TERMS AND CONDITIONS OF ELECTRONIC SERVICES

These Terms govern the use of the websites operated by SALESmanago and the use of the System for free Accounts. Capitalised terms have definitions described herein. Paid packages with unlimited access to the System are governed by a separate agreement that may be concluded with customers.

 

The Customer accepts these Terms respectively by: (i) using the Service (in the case of non-logged-in Users), (ii) accepting the Terms when registering an Account. If a person accepts these Terms on behalf of a company or other entity, such person represents that he or she has the appropriate authority to bind such an entity to these Terms, and in such case the term „Customer” refers to such entity. If the person accepting these Terms does not have such authority or does not agree with these Terms, such person may not accept these Terms and may not use the services.

§1 Definitions

  1. „Personal Data” – any information relating to an identified or identifiable natural person, in accordance with the General Data Protection Regulation (GDPR).

  2. „Password” – a string of characters, including alphanumeric, in accordance with the security requirements, necessary for the authentication process when accessing the Account, specified by the User during the Account registration process. 
  3. “Confidential Information” – all confidential information disclosed by either Party (“Disclosing Party”) to the other Party (“Receiving Party”), whether orally or in writing, that is designated as confidential or that reasonably should be understood as confidential given the nature of the information and the circumstances of disclosure. However, Confidential Information will not include any information that (i) is or becomes generally known to the public without breach of any obligation owed to the Disclosing Party, (ii) was known to the Receiving Party (including its directors, officers, employees, contractors or agents) prior to its disclosure by the Disclosing Party without breach of any obligation owed to the Disclosing Party, (iii) is received from a third party without breach of any obligation owed to the Disclosing Party, or (iv) was independently developed by the Receiving Party.
  4. Customer” – the individual, a company or other legal entity who concludes the Agreement for access to the Account.
  5. Account” – an account enabling the use of the System. Accounts are divided into: Trial Accounts, Demo Accounts and Email Marketing Accounts.
  6. Trial Account” – an Account that provides temporary access to the System with the ability to read and write data.
  7. Demo Account” – an Account that allows User to preview the operation of the System without being able to modify the sample data contained in that Account.
  8. Email Marketing Account” – an Account that provides access to selected functionalities of the System with specific limits.
  9. Terms” – this document.
  10. “User profile”  an arrangement that can store information, made available by SALESmanago within the ICT system, that enables the User to enter, store and modify data necessary for proper usage of the features of the System. This information is provided to the System voluntarily and solely by the User.
  11. Registration” means a one-time action that involves the creation of an Account by the User using the panel provided by SALESmanago on the Service.
  12. GDPR” – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  13. SALESmanago” – Benhauer sp. z o. o. based in Cracow (30-705) at Stanisława Klimeckiego 4, NIP: 676 244 77 54 REGON: 122334666, entered into the Register of Entrepreneurs kept by the District Court for Kraków Śródmieście in Kraków, Division XI of the National Court Register under entry number KRS: 0000523346, with a share capital in the amount of PLN 1 407 450.00.
  14. Service” – the websites, administered by SALESmanago, made available within the salesmanago.com domain or outside the salesmanago.com domain (if they contain a reference to these Terms).
  15. Parties” – respectively: (j) the Customer and SALESmanago – in the case of use of the System or (ii) a non-logged-in User and SALESmanago – in the case of use of the Service without logging into the System.
  16. „System” – the online platform – Customer Engagement Platform, including the monitoring code included in the Customer’s website.
  17. „Agreement” – the agreement for the provision of services by electronic means concluded respectively: between the Customer and SALESmanago, or between a User who is not logged in and SALESmanago, pursuant to the Terms.
  18. Services” – electronic services within the meaning of the Electronic Provision of Services Act of 18 July 2002 (Dz.U.2020.344 t.j., with subsequent amendments) which consist in: (i) enabling the use of the Service, (ii) providing the User an Account and (iii) enabling to use the System through the Account, including providing the User profile.
  19. “Third Party Services” – services provided by a Third Party Provider to Customer in connection with the use of the System.
  20. “The Personal Data Protection Act” – the Act of 10 May 2018 on the Protection of Personal Data (Dz.U. 2019.1781 t.j. with subsequent amendments).
  21. “User” – a natural person above 18 years of age with legal capacity who: (i) uses the System on behalf of the Customer or (ii) is not a registered User.
  22. Third Party Provider” – a provider of Third Party Services approved by SALESmanago.

