I. General provisions
- Service within the meaning of the Regulations means: a service provided electronically by HCM Deck to the Customer with access to an online platform allowing testing of functionalities related to the outplacement solution OutplaceME (hereinafter: “Service”).
- The Service is provided by HCM Deck sp. z o.o. (limited liability company) based in Kraków at Kluczborska 17/2 St., 31-271 Kraków, entered into the Register of Entrepreneurs of the National Court Register maintained by the District Court for Kraków Śródmieście in Kraków, XI Commercial Division of the National Court Register under KRS number: 0000717370, with the tax identification number NIP: 9452216507, share capital: PLN 6,350.00.
- The Service is a demonstration version, and allows the Customer to test the functionality and specification of the commercial version of a service – available for a fee.
- The Service is free of charge.
- The Service provided to the Customer is non-exclusive and the Customer shares the given space along with other Customers, which means that data such as comments, photos, videos or any other materials added by the user can be displayed by other Customers.
- HCM Deck reserves the right to limit or remove Customer’s access to the Service without giving a reason.
- The Service can be used only by entrepreneurs/companies.
- HCM Deck is not responsible for any damage incurred by the Customer in connection with the use of the Service.
- The Customer may process personal data within the framework of the Service only in the event of a prior conclusion of the Data Processing Agreement (“DPA”) with HCM Deck.
II. Submission for Services
- If necessary, after receiving the order, HCM Deck may contact the Customer to confirm the order and to conclude additional terms of the Service, explain technical specifications, offer assistance, or present a commercial offer.
III. Rules of usage
- The Customer is obliged to use the Service in accordance with its intended use indicated in point I.1. and IV of the Regulations.
- The Customer, in particular, has no right to use the Service in a manner that disrupts the access of the Service to the other Customers’ shared space.
- It is prohibited to use the Service to publish sexually explicit or pornographic content, offensive content, content that promotes racial or any other discrimination, xenophobic content or content that promotes totalitarian systems of state.
IV. Obligation to comply with the law
- The Customer is obliged to use the Service in a manner consistent with the intended purpose and not infringing the rights of third parties and the provisions of applicable law.
- In the event of receiving information about the unlawful use of the Service, and in particular about the unlawful nature of data stored by the Customer, HCM Deck has the right to block the Service and delete or secure this data.
- The Customer undertakes to cooperate in countering unlawful activities of users, with whom the Customer shares the Service. The Customer is responsible for the manner of using the service by third parties with whom the Customer shares the Service.
V. Complaint proceedings
- In case of any reservations related to the Service, the Customer has the right to contact HCM Deck by e-mail or by telephone. Reservations should include: Customer data enabling contact, including data enabling identification of the person submitting the complaint as a Client; circumstances justifying reservations.
- HCM Deck will take care to respond to the Customer’s reservations within 7 days from the date of their submission.
- Due to the free of charge and demonstrative character of the Service, HCM Deck does not guarantee that the reservations made by the Customer will be resolved.
VI. Final provisions
- Each change of the Regulations will be published on the HCM Deck website.
- Version of Regulations: 05/07/2020.
Appendix No. 1
Terms and Conditions of Personal Data Processing
- This document (“Terms and Conditions of Personal Data Processing”):
- is an integral part of the Agreement on the provision of the Cloud Service, and
- constitutes an agreement on entrusting data processing between HCM Deck, as a Data Processor, and the Customer, as a Controller providing Personal Data in connection with its use of the Cloud Service, and
- defines appropriate technical and organizational measures implemented and maintained by HCM Deck to protect Personal Data stored as part of the Cloud Service, referred to in the Agreement.
- The requirement of a written form of this Appendix shall be deemed met where HCM Deck receives the signed original version of the Order.
- The Customer represents that it is the Controller with respect to the Personal Data of its Users.
- The agreement on entrusting data processing is concluded in order to enable HCM Deck and its Sub-processors to process Personal Data, which is necessary to execute the Agreement.
