This Data Protection Agreement is entered into between Beecommerce sp. z o.o. ("Processor") and the Client ("Controller") and forms part of the Agreement resulting from the Cookiesaur Service Terms and Conditions and is subject to its terms.

§1 Entrustment of Personal Data Processing

  1. The Data Controller entrusts the Processor, pursuant to Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) of 27 April 2016 (hereinafter referred to as the "Regulation"), with personal data for processing, on the terms and for the purpose specified in this Agreement.

  2. The Processor undertakes to process the personal data entrusted by the Controller in accordance with this Agreement, the Regulation, and other provisions of generally applicable law that protect the rights of data subjects.

  3. The Parties agree that the entrustment of personal data processing concerns ordinary data and is made in the scope of data storage in systems meeting the security and protection requirements of the transferred personal data in a manner guaranteeing data processing in accordance with the requirements of applicable law.

  4. The Processor declares that it applies security measures, i.e., technical and organizational measures ensuring a level of security appropriate to the risk of violation of the rights and freedoms of natural persons, meeting the requirements of Art. 32 of the Regulation.

§2 Scope and Purpose of Data Processing

  1. In providing Services to the Controller in accordance with the terms of the Agreement, the Processor will process Personal Data only to the extent necessary to provide the Services in accordance with the terms of the Agreement, this Data Protection Agreement, and the Controller's instructions documented in the Agreement and this Data Protection Agreement, which may be updated from time to time.

  2. The Controller and the Processor shall take steps to ensure that any natural person acting under the authority of the Controller or the Processor who has access to Personal Data does not process them except on instructions from the Controller, unless required to do so by any data protection regulations.

§3 Obligations of the Processor

  1. The Processor undertakes, when processing the entrusted personal data, to protect them by applying appropriate technical and organizational measures ensuring an adequate level of security corresponding to the risks associated with the processing of personal data referred to in Art. 32 of the Regulation. In particular, but not exclusively, the Processor undertakes to:

    a. ensure the maintenance of documentation describing the method of processing the personal data entrusted for processing and adequate technical and organizational measures to protect such data;

    b. ensure the storage of documents so as to protect the personal data entrusted for processing against: access by persons unauthorized to process them, processing in violation of the law, unauthorized change, loss, damage, or destruction;

    c. ensure the maintenance of a register of employees and associates authorized to process the personal data entrusted for processing;

    d. ensure that access to the personal data entrusted for processing is limited exclusively to employees and associates holding an authorization to process the personal data entrusted for processing issued by the Processor, in accordance with the provision of paragraph 3 below;

    e. constantly supervise its employees and associates in the scope of securing the personal data entrusted for processing.

  2. The Processor undertakes to exercise due diligence in processing the entrusted personal data.

  3. The Processor undertakes that access to the personal data entrusted for processing may be granted only to employees or associates of the Processor to whom the Processor has granted, prior to admitting these persons to the processing of personal data, authorizations to process personal data in the scope and for the purpose described in this Agreement as part of the implementation of this Agreement.

  4. The Processor undertakes that all persons (employees, associates) whom it authorizes to process personal data for the purpose of implementing this Agreement will, prior to being admitted to the processing of personal data, sign a written commitment to maintain confidentiality (referred to in Art. 28(3)(b) of the Regulation) regarding the processed data and the methods of securing them, both during the existence of the legal relationship between these persons and the Processor and after its termination, or that these persons are subject to a statutory obligation of confidentiality, whereby the Processor shall prepare an appropriate statement citing the legal basis for the existence of the statutory confidentiality obligation for the person concerned to document this statutory obligation.

  5. After the end of the provision of services relating to processing, the Processor shall delete all personal data and delete existing copies unless Union or Member State law requires storage of the personal data.

  6. The Processor undertakes to assist the Controller to the extent necessary to fulfill the obligation to respond to requests from the data subject and to fulfill the obligations set out in Art. 32-36 of the Regulation.

  7. In the event of a personal data breach, the Processor shall report the breach to the Controller without undue delay. The information provided to the Controller should include at least:

    a. a description of the nature of the breach and, where possible, an indication of the categories and approximate number of data subjects and personal data records concerned;

    b. the name and contact details of the person from whom the Controller can obtain more information;

    c. a brief description of the likely consequences of the breach;

    d. a brief description of the measures taken or proposed to be taken by the Processor to address the breach or minimize its negative effects.

