Privacy and Cookies Policy
I. Definitions
For the purposes of this document, the following definitions apply:
Personal Data Controller / Controller – Jakub Mańka, conducting business activity under the business name Jakub Mańka, entered into the Central Register and Information on Economic Activity (CEIDG) maintained by the minister competent for economy, registered at Smolna Street 10, 44-200 Rybnik, Poland, NIP (Tax Identification Number): 8993027409, REGON (National Business Registry Number): 541988811;
● Personal Data – information relating to a natural person who is identified or identifiable, which means that the identity of the data subject can be established, directly or indirectly, on the basis of such information;
● Processing – any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, retrieval, consultation, or erasure;
● Privacy and Cookies Policy / Privacy Policy – this document defining the rules for the processing of personal data via the Website, based on and in accordance with the GDPR;
● GDPR (RODO) – Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation);
● Website / Service – the website operated by the Controller under the reklii.com domain;
● User – a User within the meaning of the Terms and Conditions, whose Personal Data is Processed within the Website and the agreements concluded through it.
II. General Information
1. The Privacy Policy has been prepared on the basis of and in accordance with all the requirements of the GDPR; in particular, it contains all the necessary information that the Controller is obliged to provide to the person whose Personal Data they Process and from whom they collected such Data – pursuant to Article 13 of the GDPR, i.e., the information necessary to ensure fair and transparent Processing of Personal Data by the Controller.
2. Capitalized terms not defined in this Privacy Policy shall have the meaning assigned to them in the Terms and Conditions of the Website and the Terms and Conditions for Participants, available on the Website.
3. The Privacy Policy describes issues related to the Processing of Personal Data solely via the Website, including within the framework of distance Contracts concluded on the basis of the information contained on the Website.
4. The Website uses encrypted data transmission, which means it has a so-called SSL (Secure Sockets Layer) certificate, i.e., a network protocol used for secure network connections.
5. This version of the Privacy Policy is effective as of April 1, 2026.
III. Personal Data Controller
1. The Personal Data Controller of the User is Jakub Mańka, conducting business activity under the business name Jakub Mańka, entered into the Central Register and Information on Economic Activity (CEIDG) maintained by the minister competent for economy, registered at Smolna Street 10, 44-200 Rybnik, Poland, NIP (Tax Identification Number): 8993027409, REGON (National Business Registry Number): 541988811.
2. The User may contact the Controller regarding their Personal Data via the following forms of contact:
a. by mail at: Smolna Street 10, 44 – 200 Rybnik, Poland;
b. by email at: info@reklii.com;
c. by phone at: +48 664 289 120.
3. The Controller has not appointed a Data Protection Officer, as due to the small scope and scale of the Processed Personal Data, it is not deemed necessary by the Controller, nor is it legally required.
4. The personal data controller of the Event Participants, for the purpose of fulfilling services related to their participation in the Event, is the Organizer. The Service Provider acts as a data processor based on the Data Processing Agreement constituting an Appendix to the Privacy and Cookies Policy.
IV. Scope of Processed Personal Data
1. Through the Website, the Controller may Process Personal Data via:
a. reviews;
b. the contact form;
c. the newsletter;
d. the Account;
e. the conclusion and performance of the Contract for the supply of a Digital Service;
f. the conclusion of the Contract for the provision of an Electronic Service with Participants;
g. sending forms by Participants to Organizers;
h. ensuring the continuity of communication and enabling contact with the Controller regarding the conducted business activity;
i. managing company accounts on Facebook, Instagram, and TikTok;
j. using analytical tools such as PostHog and Meta Pixel;
k. fulfilling legal obligations arising from applicable laws, in particular accounting and tax regulations.
2. The Controller may also Process Personal Data in the event of establishing, pursuing, and enforcing claims in the case of court proceedings or proceedings before other authorities.
3. All Personal Data that may be Processed by the Controller via the Website is provided by the User on a voluntary basis.
4. The User is not obliged to provide their Personal Data to the Controller, either directly (e.g., via the contact form) or indirectly (data collected via third-party cookies). However, failure to provide certain Personal Data may result in the inability to perform a given service or achieve a specific purpose (e.g., failure to provide Personal Data in the contact form will prevent the User from sending a message through the form).
