Personal Data Processing and Protection Principles
(hereinafter referred to as the “Principles”)
I. General Provisions
1. These Principles form part of the contractual regulations binding the Parties in connection with all concluded and performed Agreements, as well as with regard to ongoing cooperation and the submission of mutual offers and enquiries, in relations with Grupa Inwestycyjna Hossa S.A. with its registered office in Gdansk, Hossa.biz. Sp. z o. o. in Gdansk, Garnizon Sp. z o. o. in Gdansk, Gdynia 8 Sp. z o. o. in Gdansk and OCTO Hotels Sp. z o. o. in Gdansk (the “Companies”).
2. Each Party remains the Controller, within the meaning of Art. 4 point 7) of the GDPR, of the personal data it administers, including the personal data of its employees, collaborators, members of the bodies of companies and communities, proxies, subcontractors and service providers, as well as the personal data of its clients (“Personal Data Administered by the Party”).
3. Personal Data Administered by the Party were made available to or obtained by the Party as Personal Data Controller in a manner consistent with applicable regulations; in particular, they were made available by the natural persons to whom the Personal Data relate in connection with the preparation, conclusion and performance of contracts concluded by the Party with those persons.
4. The Parties conclude agreements with each other as part of their business activities (“Agreements”), on the basis of which the Parties provide mutual services, in particular each Party may provide such services at the request of and/or on behalf of the Other Party, also directly to the clients of that Other Party as the final recipients of such services.
5. In connection with the concluded and performed Agreements, Personal Data Administered by the Party may be made available by one of the Parties to the Other Party.
6. The Parties share Personal Data Administered by the Party in accordance with the applicable provisions of the GDPR, and, to the extent that the processing of Personal Data requires the consent of the data subject, the Personal Data Controller has obtained that person's consent to the sharing of their Personal Data.
7. The natural persons to whom the Personal Data relate have been provided with the information required by law: that the Party remains the Controller of their Personal Data; the purpose, scope and forms of processing, including the possibility that the Controller may entrust the processing of the Personal Data to, or otherwise transfer the Personal Data to, another entity, and the principles of such processing; and their rights to control the manner in which their Personal Data are processed.
8. Sharing Personal Data Administered by the Party may take the form of:
1) entrusting the Other Party with the processing of Personal Data on behalf and/or at the request of the entrusting Party - in such a case, the Party to which the Personal Data was made available becomes the Personal Data Processor within the meaning of Article 4 point 8) of the GDPR (“Entrusting the Processing of Personal Data”);
2) transfer of Personal Data in such a way that the Party to which the Personal Data was made available becomes their Controller within the meaning of Art. 4 point 7) GDPR, determining further purposes and methods of their processing (“Transfer of Personal Data”).
9. Personal Data entrusted to the Party for processing or transferred by the Other Party will not be transferred to third countries, in particular outside the EEA, nor will they be transferred to international organizations.
II. Entrusting the Processing of Personal Data
1. The Party entrusted with the Processing of Personal Data in accordance with point I.8.1) above, as the Data Processor, processes the Personal Data in accordance with these Principles, in compliance with the provisions of the GDPR and other relevant legal regulations.
2. The Party entrusted with the Processing of Personal Data, as the Data Processor, processes the Personal Data only for the purpose and within the scope for which the Personal Data have been made available to it, i.e. for the purpose of performing the Agreements and in connection with their performance, with particular regard to the type of Personal Data received, the categories of data subjects, the basis for transferring the Personal Data, and the nature and purpose of the processing. Personal Data entrusted to a given Party for processing by the Other Party may also be processed by that Other Party in order to fulfil its legal obligations and within the framework of its legitimate interests.
3. Personal Data entrusted to a Party for processing by the Other Party will not be further entrusted to any third party without the prior consent of the Personal Data Controller to such further entrustment. In such a case, the Processor is obliged to ensure appropriate control over the further processing of the Personal Data by the third party and to conclude with that third party an appropriate agreement on entrusting the processing of Personal Data, imposing on the third party obligations in the field of processing and protection of Personal Data substantially consistent with these Principles. The Processor is liable to the Personal Data Controller for the actions of a third party to which it has entrusted Personal Data for further processing as for its own actions.
4. Each Party, as Processor, subject to its statutory obligations under applicable law, shall, once the basis and purpose for which the Personal Data were entrusted to it for processing have ceased to exist (including, in particular, after the termination of the Agreement in connection with which the Personal Data were entrusted, taking into account the period for pursuing claims under that Agreement and their limitation period), and at any request of the Personal Data Controller, return the Personal Data to the Personal Data Controller or delete them without retaining a copy, and provide the Personal Data Controller with confirmation of the deletion.
5. Each Party, as the Personal Data Controller, has the right to control the processing of Personal Data by the Other Party as the Processor in relation to the Personal Data entrusted to the Other Party.
