STANDARD CONTRACTUAL CLAUSES MODULE I. Clauses concerning the transfer of data between administrators.

SECTION I.

Clause 1. Purpose and scope

a) These standard contractual clauses aim at ensuring compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and Council dated 27 April 2016 on protection of natural persons with respect to personal data processing and free flow of such data (General Data Protection Regulation) (1) with respect to transferring personal data to a third country.
b) Parties:

(i) natural or legal persons, public authorities, agencies or other bodies (hereinafter called “the entities”) transferring personal data, mentioned in Schedule I Part A (hereinafter called “data exporter”) and

(ii) entities in a third country receiving the personal data from the data exporter, directly or indirectly through another entity, being also the Party to these clauses, listed in Schedule I Part A (hereinafter called “the data importer”)

agreed these standard contractual clauses (hereinafter called “clauses”).

c) These clauses shall apply to the transfer of personal data, as defined in Schedule I Part B.
d) A supplement to these clauses containing the Schedules mentioned herein shall form an integral part of these clauses.

Clause 2. Effect and invariability of the clauses

a) These clauses define relevant types of safeguards, including enforceable rights of the data subjects and effective legal protection measures, in accordance with art. 46(1) and art. 46(2)(c) of the Regulation (EU) 2016/679, and standard contractual clauses under art. 28(7) of the Regulation (EU) 2016/679 with respect to the transfer of data from administrators to processors or from processors to transferring entities, on condition that such clauses are not modified, except for modification with the aim of selecting relevant module or modules or in order to add information to the supplement or to update such information. This shall not prevent the Parties from including the standard contractual clauses defined herein in a broader contract or adding other clauses or additional safeguards on condition that they do not directly or indirectly conflict with these clauses or infringe fundamental rights or freedoms of the data subjects.
b) These clauses shall not infringe the obligations imposed on the data exporter under Regulation (EU) 2016/679.

Clause 4. Third parties for the benefit of whom the contract was concluded

a) The data subjects may invoke these clauses and enforce them as third parties to the benefit of whom the contract was concluded, with respect to the data exporter or the data importer, with the following exceptions:

(i) clause 1, clause 2, clause 3, clause 6, clause 7;

(ii) clause 8 – first module: clause 8.5(e) and clause 8.9(b); second module: clause 8.1(b), clause 8.9(a), (c), (d) and (e); third module: clause 8.1(a), (c) and (d) and clause 8.9(a), (c), (d), (e), (f) and (g); fourth module: clause 8.1(b) and clause 8.3(b);

(iii) clause 9 – second module: clause 9(a), (c), (d) and (e); third module: clause 9(a), (c), (d) and (e);

(iv) clause 12 – first module: clause 12(a) and (d); second and third module: clause 12(a), (d) and (f);

(v) clause 13;

(vi) clause 15.1(c), (d) and (e);

(vii) clause 16(e);

(viii) clause 18 – first, second and third module: clause 18(a) and (b); fourth module: clause 18.

b) Letter (a) shall be without prejudice to the rights of the data subjects, under regulation (EU) 2016/679.

Clause 4. Interpretation

a) If these clauses use the terms defined in regulation (EU) 2016/679, such terms shall have the meaning attributed to them in that regulation.
b) These clauses shall be read and interpreted according to the provisions of the regulation (EU) 2016/679.
c) These clauses shall not be interpreted in a way conflicting with the rights and duties defined in regulation (EU) 2016/679.

Clause 5. Hierarchy

In case of conflict between these clauses and the provisions of the related contracts between the Parties, applicable upon agreeing these clauses, or concluded thereafter, these clauses shall prevail.

Clause 6. Description of data transfer

Details concerning the data transfer, in particular categories of transferred personal data and purpose(s) of their transfer were defined in Schedule I Part B.

SECTION II – OBLIGATIONS OF THE PARTIES

Clause 8. Safeguards for data protection

The data exporter warrants that he made reasonable efforts to determine that the data importer is able – thanks to implementation of relevant technical and organizational measures – to fulfill his obligations defined herein.

