Personal Data Processing Regulations

§1 DEFINITIONS

1. Terms used in the Regulations shall mean the following:
   1. Personal Data or Data - personal data within the meaning of Article 4(1) GDPR, i.e. any information about an identified or identifiable natural person entrusted to the Service Provider by the Client for the purpose of performing the Service Agreement;
   2. Regulations - these Personal Data Processing Regulations governing the processing of Personal Data by the Service Provider in connection with the performance of the Services Agreement;
   3. Regulations of eFakturierung.de - The Regulations of eFakturierung.de available at: https://efakturierung.de/AGB.
   4. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27.04.2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation);
   5. Services Agreement or Agreement – a the Services Agreement by electronic means concluded between the Client and the Service Provider under the Regulations of eFakturierung.de.
2. Capitalised terms not defined in Point 1 above shall have the meaning given to them in the Regulations of eFakturierung.de.

§2 OBJECT OF PROCESSING

1. The Client, acting pursuant to Article 28(3) of the GDPR, entrusts the Service Provider with Personal Data for processing, under the terms and conditions and for the purposes set out in these Regulations.
2. The Client declares that it is entitled to process Personal Data to the extent and for the purposes for which it entrusts it to the Service Provider under the Regulations.
3. The Service Provider undertakes to process the Personal Data entrusted to it in accordance with these Regulations, the GDPR and the provisions of common law protecting the rights of Data Subjects.

§3 SCOPE AND PURPOSE OF PROCESSING

1. The scope of Personal Data entrusted for processing shall include Personal Data entered by the Client on the Service, the processing of which by the Service Provider takes place for the purposes and in support of provision of the Services ordered by the Client and referred to in § 2(2) of the Regulations of eFakturierung.de. The processing of Personal Data may include, in particular, the Personal Data of the Client's customers and counterparties and their representatives, as well as employees and associates of the Client who are Service Users, to the extent disclosed to the Service Provider via the Service, including, among others, to the extent of:
   1. basic identification data, such as: first name, surname, company, business address, residence address, NIP number, scope of authority, assigned company department;
   2. contact details, such as: postal address, telephone number, e-mail address, fax;
   3. Financial and transactional data, such as: bank account number, data concerning agreements or transactions carried out by the Client with its clients or counterparties (scope of services provided, financial settlement data);
   4. any other Data insofar as it has been entered by the Client on the Website and its processing by the Service Provider is necessary for the performance of the Service Agreement concluded with the Client.
2. The scope of the Personal Data entrusted for processing results each time from the scope of Services provided by the Service Provider to the Client and is adequate to the functionality of the Subscription Plan selected by the Client. For the avoidance of doubt, the Parties confirm that a change in the Subscription Plan is tantamount to the Client extending or limiting the scope of entrusted Personal Data with information resulting from the given functionality, subject to different provisions of the Regulations of eFakturierung.de. A change in the scope of Personal Data entrusted to the Service Provider shall not constitute an amendment to the Regulations.
3. The purpose of processing Personal Data by the Client is to enable the Parties to perform the subject of the Services Agreement.
4. The Service Provider shall be entitled to process Personal Data as part of any processing activities referred to in Article 4(2) GDPR that are necessary for the proper performance of the Service Agreement, in accordance with the Subscription Plan selected by the Client.
5. The processing of Personal Data by the Service Provider is carried out exclusively through IT systems and does not take place using paper files.

§4 RIGHTS AND OBLIGATIONS OF THE PARTIES

1. The Service Provider shall only process Personal Data upon the documented instructions of the Client, such documented instructions deemed to be these Regulations. The Service Provider may also process Personal Data to the extent that it is obliged to do so under European Union or Polish law. The Service Provider shall immediately inform the Client if, in its opinion, the instruction given to it constitutes a breach of the GDPR or other data protection legislation.
2. The Client is obliged to have a legal basis for the processing operations of the Personal Data it entrusts to the Service Provider for processing under these Regulations.
3. The Service Provider shall process the Personal Data for the period necessary for the performance of the Services ordered and for the fulfilment of all obligations imposed by the Client under the Agreement. Upon termination of the Services Agreement, subject to the provisions of the Regulations of eFakturierung.de to the contrary, the Service Provider shall, subject to the Client's decision and the Service Provider's technical capabilities, delete or return the Personal Data and any existing copies thereof to the Client, unless European Union law or Polish law prescribes the retention of the Data.
4. The Service Provider shall exercise due diligence in the processing of Personal Data. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of the processing and the risk of infringement of the rights or freedoms of natural persons with different probability of occurrence and severity of the threat, the Service Provider is obliged to implement appropriate technical and organisational measures to ensure a degree of security corresponding to the risk.
5. The Service Provider is obliged to grant authorisations to process Personal Data to all persons who will process the entrusted Personal Data for the purpose of the performance of the Agreement.
6. The Service Provider shall ensure that the secrecy of the entrusted Personal Data referred to in Article 28(3)(b) of the GDPR is maintained by the persons it authorises to process Personal Data, both during their employment (during their cooperation with the Service Provider) and after its termination (after the end of their cooperation).
7. The Service Provider, taking into account the nature of the processing, shall, as far as possible, assist the Client, through appropriate technical and organisational measures, to comply with their obligation to respond to the requests of the Personal Data Subject for the exercise of their rights set out in Chapter III of the GDPR, as well as with the obligations set out in Articles 32 to 36 of the GDPR.
8. The Service Provider, upon discovering a breach of the protection of Personal Data, is obliged to report it to the Client without undue delay. Notification of the breach will be made to the Client's email address, which is their login on the Site, or the email address used to contact the Client, assigned to its account on the Site. The breach notification should contain at least the information indicated in Article 33(3) GDPR.
9. The Service Provider shall make available to the Client all information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR.

