61 655 95 55
Higher effectiveness standard
Terms & Conditions
GENERAL TERMS & CONDITIONS
FOR SERVICES PURCHASED
Last update: 09.10.2020
1. General provisions
  1. In these general terms and conditions (the “GTC”), “we”, “us”, “our”, or “Sunrise System” will refer to Sunrise System spółka z ograniczona odpowiedzialnością sp.k., a company established under the laws of Poland, with its registered address at Plac Andersa 3, 61-894 Poznań, Poland, entered into the Register of Entrepreneurs kept by the Regional Court for Poznań-Nowe Miasto i Wilda, VIII Commercial Department of the National Court Register under registry No. (KRS) 0000489705, having tax identification number (NIP) 7831707183 and VAT-EU identification number PL7831707183, e-mail address: biuro@sunrisesystem.pl.
  2. These General Terms and Conditions (the “GTC”), together with other supplemental agreements or arrangements (the “Agreement”), constitute a legally binding agreement between you (the “Reseller”, as defined below) and Sunrise System.
  3. These GTC set forth the terms and conditions under which we provide our Services (as defined below).
  4. If you acquire our Services from a Master Reseller (as defined below), these GTC contain the terms and conditions that govern your access to and your use of our Services. If you purchase our Services from a Master Reseller, we may (if applicable) provide the Services to you in performance of a separate agreement that we have concluded with the Master Reseller. By acquiring our Services through the Master Reseller, you acknowledge and agree to be bound by these GTC and that Sunrise System shall have the right to enforce these GTC against you.
  5. Before using our Services (as defined below), you are required to read the separate terms and conditions of the Reseller Panel (as defined below).
  6. If you are entering into the Agreement on behalf of a company or another legal entity, you agree to the Agreement, including these GTC, for that company or entity and you represent and warrant to Sunrise System that you have the authority to bind such company or entity to the Agreement, including these GTC. If you do not have such authority or if you do not accept the Agreement, including these GTC, you must not use or authorize any use of our Services.
  7. These GTC have been drawn up pursuant to Article 8 of the Polish Act of 18 July 2002 on the Electronic Provision of Services.
2. Definitions

As used in these GTC, the following terms and phrases shall have the meanings set forth below:


  1. Access to Google Tools – providing the Reseller with access to Google Tools and the possibility of their installation, in particular access to Google Search Console and Google Search Console-API maintained for the website of the Client, in a scope enabling the provision of Services.
  2. Agreement – supplementary cooperation agreement on the provision of Services, concluded between the Reseller and Sunrise System; if the Reseller acquires Sunrise System’s Services through the Master Reseller, the Agreement may be concluded between the Reseller and the Master Reseller (if applicable) – in such a case (1) Sunrise System provides Services to the Reseller and/or to the Client, who are third-party beneficiaries of a separate agreement between Sunrise System and the Master Reseller, and (2) the Agreement shall be subject to these GTC.
  3. Automatic redirection – the configuration of the Client's website, which results in automatic redirection of the visitor to another website.
  4. Client – an entity conducting business activity in a form permitted by the law of the country competent for its seat, not being a Consumer, whose website was indicated by the Reseller in the Reseller Order accepted by Sunrise System, for whom Services are implemented on behalf of the Reseller, or to whom the Client Panel service is being provided through the Reseller. Sunrise System has the right to reject a Client, forwarded by the Reseller, particularly the right to reject the Reseller Order, subject to giving the reasons for such decision.
  5. Client Account – a login account for the Client Panel created for the Client and made available by the Reseller or Sunrise System at the request of the Reseller, to the Client's contact persons, linked to the Master Account.
  6. Client Panel – an IT system (service in the SaaS model, Software as a service) made available to the Reseller by Sunrise System during the term of the Agreement, as a module within the Reseller Panel, and to the Client by the Reseller from the Master Account level, or by Sunrise System at the request of the Reseller (or Master Reseller – if applicable), during the performance of Services, not longer than for the duration of the Agreement.
  7. Client's website – a website, the owner of which or legal administrator is the Client, consisting of the homepage, all its pages, graphics and other content, to which directs the domain indicated in Reseller Order and all other domains directing to this website.
  8. Consumer – a natural person who performs a legal action with an entrepreneur, for purposes which are outside his trade, business, craft or profession.
  9. Confidential Information – all information that constitutes trade secrets as defined by Article 11 item 2 of the Polish Act on Combating Unfair Competition dated 16 April 1993, in particular the documents and draft documents that have not been disclosed to the public which relate to either Party, including its activities, in particular any information of a technical, technological, commercial (e.g. Price Lists) or organizational nature, as well as information relating to their strategies, staff and financial affairs or future plans or perspectives, whether this information is written, oral or in any other form, or whether the information or documents are clearly marked as confidential.
  10. Displaying the Client's website – an Internet user's opening of Search results registered by Google which contain a link to the Client’s website for the Key phrase. The number of views in the Search results is an independent variable provided by Google in Google Search Console.
  11. Documentation – terms and conditions regarding the use of the Reseller Panel, available in the Reseller Panel (terms and conditions, privacy policy). Access to the Reseller Panel is granted on the terms specified in the Documentation, the Agreement and these GTC.
  12. Google Tools – Google Search Console, Google Search Console API, Google Analytics, Google Alerts, Google Maps and other tools and functionalities provided by Google.
  13. Key phrase – a string of alphanumeric characters, a word or a combination of two or more words, or words and alphanumeric characters, in particular which, due to its meaning or content, is characteristic of the Client's website or the subject of the Client’s economic activity.
  14. Master Account – a login account for the Reseller Panel created for the Reseller and made available to persons mutually agreed by the Parties. Each e-mail address is a separate Master Account.
  15. Materials – data, content, files stored in the Reseller Panel and made available in connection with the use of the Reseller Panel.
  16. Modification of the source code of the Client's website – adding, changing and removing fragments of the source code on the Client's website, performed by Sunrise System.
  17. Mono – Mono Solutions Asp, a company established under the laws of Denmark, with its registered address at Hejrevej 28, 1st floor, 2400 Copenhagen NV, Denmark, which runs an online solution that allows to purchase the Services.
  18. Parties – the Reseller and Sunrise System, each separately referred to as a Party.
  19. Reseller – a natural person, a legal person or an organizational unit without legal personality, to which legal capacity is granted by law, conducting a business, commercial, artisanal or professional activity in its own name, which concluded the Agreement in order to conduct business, commercial, artisanal, professional or statutory activity.
  20. Reseller Agreement – an agreement concluded between the Reseller and the Client, the scope of which includes the performance of any of the services indicated below:
    1) Service,
    2) Client Panel.
  21. Reseller Order – an order placed by the Reseller to perform Services by Sunrise System for an individual Client Website or an individual Client Panel service. The Reseller Order should contain at least: type or name of an individual Service, address of the Client's Website, date of commencement and/or termination of Services, contact person on the part of the Client/e-mail, VAT ID number, registered company/business name and address.
  22. Reseller Panel – an IT system (service in the SaaS model, Software as a service) made available to the Reseller by Sunrise System during the term of the Agreement, used to perform the Agreement, in particular to place Reseller Orders, including the Client Panel module. One Reseller Panel may consist of many Client Panels.
  23. Price List – a list of fees and commissions related to the provision of Services performed by Sunrise System, in particular the Reseller Panel. The Price List is an integral part of the Agreement; it may be made available via the Reseller Panel or constitute an appendix to the Agreement or be subject to separate arrangements between the Parties or – as applicable – between the Reseller and Master Reseller. If the Price List is made available through the Reseller Panel, we may change it from time to time without prior notice. In case of discrepancies between the Price List agreed in the Agreement and the Price List published via the Reseller Panel, the Price List agreed in the Agreement shall prevail.
  24. Master Reseller – an authorized business partner or authorized reseller of Sunrise System Services, such as Mono.
  25. Search results – a list of text or graphic links leading to websites, graphics or other content, displayed after entering a specific Key phrase in the search engine box. This list does not include: paid sponsored and advertising links, and paid advertising banners.
  26. Services – services provided by Sunrise System, specified in the Agreement, referred to separately as the Service. The scope of Services to be provided, as well as the language, area and currency for which a Service shall be provided are specified each time in the Agreement or are subject to separate arrangements between the Parties or – as applicable – between the Reseller and Master Reseller.
  27. Twin website – an additional website of the Client with identical or very similar graphic and text content, compared to the website of the Client, which can be treated by Google as so-called duplicate content, which in consequence may result in the removal of the Client's website from the Search results.
3. Our Services
  1. Subject to the terms and conditions of these GTC and the Agreement, Sunrise System may provide various Services. The Services may include, in particular, but not exclusively, access to the Reseller Panel or the SEO Services, as described in point 4 herein below.
  2. Our Services are designated for and targeted to businesses only, including the individuals performing business activities and companies. We do not provide the Services to Consumers. By accepting these GTC and getting access to our Services, you declare that you are not using the Services as a Consumer.
  3. You acknowledge that Sunrise System will in no event be considered as a party to the Reseller Agreement. For the avoidance of any doubt, there is no direct legal obligation between Sunrise System and the Client.
  4. In order to ensure the high quality of our Services, we will contact the Client directly, unless the Reseller or – as applicable – the Master Reseller instructs us otherwise. In particular, we may contact the Client directly in order to provide the Client with the SEO Service guidelines or with the access to the Reseller Panel.
  5. The Reseller is obliged to provide Sunrise System with all necessary access and data required for the proper performance of the Services, in particular the data necessary for the configuration of the Reseller Panel, the activation of the Master Account and access to the Client's website.
  6. The Reseller shall ensure and guarantee that the Client will comply with the Agreement, including these GTC, in particular that the person whom the Reseller will provide with access to the Reseller Panel or its module, or on whose behalf the Reseller Panel or its module has been made available, fulfills all the obligations of the Reseller, as specified in the Agreement, these GTC and the Documentation, and adheres to their content.
  7. Failure to, or delay in providing access or data, or providing incorrect access or data does not entitle the Reseller to reduce the remuneration eligible for the Services provided by Sunrise System. In such a case, Sunrise System shall be entitled to remuneration for the readiness to provide the Service or for making the Reseller Panel/Client Panel available.
  8. Both Parties have the right to terminate an individual Service, and the Client Panel service commissioned on the basis of a Reseller Order, by submitting a notice to the other Party, with a three-month notice period. The notice period shall last from the end of the calendar month, in which the Party had received the notice. If the Agreement is concluded between the Reseller and the Master Reseller, the notice periods and terms of termination may vary.
4. SEO Services
  1. Sunrise System will start providing the SEO Services, based on an accepted Reseller Order, as of the first day of the calendar month following the month of the acceptance of the Reseller Order. The SEO Services will be provided until terminated by the Reseller or by Sunrise System.
  2. Sunrise System may offer in particular, but not exclusively, the following SEO Services:
    1. Content Creation Expansion,
    2. Directory Listings Creation & Linking,
    3. Google Analytics & Search Console integration,
    4. HTML Element Optimization,
    5. Local Business Schema,
    6. Meta Content Creation,
    7. Monthly Reports,
    8. Security Alerts,
    9. Site Speed Optimization,
    10. Structural Indexing Optimization,
    11. Web Content Analysis Revision & Optimization,
    12. Webmaster emergency service.
  3. When Sunrise System renders the SEO Service set out in item 4.2, it means that Sunrise System will prepare monthly reports based on Google Search Console published in the Client Panel. The Service may be performed provided that Sunrise System has access to Google Search Console. Sunrise System undertakes to render the Service within 15 days after the end of each month. The availability of the monthly reports in the Reseller Panel, or sending via e-mail address indicated in the Reseller's Order, confirms the performance of the Service. Sunrise System is obliged to draw up the monthly reports only if Google ensures availability of source data in Google Tools, which are necessary to render these reports, and necessary for Sunrise System to have Access to Google Tools on the Client's website, in particular including the views of the Client's website in Google Search Console and Google Search Console-API. The reports will be made available in the Reseller Panel or sent to the Client's e-mail address indicated in the Reseller's Order at Sunrise System’s sole discretion.
  4. We will solely choose the appropriate methods to provide you with high-quality Services. You acknowledge and agree that when providing you the Services we will act at our sole discretion. You also acknowledge that the method of performance of the SEO Services and scope of the Services possible to be performed may vary depending, i.a. on the technology and specificity of the Client's website, recognition and knowledge of Sunrise System, as well as obtaining access and permits, which Sunrise System believes are necessary for the effective performance of Services.
  5. The SEO Services will be provided on the condition that the Client and/or the Reseller provides the necessary access or data.
  6. You acknowledge, that a number of activities and factors may adversely affect the performance of the SEO Service, including:
    1. insufficient saturation of the Client's website with content;
    2. no possibility of making changes to the source code of the Client's website by Sunrise System for optimization purposes, including not providing access data to the website server and the Content Management System (CMS);
    3. creating or owning a website or websites, or ordering the creation of such websites by third parties;
    4. adding the Client's website to automated external linking systems (e.g. SWL), alone or via third parties, which adversely affects promoting the website in Search results;
    5. transferring (at least partly) the content posted on the Client's website to other websites (including blogs, forums and online newspapers, auction websites, etc.) without prior arrangement of such activity with Sunrise System, alone or via third parties;/li>
    6. the occurrence of Automatic redirection on the Client's website;
    7. making changes to the Client's website, which are not agreed upon with Sunrise System, including the website code;
    8. failure to ensure the continuity of operation of the Client's website, i.e. not paying the costs of maintaining the domain by the Client, as indicated in the Reseller Order, as well as hosting for this domain.
