Data Processing Agreement - template

Concluded on …………………… in Warsaw, Poland between:

………………………………………………………………………………………………….. registered office address: ..............................., entered in the Register of Entrepreneurs under Tax Identification Number (NIP): .......................... , hereinafter referred to as the "Controller"

and

Digital Rep Sp. z o.o., registered office address: Chmielna 2/31, 00-020 Warszawa, PL, entered in the Register of Entrepreneurs kept by the District Court for the Capital City of Warsaw in Warsaw, XII Commercial Division of the National Court Register under KRS number: 0000915075, share capital: 5 000,00 zł, Tax Identification Number (NIP): 5252872328, company statistical number (REGON): 389664477, represented by:
Igor Gołębiewski - Chairman of the Board,
Maciej Osytek - Member of the Board,
hereinafter referred to as the "Processor";

hereinafter collectively referred to as the "Parties" and each separately as a "Party"

§1

Definitions

For purposes of this Agreement, the Controller and the Processor agree to the following meanings of the following terms:


  1. Agreement - this Data Processing Agreement.

  2. Platform - the Internet platform maintained by the Processor at the Internet address https://fitebo.com.

  3. Principal Agreement - the contract for the provision of services by the Processor to the Controller with respect to the use of the Platform (Fitebo Terms of Service).

  4. Regulation - Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).


§2

Entrusting the processing of personal data

  1. Pursuant to Article 28 of the Regulation, the Controller entrusts the Processor with personal data to be processed under the terms and for the purposes specified in the Agreement.

  2. The Processor undertakes to process the personal data entrusted to it in accordance with the Agreement, the Regulation and other generally applicable laws that protect the rights of data subjects.

  3. The Processor declares that it uses security measures that meet the requirements of the Regulation.

  4. The Controller declares that the data provided to the Processor have been obtained in accordance with applicable laws, and that he/she has received the relevant consents from the data subjects for the processing of the data, where required by law.


§3

Scope and purpose of data processing

  1. The Controller authorizes the Processor to process personal data.

  2. The Processor will process the Controller's clients’ data entrusted under the Agreement in the following categories:

    1. personal data in the form of: name, surname, e-mail address, telephone number

    2. sensitive data in the form of:

      1. date of birth, height, weight, number of training days per week, injuries and posture defects suffered, information on fitness equipment at disposal, training level, training preferences,

      2. body measurements - chest, waist, hips, left arm, right arm, left forearm, right forearm, left thigh, right thigh, left calf, right calf, and body weight,

      3. photos,

      4. data on completed workouts, including information on the number of sets performed, the number of repetitions performed within each set, the load used for each set, and information on the subjective assessment of the difficulty of the completed workout,

      5. data provided as part of the Controller’s Clients’ reports - personal information about well-being (mood, sleep quality, motivation to perform training, training attendance, effectiveness in training, adherence to the diet plan, assessment of the level of difficulty and satisfaction with the current training plan, fatigue after training, speed of regeneration after training), information about the area and level of pain experienced due to overload or injury, and other information obtained by the Controller.

  3. The personal data entrusted by the Controller will be processed by the Processor solely for the purpose of performing the Principal Agreement.


§4

Processor's obligations

  1. The Processor undertakes, when processing the entrusted personal data, to secure them by applying appropriate technical and organizational measures ensuring an adequate level of security and corresponding to the risks related to the processing of personal data, as referred to in Article 32 of the Regulation.

  2. The Processor undertakes to exercise due diligence in processing the entrusted personal data.

  3. The Processor declares that all persons who have access to the data entrusted to them by the Controller have the appropriate authorizations.

  4. The Processor undertakes to ensure that the data processed by the persons it authorizes to process personal data for the purposes of the Agreement are kept confidential (as referred to in Article 28(3)(b) of the Regulation) both during their employment with the Processor and after its termination.

  5. The Processor will delete the entrusted personal data within 3 days following the termination of the services under the Principal Agreement, unless European Union or Member State law mandates the retention of personal data.

  6. The Processor shall, as far as possible, assist the Controller to the extent necessary to fulfil the obligation to respond to requests from data subjects and to comply with the obligations set out in Articles 32 to 36 of the Regulation.