5. If, however, the User provides their Personal Data, the Controller will Process it on the basis of and within the limits of the law, including in particular in an adequate manner within the meaning of the GDPR, i.e., appropriately and limited to what is necessary for the purposes for which it is Processed, which is in accordance with the principle of data minimization.
6. Detailed grounds for the Processing of Personal Data are indicated in the further part of the Privacy Policy.
V. Reviews
1. By presenting reviews on the Website, the Controller Processes Personal Data that the Customer indicates in their Google account, which means in particular the following Personal Data: first name, last name, nickname, name, image.
2. The legal basis for the Processing of Personal Data as part of adding and publishing a review is Article 6(1)(f) of the GDPR, i.e., Processing for the purposes of the legitimate interests pursued by the Controller, which in this case means enabling the presentation of reviews regarding the Services, as well as the course of the sales process and Customer service related to the execution of Orders, which serves to ensure reliable information about the offer and transparency of the sales process.
3. Personal Data Processed as part of publishing reviews on the Website are Processed until the review is deleted or earlier – i.e., until the User files an objection to the Processing of Personal Data for this purpose.
VI. Contact form
1. Through the contact form located on the Website, the Controller Processes the Personal Data that you provide when filling out the form, which means in particular the Personal Data required to send a message via the form, i.e.: first name, e-mail address, and Personal Data provided within the sent message.
2. The legal basis for the Processing of Personal Data within the form is Article 6(1)(a) of the GDPR, i.e., Processing based on the consent of the data subject, for the purpose of the Service Provider receiving a message via the form and responding to it.
3. The User's Personal Data Processed within the form are Processed until the consent to the Processing of Data is withdrawn.
4. The User may withdraw the granted consent to the processing of their personal data at any time. The withdrawal of consent to the processing of personal data does not affect the lawfulness of the processing carried out by the Controller based on the consent granted by the User prior to its withdrawal.
5. In the event that the User wishes to withdraw consent to the processing of Personal Data for the purpose of providing the form Service, they may send an e-mail message to the Service Provider's address with information about the desire to withdraw the granted consent.
VII. Newsletter
1. By subscribing to the newsletter, the Controller Processes the Personal Data that the User provides to them by completing and sending the newsletter subscription form, i.e., the e-mail address.
2. The legal basis for the Processing of Personal Data is Article 6(1)(a) of the GDPR, i.e., Processing based on the consent of the data subject, for the purpose of sending the newsletter by the Service Provider.
3. The User's Personal Data Processed within the newsletter are Processed until the consent to the Processing of Data is withdrawn.
4. The User may withdraw the granted consent to the processing of their personal data at any time. The withdrawal of consent to the processing of personal data does not affect the lawfulness of the processing carried out by the Controller based on the consent granted by the User prior to its withdrawal.
5. In the event that the User wants to withdraw consent to the processing of Personal Data for the purpose of providing the newsletter Service, they may unsubscribe from it by clicking the link used to unsubscribe from the newsletter, sent in every e-mail message sent as part of the newsletter.
VIII. Account
1. Through the Account registration form and maintaining the Account on the Website, the Controller Processes the Personal Data that the User provides by filling out the form or data in the Account, which means in particular the Personal Data required to register the Account, i.e.: e-mail address, first name, last name.
2. The legal basis for the Processing of Personal Data within the Account registration form is Article 6(1)(b) of the GDPR, i.e., Processing in order to take steps at the request of the User prior to entering into a contract, and processing necessary for the performance of a contract to which the User is party.
3. Personal Data Processed within the Account are Processed until the expiration of the limitation period for claims regarding the performance of the contract.
IX. Conclusion and performance of the Contract for the supply of a Digital Service
1. As part of placing an Order and concluding a Contract for the supply of a Digital Service, the Controller Processes Personal Data that are necessary to place an Order and conclude the Contract, i.e., first name, last name, e-mail address, contact telephone number, correspondence address, personal or corporate bank account number, NIP (Tax Identification Number), company name.