8.1.   Limitation of the purpose

The data importer shall process personal data only for the specified transfer purpose(s), as defined in Schedule I Part B. He may process personal data for another purpose only if:

(i) he obtains a prior consent of the data subject;

(ii) it is necessary to determine, enforce or defend the claims in the context of special administrative, regulatory or court proceedings; or

(iii) it is necessary to protect the vital interests of the data subject or another natural person.

8.2.   Transparency

a) In order to enable the data subjects to effectively exercise their rights under clause 10, the data importer shall transfer to them, directly or indirectly through the data exporter, the information concerning:

(i) his identification data and contact data;

(ii) categories of the processed personal data;

(iii) the right to receive a copy of these clauses;

(iv) if it is planned to further transfer the personal data to a third party (third parties) – a recipient or category of recipients (if it is necessary to communicate important information), for the purpose of further transfer and its justification under clause 8.7.

b) Letter (a) shall not apply if the data subject already has such information, also if the data exporter already transferred such information or if its transfer is impossible or if it involves a disproportionate effort of the data importer. In the latter case the data importer shall make the data public in the scope in which it is possible to do so.
c) The Parties shall free of charge provide the data subject, at his request, with a copy of these clauses, including the supplement filled in by the Parties. In the scope necessary to protect trade secrets or other confidential information, including personal data, the Parties may partially edit the content of the supplement before its copy is made available, but shall provide a relevant summary if without such a summary the data subject couldn’t understand such a text or use his rights. Upon request the Parties shall provide the data subject with the reasons for editing the text, if possible, without revealing confidential information.
d) Provisions contained in letters (a)-(c) shall be without prejudice to the obligations imposed on the data exporter under art. 13 and 14 of the regulation (EU) 2016/679.

8.3.   Data correctness and minimization

a) Each Party shall make sure that the personal data are correct and updated, if necessary. The data importer shall take any reasonable measures to forthwith delete or rectify the personal data which are incorrect in the light of the purpose(s) of their processing.
b) If one of the Parties realizes that the transferred or received personal data are incorrect or invalid, such a Party shall forthwith inform the other Party about it.
c) The data importer shall make sure that the personal data are adequate, appropriate and limited to the scope necessary for the processing purpose(s).

8.4.   Storage limitation

The data importer shall keep the personal data for a period not longer than it is necessary for the data processing purpose(s). The data importer shall implement proper technical or organizational measures to make sure this obligation is performed, including deletion or anonymisation of the data (2) and any back-up copies after the end of the retention period.

8.5.   Processing security

a) The data importer, and during the transfer also the data exporter, shall implement proper technical and organizational measures in order to provide the security of personal data, including the protection against security breach, leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access (hereinafter called “personal data breach”). Assessing the relevant level of security, the entities shall take into account the technical knowledge, implementation cost and the nature, scope, context and purpose(s) of processing and also a risk resulting from processing for the data subject. The Parties shall consider in particular the use of encryption or pseudonymisation, also during the transfer, in cases where the processing purpose may be met in this way.
b) The Parties agreed technical and organizational measures defined in Schedule II. The data importer shall conduct regular inspections to guarantee that such measures provide the security at the relevant level.
c) The data importer shall make sure the persons authorized to process the personal data will undertake to maintain the confidentiality or be subject to a relevant statutory obligation to maintain the confidentiality.
d) In case of personal data breach concerning the personal data processed by the data importer under these clauses, the data importer shall apply proper measures for remedying such a breach, including the measures aimed at minimizing its possible negative effects.

e) In case of personal data breach which may result in a risk of breaching rights and freedoms of natural persons, the data importer shall forthwith report such a breach both to the data exporter and to the relevant supervisory body under clause 13. Such a report shall include: (i) description of the breach (if possible, categories and estimated number of data subjects and estimated number of entries of personal data which were affected by the breach), (ii) its possible consequences, (iii) measures used or proposed in order to remedy the breach and (iv) particular data concerning the contact point where more information can be obtained. In the scope in which the data importer is unable to provide all information at the same time, the data importer may provide it successively, but without delay.
f) In case of personal data breach which may create a risk of infringing rights and freedoms of natural persons, the administrator shall forthwith report to the data subject this personal data breach and its nature, in relevant cases in cooperation with the data exporter, together with the information referred to in (e)(ii)–(iv), unless the data importer implemented the measures aimed at significant reduction of the risk of infringement of rights or freedoms of natural persons or such reporting requires a disproportionate effort. In the latter case the data importer shall make a public statement instead or take similar measures in order to inform the society about the personal data breach.
g) The data importer shall document all the essential facts connected with the personal data breach, including its effects and all the remedial measures taken.

