DEFINITIONS OF TERMS USED IN THE DATA PROCESSING AGREEMENT
The following capitalized terms used in this Data Processing Agreement shall have the meanings specified below unless the context clearly indicates otherwise:
Controller – means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data;
Personal Data – any information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person;
Data Processing Agreement – this Data Processing Agreement;
Processor – means a natural or legal person, public authority, agency, or other body that processes Personal Data on behalf of the Controller;
Sub-Processing – a situation where the Processor delegates the processing of Personal Data to a third party.
Capitalized terms that are not defined above shall be interpreted according to the definitions in the Terms of Service.
§1. SUBJECT AND PURPOSE OF DATA PROCESSING
In connection with the performance of the Agreement, the User - as the Controller of Personal Data - entrusts ITSM Software with the processing of Personal Data. The purpose of this data processing is to provide the User with access to the System to facilitate, manage, and administer the User’s process of receiving and handling requests.
§2. SCOPE OF PERSONAL DATA ENTRUSTED FOR PROCESSING
The scope of data processing includes, in particular, the following Personal Data: identification data; contact information; data contained in the content of requests submitted through the System (especially concerning violations of law, circumstances, witnesses, etc.); data entered into the System during the handling of a submitted request; and additional data resulting from the User’s individual configuration of the System.
Under the Data Processing Agreement, ITSM Software processes Personal Data of the following categories of entities: Agents; Users; persons indicated in the content of the request; persons assisting in the submission of the request; persons whose personal data will be entered into the System in connection with the handling of a submitted request.
During the term of the Data Processing Agreement, Personal Data will be processed continuously and automatically in electronic form using telecommunication systems. Data processing may include, in particular, the following operations: recording, organizing, structuring, storing, adapting or modifying, retrieving, using, aligning or combining, restricting, deleting, or destroying.
§3. RULES FOR PROCESSING PERSONAL DATA
ITSM Software processes the entrusted Personal Data only based on documented instructions from the User unless ITSM Software is obliged to process the data under Union or Member State law to which ITSM Software is subject. In such a case, ITSM Software will inform the User of the legal obligation before commencing data processing, unless the relevant legal regulations prohibit such information due to an important public interest. In cases of doubt, the Data Processing Agreement also constitutes such documented instructions.
If ITSM Software determines that instructions issued by the User (under the mode specified in this Data Processing Agreement) constitute a breach of GDPR provisions or other Union or Polish data protection laws, ITSM Software will promptly inform the User.
ITSM Software undertakes to issue personalized authorizations to process personal data to individuals granted access to Personal Data entrusted under this Data Processing Agreement. Additionally, ITSM Software ensures that each person authorized by it to process entrusted Personal Data will be required to keep this data and related security measures confidential during and after their employment or cooperation.
ITSM Software, considering the nature of the entrusted Personal Data processing, assists the User - through appropriate technical and organizational measures - in fulfilling the data subject’s rights as outlined in Chapter III of the GDPR.
ITSM Software, taking into account the nature of data processing and the information available to it, assists the User in fulfilling their obligations under Articles 32-36 of the GDPR.
ITSM Software undertakes to maintain a record of processing activities performed on behalf of the User.
ITSM Software will promptly inform the User of any instances involving violations of the entrusted Personal Data protection.
Regardless of the preceding provisions, ITSM Software declares that, considering the state of technical knowledge, implementation costs, nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights or freedoms of natural persons, it will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where applicable:
pseudonymization and encryption of Personal Data;
the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
the ability to restore access to Personal Data in a timely manner in the event of a physical or technical incident;
regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures for ensuring data processing security.
§4. RIGHT TO AUDIT
ITSM Software agrees to make available to the User all information necessary to demonstrate compliance with the obligations set out in the Data Processing Agreement and applicable data protection laws and agrees to allow and contribute to audits, including inspections conducted by the User.
Audits may only be carried out by employees/cooperators authorized in writing by the User or representatives of third parties acting on the User's behalf, provided they are bound by a written confidentiality agreement regarding all information obtained during the audit activities.
Audit activities may only relate to Personal Data entrusted by the User and the tools, infrastructure, and procedures used for this purpose. The manner of conducting the audit may not interfere with other areas of ITSM Software’s operations, including confidential information, contractual obligations, and ITSM Software's cooperation with entities other than the User.
The audit only includes verification of relevant documentation and the right to obtain necessary explanations regarding the execution of the Data Processing Agreement.
An audit may be conducted provided that ITSM Software is notified of the planned audit at least 14 business days before the planned audit date.
§5. SUB-PROCESSING
The User grants ITSM Software general consent to use other processing entities (hereinafter referred to as “Sub-Processor”). ITSM Software will inform the User of any intended changes regarding the addition or replacement of Sub-Processors, allowing the User to object to such changes. If the User does not object within 7 days of receiving the notification from ITSM Software, it is assumed that the User has consented to the Sub-Processing of Personal Data by ITSM Software.
ITSM Software will only use Sub-Processors to whom - under an agreement or other legal act, governed by Union or Member State law - the same data protection obligations as in the agreement between ITSM Software and the User are imposed. Should a Sub-Processor fail to comply with GDPR or the Data Processing Agreement provisions, ITSM Software assumes responsibility, within the limits specified in the Terms of Service, for the Sub-Processor's actions towards the User.
In addition to the above procedure, the User consents to ITSM Software entrusting Personal Data processing to Amazon Web Services EMEA SARL and its distributors and partners, with further sub-processing by this company permitted. The User also acknowledges that ITSM Software’s Services are provided using the external provider’s infrastructure (as mentioned above). The provisions on data processing by Amazon Web Services EMEA SARL are specified in the current documentation available on the Sub-Processor’s website, particularly under the links listed in §7(4) of the Terms of Service.
§6. TERM OF THE AGREEMENT
The Data Processing Agreement is valid for the term of the Agreement and ends upon the termination of the Agreement. Upon Agreement termination, ITSM Software, depending on the User’s instructions, deletes or returns all Personal Data to the User and removes any existing copies thereof unless authorized to further process them as a Controller.
§7. FINAL PROVISIONS
In matters not regulated by the Data Processing Agreement, the provisions of the Terms of Service and generally applicable law shall apply.
