Conditions for the processing of Personal data
In accordance with the laws on personal data protection, the Provider, acting as a processor, performs processing of personal data for the User, acting as a controller, according to the instructions of the User.
Subject-matter of processing, categories of data subjects and type of personal data
- The subject-matter of the processing is the personal data of the Customers entered into the Service by the User or processed by the Provider on its behalf, especially identification data, addresses, contact details, information about the Customer's transactions within its relationship with the User, information about Customer's actions within the User's website, content of the Communications, Customer's activity relating to the received Communications and, where applicable, other data provided by the User to the Provider and relating to the Customer (hereinafter the "personal data").
- The extent to which the Customer's personal data is processed in each particular case shall always be determined solely by the User.
Nature, purpose and means of the processing
- The Provider processes personal data by automated means using statistical methods for the purpose of creating individualized Communications for the Customers, sending those Communications to the Customers and evaluating the results of business campaigns.
Duration of the processing
- The processing of personal data by the Provider will be performed for the term of the Agreement. The Provider undertakes to perform its obligations regarding the protection of personal data for the entire term of the Agreement, unless it is apparent from the provisions of the Agreement that they should continue to be in effect after its expiry.
- The personal data will be erased by the Provider upon the User's instruction, but no later than 30 days after the termination of the Agreement. Until that time, the User is entitled to download a copy of the personal data.
Representations of the User
- The User represents and warrants that, as a controller of the personal data of the Customers, it fulfils all its obligations under the laws on personal data protection at the date of conclusion of the Agreement, in particular that it:
  - processes personal data on the basis of proper titles and has a valid legal title for the processing of personal data of the Customers for the purpose, to the extent, by the means and in the manner specified by the User in accordance with these Conditions for the processing of personal data;
  - informs the Customers about the processing of their personal data, to the extent stipulated by the laws on personal data protection;
  - enables the Customers to exercise their rights under the laws on personal data protection;
  - erases the personal data as soon as the purpose for which it was processed has ceased;
  - fulfils all its other obligations under the laws on personal data protection;
  - within 24 hours of receiving them, sends the Provider, by automated means via the Services interface, information about any withdrawals of the Customer's consent to the processing of personal data, objections to the processing of personal data, revocations of consent to the sending of the Commercial Communications and other acts affecting the possibility of processing the Customer's personal data according to the Agreement, and always respects these;
  - within 24 hours of receiving information from the Provider that a Customer's consent to the processing of personal data has been withdrawn, that any objection to the processing of personal data has been made, that consent to the sending of Commercial Communications has been withdrawn or that any other act affecting the processing of personal data of the Customers according to the Agreement has been made, responds adequately to these and always respects these.
- Should damage (material or non-material) be incurred by the Provider as a result of non-compliance with the User's obligations under the laws on personal data protection, the User undertakes to fully compensate the Provider for this damage. For the purpose of this provision the damage incurred by the Provider means in particular: (i) compensation for damage (material or non-material) to data subjects defined in the laws on personal data protection and (ii) fines imposed by The Office for Personal Data Protection or other administrative authority.
General principles of personal data processing
- The Provider, in connection with the processing of personal data:
  - processes personal data solely on the basis of the User's instructions made via the interface of the Services provided or by other means, including transfers of personal data to a third country or to an international organization, unless such processing is already required by EU law or the law of a member state which applies to the User; in that case the Provider informs the User of this legal requirement prior to processing, unless that legislation prohibits such disclosure for important reasons of public interest;
  - does not process personal data obtained for the purpose of providing the Services for the Provider's own purposes;
  - ensures that persons authorized to process personal data are bound by a contractual duty of confidentiality or are subject to a statutory duty of confidentiality;
  - does not engage any other processor without the prior specific or general written authorisation of the User;
  - takes into account the nature of the processing;
  - assists the User through appropriate technical and organisational measures, insofar as this is possible, in the fulfilment of the User's obligation to respond to requests for exercising the Customers' rights;
  - assists the User in ensuring compliance with the User's obligations to ensure an appropriate level of processing security, to report personal data security breaches to the supervisory authority and, where applicable, to the Customers, to assess the impact on the protection of personal data and to conduct prior consultations with the supervisory authority, taking into account the nature of the processing and the data available to the Provider;
  - in accordance with the User's decision, either erases or returns all personal data to the User upon termination of the Services connected with the processing of the personal data and deletes existing copies, unless Union law or the law of a member state requires the personal data to be stored; and
  - provides the User with all the information necessary to demonstrate that the obligations set forth in these Conditions for the processing of personal data have been met, and allows for and contributes to audits, including inspections, performed by the User or another auditor authorized by the User.
