
  2. After finding the violation of protection of personal data entrusted to it by the Entrepreneur, the Company, without undue delay, but no later than within 36 hours from the time of finding the violation, shall notify them to the Entrepreneur. The subject of reporting is information about the circumstances and the reason for violation.
  3. Until the procedure in violation is obtained from the Entrepreneur, the Company shall take all reasonable actions to limit and repair the negative effects of the violation, without undue delay. The Company is obliged to document all violations of protection of personal data entrusted to it, including the circumstances of violation of personal data, its consequences and remedial actions taken.
  4. The Company is obliged, at every request of the Entrepreneur, to immediately provide him with the documentation referred to in the preceding sentence.
  5. The Company will not notify about the violation without the explicit instruction of the Entrepreneur:
    1. data subjects, or
    2. supervisory body.
  • § 6 TERM OF THE AGREEMENT AND PRINCIPLES OF LIABILITY
  1. The Agreement is concluded for a definite period of time and ceases to apply with the completion of the provision of the service.
  2. The Entrepreneur may terminate the Agreement with a 1-month notice period.
  3. After the termination of the Agreement, the Company should, in accordance with the instruction of the Entrepreneur, return or destroy, in a manner and on a date separately agreed with the Entrepreneur, all personal data and its copies, unless the relevant provisions of national or EU law require to store such personal data. The costs of return or destruction of personal data and its copies shall be borne by the Entrepreneur.
  • § 7 FINAL PROVISIONS
  1. To all matters not settled in the Conditions, the relevant provisions of the Civil Code, GDPR and other applicable provisions on the protection of personal data shall apply.
  2. All disputes related to the Agreement shall be submitted to the common court with competent jurisdiction for the registered office of the Company.