UF Group Sp. z o. o. Limited liability company, with its registered office at ul. Brzóski 8/10 91-315
Łódź, KRS: 0001027769, NIP: 7262697810, REGON: 525141010,
(hereinafter collectively referred to as: “Parties”)
by completing the form provided by the Administrator in the IT system of the Processor.
The parties conclude this agreement for entrusting the processing of personal data in connection
with the main agreement, under which the Processor provides the Administrator with services
related to the processing of personal data by the Processor, within the scope and under the
conditions set out in the main agreement.
§1. Definitions
- GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016
on the protection of natural persons with regard to the processing of personal data and on the free
movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
- Administrator – administrator within the meaning of Art. 4 point 7 GDPR.
- Personal data – personal data within the meaning of Art. 4 point 1 GDPR.
- Entrusted personal data – Personal data specified in §2 section 2 of the Entrustment agreement.
- Processing entity – Processing entity within the meaning of Art. 4 point 8 GDPR.
- Processing – processing of personal data within the meaning of Art. 4 point 2 GDPR.
- Sub-entrustment – further entrusting of the processing of personal data by the Processor to a
further processor.
- Breach of personal data protection – breach of personal data protection within the meaning of Art.
4 point 12 GDPR.
- Main contract – contract for the provision of Services concluded on the basis of the Regulations of
using the website ultrasfactory.com.
- Entrustment agreement – this agreement for entrusting the processing of personal data,
constituting, in accordance with the will of the Parties, an integral part of the main contract.
§2. Subject of the contract
- This agreement specifies the conditions for the Processing by the Processing Entity on behalf of the
Administrator of the entrusted personal data specified below in §2 section 2 to the extent necessary
to perform the services specified on the basis of the main contract.
- The Administrator entrusts the Processor with the processing of the following personal data:
2.1. Type of personal data covered by the Agreement:
a) identification and address data of recipients of postal items (name and surname, country, city,
street, house number, apartment number, postal code, telephone number);
b) identification and address data of the senders of postal items (name and surname, country, city,
street, house number, apartment number, postal code, telephone number);
c) Unstructured data – content with potential and probable personal data content (data related to
the content of correspondence, such as text documents, images).
d) If it is necessary to add an additional type of personal data not indicated on the list above, the
Administrator will inform the Processor about it in writing, and each modification of the personal
data indicated on the list does not require an annex to this agreement, but only a written statement
of the Administrator submitted to the Processor with a precise indication of the type of personal data
that is additionally entered.
2.2. Categories of persons whom the personal data concern:
- Recipients and senders of postal items:
- employees of the Administrator and the Administrator’s affiliates;
- clients or potential clients of the Administrator;
- people with whom the Administrator interacts socially;
- contractors (recipients and suppliers) and commercial partners of the Administrator;
- Administrator’s subscribers.
- The processing entity will process the entrusted personal data within the scope of services
provided under the main contract.
- The Administrator entrusts the processing of personal data for the purpose of performing the
main contract.
§3. Processing of entrusted personal data by the Processor
- The processor will process the entrusted personal data only for the purpose, within the scope and
under the conditions specified in the entrustment agreement.
- The Parties agree that the Entrusted personal data will be processed in accordance with the
Administrator’s instructions, which should be sent to the Processing Entity in writing. Instructions
given in any other form are not binding until they are sent in the agreed form. The deadline for
implementing each order should be agreed by the Parties. An order that concerns a change in the
scope or method of providing services or the provision of an additional service is treated as an order
to the Processor for an additional service, for the provision of which it may request additional
remuneration. Such an order may only be submitted after both Parties have concluded an
appropriate agreement and for the agreed remuneration.
- The Processing Entity will inform the Administrator if it considers that the instruction given to it
in accordance with §3 section 2 should be deemed inconsistent with the GDPR or other personal data
protection regulations.
§4. Processing period
- The entrusted personal data will be processed by the Processor during the term of the main
contract, subject to §4 section 2 and section 3.