- In relation to the processing of personal data, the Provider shall keep records of all categories of processing activities performed for the Users, which include:
  - the name and contact details of the Provider, the User and, where applicable, of the Provider's or the User's representative, and the data protection officer;
  - the categories of processing carried out on behalf of the Provider;
  - where applicable, transfers of personal data to a third country or an international organisation; and
  - a general description of the technical and organizational security measures.
Personal data security
- The Provider has adopted and maintains such technical and organizational measures as to prevent unauthorized or accidental access to personal data, modification, destruction or loss of personal data, unauthorized transmissions, other unauthorized processing or any other misuse of personal data.
- The Provider has in particular adopted and is maintaining the following measures to ensure a level of security:
  - the pseudonymisation of personal data;
  - the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services – the measures put in place and their correct functioning will be regularly monitored;
  - the ability to restore the availability of and access to personal data in a timely manner in the event of physical or technical incidents;
  - a process of regular testing, assessing and evaluating the effectiveness of the technical and organisational measures for ensuring the security of the processing;
  - a multi-level firewall;
  - antivirus protection and unauthorized access control;
  - encrypted data transfer via IT technologies;
  - access to personal data only for the Provider's authorized persons;
  - servers holding personal data locked in the server room; and
  - backups of data transferred to another location by encrypted transmission, accessible to the Provider's authorized persons only.
- The Provider may allow the User to access the User's data, including the Customers' personal data, through the API. In this case, the User is required to ensure that only authorized personnel can access the API. The Provider is not responsible for any data loss or privacy violation in the event that the API is misused or that data is misused after being made available via the API.
- In the event the Provider detects any personal data breaches, the Provider will report them to the User without an undue delay.
Special provisions for providing Mailkit Agency Service
- Where the Mailkit Agency Service is provided, the following provisions of this Article will apply. However, these provisions will not apply in cases where the Agency and the Clients together form a single natural or legal person; in such a case, the Agency (Clients) will, as the User, fully comply with the other articles of these Conditions for the processing of personal data.
- The controller of personal data of the Customers is always the Client, with the Agency acting as a processor and the Provider acting as another person involved in the processing of personal data.
- The Agency will oblige the Client to fulfil the User's obligations under the Conditions for the processing of personal data no later than at the moment of the first use of the Services by the Client. The Agency is liable to the Provider for the proper performance of the obligations under this article by the Client.
- The Agency declares that it has the permission of the Client, as the personal data controller, to engage the Provider, as another person involved in the processing of personal data, in the processing of personal data. At the same time, the Agency represents that the contract concluded between the Client as the personal data controller and the Agency as the personal data processor complies with the legal requirements for a contract between a controller and a processor of personal data, and that the Agency, as a processor, always complies with this legislation. The Agency is entitled to use these provisions of the Conditions for the processing of personal data for setting up the contractual relationship with the Client.
- The provisions of these Conditions for the processing of personal data governing the relationship between the Provider and the User shall apply equally to the relationship between the Provider and the Agency.
- This current version of the Conditions for the processing of personal data is valid and effective from May 1, 2017.