2. The legal basis for the Processing of Personal Data as part of placing an Order and concluding the Contract is Article 6(1)(b) of the GDPR, i.e., processing in order to take steps at the request of the User prior to entering into a Contract, and processing necessary for the performance of a Contract to which the User is party.
3. The User's Personal Data Processed within the placed Order and the concluded Contract are Processed until the expiry of the limitation period for claims regarding the Contract, resulting from the currently applicable provisions of law.
X. Personal Data of Event Participants
1. In connection with the conclusion and performance of the Contract for the provision of Electronic Services available within the Website for Participants, the Service Provider Processes the Personal Data of Participants as a Personal Data Controller within the meaning of the GDPR.
2. The Service Provider processes the personal data of Participants to the extent necessary to ensure the proper operation of the Website, including its security, handling of requests addressed to the Service Provider, pursuing claims, or defending against claims.
3. The scope of Processed Data may include in particular: identification data provided when accessing the Event Page (e.g., first name, e-mail address, or other data required for authentication), technical data regarding the use of the Website (including IP address, device data, data saved in cookies), and data contained in correspondence addressed to the Service Provider.
4. The legal basis for the Processing of Personal Data is:
a. Article 6(1)(b) of the GDPR – to the extent necessary for the conclusion and performance of the Contract for the provision of Electronic Services;
b. Article 6(1)(f) of the GDPR – to the extent of pursuing the legitimate interest of the Service Provider consisting in ensuring the security of the Website and pursuing or defending against claims.
5. Personal Data are Processed for the period of the Participant's use of the Website, and after its termination – for the period necessary to fulfill legal obligations and until the expiry of the limitation periods for claims arising from the Contract.
XI. Ensuring the continuity of communication and enabling contact with the Controller regarding the conducted business activity
1. By providing the possibility of contacting the Controller in matters related to the conducted business activity, the Controller processes the Personal Data provided by the User, i.e.: first and last name, name, e-mail address, phone number, company, NIP (Tax Identification Number), as well as other Data voluntarily provided by the User or in the content of the message or telephone conversation.
2. The legal basis for the processing of Personal Data in this regard is Article 6(1)(f) of the GDPR, i.e., processing for the purposes of the legitimate interests pursued by the Controller, which in this case means ensuring the continuity of communication and enabling Users to contact the Controller in matters related to the Controller's business activity.
3. Personal Data Processed in order to ensure contact with the Controller will be stored for the period necessary to conduct correspondence and achieve the purpose for which they were provided, and after its achievement, they may be Processed for a period resulting from the legitimate interests of the Controller.
4. The User has the right to object at any time to the Processing of their Personal Data for this purpose, which may result in the cessation of further correspondence and the deletion of the Data, provided there is no other legal basis for their further Processing.
XII. Managing a company account related to the Controller's business activity on Facebook, Instagram, TikTok
1. As part of managing a company account on Facebook, Instagram, and TikTok, the Controller processes the Personal Data of Users who interact with the accounts, in particular by following the account, reacting to published content (e.g., likes, comments, shares), and sending private messages. The Processed Data include in particular: account identifier (e.g., User name), first and last name or company name (if they are the User name), profile picture, content of comments, messages, and other information voluntarily provided by the user as part of their activity on Facebook, Instagram, and TikTok.
2. The legal basis for the processing of Personal Data within the account on Facebook, Instagram, and TikTok is Article 6(1)(f) of the GDPR, i.e., the legitimate interest of the Controller, consisting in running a social media profile to promote the Controller's business activity, building and maintaining relationships with Users, and responding to their inquiries.
3. Personal Data are Processed for the period necessary to achieve the purposes for which they were collected, in particular until the account is closed or the interaction with the User ends.
4. It should be noted that the data controller of Users of the Instagram, Facebook, and TikTok services in terms of the functioning of the platform itself (e.g., terms of use, profiling, statistics) is also Meta Platforms Ireland Limited (Instagram/Facebook) and TikTok Technology Limited (TikTok), acting as separate personal data controllers. The indicated entities transfer Personal Data to third countries.
