Conditions for the processing of personal data
In accordance with the laws on personal data protection, the Provider, acting as a processor, performs processing of personal data for the User, acting as a controller, according to the instructions of the User.
Subject-matter of processing, categories of data subjects and type of personal data
- The subject-matter of the processing is the personal data of the Customers entered into the Service by the User or processed by the Provider on its behalf, especially identification data, addresses, contact details, information about the Customer’s transactions within its relationship with the User, information about Customer’s actions within the User’s website, content of the Communications, Customer’s activity relating to the received Communications and, where applicable, other data provided by the User to the Provider and relating to the Customer (hereinafter the ”personal data”)
- The extent to which the Customer’s personal data is processed in each particular case shall always be determined solely by the User.
Nature, purpose and means of the processing
- The Provider processes personal data by automated means using statistical methods for the purpose of creating individualized Communications for the Customers, sending statistical methods for the purpose of creating individualized Communications to the Customers and for evaluating business campaigns’ results.
Duration of the processing
- The processing of personal data by the Provider will be performed for the term of the Agreement. The Provider undertakes to perform its obligations regarding the protection of personal data for the entire term of the Agreement, unless it is apparent from the provisions of the Agreement that they should continue to be in effect after its expiry.
- The personal data will be erased by the Provider upon the User’s instruction, but no later than 30 days after the termination of the Agreement. Until that time, the User is entitled to download a copy of the personal data.
Representations of the User
- The User represents and warrants that, as a controller of the personal data of the Customers, he fulfils all his obligations under the laws on personal data protection at the date of conclusion of the Agreement, in particular:
- processes personal data on the basis of proper titles and has a valid legal title for the processing of personal data of the Customers for the purpose, to the extent, by means and in the manner specified by the User in accordance with these Conditions for the processing of personal data;
- informs the Customers about the processing of their personal data, to the extent stipulated by the laws on personal data protection;
- enables the Customers to exercise their rights under the laws on personal data protection;
- liquidates the personal data as soon as the purpose for which it was processed will have ceased;
- fulfils all his other obligations under the laws on personal data protection;
- within 24 hours of receiving, the User will send the Provider by automated means via the Services interface information about any withdrawals of the Customer’s consent to the processing of personal data, objections to the processing of personal data, revocations of consent to the sending of the Commercial Communications and other acts affecting the possibility of processing the Customer’s personal data according to the Agreement, and will always respect these;
- within 24 hours of receiving the information from the Provider that Customer’s consent to the processing of personal data has been withdrawn, any objections to the processing of personal data were made, consent to the sending of Commercial Communications has been withdrawn or any other acts affecting the processing of personal data of the Customers according to the Agreement were made, responds adequately to these and always respects these;
and undertakes to perform these obligations throughout the duration of the Agreement in accordance with applicable laws. Annex No. 1 to these Conditions for the processing of personal data contains a general manual for the processing of personal data, which does not bind the User but may be used when processing the Customer’s personal data;
- Should damage (material or non-material) be incurred by the Provider as a result of non-compliance with the User’s obligations under the laws on personal data protection, the User undertakes to fully compensate the Provider for this damage. For the purpose of this provision the damage incurred by the Provider means in particular: (i) compensation for damage (material or non-material) to data subjects defined in the laws on personal data protection and (ii) fines imposed by The Office for Personal Data Protection or other administrative authority.