8.6.   Sensitive data

If the transfer includes personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic or biometric data in order to unambiguously identify the natural person or data concerning health or sex life or sexual orientation of such a person or data concerning conviction or prohibited acts (hereinafter called “sensitive data”), the data importer shall apply special limitations or additional safeguards adjusted to special nature of the data and the existing risk. They may include limitations of personnel who is allowed access to such personal data, additional safeguards (such as pseudonymization) or additional limitations concerning further disclosure.

8.7.   Further transfer of data

The data importer shall not reveal the personal data to a third party located outside European Union (3) (in the same country as the data importer or in another third party; hereinafter called “further transfer”) unless the third party is bound by these clauses or agrees to be bound by them under the relevant module. In other cases further transfer by the data importer shall take place only if:

(i) it takes place to the country covered by the decision confirming the relevant level of security, under art. 45 of the regulation (EU) 2016/679, including further transfer;

(ii) the third party in another way applies relevant safeguards with respect to the said transfer under art. 46 or 47 of the regulation (EU) 2016/679;

(iii) the third party concludes a binding instrument with the data importer, ensuring the same level of data protection as the level provided for in these clauses, and the data importer transfers a copy of these safeguards to the data exporter;

(iv) it is necessary to determine, enforce or defend the claims in the context of special administrative, regulatory or court proceedings; or

(v) it is necessary to protect the vital interests of the data subject or another natural person; or

(vi) if any of the remaining conditions does not apply – the data importer obtained explicit consent of the data subject to further transfer of them in a specific situation, after prior notification of such a person about the purpose(s) of the further transfer, the identity of the recipient and possible risk to which – due to lack of relevant safeguards ensuring data protection – the data subject may be exposed as a result of such a transfer. In such a case the data importer shall inform the data exporter and, at the request of the latter, shall provide him with a copy of the information transferred to the data subject.

Any further transfer shall take place on condition the data importer complies with all the other safeguards under these clauses, in particular the limitation of purpose.

8.8.   Processing authorized by the data importer

The data importer shall ensure that each person authorized by him, including the processor, will process the data only upon his instruction.

8.9.   Documentation and compliance

a) Each of the Parties shall be able to prove that the party performs the obligations imposed on him and resulting from these clauses. In particular the data importer shall keep relevant documentation of the processing activities performed, for which he shall be liable.
b) The data importer shall provide this documentation upon the request of a competent supervisory body.

Clause 10. Rights of the data subject

a) The data importer, in relevant cases with the help of the data exporter, shall consider – without undue delay, and within one month at the latest from receiving a request or demand – any requests and demands received from the data subject connected with processing his personal data and exercising his rights under these clauses (10). The data importer shall apply relevant measures aimed at facilitating the procedures of submitting such requests and demands and exercising the rights of the data subjects. All the information transferred to the data subject shall be provided in a comprehensive and easily accessible form, with the use of simple and clear language.
b) In particular, upon the request of the data subject, the data importer shall, free of charge:

(i) send the data subject a confirmation whether his personal data are processed – and if such processing takes place – copies of data relating to him and information defined in Schedule I; if the personal data were or will be further transferred – send the information about the recipients or categories of recipients (in relevant cases in order to provide essential information), to whom the personal data were or will be further transferred, about the purpose of such further transfer and its basis resulting from clause 8.7 and information on the right to lodge a complaint to the supervisory body under clause 12(c)(i);

(ii) rectify incorrect or fill in incomplete data referring to the data subject;