XIII. Analytical tools PostHog, Meta Pixel
1. The Controller uses analytical tools on the Website: PostHog and Meta Pixel.
2. As part of using individual tools, the Controller may process the following personal data of the User:
a. PostHog - data concerning the User's activity on the Website (so- called events, e.g., visits to subpages, clicks, use of functionalities), IP address, online identifiers (e.g., user identifier assigned on the Website, device or browser identifier), information about the browser, operating system, device type, approximate location data resulting from the IP address, technical data concerning the session;
b. Meta Pixel - IP address, data about the User's device, information concerning the User's activity on the Website (e.g., visited subpages, actions taken), location data and language settings, cookie identifiers associated with Meta platforms.
3. The purpose of processing personal data within the above tools is:
a. in the case of PostHog - analysis of the way the Website is used, monitoring the operation of individual functionalities, detecting technical errors, improving usability and optimizing the operation of the Website. Additionally, this tool is used as a secure intermediary (as part of the Conversions API integration) for server-side transfer of information about key events (e.g., purchases) to Meta advertising systems for campaign optimization;
b. in the case of Meta Pixel - analysis of the effectiveness of advertising campaigns conducted within Meta platforms, conversion measurement, retargeting and adjusting advertising content.
4. The legal basis for processing personal data within PostHog and Meta Pixel is Article 6(1)(a) of the GDPR, i.e., the User's consent expressed via the cookie management tool, to the extent that these tools use cookies or similar technologies.
5. To the extent that PostHog is used exclusively to ensure the security of the Website and detect technical errors, the legal basis for processing may also be Article 6(1)(f) of the GDPR, i.e., the legitimate interest of the Controller consisting in ensuring the proper functioning of the Website.
6. The User may consent to the use of analytical tools via the cookie message displayed during the first visit to the Website.
7. The User may withdraw their consent at any time without affecting the lawfulness of processing carried out before its withdrawal, in particular by changing cookie settings.
8. Data processed within PostHog are stored for the period necessary to achieve analytical and technical purposes, in accordance with the configuration adopted by the Controller, but no longer than until the withdrawal of consent or deletion of data in accordance with the applicable retention policy.
9. Data processed within Meta Pixel are stored in accordance with the rules defined by Meta Platforms Ireland Limited, in particular until the cookies expire or the User withdraws consent.
10. With regard to the collection of data through Meta Pixel and its transmission to Facebook (including via the Conversions API), the Controller and Meta Platforms Ireland Limited act as joint controllers of personal data in accordance with Article 26 GDPR. Information on how Meta processes such data is available in Meta's privacy policy.
11. Google Tag Manager: The Controller uses Google Tag Manager (provided by Google Ireland Limited) to manage scripts and tags on the Website. This tool is used solely for technical implementation and activation of other tools (such as PostHog or Meta Pixel) based on the consents expressed by the User in the cookie banner. Google Tag Manager itself does not collect personal data or profile Users.
XIV. Processing of Personal Data to fulfill legal obligations
1. The Controller may also be subject to legal obligations that they must fulfill, such as accounting, filing financial reports. In connection with this, the Controller Processes Personal Data that are necessary to fulfill all necessary legal obligations imposed on them, in particular in the field of accounting and tax regulations.
2. Personal Data referred to in point 1 may include: first and last name, correspondence address, e-mail address, telephone number, bank account number, possibly also NIP (Tax Identification Number) or REGON (National Business Registry Number) and company name.
3. The legal basis for the Processing of Personal Data within the framework of the Controller's fulfillment of legal obligations referred to in this section is Article 6(1)(c) of the GDPR, i.e., processing necessary for compliance with a legal obligation to which the Controller is subject, arising from applicable legal regulations, in particular accounting and tax regulations.
4. The User's Personal Data Processed for the purpose of fulfilling legal obligations are Processed until the expiration of the legal obligations imposed on the Controller that required the Processing of such Data.
XV. Processing of Personal Data in the event of potential establishment, exercise, and enforcement of claims arising from the contract
1. In the event of the need to establish, pursue, and enforce claims arising from the contract or to defend against such claims in court proceedings or before other authorities, the Controller will Process Personal Data that are necessary for this purpose, in accordance with the provisions of law.