  8. If the Processor must transfer personal data entrusted by the Controller to a third country or an international organization, it will inform the Controller before the transfer, in writing or by email, at least 5 days before the data transfer.

  9. The Controller is entitled to issue binding instructions to the Processor regarding the execution of this Agreement. The Controller is solely responsible for the correctness, reliability, and legality of the instructions provided. However, if the Processor considers that any instruction received from the Controller is contrary to the law, it is entitled, but not obliged, to refrain from performing the activity covered by such instruction and to inform the Controller thereof, including in particular to inform about the consequences of applying the Controller's instructions and guidelines.

  10. The Processor undertakes to monitor changes in law and case law regarding personal data protection on an ongoing basis and to adjust the method of personal data processing, including internal procedures, organizational and technical measures used, to current legal regulations.

§4 Right of Audit

  1. According to Art. 28(3)(h) of the Regulation, the Data Controller has the right to control (audit) whether the measures applied by the Processor in processing and securing the entrusted personal data meet legal requirements and comply with the provisions of the Agreement. As part of the audit, the Controller may, in particular but not exclusively, request the Processor to provide written information or explanations, and to grant access to all places where the Data Controller's personal data are processed.

  2. The Data Controller shall exercise the right of control (audit) during the Processor's working hours and with at least 21 days' prior notice.

  3. The Processor undertakes to remedy deficiencies found during the control (audit) within the time limit indicated by the Data Controller, not longer than 14 days.

  4. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 of the Regulation and in particular in the scope of ensuring security according to Art. 32 of the Regulation.

  5. In the case of an audit, the Processor may charge the Controller reasonable costs for conducting the audit.

§5 Sub-processing

  1. The Processor may entrust personal data covered by this agreement for further processing to subcontractors only for the purpose of executing the Agreement.

  2. The transfer of entrusted data to a third country may take place after informing the Controller of this fact, unless such an obligation is imposed on the Processor by Union law or the law of the Member State to which the Processor is subject. In such a case, the Processor shall inform the Data Controller of this legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

  3. The subcontractor referred to in §5 paragraph 1 of the Agreement should meet the same guarantees and obligations as those imposed on the Processor in this Agreement.

  4. The Processor bears full responsibility towards the Controller and third parties for the subcontractor's failure to fulfill its data protection obligations, i.e., it is responsible for the acts and omissions of subcontractors as for its own acts and omissions.

§6 Liability of the Processor

  1. The Processor bears full responsibility for non-performance and/or improper performance of the Agreement, in particular for disclosing or using personal data contrary to the content of the Agreement, and for disclosing personal data entrusted for processing to unauthorized persons.

  2. The Processor is responsible for the acts and omissions of persons with whose help it processes the entrusted personal data as for its own acts or omissions.

  3. The Processor undertakes to immediately inform the Data Controller of any initiated proceedings, in particular administrative or judicial, regarding the processing of personal data specified in the Agreement by the Processor, and then of any administrative decision or ruling regarding the processing of such data addressed to the Processor, as well as of any planned or implemented controls and inspections regarding processing in the Processor of these personal data, in particular those conducted by inspectors authorized under national regulations. This paragraph applies only to personal data entrusted by the Data Controller.

  4. In the event that, as a result of processing personal data entrusted by the Controller to the Processor in a manner inconsistent with the provisions of the Regulation, for reasons attributable to the Processor, the Controller incurs any costs or damage (costs), in particular but not limited to those related to the payment of fines, compensation, redress, legal services, etc., the Processor shall be obliged to reimburse the Controller for these costs in full upon the first written request of the Controller containing a justification and documentation regarding the amount of costs incurred by the Controller.

§7 Duration of the Agreement

  1. The Agreement is concluded for a definite period corresponding to the implementation period of the Main Agreement.

  2. Either party may terminate the Agreement with a 3-month notice period.

§8 Termination of the Agreement

  1. The Data Controller may terminate this agreement with immediate effect when the Processor:

    a. despite being committed to removing deficiencies found during control (audit), does not remove them within the designated period;

    b. processes personal data in a manner inconsistent with the Regulation and the Agreement;

    c. has entrusted the processing of personal data to another entity without the consent of the Data Controller.

§9 Final Provisions

  1. The Agreement was drawn up in two identical copies, one for each party.

  2. In matters not regulated herein, the provisions of the Civil Code and the Regulation shall apply.

  3. The court competent to settle disputes arising from this agreement shall be the court competent for BeeCommerce.
