PERSONAL DATA PROCESSING AGREEMENT
(“Entrustment Agreement”)

concluded between:

the User within the meaning of the Terms and Conditions
(“Administrator”) and
BMCG Software sp. z o.o. with its registered office in Warsaw, Balbinki 4, 02-495 Warsaw, District
Court for the Capital City of Warsaw in Warsaw, 14th Commercial Division of the National Court
Register under KRS number: 0000631398, share capital: PLN 127,200, NIP number: 125-164-49-59,
REGON: 365151727, e-mail: office@powerhub.pl (“Processor” or “POWERHUB”)

The Administrator and the Processor are hereinafter jointly referred to as the “Parties” and individually
as the “Party”.

1. Subject matter of the Entrustment Agreement

1.1. The subject matter of the Entrustment Agreement is, respectively, the entrustment or sub-entrustment
by the Controller to the Processor of the processing of personal data in connection with the performance
of agreements concluded by the Parties (“Main Agreements”), pursuant to Article 28(3) of Regulation (EU)
2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural
persons with regard to the processing of personal data and on the free movement of such data, and
repealing Directive 95/46/EC (OJ EU L No. 119, p. 1) (“GDPR”).

1.2. The Controller entrusts the Processor with the processing of personal data to the extent specified
in the Entrustment Agreement and for the purpose of performing the Main Agreement, and the
Processor undertakes to process personal data in accordance with the Regulations and the
GDPR.

1.3. The Entrustment Agreement shall apply mutatis mutandis to cases where the Controller is the
processor of the entrusted personal data – in such a case, the Processor shall become a subprocessor.

1.4. The Entrustment Agreement does not apply to cases where the Processor processes personal
data as an independent controller.

2. Scope of entrusting processing

2.1. The Controller entrusts the Processor with the processing of personal data in the following scope:
(a) categories of data subjects: the Controller’s staff, subcontractors, customers, suppliers or
contractors;
(b) categories of personal data: to the extent necessary for the performance of the Main
Agreement, the data entered, in particular: first and last name, title (Mr/Ms), company
name, tax identification number, registered office address, e-mail address, delivery address,
telephone number, order details.

2.2. The Processor is authorised to perform the following processing activities on the entrusted data:
recording, organising, structuring, storing, adapting or modifying, retrieving, consulting, using,
disclosing by transmission, dissemination or otherwise making available, aligning or combining,
restricting, deleting or destroying. The scope of processing operations depends on the Controller’s
instructions, issued as a rule through the implementation of the Main Agreement.

3. Processing only on the documented instructions of the Controller

3.1. The Processor shall process personal data only based on the provisions of the Entrustment
Agreement and documented instructions from the Controller.

3.2. Processing of personal data beyond the scope of point 2 requires an amendment to the
Entrustment Agreement.

3.3. The above does not apply if the Processor acts to fulfil an obligation imposed on it by European
Union law or the law of a Member State to which the Processor is subject, and the fulfilment of
that obligation cannot be reconciled with the provisions of the Entrustment Agreement. In such a
case, prior to commencing processing, the Processor shall inform the Controller of the legal
obligation in question, unless the applicable law prohibits the provision of such information.

4. Confidentiality obligation

4.1. The Processor shall authorise only those members of its staff who have been trained in the
protection of personal data and are involved in the performance of the Main Agreement to
process the personal data entrusted to it.

4.2. The Processor shall ensure that the persons referred to in point 4.1:
(a) process personal data in accordance with the principle of necessary knowledge, and
(b) undertake to keep personal data confidential or are subject to an appropriate statutory
obligation of confidentiality.

5. Security of processing

5.1. The Processor shall ensure that appropriate technical and organisational measures are
implemented to ensure that the processing complies with the GDPR, including a level of security
of processing appropriate to the risk of infringement of the rights and freedoms of data subjects,
by conducting and updating the results of a risk analysis and implementing a risk management
plan. In particular, the Processor shall ensure the protection of the entrusted data against
accidental or unlawful destruction, loss, modification, unauthorised disclosure or access,
transmission, storage or other processing that could, in particular, lead to physical, material, or
non-material damage.