(iii) delete personal data of the data subject if such data are or were processed with the breach of any of these clauses under which he has rights as a third party, to the benefit of whom the contract was concluded or if the data subject withdraws his consent under which processing takes place.

c) If the data importer processes personal data for the purpose of direct marketing, he must stop such processing if the data subject lodges an objection to such processing.
d) The data importer may not take a decision based only on the automated processing of the provided personal data (hereinafter called “automated decision-making”) in a situation when such a decision would have legal effects on the data subject or exercise similar significant influence, unless such a data importer obtained explicit consent of the data subject or was authorized to do so under the provisions of the country of destination if the provisions include relevant measures for safeguarding the rights and legitimate interests of the data subject. In such a case the data importer, if needed, in cooperation with the data exporter, shall:

(i) inform the data subject about the planned automated decision making, expected consequences and principles of decision making and

(ii) implement proper safeguards, at least through giving the data subject the possibility to challenge the decision, express his opinion and conduct human verification.

e) If the requests of the data subject are excessive, in particular due to their incessant nature, the data importer may charge a reasonable fee taking into account administrative costs of fulfilling the request or refuse to take action regarding the request.
f) The data importer may refuse to fulfill the request of the data subject if such a refusal is allowed under the provisions of the country of destination and in a democratic society it is a necessary and proportional measure aimed at protection of one of the purposes mentioned in art. 23(1) of the regulation (EU) 2016/679.
g) If the data importer intends to refuse to fulfill the request of the data subject, he shall inform him about the reasons for refusal and the possibility to lodge a complaint to a competent supervisory body or enforce claims in courts.

Clause 11. Claim enforcement

a) The data importer shall inform the data subjects, in a clear and easily accessible way, through individual notification or through his website, which contact point is authorized to consider the complaints. Such an entity shall forthwith consider any complaints received from the data subject.
b) If there is a conflict between the data subject and one of the Parties regarding the observance of the clauses, such a Party shall do his best to solve the conflict in an amicable and prompt way. The Parties shall give each other, on a regular basis, the information on such conflicts and in relevant cases shall cooperate to settle them.
c) If the data subject invokes the right, resulting from clause 3, which he holds as a third party to the benefit of whom the contract was concluded, the data importer shall accept the decision of the data subject to:

(i) submit a complaint to the supervisory body in the member state of the habitual residence or the place of work of such a data subject or to the competent supervisory body in accordance with clause 13;

(ii) refer the dispute to competent courts as defined in clause 18.

d) The Parties accept that the data subject may be represented by an entity, organization or association which are non-profit-making entities on conditions defined in art. 80(1) of the regulation (EU) 2016/679.
e) The data importer shall follow the binding decision under the applicable EU law or a member state.
f) The data importer confirms that the choice made by the data subject shall be without prejudice to the subjective or procedural rights he holds under the applicable law.

Clause 12. Liability

a) Each Party shall be liable to the entity(s) being the other Party for any damage done to it/them resulting from the breach of these clauses.
b) Each Party shall be liable to the data subject and the data subject shall be entitled to compensation for any property or non-property damage and losses incurred by the data subject by the Party as a result of breaching the rights held by him as a third party to the benefit of whom the contract was concluded, under these clauses. This principle shall be without prejudice to the liability of the data exporter under regulation (EU) 2016/679.
c) If the liability for any losses incurred by the data subject, resulting from the breach of these clauses is held by more than one Party, all the liable Parties shall be jointly and severally liable and the data subject shall be entitled to sue any of the Parties.
d) The Parties agree that if one Party is held liable under (c), this Party shall have the right to demand from the entity(s) being the other Party compensation equal to the extent of the liability for the incurred loss.
e) The data importer may not invoke the actions of the processor or processing subcontractors to avoid his liability.

Clause 13. Supervision

a) The supervisory body responsible for ensuring that the data exporter will follow the provisions of the regulation (EU) 2016/679 with respect to data transfer, as defined in Schedule I Part C, shall act as a competent supervisory body.
b) The data importer consents to be subject to jurisdiction of a competent supervisory body and to cooperation with this body in the scope of all the procedures directed at ensuring the compliance with these clauses. In particular the data importer consents to answering the requests, undergoing audits and complying with the measures adopted by the supervisory body, including remedial and compensatory measures. He shall submit to the supervisory body a written confirmation that he started taking necessary actions.