§5 PERSONAL DATA SUBPROCESSING

1. The Client hereby agrees to further entrust the processing of Personal Data to the Service Provider's subprocessors as indicated in Appendix 1 to the Regulations. The amendment of Appendix No. 1 constitutes an amendment to the Regulations and takes place in accordance with the conditions set out in the Regulations of eFakturierung.de.
2. When Personal Data is entrusted to a subprocessor, the same obligations for the protection of Personal Data are imposed on the subprocessor as in the Regulations, in particular the obligation to provide sufficient guarantees for the implementation of appropriate technical and organisational measures so that the processing of the Data complies with the requirements of the GDPR. If the subprocessor to whom the Service Provider has entrusted the processing of Personal Data fails to comply with its Data protection obligations, the full responsibility towards the Client for the fulfilment of the subrocessor's obligations rests with the Service Provider.
3. The Service Provider may transfer Personal Data to a third country outside the European Economic Area provided that the requirements referred to in Chapter V of the GDPR (Articles 44-50) are met.

§6 RIGHT TO AUDIT

1. The Service Provider shall allow the Client or a person authorised by the Client to carry out and participate in said control. The audit may not be carried out more than once per calendar year and may not last longer than one Business Day each.
2. Each Party shall bear its own costs in connection with the audit..
3. The Client's auditor shall not be an entity that competes with the Service Provider or an entity affiliated with the Service Provider or its employee or an entity/person collaborating with the Service Provider, regardless of the basis of employment or collaboration.
4. The Client is obliged to inform the Service Provider of the planned audit at least 30 days in advance. The Service Provider is entitled to refuse to carry out the audit on the date indicated by the Client if there is a high probability that carrying out the audit on this date will disrupt the ongoing operation of the Service Provider's business. In this case, the Service Provider shall propose another date for the audit, no later than 5 Business Days after the date indicated by the Client. Persons participating in the inspection are required to sign a confidentiality agreement or a confidentiality declaration as directed by the Service Provider prior to the control.
5. The Client will only exercise the right to audit on Business Days remotely during the Service Provider's business hours (9:00 a.m. to 5:00 p.m.) and in the least disruptive manner possible. During the audit , the Client and its auditor are obliged to comply with the Service Provider's or the Service Provider's subprocessor's internal procedures and policies regarding security and confidentiality.
6. In order to carry out the audit , the Service Provider will allow and contribute to the audit activities insofar as they are directly related to the performance of the Agreement, in particular by providing the Client with written or oral explanations regarding the processing of the Personal Data - excluding information or activities that involve the Service Provider's business secrets. The audit may not involve information or documents relating to other Clients of the Service Provider, nor aim or result in the Client gaining access to personal data other than the Personal Data of that Client or to confidential data of the Service Provider or other entities.
7. The audit carried out will be concluded by drawing up a protocol presenting the results of the audit . If the protocol demonstrates deficiencies related to violations of these Regulations, the Client is entitled to submit written post-audit recommendations to the Service Provider, together with a deadline for their implementation, which must be appropriate and no shorter than 30 Business Days. The post-audit recommendations must not go further than the requirements arising from these Regulations or from generally applicable laws, including the GDPR, as well as being objectively reasonable and feasible to implement without changing the organisation or affecting the business continuity of the Service Provider or its subprocessor.

§7 FINAL PROVISIONS

1. The Service Provider shall be liable for non-performance or undue performance of the provisions of the Regulations on the principles set out in the Regulations of eFakturierung.de. The Service Provider's liability for the implementation of the Client's instructions and post-audit recommendations which are incompatible with the GDPR or other provisions of generally applicable law is excluded.
2. The provisions of the Regulations constitute the entirety of the obligations and conditions for processing of Personal Data in connection with the performance of the Services Agreement. Upon the entry into force of these Regulations, its provisions shall supersede all previous arrangements of the Parties concerning the processing of Personal Data, unless otherwise agreed by the Parties.
3. In matters not regulated herein, the relevant provisions of the Regulations of eFakturierung.de shall apply.
4. In the event of any discrepancies between the provisions of the Regulations and the Regulations of eFakturierung.de, the provisions of these Regulations shall apply.
5. These Regulations are another legal instrument within the meaning of Article 28(3) of the GDPR.

Appendix no. 1 to the Regulations of eFakturierung.de