Version 26.02.2024
Data Processing Agreement (DPA)
The following DPA Agreement („DPA Agreement”) is a part of the Virtual Data Room Service Agreement (“Main Agreement”). All terms and expressions shall have the meanings given to them in this Agreement and the Privacy Policy, unless otherwise stated in the Main Agreement.
1. Providing personal data
1. On the basis of this DPA Agreement the Client provides the Provider with personal data of Users including: name, surname, company name, e-mail address, telephone number, IP address (“Personal Data of Users”) in order to properly perform the services covered by the Provider indicated in § 3 of the Main Agreement.
2. Parties independently determine the detailed purposes, scope and means of processing Personal Data of Users serving – each individually – as the administrator of personal data.
3. The Administrator of Personal Data of Users is: (a) The Client – with reference to various, justified purposes of processing these data by the Client (b) The Provider – with regard to processing these data for the purpose indicated in Sec. 1 of this paragraph.
4. The Client declares that, as the administrator of Personal Data of Users indicated in Sec.1 of this paragraph, has a legal basis for making this data available to the Provider.
5. Processing of personal data by the Provider for the purpose of providing services covered by the Main Agreement shall be based on the legal basis, i.e. art. 6 sec.1 let. f of Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free flow of such data and the repeal of Directive 95/46/EC [Regulation] (legitimate interest of the Provider).
6. Processing of the Personal Data of Users by the Provider in order to provide the services specified in the Main Agreement will continue throughout the duration of the Main Agreement, including legislation currently in force.
7. Each Party undertakes to process Personal Data of Users in accordance with the provisions of the Regulation and other commonly applicable legal provisions.
8. In the event that either Party suffers damage as a result of violation by the other Party processing Personal Data of Users within the scope of the Regulation, in particular when any financial penalty is imposed, the injured Party shall have the right to demand from the other Party compensation for the damage suffered, including reimbursement of costs related to court proceedings or other appropriate proceedings.
2. Entrusting the processing of personal data
1. The Client, acting on the basis of Regulation, being the Administrator or a processing entity within the meaning of the abovementioned Regulation, of the personal data potentially contained in the documents entered to the VDR System (“Personal Data”) hereby:
a) Entrusts to process Personal Data with the aim and within the scope indispensable for the performance of the Main Agreement, for the period of its validity and in pursuance of the provisions specified in the DPA Agreement,
b) Grants the Provider with General consent concerning sub-processing of Personal Data to other data processing subjects (“Sub-processor”), with the aim and within the scope indispensable for the performance of the Main Agreement and for the period of its validity.
2. In the event, the Client is a Processor, as mentioned in the Section 1 above, the Client declares that the Client has the Administrator’s consent for further entrusting Personal Data.
3. The Provider, as the Processor, and in the event referred to in Section 2 above – further processing entity, is obliged to the following:
a) Guarantee that the people authorised to process personal data are obliged to keep these personal data confidential,
b) Guarantee safety of processed personal data entrusted to them according to the requirements specified in the Regulation, and according to applicable national legal regulations of the Parties,
c) Following the completion of the performance of the services concerning personal data processing and depending on the decision of the Client, to delete or return to the Client all personal data and to delete any existing copies of such data,
d) Provide the Client with all required information indispensable to confirm completion of obligations specified in the provisions of the Regulations as vested in the Provider as the subject processing data, and allow the Client or an Auditor authorised by the Client, to carry out an audit, including inspection. Client is entitled to carry out 1 (one) inspection within a calendar year, that shall last no longer than 2 (two) working days. Client shall inform the Provider about a date and scope of the inspection minimum 30 (thirty) days before. In the event the Client shall carry out inspection at the seat of the Provider more frequently that once a calendar year and/or the inspection shall last longer than 2 (two) working days, the Client is obliged to pay the charge for such inspection in the amount of 100 (one hundred Euro)net for every additional hour of inspection at the seat of the Provider.
e) Assist the Client, according to available technical and organisation extent, with the performance of the requirements of a person, the data refer to, concerning compliance with the person’s rights specified in Part 2 of the Regulation, as well as with reference to the performance of the Client obligations specified in Articles 32-36 of the Regulation.
4. The Provider declares that the Provider shall not transfer any Personal Data entrusted to process to any third countries. The Provider shall not be held responsible for any release, if any, of such personal data to any third entities.
5. The Client declares that the Client does not entrust to process Personal Data concerning judgements of conviction or infringement to law.