§2 General provisions

  1. SALESmanago provides Services through the Service to the extent and on the terms and conditions specified in the Terms. SALESmanago will provide Services with the due diligence required.
  2. The Services regulated herein are provided free of charge and, as regards access to the System, only through Trial Accounts, Demo Accounts and Email Marketing Accounts.
  3. The Trial Account allows the User to use the System for 30 days from the creation of the Trial Account.
  4. The Demo Account allows the User to use the System for an indefinite period of time in a read-only mode, i.e. in particular without the possibility to upload the User’s data into the System.
  5. The Email Marketing Account allows the User to use selected System functionalities and within the limits set by SALESmanago. The current range of functionalities and applicable limits is available at: https://emailmarketing.salesmanago.com/. The indicated scope of functionality and the applicable limits may change over time. The Customer is obliged to monitor any changes to the scope of services provided under this type of account.
  6. If the limits for the Email Marketing Account indicated in sec. 5 above are reached, the possibility of further use of the respective functionality is blocked. In the case of limits determined on a monthly basis, further use of such functionalities is possible, starting from the next month of use of the System.
  7. SALESmanago reserves the right to change, disable or remove the functionalities and/or limits within the Email Marketing Accounts without giving any reason. 
  8. SALESmanago may, at its own discretion, temporarily provide the Customer with additional functionalities of the System free-of-charge (hereinafter referred to as “Additional Functionalities”). Customer agrees that SALESmanago, in its sole discretion and for any or no reason, may terminate Customer’s access to the Additional Functionalities or any part thereof. Customer agrees that any termination of Customer’s access to the Additional Functionalities may be without prior notice, and Customer agrees that SALESmanago will not be liable to Customer or any third party for such termination. Notwithstanding the “Liability” section below, the Additional Functionalities are provided “as-is” without any warranty and SALESmanago shall have no indemnification obligations nor liability of any type with respect to the Additional Functionalities unless such exclusion of liability is not enforceable under applicable law in which case SALESmanago’s liability with respect to the Additional Functionalities shall not exceed PLN 10 (in words: ten polish zlotys).
  9. The Services of providing the User with an Account and enabling the use of the System by means of the Account regulated herein are provided exclusively to entrepreneurs and by using the service the Customer confirms that he/she is acting in such manner. These services are not intended for persons who are consumers as defined by applicable law.

§3 Technical requirements for the use of the Service and the System

  1. The minimum technical requirements to use the System are as follows:
  1. Services accessible through the Customer’s website (widgets): any modern browser that supports HTML5, CSS3, JavaScript, long-term cookie storage, LocalStorage, Web Push notifications and that is not restricted in its access to the resources on the SALESmanago infrastructure, including restrictions imposed by additional software, so-called plug-ins;
  2. Services available through the System (administrative panel): access to the Internet, latest version of one of the following web browsers: Google Chrome, Mozilla Firefox with default configuration.
  1. The minimum technical requirements to use the Service are as follows: access to the Internet, latest version of one of the following web browsers: Google Chrome, Mozilla Firefox with default configuration.
  2. The use of certain features of the System may require additional configuration on the part of the Customer, in particular changes to the Customer’s website and/or changes to the configuration of the Customer’s Internet domain name.

§4 Account Registration

  1. In order to use the System, it is necessary for the User to register and accept these Terms.
  2. During Registration, the User performs actions including:
    1. confirming that the User has read these Terms and accepts their provisions;
    2. filling in the form available in the Service;
    3. logging into the Account using the login and Password.
  3. SALESmanago reserves the right to verify the Registration and the User.
  4. After successful Registration, the User gains access to the Account, which is provided each time by SALESmanago after providing the Password and login on the Service.
  5. During Registration and using the Services, the User is required to:
    1. to provide true, accurate and up-to-date data that is not misleading and does not infringe the rights of third parties;
    2. to update the data provided on the registration form immediately after any change.
  6. Any person who registers on behalf of the Customer declares that he or she is authorised to conclude the Agreement for and on behalf of the Customer.