- The Customer bears sole responsibility for internal coordination, examination and issuing instructions or submitting requests by other Controllers to HCM Deck.
- HCM Deck shall not be obliged to additionally inform or notify the Controller where the specific information or data have already been provided to the Customer.
- HCM Deck shall have the right to reject requests or instructions provided directly by a Controller that is not a Customer.
- The Parties agree that the capitalized terms used in the Terms and Conditions of Personal Data Processing shall be understood as defined in the General Terms and Conditions of the Agreement, except for the following terms defined below:
EEA – European Economic Area;
HCM Deck – HCM Deck, being a party to the Order Form;
Breach of Security – any action or omission by HCM Deck or its Sub-processors that has led to the disclosure of data to unauthorized persons or in an unauthorized manner, or other similar events about which the Data Controller is required by law to notify the relevant Data Subject or the regulatory body for data protection;
Data Subject – an identified or identifiable natural person (as defined in applicable provisions on personal data protection); An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identification number, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Non-EEA Entity – any entity, including a Sub-processor, registered in a third country, i.e. a non-EEA country, that does not provide an adequate level of data protection compatible with European Union law and legislation.
Sub-processor – an Affiliate of HCM Deck or an external Sub-processor engaged by HCM Deck or an Affiliate of HCM Deck, that carries out all or part of sub-processing operations involving the Customer’s Personal Data on behalf of HCM Deck;
IT System – a set of cooperating devices, software, information processing procedures and software tools used for data processing.
Data Security in the IT system – implementation and operation of appropriate technical and organizational measures ensuring data protection against unauthorized processing.
Consent of the Data Subject – a statement of intent that can be revoked at any time, whose content expresses explicit consent to the processing of personal data of the person making this statement (Data Subject).
- Data Subject, Duration, Purposes and Extent of Data Processing
- Under the Agreement the Customer shall entrust HCM Deck with continuous processing of user’s Personal Data stored in the Cloud Service, described in detail in paragraph 5, and HCM Deck shall accept the entrusted Personal Data to be processed on behalf of the Controller.
- The Customer shall define the purposes of collection, processing and other use of Personal Data stored in the Cloud Service. Unless otherwise specified in the Terms and Conditions of Personal Data Processing, the provisions of the Order Form or Additional Terms and Conditions or General Terms and Conditions and Standard Contractual Clauses shall apply to such data processing.
- HCM Deck or its Sub-processors shall process Personal Data only under a written order of the Data Controller and for the following purposes:
- setting up, operating, monitoring and providing the Cloud Service as the Data Processor or Sub-processor, as specified in the Agreement;
- providing Technical Support;
- providing HCM Deck Advisory Services, if agreed by the Parties;
- communicating with Users and for other administrative purposes specified in the terms and conditions related to the Cloud Service, and
- executing the Customer’s instructions in accordance with the provisions of Article 2(2) and Article 2(3) of the Terms and Conditions of Personal Data Processing.
- HCM Deck undertakes to process the entrusted data only to the extent necessary for the proper performance of the Agreement and for the duration of the legal relationship established under the Agreement and, as far as necessary, after its termination, if required in accordance with applicable law. HCM Deck represents that it will perform only the following categories of processing on behalf of the Customer:
- a) storage of Personal Data;
- b) reproduction of data as part of making backups and for purposes related to ensuring redundancy of Personal Data;
- c) provision of Personal Data to the Customer.
- Personal Data processed as part of the Cloud Service shall relate to the following data subjects:
- employees of the Customer;
- persons providing services to the Customer under a civil law contract;
- persons performing specific works for the Customer under a civil law contract;
- the Customer;
- persons providing services to the Customer or performing other activities under civil law contracts.
Personal Data of Data Subjects that will be processed under the Agreement are any data whose types are defined by the Customer.
Personal Data referred to above have been or will be collected by the Customer in accordance with relevant, generally applicable laws, and may be entrusted to HCM Deck for processing.
