Data Processing Agreement (as of November 19th, 2024)

Data Processing Agreement (hereinafter referred to as the “Agreement”)

The Agreement is concluded between a company from IDH Media capital group, specified in the Framework Agreement (hereinafter referred to as the “Data Processor” or “the Processor”), and the Client mentioned in the Framework Agreement (hereinafter referred to as the “Data Controller”).

1. DEFINITIONS

For the purposes of this agreement, the Administrator and the Processor agree that the terms listed below will have the following meanings:

1. Personal Data – means data within the meaning of Article 4, paragraph (1) of Regulation 2016/679, i.e. any information relating to an identified or identifiable natural person;

2. Processing of Personal Data – means any operation or set of operations performed on Personal Data or sets of Personal Data, regardless of whether in an automated manner, such as collection, recording, organization, structuring, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, matching or combining, restriction, erasure or destruction within the meaning of Article 4, paragraph (2) of Regulation 2016/679;

3. Agreement – means this agreement;

4. Framework Agreement – means the agreement for the provision of services by the Data Processor;

5. Regulation 2016/679 – means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ EU L 119 of 4.05.2016, p. 1).

Considering that:

1. The Parties are entities conducting business activities;

2. The Parties cooperate within the framework of their business activities based on the concluded Framework Agreement.

3. The Parties aim to ensure compliance of their business activities with the requirements of the personal data protection regulations;

4. The nature of the activities conducted by the Parties results in the necessity to process personal data;

2. DECLARATIONS OF THE PARTIES

The Parties declare as follows:

1. The Parties declare that this Agreement has been signed in order to fulfil the obligations referred to in Article 28 of Regulation 2016/679 in connection with the signing of the Framework Agreement;

2. The Administrator declares that it is the controller of Personal Data within the meaning of Article 4, paragraph (7) of Regulation 2016/679, i.e. an entity that independently or jointly with others determines the purposes and methods of processing Personal Data provided to the Processor for the performance of its services.

3. The Processor declares that it is a processor within the meaning of Article 4, paragraph (8) of Regulation 2016/679 under the Agreement, which means that the Processor is to process Personal Data on behalf of the Administrator.

3. SUBJECT AND TIME OF PROCESSING

1. The Administrator entrusts the Personal Data to the Processor for processing, and the Processor undertakes to process them in accordance with the law and the provisions of this Agreement.

2. This Agreement is concluded for the duration of the Framework Agreement and the performance of all obligations arising from this Agreement.

4. PURPOSE AND BASIC PRINCIPLES OF PROCESSING

1. The Processor may process Personal Data only to the extent and for the purpose specified in the Framework Agreement;

2. The purpose of entrusting the processing of Personal Data is processing of data for the benefit of the Administrator in order to perform the services specified in the Framework Agreement. The nature of the entrusted processing of Personal Data is operations or sets of operations, i.e.

  • Collection:

    • personal data (first name, last name, username/profile link on social platforms);
    • contact data from people registering for the SaaS platform/service (mainly e-mail, phone);
    • address data from registrants to the SaaS platform/service;
    • necessary data to process payment for the service provided;

  • Search for personal, contact and address data of creators;
  • Communicating with users based on contact information for the purpose of inviting them to and/or executing influencer marketing campaigns;
  • Arranging product shipments to creatives using address data;
  • Processing payments for the service;
  • Processing the creator’s statistical data from social platforms and its publication statistics based on the user’s name on social platforms.

3. As part of the data processing operation, the following types of personal data will be processed: First and Last Name, username on social platforms, email, phone, address, data necessary for payment for the service performed. The type of Personal Data processed under this Agreement does not fall within the special categories of personal data referred to in Article 9, paragraph (1) of Regulation 2016/679 also falls within the special categories of personal data referred to in Article 9, paragraph (1) of Regulation 2016/679.

4. The scope of Personal Data processed by the Processor under this Agreement includes the following categories of data subjects: Employees of the Administrator, associates of the Administrator, and personal data of influencers.

5. The Processor will process Personal Data only on the basis of documented instructions from the Controller.

6. When processing Personal Data, the Processor will comply with the principles set out in this Agreement and in Regulation 2016/679.

7. The Subcontractor may process personal data both in paper and electronic form, while maintaining the security measures applicable to the Controller.

5. DETAILED RULES FOR ENTRUSTING PROCESSING

1. Before starting to Process Personal Data, the Processor must take measures to secure Personal Data, as referred to in Article 32 of the GDPR, in particular:

a) taking into account the state of technical knowledge, implementation costs and the nature, scope, context and purposes of processing, as well as the risk of violating the rights or freedoms of natural persons of varying probability and severity, the Processor shall implement technical and organizational measures to ensure the protection of the Personal Data being processed in order to ensure a level of security appropriate to the risk. The Processor shall appropriately document the implementation of these measures, and shall update these measures in consultation with the controller;

b) shall ensure that any natural person acting under the authorization of the Processor who has access to personal data does not process them otherwise than on the instructions of the controller for the purposes and to the extent provided for in the Agreement;

c) shall keep a register of all categories of processing activities performed on behalf of the Controller, as referred to in Article 30, paragraph (2) of Regulation 2016/679, and shall make the register available to the Controller upon request, unless the Processor is exempt from this obligation under Article 30, paragraph (5) of Regulation 2016/679.

