REGULATIONS FOR ENTRUSTMENT OF PERSONAL DATA PROCESSING IN H88 S.A.
EFFECTIVE AS OF MAY 25, 2018.

§ 1 Definitions

When used in the Regulations, the following terms shall have the following meanings:

1) Personal Data – information relating to an identified or identifiable natural person collected as part of Data Sets entrusted by the Client, to the extent indicated in the Order Form,
2) Data Set – a structured set of Personal Data which is accessible according to specific criteria,
3) RODO – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons in relation to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), (Official Journal of the EU L 119/1),
4) Civil Code – the Act of 23 April 1964 Civil Code (consolidated text – Journal of Laws of 2017, item 459, as amended),
5) Processing of Personal Data – processing of data within the meaning of Article 4(2) of the RODO, i.e. the performance by the Processor (respectively natural persons employed by the Processor) of any operations on the Personal Data entrusted to it for processing by automated or non-automated means, such as collection, recording, organization, storage, adaptation or modification, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, and in particular those performed in an IT System,
6) IT System – a set of interconnected devices, programs, information processing procedures and software tools used for Personal Data Processing,
7) Controller – an authority, institution, organizational unit, entity or person, which decides on the purposes and means of the Processing of Personal Data and which meets the conditions for being recognized as the “controller” pursuant to the provisions of the RODO,
8) Customer – an entity with which the Processor has entered into an agreement for the provision of hosting services to which these Regulations apply,
9) Processor – H88 S.A. with its registered office in Poznan, 22 Franklin Roosevelt Street, 60-829 Poznan, entered into the Register of Entrepreneurs of the National Court Register by the District Court Poznan – Nowe Miasto and Wilda in Poznan, VIII Commercial Department of the National Court Register under the number KRS: 0000612359, NIP: 7822622168, with the share capital of 210,000.00 PLN paid in full,
10) Personnel – employees, members of bodies, associates and subcontractors of the Processor who shall directly perform the duties of the Processor under the Terms and Conditions,
11) Agreement – the agreement entered into between the Client and the Processor for the provision of hosting services,
12) Service – the hosting service performed on the Processor’s infrastructure under the Agreement,
13) Order Form – a document constituting Attachment No. 2 to the Regulations, in which the Client indicates the type and categories of data subjects.

§ 2 Declarations of the Parties

(1) The Client represents that it is the Controller of the Personal Data collected in the Files and that all Personal Data have been collected in accordance with the relevant provisions of law, in particular, each Data Subject has given its consent to the Processing of its Personal Data where required by law.

(2) Customer represents that it is entitled to entrust the Processing of Personal Data to Processor under the Agreement and that the above entrustment does not violate the law or the rights of third parties.

(3) The Processor represents that it has adequate resources to perform its obligations under the Agreement and the Regulations, including in particular the required knowledge, experience, equipment and human resources.

(4) The Processor declares that it adopts appropriate technical and organizational measures so that the Processing is carried out in accordance with the RODO and protects the rights of data subjects, and so that the Processor will be able to demonstrate this. These measures shall be reviewed and updated as necessary.

(5) The Processor represents that it is the owner or licensee of all components comprising the IT System necessary for the Processing of Personal Data.

§ 3 Authorization to Process Personal Data

(1) Pursuant to Article 28(3) of the RODO, the Client hereby entrusts the Processor with, and the Processor undertakes to carry out, the Processing of Personal Data in accordance with the provisions of the Terms and Conditions. The Parties declare that the Processor is a “processor” within the meaning of Article 4(8) of the RODO.

(2) The Customer authorises and obliges the Processor to Process Personal Data only in respect of the following activities:
(a) copying Personal Data,
(b) storage of Personal Data,
(c) deletion of Personal Data, including at the request of Customer.
(3) The Client may additionally authorize and oblige the Processor to Process Personal Data with respect to activities other than those indicated in paragraph 2 above by providing the Processor with an additional order in this respect in writing or electronically.