§5 Use of the Service and the System

  1. In particular, the User is obliged to:
    1. to use the Service and the System in a manner that does not interfere with their functioning, in particular by using specific software and devices;
    2. to use the Service without causing inconvenience to other Users and SALESmanago and to respect their rights;
    3. to keep the Password secret and to exercise due diligence to prevent third parties from gaining possession of the Password;
    4. not to use the System for illegal purposes.
  2. Each Party agrees keep in confidence any Confidential Information disclosed by the other Party, not to use any Confidential Information belonging to the other Party for any purpose outside the scope of the Agreement and to limit access to Confidential Information to those of its directors, officers, employees, contractors and agents who need such access for the purpose of the Agreement. The confidentiality obligations shall remain in effect for the term of the Agreement and 5 years after its termination. Either Party may disclose Confidential Information if it is compelled by the applicable law to do so, provided it gives the other Party prior notice of such compelled disclosure (to the extent legally permitted) and reasonable assistance to contest the disclosure.
  3. The Customer undertakes to use the System with respect for good morals, rules of social coexistence and in accordance with the provisions of generally applicable law, including compliance with the SALESmanago Anti-spam Policy referred to in sec. 6.c. below.
  4. The Customer is responsible for:
    1. the use and/or misuse of the System by any User;
    2. the legality, veracity, integrity, accuracy and quality of the data provided.
  5. The User is obliged to notify SALESmanago immediately both of any violation of his/her rights to the login and/or Password and of any violation of the rules set out in these Terms.  
  6. Notwithstanding any other rights set out in the Terms, SALESmanago may deprive the User of the right to use the System (by blocking or deleting the Account), as well as restrict access to part or all of the resources of the Service or the System with immediate effect if the User violates the Terms, and in particular if the User:
    1. provided during the Registration in the Service data that is untrue, inaccurate or outdated, misleading or violating the rights of third parties;
    2. otherwise behaves contrary to the general rules of Internet use, contrary to the purposes of the Service or in a manner detrimental to the good name of SALESmanago;
    3. violates generally acceptable standards and rules for the use of services of this type. In particular, the User agrees to comply with SALESmanago’s Anti-spam Policy, available here.
  7. SALESmanago reserves the right to:
    1. periodically interrupt the availability of the Services for expansion or maintenance;
    2. immediate discontinuation of the Services in the event of violation of these Terms by the User,
    3. change the parameters of the Account or User Profile, including the features and functionality of the Service;
    4. terminate the provision of the Services at any time, by closing down the entire Service or any part of it, subject to prior posting of an appropriate notice on the Service.
  8. At the time of signing the Agreement, the System is compatible with the requirements indicated in §3 of the Terms. Temporary incompatibility may result from changes made by third-party vendors. SALESmanago will exercise due professional care in ensuring the continued compatibility of the System.
  9. The Customer may choose to obtain Third Party Services (e.g. applications) to use with features within the System. To use such features, the Customer will be required to obtain access to Third Party Services from Third Party Providers. The Customer agrees to comply with the terms and conditions of the Third Party Services and the policies and guidelines pertaining thereto. Notwithstanding the foregoing, SALESmanago does not assume any responsibility for the Third Party Services, the terms of which have been regulated directly between the Customer and the Third Party Provider and specifically disclaims any liability, warranty, and obligation with respect to such Third Party Services, whether or not it is recommended or approved by SALESmanago, or otherwise noted. SALESmanago may terminate the cooperation with any Third Party Provider at any time without reason or change the Third Party Provider and such change shall not constitute a breach of the Agreement. SALESmanago assumes no responsibility for: (i) claims arising from the combination of any Services with any other products, services, hardware, data or business processes or use of Services by Customer other than in accordance with the Agreement; and (ii) for any amendment or modification to the Services not carried out by SALESmanago or one of its approved partners.
  10. The Customer shall only use the Services for its own internal business operations. The Customer acknowledges and agrees that it will not allow any third party, including Customer’s vendors and service providers, to access or use the Services unless such third party is allowed access for the purpose of providing authorised customer support services or in connection with Customer’s appropriate use of the Services for its business purposes.

