AGREEMENT ON ENTRUSTMENT OF PERSONAL DATA PROCESSING

The User of the ENCOR ESS Application, pursuant to the Terms and Conditions of the ENCOR ESS Application (available on the following website: encorbat.corab.pl)

hereinafter referred to as “the Personal Data Administrator”, “PDA”

and

Corab S.A. seated in Olsztyn, address: ul. Michała Kajki 4, postal code 10-547 Olsztyn, entered into the register of entrepreneurs of the National Court Register under number 0000950779, the registry records of which are kept by the District Court in Olsztyn, the 8th Commercial Division of the National Court Register, holder of NIP [Tax ID no.]: 7390207757 and REGON [National Business Registry Number]: 510519084.

hereinafter referred to as the “Processing Entity”,

 

hereinafter mutually referred to as “the Parties”, concluded this agreement on entrustment of personal data processing (hereinafter referred to as “the Agreement”) as follows:

 

 

WHEREAS:
 

(1) The Parties concluded a Software as a Service agreement for the ENCOR ESS Application hereinafter referred to as “the Master Agreement” in accordance with the Terms and Conditions of ENCOR ESS Application and the subject of which is to provide access to the ENCOR ESS Application with the possibility to utilize its features;
 

(2) In relation to activities performed as part of the Master Agreement, the Processing Entity shall have access to personal data that the Personal Data Administrator is the administrator of, pursuant to Art. 4 point 7) of the Regulation of the European Parliament and the Council (EU) 2016/679 of 27 April 2016 on protection of individuals with regard to processing of personal details and on the free movement of such data and repeal to Directive 95/46/EC (General Data Protection Regulation) (hereinafter referred to as “the Regulation” or “the GDPR”).
 

(3) Pursuant to Art. 28 of the GDPR, the Personal Data Administrator intends to entrust the Processing Entity with the processing of personal data within the scope and purpose connected with the activities performed by the Processing Entity as part of the Master Agreement.
 

THE PARTIES DECIDED TO CONCLUDE AN AGREEMENT WHICH READS AS FOLLOWS:
 

§ 1.

Subject of the Agreement

1. Pursuant to Art. 28 of the Regulation, the Personal Data Administrator shall entrust the Processing Entity with personal data for processing under rules and for the purpose specified herein.
2. The Processing Entity shall undertake to process the personal data they are entrusted with in accordance with this Agreement, the Regulation and other regulations of commonly applicable law that protect the rights of data subjects.
3. The Processing Entity declares that they utilize safety measures; in particular, they implemented proper (i.e. technical and organizational) safeguards that meet the requirements of the Regulation and protect the rights of data subjects the processing of which has been entrusted to the Processing Entity hereunder.
4. The PDA declares that the personal data entrusted to the Processing Entity have been collected and processed in accordance with the law; in particular, proper permissions were obtained from the data subjects or there are different legal grounds for the processing of personal data by the PDA.
5. If the Master Agreement provides that the Processing Entity shall collect personal data on behalf of the Personal Data Administrator, the Personal Data Administrator shall provide the Processing Entity with all the necessary instructions and guidelines as to the contents of permissions for the processing of personal data that must be obtained and/or the contents and method of delivery of the information clauses pursuant to Art. 13 or 14 of the GDPR. In such a situation, the Processing Entity shall obtain proper permissions of data subjects and independently fulfill the information obligations under Art. 13 or 14 of the GDPR on behalf of the Personal Data Administrator.

§ 2.
Type of entrusted Personal Data
1.    In relation to the services provided under the Master Agreement, the Processing Entity shall process personal data specified in Appendix no. 1 to the Agreement (“Personal Data”). A change in the appendix shall not require an annex to the Agreement but shall only need to be approved in a documented form (including electronic mail).
2.    The Processing Entity shall process the Personal Data solely for the purpose of performance of the Master Agreement for the duration thereof.
3.    In general, the Personal Data shall be processed electronically, among others, in IT systems used to handle the subject of the Master Agreement i.e., as part of the ENCOR ESS Application.
 

§ 3.
Declarations of the Parties
1. For the avoidance of doubts, the PDA and the Processing Entity mutually declare that the Processing Entity:
a)    does not decide on the purpose and means of the processing of Personal Data entrusted by the PDA;
b)    shall not have the right to hold or create any copies of the documents with the Personal Data entrusted by the PDA, including records containing the Data in question or databases saved in form of hard copies or electronic documents except for those justified by the purpose and scope related to the performance of the Master Agreement;
c)    shall process the data entrusted to them under this Agreement solely upon the request of the PDA and shall keep record of the PDA requests; oral requests must be confirmed with a documented form;
d)    shall inform the PDA prior to the processing on the processing obligation, if such an obligation results under regulations of law, unless such regulations prohibit disclosure of such information due to an important public interest;
e)    shall immediately inform the PDA if the request issued to the Processing Entity constitutes a breach of the Regulation or other applicable regulations on data protection;
f)    must not use the Personal Data for own purposes unrelated to the implementation of this Agreement and the Master Agreement;
g)    can rectify, remove or limit the processing of entrusted Personal Data only upon the PDA’s request.
 