5.2. The security measures implemented by the Processor are specified in Appendix A.

5.3. The Processor may not use personal data for purposes other than those specified in the
Entrustment Agreement; in particular, the Processor may not transfer personal data to third parties without express consent, nor may it create copies or duplicates of personal data, except
that the above restriction does not apply to the creation of backups for the purpose of ensuring
the proper processing of personal data.

6. Further entrusting of processing

6.1. The Processor may use the services of further processors in connection with the performance of
the Main Agreement. The list of further processors to whom the Processor entrusts the processing
of personal data is set out in Appendix B.

6.2. The Processor shall notify the Controller of any intended changes regarding the addition or
replacement of further processors by updating Appendix B. The Controller may object to such
changes within 5 days of receiving the notification by terminating the Main Agreement with
immediate effect. The Administrator’s continued performance of the Main Agreement shall mean
that the Administrator does not object to the update of Appendix B.

6.3. The use of a sub-processor is only permitted based on an agreement that imposes the same
data protection obligations on that entity as those imposed on the original Processor under the
Entrustment Agreement.

6.4. If a sub-processor fails to fulfil its data protection obligations, the original Processor shall be
fully liable to the Controller for the fulfilment of the obligations of that sub-processor.

6.5. The Controller authorises the Processor to grant authorisations, issue instructions and orders
within the meaning of Article 29 of the GDPR in relation to sub-processors.

7. Transfer of personal data

7.1. To the extent necessary for the proper operation of the Processor’s ICT infrastructure and the
efficient functioning of processes within the Processor’s organisation, including the storage of
documents or communication between persons involved in the performance of the Main
Agreement, the Processor may transfer or authorise the transfer of entrusted personal data
outside the European Economic Area.

7.2. The transfer of personal data to third countries will be based on the decision referred to in Article
45(3) of the GDPR, and in the absence thereof, the Processor will ensure an adequate level of
protection through the solutions specified in Article 46 of the GDPR, in particular through standard
contractual clauses adopted by the European Commission.

8. Responding to requests from data subjects

8.1. The Processor shall implement organisational and technical measures enabling the Controller to
fulfil its obligation to respond to requests from the data subject.

8.2. If the data subject exercises their right to access, rectify, supplement, delete or restrict the
processing of personal data in relation to the Controller, the Processor shall be obliged to exercise
the data subject’s right in accordance with the Controller’s instructions.

8.3. If the Processor receives a request regarding the exercise of the rights of data subjects, the
Processor shall inform the Controller thereof no later than 7 days after receiving the request.
When providing information about the request, the Processor shall forward the sender’s details
and the content of the request.

9. Deletion or return of personal data

No later than 30 days after the expiry or termination of the last Main Agreement in force or upon
receipt of a request from the Controller, the Processor shall delete all personal data processed on
the basis of the Entrustment Agreement and delete all existing copies thereof, unless European
Union law or the law of a Member State requires the Processor to store personal data or the
personal data is stored in backups of the Processor’s IT infrastructure created in the normal
course of business.

10. Reporting

10.1. At the request of the Controller, the Processor shall provide the information necessary to fulfil or
demonstrate compliance with the obligations under Articles 28 and 32-36 of the GDPR.

10.2. The Processor shall notify the Controller of any personal data breach without undue delay, and
no later than 36 hours after becoming aware of the breach. If the Processor is unable to
provide the Controller with comprehensive information about the breach at that time, it shall provide
such information successively and without undue delay.

11. Inspections

11.1. To verify compliance with the obligations under the Entrustment Agreement, the
Controller shall have the right to conduct inspections to the extent that the Processor processes
the data entrusted by the Controller. The Controller may conduct the inspection independently or
through an authorised person, no more than once every 12 months, and additionally in the event
of an incident.

