Conditions for the Processing of Personal Data
In accordance with the laws on personal data protection, the Provider, acting as a processor, performs processing of personal data for the Customer, acting as a controller, according to the instructions of the Customer.
Subject-matter of processing, categories of data subjects and type of personal data
- The subject-matter of the processing is the personal data of the Recipients submitted to the Service by the Customer or processed by the Provider on its behalf, especially identification data, addresses, contact details, information about the Recipient’s transactions within its relationship with the Customer, information about Recipient’s actions within the Customer’s website, content of the Communications, Recipient’s activity relating to the received Communications and, where applicable, other data provided by the Customer to the Provider and relating to the Recipient (hereinafter the “personal data”).
- The extent to which the Recipient’s personal data is processed in each particular case shall always be determined solely by the Customer.
Nature, purpose and means of the processing
- The Provider processes personal data by automated means using statistical methods for the purpose of creating individualized Communications for the Recipients, sending Communications to the Recipients, receiving communications from the Recipients and for evaluating business campaigns’ results.
Duration of the processing
- The processing of personal data by the Provider will be performed for the term of the Agreement, while content of any messages will be deleted immediately after sending these messages and meta-data will be processed for the duration of 30 days after sending of these messages. The Provider undertakes to perform its obligations regarding the protection of personal data for the entire term of the Agreement, unless it is apparent from the provisions of the Agreement that they should continue to be in effect after its expiry.
- The personal data will be erased by the Provider upon the Customer’s instruction, but no later than 30 days after the termination of the Agreement. Until that time, the Customer is entitled to download a copy of the personal data.
- The Customer may choose to use “Secure” mode for individual sending domains. If a sending domain is set to secure mode, the Provider will not store any personal information for messages sent from this domain in its systems, and all personal information will be fully anonymized after message meta-data is relayed to the Customer.
Representations of the Customer
The Customer represents and warrants that, as a controller of the personal data of the Recipients, he fulfils all his obligations under the laws on personal data protection at the date of conclusion of the Agreement, in particular:
- processes personal data on the basis of proper titles and has a valid legal title for the processing of personal data of the Recipients for the purpose, to the extent, by means and in the manner specified by the Customer in accordance with these Conditions for the processing of personal data;
- informs the Recipients about the processing of their personal data, to the extent stipulated by the laws on personal data protection;
- enables the Recipients to exercise their rights under the laws on personal data protection;
- liquidates the personal data as soon as the purpose for which it was processed has ceased;
- fulfils all his other obligations under the laws on personal data protection;
- within 24 hours of receiving, the Customer will send the Provider by automated means via the Services interface information about any withdrawals of the Recipient’s consent to the processing of personal data, objections to the processing of personal data, revocations of consent to the sending of the Commercial Communications and other acts affecting the possibility of processing the Recipient’s personal data according to the Agreement, and will always respect these;
- within 24 hours of receiving the information from the Provider that Recipient’s consent to the processing of personal data has been withdrawn, any objections to the processing of personal data were made, consent to the sending of Commercial Communications has been withdrawn or any other acts affecting the processing of personal data of the Recipients according to the Agreement were made, responds adequately to these and always respects these;
- and undertakes to perform these obligations throughout the duration of the Agreement in accordance with applicable laws. Annex No. 1 to these Conditions for the processing of personal data contains a general manual for the processing of personal data, which does not bind the Customer but may be used when processing the Recipient’s personal data.
Should damage (material or non-material) be incurred by the Provider as a result of non-compliance with the Customer’s obligations under the laws on personal data protection, the Customer undertakes to fully compensate the Provider for this damage. For the purpose of this provision the damage incurred by the Provider means in particular: (i) compensation for damage (material or non-material) to data subjects defined in the laws on personal data protection and (ii) fines imposed by The Office for Personal Data Protection or other administrative authority.
General principles of personal data processing
The Provider in connection with the processing of personal data:
- processes personal data solely on the basis of the Customer’s instructions made via the interfaces of the Services provided or other means, including transfer of personal data to a third country or to an international organization, unless such processing is already required by the applicable laws, which apply to the Provider; in such case the Provider informs the Customer of this legal requirement prior to processing, unless the legislation prohibits this disclosure for the important reasons of public interest;
- does not process personal data obtained for the purpose of providing the Services for Provider’s own purposes;
- ensures that persons authorized to process personal data are bound by contractual duty of confidentiality or subject to statutory duty of confidentiality;
- does not engage any other processor without prior specific or general written authorisation of the Customer;
- takes into account the nature of the processing;
- assists the Customer through appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Recipient’s rights;
- assists the Customer in ensuring compliance with the Customer’s obligations to ensure appropriate level of processing security and to report personal data security breaches to supervisory authority and, where applicable, to the Recipients, to assess the impact on the protection of personal data and to conduct previous consultations with the supervisory authority when taking into account the nature of the processing and data available to the Provider;
- in accordance with the Customer’s decision, either erases or returns all personal data to the Customer upon termination of the Services connected with processing of the personal data and deletes existing copies unless the applicable laws require the personal data to be stored; and
- provides the Customer with all the information necessary to demonstrate that the obligations set forth in these Conditions for the processing of personal data have been met and allows audits, including inspections, performed by the Customer or other auditor authorized by the Customer and contributes to such audits;
- whereas the Provider’s activities stipulated in letters f), g) and i) will be paid according to the prices for the provision of the Consultancy Support Services provided in the Specification.