2. Personal Data referred to in point 1 above may include: first and last name, correspondence address, e-mail address, telephone number, bank account number, possibly also NIP or REGON and company name.
3. The legal basis for the Processing of Personal Data in the situation referred to in this section is Article 6(1)(f) of the GDPR, i.e., Processing for the purposes of the legitimate interests pursued by the Controller, which may consist in establishing, pursuing, or enforcing claims or defending against potential claims in court proceedings or before other authorities.
4. The User's Personal Data that may be Processed for the purposes of potential claims or disputes are Processed until the expiration of the limitation period for claims regarding the concluded contract.
XVI. Processing of Personal Data by other entities
In order to use the tools that enable the Controller to maintain the Website, as well as to conclude and perform the Contract, the User's Personal Data may also be Processed by the following entities:
a. the hosting provider of the Website, who stores Personal Data on the server and thus Processes them as a data processor;
b. the cloud infrastructure provider, as a data processor;
c. the entity providing accounting services, as a data processor;
d. the entity operating the invoicing software, as a data processor;
e. entities providing electronic payment services, as separate and independent personal data controllers;
f. the entity providing the service of sending messages as part of the newsletter, as a data processor;
g. Meta Platforms Inc. for the purpose of the Controller's use of the Meta Pixel tool, which is an independent controller of this data;
h. PostHog Inc. for the purpose of the Controller's use of the PostHog tool, as a data processor;
i. Google Ireland Limited for the purpose of managing scripts on the Website via Google Tag Manager.
XVII. Transfer of Personal Data to third countries or international organizations
1. The Controller does not directly transfer the User's Personal Data to third countries or international organizations.
2. However, the User's Personal Data may be transferred to third countries by Meta Platforms Inc. and PostHog Inc., whose tools the Controller uses and which, as part of these activities, becomes a separate controller of the User's Personal Data or a data processor.
3. Meta Platforms Inc. is listed in the list of entities participating in the Data Privacy Framework program (link: https://www.dataprivacyframework.gov/s/participant-search), and therefore the protection of personal data is adequate in relation to the regulations in force in the European Union, in accordance with Commission Implementing Decision (EU) C(2023) 4745 of July 10, 2023, on the adequate level of protection of personal data under the EU-USA Data Privacy Framework (link: https://commission.europa.eu/system/files/2023-07/Adequacy%20decision%20EU-US%20Data%20Privacy%20Framework.pdf).
4. In the case of transferring Personal Data to third countries in connection with the use of the PostHog tool, such transfer takes place with the application of appropriate safeguards required by the GDPR, in particular based on Standard Contractual Clauses adopted by European Commission Decision 2021/914 and with the application of additional technical and organizational measures.
XVIII. Information on automated decision-making, including profiling
The User's Personal Data are not used by the Controller for the purposes of making decisions regarding the User based on automated Processing of Personal Data, including profiling.
XIX. Rights of the User in connection with the Processing of their Personal Data
1. On the basis of Articles 16 – 21 of the GDPR, the User is granted the following rights related to the Personal Data Processed by the Controller.
2. Within the framework of the legal grounds indicated above, the User has the right to exercise the following rights regarding their Personal Data Processed by the Controller, i.e., the User has the right to:
a. access to Personal Data, based on Article 15 of the GDPR;
b. rectification of Personal Data, based on Article 16 of the GDPR;
c. erasure of Personal Data, based on Article 17 of the GDPR;
d. restriction of Processing of Personal Data, based on Article 18 of the GDPR;
e. data portability, based on Article 20 of the GDPR;
f. object to the Processing of Data, based on Article 21 of the GDPR.
3. More detailed information regarding the rights of the User can be found in Articles 16 – 21 of the GDPR respectively.
4. If the Processing of the User's Personal Data is based on the consent granted by the User, the User also has the right to withdraw consent to the Processing of Personal Data at any time, without affecting the lawfulness of Processing carried out based on that consent before its withdrawal.
5. The User also has the right to lodge a complaint with the appropriate supervisory authority if they believe that their Personal Data are not Processed in a correct manner and in accordance with the provisions of law.