  7. Sunrise System undertakes to consult visible changes implemented on the Client's website, and to make changes only upon obtaining the Client’s prior approval.
  8. The Reseller declares that the Client is the owner of the domain indicated in the Reseller Order or, if it is not its owner, it holds the written consent of the domain owner, which it will provide to Sunrise System upon every request.
  9. Throughout the term of the Agreement, Sunrise System has the right of Modification of the source code of the Client's website in order to carry out Services. The Reseller agrees thereto and represents and warrants that the Client agrees to the aforementioned modification, and that the Client is entitled to grant any necessary consents or approvals in this regard.
5. Reseller Panel
  1. Sunrise System may make the commencement of co-operation with regard to making the Reseller Panel available, subject to paying a fee, in accordance with the Price List.
  2. Sunrise System shall, at its own discretion, determine and provide to the Reseller the tools in the Reseller Panel necessary to support the process of selling the Services, and also ensure their proper functioning during the term of the Agreement, subject to the right to perform systematic maintenance works within the Reseller Panel that may cause interruptions in its functioning.
  3. The tools referred to in item 5.2 are the property of Sunrise System and shall be made available to the Reseller for use only for the purposes set forth in the Agreement, and only during the term of the Agreement. Immediately after the termination of the Agreement, the Reseller shall cease to use the tools owned by Sunrise System and other tools available in the Reseller Panel (i.a. Google tools).
  4. The Reseller commissions the Sunrise System to collectively research and analyze the activity of the users of Client Panel, using the Sunrise System's own analytical tools or tools provided by third parties, in order to further develop and better adapt the Client Panel service to the real needs of users. A statistical report on the activity of users will be prepared at the request of the Reseller. The request may not be submitted more frequently than every six months.
  5. Sunrise System will send the Reseller an activation link to the Reseller Panel to the e-mail address indicated in the Agreement, within 90 days after the conclusion of the Agreement. The Reseller shall have the possibility to establish the password.
  6. The Reseller undertakes to activate the account by logging into the Master Account, within 45 days from the date of receiving the activation link; this shall hereinafter be referred to as the Activation. Upon Activation, the Reseller shall be able to log into the Reseller Panel using the Master Account.
  7. Sunrise System reserves the right to confirm the Activation by sending the Reseller an acceptance protocol of the Reseller Panel for signing. Before signing the Reseller Panel acceptance protocol, the Reseller shall become familiar with its functionalities.
  8. The procedure for creating accounts in the Reseller Panel is as follows:
    1. The Master Account is set up by Sunrise System;
    2. Accounts of the Reseller's employees, other than Master Accounts, are set up by Sunrise System at the Reseller's request or by the Reseller's contact person using the Master Account.
  9. The Client's Account is opened by the Reseller's contact person using the Master Account, or by Sunrise System at the Reseller's request.
  10. The Reseller undertakes and shall ensure to keep the access details of the Reseller Panel confidential and shall not make the Reseller Panel available to any other party, except for persons duly authorized to act on behalf of the Reseller.
  11. The Reseller undertakes to prepare and implement in the Reseller Panel his own documents, regulations, policies regarding the implementation of the electronic service (Client Panel) for the benefit of Clients, in accordance with the provisions of local law and provisions regarding the processing of personal data. The Reseller is solely responsible for their content and legal effects, in particular related to their introduction or lack thereof.
  12. You agree not to provide any unlawful content to the Reseller Panel, in particular any content violating any third-party rights (including in particular, but not exclusively, intellectual property rights, trade secrets, or personal rights) or the Materials that could be a threat to the security of the Reseller Panel, or the operation of telecommunications networks or third party ICT systems. You agree to indemnify Sunrise System against any claims arising from the Materials that violate third-party rights, and return to Sunrise System any costs incurred with the third-party claims.
  13. Any actions and omissions of persons whom the Reseller has provided with access to the Reseller Panel shall be treated as the Reseller's own. The Reseller shall bear the consequences of statements, actions and omissions made in the Reseller Panel.
  14. The Reseller agrees that the Reseller Panel may be updated and changed, and its functionalities may be developed at Sunrise System's discretion. The Reseller is not entitled to any claims on this account.
  15. The Reseller instructs the Sunrise System to give the access to the Reseller Panel (including data and content provided by the Reseller or the Client) to the Master Reseller, from whom the Reseller has bought the access to the Services.
6. Restricted access
  1. In the event that the Reseller reveals or suspects that an unauthorized person has obtained, or may have obtained, access to the Reseller Panel, or that an unauthorized person has used and acted on the Reseller Panel, the Reseller is obliged to immediately report this fact to Sunrise System through a message sent to the following e-mail address: partner@sunrisesystem.pl.
  2. Sunrise System is entitled to restrict access to or block the Reseller Panel at its own discretion, of which it shall inform the Reseller prior to blocking the Reseller Panel, or, if this is not possible, immediately after such blocking, with the Reseller not being entitled to make any claims on this account, in the event of:
    1. suspected unauthorized use of the Reseller Panel,
    2. occurrence of causes related to the security of the Reseller Panel, in particular Materials placed on the Reseller Panel,
    3. whenever the Reseller uses the Reseller Panel in a manner that is unlawful, contrary to law, generally accepted custom, social conduct or violates the provisions of these GTC or the Agreement or the Documentation,
    4. expiry of the term of the Agreement,
    5. delay in the payment of remuneration due to Sunrise System for the performance of the Agreement or fees resulting from the Price List.
  3. In the cases referred to in item 6.2. except for subitem 4, Sunrise System may terminate the Agreement immediately for reasons attributable to the Reseller. Regardless of the form of termination provided for in the Agreement, the termination of the Agreement requires delivering an e-mail statement to the Reseller's e-mail address, in the form of a letter covering the content of the statement and signed by Sunrise System, saved in the form of a scan (or other electronic means) in such a way that allows reading its contents and storing and opening it in the normal course of activities.
  4. In the case indicated in item 6.2., making the Reseller Panel available again may be subject to the payment of a fee, in accordance with the Price List, for the maintenance of the infrastructure of the Reseller Panel during the blockade period.
7. Fees
  1. Apart from the remuneration (Price List) set forth in the Agreement, Sunrise System reserves the right to establish an additional Price List.
  2. The settlement between Sunrise System and the Reseller will be in accordance with the rules set out in below, unless otherwise agreed in the Agreement. The remuneration for the Services shall be paid on a monthly basis. However, in case you purchase the Services through the Master Reseller (like Mono), the settlement will be made on the other terms that will be agreed between the Reseller and such Master Reseller, subject to the provisions of point 8.
  3. The total net remuneration will be calculated based on the Reseller Orders carried out in a given month and the current Price List.
  4. Within five working days following the end of the calendar month, Sunrise System will provide the Reseller (or – as applicable – the Master Reseller) with a report sent via e-mail to the Reseller's e-mail address, including the calculation of the monthly remuneration.
  5. The monthly report is a confirmation of the Services performed in a given settlement period.
  6. The monthly report shall be binding to the Parties and constitutes the basis for the invoice.
  7. Remuneration for the Services will be paid within 14 days from the date of the invoice. The remuneration shall be paid by bank transfer.
  8. The invoice shall be sent to the Reseller in electronic form as a PDF file, to the Reseller's e-mail address, and the Reseller gives his consent thereto. The consent to the delivery of invoices in electronic form does not mean that the right to issue and send invoices in paper form is excluded, particularly if technical and formal obstacles prevent the delivery of invoices by electronic means. The moment of receipt of the invoice by electronic means by the Reseller is the moment of receiving the message by the Reseller's e-mail server.
  9. The Reseller shall be solely responsible for paying all banking fees, including wire fees and currency conversion fees, without reducing the remuneration due to Sunrise System hereunder.
  10. The Reseller shall be responsible for paying all taxes, withholding tax, sales tax, value added tax (VAT), duties, tariffs or other charges, without a reduction in remuneration due to Sunrise System.
  11. Should there be any changes to the applicable regulations concerning value added tax (VAT) that would result in the tax covering the net remuneration, the Reseller shall be obliged to pay the remuneration enhanced by the tax.
  12. Shall the Reseller resell the Services, the Reseller may offer them to its Clients at such prices as the Reseller, at its sole discretion, shall determine. Sunrise System does not retain any control over such resale prices set by the Reseller.
8. Master Reseller
  1. If the Reseller purchases Sunrise System’s Services through a Master Reseller, unless the Parties agree otherwise:
    1. Instead of paying Sunrise System, the Reseller will pay the applicable remuneration for the Services to the Master Reseller
    2. Sunrise System may suspend the provision of Services or terminate them if Sunrise System does not receive the corresponding payment from the Master Reseller. Sunrise System may also terminate the Services in case of termination of a separate agreement between Sunrise System and the Master Reseller, under which Sunrise System provides Services purchased by the Reseller through the Master Reseller.
    3. If the Reseller places a Reseller Order through the Master Reseller, the order detail will be as stated in the Reseller Order placed with Sunrise System by the Master Reseller on behalf of the Reseller. The Reseller is responsible to ensure that any such Reseller Order communicated to us is accurate.
    4. If the Reseller is entitled to a refund under the Agreement or these GTC, then unless Sunrise System specifies otherwise, any refunds will be made to the Master Reseller, and it is the Master Reseller’s responsibility for refunding the appropriate amounts to the Reseller.
  2. The Master Reseller is not authorized to modify these GTC. The Master Reseller is also not authorized to make any promises or commitments on our behalf without our explicit consent. Sunrise System is not bound by any obligations to the Reseller other than as set forth in these GTC, or individually agreed with Sunrise System. However, you acknowledge, that the Master Reseller may have a full access to all the information related to our performance of the Services. The Master Reseller and Sunrise System may exchange all information related to your use of the Services (including the financial or other terms) in writing or via Reseller Panel or another electronical means of communication.
9. Technical requirements
  1. In order to use the Reseller Panel, the Reseller should have a device with Internet access, a properly configured web browser, with so-called “necessary cookies” enabled. The Reseller should have an active and correctly configured e-mail account. It is recommended to use Firefox or Chrome in the latest versions. It is also recommended to use an anti-virus program installed and maintain it active when using the Reseller Panel.
  2. Sunrise System reserves the right, to change the functionalities of the Reseller Panel and update it, e.g. to newer versions, in particular in the area of software, subcontractors and other technical and organizational aspects. The aforementioned changes will not significantly affect the functioning of the Reseller Panel. The Reseller is not entitled to any claims in this respect.
  3. Sunrise System is not responsible for the Reseller's failure to comply with the above-mentioned technical requirements.
  4. The Reseller accepts and agrees that the performance of technical support activities requires Sunrise System's access to the Reseller's Panel, in particular to the Materials.
  5. Sunrise System makes no express or implied warranty, however, it will make every effort to ensure that the Reseller Panel works correctly and without errors or mistakes in each popular web browser.
10. Liability and force majeure
  1. To the maximum extent permitted by law, Sunrise System is not liable for the damage resulting from:
    1. failure or other disruptions in the operation of the telecommunications network or ICT infrastructure, failure of Internet providers, server rooms, reasons arising from cooperating entities, on the part of another software that is not integrated or integrated with the Reseller Panel, information or data leaks from cooperating systems;
    2. technical breaks;
    3. hacker attacks, DDoS attacks, terrorist attacks, errors, security gaps within the infrastructure of the Reseller Panel;
    4. acts or omissions of the Reseller in the Reseller Panel or other people who have gained access to the Reseller Panel;
    5. failure by the Reseller to comply with the technical requirements specified in these GTC or Documentation;
    6. breach of the Reseller's obligations specified in these GTC or otherwise provided to the Reseller.
  2. To the maximum extent permitted by law, Sunrise System shall not be liable for non-performance or improper performance of any of its obligations, if the non-performance or improper performance was caused by force majeure or an event beyond its control, e.g.:
    1. war, either declared or not; civil war; riots; revolts and sabotage; natural disasters, such as intense storms, hurricanes, earthquakes, floods, destruction caused by a thunder within the Sunrise System business enterprise; explosions; fire; destruction of machinery, manufacturing plants or all types of installations within the Sunrise System business enterprise;
    2. boycotts; strikes; lockouts of any type whatsoever; sit-in strikes in the Sunrise System enterprise;
    3. unlawful actions on the part of governments or other authorities;
    4. pandemic.
  3. To the maximum extent permitted by law, Sunrise System is not responsible for any damage resulting from the loss of Materials.
  4. To the maximum extent permitted by law:
    1. Sunrise System's liability for any reason is limited only to direct, actual damage. The Reseller acknowledges and agrees thereto, that Sunrise System shall not be labile for any loss of profit and indirect damages.
    2. The total aggregate liability of Sunrise System, for all issues arising hereof (including damages), regardless of the basis of the Reseller's or third party's claims, is hereby limited to the amount of EUR 3 000 (in words: three thousand euros)./li>
  5. The Parties undertake not to employ or engage in direct cooperation with employees or associates, regardless of the form of the legal relationship, as well as former employees or associates of the other Party, whose period of termination of cooperation with the Party is shorter than one year. In the event of the Reseller’s non-compliance with this obligation, the Reseller in default shall pay Sunrise System a contractual penalty in the amount of EUR 2,500 (in words: two thousand five hundred euros) for each case of breach. Sunrise System has the right to claim compensation exceeding the contractual penalties specified herein.
  6. Detailed issues of the Parties' liability related to sharing or using the Reseller Panel are specified in detail in the Documentation.
  7. The limitations of liability set out in this article 10 shall not apply, if, under the mandatory provisions of Polish law, the liability must not be excluded or limited.
  8. The Reseller agrees to indemnify Sunrise System and its employees, associates and/or contractors against any and all liability arising from the allegations and claims made by third parties related to the use or provision of the Reseller Panel or the Client Panel module, in particular related to the violation of these GTC, law or rights of third persons.
11. Intellectual Property Rights
  1. Sunrise System owns and retains any and all intellectual property rights, in and to the Services, and the Reseller Panel.
  2. Sunrise System grants the Reseller a temporary, limited, revocable, non-transferable, non-exclusive license to use the Reseller Panel, in order to use the Reseller Panel in accordance with its purpose, in the territory specified in the Agreement. The license is valid only during the term of the Agreement and expires at the latest on the day of its termination or expiry.
  3. The Reseller Panel is made available on the server provided by Sunrise System (SaaS model). The Reseller shall not have the right to make the Reseller Panel available for payment or free of charge to third parties, except for making it available to Clients only during the period of performing Services for them, to the extent necessary for Clients to use the Client Panel in accordance with the purpose of the Agreement.
  4. Sunrise System grants the Reseller a temporary, limited, non-transferable, non-exclusive, revocable, license, and further sublicense to use the documentation templates, copywriter content in the territory specified in the Agreement in the scope of use indicated below, in accordance with the purpose of the Agreement.
  5. The license set out in item 11.4 is granted on the following fields of use:
    1. placing on the market,
    2. placement in the memory of an electronic device,
    3. making it available in accordance with the Agreement,
    4. transmission by means of image or sound transfer,
    5. recording on any media,
    6. copying using an appropriate digital technique,
    7. spreading to the extent necessary for the purposes of the Agreement,
    8. translation, changing, merging with order elements to the extent agreed with Sunrise System.
  6. The license indicated in items 11.2 and 11.4 hereinabove is granted as part of the remuneration indicated in the Agreement, unless the Parties agree on a separate remuneration in the Agreement or the Price List.
  7. Sunrise System may charge additional fees for carrying out the onboarding and training for the Reseller, his employees, persons authorized by him, with respect to the provision of Services or use of the Reseller Panel. The fees shall be set in the Price List.
  8. The license and sub-license are granted for the duration of the Agreement, excluding any copywriter content created during the provision of the Services, for which the license and sub-license are granted for an indefinite period. Sunrise System reserves the right to use the subject of the license without losing any rights in this respect and reserves the right to use the subject of the license in full, as well as in a manner that converges with the scope of the license granted during the period of its granting.
  9. Detailed rules of using the Reseller Panel are specified in the Documentation.
  10. Upon termination of the Agreement, the Reseller loses access to the Reseller Panel and the Materials, which are immediately anonymized/removed, at Sunrise System's sole discretion. The Reseller and/or the Client must download or otherwise make a copy of the Materials available in the Client Panel, before we cease to provide the Service.
  11. A Reseller who uses the subject of the license in a way exceeding the scope of the license indicated in items 11.2 or 11.4, or otherwise violates the proprietary copyrights of Sunrise System is obliged to pay Sunrise System liquidated damages of EUR 2,500 (in words: two thousand five hundred euros) for each violation. Sunrise System has the right to claim compensation exceeding the liquidated damages specified herein.
  12. The Reseller agrees that Sunrise System may use the Reseller's name, the Reseller's website address, logo and trademark for reference purposes; in particular, Sunrise System is entitled to inform about the fact of providing services to the Reseller, the nature and subject of cooperation, the scope of Services provided on websites, in social media, in Sunrise System's marketing and promotional materials or as part of the Bauer Media group to which Sunrise System belongs. The Reseller is not entitled to any remuneration in respect of the above.
12. Confidentiality
  1. Each Party is obliged to:
    1. keep confidential and not disclose any Confidential Information obtained in connection with the performance of the Agreement regarding each Party (in particular regarding prices, remuneration) to third parties to whom this information is not addressed,
    2. not use the provided materials, sources, studies and technical documentation, except for using them in the purpose of performance of the Services.
  2. The Parties do not consider Confidential Information to include communicating the fact of cooperation between the Parties and the cases agreed by the Parties in writing. The Reseller has the right to use the name of Sunrise System or the Bauer Media group, Sunrise System's website address, subject to the prior written consent of Sunrise System, on social media or on the Reseller's websites.
  3. The Parties hereby agree that the obligation to keep Confidential Information confidential includes, inter alia:
    1. prohibiting the dissemination, copying or distribution of Confidential Information to third parties and unauthorized employees of either Party, with the exception of performing the above-mentioned activities for the implementation of the Agreement,
    2. prohibiting the disclosure and/or transfer of Confidential Information or sharing it with third parties or unauthorized employees of either Party, with the exception of performing the above-mentioned activities for the implementation of the Agreement
  4. Each Party is obliged to store and protect all materials, information and documents in such a way that it cannot be accessed by unauthorized third parties.
  5. Each Party undertakes to ensure appropriate precautions and guarantees that they provide adequate protection against unauthorized disclosure, copying or use of Confidential Information.
  6. Confidential Information does not include information:
    1. which is or will become publicly available in any way without a breach of the commitments towards the other Party;
    2. which is in the possession of or known to a Party prior to obtaining it from the other Party,
    3. which is disclosed by a Party: (i) after obtaining the written consent of the other Party or (ii) without such consent, after a period of three years from the date of termination or expiration of the Agreement;
    4. information disclosure is made due to legal proceedings or at the request of a public prosecutor, tax authorities, or local authorities’ proceedings or under a disclosure requirement under applicable law, and only in the scope as requested by the authority or otherwise required by the respective laws.
  7. Upon the termination or expiration of the Agreement, the Parties undertake not to copy or reproduce Confidential Information obtained from the other Party.
  8. In the event of a breach of the obligations described above, the Reseller shall be obliged to pay to Sunrise System liquidated damages of EUR 2,500 (in words: two thousand five hundred euros) for each violation, and not more than a total of EUR 10,000 (in words: ten thousand euros) for all violations. Sunrise System has the right to claim compensation exceeding the limit of liquidated damages specified herein.
13. Complaints
  1. The Reseller may complain to Sunrise System about the Services, and/or the reports or calculations based on the reports. The complaints must be sent through the Reseller Panel or by e-mail at partner@sunrisesystem.pl.
  2. The complaint must include at least the subject of the compliant, requested solution, contact details, and, with respect to complaints concerning the Reseller Panel, indication of the respective module of the Service.
  3. Sunrise System is obliged to consider the complaint no later than 30 working days by sending an appropriate reply to the Reseller's e-mail address indicated in the Reseller Panel or the e-mail address as provided by the Reseller.
  4. In some cases, in particular due to the level of difficulty in solving the technical problem, Sunrise System reserves the right to extend the deadline for considering the complaint.
  5. Complaints are processed from Monday to Friday from 8 AM to 4 PM, excluding Saturdays and public holidays (as described by Polish law).
  6. Failure to consider the complaint within the period specified hereinabove does not mean recognition of the complaint.
  7. The complaint does not stop, prolong or modify in any other way the payment terms set out in accordance with these GTC or the Agreement.
14. Privacy
  1. We are processing personal data in accordance with our Privacy Policy, attached as the Appendix 1 hereto.
  2. Sunrise System is the controller of the Reseller’s representatives executing this Agreement and the Reseller’s employees’ personal data. The information obligation required by the provisions of Articles 13 and 14 of the General Data Protection Regulation (GDPR) is set out in Appendix 2 hereto.
  3. The Reseller is the data controller of the Clients' contact persons' and employees' personal data. We will process the personal data entrusted by the data controller in connection with the Agreement, including these GTC, in accordance with the data processing agreement, as set out in the Appendix 3 hereto.
  4. The data controller undertakes to comply with the requirements imposed on him by the GDPR, in particular, he undertakes to prepare the documentation required by law, in accordance with the GDPR and the local laws.
  5. The Reseller declares that all of the Clients' personal data have been collected in accordance with applicable laws (GDPR and/or the Reseller's local law).
  6. The Reseller guarantees the transfer to the Client of the minimum requirements for the technical and organizational measures (TOM) indicated in the content of Appendix 3 hereto, and declares that the applied solutions within the framework of the entrustment meet the requirements of the Client as personal data controller for the entrusted data.
15. Changes to these GTC
  1. We will have the right to alter, amend, change or modify these GTC (GTC changes) from time to time. In such a case, we will inform you of the proposed GTC changes by posting the changes within the Reseller Panel and/or sending an e-mail to the Reseller’s address provided within the Reseller Panel (GTC change notification).
  2. The GTC change notification shall include the date on which the change shall enter into force (effective date of the GTC change). This effective date shall not be less than 7 (seven) days from the date of sending the notification or posting the changed GTC within the Reseller Panel.
  3. Unless the Reseller submits a notice of termination of the Agreement before the effective date of the GTC change, the changed GTC are binding upon the Reseller.
  4. Any use of the Services after the GTC change effective date, shall constitute your acceptance of the changed GTC, as modified for all purposes.
16. Governing law and jurisdiction
  1. The Agreement between Sunrise System and the Reseller, as well as this GTC and the Services provided by Sunrise Systems are governed by the laws of Poland. In particular, these GTC shall be construed in accordance with the laws of Poland, and the obligations, rights and remedies hereunder shall be determined in accordance with such laws, without regard to principles of conflict of laws.
  2. All disputes or claims arising out of or relating to these GTC or/and the Agreement between Sunrise System and the Reseller shall be subject to the exclusive jurisdiction of the courts competent for the seat of Sunrise System.
  3. If any term or provision of the Agreement, including these GTC, shall, to any extent, be invalid or unenforceable, the remaining terms and provisions shall stay in force, and each remaining term and provision shall stay valid and enforced to the fullest extent permitted by law. The Parties, at the earlies convenience, shall agree to replace the invalid clauses by the provisions closest to the initial intention of the Parties.
17. Final provisions
  1. All notices and communication, unless otherwise set out in these GTC or in the Agreement, may be submitted both to the Reseller Panel and/or sent via e-mail to the representative established by Sunrise System or the Reseller accordingly.
  2. Provisions pertaining to contractual penalties or liquidated damages, as well as pertaining to Confidential Information and the complaints shall survive any termination of the Agreement.