- Obligations of HCM Deck:
- HCM Deck shall process Personal Data for the purpose and on the terms and conditions set out in the Agreement, the GDPR and personal data protection regulations. HCM Deck shall process Personal Data only under and in accordance with the Controller’s instructions provided by the Customer. HCM Deck shall take commercially reasonable steps to comply with the instructions received from the Customer, as long as they are required by law and are technically feasible and do not require significant modifications to the operation of the Cloud Service or the System. In case of non-compliance of the instructions provided by the Customer with personal data protection regulations, HCM Deck shall immediately notify the Customer thereof by e-mail, specifying the extent to which it is not possible to execute a defective instruction. HCM Deck shall not be obliged to carry out comprehensive verification of the instructions’ compliance with applicable law.
- HCM Deck may, in accordance with the Customer’s instructions and with the necessary cooperation by the Customer, correct, delete or block access to any Personal Data if, due to the manner of operation of the Cloud Service, the Customer, Controllers or Users are unable to perform these activities themselves. If HCM Deck needs to remotely access any of the Customer’s systems or instances of the Customer’s Service to execute instructions or provide technical support, e.g. through application sharing, the Customer shall authorize HCM Deck for such remote access. The Customer shall also designate a contact person who, if necessary, will provide HCM Deck with required access rights.
- For the avoidance of doubt, the Parties hereby agree that HCM Deck may not process Personal Data for its own purposes. HCM Deck shall keep Personal Data confidential.
Persons authorized to process Personal Data shall keep the entrusted data confidential, both during their employment at HCM Deck and after its termination. HCM Deck represents that due to the obligation to keep Personal Data confidential, they will not be used, disclosed or made available without the Customer’s written consent for any purpose other than the performance of the Agreement, unless such information must be disclosed under applicable law or the Agreement.
HCM Deck undertakes to keep secret any information related to entrusting it with Personal Data and any Personal Data entrusted to it, for the time of their processing and indefinitely after their processing has ceased.
HCM Deck shall be responsible for the provision or use of Personal Data contrary to the Terms and Conditions of Personal Data Processing, and in particular for making entrusted Personal Data available to unauthorized persons.
- During the processing of Personal Data under this Agreement, the Parties undertake to cooperate in the processing of Personal Data, which shall include informing each other about circumstances that affect or may affect the performance of their obligations, and HCM Deck shall comply with all lawful instructions given by the Customer with respect to the processing of entrusted Personal Data.
- HCM Deck undertakes to use appropriate technical and organizational measures to process Personal Data in accordance with the provisions of the GDPR, ensure the security of Personal Data and their protection against unauthorized and unlawful processing and accidental loss, destruction or damage of data. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, HCM Deck shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
- pseudonymisation and encryption of Personal Data;
- the ability to ensure the ongoing confidentiality, integrity, accessibility and resilience of processing systems and services;
- the ability to quickly restore availability of Personal Data and access to them in the event of a physical or technical incident;
- regular testing, measuring and evaluating the effectiveness of technical and organizational measures to ensure secure processing.
- HCM Deck represents that it provides the Service to all Customers in the same manner through a hosted web application, so that all relevant and current technical and organizational measures apply to the entire base of HCM Deck Customers served using the same data center and being subscribers of the same Service. The Customer understands and accepts that technical and organizational measures are subject to technical development, therefore HCM Deck reserves the right to implement appropriate alternative measures while maintaining an appropriate level of security. In the event of significant changes, HCM Deck shall notify the Customer thereof and shall provide it with relevant documentation by e-mail or by providing relevant information as part of the Cloud Service in such a way enabling the Customer easy access to it.
- At the Customer’s request, HCM Deck shall provide the Customer with any necessary information about Personal Data processed by HCM Deck. HCM Deck also undertakes to promptly inform the Customer of any complaints, requests, questions and other statements regarding Personal Data, addressed to HCM Deck or addressed to the Customer, but submitted to HCM Deck by any third parties, in particular natural persons to whom Personal Data relate.