In relation to the processing of personal data, the Provider shall keep records of all categories of processing activities performed for the Customers, which include:
- the name and contact details of the Provider, the Customer and where applicable, of the Provider’s or the Customer’s representative, and the data protection officer;
- the categories of processing carried out on behalf of the Provider;
- where applicable, transfers of personal data to a third country or an international organisation; and
- a general description of the technical and organizational security measures.
- The Provider undertakes to make the records available to the Customer upon written request by the Customer.
The Customer specifically agrees with the involvement of other processors which will assist the Provider as subprocessors with providing Services under the Agreement, including providers assisting with sending of electronic messages and validating of contact details of the Recipient, while respecting the conditions described in Art. 28 (2) and (4) of the GDPR. The list of current subprocessors is available at: https://www.omnivery.com/legal/gdpr. The Customer further agrees that the Provider may engage other subprocessors and replace current subprocessors within the scope of the above written authorization granted by the Customer by this provision. The Provider will inform the Customer about any intended changes of subprocessors, by which the Customer will be given the opportunity to object to engagement of a new subprocessor. Intended changes will be published within the list of subprocessors described above at least 1 month before the intended effect of such changes, with which the Customer agrees. In case any objections against the engagement of a new subprocessor are made before the change takes effect, the Provider will inform the Customer whether it is possible to provide the Services to the Customer without engagement of this subprocessor, and if not, both the Customer and the Provider may terminate the Agreement with effect from the day preceding the day of engagement of the new subprocessor.
Personal data security
The Provider has adopted and maintains such technical and organizational measures as to prevent unauthorized or accidental access to personal data, modification, destruction or loss of personal data, unauthorized transmissions, other unauthorized processing or any other misuse of personal data.
The Provider has in particular adopted and is maintaining the following measures to ensure a level of security:
- the pseudonymisation of personal data;
- the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services – the measures put in place and their correct functioning will be regularly monitored;
- the ability to restore the availability and access to personal data in a timely manner and in the event of physical or technical incidents;
- the process of regular testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing;
- multi-level firewall;
- antivirus protection and unauthorized access control;
- encrypted data transfer via IT technologies;
- access to personal data only for the Provider’s authorized persons;
- servers with personal data locked in the server room; and
- backups of data transferred to another location by encrypted transmission with the access of the Provider’s authorized persons only.
The Provider may allow the Customer to access the Customer’s data, including the Recipient’s personal data, through the API. In this case, the Customer is required to ensure that only authorized personnel can access the API. The Provider is not responsible for any data loss or privacy violation in the event of the API being misused and in the event of data misuse after being available via the API.
In the event the Provider detects any personal data breaches, the Provider will report them to the Customer without an undue delay.
Special provisions for agency Customers
- In case the Customer is an advertising agency or another company (hereinafter the “Agency”) which requires provision of the Services under this Agreement for its individual clients (hereinafter for the purposes of this article the “Client”), the following provisions of this Article will apply. However, these provisions will not apply in cases where both the Agency and the Clients together form a single natural or legal person; in such case, the Agency (Clients) will, as the Customer, fully comply with the other articles of these Conditions for the processing of personal data.
- The controller of personal data of the Recipients is always the Client, with the Agency acting as a processor and the Provider acting as another person involved in the processing of personal data.
- The Agency is obliged to ensure that obligations of the Customer under the Conditions for the processing of personal data are fulfilled by and with regards to each of its Clients. The Agency is liable to the Provider for the proper performance of the obligations under this article by and with regards to its Clients.
- The Agency declares that it has the permission of the Client as a personal data controller to engage the Provider, as another person involved in the processing of personal data, in the processing of personal data. At the same time, the Agency represents that a contract concluded between the Client as a personal data controller and the Agency as a personal data processor complies with legal requirements for a contract between the controller and the processor of personal data and as a processor always complies with this legislation. The Agency is entitled to use these provisions of the Conditions for the processing of personal data for setting up the contractual relationship with the Client.
- The provisions of these Conditions for the processing of personal data governing the relationship between the Provider and the Customer shall apply equally to the relationship between the Provider and the Agency.
Final provisions
This current version of the Conditions for the processing of personal data is valid and effective from November 1st, 2021.