When setting up your account you electronically agree to the following Data Processing Agreement. This Agreement will always be available in your Account for your information.
This Agreement constitutes an integral part of an agreement between GetResponse Sp. z o.o. with its registered office in Gdańsk (80-387), Arkońska 6, A3, entered in the Register of Enterprises of the National Court Register kept by the District Court for Gdańsk-Północ in Gdańsk, 7th Commercial Division of the National Court Register, at KRS No. 0000187388, with NIP No. 9581468984, REGON No. 192998251, with a share capital of PLN 5.559.840,00, hereinafter: “GetResponse”, and the Client, binding on the basis of acceptance of GetResponse Terms of Service.
The Client and GetResponse are hereinafter also jointly referred to as “Parties” and each separately as a “Party”.
The service provided by GetResponse to the Client (“Service”) may require GetResponse to process Personal Data (as defined below), and the Parties wish to ensure that the Personal Data processing is in conformity with the applicable laws, in particular with Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”) – from the moment it shall apply – and with other applicable personal data protection laws;
The Client is the controller of the personal data processed in the course of using the Service (“Personal Data”) or acts as a processor, based on an authorization granted by the Personal Data controller and on behalf of the controller. The detailed scope of Personal Data and the categories of data subjects are defined in Annex 1;
GetResponse provides the Service to the Client based on the GetResponse Terms of Service (“Terms of Service”) with this Agreement constituting an integral part thereof.
The Parties have decided as follows:
Pursuant to Article 28(3) of the GDPR, the Client engages GetResponse in processing of the Personal Data and GetResponse hereby accepts the processing.
GetResponse shall process the Personal Data: (i) in accordance with applicable laws and the Agreement, (ii) exclusively for the purpose of providing the Service to the Client by GetResponse, (iii) to the extent defined in Annex 1 and (iv) in the period from the commencement of Service provision to Agreement termination, subject to §7(2) hereof.
The role of GetResponse shall be limited to providing the Client with the Service tools to be used for the purpose of Personal Data processing. GetResponse does not have any impact on the scope of the Personal Data processed by the Client in the Service, except for specifying the minimum scope of the Personal Data required for the proper use of the Service. GetResponse does not determine the purposes and means of processing, does not monitor the scope of these data or the lawfulness of the basis for their processing, nor does it check if the Client processes them correctly.
The Client hereby represents that it has obtained and that it processes Personal Data in accordance with applicable laws, including GDPR. The Client confirms in particular that it has: (i) obtained and holds the legally required direct marketing consents, including consents to send commercial information by e-mail or telephone and to use telecommunications terminal equipment and automated phone call systems for direct marketing purposes – if the Client carries out such activities, (ii) informed the data subjects about the processing of the data to the extent and in a manner required under the GDPR, (iii) has the right to process Personal Data and engage GetResponse for carrying out processing activities to the extent and for the purpose defined in Annex 1 hereto. Notwithstanding the foregoing, if the Client is not the Personal Data controller, it confirms that it has received the permission of the respective controller as required under the GDPR to engage GetResponse for carrying out processing for the purpose and to the extent in question.
The Client hereby confirms that the technical and organizational measures implemented by GetResponse and defined in Annex 2 are suitable and sufficient for the protection of the rights of data subjects, and the Client considers GetResponse to be providing sufficient guarantees in this respect.
The Client shall inform GetResponse without undue delay about any inspection performed by the Inspector General for the Protection of Personal Data (“IGPPD”), and from the moment of its appointment - President of the Personal Data Protection Authority (“PPDPA”) that is connected with the processing of the Personal Data entrusted to GetResponse and about any notice from the IGPPD or PPDPA requesting explanations regarding the same.
GetResponse shall process the Personal Data exclusively in line with the instructions from the Client, unless the European Union or Member State law requires otherwise. In the latter case, §4(6)(a) hereof shall apply.
The Client’s instructions are given in the Agreement or can be given and followed through the functionalities provided by GetResponse in the Service. The Client shall make sure that any instructions given to GetResponse are in conformity with applicable data protection laws.
Any further instructions that go beyond the instructions defined in §3(2) above must pertain to the subject matter of the Agreement or the subject matter of the Service provided in accordance with Terms of Service. If executing further instructions results in costs for GetResponse, GetResponse shall inform the Client about such costs, explaining the amounts of the costs, before executing the instruction. Only upon the Client’s confirmation of bearing these costs and their payment is GetResponse obliged to execute further instruction, provided that technical and organisational measures allow it. The Client shall give further instructions in writing, unless urgency or other special circumstances justify giving instructions through electronic means of communication. Instructions in any form other than in writing should be subsequently properly documented without undue delay.
GetResponse shall immediately inform the Client if GetResponse believes that an instruction infringes the GDPR or other European Union or Member State data protection provisions, and shall request the Client to withdraw, change or confirm the challenged instruction. While waiting for the Client’s decision, GetResponse has the right to suspend the performance of the challenged instruction. If, despite the Client’s explanation, executing the challenged instruction would infringe the GDPR or other European Union or Member State data protection provisions, GetResponse has the right to refrain from executing the instruction.
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks for rights and freedoms of natural persons, GetResponse hereby represents that as per Article 32 of the GDPR, GetResponse has implemented appropriate technical and organizational measures to secure the processing of Personal Data. The description of the implemented measures is available in Annex 2. GetResponse may at any time change the implemented measures, provided that the protection level they ensure is not lower than that ensured by the measures applicable at the conclusion of the Agreement. The information about the current technical and organizational measures along with the information about any changes to the scope of the implemented measures can be found in the Client Account as of May 25, 2018. At a justified request of the Client, GetResponse shall make available to the Client any further information necessary to demonstrate its compliance with the obligations laid down in Article 28 of the GDPR. The last sentence of §4(5) hereof shall apply as appropriate.
GetResponse shall ensure appropriate security of the Personal Data against unauthorized access and unauthorized seizure, as well as against damage, destruction or loss, and shall take any necessary steps as required by law to keep the Personal Data and how they are secured confidential.
GetResponse hereby represents that all persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality as per Article 28(3)(b) of the GDPR, and GetResponse shall be liable for their acts or omissions as for its own acts or omissions.
It is the responsibility of the Client to satisfy the requests of Personal Data subjects and to prepare replies to such requests. GetResponse shall reasonably support the Client to the best of its abilities and to a reasonable extent, in fulfilling its obligations, in particular through the application of appropriate technical and organizational measures necessary for the Client to support the exercise of the data subjects’ rights under the GDPR.
GetResponse shall assist the Client in compliance with the obligations pursuant to Articles 32 to 36 of the GDPR in respect of the Service by providing the Client with the necessary information. In respect of assisting the Client in data protection impact assessment (Article 35 of the GDPR) and in prior consultation with the supervisory authority (Article 36 of the GDPR), GetResponse shall assist only insofar as the Client is unable to fulfill its obligations by other means. GetResponse shall inform the Client about the costs of such assistance. Once the Client confirms that it will cover such costs, GetResponse shall provide the required assistance.
GetResponse shall inform the Client without undue delay upon receiving any credible and confirmed information:
To ensure proper provision of the Service, the Client authorizes GetResponse to engage other processors for carrying out processing activities. For the avoidance of doubt and without limiting the general authorisation granted to GetResponse in the preceding sentence, the Client in particular agrees to the sub-processors listed in Annex 3.
The current list of GetResponse’s sub-processors is available in the Client’s Account as of May 25, 2018. GetResponse shall inform the Client about any intended changes concerning the addition or replacement of other processors. The Client shall be informed about this through a notice in the Client’s Account and properly in advance. The Client shall have the opportunity to object (via electronic means of communication or by post) to such changes within 14 days of receiving a notice on the intended change. If the Client does not object within 14 days of receiving the information about the intended change, the Client is deemed to have agreed to the change. Having received an objection, GetResponse has 30 days to determine how to proceed in relation to the objection. On the expiry of that period, each Party may terminate the Agreement in line with the provisions of the Service Agreement. Notwithstanding the foregoing, GetResponse stipulates that the Client’s objection to a chosen sub-processor may render the Client unable to use all the functionalities of the Service.
Engagement of other processors may only take place within the limits of and for the purpose of performing the Service. GetResponse hereby represents that (i) the sub-processors it has engaged meet all the requirements arising from the GDPR and from applicable data protection provisions, (ii) it has entered into Personal Data processing agreements with the sub-processors as required under Article 28(4) of the GDPR and that such agreements include provisions imposing obligations analogous to those defined in the Agreement in respect of GetResponse, and that (iii) the personal data protection standard followed by the sub-processors is at least equal to the personal data protection standard followed by GetResponse. If a sub-processor chosen by GetResponse is located in a third country within the meaning of the GDPR, GetResponse shall be obliged to ensure that the conditions set in Chapter V of the GDPR are met.
The Client shall have the right to audit GetResponse’s compliance with the Agreement in terms of Personal Data processing (“Audit”). An Audit may also be conducted by an independent auditor mandated by the Client, subject to prior conclusion of confidentiality agreement between the auditor and GetResponse.
The Client shall not appoint as an auditor any entity conducting directly or indirectly competitive activity in relation to activity conducted by GetResponse. Competitive activity shall mean any activity, whether or not fee-based, irrespective of the place and territory where it is carried out, regardless of the legal form, conducted in the same or the same subject range and addressed to the same group of recipients, coinciding – even partially – with the scope of the main or the side activity of GetResponse or of entities from the GetResponse group worldwide. Assessment of whether an entity is a competitor will include not only the subject of business activity of such an entity as listed in its articles of association or other document constituting the basis for its functioning, but also any activities actually pursued by that entity. If the Audit is mandated to GetResponse’s competitors, GetResponse shall have the right to refuse to allow the Audit until another entity is mandated to carry out the Audit on behalf of the Client or until the Parties agree on how to further proceed.
The Audit shall be subject to the following conditions: (i) it may only apply to the Personal Data entrusted to GetResponse for processing under the Agreement, it shall be limited to GetResponse’s registered office, devices used to process the Personal Data and staff involved in the processing hereunder; (ii) it shall be carried out efficiently and as quickly as possible, taking no more than 2 working days, (iii) it shall not take place more than once a year, unless it is required under applicable laws or by a competent supervisory authority or takes place promptly after a material breach of the Personal Data processed hereunder is identified, (iv) it may take place during regular working hours of GetResponse, in a manner that does not disrupt GetResponse’s business and is in conformity with GetResponse’s security policies; (v) the Client shall inform GetResponse about the intention to carry out the Audit via electronic means of communication or by post at least 14 working days before the intended Audit date. If an Audit cannot be carried out as intended for reasons beyond GetResponse’s control or if other unexpected obstacles arise, GetResponse shall inform the Client about such circumstances and shall suggest a new Audit date, which shall not be later than 7 working days after the date specified by the Client; (vi) the Client shall bear all costs arising from or connected with an Audit, except where an Audit reveals a serious breach of Personal Data security rules that pertains or is a threat to the Client’s Personal Data; (vii) an Audit cannot be intended or lead to the disclosure of legally protected secrets (including GetResponse’s trade secrets). The Client shall create an Audit report that summarizes the Audit findings. The report shall be submitted to GetResponse and shall represent GetResponse’s confidential information which cannot be disclosed to any third parties without GetResponse’s written permission unless this is required by the applicable laws.
If GetResponse adheres to an approved certification mechanism referred to in Article 42 of the GDPR or an approved code of conduct referred to in Article 40 of the GDPR, the Client’s auditing rights may also be exercised through GetResponse’s reference to the results of the monitoring of the rules of certification or the code of conduct. If this is the case, the Audit shall only address issues that cannot be sufficiently clarified through the submission of such results by GetResponse.
If the Agreement is terminated, GetResponse shall, according to the Client’s statement, delete the Personal Data (by deleting any existing copies of Personal Data) or return them to the Client (along with any media where they are stored, if possible), unless GetResponse has the right to further process the Personal Data for a longer period based on independent legal grounds. If GetResponse does not receive the statement referred to in the preceding sentence, whether in writing or by e-mail, within 5 days of Agreement termination, the Client shall be deemed to require that the entrusted Personal Data be deleted. If the Client chooses to have the Personal Data returned, GetResponse shall provide the same to the Client or enable the Client to download the Personal Data in a commonly used and machine-readable format.
