Legal inventory

Terms and conditions for processing of personal data


v. 1.0 in force from 4th of July 2022

These terms and conditions for processing of personal data of Orbico Sp. z o.o. with its seat in Ul. Salsy 2, 02-823 Warszawa, hereinafter also referred to as: Orbico, constitute other legal act within the meaning of Article 28 section 3 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, supplement the agreements concluded by Orbico under which the processing of personal data is entrusted, to the extent not regulated in the aforementioned agreements.

§1 Definitions

1. Administrator or Controller – Orbico Sp. z o.o. (limited liability company) with its
seat in Warsaw Ul. Salsy 2, 02-823 Warszawa, registered in the Register of Entrepreneurs of the National Court Register kept by the District Court for the capital city of Warsaw in Warsaw, 13th Commercial Division of the National Court Register, under the number 0000046562, REGON number: 277632751, NIP number: 6462526337, with share capital in the amount of PLN 40 841 450.00;

2. Personal data – information about an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be directly or indirectly identified;

3. Breach – a breach of protection of the entrusted Personal data understood as:
a. break of security leading to accidental or unlawful destruction, loss, modification, unauthorized disclosure or
b. unauthorized access to personal data sent, stored or otherwise processed on the basis of the concluded contract and these T&CP;

4. Processor – a natural or legal person, public authority, unit or other entity that processes personal data on behalf of the Administrator to the extent and for the purpose specified in a separate Agreement.

5. Administrator's order – the Administrator's statement addressed to the Processor, obliging it to carry out specific processing in the scope of entrusted personal data;

6. Entrusted data – personal data of persons that have been transferred to the Processor for processing in connection with the contract concluded by Orbico constituting the basis for cooperation with a third party, under which the processing of personal data was entrusted, on the terms set out in these T&CP;

7. Terms and Conditions for Processing (T&CP) – this document containing the provisions applicable to entrusting the processing of personal data by Orbico, specifying the principles of cooperation, including mutual rights and obligations of the parties to the Agreement, constituting an integral part of the Agreement concluded between Orbico and the Processor, available on the website www.;

8. GDPR – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC;

9. Agreement – an agreement constituting the basis for Orbico's cooperation with a natural or legal person, public authority, unit or other entity, in connection with the conclusion of which Orbico entrusts the processing of personal data.

§2 The scope of entrusting the processing

1. The Processor shall process the Personal data entrusted by the Administrator to the extent and for the purpose set out in the Agreement constituting the basis for the aforementioned cooperation.

2. The Processor is authorized to perform all data processing activities that aren ecessary to achieve the purpose referred to in section 1 above, to the extent applicable.

§3 Processor's obligations

1. The Processor, when processing the entrusted Personal data, is obliged to protect the data by applying appropriate technical and organizational measures, corresponding to the state of technical knowledge, ensuring compliance with the GDPR, including an adequate level of security corresponding to the risk of violating the rights or freedoms of data subjects.

2. The Processor is obliged to exercise due diligence in the processing of the Personal data entrusted for processing.

3. The Processor is obliged to authorize the processing of personal data to all persons who will process the entrusted personal data, and these will only be persons who have received appropriate training in the protection of personal data and are necessary to achieve the purpose of processing specified by the Parties.

4. The Processor ensures that the persons who authorize the processing of personal data in order to perform the Agreement will undertake secrecy or will be subject to an appropriate statutory obligation of secrecy referred to in Article 28 section 3 of GDPR.

§4 Further outsourcing of processing

1. In order to perform the Agreement, the Administrator agrees to entrust the Personal data entrusted in connection with it for further processing by the subcontractors of the Processor, while the subcontractors of the Processor should comply with the same guarantees and obligations that were imposed on the Processor.

2. In the event of a change or addition of other subcontractors involved in the processing of data entrusted by the Administrator, the Processor informs the Administrator about the intended changes, giving him the opportunity to object to such changes within 7 working days of providing information about the intended changes.

3. The transfer of the entrusted data to a third country may take place only on a documented request of the Administrator, unless such an obligation is imposed on the Processor of European Union law or the law of the Member State to which the Processor is subject. In this case, before the processing begins, the Processor informs the Data Administrator about this legal obligation, unless the law prohibits the
provision of such information due to important public interest.