6. The appropriate supervisory authority may be the authority competent for the User's habitual residence in a Member State, the User's place of work, or the place of the alleged infringement regarding Personal Data.
7. In Poland, the supervisory authority for Personal Data is the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych).
8. Before filing a potential complaint, the Controller encourages you, however, to first contact them at the e-mail address indicated in this document, in order to clarify the matter or the User's doubts related to the Processing of Personal Data via the Website or the concluded Contract.
XX. Cookies – general information
1. The Website uses cookies.
2. Cookies are small text information stored on the User's terminal device that the User uses when accessing the Website, e.g., a computer or a mobile phone.
3. Cookies can be read by the Controller's information system (so-called own cookies) or by the information systems of third parties (so-called third-party cookies).
XXI. Cookies and Personal Data Processing
1. By reading the User's cookies through the Controller's information system, the Controller may have access to information that constitutes Personal Data, and therefore, based on such activities, the Processing of such Personal Data by the Controller occurs.
2. Some information, including Personal Data contained in cookies, may also be read by the information systems of third parties.
3. Some of the cookies used by the Controller are cookies necessary for the proper provision of electronic services to the User within the meaning of the Act of 18 July 2002 on the provision of electronic services, while the use of some cookies by the Controller is not necessary because it serves the Controller for purposes that are not essential for the User to correctly use the Website.
4. Cookies that are not necessary for the proper provision of electronic services to the User are blocked until the User consents to their use, and thus consents to the Processing of Personal Data.
5. The consent referred to above can be expressed by the User through the cookie bar that will be displayed on the Website during the User's first visit.
6. The legal basis for the Processing of Personal Data via cookies referred to in the points above is Article 6(1)(a) of the GDPR, i.e., the User's consent, about which more in the sections above regarding the rules for processing Data within the tools used on the Website.
7. Additionally, within their web browser, the User has the possibility at any time to manage settings regarding cookies, including blocking their use or re-enabling them.
XXII. Cookies used through the Website
1. Through the Website, the Controller uses own cookies and third-party cookies.
2. Own cookies are used to ensure the proper functioning of individual mechanisms appearing on the website.
3. Third-party cookies are used for the purposes described in this document and these are cookies of:
a. Meta Pixel, owned by Meta Platforms Inc.;
b. PostHog, owned by PostHog Inc.
XXIII. Final Provisions
1. In matters not regulated in the Privacy Policy, the appropriate provisions of Polish law and the GDPR shall apply.
2. The Controller has the right to change the content of the Privacy Policy, in particular when it is required by changes related to the Processing of Personal Data on the Website, technological changes, or changes in the applicable law regarding the issues described in this document.
Appendix - Personal Data Processing Agreement
I. General Provisions
1. The personal data controller of the Participants is the Client (hereinafter referred to as the "Controller").
2. In order to perform the Contract for the supply of a Digital Service, the Controller entrusts the Service Provider (hereinafter referred to as the "Processor") with the processing of personal data on the terms set forth in this appendix, which constitutes a Personal Data Processing Agreement.
3. The Processor has implemented appropriate technical and organizational measures so that the processing meets the requirements of the GDPR and national personal data protection regulations and protects the rights of the data subjects.
4. This Agreement defines the conditions for processing personal data by the Processor on behalf of the Controller, as specified in this Agreement, within the scope of services performed on the basis of the Contract for the supply of a Digital Service.
II. Duration of Personal Data Processing
1. The Processor provides services related to data processing throughout the duration of the Contract for the supply of a Digital Service.
2. After the termination of services related to processing, the Processor, depending on the Controller's decision, shall immediately delete or return all personal data to the Controller and delete all existing copies thereof.
3. The provision in the point above does not apply if European Union or Member State law requires the Processor to store personal data.
III. Scope of Personal Data Entrustment
1. The processing of personal data by the Processor is of a secondary nature.
2. The Processor will process personal data by performing operations on personal data or sets of personal data in a non-automated, partially automated, or automated manner, such as: recording, organizing, structuring, storing, adapting or modifying, retrieving, consulting, using, restricting, erasing or destroying - solely to the extent necessary to perform the Contract for the supply of a Digital Service.