6. In the event of concluding an agreement on personal data processing by the Provider as mentioned in item 1 b), the Provider is obliged to guarantee that the Sub-processor is obliged to perform the duties as specified in item 3 a) – e).
7. In the event of intended change/amendment, such as adding or replacing Sub-processor with another data processing subject, the Provider informs the Client about such intention. Within 7 (in words: seven) days the Client has the right to lodge an objection against such change/amendment. In case of lack of such objection of the Client or delayed objection filed after the mentioned period, it is understood as a consent to make such change/amendment of the Sub-processor by the Provider. In the event the Client fails to give such consent the Provider is authorised to terminate the Main Agreement with immediate effect. If the objection of the Client, as mentioned in this provision, turns out to be unjustified, the Client bears liability for damages towards the Provider for both actual loss and loss of profit.
8. Some parts of the VDR services and/or complimentary services may be completed through third parties („Subcontractors”). Complimentary services are those to enhance the execution of the Main Agreement. The Provider shall be fully responsible for all activities and/or negligence of the Subcontractors and shall ensure that the Subcontractors keep confidentiality. Parties agree that the Subcontractor might, but does not have to be the Sub-processor. The Provider informs the Client about the Subcontractor to which the Provider entrusts to process Personal Data (“Sub-processor”), according to item 7 above..
9. The Provider shall not bear responsibility for any infringement of personal data protection by the Client or any subjects the Client entrusts their personal data processing, neither for:
a) Processing of sensitive personal data without legal basis,
b) Processing of personal data concerning judgements of conviction or infringement to law or associated safety means without any legal basis.
10. If any national institution or person the data refer to, claims damaged from the Provider for any infringement, especially indicated in items 9 a)-b), the Client undertakes to release the Provider from responsibility towards the person the data refer to, by removing the infringement or payment of the claim (release from the debt) inclusive. In the event the Client fails to perform obligations mentioned in the previous sentence, the Client bears liability for damages towards the Provider.
11. In the event of payment of damages, financial penalty, fine, or any other amount payable by the Provider in favour of the person the data refer to, or in connection with decision or sentence of a public authority, the Client is obliged to reimburse the paid amount to the Provider including any incurred charges such as legal services charges, administrative and legal procedure charges.
3. Duration and breach of the DPA Agreement
1. The DPA Agreement is signed for the duration of the Main Agreement. To resolve doubts, the expiration of the Main Agreement, for whatever reason, results in the termination of the DPA Agreement.
2. Each Party is entitled to terminate the DPA Agreement without notice, if:
a. it is proven by inspection that the other Party has not taken the security precautions referred to in Articles 32-34 of the GDPR,
b. other Party processes personal data not in accordance with the DPA Agreement or the rules of the GDPR.
3. In the event of termination of the DPA Agreement, the Processor is obliged, within 7 days, to permanently destroy and remove all records and documents prepared in connection with the performance of the Main Agreement and documents containing personal data entrusted for processing, unless the Processor has a separate legal basis for processing.
4. Miscellaneous
1. DPA Agreement is valid from the date of signing the Main Agreement.
2. In case of matters not regulated by the DPA Agreement, adequate legal rules apply, in particular those of GDPR and the Polish Civil Code, as well as the Main Agreement.
3. Any modifications to DPA Agreement shall be done in document form and shall be duly executed.
Attachment No. 1 to Data Processing Agreement [“DPA”]
1. In the event that the Sub-processor of the Supplier is Microsoft Ireland Operations Limited, the principles described in paragraph 2, section 3 of the DPA are replaced by the principles described in this Attachment.
2. Fordata is obligated to take all possible actions to ensure that the following obligations are imposed on the Sub-processor:
a. Ensuring that authorized persons processing personal data at the Sub-processor are obliged to keep such personal data confidential,
b. Ensuring the security of the processing of personal data entrusted to it in accordance with the requirements specified by the Regulation and relevant provisions applicable to the Parties,
c. After the provision of services related to the processing of personal data has ended and depending on the decision of the Client, either deleting or returning to the Client all personal data and deleting all existing copies thereof,
d. Enabling the Client or an auditor authorized by the Client to conduct audits, including inspections – solely on terms agreed with the Sub-processor,
e. Assisting the Client, to the extent of available capabilities and technical and organizational means, in fulfilling requests of the data subject regarding the exercise of their rights specified in Chapter II of the Regulation, as well as in fulfilling the Client’s obligations specified in Articles 32-36 of the Regulation.
3. In all other respects, the provisions of the Data Processing Agreement shall apply to the Sub-processor.
Latest versions:
Version 05.06.2020