Personal data processing agreement

UF Group Sp. z o. o. Limited liability company, with its registered office at ul. Brzóski 8/10 91-315
Łódź, KRS: 0001027769, NIP: 7262697810, REGON: 525141010,
(hereinafter collectively referred to as: “Parties”)

by completing the form provided by the Administrator in the IT system of the Processor.

The parties conclude this agreement for entrusting the processing of personal data in connection
with the main agreement, under which the Processor provides the Administrator with services
related to the processing of personal data by the Processor, within the scope and under the
conditions set out in the main agreement.

§1. Definitions

  1. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
    on the protection of natural persons with regard to the processing of personal data and on the free
    movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
  2. Administrator – administrator within the meaning of Art. 4 points 7 GDPR.
  3. Personal data – personal data within the meaning of Art. 4 points 1 GDPR.
  4. Entrusted personal data – Personal data specified in §2 section 2 Entrustment agreements.
  5. Processing entity – Processing entity within the meaning of Art. 4 points 8 GDPR.
  6. Processing – processing of personal data within the meaning of Art. 4 points 2 GDPR.
  7. Sub-entrustment – further entrusting of the processing of personal data by the Processor to a
    further processor.
  8. Breach of personal data protection – breach of personal data protection within the meaning of Art.
    4 points 12 GDPR.
  9. Main contract – contract for the provision of Services concluded on the basis of the Regulations of
    using the website ultrasfactory.com
  10. Entrustment agreement – this agreement for entrusting the processing of personal data,
    constituting in accordance with
    with the will of the Parties, an integral part of the main contract.

§2. Subject of the contract

  1. This agreement specifies the conditions for the Processing by the Processing Entity on behalf of the
    Administrator of the entrusted personal data specified below in §2 section 2 to the extent necessary
    to perform the services specified on the basis of the main contract.
  2. The Administrator entrusts the Processor with the processing of the following personal data:
    2.1. Type of personal data covered by the Agreement:
    a) identification and address data of recipients of postal items (name and surname, country, city,
    street, house number, apartment number, postal code, telephone number);
    b) identification and address data of the senders of postal items (name and surname, country, city,
    street, house number, apartment number, postal code, telephone number);
    c) Unstructured data – content with potential and probable personal data content (data related to
    the content of correspondence, such as text documents, images).
    d) If it is necessary to add an additional type of personal data not indicated on the list above, the
    Administrator will inform the Processor about it in writing, and each modification of the personal
    data indicated on the list does not require an annex to this agreement, but only a written statement
    of the Administrator submitted to the Processor with a precise indication of the type of personal data
    that is additionally entered.
    2.2. Categories of persons to whom personal data concern:
  • Recipients and senders of postal items:
  • employees of the Administrator and the Administrator’s affiliates;
  • clients or potential clients of the Administrator;
  • people with whom the Administrator interacts socially; • contractors (recipients and suppliers) and
    commercial partners of the Administrator;
  • Administrator’s subscribers.
  1. The processing entity will process the entrusted personal data within the scope of services
    provided under the main contract.
  2. The Administrator entrusts the processing of personal data for the purpose of performing the
    contract
    main page.

§3. Processing of entrusted personal data by the Processor

  1. The processor will process the entrusted personal data only for the purpose, within the scope and
    under the conditions specified in the entrustment agreement.
  2. The Parties agree that the Entrusted personal data will be processed in accordance with the
    Administrator’s instructions, which should be sent to the Processing Entity in writing. Instructions

given in any other form are not binding until they are sent in the agreed form. The deadline for
implementing each order should be agreed by the Parties. An order that concerns a change in the
scope or method of providing services or the provision of an additional service is treated as an order
to the Processor for an additional service, for the provision of which it may request additional
remuneration. Such an order may only be submitted after both Parties have concluded an
appropriate agreement and for the agreed remuneration.

  1. The Processing Entity will inform the Administrator if the instruction given to it in accordance with
    §3 section 2, acknowledge
    should be deemed inconsistent with the GDPR or other personal data protection regulations.