Appendix 1 – Privacy Policy for Reseller Panel

Privacy Policy


We care about your privacy. This document (the “Privacy Policy”) is to present the most important information, how we process your personal data, including about the cookies that we have implemented to our website.
To process your personal data safely, we implemented organizational and technical measures in accordance with the applicable law (in particular the GDPR), including encryption of the connection with an SSL certificate.
We can amend the Privacy Policy from time to time. We will inform you on any amendments to this Privacy Policy by posting the information on the page of this website or within the Reseller Panel. We also reserve the right to send you a separate notification to the e-mail address provided.


§ 1. General provisions
  1. The Privacy Policy sets out the rules for the processing and protection of personal data in connection with the Reseller's use of the Reseller Panel.
  2. The “Reseller” within the meaning of this Privacy Policy is a natural person who logs into and uses the Reseller Panel.
  3. The controller of your personal data is Sunrise System spółka z o.o. sp. k. based in Poznań at Plac Andersa 3, 61-894 Poznań, entered into the Register of Entrepreneurs kept by the District Court for Poznań – Nowe Miasto i Wilda in Poznań, VIII Commercial Department of the National Court Register under KRS number 0000489705, biuro@sunrisesystem.pl, + 48 61 655 95 55, hereinafter referred to as the “Sunrise System”. In case a third party (e.g.., our Customer or Master Reseller) entrusts the processing of personal data to Sunrise System for the purpose of using the Reseller Panel, such third party is the data controller, and Sunrise System is the (sub)processor in the meaning of the data protection laws. In such a case, the personal data will be processed as described below and accordingly.
  4. Sunrise System has appointed the Data Protection Officer, who can be contacted by e-mail at iod@sunrisesystem.pl or by post at the address “Sunrise System, sp. zo .o. sp.k., Plac Andersa 3, 61-894 Poznań”.
  5. The scope, purpose and period of personal data processing are specified in the further part of the Privacy Policy.
§ 2. Purpose of processing
  1. Processing is the operation made on the personal data, such as collecting, recording, storing, developing, changing, sharing and other actions necessary for the implementation of the service of using the Reseller Panel.
  2. Your personal data (as listed in § 3) and operational data (i.e. data characterizing your use of the Reseller Panel, such as IP, server date and time, information about the technical parameters of the device you are using, place of your connection, traffic generated on the Reseller Panel) will be processed for the purpose:
    1. necessary to implement the Agreement, pursuant to Article 6(1)(b) GDPR - if you are a Reseller/Master Reseller, or to Article 6(1)(f) - if you are an employee, representative of the Reseller/Master Reseller - for the duration of the Agreement and at least six months after its termination;
    2. of possible investigation or defense against claims under the Agreement, as a legitimate interest of the Controller, pursuant to Article 6(1)(f) GDPR – for the duration of the Agreement and the period indicated in the legal regulations on asserting of defending claims, resulting from the Polish legal regulations on asserting claims, not less than eight years from the end of the calendar year in which the Agreement was terminated;
    3. of training, within the scope of the subject of SEO/SEM services, under the Agreement, as a legitimate interest of the Controller (Article 6(1)(f) GDPR) for the duration of the Agreement and at least two years after its termination;
    4. of keeping records for billing purposes under the Agreement, including tax settlements and fulfilment of legal obligations (Article 6(1)(c) GDPR), for the duration of the Agreement and the period indicated in the Polish regulations (including tax law), not less than five years counted from the end of the calendar year in which the tax (or other public law obligations) arose;
    5. of enabling you to use the Reseller Panel within the framework of the Agreement (in particular by providing functionality for ongoing contact related to the implementation of the Agreement, generating quotes and Pos (Article 6(1)(f) GDPR) – for the duration of the Agreement and at least six months after its termination;
      During the processing of personal and operational data, the Controller makes decisions in an automated manner (including in the form of profiling) on the basis of your operational data, which he possesses and which concern: logging, activity in the Reseller Panel, location, generated documents and their quantity; however, this shall not have any legal effects on you or significantly affect your situation in a similar way. Profiling means the automated processing of personal data which involves using it to evaluate certain characteristics, in particular to analyze or forecast aspects that concern your needs, as part of your use of the Reseller Panel. Automated decision-making is necessary for the implementation of the Agreement. Thanks to profiling, we are able to ensure the security of personal data, to research the needs and satisfaction with using the Reseller Panel, and to provide technical support and the secure functioning of the Reseller Panel as our legitimate interest (Article (6)(1)(f) GDPR).
    6. sharing your image for business purposes in the Reseller Panel, on the basis of your voluntary consent (Article 6(1)(a) GDPR) - until your consent is withdrawn. However, after withdrawal of consent, the processing of the data shall continue for the purpose of pursuing or defending claims. The processing indicated in the preceding sentence shall be limited to storing the consent and its withdrawal for a period of time determined by Polish regulations on the assertion of claims.
    7. of reporting, analyses, conducting statistics, ensuring the security of the telecommunications network for the Reseller Panel provided, maintaining proper operation of systems, identifying and implementing technical solutions to problems as our legitimate interest (Article (6)(1)(f) GDPR), for the duration of the Agreement and at least two years after its termination.
§ 3. Scope of processing

We will be processing the personal data received or otherwise collected in connection with the use of the Reseller Panel. The use of the Reseller Panel may include in particular sending e-mails, ongoing contact related to the implementation of the Reseller's order, contracts for the provision of services by Sunrise System for your employer's clients, generating offers and orders, technical support for the Reseller Panel.


Information necessary to log into the Service: Name, surname
Corporate e-mail and phone number,
Password and other information necessary to identify the data subject;

Information necessary to perform the services:
  • information on interactions with the Reseller Panel (e.g. date and time of logging in to the Reseller Panel, generated offers, submitted inquiries and orders, sending e-mail messages that may contain personal data) and information regarding its content, interactions with other users, metadata,
  • country and language.

Other information:
  • technical data (URL address, Internet identifiers, cookie data and IP address associated with the date, time zone and time of the event, combined with other data allowing the identification of the person, device ID, language settings on the device);

Additional information:
  • profile picture.

As a part of the provision of the Reseller Panel, we also process personal data entrusted to your employer by the Customer in order to provide the SEO / SEM service or the Customer Panel, on the terms set out in a separate data processing agreement, acting as a data processor.


§ 4. Right to object

You have the right to object to the processing of your personal data, on the basis of which Sunrise System will stop processing your data for the purposes set out in § 1., unless Sunrise System demonstrates that there are legitimate grounds for doing so overriding your interests, rights and freedoms, in particular in Sunrise System legitimate interest and where the data will be necessary to establish, pursue or defend claims.


§ 5. Transfer of the personal data

Your personal data may be transferred to the following recipients: entities from Sunrise System group – Bauer Media and our partners with whom Sunrise System cooperates. Your data may also be accessed by Sunrise System subcontractors (processors), including, for example: accounting companies, law firms, external entities whose services are used by Sunrise System for the purpose of performing the Agreement, including but not limited to Microsoft Corporation, hosting providers: OVH sp. z o.o., state authorities and institutions, under generally applicable Polish law.


§ 6. Transfer of personal data to third countries

Sunrise System has the right to transfer your personal data necessary for the implementation of the Agreement to a third country or international organization outside the European Economic Area, as part of Sunrise System’s use of the services of entities providing IT systems and solutions, which entities may store personal data on servers located outside the EEA or as part of Sunrise System’s provision of services related to its business activity (in particular to Microsoft, Google, Facebook and others).

Such transfers may be based on:

  1. the European Commission's decision stating the adequate level of protection or the application of appropriate legal safeguards, which include in particular standard contractual data protection clauses, approved by the European Commission,
  2. legally binding and enforceable instruments between public authorities or entities,
  3. binding corporate rules,
  4. standard data protection clauses adopted by the President of the Data Protection Office and approved by the European Commission,
  5. approved code of conduct with binding and enforceable obligations for the controller or processor in a third country to apply appropriate safeguards, including in relation to data subjects' rights,
  6. an approved certification mechanism with binding and enforceable obligations for the controller or processor in a third country to apply appropriate safeguards, including in relation to data subjects' rights.

In the absence of an adequacy decision by the European Commission or non-provision of adequate legal safeguards, personal data may be transferred to a third country on the grounds listed in Article 49(1) GDPR with the application of appropriate or suitable safeguards. If you need information on the measures/safeguards applied, please contact Sunrise System by e-mail at: biuro@sunrisesystem.pl or by calling us at: +48 61 655 95 55


§ 7. You have the right to:
  1. access and acquire a copy of your data (Article 15 GDPR),
  2. data portability (Article 20 GDPR),
  3. object to the processing of data (Article 21 GDPR),
  4. rectify (correct) your data (Article 16 GDPR),
  5. erase/anonymize your data (Article 17 GDPR),
  6. restrict the processing of data (Articles 18 and 19 GDPR),
  7. lodge a complaint with the supervisory authority, which in Poland is the President of the Office for Personal Data Protection,
  8. withdraw your consent (where processing of personal data is consent-based). Withdrawal of consent shall not affect the lawfulness of consent-based processing prior to the withdrawal

§ 8. Information on the voluntary nature of data provision

The provision of your personal data is voluntary, but necessary for using our Services.


§ 9. Cookies and similar technologies
  1. We use technologies similar to Web Storage (https://en.wikipedia.org/wiki/Web_storage), enabling collecting small text datasets in a web browser (Reseller Panel). These data are used by Sunrise System sp. z o.o. sp. k. exclusively for the purpose of providing the service provided by electronic means requested by the end user. For this purpose, Sunrise System sp. z o.o. sp. k. can store such data as information about end user's login (so that the user does not have to enter the password after each opening of a new subpage), information about the current configuration of the layout of the site entered by the end user (e.g. choice of the site language, set of colors, or user name to confirm that the user is logged in to the correct account).
  2. Information stored in Web Storage (Local Storage) technology is used for the following purposes:
    1. to adapt the content of the website to the expectations of end users,
    2. analytical purposes (determining the service coverage and user behaviour (e.g. preferences), website performance testing, and to update the functionality of Reseller's Panel, which allows Sunrise System sp. z o.o. sp. k. to improve the Reseller's Panel service),
    3. to ensure security, as support for mechanisms to prevent abuse of the Reseller’s Panel website, including data leakage.
  3. Website users have the option to block the use of Web Storage (Local Storage) files in their browsers at any time or to delete the aforementioned files from their browser, nevertheless this will prevent them from using Reseller Panel. For instructions on how to change browser's settings, you should refer to manufacturer's user manual.
  4. Sunrise System sp. z o.o. sp. k. uses the Web Storage technology to process (store) personal data that directly identify the user such as name, surname and e-mail address.
  5. The data in Web Storage (Local Storage) is stored by a browser for a long time and is not deleted after the browser is closed. It also does not have a specific validity period.
  6. Sunrise System sp. z o.o. sp. k. enables Google Inc. based in the USA to use the technology of cookies and other similar technologies on this website in the Google Analytics tool in order to study and analyse the service of the Reseller Panel. Using Google Analytics software, the website will place counting codes on end users' computers to collect data about end users. The storage time of the above-mentioned data on the servers of Google Analytics is determined by the parameter contained in the cookies, which for the cookies "_ga" is 2 years, and for the cookies "_gid" is 24 hours from the moment of their collection.
  7. An end user may separately determine their preferences for the use of information contained in cookies and similar technologies by Google Inc. (withdrawal of consent to the processing of information stored in cookies) and separately by Sunrise System sp. z o.o. sp. k. by objecting, as referred to in Article 21(2) of GDPR.
  8. An end user may object to the collection of data by Google Analytics software by changing the settings of their browser. An end user may decide to block this tool in the browser they are using (to opt-out) by blocking third-party (other sites) cookies or installing an appropriate browser add-on (extension), e.g.: https://tools.google.com/dlpage/gaoptout/eula.html.
  9. The site can also be browsed without saving information in cookies by using special modes available in web browsers (incognito mode, private window, etc.). Restricting the use of cookies and similar technologies may affect some of the features available on the Reseller’s Panel website.