4. The Processor shall be fully liable to the Administrator for any failure to comply with the obligations incumbent on the subcontractor resulting from these T&CP, the provisions of the GDPR and other legal acts.

§5 Right to audit

1. The Administrator undertakes to exercise the right to audit during the working hours of the Processor, about which the Administrator will inform the Processor with a minimum of 15 days' notice. The right to conduct an audit includes: access to the premises where the resources involved in the processing of entrusted Personal data are located; requesting written or oral explanations from persons authorized to process the entrusted Personal data; access to all documents and all data directly related to the purpose of the audit; conducting visual inspection of devices, carriers and IT systems used to process entrusted Personal data.

2. The Processor is obliged to remove any deficiencies discovered during the audit within the period indicated by the Administrator, not longer than 7 days from the day of presenting him with a written audit report.

3. The above mentioned rules of audit of the Processor shall apply to the Administrator's audits of the Processor's subcontractors, referred to in § 4 item 1 hereto.

§6 Reporting

1. At the request of the Administrator, the Processor provides all information necessary to implement or demonstrate compliance with the obligations arising from the Regulation. The information referred to above shall be provided within 14 working days from the date of delivery of the request, subject to paragraph 2.

2. If the application referred to in item. 1 above concerns the fulfillment of the obligation to report a breach of Personal data protection or remove its effects, the Processor shall provide information as soon as possible, not later than within 24 hours from the delivery of the request.

§7 Processor’s Responsibility

1. The Processor is responsible for providing or using personal data inconsistently with the contents of these T&CP, the content of the Agreement, and in particular for disclosing Personal data entrusted to processing to unauthorized persons.

2. If, as a result of the Processor's breach of data protection regulations and the principles set out in this T&CP, the Administrator is obliged to pay compensation or is otherwise held liable for the breach, the Administrator may request the Processor to repair the resulting damage.

3. The Processor is obliged to immediately inform the Administrator of any proceedings, in particular administrative or judicial, regarding the processing by the Processor of Personal data entrusted by the Administrator, of any administrative decision or any ruling regarding the processing of such data, addressed to the Processor, as well as about any planned, if known, or implemented controls and inspections regarding the processing of such personal data in Processor’s entity, in particular those carried out by inspectors authorized by the President of the Personal Data Protection Office. This paragraph applies only to personal data entrusted by the Administrator.

§8 Confidentiality

1. The Processor undertakes to keep confidential all information, data, materials, documents and Personal data received from the Administrator and from persons cooperating with him, as well as data obtained in any other way, whether intended or incidental, in oral, written or electronic form. ("confidential data").

2. The Processor declares that in connection with the obligation to keep information confidential, they will not be used, disclosed or made available without the written consent of the Administrator for any purpose other than the performance of contractual obligations, unless the need to disclose the information held results from applicable law or contracts.

§9 Final Provisions

1. In matters not covered by the provisions of these Terms and Conditions, the provisions of the GDPR and other applicable provisions on the protection of personal data shall apply.

2. In the event of any disputes arising between the Parties regarding the conclusion, interpretation, performance and legal effects of the T&CP, the Parties shall enter into negotiations in good faith in order to settle the dispute amicably. If the dispute is not resolved amicably, the Parties shall submit the dispute to a common court competent for the Administrator's seat.

3. These T&CP are published and available for download on the Orbico website.TheT&CP and their changes are effective after their publication on the Orbico website from the date indicated there in in the heading of the T&CP and cover the legal relations established from that date.

4. The Administrator engages the Processor for the processing of Personal data for the duration of the Agreement, unless the law provides otherwise.

5. On the day of termination or expiry of the Agreement, the provisions of the T&CP regarding the entrusting and protection of personal data shall cease to apply, while the Processor is obliged to stop processing the Personal data entrusted to it, unless the Parties agree otherwise.

6. In other matters not regulated in these T&CP or in the content of the Agreement, the provisions of the GDPR and the Act on the Protection of Personal Data shall apply.

Orbico Group

Orbico Poland is part of Orbico international Group that is present in 20 European countries.

Orbico’s business area stretches from the Baltic to the Black Sea, which allows us to combine synergies and international experience with strong concentration and deep presence in local markets.