§4. Processing period

  1. The entrusted personal data will be processed by the Processor during the term of the main
    contract, subject to §4 section 2 and section 3.
  2. Data specified in §2 section 2.1 lit. c) will be processed for a period of 3 months, while the data
    specified in §2 section 2.1 lit. a) for a period of 3 years from the provision of the service resulting
    from the main contract related to the processing of the entrusted personal data.
  3. After termination of the main contract or after completion of the provision of the service related
    to the processing of entrusted personal data, subject to section 2 The processing entity is obliged to
    delete or return to the Administrator – depending on the Administrator’s decision – the entrusted
    personal data, as well as to delete all existing copies thereof, unless generally applicable regulations
    require the storage of such personal data. In the absence of the Administrator’s decision taken no
    later than on the date of termination of the contract or termination of the provision of the service, it
    is deemed that he has made a decision to delete the data.
  4. If the scope of the entrusted personal data is changed or limited, section 3 shall apply accordingly
    to personal data which, as a result of this change or restriction, will no longer be entrusted to the
    Processing Entity.

§5. Obligations of the Processor

  1. The processing entity undertakes to comply with the entrustment agreement and the relevant
    legal provisions applicable to the processing of personal data that is the subject of the entrustment
    agreement,
    in particular, undertakes to comply with the obligations of the Processor arising from the GDPR.
  2. The processing entity ensures that persons authorized by it to process personal data have
    undertaken to maintain secrecy or are subject to an appropriate statutory obligation to maintain
    secrecy.
  3. The processing entity declares that it provides the necessary guarantees to implement appropriate
    technical and organizational measures to ensure compliance with the GDPR and protect the rights of
    data subjects.
  4. In terms of assistance to the Administrator in fulfilling the obligation to report a personal data
    breach to the supervisory authority and to notify the personal data breach of data subjects referred
    to in Article 28(1) 3 letter f) GDPR, taking into account the nature of processing and the information
    available to it, the Processor is obliged to:
    4.1. report to the Administrator without undue delay to the e-mail address provided by the
    Administrator any data protection violations detected by the Processor in connection with the
    performance of the Entrustment Agreement;
    4.2. providing the Controller, if possible, with additional information regarding the personal data
    protection breach identified and reported by the Processor, to the extent necessary for the
    Controller to determine the likelihood of a risk of violating the rights and freedoms of persons whose
    personal data are subject to the breach, and to the extent necessary to report in accordance with
    joke. 33 and 34 of the GDPR, personal data protection breaches to the supervisory authority or
    notification of data subject personal data breaches – at the Administrator’s written request.
  5. In the event of a breach of personal data protection caused by the fault of the Processing Entity or
    the fault of a subcontractor of the Processing Entity, the Processing Entity will review the technical
    and organizational measures used and, if necessary and if possible, will introduce appropriate
    changes in order to prevent the recurrence of such personal data protection breach. in the future.
  6. The Processor undertakes to send to the Administrator any application or correspondence from a
    person whose data the Processor processes under the entrustment agreement, including a request
    to exercise the rights of the data subject specified in Chapter III of the GDPR, for further processing
    by the Administrator. , unless otherwise provided for in applicable law.

§6. Administrator rights

  1. During the term of the main contract, the Administrator is entitled to submit inquiries for
    information specified in §5 and to request – to the extent not exceeding the reasonable limits of
    these activities – that the Processor provides information regarding the manner of performing the
    contract for entrusting the processing of personal data.
  2. The Administrator is entitled to submit requests for information regarding personal data
    protection breaches referred to in §5 section 4 by written correspondence.
  3. The Processing Entity enables the Administrator to conduct audits to determine whether the
    measures used by the Processing Entity in processing and securing the entrusted personal data meet
    the provisions of the contract, subject to the following conditions:
    3.1. The Administrator will notify the Processor in traditional written form of the intention to conduct
    an audit.
    3.2. The Controller’s auditor cannot be an entity conducting business activity competitive to the
    Processing Entity, nor an entity related to it, its employee or an entity/person cooperating with it,
    regardless of the basis of employment or cooperation.