SECTION III – LOCAL RIGHTS AND OBLIGATIONS IN CASE OF ACCESS BY PUBLIC BODIES

Clause 14. Local laws and procedures affecting the compliance with the clauses

a) The Parties warrant that there are no grounds to believe that laws and procedures in the third country of destination, applicable towards personal data processing by the data importer, including all the requirements concerning personal data disclosure or measures entitling public bodies to gain access, prevent the data importer from meeting his obligations resulting from these clauses. It is based on an assumption that laws and procedures which do not infringe the essence of fundamental rights and freedoms and do not go beyond what is in a democratic society an indispensable and proportional measure aimed at safeguarding one of the purposes mentioned in art. 23(1) of the regulation (EU) 2016/679 do not conflict with these clauses.
b) The Parties represent that, in submitting the warranty referred to in letter (a), they took into account in particular the following elements:

(i) particular circumstances of transfer, including the length of the processing chain, the number of the entities engaged and the transfer channels used; planned further transfer, recipient’s type; data processing purpose; categories and form of transferred personal data; a sector of the economy in which data are transferred; place of storing the transferred data;

(ii) laws and procedures of the third country of destination, including laws and procedures requiring disclosure of data to public bodies or authorizing such bodies to gain access, relevant in the light of particular circumstances of data transfer and applying limitations and safeguards (12);

(iii) any relevant contractual, technical or organizational safeguards, introduced in order to supplement the safeguards resulting from these clauses, including the measures applied during the transfer and processing of the personal data in the country of destination.

c) The data importer warrants that he submitted the evaluation under the provisions of letter (b), did his best to provide the data exporter with relevant information and consents to further cooperation with the data exporter in the scope of ensuring compliance with these clauses.
d) The Parties agree to document the evaluation referred to in letter (b) and provide it upon the request of a competent supervisory body.
e) The data importer shall forthwith inform the data exporter if, after these clauses are agreed and during the term of contract, he has reasons to believe that he is or has become subject to the laws or procedures incompliant with the requirements defined in (a), also as a result of changes in the provisions of the third country or measures (such as demand for disclosure of the data) indicating the application of such provisions in practice, which conflicts with the requirements defined in (a).
f) After receiving the notification under (e) or if the data exporter has another reason to believe that the data importer may not continue performing his obligations resulting from these clauses, the data exporter shall forthwith determine relevant measures (e.g. technical or organizational measures for ensuring security and confidentiality) which the data exporter or the data importer shall adopt in order to handle this situation [in case of third module: in relevant cases in cooperation with the administrator]. The data exporter shall suspend the data transfer if he deems that provision of relevant safeguards with respect to such a transfer is not possible or at the request [in case of the third module: administrator or] competent supervisory body. In such a case the data exporter shall be entitled to terminate the contract – if the problem concerns the personal data processing under these clauses. If the contract concerns more than two Parties, the data exporter may use his right to terminate the contract only with respect to a relevant Party unless the Parties agreed otherwise. If the contract is terminated under this clause, clause 16 (d) and (e) shall apply.

Clause 15. Obligations of the data importer in case of access by public body

15.1.   Notification

a) The data importer shall forthwith inform the data exporter and, if possible, the data subjects (in relevant cases with the help of the data exporter) if:

(i) he receives from a public body, including a court, legally binding request – in accordance with the country of destination – to disclose personal data transferred under these clauses; such a notification shall contain information about the personal data of the data subjects, requesting body, legal basis for the request and the answer granted; or

(ii) he learns about any case of direct access by public bodies to the personal data transferred under these clauses in accordance with the provisions of the country of destination; such a notification shall include any information to which the data importer has access.