- HCM Deck represents that Personal Data shall be processed and IT devices and systems used for the processing of Personal Data shall be handled only by persons holding personal authorizations to process Personal Data to the extent resulting from the entrustment.
- HCM Deck represents that it shall keep a record of processing activities in accordance with Article 30 of the GDPR.
- In assessing the appropriate level of security HCM Deck shall take into account in particular the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
- Taking into account the nature of the processing, HCM Deck shall assist the Controller, as much as possible, through appropriate technical and organizational measures, in meeting the obligation to respond to the Data Subject’s requests as regards the exercise of their rights set out in Chapter III of the GDPR.
- To the extent required by applicable law, HCM Deck shall assist the Customer in performing the Controller’s duties referred to in Articles 32-36 of the GDPR.
- HCM Deck shall immediately notify the Controller of any identified breach of personal data protection.
- The Customer shall have the right, having set (minimum 5 days in advance) a date for HCM Deck (in writing or by e-mail), to carry out controls, audits and inspections of HCM Deck’s compliance with the rules for the processing of entrusted Personal Data, specified in the Agreement. Controls and audits, including the Customer’s inspections, may be carried out once a quarter, and their conduct must not lead to significant impediments in HCM Deck’s operations. The Customer shall be obliged to cover reasonable costs related to the audit. This shall not apply to cases of identified material breach for which HCM Deck is responsible. HCM Deck shall cooperate with the Customer in the audit and shall contribute to its smooth course.
- HCM Deck reserves the right to share Personal Data with public authorities, agencies or other entities authorized under applicable law (e.g. law enforcement authorities). Where it is necessary to disclose the Customer’s data to public authorities, agencies or other authorized entities, HCM Deck shall immediately notify the Customer thereof, unless such notification is not permitted by applicable law.
- The Customer (also on behalf of its Controllers) hereby agrees and authorizes HCM Deck to use Sub-processors (“Sub-processing”) whose services are used by HCM Deck to fulfil HCM Deck’s contractual obligations under the Agreement (“Sub-processor”). HCM Deck shall be responsible for any actions and omissions of its Sub-processors as for its own actions and omissions.
The Sub-processor shall provide its services under a separate agreement on entrusting the processing of personal data, concluded between HCM Deck and the Sub-processor. Such an agreement shall be compliant with law, and its terms and conditions shall at least correspond to those under which the Customer has entrusted HCM Deck with processing of Personal Data under this Agreement.
- HCM Deck undertakes to delegate to its Sub-processors obligations towards the Customer and the Controller regarding the data referred to in the Terms and Conditions of Personal Data Processing, as specified in the Terms and Conditions of Personal Data Processing.
- HCM Deck shall use services of only such Sub-processors that provide sufficient guarantees to implement the appropriate technical and organizational measures to ensure that data processing complies with the requirements of the GDPR and protects the rights of Data Subjects.
- Sub-processors shall provide the same guarantees and fulfil the same obligations as those imposed on HCM Deck.
- In case of a change of Sub-processors, HCM Deck shall notify the Customer thereof in advance by e-mail. HCM Deck undertakes to obtain from new Sub-processors the assurance of compliance with the provisions of the Terms and Conditions of Personal Data Processing and personal data protection regulations. HCM Deck shall assure that its Sub-processors adapt the processing activities entrusted to them and Personal Data safeguards used, as well as any obligations resulting from Sub-processing to the requirements imposed by the provisions of the GDPR.