- Data specified in §2 section 2.1 lit. c) will be processed for a period of 3 months, while the data
specified in §2 section 2.1 lit. a) for a period of 3 years from the provision of the service resulting
from the main contract related to the processing of the entrusted personal data.
- After termination of the main contract or after completion of the provision of the service related
to the processing of entrusted personal data, subject to section 2, the Processing Entity is obliged to
delete or return to the Administrator – depending on the Administrator’s decision – the entrusted
personal data, as well as to delete all existing copies thereof, unless generally applicable regulations
require the storage of such personal data. In the absence of the Administrator’s decision taken no
later than on the date of termination of the contract or termination of the provision of the service, it
is deemed that he has made a decision to delete the data.
- If the scope of the entrusted personal data is changed or limited, section 3 shall apply accordingly
to personal data which, as a result of this change or restriction, will no longer be entrusted to the
Processing Entity.
§5. Obligations of the Processor
- The processing entity undertakes to comply with the entrustment agreement and the relevant
legal provisions applicable to the processing of personal data that is the subject of the entrustment
agreement, in particular, undertakes to comply with the obligations of the Processor arising from
the GDPR.
- The processing entity ensures that persons authorized by it to process personal data have
undertaken to maintain secrecy or are subject to an appropriate statutory obligation to maintain
secrecy.
- The processing entity declares that it provides the necessary guarantees to implement appropriate
technical and organizational measures to ensure compliance with the GDPR and protect the rights of
data subjects.
- In terms of assistance to the Administrator in fulfilling the obligation to report a personal data
breach to the supervisory authority and to notify data subjects of the personal data breach, referred
to in Article 28 section 3 letter f) GDPR, taking into account the nature of processing and the
information available to it, the Processor is obliged to:
4.1. report to the Administrator without undue delay, to the e-mail address provided by the
Administrator, any data protection violations detected by the Processor in connection with the
performance of the Entrustment Agreement;
4.2. provide the Controller, if possible, with additional information regarding the personal data
protection breach identified and reported by the Processor, to the extent necessary for the
Controller to determine the likelihood of a risk of violating the rights and freedoms of persons whose
personal data are subject to the breach, and to the extent necessary to report personal data
protection breaches to the supervisory authority or to notify data subjects of personal data breaches
in accordance with Art. 33 and 34 of the GDPR – at the Administrator’s written request.
- In the event of a breach of personal data protection caused by the fault of the Processing Entity or
the fault of a subcontractor of the Processing Entity, the Processing Entity will review the technical
and organizational measures used and, if necessary and if possible, will introduce appropriate
changes in order to prevent the recurrence of such personal data protection breach in the future.
- The Processor undertakes to send to the Administrator any application or correspondence from a
person whose data the Processor processes under the entrustment agreement, including a request
to exercise the rights of the data subject specified in Chapter III of the GDPR, for further processing
by the Administrator, unless otherwise provided for in applicable law.
§6. Administrator rights
- During the term of the main contract, the Administrator is entitled to submit inquiries for
information specified in §5 and to request – to the extent not exceeding the reasonable limits of
these activities – that the Processor provides information regarding the manner of performing the
contract for entrusting the processing of personal data.
- The Administrator is entitled to submit requests for information regarding personal data
protection breaches referred to in §5 section 4 by written correspondence.
- The Processing Entity enables the Administrator to conduct audits to determine whether the
measures used by the Processing Entity in processing and securing the entrusted personal data meet
the provisions of the contract, subject to the following conditions:
3.1. The Administrator will notify the Processor in traditional written form of the intention to conduct
an audit.
3.2. The Controller’s auditor cannot be an entity conducting business activity competitive to the
Processing Entity, nor an entity related to it, its employee or an entity/person cooperating with it,
regardless of the basis of employment or cooperation.
3.3. The Processor may make the participation of an auditor or a designated employee of the
Administrator in the audit conditional on the prior conclusion of an appropriate confidentiality
agreement.