(4) The Client entrusts the Processor with the Processing of Personal Data as to the type of data and categories of data subjects to the extent indicated in the Order Form constituting Attachment No. 2 to the Regulations.

(5) The Processing of Personal Data shall be carried out solely for the purpose of performance of the Agreement concluded by the Client with the Processor.

(6) The Processor accepts the authorization and obligations indicated in § 3 paragraphs 2 and 3 and agrees not to process the Personal Data in any other way and for any other purposes than those indicated in § 3 paragraphs 2 and 3.

(7) The Regulations are adopted to ensure security of Personal Data processed in the IT System.

§ 4 Method of transfer and storage location of Personal Data

(1) Personal Data shall be provided to the Processor independently by the Customer:
(a) automatically – via the Internet using an encrypted connection,
(b) in exceptional cases where the automatic transfer is impossible, manually using data storage devices, such as CDs, disks or USB memory sticks.

(2) The Processor declares that the Personal Data entrusted to it for processing will be processed exclusively in the territory of the European Union or the European Economic Area.

§ 5 Obligations of the Processor

(1) The Processor shall process Personal Data only upon the Client’s documented instructions contained in the Terms and Conditions, the Agreement, or otherwise provided to the Processor, which shall also apply to the transfer of Personal Data to a third country or an international organization, unless such obligation is imposed upon the Processor by law.
In this case, the Processor shall inform the Client of this legal obligation before the Processing begins.

(2) The Processor may use the services of other Processors who will act as subcontractors for the provision of services under the Agreement, to which the Customer gives its general consent. The list of other processors (hereinafter: the “List”) referred to in the preceding sentence is attached as Appendix 1 to the Terms and Conditions. The Processor is entitled to unilaterally update and modify this List. Updating or modifying the List shall not constitute an amendment to the Regulations. The List and its updates and modifications are published in the Service administration panel 30 days in advance.

(3) When performing specific Processing activities on behalf of the Client, the Processor, when using the services of another Processor as referred to in paragraph 2 above, imposes the same data protection obligations on that other Processor under the Personal Data sub-processing agreement as those indicated in the Regulations, in particular the obligation to provide sufficient guarantees to implement appropriate technical and organizational measures so that the Processing complies with the requirements of RODO. If this other Processor fails to comply with its data protection obligations, full liability to the Client for compliance with the obligations of this other Processor shall rest with the Processor.

(4) Within 21 days from the date of publication of updates or modifications to the List, the Client may file an objection to such changes, in which the Client will explain the grounds for not granting approval to the new entity. The filing of an objection implies the lack of consent to the addition or replacement of such an entity within the scope of subcontracting the Processing of Personal Data provided under the Regulations.
In such case, unless it is not possible to perform services under the Agreement, excluding the entity to which the Client has objected, the Parties shall have the right to terminate the Agreement with immediate effect.

(5) When processing Personal Data, the Processor shall apply technical and organisational measures to ensure the protection of Personal Data in accordance with Article 32 of the RODO and, in particular, the Processor shall protect Personal Data against unauthorised access, loss, damage or destruction, including, but not limited to, if applicable:
(a) pseudonymization and encryption of Personal Data;
(b) the ability to continuously ensure the confidentiality, integrity, availability, and resilience of Processing systems and services;
(c) the ability to rapidly restore availability of and access to Personal Data in the event of a physical or technical incident;
(d) regular testing, measuring and evaluating the effectiveness of technical and organizational measures to ensure the security of the Processing.

(6) In order to fulfil the obligation referred to in the preceding paragraph, the Processor shall maintain documentation describing the Processing of Personal Data and the measures indicated in the preceding paragraph.