Appendix 2 – information clauses

PERSONAL DATA OF THE RESELLER/MASTER RESELLER (IF A NATURAL PERSON), EMPLOYEES OF THE RESELLER/MASTER RESELLER AND OF CONTACT PERSONS CONCLUDING THE AGREEMENT ON BEHALF OF THE RESELLER/MASTER RESELLER


Pursuant to the Regulation (EU) 2016/679 of the European Parliament and of the Council dated 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (OJ EU L 2016, No. 119) – hereafter: “GDPR” –Sunrise System informs you that:


  1. Sunrise System is the controller of your personal data (hereinafter referred to as the “Controller”). You can contact the Controller by e-mail at: biuro@sunrisesystem.pl or by calling us at: +48 61 655 95 55.
  2. The Controller has appointed the Data Protection Officer. In matters relating to the protection of personal data and in order to exercise your rights, the Controller encourages you to contact your account manager whose details are specified in the Agreement and/or we include the contact details of the Data Protection Officer available for matters relating to the protection of your data at the following e-mail address: iod@sunrisesystem.pl or at the address of the Controller’s headquarters.
  3. Source of data
    We have received your personal data directly from your or from your employer or others who indicated you as a contact person, in order to negotiate, conclude and implement the Agreement and render our services. We may collect your personal data from public sources, e.g. your website or the website of your employer, the National Court Register, or other public register, in order to verify or complete the abovementioned data.
  4. We will process the following categories of your personal data:
    1. identification and contact details (first and last name, e-mail address, telephone number, business position),
    2. and, if you use the Client Panel and Reseller Panel (hereinafter: “Reseller Panel):”):

    3. information necessary to log into the Reseller Panel, i.e.: name, surname, corporate e-mail and phone number, password and other information necessary to identify the data subject;
    4. Information necessary to perform our services:
      • information on interactions with the Reseller Panel (e.g. date and time of logging into the Reseller Panel, generated offers, submitted inquiries and orders, sending e-mail messages that may contain personal data) and information regarding its content, interactions with other users, metadata,
      • country and language.
    5. Other information:
      • technical data (URL address, Internet identifiers, cookie data and IP address associated with the date, time zone and time of the event, combined with other data allowing the identification of the person, device ID, language settings on the device);
    6. Additional information:
      • profile picture in the Reseller Panel.
  5. Your personal data will be processed for the purpose:
    1. necessary to implement the Agreement, pursuant to Article 6(1)(b) GDPR, – if you are a Reseller/Master Reseller, or to Article 6(1)(f) – if you are an employee, representative of the Reseller/Master Reseller or other contact person - for the duration of the Agreement and at least six months after its termination;
    2. of possible investigation or defense against claims under the Agreement, as a legitimate interest of the Controller, pursuant to Article 6(1)(f) GDPR - for the duration of the Agreement and the period indicated in the legal regulations on asserting or defending claims, resulting from the Polish legal regulations on asserting claims, not less than eight years counted from the end of the calendar year in which the Agreement was terminated;
    3. of training, within the scope of the subject of SEO/SEM services, under the Agreement, as a legitimate interest of the Controller (Article 6(1)(f) GDPR) for the duration of the Agreement and at least two years after its termination;
    4. of keeping records for billing purposes under the Agreement, including tax settlements and fulfilment of legal obligations (Article 6(1)(c) GDPR)- for the duration of the Agreement and the period indicated in the tax law, not less than five years counted from the end of the calendar year in which the tax obligation arose;
    5. of enabling you to use the Reseller Panel within the framework of the Agreement (in particular by providing functionality for ongoing contact related to the implementation of the Agreement, generating quotes and Pos (Article 6(1)(b) GDPR) - for the duration of the Agreement and at least six months after its termination.
      During the processing of personal and operational data, the Controller makes decisions in an automated manner (including in the form of profiling) on the basis of your operational data, which he possesses and which concern: logging, activity in the Reseller Panel, location, generated documents and their quantity; this, however, shall not have any legal effects on you or significantly affect your situation in a similar way. Profiling means the automated processing of personal data which involves using it to evaluate certain characteristics, in particular to analyze or forecast aspects that concern your needs, as part of your use of the Reseller Panel. Automated decision-making is necessary for the implementation of the Agreement. Thanks to profiling, we are able to ensure the security of personal data, to research the needs and satisfaction with using the Reseller Panel and to provide technical support and the secure functioning of the Reseller Panel as our legitimate interest (Article (6)(1)(f) GDPR).
    6. of sharing your image for business purposes in the Reseller Panel, on the basis of your voluntary consent (Article 6(1)(a) GDPR); until your consent is withdrawn. However, after withdrawal of consent, the processing of the data shall continue for the purpose of pursuing or defending claims. The processing indicated in the preceding sentence shall be limited to storing the consent and its withdrawal for a period of time determined by Polish regulations on the assertion of claim;
    7. of reporting, analyses, conducting statistics, ensuring the security of the telecommunications network for the Reseller Panel provided, maintaining proper operation of systems, identifying and implementing technical solutions to problems as our legitimate interest (Article (6)(1)(f) GDPR), for the duration of the Agreement and at least two years after its termination.
  6. Right to object
    You have the right to object to the processing of your personal data, on the basis of which the Controller will stop processing your data for the purposes set out in item 3, unless the Controller demonstrates that there are legitimate grounds for doing so overriding your interests, rights and freedoms, in particular in the Controller's legitimate interest and where the data will be necessary to establish, pursue or defend claims.
  7. Personal data transfers
    Your personal data may be transferred to the following recipients: entities from the Controller's group – Bauer Media and our partners with whom the Controller cooperates. Your data may also be accessed by the Controller's subcontractors or external advisors (processors), including, for example: accounting companies, law firms, external entities whose services are used by the Controller for the purpose of performing the Agreement, including but not limited to Microsoft Corporation, hosting providers: OVH sp. z o.o., state authorities and institutions, under generally applicable Polish law.
  8. Transfer of personal data to third countries:
    The Controller has the right to transfer your personal data necessary for the implementation of the Agreement to a third country or international organization outside the European Economic Area, as part of the Controller's use of the services of entities providing IT systems and solutions, which entities may store personal data on servers located outside the EEA or as part of the Controller's provision of services related to his business activity (in particular to Microsoft, Google, Facebook and others).

    Such transfers may be based on:
    1. the European Commission's decision stating the adequate level of protection or the application of appropriate legal safeguards, which include in particular standard contractual data protection clauses, approved by the European Commission,
    2. legally binding and enforceable instruments between public authorities or entities,
    3. binding corporate rules,
    4. standard data protection clauses adopted by the President of the Data Protection Office and approved by the European Commission,
    5. approved code of conduct with binding and enforceable obligations for the controller or processor in a third country to apply appropriate safeguards, including in relation to data subjects' rights,
    6. an approved certification mechanism with binding and enforceable obligations for the controller or processor in a third country to apply appropriate safeguards, including in relation to data subjects' rights.
  9. In the absence of an adequacy decision by the European Commission or non-provision of adequate legal safeguards, personal data may be transferred to a third country on the grounds listed in Article 49(1) GDPR with the application of appropriate or suitable safeguards. If you need information on the measures/safeguards applied please contact the Controller by e-mail at: biuro@sunrisesystem.pl or by calling us at: +48 61 655 95 55.
  10. As data subjects you have the right to:
    1. access and acquire a copy of your data (Article 15 GDPR),
    2. data portability (Article 20 GDPR),
    3. object to the processing of data (Article 21 GDPR),
    4. rectify (correct) your data (Article 16 GDPR),
    5. erase/anonymize your data (Article 17 GDPR),
    6. restrict the processing of data (Articles 18 and 19 GDPR),
    7. lodge a complaint with the supervisory authority, which in Poland is the President of the Office for Personal Data Protection,
    8. withdraw your consent (where processing of personal data is consent-based). Withdrawal of consent shall not affect the lawfulness of consent-based processing prior to the withdrawal.
  11. Information on the voluntary nature of data provision
    The provision of your personal data is voluntary, but necessary for the conclusion and performance of the Agreement.