11.2. The inspection shall be carried out on a date agreed by the Parties, but not earlier than 10
Business Days after notifying the Processor of the intention to carry out the inspection. The
notification should specify the scope of the inspection, the persons involved in carrying it out and
the proposed date. Upon receipt of the notification of the planned inspection, the Processor shall
have the right to notify the Controller of a new proposed date for the inspection, falling no later
than 10 Business Days after the date proposed by the Controller.

11.3. All information and documents made available to the Administrator or a person authorised by
him, or prepared by the Administrator or a person authorised by him, in connection with the
inspection, including the results of the inspection, are confidential and constitute a trade secret
of the Processor (“Confidential Information”). The Administrator is obliged to keep the
Confidential Information confidential and guarantees that the persons authorised by him will
keep the Confidential Information confidential; in particular, the Administrator and authorised personnel:
(a) shall refrain from disclosing Confidential Information to third parties without the prior express consent of the Processor, expressed in writing under pain of nullity;
(b) shall not use Confidential Information for purposes other than conducting inspections, in
particular for commercial purposes.

11.4. The Controller shall be obliged to provide the Processor with a written undertaking from the
person authorised to carry out the inspection to maintain the confidentiality of the Confidential
Information to the extent specified above. The Processor shall have the right to refuse to respond
to, and to grant access to, the person authorised to inspect on behalf of the Controller if the
condition specified in the preceding sentence is not met.

11.5. The inspection may be carried out on Business Days. The inspection may only be carried out to
the extent necessary to check the relevant documentation and obtain the necessary
explanations regarding the implementation of the provisions of the Entrustment Agreement, and
only to the extent that it does not require access to the electronic and IT systems and devices
used by the Processor in the provision of services, as these resources may also process other
personal data not covered by the entrustment relationship between the Parties. The inspection
shall be carried out in a manner that does not disrupt the Processor’s current operations;
otherwise, the Processor shall have the right to suspend the inspection, while indicating to the
Controller the proposed date of its resumption.

11.6. If the inspection is excessively burdensome or exceeds the scope indicated in the notice of
intention to carry out the inspection, the Processor may suspend the inspection and make its
continuation conditional upon the payment of an additional fee, taking into account the
administrative costs of providing information, making documents available, communicating, or
taking other requested or necessary actions in connection with the inspection.

11.7. The Processor shall have the right to refuse to provide the Controller with information covered
by legally protected secrecy, including the Processor’s or third parties’ trade secrets, as well as
information constituting personal data not covered by the Entrustment Agreement, if such
information can be replaced with other information (including statements by the Processor), and
if this is not possible, such information shall be made available to the Controller (or persons
designated by the Controller) only at the location and under the supervision of a person designated by the
Processor, after the Parties and all persons authorised by the Controller to carry out inspections
have concluded an appropriate agreement obliging them to protect such information.

12. Responsibility of the Processor

12.1. The Processor shall be liable to the Controller for any breaches resulting from non-performance
or improper performance of the Entrustment Agreement.

12.2. The Processor shall not be liable to the Controller for any damage resulting from the imposition
on the Controller, by a supervisory authority, of an administrative fine or other administrative
sanction for a breach of personal data protection by the Controller.

13. Final provisions

13.1. This Entrustment Agreement is concluded for the duration of the Main Agreements.

13.2. Capitalised terms not otherwise defined shall have the meanings given to them in the
Regulations.

13.3. The terms “personal data”, “processing”, “restriction of processing”, “personal data breach” or
other terms defined in the GDPR have the meaning given to them in the GDPR and apply to the
Controller.

13.4. In matters not covered by the Entrustment Agreement, the provisions of the Regulations and the
provisions of the Civil Code and the GDPR shall apply.

13.5. The court competent to hear disputes arising from the Entrustment Agreement shall be the court
competent for the Processor’s registered office.