(7) Activities within the scope of Processing of Personal Data may be undertaken only by Personnel members who have previously obtained written authorization from the Processor. Each authorization or its withdrawal shall be entered by the Processor in the “Record of persons authorized to Process Personal Data”, which should contain the following data:
(a) the name of the authorized person,
(b) date of granting and expiration, as well as the scope of authorization to access the Personal Data,
(c) identifier, if the Processing of Personal Data is carried out using the Information System.

(8) Personnel members with whose assistance the Processor will carry out the subject matter of the Terms and Conditions shall be obliged by the Processor to keep the Personal Data and the means for the protection thereof confidential.

(9) The Processor shall train the Personnel on how to secure the Personal Data being Processed.

(10) Where applicable, the Processor shall, taking into account the nature of the Processing and the information available to it, assist the Client and provide the necessary information in order for the Client to duly comply with its obligations under the law, in particular those set out in Chapter III and Articles 32 to 36 of the RODO.

(11) The Processor agrees to make available to the Client, upon the Client’s request, all information necessary to demonstrate compliance with the obligations set out in the Regulations. In connection with the above obligation, the Processor shall immediately inform the Client if, in its opinion, the instruction given to it constitutes a violation of RODO or other data protection laws.

(12) Without prejudice to any separate legislation, if the Processor breaches RODO in determining the purposes and means of the Processing, it shall be deemed to be the controller with respect to that Processing.

§ 6 Inspections

(1) The Client may conduct inspections of the Processor’s compliance with the Regulations.

(2) The Client shall inform the Processor at least 21 days prior to the inspection. The audit shall be performed by a third party.

(3) The inspection shall be performed during working hours at the Processor’s office or at a location indicated by the Client.
The inspection shall be carried out during working hours at the registered office of the Processor or at another location designated by the Processor and shall not unreasonably interfere with the normal operations of the Processor.

(4) Inspection reports shall be confidential data of the Parties.

(5) The costs of the inspection shall be borne by the Client, excluding the working time of the Processor’s staff.

(6) The Processor agrees to comply with the post-inspection recommendations aimed at remedying the deficiencies and improving the security of the Personal Data Processing, if any.

(7) The inspection referred to in this paragraph shall be carried out in such a way as to safeguard the Personal Data or confidential information of the Processor and third parties, in particular other entities entrusting the Processor with the Processing of Personal Data.

The Parties represent that in the case of an inspection of the President of the Office for Personal Data Protection conducted at one of the Parties, concerning the Processing of entrusted Personal Data under the agreement, the Party shall provide the other Party with the necessary information and explanations to the extent permitted by law.

§ 7 Obligations of the Client

(1) The Client undertakes to perform the Agreement and the Regulations on entrustment of Processing in accordance with the applicable legal provisions on personal data protection, including RODO, in particular to place the Processed Data in the Processor’s IT System lawfully, with respect for the rights of data subjects.
(2) Any software within the infrastructure of the Processor shall be installed at the expense, risk and responsibility of the Customer. The Customer shall be solely responsible for the operation or improper operation, gaps, errors and consequences resulting from the use of the software referred to in the previous sentence.

(3) The Customer shall be solely responsible for the use of outdated versions of command interpreters such as PHP, Python, Ruby, Perl, which are no longer supported in terms of security patches by their producers or developers. The Processor enables the use of these versions to ensure compatibility for the Customer’s legacy software (not applicable to systems administered by the Customer).

(4) Customer is responsible for third party entities or individuals who will administer the Service on Processor’s infrastructure on Customer’s behalf. At the same time, Customer is responsible for providing access passwords to the Service to third parties and for storing insufficiently secured passwords to access the Service on its devices. If Customer loses the ability to access its service in which Personal Data is processed, for security reasons it is required to immediately notify the Processor.

§ 8 Responsibility of the Parties

(1) Each Party shall be liable for damage caused to the other Party and third parties in connection with the performance of the Regulations, in accordance with the provisions of the Civil Code and provisions of RODO and in accordance with the provisions of the Regulations.