3.3. The Processor may make the participation of an auditor or a designated employee of the
Administrator in the audit conditional on the prior conclusion of an appropriate confidentiality
agreement.
3.4. During the audit, the Administrator and the auditor are obliged to comply with the internal
procedures and policies of the Processor or the Processor’s subcontractor regarding security and
confidentiality.
3.5. The audit may not include information or documents relating to other clients of the Processing
Entity, nor may it aim or result in the Administrator gaining access to personal data other than the
entrusted personal data.
3.6. The audit should not be conducted more often than once a calendar year and should not last
longer than 3 days.
3.7. The Administrator bears all costs related to audits carried out at its own request, including the
full costs of the auditor.

  1. The Administrator should use the rights specified in this Entrustment Agreement in such a way as
    not to disrupt the performance of the main contract and the ongoing operations of the Processor
    and its subcontractors. In the event of disruption to the ongoing operations of the Processor, the
    Processor may interrupt the audit process while it is in progress.
  2. The processor is obliged to actively participate in the audit and cooperate appropriately
    with the Administrator and auditor;

§7. Administrator’s declarations and obligations

  1. The Administrator declares that he processes personal data on his own behalf, as well as on behalf
    of another Administrator or other Administrators on the basis of an appropriate contract, and
    guarantees that they are processed by him in accordance with the law.
  2. The Administrator declares that he is entitled to entrust the processing of personal data and
    undertakes to ensure that at the time of transferring personal data to the Processing Entity, there
    will be a valid legal basis for their processing, in that each consent is given expressly, voluntarily,
    unambiguously and based on the information obtained in this regard. At the request of the
    Processor, the Administrator undertakes in writing to indicate and/or document the basis for the
    processing of personal data.
  3. By concluding this agreement, the Administrator instructs the processing of personal data to the
    Processing Entity, as well as to any person acting under the authorization of the Processing Entity
    who has access to the entrusted personal data, which constitutes a documented instruction within
    the meaning of Art. 28 section 3 letter and in connection with joke. 29 GDPR.
  4. The Administrator undertakes to comply with the entrustment agreement and the relevant legal
    provisions applicable to the processing of personal data, in particular undertakes to comply with the
    Administrator’s obligations arising from the GDPR.

§8. Sub-entrustment of data

  1. The Administrator grants general consent to further sub-entrusting of the Entrusted personal data
    to entities through which the Processor provides the service (so-called further processors). The
    Processor will maintain a full and complete list of sub-processors, which is available for inspection at
    the registered office of the Processor
  2. The Administrator authorizes the Processor to grant authorizations, issue instructions and
    commands within the meaning of Art. 29 GDPR in relation to further processors.
  3. The Processing Entity shall inform the Administrator about any intended changes regarding the
    addition or replacement of further processing entities no later than 7 days before their introduction,
    and the Administrator may raise an objection to such changes within this period, explaining the
    grounds for not granting acceptance to the new entity. Due to the nature of the service provided
    under the main contract, in the event of an objection, the Administrator accepts that the Processor
    will have the right to terminate the main contract with immediate effect.
  4. The processor may only use the services of such further processors that provide a sufficient
    guarantee of implementing appropriate technical and organizational measures so that the processing
    meets the requirements of the GDPR and protects the rights of data subjects.
  5. The Administrator also consents to making the entrusted personal data available to other entities
    that will become administrators of these data, to the extent that such disclosure is necessary to
    perform the service ordered by the Administrator. This applies in particular to the provision of
    entrusted personal data to postal operators who, pursuant to legal provisions, are entitled to process
    the data of senders and recipients of parcels in connection with the service provided, inter-operator
    settlements or other obligations imposed by law.
  6. If a subcontractor of the Processing Entity fails to fulfill its obligations to protect the entrusted
    personal data, the Processing Entity shall be liable to the Administrator for the subcontractor’s failure
    to fulfill its obligations as well as for its own actions and omissions.

§9. Liability of the Parties to the Agreement

  1. The Administrator is responsible for the proper performance of the duties of the Personal Data
    Administrator in accordance with the GDPR, other applicable personal data protection regulations
    and this entrustment agreement.
  2. The processing entity is responsible for the proper performance of its obligations in accordance
    with the GDPR, other applicable personal data protection regulations and this entrustment
    agreement.
  3. Neither party will be liable to the other for any accidental damages that could not have been
    foreseen by exercising reasonable care.
  4. Neither party shall be liable to the other party for:
    4.1. errors or delays beyond the reasonable control of the non-performing party, including general
    network access delays, power failures or machinery failures;

4.2. errors caused by the other party’s systems or acts, omissions or negligence for which that party
is solely responsible.