2. The Processor shall ensure that persons having access to the Processing of Personal Data keep the Personal Data and the methods of securing the Personal Data confidential, and the obligation of confidentiality shall apply until the completion of the Agreement and the termination of the employment relationship with the Processor. For this purpose, the Processor shall allow the processing of data only to persons who have signed an agreement on keeping the Personal Data and the methods of securing the Personal Data confidential. / The Processor undertakes to keep the Processed Personal Data and the methods of securing the Processed Personal Data confidential, and the obligation of confidentiality shall apply until the completion of the Agreement.

2. Obligations of the Controller

a) The Controller undertakes to ensure appropriate standards of personal data protection. In particular, the Administrator undertakes to fully cooperate with the supervisory authorities competent for personal data protection.

b) The Administrator ensures that it has the appropriate, legally required basis for processing the personal data entrusted to the Subcontractor.

c) IndaHash ensures that, acting as a processor, it has the appropriate authorization from the data controller to transfer the data to the Subcontractor.

d) The Administrator undertakes to support the Subcontractor in matters related to the implementation of the rights of data subjects.

6. FURTHER OBLIGATIONS OF THE PROCESSOR

1. The Administrator shall assist the Processor in fulfilling the obligations specified in Articles 32–36 of Regulation 2016/679; in particular, the Processor undertakes to notify the Administrator of and execute the Administrator’s instructions regarding the applied Personal Data security measures and Personal Data breaches within 24 hours of learning about the personal data breach.

2. The Processor undertakes to assist the Controller, through appropriate technical and organizational measures, in fulfilling the obligation to respond to requests from data subjects regarding the exercise of their rights specified in Articles 15–22 of Regulation 2016/679, and in particular, the Processor undertakes to notify the Controller of a request submitted by a data subject within 3 days of receiving the request.

3. The Processor, upon obtaining Personal Data, shall provide the data subject with all information referred to in Article 13 of Regulation 2016/679 on behalf of the Administrator. The content and form of the information clause provided by the Processor on behalf of the Processor shall be agreed between the Parties before the Personal Data is collected.

4. The Processor undertakes to comply with any instructions or recommendations issued by the supervisory authority or EU advisory body dealing with the protection of personal data in connection with the processing of personal data, in particular in the scope of application of Regulation 2016/679.

5. The Processor undertakes to immediately notify the Processor of any proceedings, in particular administrative or court proceedings concerning the Processing of the entrusted Personal Data by the Processor or of any administrative decisions or rulings concerning the Processing of the entrusted Personal Data addressed to the Processor, as well as of any audits and inspections concerning the Processing of the entrusted Personal Data by the Processor, in particular those carried out by a supervisory authority.

6. The Subcontractor undertakes to comply with the scope of processing of the entrusted data indicated by the Administrator, in particular the maintenance of the purpose of processing, the method and principles of processing.

7. The Subcontractor undertakes to exercise the utmost diligence in the processing of the entrusted personal data, in particular undertakes to maintain high technical standards of IT security, using methods such as encryption, pseudonymisation or multi-level authentication.

8. The Subcontractor undertakes to support the Administrator to the extent necessary in fulfilling the Administrator’s obligation to respond to requests from data subjects, as well as in fulfilling the obligations arising from Articles 32-36 of the GDPR.

9. The Subcontractor undertakes to comply with the provisions of this Agreement regarding further entrustment of personal data processing.

10. The Subcontractor undertakes to grant appropriate authorizations to process personal data to all persons acting under the Subcontractor’s authorization, who will have access to the entrusted data in connection with the implementation of this Agreement.

11. The Subcontractor declares and guarantees that the persons referred to in point 10 above will be duly obliged or undertake to keep confidential all personal data to which they gain access, both during the employment relationship with the Subcontractor or the provision of services to it, as well as after its expiration.

12. The Subcontractor undertakes to support the Administrator in the implementation of the rights of the persons whose data is being processed.

13. The Subcontractor shall provide support to the Administrator in the event of an official inspection, in particular in terms of enabling the efficient conduct of administrative proceedings and providing information necessary to clarify questions and demonstrate due diligence in the protection of personal data by the Administrator (including the team of the Administrator’s permanent subcontractors) and the Subcontractor.

14. The Subcontractor shall provide the Administrator with support, information and documents necessary to defend against claims of third parties (including persons whose data is being processed) or potential penalties that may be imposed on the Administrator for breach of the principles of personal data protection.

15. The Subcontractor undertakes to support the Administrator to the extent necessary in carrying out the instructions of the Personal Data Administrator, in a situation where IndaHash acts as a processor.

16. In the event of detection or suspicion of a breach or detected breach of personal data security, the Subcontractor shall immediately, but no later than within [12] hours, inform IndaHash of such circumstances. In particular, the Subcontractor shall indicate, if possible, the type and scope of the breach, its location, categories and scope of data affected by the breach and categories of persons to whom the data concerned, whose security was breached.

