Personal Data Processing Agreement



Concluded on 29.04.2020 in Wrocław between:

1. SONDA SPORTS SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ with its registered seat in Wrocław, postcode: 53-609, address: ul. Wagonowa 2C, with documentation stored at the District Court Wrocław-Fabryczna in Wrocław, 6th Commercial Division of the National Court Register, KRS number: 0000506708, with share capital amounting to: PLN 75,000.00, with NIP tax identification number: 8971798074, represented by: Wojciech Ganczarski - President of the Management Board and Emilia Pobiedzińska - Vice-President of the Management Board, hereinafter referred to as the "Personal data administrator"

2. SALESMANAGO (, hereinafter referred to as the "Processing entity"

§ 1

1. The Parties declare that, as at 29.04.2020, they concluded an agreement on CRM and marketing automation services, which might lead to the need to process personal data.

2. The Administrator outsources processing of personal data to the Processing entity pursuant to art. 28 of GDPR, solely for the purposes of the concluded agreement.

3. This agreement should be deemed as a documented personal data processing order.

4. The Processing entity undertakes to process personal data pursuant to GDPR, other applicable laws and this agreement.

5. The Processing entity declares that it possesses appropriate technical and organisational resources to ensure the required degree of security during the data processing procedure.

§ 2

1. The Processing entity is authorised to process the following categories of personal data: full name, e-mail address, thelephone number, data collected by the application, cookies and other related information.

2. The Processing entity is authorised to process data of the following categories of individuals: clients, subscribers, employes, associates, website visitors.

3. The Processing entity is not authorised to process special categories of data within the meaning of art. 9 section 1 of GDPR (racial or ethnic origin, political opinions, religious or philosophical beliefs, affiliation with trade unions and processing genetic or biometric data to identify unambiguously the given natural person, or data concerning the health, sexuality or sexual orientation of such person) as well as data concerning convictions or infringements of law within the meaning of art. 10 of GDPR.

4. Personal data are processed for the purpose of correct performance of the main agreement.

5. The administrator might give its general consent to the Processing entity's use of the services of other processing entity.

6. In case of a general written consent the processing entity informs the administrator about any planned changes regarding adding or replacing processing entities so that the administrator might object to such changes.

7. If the Processing entity uses services of other processing entity to perform specific processing activities on behalf of the administrator, that other processing entity shall have the same data protection obligations as the obligations that apply in the agreement between the administrator and the Processing entity, in particular the obligation to ensure sufficient guarantees of implementing appropriate technical and organisational measures - if the other processing entity does not meet its data protection obligations, the full responsibility towards the administrator for meeting this other processing entity's obligations shall lie with the original Processing entity.

§ 3

1. The Processing entity undertakes permanently to keep the personal data entrusted to it confidential.

2. The Processing entity declares that every individual who is authorised to process the entrusted personal data shall be obligated to keep these data confidential permanently.

3. The confidentiality obligation also applies to all information on the methods of securing the personal data subjected to processing.

§ 4

1. The Processing entity cooperates with the Personal data administrator in ensuring security of personal data.

2. The Processing entity takes all measures required pursuant o art. 32 of GDPR (security of processing), and in particular it implements appropriate technical and organisational measures in order to ensure the degree of security corresponding to risk related to the processing of data.

3. The Processing entity uses the appropriate technical and organisational measures to assist the administrator in meeting the obligation of responding to requirements of the given data subject regarding performance of their rights, listed in chapter III of GDPR.

4. The Processing entity assists the Administrator in meeting the obligations listed in art. 32 of GDPR (security of processing), art. 33 of GDPR (reporting violations of personal data protection to a supervisory authority), art. 34 of GDPR (informing the data subject about violations of personal data protection), art. 35 of GDPR (assessment of consequences to data protection), art. 36 of GDPR (consultations with a supervisory authority).

5. After the termination or expiry of this agreement the Processing entity shall be obliged to immediately return the data entrusted to it and to remove all existing copies made for the purposes of day-to-day operations, unless the law requires that it stores such personal data.

6. The Processing entity informs the Personal data administrator if it finds that it receives an order that infringes GDPR or other provisions of law.

7. The Processing entity informs the Personal data administrator about any suspected infringement of data protection within 24 hours from the moment of infringement.

§ 5

1. The Personal data administrator undertakes to cooperate with the Processing entity in performance of this agreement in order to ensure protection and security of personal data.

2. The Personal data administrator makes explanations in case of the Processing entity's doubts as to the lawfulness of the orders or instructions given to it.

3. The Personal data administrator updates transferred personal data so that they are correct.

§ 6

1. The Personal data administrator reserves the right to control the method of implementation of this Agreement.

2. The Processing entity shall provide all information necessary to evidence its compliance with its contractual obligations.

3. The Processing entity shall enable an inspection of its data processing procedure.

§ 8

1. This Agreement is concluded for the term of one year.

2. Each of the Parties might terminate this agreement with 1 month's notice if processing of the personal data entrusted by the Administrator to the Processing entity is no longer necessary.

3. The Personal data administrator reserves the right to terminate this agreement with immediate effect if the Processing entity processes the personal data in violation of this agreement, GDPR or other generally applicable provisions of law.

§ 9

1. This agreement has been drawn up in two identical copies, one for each of the Parties.
2. The provisions of GDPR and other generally applicable provisions of law, in particular the personal data protection act of May 10th 2018 (Journal of Laws of 2019, item 1781, as amended) shall apply to any matters not covered by this Agreement.