§6 Personal data protection and the use of cookies and similar technologies

  1. In the case of Customers using Trial Accounts or Email Marketing Accounts, SALESmanago acts as a processor in relation to the Personal Data of Customers or potential customers of the Customer that is processed within the System (in particular, within the database that the User has entered into the System). For the avoidance of doubt, the acceptance of these Terms and the use of the System shall be considered as an entrustment of data to be processed in accordance with the provisions of the GDPR under the terms and conditions specified in the Personal Data Processing Agreement, which constitutes Appendix 1 to these Terms. Appendix No. 1 shall only apply where the performance of the Agreement involves the processing of personal data to which the provisions of the GDPR apply.
  2. SALESmanago is the controller of the personal data of the Customer who is an individual, the Customer’s representatives and the Customer’s contact persons and Users. The Customer declares that he/she has familiarised himself/herself with the information on SALESmanago’s processing of Personal Data available within the Privacy Policy and undertakes to provide the aforementioned information to data subjects.
  3. Information on the use of cookies and other similar technologies is available to Users within the Service.
  4. Selected functionalities of the System placed on the Customer’s website may create cookies and/or LocalStorage content on the Customer’s domain. The Customer is responsible for performing the necessary steps to obtain the consent of the users of its website to use cookies and/or LocalStorage content. Furthermore, the Customer is obliged to post information about the purposes and types of cookies and/or LocalStorage content used, insofar as it is obliged to do so by the law applicable to its place of business.

§7 Compliance

  1. The Customer shall comply with all applicable export controls, economic sanctions, and import laws and regulations, including without limitation the regulations of the European Union, United Kingdom, and the United States, as in force and amended from time to time. This means that Customer will not, directly or indirectly enter into a business relation with any person or entity resident in, located in, or organised under the laws of any country or territory subject to comprehensive economic sanctions (including, currently, Crimea, Cuba, Iran, North Korea, and Syria) (hereafter “Sanctioned Countries”), or (ii) identified on any applicable restricted party lists (including without limitation the U.S. Treasury, Office of Foreign Assets Control’s Specially Designated Nationals List; the HM Treasury Consolidated List of Financial Targets in the UK; and the European Union’s Consolidated List of Sanctioned Individuals and Entities) (hereafter “Restricted Party Lists”). 
  2. The Customer warrants that it is, and will remain during the term of this Agreement, not (i) resident in, located in, or organised under the laws of a Sanctioned Country, or (ii) identified on, or majority-owned or controlled by one or more parties identified on, a Restricted Party List. SALESmanago reserves the right to request the Customer to periodically confirm in writing that it complies with the obligation under the Agreement and specifically with those in this section.

§8 Liability

  1. SALESmanago’s total liability under or in connection with the Agreement is limited to the sum of PLN 10 (in words: ten Polish zloty). SALESmanago shall also not be liable under or in connection with the Agreement for lost profits and any indirect damages. The above exclusion of liability for certain damages and limitation of liability shall apply to the maximum extent permitted by applicable law.
  2. SALESmanago shall not be liable for any delay, failure of delivery or other damage resulting from the transfer of the Customer’s data via network or communication devices, including the Internet. SALESmanago shall also not be liable for:
    1. any damage related to interference by third parties, malfunction of external factors or other systems (e.g. telecommunication networks) beyond SALESmanago’s control;
    2. any damage resulting from unauthorised access to the User Account or User Profile due to negligence on the part of the Customer and/or the User;
    3. any damage resulting from the User’s and/or the Customer’s failure to comply with these Terms;
    4. any damage resulting from incorrect data transmission in the System, incorrect message recording or reception, or loss of data contained in messages transmitted;
    5. any User’s or Customer’s damage resulting from risk factors specific to the Internet, including system attacks or malicious software infections on the User’s system.
  3. If the Service are held or are likely to be held infringing, SALESmanago will have the option, at its expense to (i) replace or modify the Services as appropriate, (ii) obtain a licence for Customer to continue using the Services, (iii) replace the Services with a functionality equivalent service or (iv) terminate the applicable Services. To the fullest extent permitted by law, remedies described in the preceding sentence will constitute the sole and exclusive remedy available to Customer in relation to third party claims.

