Terms of service
Privacy and personal data (GDPR).
These Regulations are valid from 24 May 2018
1. GENERAL PROVISIONS
1.1 These Regulations form an integral part of the Regulations for electronic provision of the Callpage service (hereinafter: the “Service”) for individuals, corporate entities or other organisational units with legal capacity (hereinafter: the Controller) by the Service Provider – Callpage spółka z ograniczoną odpowiedzialnością, having its registered office in Warsaw (00- 640 Warsaw, ul. Mokotowska 1), registered by the District Court for the Capital City of Warsaw in Warsaw, 12th Economic Division, under the KRS number: 0000572159, with its initial capital of PLN 10,000.00, fully paid up, NIP (tax identification number) 7010503522, REGON (business activity number) 362313916 (hereinafter: the Processor), and shall apply when the Controller, through the Callpage Service, collects or processes personal data as understood by the provisions of the Regulation (EU) 2016/679 – the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ L 119, 4.5.2016, p. 1) (hereinafter: GDPR).
1.2 The data Controller entrusts the Processor with processing of personal data as understood by Article 28 of GDPR to the extent resulting from the Master Regulations. This means, in particular, personal data of customers and prospective customers of the Controller, collected by the Controller and stored by the Processor in the CRM system, and any personal data provided in the course of phone calls recorded by the Controller, if stored by the Processor.
1.3 The Processor undertakes to process personal data to the extent and under the conditions specified in these Regulations, the Act and corresponding secondary legislation based thereon. Personal data entrusted to the Processor under the Regulations shall be processed in the territory of countries of the European Economic Area. The Processor shall not be authorised to receive any additional remuneration for provision of the services specified herein except for the remuneration specified in the Master Agreement.
2. REPRESENTATION OF THE PARTIES
2.1 The Parties unanimously represent that the personal data Controller as understood by Article 4(1) of the GDPR to be processed by the Processor under these Regulations is the data Controller.
2.2 The data Controller represents that the personal data to be processed by the Processor are collected in compliance with the applicable law.
2.3 The Processor represents that they possess appropriate technical and organisational measures, know-how and qualified personnel, thus being able to correctly perform these Regulations for entrusting personal data for processing and to ensure compliance of processing with the applicable law as well as protection of data subjects. The Processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing meets the requirements of GDPR.
2.4 The Processor shall process personal data only upon documented instruction from the Controller.
3 SCOPE OF DATA ENTRUSTED
3.1 The scope of the personal data entrusted for processing by the Processor includes the following personal data of customers using or intending to use the services provided by the data Controller:
3.2 Furthermore, the Controller entrusts the Processor with personal data of the Controller's existing and prospective customers as well as any personal data provided in the course of phone calls recorded by the Controller, if stored by the Processor, to the following extent: identification data of the caller, contact information.
3.3 The procedure of entrusting as referred herein shall involve processing of personal data for the purpose of performance of the following activities by the Processor:
- Storing personal data in CRM systems integrated with the Callpage Service as referred in the Master Agreement,
- Storing backup copies of personal data,
- Storing recorded phone calls where personal data are provided.
Thus, personal data shall be: collected, organised, recorded, arranged, reworked, transferred, made available, deleted or destroyed
3.4 The Processor shall be authorised to process the personal data entrusted by the Controller only to the extent and for the purpose related with implementation of these Regulations and the Master Regulations. Any change of the purpose or the scope of the data processed requires amendment to these Regulations.
4. OBLIGATIONS OF THE PARTIES
4.1 Where processing personal data in relation with implementation of these Regulations, the Processor shall be obliged to comply with the applicable law for personal data protection and to comply with the Controller’s instructions concerning rules for processing the entrusted personal data and concerning safeguarding of personal data.
4.2 The Processor undertakes to process personal data in compliance with the applicable law only to the extent necessary for performing the operations described in par. 3.4 hereof. The Processor acknowledges that their processing of personal data to a broader extent or for other purposes, without appropriate legal grounds, shall constitute a violation of the Data Processing Agreement and the applicable law, and may constitute grounds for terminating or not extending the Collaboration Agreement
4.3 The Processor represents that they are in possession of appropriate technical and organisational measures to protect personal data against unauthorised access, unauthorised retrieval, unlawful processing and damage, destruction or unjustified modification in accordance with the applicable law.
4.4 Prior to commencement of processing of personal data, the Processor must implement measures to protect the personal data as referred to in Article 32 of GDPR, in particular: taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons, of varying likelihood and severity, and is obliged to apply technical and organisational measures ensuring protection of the personal data processed in order to ensure a security level corresponding to the risk.
4.5 The Processor shall be obliged to ensure control of which personal data are transferred, when and who recorded the data in databases and to whom the data are transferred, especially when transferred with data transmission devices.
4.6 Any confidential information and documents containing personal data provided electronically and the communication channel should be secured through cryptographic protection measures.
4.7 If data are processed with the use of an IT system, the system and any related devices, used for processing of personal data, may be used only by individuals named as authorised and trained by the Processor.
4.8 The Processor is obliged to keep a list of individuals engaged for processing of personal data (irrespectively of the legal form of engagement) in relation with performance of the Data Processing Agreement.
4.9 Upon every request of the Controller, the Processor shall be obliged to provide the Controller with a list of individuals engaged for processing of personal data (irrespectively of the legal form of engagement) without delay.
4.10 The Processor undertakes to keep confidential any personal data and their safeguarding methods, also following termination of the Collaboration Agreement, and undertakes to ensure that their employees and other individuals authorised to process the personal data entrusted, as referred to in par. 8 above, undertake to keep confidential any personal data and their safeguarding methods, also following termination of the Data Processing Agreement.
4.11 The Processor shall process the entrusted data at their own premises and in remote locations at sub-processors, also beyond the territory of the European Economic Area.
4.12 In the event of any legal steps undertaken by a third party against the Processor and/or the data Controller in relation with infringement of the rules for processing of personal data, the Parties undertake to collaborate in order to undertake appropriate legal steps, in particular in order to have the third party claims dismissed or rejected by the competent court, appeal measures implemented or a settlement entered into, as well as other legal actions.
In the event of either Party’s violation of the rules for processing of personal data, as stipulated in the Agreement, the Act or corresponding secondary legislation, resulting in the other Party’s damage, the Party to which the violation is attributable shall be obliged to cover the damage incurred by the other Party, whereas the Parties shall restrict the liability to the actual damage (“damnum emergens”) and exclude liability for loss of profit (“lucrum cessans”).
6. TERM OF APPLICATION
The Regulations shall apply for the term of application of the Regulations for provision of the Callpage Service.
These Regulations may be amended or terminated earlier by mutual agreement of the Parties.
Upon expiry of these Regulations, the Processor undertakes to allow for copying all data entrusted by the Controller, and then to delete the entrusted data within not more than 14 days from the expiry of the Regulations, however, not before the data have been copied by the Controller, unless the Controller previously waived the copy in writing.