§ 4.
Obligations of the Processing Entity
1.    The Processing Entity shall undertake, prior to the processing of the entrusted Personal Data, to provide technical and organizational measures under Art. 32 of the GDPR i.e., measures that will ensure the proper level of safety reflecting the risk related to the processing of the Personal Data. 
2.    The Processing Entity shall obligate to exercise due diligence during the processing of entrusted Personal Data.
3.    The Processing Entity shall undertake to grant authorization for the processing of Personal Data to all persons that will process the entrusted Personal Data for the purpose of performance hereof as well as shall obligate such persons to keep the confidentiality of the Personal Data both during their employment at the Processing Entity as well as once such employment ceases.
4.    Once the provision of services under the Master Agreement ends, the Processing Entity shall, pursuant to the PDA’s request, remove or return to the PDA all the Personal Data and remove any existing copies thereof, unless provisions of the commonly applicable regulations of law impose the obligation to store personal data.
5.    Where possible, the Processing Entity shall help the PDA within the scope necessary to fulfill the obligation of addressing requests of data subjects in relation to their rights pursuant to Chapter III of the GDPR as well as to fulfill the obligations provided for in Art. 32-36 of the GDPR. 
6.    If the Processing Entity intends to transfer personal data to third countries or international organizations, they shall be obligated to notify the Personal Data Administrator in a documented form prior to such an action.
7.    As part of the Agreement, the Processing Entity shall be obligated to implement and maintain relevant technical and organizational measures that ensure a safety level of the processing of personal data that reflects the risk of breach of rights and freedoms of the subjects of the Personal Data. The list of safety measures used by the Processing Entity has been enclosed in Appendix no. 3 to the Agreement.
8.    In case of an identified breach of personal data protection or justified suspicion of breach of personal data protection, the Processing Entity shall immediately report such cases to the Personal Data Administrator not later than within 36 hours from the identification of such a breach. If possible, the report must contain at least:
a)    a description of the nature of infringement of personal data protection, including (where possible) the categories and an approximate number of data subjects and the categories and an approximate number of personal data entries that the breach affected;
b)    the name and surname and contact details of the data protection officer or indication of another contact person who will be able to provide more information;
c)    a description of the possible risk related to the infringement of personal data protection;
d)    a description of the measures applied or proposed by the Processing Entity in order to remedy the breach of personal data processing, including (where applicable) the measures to minimize its possible negative outcome.

§ 5.
Right to control
1.    The PDA shall have the right to control whether the measures used by the Processing Entity for the processing and securing of the entrusted Personal Data are in line with the provisions hereof. 
2.    The PDA shall exercise their right to control within the working hours of the Processing Entity and after prior notification on the date of the control, at least 5 days before the planned beginning of the control.
3.    In order to carry out the control, authorized representatives of the Personal Data Administrator shall have the right to access the premises where the Personal Data are processed, conduct the necessary inspection and demand explanation to establish the facts.
4.    Each time, the Parties shall draw up an inspection protocol on the conducted control that shall be signed by the authorized representatives of the Parties.
5.    The Processing Entity shall undertake to immediately remove any omissions identified during the inspections.
 

§ 6.
Further entrustment of data for processing
1.    The Personal Data Administrator hereby gives consent to further entrustment of the entrusted personal data by the Processing Entity under an agreement concluded between the Processing Entity and the sub-processing entity with regard to entities indicated in Appendix no. 2 to the Agreement.
2.    The Administrator shall give consent and confirm that the Processing Entity shall have the right to further entrust the entrusted details to a sub-processing entity in a situation when the further sub-processing entity ensures protection of personal data at least at the same level of safety as the Processing Entity.
 

§ 7.
Liability of the Parties
1.    The Processing Entity shall be liable for culpable disclosure or use of the Personal Data against the contents of the Agreement, particularly for disclosure of Personal Data entrusted for processing to unauthorized person. The Processing Entity shall be liable before the PDA for failure to provide proper safety level of the processing of personal data, infringement of confidentiality of the processed personal data and failure to notify the PDA on a suspected or identified breach of personal data processing.
2.    The Processing Entity shall be liable for the actions and omissions of all the sub-processing entities as if they were the Processing Entity’s own actions and omissions.
3.    The liability of the Processing Entity shall be limited to the amount of the actual loss and shall not cover any lost profits. 
4.    The Parties shall undertake to notify each other, not later than within 3 days, on any proceedings, particularly administrative or judicial proceedings, with regard to the entrusted Personal Data, on any administrative decisions or orders delivered to the Party with regard to the processing of such Data, as well as on any intended (if known) or implemented controls and inspections concerning the processing of such Personal Data, particularly those conducted by officers authorized by the Head of the Personal Data Protection office or another supervisory body competent within the scope of personal data protection so that the other Party can participate in each such a/m proceedings. This section refers solely to the Personal Data entrusted by the PDA.
 