b) If the data importer was prohibited to notify the data exporter or the data subject, under the provisions of the country of destination, he shall do his best to obtain the exemption from such a prohibition in order to transfer the highest amount of information possible in the shortest time possible. The data importer agrees to document his attempts in order to prove them upon request of the data exporter.
c) If it is permissible under the law of the country of destination, the data importer agrees to provide the data exporter, at regular intervals, during the term of contract, with as much essential information as possible about the requests received (in particular about the number of requests, type of required data, body(s) requesting them as well as the information whether the requests concerned the remedial measures aimed at challenging them and what was the result of such activities etc.).
d) The data importer agrees to keep the information referred to in letters (a)-(c) for the term of contract and provide them at the request of a competent supervisory body.
e) Letters (a)–(c) shall be without prejudice to the obligation of the data importer resulting from clause 14(e) and clause 16 concerning forthwith notification of the data exporter if he is unable to ensure compliance with the provisions of these clauses.

15.2.   Inspection of legality and data minimization

a) The data importer agrees to inspect the legality of the request for data disclosure and in particular the fact whether it is within the scope of the rights granted to the public body submitting the request and challenge the validity of the request, if after scrupulous inspection he will find that there are reasonable grounds to believe that the request is unlawful in the light of the law of the country of destination, applicable obligations resulting from international law and international courtesy rules. The data importer shall use the possibility to submit an appeal on the same conditions. Challenging the request, the data importer shall apply provisional measures in order to suspend the effects of the request by the time the substance of the case is settled by a competent court. He shall not reveal the personal data to which the request relates until he is obliged to do so under the applicable provisions of the procedural law. Such requirements shall be without prejudice to the obligations of the data importer resulting from clause 14(e).
b) The data importer agrees to document his legal evaluation and any cases of challenging the request to disclose the data and, in the scope allowed by the law of the country of destination, to provide the documentation to the data exporter. He shall also provide it upon the request of a relevant supervisory body.
c) The data importer shall provide minimum permissible quantity of information, giving answers upon the request for data disclosure, based on his reasonable interpretation.

SECTION IV – FINAL PROVISIONS

Clause 16. Lack of compliance with the clauses and contract termination

a) The data importer shall forthwith inform the data exporter if for any reason he is unable to observe these clauses.
b) If the data importer breaches the provisions of these clauses or is unable to ensure the compliance with their provisions, the data exporter shall provisionally, until the clauses are complied with again or the contract is terminated, suspend the transfer of personal data to the data importer. This shall be without prejudice to the provisions of clause 14(f).
c) The data exporter shall be entitled to terminate the contract – if the problem concerns the personal data processing under these clauses – if:

(i) the data exporter suspended the transfer of the personal data to the data importer under letter (b) and the compliance with the provisions of these clauses was not brought back within reasonable time and in any case within one month from the suspension;

(ii) the data importer grossly or persistently breaches the provisions of these clauses or

(iii) the data importer failed to follow a binding decision of a competent court or supervisory body concerning his obligations resulting herefrom.

In such cases he shall inform a competent supervisory body [in case of third module: and the administrator] about such a case of failure to follow the decision. If the contract concerns more than two Parties, the data exporter may use his right to terminate the contract only with respect to a relevant Party unless the Parties agreed otherwise.

d) Personal data transferred before contract termination under (c) shall – depending on the selection done by the data exporter – be forthwith returned to him or deleted in full. The same applies to any copies of such data.] [In case of fourth module: Personal data gathered by the data exporter in EU which were transferred before contract termination under (c) and also their copies, shall forthwith be deleted in full.] The data importer shall confirm the deletion of the data to the data exporter. Till the data are deleted or returned, the data importer shall still comply with these clauses. If the local law applicable to the data importer prohibits the return or deletion of the transferred personal data, the data importer shall warrant that he still will comply with these clauses and will process the data only in the scope and during the period required by the local law.
e) Each of the Parties may withdraw his consent to being bound by these clauses if: (i) European Commission adopts a decision under art. 45(3) of the regulation (EU) 2016/679 including the transfer of personal data to which these clauses apply; or (ii) regulation (EU) 2016/679 is incorporated in the law of the country to which the personal data are transferred. This shall be without prejudice to other obligations applicable to the said processing under regulation (EU) 2016/679.