3.4. During the audit, the Administrator and the auditor are obliged to comply with the internal
procedures and policies of the Processor or the Processor’s subcontractor regarding security and
confidentiality.
3.5. The audit may not include information or documents relating to other clients of the Processing
Entity, nor may it aim or result in the Administrator gaining access to personal data other than the
entrusted personal data.
3.6. The audit should not be conducted more often than once a calendar year and should not last
longer than 3 days.
3.7. The Administrator bears all costs related to audits carried out at its own request, including the
full costs of the auditor.
- The Administrator should use the rights specified in this Entrustment Agreement in such a way as
not to disrupt the performance of the main contract and the ongoing operations of the Processor
and its subcontractors. In the event of disruption to the ongoing operations of the Processor, the
Processor may interrupt the audit process while it is in progress.
- The processor is obliged to actively participate in the audit and cooperate appropriately
with the Administrator and auditor.
§7. Administrator’s declarations and obligations
- The Administrator declares that he processes personal data on his own behalf, as well as on behalf
of another Administrator or other Administrators on the basis of an appropriate contract, and
guarantees that they are processed by him in accordance with the law.
- The Administrator declares that he is entitled to entrust the processing of personal data and
undertakes to ensure that at the time of transferring personal data to the Processing Entity, there
will be a valid legal basis for their processing, in that each consent is given expressly, voluntarily,
unambiguously and based on the information obtained in this regard. At the request of the
Processor, the Administrator undertakes in writing to indicate and/or document the basis for the
processing of personal data.
- By concluding this agreement, the Administrator instructs the processing of personal data to the
Processing Entity, as well as to any person acting under the authorization of the Processing Entity
who has access to the entrusted personal data, which constitutes a documented instruction within
the meaning of Art. 28 section 3 letter a in connection with Art. 29 GDPR.
- The Administrator undertakes to comply with the entrustment agreement and the relevant legal
provisions applicable to the processing of personal data, in particular undertakes to comply with the
Administrator’s obligations arising from the GDPR.
§8. Sub-entrustment of data
- The Administrator grants general consent to further sub-entrusting of the Entrusted personal data
to entities through which the Processor provides the service (so-called further processors). The
Processor will maintain a full and complete list of sub-processors, which is available for inspection at
the registered office of the Processor.
- The Administrator authorizes the Processor to grant authorizations, issue instructions and
commands within the meaning of Art. 29 GDPR in relation to further processors.
- The Processing Entity shall inform the Administrator about any intended changes regarding the
addition or replacement of further processing entities no later than 7 days before their introduction,
and the Administrator may raise an objection to such changes within this period, explaining the
grounds for not granting acceptance to the new entity. Due to the nature of the service provided
under the main contract, in the event of an objection, the Administrator accepts that the Processor
will have the right to terminate the main contract with immediate effect.
- The processor may only use the services of such further processors that provide a sufficient
guarantee of implementing appropriate technical and organizational measures so that the processing
meets the requirements of the GDPR and protects the rights of data subjects.
- The Administrator also consents to making the entrusted personal data available to other entities
that will become administrators of these data, to the extent that such disclosure is necessary to
perform the service ordered by the Administrator. This applies in particular to the provision of
entrusted personal data to postal operators who, pursuant to legal provisions, are entitled to process
the data of senders and recipients of parcels in connection with the service provided, inter-operator
settlements or other obligations imposed by law.
- If a subcontractor of the Processing Entity fails to fulfill its obligations to protect the entrusted
personal data, the Processing Entity shall be liable to the Administrator for the subcontractor’s failure
to fulfill its obligations as well as for its own actions and omissions.
§9. Liability of the Parties to the Agreement
- The Administrator is responsible for the proper performance of the duties of the Personal Data
Administrator in accordance with the GDPR, other applicable personal data protection regulations
and this entrustment agreement.
- The processing entity is responsible for the proper performance of its obligations in accordance
with the GDPR, other applicable personal data protection regulations and this entrustment
agreement.