Annex No. 1 – Recommendations for the implementation by the personal data controller
Below are recommendations for implementation by personal data controllers (i.e. entrepreneurs) in the area of personal data protection and the protection of data subjects (i.e. their customers) against unsolicited commercial communications on their part.
It is always necessary to ensure that personal data (including data processed in commercial communications and cookies) are processed on the basis of the applicable and most appropriate legal ground, ensuring the lawfulness of the processing.
The following sections of this Annex are therefore designed so that the appropriate legal ground for the processing is identified and any specifics of processing in the relationship between the controller and the data subject are described.
This information is not legal advice, but only basic informative recommendations for persons processing personal data. The completeness or correctness of this information is not guaranteed.
Part A – Personal Data
In the areas of "general" processing of personal data, i.e. not in connection with the sending of the Commercial Communications or with the collection of so-called cookies (see below), the general rules on the processing of personal data apply.
In order for personal data to be processed in accordance with the laws on personal data protection, it is necessary to:
- define the purpose and means of the processing (depending on the particular case);
- define the legal ground on which the processing will be based (in particular the performance of a contract with the data subject, or if the processing cannot be subsumed under performance of a contract, the legal ground would be the legitimate interest of the controller, or if the previous two legal grounds cannot be used, the consent to the processing of personal data will be a legal ground for the processing);
- fulfil any additional obligations associated with the appropriate legal ground (assessment of the legitimacy of the interest in the case of processing on the basis of a legitimate interest, information about the possibility to withdraw consent, etc.);
- fulfil the information obligation towards the data subject (see below); and
- fulfil other general obligations with regards to the processing of personal data (in particular keeping the relevant documentation, defining the organisational and technical measures for the protection of personal data, etc.).
Legal grounds for the processing
Primarily, all processing of personal data relating to the business activity of the controller will be performed on the basis of the performance of the contract with the data subject (processing necessary for the sale of goods and the provision of services).
For the sending of commercial communications (which is not processing necessary for the performance of the contract) that are identical for all data subjects or defined on the basis of the transaction history of the data subjects, the legitimate interest of the controller may be used. The legal ground of legitimate interest is also used for the processing of cookies (although it will probably be necessary to obtain explicit consent in the future).
On the other hand, if advanced analytics or other personal data operations that by their nature differ from plain "direct marketing" were to be performed, it would be necessary to obtain the prior consent of the subject to the processing of personal data for these purposes – such consent may for example be a condition for inclusion in the controller's discount or loyalty program.
However, it is necessary to point out that the boundary up to which legitimate interest can be used instead of consent to processing is not clearly defined (it depends on the reasoning and justification of such processing by the controller), and it cannot be guaranteed that a particular processing could be performed on the basis of a legitimate interest.
In any case, the data controller must inform the subject about obtaining his or her personal data, irrespective of the legal basis used for the processing (performance of the contract, legitimate interest of the controller, consent of the subject). If consent is used, the giving of consent cannot be enforced.
Content of the information obligation
Where personal data are collected from data subjects, data subjects must be informed of the following:
- the identity and the contact details of the controller and, where applicable, of the controller's representative;
- the contact details of the data protection officer, where applicable;
- the purposes of the processing for which the personal data are intended as well as the legal basis for the processing (in this case the performance of the contract, the legitimate interest or the consent of the data subject);
- legitimate interest of the controller (in the case of processing based on legitimate interest);
- the recipients or categories of recipients of the personal data, if any, i.e. in this case the processor;
- the period for which the personal data will be stored;
- the existence of the right to request from the controller the access to and rectification or erasure of personal data or restriction of processing concerning the data subject or to object to processing as well as the right to data portability;
- the right to withdraw consent to processing (in the case of processing based on consent);
- the right to lodge a complaint with a supervisory authority;
- where applicable, the fact that the controller intends to transfer personal data to a third country and the existence or absence of an adequacy decision by the Commission, or in the case of transfers referred to in Article 46 or 47 of the GDPR, or the second subparagraph of Article 49(1) of the GDPR, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available;
- the fact that the processing of the data is necessary for entering into a contract (in the case of processing necessary for performance of the contract);
- the fact that automated decision making, including profiling, as referred to in Article 22 (1) and (4) of the GDPR is performed and, at least in these cases, the meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
In the case where processing is based on the legitimate interest of the controller, the data subject has to be explicitly informed, clearly and separately from any other information, about the right to object to the processing.