Clause 17. Governing law

These clauses shall be governed by the law of one of EU member states on condition that the law allows the rights of third parties to the benefit of whom the contract was concluded. The Parties agree that it shall be the Polish law.

Clause 18. Choice of forum and jurisdiction

  1. a) Any disputes resulting from these clauses shall be settled by courts of EU member states.
  2. b) The Parties agree that they shall be Polish courts.
  3. c) The data subject may also instigate court proceedings against the data exporter or the data importer before the courts of a member state in which his habitual residence is located.
  4. d) The Parties agree that they shall be subject to the jurisdiction of such courts.

(1)  If the data exporter is the processor regulated by regulation (EU) 2016/679, acting on behalf of an EU institution or body, relying on these clauses while involving another processor (processing subcontracting) which is not subject to regulation (EU) 2016/679, he shall also ensure compliance with art. 29(4) of the regulation of European Parliament and Council (EU) 2018/1725 dated 23 October 2018 on protection of natural persons with respect to personal data processing by EU institutions, bodies and organizational units and free flow of such data and repealing of regulation (EU) no. 45/2001 and decision no. 1247/2002/EC (OJ L 295, 21.11.2018, p. 39) in the scope in which these clauses and obligations concerning data protection, defined in the contract or another legal act concluded between the administrator and the processor under art. 29(3) of the regulation (EU) 2018/1725, are compliant with each other. This shall apply in particular to situations when the administrator and the processor rely on standard contractual clauses contained in decision 2021/915.

(2)  This shall mean anonymization of the data in such a way that the data subjects can no longer be identified, in line with recital 26 of regulation (EU) 2016/679, and that this process is irreversible.

(3)  In the European Economic Area Agreement (EEA Agreement), extension of internal EU market was provided for to include three EEA countries – Iceland, Liechtenstein and Norway. EU legislation concerning data protection, including regulation (EU) 2016/679, is covered by EEA Agreement and was included in its Schedule XI. Consequently, any disclosure to a third party located in EEA by the data importer shall not qualify as further transfer for the purpose of these clauses.

(4)  In the European Economic Area Agreement (EEA Agreement), extension of internal EU market was provided for to include three EEA countries – Iceland, Liechtenstein and Norway. EU legislation concerning data protection, including regulation (EU) 2016/679, is covered by EEA Agreement and was included in its Schedule XI. Consequently, any disclosure to a third party located in EEA by the data importer shall not qualify as further transfer for the purpose of these clauses.

(5)  See art. 28(4) of regulation EU 2016/679, and in case EU institution or body is the administrator – art. 29(4) of the regulation (EU) 2018/1725.

(6)  In the European Economic Area Agreement (EEA Agreement) extension of internal EU market was provided for to include three EEA countries – Iceland, Liechtenstein and Norway. EU legislation concerning data protection, including regulation EU 2016/679, is covered by EEA Agreement and was included in its Schedule XI. Consequently, any disclosure to a third party located in EEA by the data importer shall not qualify as further transfer for the purpose of these clauses.

(7)  This includes the issue whether transfer and further transfer concerns personal data revealing racial or ethnic origin, political views, religious or philosophical beliefs, trade union membership, genetic or biometric data in order to unambiguously identify the natural person or data concerning health or sex life or sexual orientation of such a person or data concerning conviction or prohibited acts.

(8)  Processing subcontractor may meet this requirement, acceding to these clauses under a relevant module in accordance with clause 7.

(9)  Processing subcontractor may meet this requirement, acceding to these clauses under a relevant module in accordance with clause 7.

(10)  This deadline may be prolonged as much as necessary, by a maximum of two subsequent months, due to the complex nature of the request or the number of requests. The data importer shall forthwith and duly inform the data subject about each such prolongation.

(11)  The data importer may offer a possibility of alternative dispute resolution through an arbitration tribunal only when it has an organizational unit in the country which ratified the New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards.