§9 Agreement duration and termination

  1. The agreement for the provision of Services, concluded by Users who are not logged in, for the duration of their use of the Service is concluded for a fixed period of time, corresponding to the period of processing of personal data, calculated from the last completed visit to the Service, or until the data stored in the User’s browser cookies are deleted, whichever event occurs first.
  2. Either Party shall be entitled to terminate the Agreement other than as set out in sec. 1 with immediate effect without giving reasons, without prejudice to the rights acquired by the other Party prior to termination.
  3. In the event of SALESmanago’s intention to terminate the Agreement, the User will be notified at the e-mail address provided by the User during Registration.
  4. Termination of the Agreement by the Customer shall be effected by deleting the relevant Account.
  5. In the event of termination of the Agreement, all data will be irreversibly and immediately deleted upon deletion of the Account, subject to any contrary provisions of the Terms or generally applicable law. The Customer waives any claims against SALESmanago in this respect.

§10 Complaint procedure

  1. In the course of using the Services, the User is obliged to notify SALESmanago immediately of any irregularities, faults or interruptions in the functioning of the Service or the System and poor quality of the Services – no later than within 14 days of becoming aware of the irregularities.
  2. Complaints by Users regarding SALESmanago’s improper performance of any contractual provisions should be addressed to SALESmanago by e-mail to: info@salesmanago.com and should include, in particular:
    1. the contact details of the User;
    2. reasons for the complaint;
    3. description of the circumstances giving rise to the User’s complaint.
  3. If the required information is missing, SALESmanago will call on the complainant to complete it. During the complaint process, SALESmanago may request additional explanations, documents or verification of the course of the event subject to the complaint.
  4. The complainant will be notified of the outcome of the considered complaint by e-mail to the e-mail address provided in the complaint application within 30 (thirty) days from the date of submission of a complete and correct complaint, with the proviso that the deadline may be extended in particularly complicated cases. Exceeding the deadline for responding to the complaint does not constitute recognition of the complaint.

§11 Final provisions

  1. The Customer authorises SALESmanago to use the Customer’s name and trademark (or logo) to represent the fact that the Customer is a customer of SALESmanago, especially for the purpose of informing about using the System on its website and social media channels.
  2. SALESmanago may at any time make any change to any Services that is necessary to comply with applicable law, or that does not materially affect the nature or quality of the Services. 
  3. SALESmanago may amend the Terms for important reasons, which are: a) changes in generally applicable laws affecting the provisions of the Terms; b) the issuance of a judgement or decision directly affecting the provisions of the Terms by a court or public administration authority; c) introduction of new functionalities of the System or changes to them; d) removal of ambiguities or doubts of interpretation. In case of the amendment of the Terms, SALESmanago shall notify the Customer of the change by the message that will be communicated to the User via the System.The Parties agree that the User is authorised to accept or reject the new terms and conditions on behalf of the Customer. Failure to respond to information about the change in the Terms within 14 days from the date of notification of the change is considered acceptance of the new terms and conditions. If the Customer objects to the new terms and conditions, the Agreement shall be terminated with effect from the commencement date of the amended Terms.
  4. SALESmanago will be entitled to use data processed as part of the Services to produce: statistical analyses, insights, market data and predictive models to assist development of SALESmanago Services and third party products or services designed for use with them (hereinafter referred to as the “Analytics”). No Personal Data is used for the purpose of Analytics nor will Analytics identify Customer.
  5. Neither Party will be liable for any delay or failure to perform its obligation under the Agreement if the delay or failure is due to extraordinary and unforeseeable event or circumstance beyond its reasonable control (force majeure), such as a strike, blockade, war, act of terrorism, riot, natural disaster, failure or reduction of power or telecommunications or data networks or services, or government act.
  6. If any provision of these Terms is held by a court or other competent authority to be unlawful, void or unenforceable, it shall be deemed to be deleted from the Terms. It shall be of no force and effect, and the Terms shall remain in full force and effect as if such provision had not originally been contained in the Terms. In the event of any such deletion the Parties shall negotiate in good faith in order to agree the terms of a mutually acceptable and satisfactory alternative provision in place of the provision so deleted.
  7. The Agreement is governed by and constructed under Polish law.
  8. Any dispute in connection to the Agreement shall be subject to the exclusive jurisdiction of the courts having jurisdiction over SALESmanago registered office.
  9. Appendices shall form an integral part of these Terms.
  10. In the event of a conflict between the Terms and the Personal Data Processing Agreement, the latter shall take precedence.
  11. The Terms are effective as of 1.07.2024.
Previous versions



Appendix No. 1 to the Terms Personal Data Processing Agreement


Personal Data Processing Agreement

hereinafter referred to as „PDPA”

between 

Customer, hereinafter referred to as “Entruster

and

SALESmanago, hereinafter referred to as “ProcessorWhereas,

the Parties have concluded the Agreement, Parties hereby agree as follows:

§1 Statements of the Parties

  1. The Entruster declares that, regarding the entrusted personal data, it is either the data controller or the processor and has the right to process the data and entrust its processing.
  2. The Processor shall ensure that appropriate technical and organisational measures are implemented so that the processing meets the requirements of the Act and the GDPR and provides the protection of the rights of the data subject.
  3. The Processor declares that he applies all required technical and organisational measures so that the processing is carried out in accordance with Article 32 of the GDPR.
  4. The Processor declares that the Processor has the resources, including infrastructure resources, experience, knowledge, and qualified personnel, to the extent that it is able to duly perform the PDPA, in compliance with the applicable laws. In particular, the Processor declares that it is familiar with the principles of personal data processing and security resulting from the GDPR.

§2 Subject matter of PDPA

  1. Parties agree that for the purpose of fulfilling statutory obligations imposed by law, these being, in particular, the provisions of GDPR and the provisions of other Member States data protection laws that apply to the Agreement as well as the proper performance of the Agreement, the Entruster, entrusts the Processor with the processing of personal data in the scope as defined by this PDPA.
  2. The Parties declare that processing is to be carried out on behalf of the Entruster and the Processor provides sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. 
  3. Where terms defined in the GDPR are used in this PDPA, these terms have the same meaning as in the GDPR.

§3 Description and scope of processing

  1. This PDPA applies to the processing of personal data set out below:
    1. categories of data subjects: users of the Entruster’s websites who are clients or potential clients of the Entruster;
    2. the type of personal data: name and surname, e-mail address, telephone number, Contact ID, IP number, online behavioural data of data subjects;
    3. the nature and purpose of personal data processing: performing the Agreement, using resources provided by the Processor;
    4. the subject-matter of the processing: personal data stored in the System in the duration of the same term as the performance of the Agreement.
  2. The Parties jointly agree that the Entruster entrusts the Processor only with personal data within the scope of and concerning the categories of persons specified in § 3(1) of the PDPA. In entrusting a broader scope of personal data than in § 3(1) of the PDPA, the Entruster is obliged to indicate a new scope of personal data that will be entrusted on the date of the Agreement. The scope of data should be sent to dpo@salesmanago.com. If the scope of processed personal data changes during the execution of the Agreement, the Entruster is obliged to indicate a new scope of personal data to the Processor.
  3. The Processor undertakes to process entrusted personal data only for the purpose and scope specified in above, based on documented instructions from the Entruster, which also applies to the transfer of personal data to a third country or international organisation (unless such obligation is imposed by Union law or the law of the Member State to which the Processor is subject; in this case, the Processor shall inform the Entruster of this legal obligation prior to the commencement of processing, unless such law prohibits the provision of such information on grounds of important public interest).

§4  Rights and obligations of Parties

  1. The Entruster entrusts to the Processor lawfully collected personal data. 
  2. Following a written request by the Entruster, the Processor shall be obliged to provide information regarding the processing of personal data entrusted to him, including details of technical and organisational means used for the purpose of processing data covered by the request, within 14 days of receiving such a request. 
  3. The Processor shall inform the Entruster prior to the commencement of processing of data on the implementation of a possible legal obligation consisting of the transfer of personal data to a third country or an international organisation, in accordance with Article 28(3) point a of the GDPR.
  4. The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in accordance with Article 28(3) point b of the GDPR.
  5. The Processor undertakes to ensure that every person acting under the authority of the Processor who has access to personal data processes them only at the request of the Entruster for the purposes and scope provided for in the PDPA.
  6. The Processor declares that he has taken safeguard measures required under Article 32 of the GDPR, in accordance with Article 28(3) point c of the GDPR. Ensuring data security includes data protection against security breaches leading to breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data (personal data breach). When assessing the appropriate level of security, the Parties shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. 
  7. The Processor declares that he respects the conditions referred to in paragraphs 2 and 4 of Article 28 of the GDPR for engaging another processor, in accordance with Article 28(3) point d of the GDPR.The Entruster may grant specific consent to the Processor for further entrustment of personal data processing. The Processor shall inform (in a documented form) the Entruster of its intention to further entrust personal data 7 days in advance.
  8. As a general rule, the Processor does not use sub-processors to perform the Agreement. However, access to certain functionalities of the System may require the Entruster’s consent to further entrustment of personal data. The Processor will not entrust personal data before obtaining the consent referred to above. The Entruster’s consent to further entrustment of personal data does not constitute an amendment to the PDPA.
  9. The Processor shall be fully responsible to the Entruster for fulfilling the obligations under the personal data processing agreement entered into between the Processor and the sub-processor. If the sub-processor fails to comply with its data protection obligations, the full responsibility to the Entruster for the fulfilment of the obligations of such sub-processor shall rest with the Processor.
  10. The Processor takes into account the nature of the processing, assists the Entruster by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Entruster’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III of the GDPR, in accordance with Article 28(3) point e of the GDPR. The Processor is neither entitled nor obliged to respond directly to the requests of the data subjects.
  11. The Processor assists the Entruster in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the Processor, in accordance with Article 28(3) point f of the GDPR. In particular:
    1. 11.1. [Data breach concerning data processed by the Entruster] In the event of a personal data breach concerning data processed by the Entruster, the Processor shall assist the Entruster:
      1. 11.1.1. in notifying the personal data breach to the competent supervisory authority, without undue delay after the Entruster has become aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
      2. 11.1.2. in obtaining the following information which, pursuant to Article 33(3) of the GDPR, shall be stated in the Entruster’s notification, and should include:
        1. 11.1.2.1. the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned; 
        2. 11.1.2.2. the likely consequences of the personal data breach;  
        3. 11.1.2.3. the measures taken or proposed to be taken by the Entruster to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

          Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

 

  1. 11.1.3. in complying, pursuant to Article 34 of the GDPR, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
  1. 11.2.[Data breach concerning data processed by the Processor] In the event of a personal data breach concerning data processed by the Processor, the Processor shall notify the Entruster without undue delay but no later than 24 hours after the Processor having become aware of the breach. Such notification shall contain:
    1. 11.2.1. a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);
    2. 11.2.2. the details of a contact point where more information concerning the personal data breach can be obtained;
    3. 11.2.3. its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.
      Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.
  1. The Processor makes available to the Entruster all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Entrusteror another auditor mandated by the Entruster, in accordance with Article 28(3) point h of the GDPR and under the conditions set out in §5 below.
  2. The Processor shall immediately inform the Entruster if, in its opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions. 

