XTRF Data Processing Terms

1. Purpose of the present data processing terms

  1. Depending on the circumstances, XTRF will act towards you either as an administrator (data controller; see point III below) or as the so-called processor (see points IV-VII below).

  2. In principle, XTRF will act as an administrator when it is XTRF that decides on the purpose and means of processing of Personal Data. In turn, XTRF will act as a processor when the Personal Data is introduced into the Services of XTRF by the Business Partner or Vendor. However, please bear in mind that the role in which XTRF acts depends on the circumstances in which the Personal Data is processed.

  3. The Services of XTRF will continuously evolve, and so will these Data Processing Terms. Moreover, the law or technologies concerning the processing of Personal Data may change. For these reasons, please visit these Data Processing Terms regularly.

  4. For terms not defined specifically below, please refer to your other Documents, in particular to your General Terms, if you are acting as a Business Partner of XTRF, or your Vendor Terms, if you are acting as a Vendor.

2. Defined terms (Definitions)

  1. Personal Data – information about an identified or identifiable natural person ("data subject") subject to the Data Processing Terms and specified in the Instructions (if applicable); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the natural person;

  2. Customer Personal Data – Personal Data of your clients, employees, contractors or persons whose Personal Data are contained in your materials used in the Project.

  3. System – the Service to which XTRF has provided access under the Agreement. The processing of Personal Data by XTRF occurs when the System is made available to you under the SaaS service, or when you purchase the OnPremise Service, subsequently hosted by XTRF;

  4. Implementation Service – the service described in the XTRF document entitled “Implementation Service Terms and Conditions”, under which you shall temporarily entrust Personal Data to XTRF for processing;

  5. Authorized Persons – these are persons authorized pursuant to the Agreement to submit Instructions, in particular the Business Contact, and also to obtain information connected with the subject of the Agreement, including Authorized Users established in accordance with the provisions of Point IV.2.4. below of the present document; on the side of XTRF these are persons authorized pursuant to the internal procedures of XTRF to accept Instructions and process Personal Data, and also to provide the Authorized Persons with the entirety of information concerning the subject of the Agreement;

  6. Authorized User – a User for whom an individual account has been created; such account is protected by a sufficiently intricate password, in accordance with the current state of technical knowledge concerning data security;

  7. Instructions – an order for the processing of Personal Data made by the Authorized Person to XTRF, through which each time the Personal Data is entered into the System or through which each time the transfer of Personal Data takes place to an Authorized Person of XTRF as part of the Implementation Service;

  8. GDPR - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation); when this document refers to processing, it has the meaning defined in the GDPR.

     

 

3. XTRF as an administrator of personal data

  1. The administrator (data controller) of the Personal Data is XTRF Management Systems Spółka Akcyjna (Joint Stock Company) with its registered seat in Krakow, Poland at the address: Puszkarska 7K, 30-644 Kraków, VAT no: 679-304-51-69, entered into the register of entrepreneurs at the National Court Register by the District Court for Krakow-Downtown under the number (KRS): 735467 with share capital of 105.000,00 PLN paid in full, which can be contacted at office@xtrf.eu 

  2. XTRF declares that it has appointed a Data Protection Officer and indicates his/her contact details: iod@xtrf.eu

  3. For the purpose of obtaining access to XTRF Services you will have to provide at least e-mail, name and last name, telephone number. If it is required by law, in particular accounting principles or tax law, XTRF may require that you provide additional data.

  4. In order to improve XTRF Services and assess their performance XTRF processes Personal Data related to your activity within the Services, in other words, information about the data sessions of your device, operating systems, unique ID, IP address, location, how much time you spend on particular XTRF Services' functionality.

  5. The provision of some data is a prerequisite for using certain Services and account functionality (mandatory data). Our system automatically marks mandatory data. As a consequence of your failure to provide such data, we will not be able to provide certain services and functionalities. Contrary to data marked as mandatory, providing other Personal Data is voluntary.