The Client may obtain a copy of the processed Personal Data throughout the term of the Service Agreement, but no later than 60 days after the Client’s Account has been deactivated. In the said period of 60 days after the Client’s Account has been deactivated, the Personal Data shall only be processed by GetResponse for the purpose of potential reactivation of the Client’s Account, and shall only involve Personal Data storage for the Client without any other processing activities, subject to GetResponse’s other obligations or rights arising from applicable laws or public authorities’ orders. After the expiry of this term, Personal Data shall be deleted from the main base without possibility of recovery. In the next 120 days, Personal Data shall be subject to encryption and stored in backup copies only. The said 120-day period is required to delete the Personal Data completely due to the specifics of the backup copy operations.
GetResponse’s liability in contract and in tort shall be limited to direct actual losses incurred by the Client. GetResponse shall not be liable for lost profit, notwithstanding the source, except where this is caused by wilful misconduct or gross negligence.
GetResponse’s total liability, notwithstanding the number of and grounds for the Client’s claims, shall be limited to the equivalent of the amount payable for the Service for three settlement periods (settlement period shall mean, respectively, a monthly period or 30 days) paid by the Client in the settlement period immediately preceding the date when the event causing the damage occurred, with the exclusion of any amounts representing setup fees or any extra charges. The Client hereby releases GetResponse from any liability above that limit.
GetResponse shall not be liable for not performing or improperly performing the Agreement resulting from Force Majeure.
The Parties agree that the Client shall be liable for satisfying any and all claims of Personal Data subjects in connection with any damage arising from improper processing of personal data hereunder, unless the Client demonstrates that the damage resulted from the sole fault of GetResponse or GetResponse’s sub-processors. If the Client fails to demonstrate this, the Client shall unconditionally indemnify GetResponse and hold it harmless in respect of any claims filed by the entities whose Personal Data GetResponse has processed based on the Agreement, and in connection with the processing of such data hereunder. If action is brought against GetResponse, the Client shall, if so required by GetResponse, join the proceedings as a party and assume full liability for the claim.
The Parties jointly agree that save as otherwise provided in the Agreement, GetResponse’s remuneration for the activities hereunder is included in the remuneration due for the provision of the Service to the Client.
The Agreement has been concluded for an indefinite period, but it shall be terminated no later than on the day of return or deletion of Personal Data according to §7 hereof.
The Agreement shall supersede any arrangements between the Parties in respect of entrusting Personal Data which the Parties may have made before in connection with the Service, notwithstanding the form of such arrangements.
Any amendments to the Agreement shall be made in writing, including electronic means of communication.
Any communications between the Parties shall be sent to the following addresses only:
The Agreement has been executed in two counterparts, one for each Party.
Purpose of the Personal Data processing
Personal Data shall be processed by GetResponse in order for the Client to use the Service provided by GetResponse.
Nature of the processing and the processing activities
Processing is both automated and non-automated. Personal Data processing by GetResponse takes place using the IT systems provided within the Service and includes the following processing activities: collection, recording, storage, adaptation, alteration, disclosure, backing up Personal Data, as well as other activities as required to provide the Service.
GetResponse shall not communicate directly with the Personal Data subjects in the course of Personal Data processing.
GetResponse’s role is limited to making the Service tools available to the Client for use in order to process the Personal Data. GetResponse does not have any impact on the scope of Personal Data processed by the Client within the Service, does not determine the purposes and means of their processing and does not monitor the scope of such Data.
Categories of data subjects
The Client engages GetResponse in processing of the Personal Data of the following categories of data subjects:
As a rule, the Service is not intended to process special categories of personal data referred to in Article 9 of the GDPR, personal data relating to criminal convictions and offences referred to in Article 10 of the GDPR, nor personal data of children. However, the decision as to the scope of data to be processed by GetResponse in the Service belongs to the Client. By using the Service to process such data, the Client confirms that the security measures implemented by GetResponse are in its opinion sufficient to protect the entrusted Personal Data.
Categories of Personal Data to be processed
The Client engages GetResponse for processing of the following categories of Personal Data:
A. Organizational security measures.
B. Technical security measures.
GetResponse uses the support of its subsidiaries, as well as external sub-contractors to provide the Service. The sub-processors listed below provide services supporting some of the tools of the Service (webinars), hosting and colocation, customer support, incident tracking, troubleshooting, and services concerning identifying and solving problems in the Service.
|Name of sub-processor|Corporate location|
|ArtNet Sp. z o.o.|Poland|
|ClickMeeting Sp. z o.o.|Poland|