13.6. For purposes related to the Entrustment Agreement, the contact point on the part of the
Processor is the e-mail address: office@powerhub.pl

APPENDIX A
PROCESSOR’S SECURITY MEASURES

Status of GDPR implementation

The GDPR implementation project has been completed, and the Processor has and maintains the
documents required by the GDPR, including a register of all categories of processing activities.
The personal data protection system is continuously maintained and regularly reviewed. Independent
audits of the personal data protection system are carried out once a year, and ad hoc audits are also
carried out as necessary.

The level of security aligns with the identified risks and is continually improved. The
Processor ensures a level of security of the entrusted data adequate to the risk of violation of the rights
and freedoms of natural persons, and in particular, measures to protect the entrusted personal data
against accidental destruction, loss, modification and unauthorised disclosure.

Up-to-date risk analysis results are maintained for resources processing entrusted personal data. A
risk management plan is implemented to maintain and continuously improve the level of personal data
security. If a vulnerability is identified that could cause significant risk, it is included in the risk
management plan and given appropriate priority.

The Processor has adopted data protection documentation covering all aspects of GDPR compliance.
The policies and procedures in place within the organisation are regularly consulted, clarified and, if
necessary, updated in cooperation with the data protection officer’s team.
In connection with the full implementation of the ISO/IEC 27001 standard, the organisation also has
comprehensive documentation of the information security management system, which also covers the
personal data protection system.

Personal data protection policies and procedures

The Processor has prepared and adopted personal data protection policies and procedures in
accordance with Article 24(2) of the GDPR and the requirements of the Polish supervisory authority.
The personal data protection policies and procedures have been communicated to the Processor’s staff.
The Processor has prepared and implemented a security policy or ICT resource management
instructions.

The Processor has prepared a procedure for immediately reporting information security breaches to the
Controller.

Persons performing operations on personal data have been duly authorised to process personal data
pursuant to Article 29 of the GDPR.
The Processor keeps a record of all categories of processing activities, which includes all information
required under Article 30(2) of the GDPR.
The Processor is able to demonstrate compliance with the principles of personal data processing.

Employee awareness

The Processor ensures that, before being allowed to process personal data, an employee is
familiarised with the applicable data protection policies and procedures.

The Processor shall ensure that its staff members’ knowledge is improved through periodic training
and other activities aimed at raising awareness of personal data protection and information security.
The Processor’s employees and associates who are involved in the processing of personal data are
required to maintain confidentiality.

Members of the Processor’s staff who are involved in the processing of entrusted personal data have
been granted appropriate authorisation to process personal data, and their access to data and rights
are restricted in accordance with the principle of necessary knowledge.

Management of breaches, requests from individuals, and support for the Controller in demonstrating compliance with the GDPR

The Processor has implemented a procedure for dealing with possible data breaches.
The Processor has measures in place to enable the exercise of the rights of data subjects, in particular
the right to restriction of processing and the right to be forgotten.

The Processor shall notify the Controller of a personal data breach within the time limit specified
in the Entrustment Agreement. The Processor shall respond to the Controller’s questions to the extent
and within the time limits necessary to fulfil the related obligations under the GDPR.

Data Protection Officer and other data protection functions

The Processor has appointed a Data Protection Officer whose status reflects the requirements of Article
38 of the GDPR and who performs all the tasks specified in Article 39 of the GDPR.
Contact details for the Data Protection Officer: office@powerhub.pl

The Data Protection Officer is independent, and decisions regarding the purposes and means of
processes are made by senior management representatives and the owners of processes and
resources.

In connection with the functioning of the information security management system, persons performing
functions corresponding to the requirements of ISO/IEC 27001, in particular the Chief Information
Security Officer, have been appointed.

Codes of conduct and certification mechanisms, information security

The Processor has implemented a comprehensive information security management system in
accordance with ISO/IEC 27001 and holds a valid certificate confirming the correct implementation
and maintenance of the information security management system (ISMS) in accordance with the
above-mentioned standard.

Audit and risk analysis

The Processor subjects its personal data protection system to regular, independent audits and security
tests.

