Agreement for entrusting the processing of personal data
(www.spotbrowser.com)
This personal data processing agreement (hereinafter referred to as the “Entrustment Agreement”) is part of the Regulations of the www.spotbrowser.com website, hereinafter referred to as the “Regulations”, which contain the terms and conditions for the provision of services by the Seller. In the event of inconsistency between the content of the Regulations and the Entrustment Agreement, the provisions of this Agreement shall prevail.
1
In connection with the conclusion of the Sales Agreement, the subject of which is the purchase of a Package of Services offered by Spotbrowser, this Entrustment Agreement defines the conditions on the basis of which the Seller (hereinafter referred to as the Processing Entity) is entitled to process personal data and IT data that the Client/Agent collects through tools provided as part of the purchased Service Package – on behalf of and at the request of the Client/Agent.
2
The administrator of personal data and IT data referred to in §1 of this Agreement, such as:
– personal data and IT data processed as part of the used tool called chatbot, i.e.: Date and time of the chat, Name and Surname, content of the chat
– personal data and IT data processed as part of the virtual walk and enabling identification of the presenting entity, i.e.: date and time of the chat, user ID, content of the chat.
is the Customer who entrusts the Processing Entity, in particular for the purpose of their storage/archiving on the Seller’s servers as a result of using the purchased Service Package.
3
The Administrator and the Processor declare that the personal data entrusted with the Agreement will be provided to the Seller only in electronic form.
4
The Processing Entity declares that it has implemented appropriate technical and organizational measures to ensure that the processing of personal data entrusted to it by the Administrator meets the requirements of the law, including in particular the GDPR and protects the rights of data subjects, and undertakes to ensure a level of security of the entrusted data corresponding to the risk, referred to in Art. 32 GDPR. Securing the devices and IT systems in its possession used for the processing of personal data ensures an appropriate level of security based on the conducted risk and threat analysis. The processor also ensures the ability to quickly restore the availability of data and access to them in the event of a physical or technical incident. The processing entity processes the provided data only to the extent necessary and necessary to perform the service resulting from the previously purchased Service Package.
5
The Processing Entity processes the personal data entrusted to it by the Administrator only on the Administrator’s documented instruction – which also applies to the transfer of personal data to a third country or an international organization within the meaning of the GDPR – unless such an obligation is imposed on the Processing Entity by law. The Administrator’s instruction should be understood as the provisions of this Agreement constituting an appendix to the Regulations of the www.spotbrowser.com website.
6
The Processing Entity declares that it does not transfer personal data entrusted to it by the Administrator to a third country or an international organization, nor does it use the services of further processors (subcontractors) who would transfer such data entrusted to the Processing Entity by the Administrator.
7
In the event that the Processing Entity intends or is obliged to transfer the personal data entrusted to it by the Administrator to a third country or an international organization – it is obliged to inform the Administrator about it in order to enable the Administrator to take decisions and actions necessary to ensure compliance with the law or to complete the entrustment data processing by the Processor.
8
The Processing Entity undertakes to grant authorizations to process personal data to all persons who will process personal and IT data entrusted by the Administrator and to oblige them to maintain confidentiality.
9
The Processing Entity undertakes to provide the Administrator with assistance, through appropriate technical and organizational measures, in fulfilling the obligation to respond to the requests of the data subject in the exercise of his rights set out in Chapter III of the GDPR.
10
The Processing Entity undertakes, taking into account the nature of the processing and the information available to it, to provide the Administrator with assistance in fulfilling the obligations set out in art. 32-36 GDPR.
11
In the event of a breach of personal data protection, the Processing Entity is obliged to report the breach to the Administrator without undue delay, and the notification should comply with the requirements of art. 33 GDPR.
12
1. The Processing Entity is not authorized to entrust data for further processing
personal data entrusted to him by the Administrator under the Agreement – without prior consent expressed on the terms set out in art. 28 sec. 2 GDPR.
2. Further entrustment of data for processing takes place on the basis of an agreement that meets the requirements set out in the provisions of the GDPR, and the Processor may entrust personal data covered by this Agreement for further processing to subcontractors only for the purpose of performing the Basic Agreement and after obtaining the prior consent of the Administrator.
13
The Processing Entity undertakes to keep all data provided confidential and declares that they will not be used, disclosed or made available without the Administrator’s written consent – for purposes other than the performance of this Agreement, unless the need to disclose the information held results from applicable law.
14
The Customer has the right to direct inquiries to the Processing Entity in the scope concerning the performance by the Processing Entity of the obligations regarding the protection of personal data entrusted to it under the Agreement,
15
The Customer authorizes the Seller to establish cooperation with external entities whose services are aimed at maintaining and proper functioning of the Seller’s servers, such as e.g. energy suppliers, network suppliers, technical suppliers without the obligation to inform the Administrator about it and without obtaining his prior consent, provided that the above-mentioned entities will not have access to the Customer’s personal data.
16
1. The Customer is responsible for implementing appropriate technical and organizational measures to ensure the security of resources, systems, applications and operations that are not the responsibility of the Seller in accordance with the Agreement.
2. The Processing Entity is responsible for making available or using, contrary to the Agreement, the data indicated in §2 of this agreement entrusted by the Administrator, and in particular for making them available to unauthorized persons.
17
After the expiry of the service, the Processing Entity undertakes to permanently delete all data entrusted by the Administrator and all existing copies thereof, in particular from electronic media at the disposal of the Processing Entity, unless the law requires the storage of such personal data.
18
The contract is concluded for an indefinite period (does not apply to Consumers).