Appendix 3 – the data processing agreement
I. Subject matter and term
  1. The Subject matter of this data processing agreement (the “CDPA”) is set out in the Agreement concluded between Sunrise System (hereinafter referred to as the “Processor”) and the Reseller/Master Reseller (as defined in the GTC; hereinafter referred to as the “Controller”)
  2. The term of this CDPA shall commence and terminate along with the term of the Agreement and during the performance of all obligations hereunder.
II. Nature and purpose of data processing
  1. The nature and purpose of personal data processing by the Processor for the Controller, in the scope of storage, recording, processing, disclosure of data, management of rights in the processing of entities' data, is set out in Schedule 1 hereto.
  2. The Processor entrusts the entities indicated in Schedule 3 hereto and their subcontractors with personal data entrusted to them for further processing by other processors (hereinafter referred to as "Subcontractors") for the sole purpose of performing the Agreement. If the Controller wishes to receive notifications about new Subcontractors, their list is published on the Processor's website, https://www.bauerseo.pl/, which is continuously being updated.
  3. The Processor is obliged to notify the Controller about any planned subcontracting of personal data processing and about any intended changes concerning Subcontractors, and in particular about replacing the existing Subcontractor by another Subcontractor or about withdrawal from cooperation with the Subcontractor. The notices referred to in the previous sentence may be made – at the Processor's discretion – in the form of an electronic message addressed to the Controller or a general message published on the Processor's website. After receiving said notice, the Controller shall have the right to object to subcontracting of personal data processing within five days. The Controller acknowledges that raising an objection may result in the inability to perform the Agreement, and consequently lead to the termination of the Agreement by the Processor for reasons attributable to the Controller. If the Controller does not object within said time limit of notice, the subcontracting shall be deemed to have been accepted.
  4. The Processor declares that entrusting the processing of personal data to subcontractors shall be governed by relevant entrustment agreements, and the scope of the personal data entrusted to Subcontractors for processing as well as the permissible processing activities to be carried out by Subcontractors shall be adequate to the purpose of the entrustment as set out in this CDPA, and shall not go beyond the CDPA and the Agreement. The Subcontractors shall apply technical and organizational measures ensuring a sufficient level of security for the entrusted personal data. The Processor bears full liability to the Controller for any actions or omissions on the part of Subcontractors.
  5. The Controller agrees to the transfer of personal data necessary for the implementation of the Agreement to a third country or international organization outside the European Economic Area, as part of the Processor’s use of the services of entities providing IT systems and solutions, which entities may store personal data on servers located outside the EEA or as part of the Processor’s provision of services related to his business activity (in particular to Microsoft, Google, Facebook and others).
  6. Each and every transfer of personal data (Schedule 1) to a third country, including the grant of access to personal data stored in the EU/EEA from a third country shall take place only if the specific conditions of Article 44 GDPR are met before personal data is transferred, i.e. if an adequate level of security is ensured by:
    • an adequacy decision of the Commission (Article 45 (3) GDPR);
    • binding corporate rules (Articles 46 (2) (b), 47 GDPR);
    • standard data protection clauses (Articles 46 (2) (c) and (d) GDPR);
    • an approved code of conduct (Articles 46 (2) (e), 40 GDPR);
    • an approved certification mechanism (Articles 46 (2) (f), 42 GDPR), or
    • other measures (Articles 46 (2) (a), (3) (a) and (b), 49 GDPR).
III. Controller’s Rights and Obligations.
  1. The Controller is solely responsible for assessing the admissibility of collecting, processing and using data as well as for assigning rights to entities.
  2. The Controller has the right to give further instructions to the Processor in relation to the data processing. Orders issued orally will be confirmed by the Controller without undue delay (at least in text form). Instructions will be reported via the Reseller Panel.
  3. For this purpose authorized persons on the part of the Controller are coordinators indicated in the Agreement.
  4. Dedicated recipients of orders on the Processor's part are: persons indicated in the Agreement, cc: Data Protection Officer.
  5. The Processor shall immediately inform the Controller if, in his opinion, an instruction infringes applicable data protection law. The Processor shall then be entitled to suspend the execution of the relevant instruction until the Controller confirms or changes it. The Controller shall inform the Processor without undue delay, if errors or irregularities are during the inspection as a result of the order.
  6. The Controller hereby declares that he has ensured that the prerequisites for the legality of the personal data entrusted to the Processor are met.
  7. In the event that the Controller places an image/profile picture of his employees/contact persons/representatives in the Reseller Panel, or orders the Processor to perform such activities on his behalf, the Controller is obliged to acquire voluntary consents from said entities for the publication of their image in the Reseller Panel. The consent for publishing the image should include the date and place of its granting, the purpose and scope of use of the image, the period the consent is granted for and the signature of the employee/representative/contact person.
  8. The Controller declares that personal data entered by him into the Reseller Panel or commissioned to the Processor for processing on his behalf, are obtained in accordance with the law on the basis of valid, lawful processing grounds. The Processor is entitled to request indication in writing or documents from the Controller, regarding the grounds for processing.
IV. Processing, rectification, restriction and erasure of data by the Processor.
  1. The Processor collects, processes and uses the data made available to him strictly in accordance with the arrangement for the implementation of services ordered under the Agreement and based on the instructions issued by the Controller.
  2. Without the consent of the Controller, personal data may not be copied or duplicated for purposes other than performance of the subject of the Agreement, or due to the need to fulfil obligations arising from generally applicable law.
  3. The Processor states that data provided by the Controller or collected at his request may be processed together with databases of other Clients on a single system platform with logical division and that they are jointly managed.
  4. The Processor may not arbitrarily rectify or restrict the processing of data provided to him as part of a request. This can be done only in the case of documented instructions issued to him by the Controller. Where a data subject contacts the Processor directly in this respect, the Processor shall immediately forward this request to the Controller.
  5. Information to third parties or the data subject may only be provided by the Processor with prior written authorization of the Controller and/or is required by law. (e-mail)
  6. The Processor undertakes to assist the Controller in fulfilling the obligations set out in Articles 32-36 of Regulation 2016/679; in particular, the Processor undertakes to provide the Controller with the information and carry out orders concerning the applied protection measures and personal data protection violations. The Processor is obliged to:
    1. provide the Controller with information about any breach of personal data protection within 24 hours from the moment a personal data breach event is detected,
    2. prepare - within 24 hours from the moment a personal data breach event is detected - the information required for the notification of a personal data breach, submitted to the supervisory authority referred to in Article 33(3) of Regulation 2016/679. The notification should contain at least the information about:
    3. the date, duration and location of the personal data breach;
    4. the nature and scale of the breach, i.e. in particular the categories and approximate number of data subjects and the categories and approximate number of entries of personal data affected by the breach and, if possible, identification of data subjects affected by the breach;
    5. the IT system the breach takes place in (if the breach occurs in relation to the processing of data in an IT system);
    6. the estimated time needed to remedy the damage caused by the breach;
    7. the nature and scope of the personal data affected by the breach;
    8. the possible consequences of the breach, including the consequences for the data subjects;
    9. the measures taken to minimize the consequences of the breach and the proposed preventive and corrective actions;
    10. the contact details of the person who can provide further information about the breach;
    11. keeping a register of data breaches, which will include the circumstances of the personal data breach, its effects and the remedial measures taken,
    12. modifications to the scope of information covered by the data breach register at the request of the Controller,
    13. such documentation shall be made immediately available to the Controller on each request,
    14. carrying out a preliminary analysis of the causes of the infringement of the rights and freedoms of data subjects and to communicate the results of this analysis to the Controller within 24 hours from the detection of the event constituting a personal data breach. If the Processor is not able to provide the Controller with all the information referred to in point b) at the same time, it should provide it successively, without undue delay.
    15. provide the Controller with all details required for communication of a personal data breach to the data subject, as specified in Article 34(3) of Regulation 2016/679, within 24 hours from the moment a given personal date breach is detected,
    16. appointment of persons responsible for taking steps to remedy the infringement and take corrective actions in agreement with the Controller,
    17. taking all reasonable steps to limit and remedy the negative effects of the personal data breach without undue delay until receiving instructions from the Controller.
  7. The Controller shall bear all costs relating to the communication with the data subject, in particular one affected by a breach.
  8. The Controller is responsible for identifying the data subject and the Processor undertakes, through appropriate technical and organizational measures, to support the Controller in fulfilling his obligation to respond to the requests of data subjects, with regard to the exercise of their rights set out in Articles 15-22 of Regulation 2016/679; in particular the Processor undertakes to:
    1. in case the data subject requests the right of access, as specified in Article 15 of Regulation 2016/679, prepare a report for the Controller, within 10 working days, providing the information referred to in Article 15(1) of Regulation 2016/679 to be presented by the Controller to the data subject,
    2. in case the data subject requests the right to rectify data, as specified in Article 16 of Regulation 2016/679, to record the request of the data subject by updating the data, provided that the update is covered by the principal agreement, and to inform the Controller about it within five working days,
    3. in case the data subject requests the right to data portability, as specified in Article 20 of Regulation 2016/679, to export to the Controller all electronically processed personal data of the data subject within 10 working days after the data subject's request,
    4. in case the data subject requests the right to object, as specified in Article 21 of Regulation 2016/679, to immediately communicate the information to the Controller not later than within three working days from the data subject's request,
    5. in case the data subject requests the right to human intervention on the part of the Controller or the right to express their point of view, as specified in Article 22 of Regulation 2016/679, to immediately communicate the request to the Controller not later than within three working days from the data subject's request.
  9. The Processor undertakes to immediately inform the Controller, but not later than within three working days from obtaining information, about any proceedings, in particular administrative or court proceedings, concerning the processing of the personal data entrusted by the Controller, about any administrative decision or ruling concerning the processing of the entrusted personal data, addressed to the Processor, as well as about any audits and inspections concerning the processing of the entrusted personal data by the Processor, in particular those carried out by the supervisory authority within the scope of this Agreement.