  1. The total and maximum liability of either party to the other party in claims in connection with the
    performance of the main contract and this contract or in connection with any transaction
    contemplated by the contract in any twelve (12) month period shall in no event exceed an amount
    equal to the total amount paid for services under the main contract for the twelve (12) month period
    preceding the event giving rise to liability.
  2. The above limitations do not apply to damages caused by fraud, gross negligence or willful
    misconduct.
  3. The Processor’s liability for carrying out the Administrator’s instructions which is inconsistent with
    the GDPR or other provisions on the protection of personal data and in connection with the
    Administrator’s instructions which were not submitted in accordance with §3 section 2 is excluded.
  4. The provisions of §9 shall remain in force after the termination or expiration of the entrustment
    agreement.

§10 Information obligation

  1. In order to fulfill the information obligation of the Processing Entity towards the Administrator’s
    employees, whose data such as name and surname will be processed in connection with the
    implementation of the main contract, the Administrator undertakes to familiarize the employees
    designated to contact the Processing Entity with the following information clause:
    Information clause
    Pursuant to Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council of
    27 April 2016. (hereinafter referred to as GDPR) we inform you that:
  2. UF Group Sp. z o. o. Limited liability company, with its registered office at ul. Brzóski 8/10 91-315
    Łódź, (hereinafter referred to as Ultrasfactory.com).
  3. Your personal data, such as name and surname, will be processed by Ultrasfactory.coml in order to
    implement the contract concluded with your employer.
  4. Personal data will be processed pursuant to Art. 6 section 1 letter f GDPR.
  5. Personal data will be stored for the duration of the contract referred to in point 2.
  6. ultrasfactory.com may transfer your personal data to third parties in connection with the
    implementation of the contract referred to in point 2.
  7. You have the right to access your personal data, request rectification, deletion, restriction of
    processing, the right to object, and the right to transfer data in accordance with the provisions of the
    GDPR.
  8. You have the right to lodge a complaint with the supervisory authority – the President of the
    Personal Data Protection Office.
  9. The processing of your data in an automated manner may only take place for the purposes of
    implementing the contract referred to in point 2.
  10. Use the rights indicated in point. 6 can be sent by sending an appropriate request to the e-mail
    address support@ultrasfactory.com with the note GDPR.
  11. Contact to the Data Protection Inspector: support@ultrasfactory.com

§11. Final Provisions

  1. The entrustment agreement enters into force with effect from the date of entry into force of the
    main agreement, constitutes an integral part of the main agreement and is concluded for the period
    of performance of the main agreement.
  2. In matters not regulated in this entrustment agreement, the provisions of the GDPR and the
    relevant provisions of Polish law will apply.
  3. Each Party has the right to terminate this Agreement immediately in the event of a breach of the
    provisions of the Agreement by the other Party.
  4. Termination or expiration of the main agreement results in the termination or expiration of the
    entrustment agreement, respectively, without the need to submit additional declarations.
    Termination of the entrustment agreement before the expiry of the period for which the main
    agreement was concluded constitutes the basis for terminating the main agreement without notice.
  5. The Parties agree that the processing of the entrusted personal data will be carried out only within
    the territory of the European Union. The transfer of entrusted personal data by the Processor to a
    third country requires the Administrator’s prior consent in written or documentary form, unless such
    an obligation is imposed by European Union law or the law of the Member State to which it is
    subject.
  6. All information obligations and updates of processed data categories or the list of further
    Processors may be performed in electronic form, e.g. via e-mail.
  7. The entrustment agreement and the main agreement fully regulate the conditions agreed by the
    parties for the processing of entrusted personal data by the Processor in connection with the
    provision of services and repeal any previous arrangements made by the Parties in this respect. In
    the event of discrepancies between the provisions of the entrustment agreement and the main
    agreement, the provisions of the entrustment agreement shall prevail.