Data Processing Agreement

  1. GENERAL PROVISIONS
    1.1. These terms and conditions define the conditions of the Data Processing Agreement, including in particular: the subject and duration of the entrustment of personal data processing, the nature and purpose of personal data processing, the type of personal data, the categories of data subjects, the conditions for subcontracting the processing of personal data, and the obligations of the Parties to the Agreement.
    1.2. These terms and conditions set out the conditions of the Data Processing Agreement under which the Controller entrusts the Processor with the processing of personal data of Clients and Employees, in connection with the performance by the Processor, on behalf of the Controller, of the service provision agreement related to the Controller’s use of the web application oterion.com, available and operated at: oterion.com (hereinafter: the “Application”).
    1.3. For the purposes of these terms and conditions, the following terms shall have the meanings set forth below:

    • Processor: the Service Provider, i.e., Oterion sp. z o.o., ul. Mogilska 35, 31-545 Kraków, Poland, KRS (National Court Register No.): 0001111726, NIP (TAX ID): PL6751800508;

    • Controller: the User, i.e., the entity that has concluded a service sales agreement with the Processor under the Terms of Service, providing it with access to the Application;

    • Employee: a natural person connected to the Controller by an employment contract or a civil law contract and who has access to the Application (e.g., by having an account created in the Application by the Controller);

    • Personal Data: personal data as understood by generally applicable Polish laws aimed at protecting the personal data of natural persons.


  2. CONDITIONS FOR ENTRUSTING PERSONAL DATA PROCESSING
    2.1. Since the proper performance of services provided by the Controller requires the processing of the Client’s and Employee’s personal data, the Controller entrusts the Processor with the processing of the Client’s and Employee’s personal data. The scope of the entrusted personal data depends on the person entering this data into the Application (the Controller or its authorized Employee) and may include, in particular, data such as first name, last name, position, email address, and phone number.
    2.2 In connection with the performance of the agreement between the Controller and the Processor, the Processor undertakes to process the personal data specified in Section 2.1 solely to the extent necessary to perform the agreement, in particular to the extent necessary for the proper functioning of the Application. The Processor agrees not to use the personal data for any other purpose.
    2.3. The Processor undertakes to process and secure the personal data entrusted to it in accordance with the generally applicable laws in Poland governing the protection of personal data of natural persons. The Processor undertakes to apply technical and organizational measures during data processing to ensure an adequate level of security for the personal data. Depending on the nature of the risk, such security measures include: pseudonymization and encryption of personal data, the ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services, the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident, and regular testing, assessment, and evaluation of the effectiveness of technical and organizational measures ensuring the security of processing.
    2.4. With the exception of Section 2.5, the Processor, in particular, may not copy (other than for backup purposes), distribute, disclose, or use for its own purposes any personal data entrusted to it.
    2.5. The Processor may make the entrusted Client or Employee personal data available to IT sector entities that support the Processor in the proper performance of the agreement, such as an SMS gateway operator, an entity providing email services, and an entity providing technical support for the Application.
    2.6. The Controller consents to the Processor’s entrustment of personal data to an entity providing hosting services on its behalf, to the extent necessary to maintain the Application. In such a case, the Processor undertakes to require such entity to process and secure personal data in accordance with applicable data protection laws and to process data solely for the purpose of providing hosting services.
    2.7. Further entrustment of data processing or making the data available may take place only under conditions ensuring no lesser security measures for the processing of personal data than those established in these Terms and Conditions, and solely within the scope specified in Sections 2.5 and 2.6. Further processing of personal data by another entity may occur only in compliance with applicable personal data protection laws.
    2.8. The Processor ensures that persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.
    2.9. The Controller entrusts the Processor with the processing of personal data for a period equal to the limitation period for claims arising from the primary agreement between the parties. After the expiration of the claims limitation period and in the event of the expiration or termination of the primary agreement by either Party, the Processor is obliged to return the entrusted personal data or delete all copies of such data in its possession, and to take appropriate measures to eliminate the possibility of further processing of the data entrusted under this agreement.
    2.10. The Processor undertakes to promptly notify the Controller of:

    • Any legally authorized request for disclosure of personal data to a competent state authority, unless notifying the Controller is prohibited by law, particularly criminal procedure laws aimed at ensuring the confidentiality of an ongoing investigation;

    • Any unauthorized access to personal data;

    • Any request received from a data subject whose data the Processor is processing, while refraining from responding to such request.

    2.11. The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set forth in the agreement and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor authorized by the Controller.


  3. FINAL PROVISIONS
    3.1. In matters not regulated by these Terms and Conditions, the provisions of generally applicable Polish law shall apply, in particular the Civil Code and personal data protection regulations.
    3.2. The Controller undertakes to provide the Processor, within 14 days from the date of concluding the Data Processing Agreement, if applicable – the names and addresses of the Controller’s representative or co-controller of personal data and the data protection officer. Failure to provide the above information shall be deemed a statement that such entities do not exist or have not been appointed.
    3.3. Any disputes arising from the Data Processing Agreement shall be submitted to the court having jurisdiction over the Processor’s registered office.
    3.4. These Terms and Conditions come into force on December 10, 2024.

Our platform helps businesses like yours manage compliance effortlessly.

Get Started for Free

You can unsubscribe anytime. For more details, review our Privacy Policy.

REGULATIONS

GDPR

EHDS

NIS2

DORA

AI Act

SOON

EAA

SOON

CCPA

INDUSTRIES

Healthcare

Pharmaceuticals and Biotechnology

E-commerce and Retail

Agriculture and Food Production

Technology and Telecommunications

Finance and Banking

Hospitality and Tourism

Media and Entertainment

Transport and Logistics

Insurance

Education

Energy

Manufacturing

RESOURCES

News

Articles

COMPANY

About us

Contact

Our platform helps businesses like yours manage compliance effortlessly.

Get Started for Free

You can unsubscribe anytime. For more details, review our Privacy Policy.

REGULATIONS

GDPR

EHDS

NIS2

DORA

AI Act

SOON

EAA

SOON

CCPA

INDUSTRIES

Healthcare

Pharmaceuticals and Biotechnology

E-commerce and Retail

Agriculture and Food Production

Technology and Telecommunications

Finance and Banking

Hospitality and Tourism

Media and Entertainment

Transport and Logistics

Insurance

Education

Energy

Manufacturing

RESOURCES

News

Articles

COMPANY

About us

Contact

Our platform helps businesses like yours manage compliance effortlessly.

Get Started for Free

You can unsubscribe anytime. For more details, review our Privacy Policy.

REGULATIONS

GDPR

EHDS

NIS2

DORA

AI Act

SOON

EAA

SOON

CCPA

INDUSTRIES

Healthcare

Pharmaceuticals and Biotechnology

E-commerce and Retail

Agriculture and Food Production

Technology and Telecommunications

Finance and Banking

Hospitality and Tourism

Media and Entertainment

Transport and Logistics

Insurance

Education

Energy

Manufacturing

RESOURCES

News

Articles

COMPANY

About us

Contact

© 2025 OTERION

Terms of Service

Privacy Policy

Legal

© 2025 OTERION

Terms of Service

Privacy Policy

Legal

© 2025 OTERION

Terms of Service

Privacy Policy

Legal