Please note that the rights of data subject include, for example, the right to request from the controller access to personal data relating to the data subject, their rectification, erasure or restriction, and the right to object to processing. It is always necessary to appropriately respond to a request by the data subject to exercise these rights. Under specific conditions, for example, it may be necessary to terminate the processing of the personal data for certain purposes or to completely erase the personal data.
Part B – Commercial Communications
In relation to the sending of commercial communications, it is necessary to ensure compliance with the laws on personal data protection and the general regulation on sending commercial communications.
Regarding the laws on personal data protection, the forms of processing of personal data in this context are the act of sending a commercial communication to the subject's e-mail address as well as all previous and subsequent analyses of the behaviour and possible demographic characteristics of the subject, including the collection of the data itself (whether based on information from the subject or on tracking the subject on the website).
All these forms of processing mentioned above, however distinct from each other, are directed towards one common goal, namely marketing communication in relation to the subject. For this reason, it is useful not to divide this purpose but to base it on a common legal ground (combining personal data obtained for different purposes is very problematic). An appropriate legal ground may be the legitimate interest of the controller in supporting his/her business and addressing the subjects (its customers), or the subject's consent in the case of a more advanced analysis of the behaviour of data subjects and the monitoring of their behaviour.
The following consequences are associated with using the legitimate interest:
- the duty to internally assess the legitimacy of interest and to have such assessment available;
- the obligation to inform data subjects; and
- the right of the data subject to object to the processing and the obligation of the controller to explicitly inform the data subject about that right.
Furthermore, with regard to the general regulation on sending commercial communications, which is aimed at preventing the sending of unsolicited commercial communications, it can generally be noted that relatively strict conditions have to be met in order to ensure compliance with the applicable legislation. Therefore, it is not possible to send to data subjects:
- any unsolicited messages sent by e-mail and/or SMS to the recipient without complying with the applicable legal requirements, i.e. in practice especially without the recipient's prior consent obtained through the double opt-in method (by filling in the form on the website and at the same time confirming the interest in receiving these commercial communications by clicking on a link in an e-mail or by sending a verification SMS);
- any commercial communications that do not contain the mandatory content of a commercial communication set out in the article "Compulsory Content of Communications" of the Terms or are not in compliance with the article "Conditions for provision of Mailkit Service" of the Terms;
- any commercial communications where the data subject has refused the use of its data for the purpose of sending business messages, or after the subject has refused to consent to the use of its electronic contact for the purposes of sending commercial communications, or the subject has informed the controller that he or she does not agree with any further sending of commercial communications;
- any commercial communications relating to products or services that are not provided by the controller or which are not similar to the products or services in connection with the sale of which the controller obtained the e-mail address or telephone number of the subject, unless the subject has given prior consent.
Part C – Cookies
At the moment, cookies can be processed in opt-out mode. This means that it is possible to store them on the end device of the subject and further process them without the explicit consent of the data subject, but the data subject must be informed of this fact and allowed to refuse such processing without any significant deterioration of the service (or of those parts of it which do not depend on cookies).
In the case of cookies, the above-described rules on objections to processing apply accordingly, including "do not track" requests. However, implementation of an opt-in mode is being considered for the future.
Where cookies can be assigned to an identifiable data subject (e.g. when monitoring registered data subjects), the laws on personal data protection also apply. It is then necessary to comply with all obligations relating to the protection of personal data (Part A), including the legal ground for processing, fulfilment of the duty to inform and the handling of "do not track" requests.