The Processor regularly identifies and classifies resources that process personal data, including in
terms of existing and planned security measures, identified vulnerabilities, the likelihood of occurrence
and the severity of threats.

The level of information security is additionally monitored through the use of key performance
indicators (KPIs).

Subcontractors

The Processor only uses the services of third parties/subcontractors who have been previously verified
to ensure an adequate level of personal data protection.
The Processor verifies the adequacy of the guarantees provided by further processors, including,
where appropriate, by requesting the completion of questionnaires and providing answers.

Data processing locations and data transfers, cloud data processing

As a rule, the Processor processes personal data in data centres provided by specialised further
processors, as specified in the POWERHUB Terms and Conditions, with OVH Sp. z o.o. being the
main ICT infrastructure provider. The security guarantees provided by this entity are described at:
https://storage.gra.cloud.ovh.net/v1/AUTH_325716a587c64897acbef9a4a4726e38/contracts/c50414ccontrat_partDedie-PL-7.0.pdf

All personal data entrusted to us is stored exclusively within the infrastructure provided by specialised
sub-processors. Where data is nevertheless processed on the Processor’s own resources, the Processor
has implemented physical security rules and rules for remote working.

To the extent that the entrusted data is processed in the AWS cloud, the Processor assesses the
security measures applied by the provider and supplements them with tools and configurations selected
by the Chief Information Security Officer and resource owners. In particular, data encryption,
verification of the correctness of configuration solutions, usage monitoring, vulnerability scanning,
network traffic filtering, event logging, access management, separation, segmentation, and redundancy
and load-balancing solutions are used.

Physical security

The physical locations where personal data is processed are subject to access control measures,
including, where appropriate, an access card system, video surveillance, security agencies and burglar
alarms.

The resources involved in data processing by the Processor are physically separated from those of
other organisations.

Security measures have been implemented to minimise the risk of loss due to physical and
environmental threats, including, where appropriate, threat detection systems such as fire protection
systems.

Access rights to the personal data processing area are regularly reviewed and revoked if necessary.
The process of secure data deletion and secure decommissioning of data carriers has been regulated.
Paper documents are protected against unauthorised access in accordance with the clean desk policy
and, after the expiry of the specified processing periods, are destroyed using a shredder of a standard
no lower than that required for confidential documents.

Control of access to IT systems

Authorisations within IT systems are granted in accordance with the need-to-know principle, and a
password policy has been implemented.

Staff members are required to apply the clean desk and screen policy.

Where appropriate, access control measures such as encryption, two-factor authentication and VPN
are used.

Technical safety, maintenance and testing of equipment

The IT system used to process personal data is protected against power failures.
Equipment and software maintenance is carried out in accordance with the supplier’s recommendations.
A procedure for the removal and destruction of resources withdrawn from use has been adopted and
is applied. The security measures in the server room comply with current security standards.
The Processor ensures regular testing, measurement and evaluation of the effectiveness of technical
and organisational measures ensuring the security of processing.

Business continuity

The Processor has a business continuity plan.
Appropriate mechanisms for monitoring and detecting events that may affect information security and
business continuity have been implemented.

The Processor is able to efficiently restore the availability and access to personal data in the event of a
physical or technical incident.

The Processor has implemented backup policies covering their appropriate scope, frequency and
testing.

Measures have been implemented to prevent unauthorised copies of data from the IT system and to
secure the backups made.

Other GDPR requirements

The Processor implements new solutions in accordance with the principle of privacy by design. The
Processor processes data in accordance with the principle of privacy by default.

The Processor keeps an inventory of resources used in the processing of personal data.


APPENDIX B
LIST OF OTHER PROCESSORS

1. OVH Sp. z o.o.
1 Swobodna Street, 50-088 Wrocław

2. entities providing technical support and IT security services, including IT system security
audits;

3. entities providing legal services;

4. companies affiliated with the Processor, to the extent that they are involved in the
performance of the Main Agreement.