6. The Personal Data Controller's right of control referred to in point II.5 shall be exercised by addressing relevant queries and requests for clarification to the Processor. The Processor is obliged to respond to such queries and requests promptly, and in any case no later than within 14 days.
7. Each Party, as Processor, shall promptly notify the Party that is the Data Controller of:
1) any legally authorized request for access to Personal Data made to the Processor by a competent authority of the State, unless such notification is prohibited by applicable law (in particular, such prohibition arises from applicable criminal law and is intended to ensure the confidentiality of an initiated investigation or enquiry or is justified on the grounds of an important public interest);
2) each case of unauthorized access (or attempted access) to Personal Data - indicating the circumstances in which such access occurred, its effects and the actions taken to prevent the breach and its effects;
3) each request received from a person whose Personal Data have been entrusted for processing by the Personal Data Controller to the Processor, relating to the fact, purpose or scope of the processing of that person's Personal Data or the operations performed on them; the Processor shall refrain from responding to the request until it receives the Personal Data Controller's position, and the Personal Data Controller is obliged to provide that position promptly, and in any case no later than within 7 days.
III. Transfer of Personal Data
1. Each Party to which Personal Data were transferred by the Other Party (as the Personal Data Controller, in accordance with point I.8.2) above) undertakes, as the Controller of those Personal Data, to process them in accordance with these Principles, in compliance with the provisions of the GDPR and other relevant legal regulations in force in this area.
2. Each Party to which Personal Data have been transferred by the Other Party and which has thereby become their Personal Data Controller undertakes to process such Personal Data, as Personal Data Controller, only for the purpose and to the extent for which the Personal Data were provided to it, with particular regard to the type of Personal Data received, the categories of persons to whom the Personal Data relate, the basis for the transfer of the Personal Data, and the nature and purpose of the processing.
3. Each Party to which Personal Data was transferred by the Other Party and which became the Personal Data Controller to the extent to which they were transferred undertakes to comply with all information obligations provided for in the provisions of the GDPR towards the data subjects.
IV. Personal data protection
1. Each Party shall take technical and organizational measures to ensure that the processing and security of Personal Data are consistent with applicable law, including the provisions of the GDPR, and with these Principles.
2. Personal Data is processed only by authorized employees and associates of the Party who are subject to appropriate training in the processing and protection of Personal Data and who are contractually or statutorily obliged to maintain the confidentiality of Personal Data. The Party supervises, verifies and enforces compliance with adopted procedures, principles and orders among its employees and associates.
3. The Parties shall process Personal Data only at the Party's registered office and its places of business.
4. Taking into account the state of the art, implementation costs and the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of the persons whose Personal Data are processed, the Parties shall apply technical and organizational measures appropriate to ensure a level of security of processing and protection of Personal Data corresponding to that risk:
1) preventing unauthorized persons from accessing Personal Data processing systems; in particular those that prevent reading, copying, changing or deleting Personal Data;
2) ensuring the security of Personal Data during electronic transmission and during transport or storage of Personal Data on data carriers, protecting against reading, copying, changing or deleting Personal Data;
3) ensuring the possibility of verifying and determining whether and by whom Personal Data has been entered into data processing systems, changed or deleted;
4) ensuring protection against accidental destruction or loss of Personal Data;
5) ensuring that Personal Data that has been collected for different purposes can be processed independently (separately);
6) ensuring confidentiality, integrity, availability and resilience of Personal Data processing systems;
7) ensuring the ability to immediately restore the availability of Personal Data in the event of physical or technical incidents;
8) ensuring the appropriate testing, measurement and assessment of the effectiveness of technical and organizational measures to ensure the security of Personal Data.
V. Cooperation of the Parties in connection with the Processing of Personal Data
1. The Parties shall cooperate and collaborate with each other to ensure that, in connection with the processing of Personal Data, they comply with the applicable provisions of the GDPR and other relevant data protection and privacy laws.
2. The Parties shall cooperate and collaborate in the fulfilment of their statutory obligations towards the data subjects to which the Personal Data relates, including information obligations towards the data subjects and obligations related to the exercise by the data subjects of their rights to control the processing of the Personal Data (such as the rights to: rectification, deletion, restriction of processing, access, data portability).
3. The Parties shall provide each other with all information necessary to demonstrate that the procedures they have adopted for the processing and protection of Personal Data, and their application, comply with applicable law, including in particular Article 3 of the GDPR, and shall allow for and participate in audits, including inspections, conducted by the other Party or by any other auditor authorized by it.
4. If the performance of any provision of these Principles by a Party becomes, for any reason and even temporarily, impossible, hindered or limited, that Party is obliged to notify the Other Party immediately, informing it of the actions taken or planned to remedy the situation.
5. Each Party shall indemnify and hold harmless the Other Party against any and all liability arising from or related to its breach of these Principles, including in particular any obligation to pay damages, to provide remedies or to fulfil any other obligations towards data subjects, as well as any penalties or fines imposed by competent courts or administrative authorities.
6. Each Party shall bear its own costs associated with the implementation of these Principles.