Data Protection Agreement
SCHEDULE NO. 2 TO MASTER AGREEMENT
DATA PROTECTION AGREEMENT
ENTRUSTMENT OF PERSONAL DATA PROCESSING
1.1. The Customer entrusts to DevSkiller, pursuant to Article 28 of the GDPR, personal data for processing, in the scope, on the principles and for the purpose set out below.
1.2. DevSkiller undertakes to process the personal data entrusted to them in accordance with the provisions below, the GDPR and other provisions of generally applicable law that protect the rights of data subjects.
1.3. DevSkiller declares that it applies security measures that meet the requirements of the GDPR.
SCOPE AND PURPOSE OF DATA PROCESSING
2.1. The Customer entrusts DevSkiller with the following personal data for processing: forename and surname, tax identification number (NIP), e-mail address, telephone numbers, Company name, position held in the company, IP number, image.
2.2. Data processing may concern the following categories of persons: persons authorized to represent the Customer, test takers.
2.3. Personal data entrusted by the Customer will be processed by DevSkiller in the way and for the purpose following from the Master Agreement, in particular the way of processing determined by the role of DevSkiller under the concluded Master Agreement.
OBLIGATIONS OF DEVSKILLER
3.1. DevSkiller processes personal data only in accordance with documented orders or instructions of the Customer.
3.2. DevSkiller is obliged to:
3.2.1. secure personal data by using appropriate technical and organizational measures which ensure an adequate level of security corresponding to the risk connected with the processing of personal data, in accordance with Article 32 of the GDPR,
3.2.2. cooperate with the Customer in the performance of the Company’s duties in the area of personal data protection referred to in Articles 32-36 of the GDPR,
3.2.3. allow the data to be processed only by persons who have a personal authorization to process data and restrict access to data only to persons for whom access to data is necessary to perform the Master Agreement and who hold appropriate authorization,
3.2.4. delete or return to the Customer all personal data and delete any existing copies thereof after the end of the provision of services relating to the processing, unless the law requires storage of personal data.
OBLIGATIONS OF THE CUSTOMER
4.1. The Customer is obliged to cooperate with DevSkiller in the performance of the Master Agreement, provide DevSkiller with explanations in case of doubts as to the legality of the Customer’s instructions and fulfil its obligations or the Parties’ arrangements in a timely manner.
4.2. The Customer is obliged, in a way that allows verification, to inform the persons whose personal data is processed about entrusting their data for processing to DevSkiller. At each request of DevSkiller, the Customer is required to submit evidence of compliance with the information obligation referred to in the preceding sentence, but no later than 3 business days from the date of the request.
4.3. The Customer is required to provide DevSkiller with all information necessary to demonstrate the compliance of the Company’s activities with provisions of the GDPR.
4.4. The Customer is solely responsible for the entrusting of the data to DevSkiller without legal basis. If DevSkiller suffers a loss as a result of processing data entrusted by the Customer without a legal basis, the Customer is obliged to repair it in full.
5.1. DevSkiller is obliged to provide technical and organizational measures which ensure security of personal data, in particular:
5.1.1. have the ability to ensure ongoing confidentiality, integrity, availability and resilience of their processing systems and services,
5.1.2. have the ability to quickly restore the availability of personal data and access to them in the event of a physical or technical incident,
5.1.3. regularly test, measure and assess the effectiveness of applied technical and organizational measures for ensuring security of the processing.
NOTIFICATIONS OF PERSONAL DATA PROTECTION BREACH
6.1. DevSkiller is obliged to notify the Customer of any suspected breach of data protection, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons, no later than 36 hours after having become aware of it, allow the Company to participate in explanatory activities and notify the Customer of the findings immediately after making them, in particular of the breach or lack thereof.
RIGHT OF CONTROL
7.1. DevSkiller is required to provide the Customer with all information necessary to demonstrate compliance with obligations set out in Article 28 of the GDPR, including all information necessary to demonstrate the compliance of the Company’s activities with provisions of the GDPR.
SUB-ENTRUSTMENT OF PERSONAL DATA PROCESSING
8.1. DevSkiller is entitled to entrust specific operations of personal data processing by means of a written agreement for sub-entrustment of personal data processing – to other entities (‘Sub-processors’) only for the purpose of performing the Master Agreement.
8.2. The Customer consents to further entrusting the processing of personal data by DevSkiller to Sub-processors supporting the Processor in its operations, including Sub-processors based outside the European Economic Area – EEA in the implementation of the Master Agreement, provided that such transfer is lawful, in particular: entities providing accounting, marketing and training services, IT service providers and hosting tools, software suppliers, banks, entities providing legal services, payment services, associates of the Controller. The list of accepted sub-processors to be entrusted by DevSkiller with the processing of personal data constitutes Appendix No. 1 to the DPA.
8.3. Entrusting data processing to Sub-processors outside the List of accepted Sub-processor categories indicated in point 2 above requires prior notification to the Customer in order to allow objection within a period of no longer than 2 days. The Customer may, for justified reasons, raise documented objections to entrusting data to a specific Sub-processor. DevSkiller shall report the doubts as to the legitimacy of the objection and possible negative consequences in a time allowing for ensuring the continuity of processing. Failure to express an objection within the time limit indicated above is tantamount to consent to the sub-entrustment.
8.4. Where personal data is processed by a Sub-processor, even in part, in countries outside the European Union or the European Economic Area, other than those subject to adequacy decisions taken by the European Commission, the transfer shall be governed by the Standard Contractual Clauses referred to in Appendix No. 2 “Standard contractual clauses for the transfer of personal data to Data Processors located in non-EU countries (Commission Decision 2010/87/EC)”.
8.5. When sub-entrusting data for processing, DevSkiller is obliged to commit the Sub-processor to perform all obligations of DevSkiller under this DPA, except for those that do not apply due to the nature of the specific sub-entrustment.
LIABILITY OF DEVSKILLER
9.1. DevSkiller is liable for providing or using personal data contrary to the provisions of the DPA, and in particular for providing access to personal data entrusted for processing to unauthorized persons.
DURATION OF THE DATA PROCESSING
10.1. Upon termination of the Master Agreement, DevSkiller loses the right to further process the data entrusted to them and shall delete any existing copies or return the data, unless the Customer decides otherwise, or law demands that data storage should be continued.
10.2. The method of data deletion shall be agreed by DevSkiller with the Customer before proceeding with deletion, unless the Parties have clarified this issue on the basis of other documents.
10.3. In the event that, as a result of the objection to entrust data to the Sub-processor referred to in Article VIII point 3, it will not be possible to perform the Master Agreement, the Processor is entitled to terminate the Master Agreement. Termination of the Master Agreement in the manner referred to in the preceding sentence does not constitute improper performance of the Master Agreement. In the event of termination of the Master Agreement by DevSkiller, DevSkiller retains the right to remuneration paid so far by the Customer and the Customer is not entitled to any claims against DevSkiller.