§ 8.
Duration of the Agreement
1.    This Agreement shall be valid from the date of its conclusion for the duration of the Master Agreement. The termination or expiry of the Master Agreement, regardless of the reason, shall result in expiry of this Agreement. 
 

§ 9.
Termination of the Agreement
1.    The PDA shall have the right to terminate this Agreement with immediate effect when the Processing Entity processes the Personal Data in a manner inconsistent with the Agreement.
 

§ 10. 
Service addresses
1.    Within the scope of service and contact related to the performance of the Agreement, the Parties shall address all the messages to the contact details indicated upon the conclusion of the Master Agreement, whereby the Administrator can also contact the Processing Entity through the ENCOR ESS Application.

§ 11. 
Final provisions
1.    The Agreement shall come into force on the date of signing by the Parties. 
2.    Should one or more provisions of the Agreement be or become invalid or ineffective, it shall not affect the validity or effectiveness of the remaining provisions hereof. Once the Parties learn about the invalidity of any of the provisions hereof, they shall immediately draw up a written annex to the Agreement in which they shall repeal the defective provisions and, when necessary, replace them with new ones.
3.    The Parties mutually declare that in case of disputes arising from the performance hereof they shall try to resolve them amicably. If the Parties fail to resolve the dispute amicably, the dispute shall be resolved by a common court competent for the registered office of the PDA. 
4.    Any changes, supplements or termination hereof shall be in a documented form, otherwise being declared null and void, subject to situations in which the Agreement allows for implementation of changes in a different form.
5.    The Agreement along with its appendices shall constitute the entire arrangement between the Parties, unless the contents of the Agreement explicitly indicate additional arrangements of the Parties as an integral part hereof.
6.    This Agreement has been drawn up in two identical counterparts, one for each Party.
 

List of appendices to the Agreement:
1.    Type of Personal Data entrusted for processing (Appendix no. 1),
2.    List of accepted processing entities (Appendix no. 2),
3.    List of technical and organizational measures (Appendix no. 3), 
 

Appendix no. 1 to
the Agreement on entrustment of data processing as part of the ENCOR ESS Application

 

TYPE OF PERSONAL DATA ENTRUSTED FOR PROCESSING

Type of personal data: The processing refers to ordinary data   Nature of the processin: Electronic   Personal data categories: Details of the Administrator’s customer: name, surname / company name in case of a corporate customer, phone number, e-mail address. Employee’s details: name, surname, e-mail address, phone number Installation details (name of the installation, address of the installation, installation completion date, installation ID, installation power), details on the customer’s equipment. The Fitter shall have the right to add pictures of the Installation and documents related to a particular Installation that might contain other Personal Data of the Administrator’s Customer (e.g. the agreement concluded between the Fitter and the Installation Owner, the guarantee, module sheet, other documents). The Fitter shall be able to add notes referring to a particular installation of the equipment.   Categories of data subjects: Administrator’s customers/ Installation owners/ Administrator’s employees

Appendix no. 2 to
the Agreement on entrustment of data processing as part of the ENCOR ESS Application

 

LIST OF ACCEPTED PROCESSING ENTITIES

 

Details on entities (company name or name, address): Suzhou Leapton Energy Co., LTD Address: No.9, Sunshine Avenue, Changshu, Jiangsu, China   Chengdu E-LINTER Information Technology Co., Ltd. Address: No. 505, Building 6, Area D, Tianfu Software Park, No. 599 Century City South Road, Chengdu High-tech Zone, China   Purpose of sub-entrustment: The entity that provides IT management of the Application (whereby the data collected in the Application are stored on a server located within the territory of the EEA - servers provided by AWS).   Will the data be transferred outside the EEA? Yes

Appendix no. 3 to

the Agreement on entrustment of data processing as part of the ENCOR ESS Application LIST OF TECHNICAL AND ORGANIZATIONAL MEASURES

 

1. Control of access to information technology systems and use of security software for the information technology systems (anti-virus software, encrypted data transmission, privacy screens).
 

• SSL communication and forced SSL login process
• Access passwords to the systems provided by the Personal Data Administrator are stored in an encrypted form
• Login sessions are protected against change of browser, IP address, editing of cookie files • Restrictive access to the data base - white list of IP addresses and highly-complex passwords
• Internal authorizations within the scope of a single user account on behalf of the Processing Entity
• Continuous software updates and use of legal software
• No public APIs that disclose data
• Internal authorizations within the application are used for a single user account

2. Data access provided only to authorized people. In case of third-party sub-contractors, the data are entrusted solely to entities that provide proper level of safety for the data and that signed an agreement on entrustment of personal data processing.
3. Keeping records of authorized persons and processing entities that have access to the ENCOR ESS Application.
4. The processing of personal data is secured through locks in the premises and an alarm installed at the real property used for the processing of personal data.