  7. The Processor, upon discovering a personal data breach, shall without undue delay report it to the Controller within 48 hours.


§5

Right of control

  1. The Controller or an entity authorized by it shall have the right to carry out inspections or audits to verify compliance with the obligations set forth in Article 28 of the Regulation.

  2. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations set out in Article 28 of the Regulation.

  3. The Controller or an entity authorized by the Controller shall carry out inspections or audits in the places where the entrusted data are processed, during the working hours of the Processor.

  4. Notice of intent to conduct an inspection or audit shall be provided to the Processor at least 10 calendar days prior to the activity.

  5. The costs of conducting the inspection shall be borne by the Controller.

  6. The Processor undertakes to comply with recommendations of the Controller or an entity authorized by the Controller, concerning improvement of the quality of personal data protection and the manner of their processing or removal of defects identified during an inspection or audit, within a period specified by the Controller, not longer than 7 days.


§6

Further outsourcing of data processing

  1. The Processor may use the services of other data processors who will act as subcontractors for the provision of services under the Agreement, to which the Controller gives his/her general consent. The list of such subcontractors is available on the Platform, at https://fitebo.com/en/rodo_partners. The Processor has the right to update and modify it unilaterally so that it reflects the actual state of affairs, and its update or modification does not constitute an amendment to the Agreement.

  2. The transfer of entrusted data to a third country may only take place upon written order of the Controller, unless such obligation is imposed on the Processor by European Union law or the law of the Member State to which the Processor is subject. In such case, the Processor shall inform the Controller of this legal obligation prior to the processing, unless such law prohibits such information on the grounds of an important public interest.

  3. The subcontractor referred to in §6.1 of the Agreement shall meet the same guarantees and obligations as those imposed on the Processor in the Agreement.

  4. The Processor shall be fully liable to the Controller for the subcontractor's failure to comply with its data protection obligations.


§7

Responsibility of the Processor

  1. The Processor is responsible for providing access to or using personal data contrary to the content of the Agreement, and in particular for providing access to personal data entrusted for processing to unauthorized persons.

  2. The Processor undertakes to immediately inform the Controller of any proceedings, in particular administrative or judicial, relating to the processing by the Processor of the personal data specified in the Agreement, of any administrative decision or ruling concerning the processing of such data addressed to the Processor, as well as of any audits and inspections, whether planned (if known) or carried out, concerning the processing of such personal data at the Processor, in particular by inspectors authorized by the Inspector General for the Protection of Personal Data. This paragraph shall only concern personal data entrusted by the Controller.


§8

Duration of the contract

  1. The Agreement is concluded for the duration of the Principal Agreement. Upon expiration or termination of the Principal Agreement for any reason, the Agreement is terminated.


§9

Termination of contract

  1. The Controller may terminate this Agreement with immediate effect if the Processor:

    1. despite the obligation to remove the defects found during the inspection, fails to remove them within the prescribed time limit;

    2. processes personal data in a way incompatible with the Agreement.


§10

Confidentiality rules

  1. The Processor agrees to keep confidential all information, data, materials, documents and personal data received from the Controller and from persons cooperating with the Controller, as well as data obtained in any other way, whether intentionally or accidentally, in oral, written or electronic form ("Confidential Data").

  2. The Processor declares that, in connection with the obligation to keep the Confidential Data confidential, the Confidential Data will not be used, disclosed or shared without the Controller's written consent for any purpose other than the performance of the Agreement, unless the need to disclose the information held arises under applicable law or the Agreement.


§11

Final provisions

  1. The Agreement has been drawn up in two counterparts for each Party.

  2. In matters not regulated by the Agreement, the provisions of the Regulation shall apply.

  3. The Parties shall use their best efforts to amicably settle any dispute or claim arising from the Agreement, and in case of failure to settle, any dispute or claim shall be resolved by the Polish court competent for the registered office of the Processor.

  4. If any provision of this Agreement is held invalid, the validity of the remaining provisions shall not be affected, and the Processor agrees to take steps to complete the Agreement in that portion.

_______________________

Controller

_______________________

Processor