(2) The Processor shall be fully responsible for its own actions, the actions of its Personnel, as well as other Processors for whom the Processor is responsible and to whom the Processor has subcontracted the Processing of Personal Data.

§ 9 Duration and termination of the Agreement

(1) The Agreement for entrusting Processing based on the Regulations is concluded for the duration of the Agreement.
Upon expiration or termination of the Agreement for any reason, the Processing Agreement shall be terminated.

(2) Each Party may terminate the Processing entrustment agreement with immediate effect in the event of a breach of material provisions of the Regulations and after a call to the other Party to cease the breach within no less than seven days. In such case, upon termination of such Processing entrustment agreement, the Agreement shall terminate.

(3) Upon termination of this Processing entrustment agreement, the Processor shall promptly return the Personal Data to the Customer or otherwise allow the Customer to retrieve the Personal Data. Upon the return of the Personal Data, the Processor shall delete all copies of the Data Set or otherwise make access to it impossible, unless the obligation to retain a copy arises under law.

§ 10 Final provisions

(1) The Regulations shall enter into force on 25 May 2018 and its provisions shall also apply to previous actions taken between the Parties and shall supersede all previous contracts, agreements and arrangements relating to the protection of personal data.

(2) In matters not regulated by the Regulations, the applicable provisions of Polish law shall apply, in particular the Civil Code and the RODO.

(3) If any provision of the Regulations is or becomes invalid, the rest of the Regulations shall remain in force, and the Processor shall take steps to promptly replace that provision with an appropriate provision that is valid and closest to the meaning intended by the Parties.

(4) Any amendments or supplements to the entrustment agreement concluded under the Regulations, except for Attachment No. 1 and Attachment No. 2, shall be made in documentary form under pain of nullity.

(5) Attachments to the Regulations constitute an integral part thereof.
(6) The court with jurisdiction to resolve any disputes arising under the Regulations shall be the court having jurisdiction over the registered office of the Processor.

Attachments:
1. List of other processors.
2. Order form.

Attachment No. 1
List of other processors.

- Beyond.pl Sp. z o.o., Poland
- TK Telekom Sp. z o.o., Poland
- Hetzner Online GmbH, Germany, Finland
- LeaseWeb Netherlands B.V., Netherlands
- Host Europe GmbH, France
- Inten, Poland
- KEI.PL Sp. z o.o., Poland

ENTRUSTMENT AGREEMENT FOR THE PROCESSING OF PERSONAL DATA NO. 676/H/07/2018

ORDER FORM
Annex No. 2 to the Regulations on entrustment of personal data processing.

Entrusts personal data processing to: H88 S.A. with registered office in Poznań, Franklin Roosevelt 22, 60-829 Poznań, registered in the National Court Register by the District Court Poznań – Nowe Miasto and Wilda in Poznań, VIII Economic Department of the National Court Register under the number KRS 0000612359, REGON 364261632, NIP 7822622168, share capital 200,000.00 PLN fully paid up,

according to the following specification:

Entrusted personal data:

1 Type of personal data:[i]
[X] ordinary
[ ] sensitive
[ ] relating to criminal convictions and infringements

2 Categories of data subjects:[ii]
[X] Customers,
[ ] Subscribers,
[ ] Subscribers,
[ ] Contractors,
[ ] Employees,
[ ] Job applicants,
[ ] others: []

3 Contact Information:
Contact information for the administrator’s representative: Michal Labaz, biuro@stornylabaz.pl, 783782792
Contact details of the Data Protection Officer, if appointed:

By completing this form and concluding the Agreement, the Client declares that he/she has read the Regulations on entrusting the processing of personal data and fully accepts its provisions.

The document was drawn up on the basis of Article 28(9) of the Regulation of the European Parliament and of the Council (EU) 2016/679 of 27 April 2016.

Electronically generated document, no stamp or signature required.

[i] tick the appropriate boxes
[ii] list all categories of persons to whom the data relate, e.g. employees and associates of the Client, contractors of the Client.