- Neither party will be liable to the other for any accidental damages that could not have been
foreseen by exercising reasonable care.
- Neither party shall be liable to the other party for:
4.1. errors or delays beyond the reasonable control of the non-performing party, including general
network access delays, power failures or machinery failures;
4.2. errors caused by the other party’s systems or acts, omissions or negligence for which that party
is solely responsible.
- The total and maximum liability of either party to the other party in claims in connection with the
performance of the main contract and this contract or in connection with any transaction
contemplated by the contract in any twelve (12) month period shall in no event exceed an amount
equal to the total amount paid for services under the main contract for the twelve (12) month period
preceding the event giving rise to liability.
- The above limitations do not apply to damages caused by fraud, gross negligence or willful
misconduct.
- The Processor’s liability for carrying out the Administrator’s instructions which are inconsistent with
the GDPR or other provisions on the protection of personal data and in connection with the
Administrator’s instructions which were not submitted in accordance with §3 section 2 is excluded.
- The provisions of §9 shall remain in force after the termination or expiration of the entrustment
agreement.
§10. Information obligation
- In order to fulfill the information obligation of the Processing Entity towards the Administrator’s
employees, whose data such as name and surname will be processed in connection with the
implementation of the main contract, the Administrator undertakes to familiarize the employees
designated to contact the Processing Entity with the following information clause:
Information clause
Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of
27 April 2016 (hereinafter referred to as GDPR) we inform you that:
- UF Group Sp. z o. o. Limited liability company, with its registered office at ul. Brzóski 8/10 91-315
Łódź, (hereinafter referred to as Ultrasfactory.com).
- Your personal data, such as name and surname, will be processed by Ultrasfactory.com in order to
implement the contract concluded with your employer.
- Personal data will be processed pursuant to Art. 6 section 1 letter f GDPR.
- Personal data will be stored for the duration of the contract referred to in point 2.
- ultrasfactory.com may transfer your personal data to third parties in connection with the
implementation of the contract referred to in point 2.
- You have the right to access your personal data, request rectification, deletion, restriction of
processing, the right to object, and the right to transfer data in accordance with the provisions of the
GDPR.
- You have the right to lodge a complaint with the supervisory authority – the President of the
Personal Data Protection Office.
- The processing of your data in an automated manner may only take place for the purposes of
implementing the contract referred to in point 2.
- The rights indicated in point 6 can be exercised by sending an appropriate request to the e-mail
address support@ultrasfactory.com with the note GDPR.
- Contact to the Data Protection Inspector: support@ultrasfactory.com
§11. Final Provisions
- The entrustment agreement enters into force with effect from the date of entry into force of the
main agreement, constitutes an integral part of the main agreement and is concluded for the period
of performance of the main agreement.
- In matters not regulated in this entrustment agreement, the provisions of the GDPR and the
relevant provisions of Polish law will apply.
- Each Party has the right to terminate this Agreement immediately in the event of a breach of the
provisions of the Agreement by the other Party.
- Termination or expiration of the main agreement results in the termination or expiration of the
entrustment agreement, respectively, without the need to submit additional declarations.
Termination of the entrustment agreement before the expiry of the period for which the main
agreement was concluded constitutes the basis for terminating the main agreement without notice.
- The Parties agree that the processing of the entrusted personal data will be carried out only within
the territory of the European Union. The transfer of entrusted personal data by the Processor to a
third country requires the Administrator’s prior consent in written or documentary form, unless such
an obligation is imposed by European Union law or the law of the Member State to which it is
subject.
- All information obligations and updates of processed data categories or the list of further
Processors may be performed in electronic form, e.g. via e-mail.
- The entrustment agreement and the main agreement fully regulate the conditions agreed by the
parties for the processing of entrusted personal data by the Processor in connection with the
provision of services and repeal any previous arrangements made by the Parties in this respect. In
the event of discrepancies between the provisions of the entrustment agreement and the main
agreement, the provisions of the entrustment agreement shall prevail.