3. The Controller entrusts the Processor with the processing of personal data regarding the Event Participants.
4. The scope of personal data entrusted by the Controller includes the following ordinary data of Participants: first and last name, name, image, dietary preferences, or other personal data provided independently by the Participant within the framework of the submitted Materials or forms available on the Website.
5. Personal data will be processed in electronic form.
IV. Rights and Obligations of the Controller
1. The Controller is obliged to pay the Processor the remuneration due under the Contract for the supply of a Digital Service. The Processor is not entitled to additional remuneration for the performance of this Agreement.
2. The Controller has the right to perform audits, including data protection inspections at the Processor's premises, in particular by:
a. reviewing technical and organizational measures for securing the entrusted personal data;
b. obliging the Processor to update technical and organizational measures for securing the entrusted personal data.
3. The Controller may perform audits personally or authorize an auditor of their choice to do so.
4. The data controller will exercise the right of control during the Processor's working hours and with at least 7 days' prior notice. In urgent cases or in the event of the Parties' failure to agree on the audit date in accordance with the first sentence (in particular in the event of a breach or risk of a personal data breach), immediately, within the period indicated by the Controller.
5. The Controller is obliged to cooperate with the Processor in the performance of the Agreement, provide the Processor with explanations in case of doubts as to the legality of the Controller's instructions, as well as timely fulfill their obligations.
V. Rights and Obligations of the Processor
1. The Processor undertakes to perform their obligations regarding the processing of personal data in accordance with the Agreement and the GDPR in the following manner:
a. processing of personal data, including potential transfer of data to third countries or international organizations, takes place solely on the basis of documented instructions from the Controller. Instructions may be transferred to the Processor in electronic form (including via e-mail or instant messengers), written, telephone, or oral. The Processor undertakes to systematically document all received instructions from the Controller;
b. in the case of a legal obligation imposed on the Processor by the law of the European Union or a Member State to which the Processor is subject to transfer personal data to a third country or international organization, the Processor is obliged to inform the Controller about this in writing. The Processor is released from the above obligation if the law prohibits them from providing such information due to an important public interest;
c. the Processor takes all technical and organizational measures required under Article 32 of the GDPR to ensure an appropriate level of security for the processing of personal data;
d. the Processor supports the Controller, as far as possible and within the scope of available information, in the performance of obligations arising from the GDPR, without undue delay from the date of receiving the Controller's request, as a rule within 7 days, with the reservation that in the case of requests requiring increased effort, system integration or technical analysis, this period may be appropriately extended, about which the Processor will inform the Controller - in the scope of exercising the rights of the data subjects specified in Chapter III of the GDPR and in the scope of performing the obligations arising from Articles 32 – 36 of the GDPR;
e. the Processor makes available to the Controller all information necessary to demonstrate compliance with the obligations set forth in Article 28 of the GDPR;
f. the Processor enables the Controller or an auditor authorized by them to conduct audits and inspections and actively contributes to their implementation.
VI. Further Processors
1. The Processor may entrust the processing of personal data to other specialized entities or subcontractors, i.e., further processors, to the extent necessary to perform the Contract for the supply of a Digital Service.
2. A list of further processors is available for the Controller's inspection upon their request. The Processor shall make the list available upon the Controller's request sent via e-mail within 7 days of receiving the message with the request.
3. Further processors will process the data throughout the entire period of the Contract's performance, and after its termination for the period required by law.
4. In the event of entrusting the processing of personal data to another entrusted entity, the Processor shall reserve at least the same obligations as imposed on them under this Agreement.
5. The Processor is obliged to control other entities processing personal data.
6. The Processor declares that they are aware that they bear full responsibility towards the Controller for the fulfillment of obligations by another entity processing personal data on the basis of Article 28(4) of the GDPR.
VII. Authorization to Process Personal Data
1. The Processor shall authorize to process personal data only persons who have committed themselves to confidentiality or are subject to an appropriate statutory obligation of confidentiality.
2. Section VI of this Agreement does not limit in any way the right of the Processor to grant authorizations to process personal data on the basis of Article 29 of the GDPR.