General principles of personal data processing
- The Provider in connection with the processing of personal data:
- processes personal data solely on the basis of the User’s instructions made via the interface of the Services provided or other means, including transfer of personal data to a third country or to an international organization, unless such processing is already provided by the applicable laws, which apply to the User; in this case the Provider informs the User of this legal requirement prior to processing, unless this legislation prohibits this disclosure for the important reasons of public interest;
- does not process personal data obtained for the purpose of providing the Services for Provider’s own purposes;
- ensures that persons authorized to process personal data are bound by contractual duty of confidentiality or subject to statutory duty of confidentiality;
- does not engage any other processor without prior specific or general written authorisation of the User;
- takes into account the nature of the processing;
- assists the User through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the User’s obligation to respond to requests for exercising the Customer’s rights;
- assists the User in ensuring compliance with the User’s obligations to ensure appropriate level of processing security and to report personal data security breaches to supervisory authority and, where applicable, to the Customers, to assess the impact on the protection of personal data and to conduct previous consultations with the supervisory authority when taking into account the nature of the processing and data available to the Provider;
- in accordance with the User’s decision, either erase or return all personal data to the User upon termination of the Services connected with processing of the personal data and delete existing copies unless the applicable laws require the personal data to be stored; and
- provides the User with all the information necessary to demonstrate that the obligations set forth in these Conditions for the processing of personal data have been met and allows audits, including inspections, performed by the User or other auditor authorized by the User and contributes to such audits;
whereas the Provider’s activities stipulated in letters f), g) and i) will be paid according to the prices for the provision of the Consultancy Support Services provided in the Specification.
- In relation to the processing of personal data, the Provider shall keep records of all categories of processing activities performed for the Users, which include:
- the name and contact details of the Provider, the User and where applicable, of the Provider’s or the User’s representative, and the data protection officer;
- the categories of processing carried out on behalf of the Provider;
- where applicable, transfers of personal data to a third country or an international organisation; and
- a general description of the technical and organizational security measures.
The Provider undertakes to make the records available to the User upon written request by the User.
Personal data security
- The Provider has adopted and maintains such technical and organizational measures as to prevent unauthorized or accidental access to personal data, modification, destruction or loss of personal data, unauthorized transmissions, other unauthorized processing or any other misuse of personal data.
- The Provider has in particular adopted and is maintaining the following measures to ensure a level of security:
- the pseudonymisation of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services – the measures put in place and their correct functioning will be regularly monitored;
- the ability to restore the availability and access to personal data in a timely manner and in the event of physical or technical incidents;
- the process of regular testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing;
- multi-level firewall;
- antivirus protection and unauthorized access control;
- encrypted data transfer via IT technologies;
- access to personal data only for the Provider’s authorized persons;
- servers with personal data locked in the server room; and
- backups of data transferred to another location by encrypted transmission with the access of the Provider’s authorized persons only.
- The Provider may allow the User to access the User’s data, including the Customer’s personal data, through the API. In this case, the User is required to ensure that only the authorized personnel can access the API. The Provider is not responsible for any data loss or privacy violation in the event of API being misused and in the event of data misuse after being available via the API.
- In the event the Provider detects any personal data breaches, the Provider will report them to the User without an undue delay.
Special provisions for providing Mailkit Agency Service
- In case the Mailkit Agency Service is provided, the following provisions of this Article will apply. However, these provisions will not apply in cases where both the Agency and the Clients together form a single natural or legal person; in such case, the Agency (Clients) will, as the User, fully comply with the other articles of these Conditions for the processing of personal data.
- The controller of personal data of the Customers is always the Client, with the Agency acting as a processor and the Provider acting as another person involved in the processing of personal data.
- The Agency will oblige the Client to fulfil the User’s obligations under the Conditions for the processing of personal data no later than at the moment of the first use of the Services by the Client. The Agency is liable to the Provider for the proper performance of the obligations under this article by the Client.
- The Agency declares that it has the permission of the Client as a personal data controller to engage the Provider, as another person involved in the processing of personal data, in the processing of personal data. At the same time, the Agency represents that a contract concluded between the Client as a personal data controller and the Agency as a personal data processor complies with legal requirements for a contract between the controller and the processor of personal data and as a processor always complies with this legislation. The Agency is entitled to use these provisions of the Conditions for the processing of personal data for setting up the contractual relationship with the Client.
- The provisions of these Conditions for the processing of personal data governing the relationship between the Provider and the User shall apply equally to the relationship between the Provider and the Agency.
- This current version of the Conditions for the processing of personal data is valid and effective from May 1, 2017.