  6. We process your Personal Data as it is necessary:

    1. in order to enter into an Agreement with XTRF (article 6 section 1B of GDPR);

    2. in order to perform your Agreement with XTRF (article 6 section 1B of GDPR);

    3. in order to deal with notifications that you make towards XTRF so that we may process your complaints, claims and requests and answer your questions (article 6 sections 1B and 1F of GDPR);

    4. in order to satisfy tax and accounting obligations of XTRF under applicable law (article 6 section 1C of GDPR);

    5. in order to determine, investigate and enforce claims and defend against claims in legal proceedings which constitutes a legitimate interest of XTRF (article 6 sections 1C and 1F of GDPR);

    6. in order to conduct statistics of the usage of particular functionalities of the Services and to improve our Services, which constitutes a legitimate interest of XTRF (article 6 section 1A and 1F of GDPR);

    7. in order to market Services of XTRF to you (article 6 section 1A and 1F of GDPR).

  7. XTRF does use your data for the purpose of profiling to conduct statistics of the usage of particular functionalities of the Services and to improve our Services. Your Personal Data regarding preferences, behaviors, and selection of content may be used as a basis for making automatic decisions to determine the sales possibilities of XTRF.

  8. We transfer your personal data to the following categories of recipients:

    1. state authorities, e.g. prosecutor’s office, Police, President of the Office of Personal Data Protection, President of the Office of Competition and Consumer Protection, if they request so,

    2. service providers that are available under the following link: https://legal.xtrf.io/XTRF_DataProcessingTerms_SubProcessors.pdf

  9. Personal Data will be processed for the period necessary to execute Services, carry out marketing activities, and provide other Services for the User. Personal data will be removed in the following cases:

    1. when the data subject asks for their removal or withdraws his/her consent;

    2. when the data subject does not take action for more than 10 years (inactive contact);

    3. after receiving information that the stored data are out of date or inaccurate.

  10. Some data, including e-mail address, name, and surname, may be stored for the next 6 years for evidence purposes, for consideration of complaints and claims related to Services provided by XTRF – in such case, these data will not be used for marketing purposes.

  11. Data regarding orders for paid Services, will be kept for 5 years from the end of the calendar year in which the tax payment deadline expired.

  12. XTRF guarantees your rights under GDPR, that is:

    1. the right to access information and information obligation;

    2. the right to access your data and to obtain their copies;

    3. the right to correct your data;

    4. the right to remove your data, right to be forgotten;

    5. the right to limit (restrict) processing of Personal Data;

    6. the right to file an opposition against processing of Personal Data;

    7. the right to transfer the data;

    8. the right to file a complaint with the supervisory authority.

  13. If it is your opinion that there are no grounds for our processing of your data, you may request its deletion, or the restriction of its processing solely to storage or to the performance of activities that have been agreed explicitly with you. If it is your opinion that we have incorrect data, you have the right to request its correction.

  14. You may withdraw your consent to the processing of your personal data at any time. Withdrawal of consent to the processing of personal data does not affect the legality of the processing based on your consent before its withdrawal.

  15. You have the right to receive your personal data in a structured, commonly used, and machine-readable format and to transmit them to another personal data controller. You may also request us to transmit your personal data directly to another controller (where technically possible).

  16. In order to exercise all of your rights please contact us at: iod@xtrf.eu by e-mail or by traditional mail at the seat of XTRF indicated above.

  17. If you believe that the processing of your data violates the GDPR, you have the right to lodge a complaint with the supervisory authority, in particular in the Member State of your habitual residence, your place of work, or place of the alleged infringement. In Poland, the President of the Personal Data Protection Authority is the supervisory authority within the meaning of the GDPR. The complaints to the President of the Personal Data Protection Authority may be filed at the following address: Stawki 2 Street, 00-193 Warsaw, POLAND.

 

4. Agreement for entrusting and processing of personal data

  1. The below points from IV to VII of these Data Processing Terms concern the entrustment to XTRF of the Processing of Customer's Personal Data in accordance with Instructions.

  2. By executing the Agreement and the Data Processing Terms with XTRF, you declare that you instruct XTRF to process entrusted Personal Data in order for and to the extent required by XTRF to perform its obligations under the Agreement. You:

    1. hereby entrust to XTRF the following Customer's Personal Data: ordinary data.

    2. do not entrust to XTRF any sensitive data, that is data showing racial or ethnic origins, political views, religious beliefs or worldview, membership in the trade unions, processing of genetic data, biometric data, for the purpose of unequivocal identification of a natural person or data concerning health, sexuality or sexual orientation of such person, unless XTRF is authorized to process such data under applicable law;
    3. establish Authorized Persons in order to perform the Agreement. Among the Authorized Persons there are Authorized Users;
    4. may dismiss Authorized Users by deactivating their accounts in the System.
  3. XTRF:
    1. hereby undertakes to perform actions related to the processing of Customer Personal Data in order and to the extent required to perform the Agreement;
    2. establishes its own Authorized Persons in order to perform the Data Processing Terms and the Agreement and will conduct a list of such Authorized Persons, as described in point V below;
    3. shall process entrusted Personal Data exclusively to the extent required and in order to perform the provisions of the Agreement on the basis of Instructions; the method of processing of Personal Data entrusted to XTRF covers: storage, reading, access, editing, archivization and deletion;
    4. shall process Personal Data in a continuous manner – as required by the specific nature of XTRF OnCloud or OnPremise Services, or for the term of performance of the Implementation Service;
    5. undertakes the processing actions with respect to the entirety of entrusted Personal Data.
  4. At the moment of conclusion of the Agreement XTRF uses services of other processing entities (subprocessors), on the basis of agreement obligating them to adhere to measures and duties of personal data protection, vested upon XTRF and described herein. The most important subprocessors are listed in Attachment no 1 to the Data Processing Terms. XTRF will present a complete list of subprocessors or categories of subprocessors upon your request.
  5. At the moment of conclusion of the Agreement you express a general consent for XTRF's use of services of other processing entities to the extent this will be necessary for the performance of the Agreement, in particular you agree to the storage of Customer Personal Data on the servers of third parties, listed in Attachment no 1 to the Data Processing Terms, with reservation as in points 6-8 below.
  6. You shall limit the disclosure of Customer Personal Data to only that which has been described as outlined in the applicable Implementation Service, Agreement, Data Processing Terms.
  7. In accordance with article 28 section 2 of GDPR, XTRF will notify you about any anticipated changes concerning addition or replacement of other processing entities, thereby allowing you to file an opposition against such changes in writing within 5 (five) days as of obtaining the notification.
  8. In case you express opposition described above in point 7, you are entitled to terminate these Data Processing Terms and the Agreement without any fees and you are entitled to refund for any amounts regarding the period after termination.
  9. In case the processing entity whose services XTRF uses, does not satisfy its obligations concerning data protection, the responsibility for such actions is vested upon XTRF in accordance with article 28 section 4 of the GDPR.
  10. XTRF is entitled to disclose entrusted Personal Data only within the sub-processing which is conducted in accordance with the above point 4 and also in circumstances described below.
  11. XTRF is entitled to disclose entrusted Personal Data to the supervising authority and in case of obtaining appropriate request or decision of competent state authority, issued on the basis of applicable provision of law, allowing such authority to order disclosure of data entrusted to XTRF, subject to possibility of providing a document of proof of such request or decision.
  12. XTRF is obligated to immediately notify you about any legally based request for disclosure of Personal Data by a competent state authority, unless the European Law or applicable law of a Member State or other state does not prohibit XTRF from providing such a notification due to important public interest.
  13. In other circumstances, XTRF is entitled to disclose entrusted Personal Data only on the basis of an Instruction.
  14. Notwithstanding point 15 below, XTRF will process entrusted Personal Data exclusively on the territory of the European Economic Area, which is composed of all Member States of the European Union, Iceland, Liechtenstein and Norway.
  15. XTRF will process or transfer entrusted Personal Data to a third state or international organization only on the basis of a written Instruction. This shall not apply if the duty to transfer data results from the law of the European Union or other applicable law to which XTRF is subject. In such a case, prior to processing XTRF will notify you about any legally based request for disclosure of Personal Data by a competent state authority, unless the European Law or applicable law of a Member State or other state does not prohibit XTRF from providing such a notification due to important public interest.

 

5. Declarations and obligations of the parties

  1. You hereby declare that you are a data controller within the meaning of article 4 section 7 of the GDPR with respect to data entrusted to XTRF.

  2. XTRF hereby declares that it is a processor of Customer Personal Data on your behalf within the meaning of article 4 section 8 of GDPR. XTRF is obligated to process entrusted Customer Personal Data in accordance with the Data Processing Terms, GDPR and other applicable laws.

  3. XTRF is responsible for processing of entrusted Personal Data in breach of the Data Processing Terms, GDPR or other applicable laws, in particular for its accidental or unlawful destruction, loss, modification, unauthorized disclosure or allowing for unauthorized access to Personal Data transmitted, stored or in other way processed in performance of the Agreement.

  4. XTRF further declares that:

    1. it possesses sufficient technical and organizational means, allowing for the processing of Personal Data in a manner protecting the rights of the persons to whom the Personal Data refer and allowing for fulfillment of requirements of applicable law, in particular article 32 of GDPR;

    2. uses exclusively procedures, services and IT services that fulfill the GDPR requirements;

    3. it processes the entrusted Personal Data in rooms and IT systems secured from access by unauthorized third persons;

    4. it keeps a body of documentation describing the method of Processing Personal Data, which is required pursuant to the provisions of law;

    5. conducts a registry of all categories of actions of processing of Personal Data made on your behalf, in accordance with article 30 sections 2 and 3 of GDPR, in case the exclusion from article 30 section 5 of GDPR does not apply; XTRF will present the registry at the request of the supervising authority.

  5. You hereby declare that Customer Personal Data introduced to the System or submitted to XTRF under the Implementation Service have been collected and are processed in a manner concordant with the applicable law, and in particular that you have obtained the requisite consents, in required legal form, or that there exists a different legal basis for the processing of Customer Personal Data by you.

  6. In particular, you declare that you understand that you remain responsible for the lawfulness of the processing of Personal Data under the Instructions and in the performance of the Agreement, and that XTRF bears this responsibility only insofar as it is necessary to ensure the security of such Personal Data in the System and when entrusted for the purposes of the Implementation Service.

  7. The performance of these Data Processing Terms shall not involve any payments on your part and any financial settlement shall be made under the Agreement.

  8. XTRF hereby undertakes that:

    1. it shall keep a register of Authorised Persons (on the part of XTRF), in accordance with applicable law;

    2. it shall keep Customer Personal Data confidential and in particular information constituting trade secrets, to which XTRF may gain access in connection with the performance of the provisions of the Data Processing Terms or the Agreement, also after the expiry or termination of the Primary Agreement;

    3. while performing the provisions of the Data Processing Terms, it shall ensure due diligence as required in connection with the professional nature of the operations and activities performed thereby;

    4. it shall notify you forthwith, no later than 48 hours, of each and every instance of infringement of the security of Customer Personal Data made available to XTRF in connection with or during the performance of the Agreement; including, in particular, in the event of a breach of the Personal Data Protection principles;

    5. Authorized Persons of XTRF, authorized to possess Customer Personal Data made in connection with the performance of the Agreement, shall be subject to confidentiality obligations and/or subject to an appropriate statutory obligation of confidentiality;

    6. it shall notify you forthwith of each and every instance of infringement of the obligations following from the Data Processing Terms, however at the latest within 2 (two) business days of ascertaining that an infringement has occurred;

    7. in accordance with article 28 section 3E of GDPR, to the possible extent and with the consideration of the nature of processing of entrusted Personal Data, to provide appropriate technical and organizational means which will assist you in fulfilling the obligation to reply to requests of the person whom the Personal Data concern, within the extent of execution of such person's rights described in articles 12 - 22 of GDPR;

    8. in accordance with article 28 section 3F of GDPR, with the consideration of the nature of processing and available information, to assist you in fulfilling obligations described in articles 32 - 36 of GDPR;

    9. to inform you about any circumstance that has or may have impact on the security of the entrusted Personal Data or its assessment or for execution of rights by persons to whom the Personal Data concern, in particular about:

      1. any unauthorized access to Personal Data entrusted to XTRF;

      2. any breach of principles of protection of Personal Data entrusted to XTRF;
      3. each request from the persons who process data on your behalf;
      4. initiation of controlling or administrative proceedings, issuance of administrative decisions or examination of complaints by state authorities, in particular supervising authority, concerning entrusted Personal Data. The above notification shall be made either in writing or by e-mail and will be made within 24 hours as of learning by XTRF of the facts giving rise to issuing of the notification.
    10. to inform you if in XTRF's opinion any Instruction is in breach of GDPR or other applicable law;
    11. in accordance with article 28 section 3H of GDPR to provide you with information necessary to demonstrate fulfillment of the obligations described herein, in particular concerning means of securing of Personal Data and conduct of its processing;
    12. in accordance with article 28 section 3H of GDPR to allow you or your authorized auditors to conduct audits of performance of entrusting of Personal Data, including inspections, in particular by allowing to authorized auditors access to rooms in which the processing of Personal Data takes place and by making available the data carriers and IT systems used for processing of entrusted Personal Data; you are obligated to notify XTRF about prospective audit with advance of 7 (seven) calendar days before its initiation; at the conclusion of the audit you and XTRF shall make a protocol in two copies, which shall be signed by both parties; each party can make charges to the protocol within 7 (seven) calendar days as of its signing; the protocol is a basis for assessment of compliance of the processing of entrusted Personal Data against the background of these Data Processing Terms and applicable law;
  9. The obligations from points 8.11. and 8.12. are in force during the term of these Data Processing Terms and within 7 (seven) calendar days after their termination. If the operations performed by XTRF in connection with the above shall entail a considerable outlay of labor on the part of XTRF, XTRF shall be entitled to receive the appropriate remuneration therefor according to market rates applicable to services of such type, except where such costs are incurred due to XTRF’s breach of these Data Processing Terms.
  10. You hereby undertake to:
    1. retrieve all Personal Data entered by you into the System or instruct XTRF to delete all entrusted Personal Data from the System - together with termination of the Agreement and these Data Processing Terms. If no action is taken within 30 days, XTRF will be entitled to delete the Personal Data without notifying you. If you elect to retrieve Personal Data previously entrusted to XTRF, XTRF shall also delete all backup copies of the Personal Data. The above shall not apply if European Law or other applicable law provides for other effects of termination with respect to Personal Data. XTRF's obligations connected with the termination of the Data Processing Terms apply accordingly to other processing entities to whom XTRF entrusted Personal Data for sub-processing.
    2. exempt XTRF from all obligations to notify and obtain consent that exist with respect to persons whose Personal Data are processed under Instructions, and further to perform these obligations yourself and to be liable for such under applicable law, under pain of any liability provided for by relevant legal regulations, as well as under pain of liability for damages towards XTRF;
    3. independently establish and dismiss Authorized Persons, and also manage the accounts of the said Authorized Persons and/or Authorized Users in such a way that unauthorized persons will have no access to Customer Personal Data, nor any possibility of submitting Instructions to XTRF.
  11. A change to the Authorized Persons does not constitute an amendment to these Data Processing Terms and does not require an annex. A change to the list of sub-processors referred to above requires only communication by email to you. You are entitled to object within 7 Business Days from the date of notification.

 

6. Duration of the agreement for entrusting and processing of personal data

  1. These Data Processing Terms shall remain in force throughout the term of the Agreement. XTRF shall process Customer Personal Data only during the term of the Agreement.

  2. Termination of the Agreement shall result in XTRF's ceasing to be bound by the Data Processing Terms.

  3. Termination of the Data Processing Terms shall render further performance of the Primary Agreement by XTRF impossible.

  4. Each party shall be entitled to terminate the Data Processing Terms without giving its reasons, with a one month notice period.

  5. XTRF is entitled to terminate the Data Processing Terms without notice, in case of:

    1. breach of its provisions by you;

    2. inability of XTRF to further perform the Data Processing Terms, in particular to provide technical and organizational means for allowing sufficient protection of entrusted Personal Data.