(12)  In terms of the influence of such law and procedure on the compliance with these clauses, generally various elements may be taken into consideration. Such elements may include: relevant and documented practical experience related to previous cases of demanding by public bodies to disclose data or lack of such demands, covering sufficiently representative periods of time. This concerns in particular internal registers or other documents executed on a regular basis, in accordance with the due diligence principle and certified by senior managing staff, on condition that such information may be lawfully made available to third parties. If such practical experience forms the basis for finding that the data importer will not have difficulty observing these clauses, this shall be confirmed by other, objective elements and it is the Parties who shall scrupulously analyze whether these elements in the aggregate are sufficiently important with respect to their credibility and representativeness to confirm such a statement. In particular the Parties must take into consideration whether their practical experience is confirmed and not contradicted by publicly available or otherwise available reliable information about the requests or lack of requests in the same sector or application of the law in practice, such as case law and reports made by independent supervisory bodies.

SCHEDULE I

A. LIST OF PARTIES

1. Name: Colian sp. z o.o.

Address: Zdrojowa 1 | 62-860 Opatówek | Tax no.:

Name, surname, position and contact details of the contact person: indicated in the contract

Measures significant for the data transferred under these clauses: usage of personal data in order to conclude and perform the contract of raw material purchase/ product sales.

signature and date: indicated in the contract

Role (administrator/processor): Administrator

Data importer(s): [Identification data and contact data of the data importer(s), including every contact person responsible for data protection]

1. Name: Party to the contract

Address: each time indicated in the contract

Name, surname, position and contact details of the contact person: indicated in the contract

Measures significant for the data transferred under these clauses: usage of personal data in order to conclude and perform the contract of raw material purchase/ product sales.

signature and date: indicated in the contract

Role (administrator/processing entity): Administrator

B. DESCRIPTION OF DATA TRANSFER

Categories of the transferred personal data

Contact details, name and surname, business name and details, phone no., position, e-mail address, in specific cases Personal ID no. or passport number, place of residence.

The sensitive data transferred (in relevant cases) and applied limitations or safeguards which fully take into consideration the nature of the data and a risk associated therewith, such as e.g. strict limitation of the purpose, access limitations (including access only for employees who underwent specialist training), storage of entries of cases of data which were made available, limitations of further transfer or additional security measures

none

Frequency of data transfer (e.g. whether the data are transferred only once or regularly)

as needed

Nature of the transfer

permanent processing

The purpose(s) of data transfer and further transfer

preparation of the contract and lawful interest of the Administrator

The period through which personal data will be kept and if possible, the criteria for defining such a period

max. 6 years

In case of transfer to the processing subcontractors, the subject, nature and duration of the transfer shall also be defined.

none

C. COMPETENT SUPERVISORY BODY

A competent supervisory body(s) shall be defined under clause 13.

President of Personal Data Protection, Personal Data Protection Office

Stawki 2, 00-193 Warsaw

SCHEDULE II

TECHNICAL AND ORGANIZATIONAL MEASURES, INCLUDING TECHNICAL AND ORGANIZATIONAL MEASURES AIMED AT ENSURING DATA SECURITY

EXPLANATORY NOTE:

Technical and organizational measures must be described in detail (not generally). See also a general remark on the first page of the supplement, in particular with respect to the need of clear indication which measures shall apply to each one-off or regular transfer.

Description of technical and organizational measures implemented by data importer(s) (including proper certifications) in order to ensure proper level of protection, taking into account the nature, scope, context and purpose of processing and the risk for rights and freedoms of natural persons.

Measures consisting in ensuring confidentiality, integrity, availability and resilience of processing systems and services: obligation of employees to maintain information confidentiality.

Measures aimed at ensuring the ability of fast reinstatement of personal data availability and access to them in case of a physical or technical incident: support of IT service, adoption of information security procedures.

User identification and authentication measures: sending correspondence to individual e-mail addresses, using individual passwords and accounts in software.

Measures aimed at ensuring data minimization: regular verification of the scope of data necessary to perform the processing.

In case of transferring data to processors (or processing subcontractors) specific technical and organizational measures must be described which this entity or subcontractor must use in order to support the administrator, and in case of transferring data from the processor to the subcontractor – to support the data exporter.