17. The Subcontractor undertakes to maintain the confidentiality of all information provided by the Administrator in connection with this Agreement, in particular with regard to personal data entrusted to it for processing. This information may be transferred or disclosed only with the written consent or at the written request of the Administrator, unless such an obligation results from legal regulations. The Subcontractor shall immediately inform the Administrator of the circumstances resulting from legal regulations, on the basis of which the obligation to maintain the confidentiality of information is waived.

18. The Subcontractor is obliged to carry out the Administrator’s instructions regarding the processing of personal data, in particular instructions to return, delete and modify data.

7. SUBCONTRACTING PROCESSING

1. The Processor does not engage another processor (sub-processor). The Controller envisages the possibility of entrusting the Processing of the entrusted Personal Data to subcontractors of the Processor. In the event that the Processor intends to entrust the Processing of Personal Data to subcontractors of the Processor, it must notify the Controller in advance of the intention to entrust and of the identity (name) of the entity to which the Processor intends to entrust the Processing of Personal Data, as well as of the nature of the subcontracting, the scope of data and the duration of the subcontracting. Unless the Controller objects to the subcontracting of personal data processing within 7 days of receiving the notification, the Processor will be entitled to continue such subcontracting.

2. In the case of subcontracting of the processing of Personal Data, the subcontracting of processing will be based on an agreement under which the subcontractor undertakes to fulfil the same obligations that are currently imposed on the Processor under this Agreement. The Agreement will be signed in the same form as this Agreement.

3. The Controller will have the powers resulting from the subcontract directly in relation to the sub-processor. The Processor will notify the Controller of the termination of the subcontract within 3 days of such termination.

4. The Processor will ensure that the sub-processors commissioned to process data apply at least a level of protection of Personal Data equivalent to that applied by the Processor.

5. In the event that the sub-processors commissioned to process Personal Data fail to fulfil their data protection obligations, the Processor will be fully liable to the Controller for the performance of the sub-processors’ obligations.

8. AUDIT OF THE PROCESSOR

1. The Controller has the right to verify the Processor’s compliance with the principles of processing Personal Data resulting from Regulation 2016/679 and this Agreement, exercising its right to request the provision of any information concerning the entrusted Personal Data.

2. The Controller also has the right to conduct audits or inspections of the Processor in terms of compliance of processing operations with the law and the Agreement. The audits or inspections referred to in the previous sentence may be conducted by third parties authorized by the Controller.

3. The Processor undertakes to immediately notify the Controller if, in its opinion, any order issued to the Processor constitutes a breach of Regulation 2016/679 or other provisions regulating data protection.

4. When conducting the inspection, the Controller will strive to determine the level of compliance of the Subcontractor’s activities with the law and the provisions of this Agreement.

5. The Controller is obliged to inform the Subcontractor of the intention to conduct an inspection with [7 days] notice.

6. The Administrator shall conduct the inspection during the Subcontractor’s working hours.

7. If the inspection reveals any deficiencies on the part of the Subcontractor in the scope of personal data protection, the Subcontractor shall be obliged to remove said deficiencies within [7 days] of receiving information about the nature of the deficiencies. In particularly justified cases, the Subcontractor may apply to the Administrator for an extension of the deadline for removing the deficiencies. In the event of the Subcontractor failing to comply with the obligation to remove the deficiencies, the Administrator shall have the right to terminate the Main Agreement with the Subcontractor without observing the notice period specified in the Main Agreement.

9. LIABILITY OF THE PARTIES

1. The Processor shall be liable for any damages incurred by the Administrator or third parties as a result of the Processing of Personal Data by the Processor in breach of this Agreement.

2. In the event of non-performance or improper performance of this Agreement by the Processor, the Processor undertakes to pay compensation under the general principles of civil law.

10. TERMINATION OF PROCESSING ENTRUSTMENT

1. At the request of the Controller, the Processor shall delete or return to the Controller all personal data after the completion of the provision of services related to processing, and shall also delete existing copies thereof.

2. Upon expiration of the Main Agreement, the Subcontractor shall be obliged to transfer to the Controller all data that are the subject of this Agreement and delete all copies thereof in its possession, including copies on electronic devices, unless IndaHash instructs otherwise.

3. The Subcontractor shall be obliged to delete all access accounts to online databases, unless IndaHash instructs otherwise.

4. The Subcontractor is obliged to decrypt all data carriers returned to the Administrator after deleting the data, unless the Administrator instructs otherwise.

5. The Administrator shall issue the order referred to in points 1 – 3 in writing, no later than the day preceding the expiry of the Main Agreement.

11. FINAL PROVISIONS

1. This Agreement shall enter into force on the date of its signing.

2. Any amendments to this Agreement must be made in writing under penalty of nullity.

3. Disputes arising in connection with the performance of this Agreement shall be resolved by the court competent for the seat of the Administrator.

4. The Agreement shall be drawn up in two identical copies, one for each Party.