- The Customer may object to entrusting data to a specific Sub-processor. The objection must be notified in writing or by e-mail within fourteen (14) days from the date of receipt of the relevant notification. The ineffective expiry of the deadline shall be considered as granting consent to the data processing by the Sub-processor indicated in the notification. The Customer may raise objections where, e.g. the Sub-processor is established or resides in a country where the legal system does not provide a sufficient guarantee of data security. In case of effective objection, HCM Deck undertakes to take remedial actions that it believes to be adequate, such as:
- HCM Deck will refrain from entrusting any activities to the challenged Sub-processor;
- HCM Deck will take action to eliminate the obstacle indicated by the Customer as the reason for the objection, and once it has been eliminated, it will continue to entrust sub-processing activities to this Sub-processor;
- HCM Deck will discontinue, temporarily or permanently, the provision of that part of the Cloud Service that requires sub-processing of Personal Data, or will obtain the Customer’s consent to abandoning, temporarily or permanently, the provision of that part of the Cloud Service that requires sub-processing of Personal Data.
- Should it not be possible or reasonable to take any of the aforementioned remedial actions and the reason for the objection is not eliminated within thirty days from the date of receiving the objection by HCM Deck, HCM Deck shall immediately notify the Customer thereof by e-mail, and the Parties may withdraw from the Agreement with respect to the provision of this part of the Cloud Service. A notice of withdrawal shall be submitted in writing within seven days of becoming aware that the reason for the objection could not be eliminated within 30 days from the date HCM Deck received the objection.
- HCM Deck reserves the right to make an overnight change of the Sub-processor where it is necessary due to reasons beyond HCM Deck’s control (e.g. if the Sub-processor ceases to operate, suddenly ceases to provide services to HCM Deck or violates its contractual obligations towards HCM Deck). In the case referred to in the first sentence, HCM Deck will immediately inform the Customer about the change of the Subcontractor and will start the process of selecting a new Sub-processor and entrusting it with processing activities.
- Cross-Border Data Transfers
- Due to the fact that HCM Deck uses services of Sub-processors with their registered seats and data centers in the United States, Personal Data may be transferred to that third country.
- Data may be transferred to the third country referred to in paragraph 1 above only if it provides adequate safeguards, and on condition that enforceable data subject rights and effective legal remedies for data subjects, referred to in Article 46(2) of the GDPR, are available, including the Privacy Shield self-certification mechanism.
- No Personal Data shall be transferred outside the European Economic Area (EEA), except in the cases referred to in paragraph 1 and paragraph 2, and no entities operating outside the EEA shall be allowed to access them without the Customer’s prior written consent.
- Monitoring of the Customer’s Rights
- The Customer may request HCM Deck to provide information regarding its compliance with the terms and conditions of the processing of entrusted Personal Data in accordance with the Agreement.
- HCM Deck shall provide the Customer with reasonable support in the course of verification processes and with the required information. The Customer shall bear all costs (including the costs of HCM Deck’s internal resources based on the current daily rates for professional services in accordance with the HCM Deck price list) for any service-related activities performed by HCM Deck for more than 4 hours per year.
- During the term of the Agreement, the Customer may at any time access, modify, export or download the Customer Data, in whole or in part, in so far as necessary to meet the Customer’s needs.
- HCM Deck undertakes to enable the Customer to export or download the Customer Data during the term of the Agreement and for a specific period after its termination, in a standard format for this type of data with an adequate, transparent structure that ensures full transferability of the Customer’s Personal Data.
- After termination or expiration of the Agreement, if the data are stored on HCM Deck’s servers, HCM Deck shall, depending on the Customer’s request, return the entrusted Customer’s Personal Data or delete all Personal Data, and (if the Subcontractor’s services are used) make the Subcontractor return or delete the Personal Data. HCM Deck shall also destroy all copies of the data, unless European Union law or the law of a given Member State requires the storage of data. The return or deletion referred to above shall take place no later than within 60 days from the date of the expiry of the Agreement. The return shall take place based on a return protocol drawn up by the Parties (in two identical copies – one for each Party), signed by their authorized representatives.
- The deletion of Personal Data, referred to above, shall be understood as at least their modification in such a way so that it is impossible to determine the identity of the Data Subject. At the Customer’s request, HCM Deck or its Sub-processor shall provide a report on the destruction/deletion of Personal Data.
List of approved Sub-processors: