NoDaily Legal

Personal Data Processing Agreement

Last updated: March 2026

PERSONAL DATA PROCESSING AGREEMENT
(hereinafter: "Entrustment Agreement")

concluded by and between:

the Service Provider (hereinafter also: the "Processing Entity"),

and

the Service Recipient (hereinafter also: the "Controller"),

hereinafter collectively referred to as the "Parties" and each of them individually as a "Party".

Recitals
Whereas:

  1. the Service Provider and the Service Recipient have entered into the Service Agreement (hereinafter: the "Master Agreement");
  2. the provision of the Services requires the Service Provider to process the Participants' personal data within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and the repeal of Directive 95/46/EC (General Data Protection Regulation) (hereinafter: the "GDPR"), which gives rise to the obligation to comply with the requirements indicated in Article 28 of the GDPR, including the conclusion of the Agreement set out in this provision;

The Parties have agreed as follows:

§ 1.
Entrustment of the processing of personal data

  1. The Controller entrusts the Processing Entity with the processing of personal data pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons regarding the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter: "General Data Protection Regulation" or "GDPR").
  2. The Controller represents that it is the controller of the data entrusted to the Processing Entity under the Entrustment Agreement or a processing entity authorized to further entrust the data to the Processing Entity.
  3. The Controller hereby entrusts the Processing Entity with the processing of personal data within the scope specified in § 2 hereof.
  4. Capitalized terms used herein shall have the meaning given to them in the Terms and Conditions or GDPR, unless a specific provision hereof provides otherwise.

§ 2.
Subject matter, nature, purpose, and duration of data processing

  1. Personal Data entrusted by the Controller shall be processed by the Processing Entity only upon the Controller's documented instruction and solely for the purpose of providing the Services. In particular, the Parties deem the conclusion of the Service Agreement to be a "documented instruction".
  2. The categories of personal data which are the subject of the entrustment (hereinafter: "entrusted personal data") and the categories of entrusted data subjects are indicated in Appendix No. 1 hereto.
  3. The personal data entrusted by the Controller hereunder shall not constitute special categories of data referred to in Article 9 of the GDPR or data relating to criminal convictions and offences referred to in Article 10 of the GDPR.
  4. The processing of the entrusted personal data will be carried out using IT systems (in an automated manner) and in paper form (in a non-automated manner).

§ 3.
Obligations, rights, and representations of the Processing Entity

  1. The Processing Entity undertakes to secure the entrusted personal data by implementing (even prior to the processing) and maintaining technical and organizational measures appropriate to the nature, scope, context and purpose of the processing of the entrusted data, including those required by the relevant provisions of generally applicable law, so that the processing of the entrusted personal data meets the requirements of the General Data Protection Regulation.
  2. The Processing Entity undertakes to ensure that the persons authorized to process the personal data entrusted hereunder are bound by confidentiality obligations or are subject to an appropriate statutory secrecy obligation.
  3. The Processing Entity undertakes, to the extent justified by the subject matter of the Entrustment Agreement, to assist the Controller, to the extent possible, in complying with the Controller's obligation to respond to requests from data subjects in exercising their rights under generally applicable law, including Chapter III of the General Data Protection Regulation.
  4. The Processing Entity undertakes to immediately notify the Controller of:
    1. any breach of the protection of the entrusted personal data, where "breach of the protection of the entrusted data" shall mean any accidental or unlawful destruction, loss, modification, unauthorized disclosure of or unauthorized access to the entrusted personal data. The notification referred to in this Subsection 1 shall be made no later than within 24 hours from the discovery of the breach of protection of the entrusted data;
    2. any request received from the data subject, while refraining from responding to the request until the Controller's opinion has been received. The notification referred to in this Subsection 2 shall be made no later than 24 hours after receipt of the request;
    3. any legally authorized request to disclose personal data to a competent state authority, unless the prohibition to notify ensues from the provisions of the law, from the provisions of criminal proceedings, when the prohibition is aimed at ensuring the confidentiality of an initiated investigation;
    4. any compliance checks on the processing of personal data carried out by the President of the Personal Data Protection Office or any other supervisory authority, and the results thereof, as well as any other action taken by public authorities concerning such data.
  5. The Processing Entity undertakes, to the extent justified by the subject matter hereof and the information available to it, to assist the Controller in complying with the Controller's obligations under generally applicable law, including Articles 32 to 36 of the General Data Protection Regulation and concerning the security of the processing of personal data, notification of a personal data breach to the supervisory authority and to the data subject, a data protection impact assessment and related consultations with the supervisory authority.
  6. The Processing Entity undertakes to:
    1. provide the Controller, within 14 days from the date of receipt of the request, with all information and documents necessary to demonstrate the Controller's compliance with its obligations under generally applicable law;
    2. enable the Controller or its authorized auditor to carry out audits, including inspections, and contribute to such audits, on terms to be determined by the Parties from time to time and subject to the provisions of this Section.
  7. The audit referred to in Section 7(2) above may be carried out:
    1. not earlier than 14 days from the date of receipt by the Processing Entity of a notice regarding the intention to conduct it, on a date to be determined by the Parties, and
    2. after the conclusion of a confidentiality agreement between the Processing Entity and the Controller or an auditor authorized by the Controller.
  8. Upon completion of the audit, the Parties shall draw up a report in 2 copies to be signed by authorized representatives of both Parties. The Processing Entity may raise objections to the report within 5 Business Days from the date of signing thereof by the representatives of the Parties.
  9. If any shortcomings affecting the security of processing of the entrusted personal data are identified in the course of the audit, the Processing Entity undertakes to comply with the recommendations formulated by the Controller or the auditor authorized by the Controller.

§ 4.
Controller's Obligations

  1. The Controller is obliged to ensure that throughout the duration of the Entrustment Agreement the Controller has a legal basis for the processing of the entrusted personal data and that the Controller has appropriate entitlements to entrust the personal data to the Processing Entity. Should the Controller lose the legal basis or entitlements regarding certain entrusted personal data, the Controller shall immediately take steps necessary to cease entrusting them, in particular notify the Processing Entity thereof.
  2. The Controller undertakes not to give instructions to the Processing Entity regarding the processing of the entrusted personal data which would conflict with generally applicable law, the provisions of the Entrustment Agreement or other contractual obligations.

§ 5.
Further Entrustment of Personal Data

  1. The Controller grants its general consent for the Processing Entity to further entrust the processing of personal data (hereinafter: "subcontracting") to subcontractors of its choice.
  2. The Processing Entity undertakes to ensure that:
    1. the sub-processor applies appropriate technical and organizational measures to ensure the processing of the subcontracted personal data in accordance with the GDPR;
    2. the scope of the sub-processor's data protection obligations corresponds to the Processing Entity's obligations hereunder.
  3. If the Processing Entity intends to subcontract the processing of personal data to a particular subcontractor, the Processing Entity shall notify the Controller thereof by e-mail no later than 7 (seven) days prior to the subcontracting. The Controller may object to the subcontracting referred to in the preceding sentence by raising an objection by e-mail within 7 (seven) days of receipt of the subcontracting notification.
  4. Upon the ineffective expiry of the objection period referred to in Section 3 above, the Processing Entity may subcontract the processing of personal data to the selected subcontractor.
  5. If the objection referred to in Section 3 above is raised, the Processing Entity may rescind the Master Agreement with immediate effect.
  6. The subcontracting referred to in Section 3 above shall not constitute an amendment to the Entrustment Agreement.

§ 6.
Term of the Entrustment Agreement
The Entrustment Agreement is concluded for the duration of the Master Agreement and terminates upon termination, cancellation, or expiration of the Master Agreement.

§ 7.
Effects of Termination of the Entrustment Agreement
In the event of termination of the Entrustment Agreement, the Processing Entity, without delay, no later than within 14 (fourteen) Business Days from the date of termination of the Entrustment Agreement, undertakes to return to the Controller and remove from its own carriers all personal data the processing of which it has been entrusted with, including effectively removing it also from the electronic carriers at its disposal. The provisions of the preceding sentence shall not apply to the personal data the storage of which by the Processing Entity is required for a period longer than the duration of the Entrustment Agreement in accordance with generally applicable laws.

§ 8.
Final Provisions

  1. Annex No. 1 - Categories of personal data entrusted and categories of personal data subjects constitutes an integral part of the Agreement.
  2. The provisions of § 18 of the Terms and Conditions shall apply respectively to the amendments to the Entrustment Agreement.
  3. To all matters not regulated herein, the provisions of the Terms and Conditions, provisions of the GDPR and relevant provisions of the Polish law shall apply.

Annex No. 1 to the Entrustment Agreement - Categories of personal data entrusted and categories of personal data subjects

NO. CATEGORIES OF DATA SUBJECTS CATEGORIES OF PERSONAL DATA
1. Service’s users Name(s), surname, email addresses
2. Newsletter subscribers Name(s), email addresses
3. Service provider’s employees Name(s), surname, email addresses