§5 Audits

  1. The Entruster is entitled to carry out, not more than once during each subsequent calendar year, an audit of the security of personal data processing, in terms of compliance of their processing with the PDPA and applicable law, in particular the GDPR.
  2. The basic form of auditing is an audit carried out by electronic means. It consists in sending by the Entruster to the Processor questions regarding the compliance of the processing by the Processor of the entrusted personal data with the PDPA, the GDPR or the provisions of generally applicable law on the protection of personal data, including the security measures applied. The Processor is obliged to answer the Entruster’s questions, insofar as this is possible, within 30 days of receiving them.
  3. After the audit referred to in point 2 above, the Entruster, if necessary, is entitled to conduct an audit in a different form. After receiving a request to conduct such an audit, the Parties will determine the date of its commencement (which may not take place earlier than 10 business days from receipt of the Entruster’s request), its exact scope, and persons authorised to conduct it.
  4. Audits will be carried out during the working hours of the Processor’s business, to the extent and in the area necessary for the processing of personal data, without prejudice to the normal conduct of business by the Processor, the business secrets of the Processor and confidential information belonging to third parties. The Entruster undertakes to keep the above-mentioned information confidential. Before starting the audit activities, the Parties (and an external auditor appointed by the Entruster, if applicable) will sign an appropriate confidentiality agreement.
  5. The costs of the audit are borne by the Entruster.

§6 Data transfer outside the European Economic Area

  1. The Processor shall not transfer personal data entrusted by the Entruster outside the European Economic Area.
  2. In situations where the Entruster processes personal data or has an establishment outside the European Economic Area (hereinafter: EEA) and therefore a transfer of personal data is necessary as referred to in §6(1) of the PDPA, the standard contractual clauses referred to in Commission Implementing Decision (EU) 2021/914 of June 4, 2021 on standard contractual clauses for the transfer of personal data to third countries under Regulation (EU) 2016/679 of the European Parliament and of the Council, with the following content, shall apply:
  1. when personal data is transferred outside the EEA to the Entruster, which is the processor in relation to such data – link,
  2. when personal data is transferred outside the EEA to the Entruster, who is the Controller of such data – link.
  1. An amendment to the “List of sub-processors” appendix does not constitute an amendment to the PDPA.
  2. If it is necessary to conclude the standard contractual clauses referred to in § 6(2) of the PDPA in written form, the Processor shall forward the request to conclude them in this form to the Processor at dpo@salesmanago.com
  3. Standard contractual clauses referred to in §6(2) of the PDPA apply only in the absence of a decision pursuant to Article 45(3) GDPR. 

§7 Liability

  1. Each Party shall be liable for any damage caused to the other Party or to any third parties in connection with the performance of this PDPA, pursuant to provisions of the GDPR or this PDPA.  
  2. The Processor shall not be responsible for the personal data provided by the Entruster beyond the scope specified in §3(1) of the PDPA unless the Entruster indicates the new scope of data in the Order Form. To avoid any doubts, the Processor shall be responsible for the personal data specified in the Order Form to the same extent as the data specified in §3(1) of the PDPA.
  3. In the event of damage caused by actions undertaken by the Processor,  the Processor shall be liable as guilty of the actual damage incurred by the Entruster. In no event shall the aggregate liability of the Processor arising out of or related to the PDPA exceed PLN 10. In no event will Processor have any liability arising out of or related to the PDPA for any lost profits, revenues, goodwill, or indirect, special, incidental, consequential, cover, business interruption or punitive damages. The foregoing disclaimer will not apply to the extent prohibited by law.
  4. The Processor shall be excluded from liability for adequately securing personal data in accordance with this PDPA in the part of the information system administered by the Entruster.  

§8 Representatives of the Parties

For the purposes of implementing this PDPA, the Entrusterand the Processor appoint a contact person:

  1. The Entruster: contact person and e-mail address indicated during Registration.
  2. The Processor: email: dpo@salesmanago.com
  • – the indicated person may be changed at any time via email. Such change does not constitute an amendment to the PDPA.

§9 Final provisions

  1. The Processor shall not charge any additional fees for the performance of any of the provisions of this PDPA. 
  2. This PDPA is concluded for the duration of the Agreement and for the performance of all obligations under this PDPA.
  3. In the event of terminating the Agreement, the Entruster shall, within 7 days of the date of expiry hereof, individually secure any personal data entrusted to Processor for processing. 14 days following the date of expiry of the PDPA, the Processor shall permanently delete any and all records containing personal data entrusted for processing, made in connection with or while performing the Agreement in accordance with Article 28(3) point g of the GDPR.
  4. The Parties declare that any previously signed agreements regarding the processing of personal data are revoked and replaced by this PDPA. 
  5. Any issues falling outside the scope of this PDPA shall be governed by the provisions of the GDPR.