  10. The Processor undertakes to provide the Controller, upon every request and no later than within five working days, any and all information necessary to demonstrate the Controller's compliance with his obligations under applicable law, in particular under Regulation 2016/679, including the provision of information on the safeguards applied, identified risks and breaches of personal data protection, and only in the extent relating to this agreement and the data entrusted to the Processor under it.
  11. The Processor undertakes to store personal data only as long as specified by the Controller and to update, correct, amend, anonymize, restrict the processing personal data without undue delay and in accordance with the instructions of the Controller. This applies to the exercise of the rights of the entities whose data is processed under this data processing agreement. The Processor stipulates, however, that in some cases it will perform the above activities as a personal data controller.
V. Quality assurance and other obligations of the Processor.
  1. In addition to complying with the provisions hereof, the Processor has legal obligations under Articles 28 to 33 GDPR; in this respect, the Parties agree on the following:
    1. a.with regard to appointing a data protection officer by the Processor, the Parties agree as follows: the Processor has arranged for a data protection officer to be appointed in writing to carry out his activities in accordance with Articles 38 and 39 of the GDPR, and has provided his contact details to the Controller for the purpose of establishing direct contact. The Controller must be informed immediately of any change of the data protection officer.
      Data Protection Officer, BAUER MEDIA POLSKA, os. Teatralne 9A, 31-946 Krakow, Poland, M +48 500 160 668, IOD@bauer.pl. Change of the contact details of the personal data protection officer does not constitute a change hereto or a change to the GTC. The Processor shall inform the Controller about new contact details in the form of an e-mail to the e-mail address indicated in the Agreement.
    2. the Parties agree upon the following with regard to ensuring confidentiality pursuant to Articles 28 (3) (b), 29, 32 (4) GDPR:
      • The Processor shall ensure that all persons authorized to process personal data belonging to the Controller under the terms of this CDPA have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality and have previously been made familiar with the data protection provisions relevant for them.
      • The Processor and any person working for the Processor who has access to personal data may process such data only in accordance with the instructions of the Controller, including the authorizations granted in this Agreement, unless the processing is required by applicable law.
    3. With regard to the implementation of and compliance with technical and organizational measures required for this commissioned processing in accordance with Article 28 (3) (c), 32 GDPR, the Parties agree on the 'Minimum requirements for the technical and organizational measures (TOM)' set out in Schedule 2.
    4. With regard to dealing with supervisory authorities, the Parties agree as follows:
      • The Controller and the Processor shall, upon request, cooperate with supervisory authorities in the performance of their tasks.
      • The Processor is responsible for immediately informing the Controller about the audit activities and actions taken by the supervisory body, provided that they relate to this order or may affect it. This also applies to cases where the competent authority conducts an offense or criminal proceeding relating to the processing of personal data by the Processor.
      • In case the Controller is subject to an inspection by the supervisory authority, to administrative or criminal proceedings, to liability claims of the data subject or of a third party or to any other claim in connection with the commissioned data processing by the Processor, the Processor shall assist the Controller to the best of his ability.
VI. Audit rights and assistance obligations
  1. The Processor gives his consent to announced inspections carried out by the Controller or, in individual cases, by third parties delegated by the Controller not more frequently than once a year and at his own expense. The inspections shall monitor compliance with applicable data protection laws and this CDPA, especially requesting information and inspecting the stored data and data processing programs. The Processor shall charge a fee based on the actual costs per working hour of the Processor's personnel.
  2. The Controller is obliged to report its intention to carry out an audit, indicating its scope, time, place and contact details of the auditor (name, surname, telephone number, e-mail address) no later than 14 working days before the planned audit. Each time before the audit is carried out, the Controller shall present a framework plan of inspection activities (the scope of the audit) to the Processor for verification and acceptance.
  3. The Parties acknowledge that the above arrangements and the final date of the audit will be agreed by the Parties in e-mail form, through exchange of messages to the e-mail addresses indicated in Part III hereof.
  4. The audit may take place only on the date, place and scope specified above, subject to this item. The audit may take place on business days (from Monday to Friday, excluding public holidays in accordance with Polish law and Saturdays), from 8:00 am - 4:00 pm and after submitting written authorizations to the Processor, under pain of nullity. The Controller undertakes that the audit activities do not hinder the Processor's business activity. The Processor may object to the audit being carried out, in particular in the event of a risk of hindering the Processor's business. In this case, the Parties shall set a new date for the audit in accordance with the content of item 2.
  5. In the case of unjustified, excessively repetitive or extensive audits or audits carried out contrary to the above arrangements, the Processor may charge an audit fee that is based on the costs incurred.
  6. The Controller's auditor may not be an entity that carries out activities competitive to the Processor, or its affiliate or its employee or an entity/person cooperating with it, regardless of the basis of employment or cooperation.
  7. The Processor shall make available to the Controller all information necessary to demonstrate compliance with the Processor’s obligations laid down in Article 28 GDPR. The Processor undertakes to provide the Controller with the necessary information upon request and in particular to provide evidence of the implementation of the technical and organizational measures. The demonstration of compliance, which does not solely concern the specific agreement, can be provided by:
    1. compliance with approved codes of conduct in accordance with Article 40 GDPR;
    2. certification according to an approved certification procedure according to Article 42 GDPR;
    3. current certificates, reports or report extracts from independent bodies (e.g. auditors, data protection officers, IT security department, data protection auditors, quality auditors);
    4. a suitable certification by IT security or data protection audit (e.g. according to BSI).
  8. Taking into account the nature of the data processing and the information available, the Processor shall assist the Controller, as far as possible, in fulfilling his obligations laid down in Articles 32 to 36 GDPR concerning the security of personal data, notification obligations in the event of a data breach, data protection impact assessments and prior consultations. This may include but is not limited to:
    1. ensuring an adequate level of protection through appropriate technical and organizational measures taking into account the circumstances and purposes of the processing as well as the predicted probability and severity of a possible infringement of rights due to security gaps, and enable an immediate determination of relevant infringement events,
    2. the obligation to report personal data breaches to the Controller without undue delay,
    3. the obligation to assist the Controller in the context of its obligation to communicate the personal data breach to the data subject and to make all relevant information available to the Controller in this regard without undue delay provision of assistance to the Controller with any data protection impact assessments,
  9. Provision of assistance to the Controller with prior consultations with supervising authorities.
VII. Anonymization or deletion of personal data.
  1. After the completion of work covered by the Agreement or earlier, the Processor should, at the request of the Controller, however no later than upon termination of the Agreement - i) anonymize or if possible ii) delete in accordance with the provisions regarding data protection all documents in his possession, developed results of data processing and use, as well as data sets related to the order, unless European Union or Member State law requires storage of the personal data. Upon request, a removal protocol should be submitted to the Controller.
  2. Documentation which is used to demonstrate orderly data processing in accordance with this CDPA and the Agreement shall be stored beyond the term of the Agreement by the Processor, in accordance with the respective retention periods. The Processor may hand such documentation over to the Controller at the end of the term of the Agreement to relieve the Processor of this contractual obligation.
  3. The Processor shall provide, upon request, written certification to the Controller that the Processor has fully complied with this section VII.
VIII. Subcontracting
  1. Subcontracting for the purpose of this CDPA is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Processor shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of Controller's personal data, even in the case of outsourced ancillary services.
  2. The Controller agrees that the Processor may use the services of subprocessors in order to provide the services under the main agreement in an appropriate manner. If the use of a subprocessor involves the transfer of personal data to a third country and the conclusion of appropriate contractual clauses in order to provide safeguards, the Processor shall conclude standard contractual clauses with the subprocessor in the name and on behalf of the Controller. By concluding this Agreement, the Controller authorizes the Processor to conclude standard contractual clauses on behalf of the Controller. The Processor declares that, while performing processing activities, it employs entities performing activities on their own behalf and at the request of the Processor, the list of these entities as of the date of conclusion of the contract is included in Schedule 3 to the Agreement. The Processor reserves the right to unilaterally change the content of Schedule 3 to the Agreement, provided that it informs the Controller about the change of the entity authorized for subprocessing in accordance with Article II indicated in this Agreement. The new entity, which will perform operations on personal data as a subprocessor, shall carry out these operations on the principles that are at least equal to those described in this Agreement.
  3. The Processor shall ensure data protection compliance and the guarantees of the subcontractor for compliance with European data protection laws. communicated to the Controller.
IX. Technical and Organizational Measures
  1. The Processor shall establish TOMs pursuant to Articles 28 (3) (c), 32 and 5 (1), (2) GDPR which guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems and services. The state of the art, implementation costs, the nature, scope and purposes of processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons shall be taken into account pursuant to Article 32 (1) GDPR [Details in Schedule 2 hereto].
  2. TOMs are subject to technical progress and further development. In this respect, it is permissible for the Processor to change the described TOMs, as long as the security level of the defined measures is not reduced. Notwithstanding the foregoing, any changes shall be documented and communicated to the Controller, e.g. by providing an updated list of TOMs. Significant changes must be agreed upon in writing.
X. Liability
  1. The Processor is liable to the Controller for damages arising from the fault of the Processor, his employees or persons to whom it commissioned the performance of a contractual order.
  2. The Processor is liable to the Controller in accordance with the contract up to the amount of actual losses suffered - any liability for lost profits and indirect damages is excluded. The Parties also agree that the maximum liability of the Processor in this respect is limited to the amount of EUR 2 500 (in words: two thousand and five hundred euros).
  3. For the compensation of damages that a data subject has suffered because of an inadmissible or incorrect data processing within the scope of the provision in accordance to the data protection laws, the Controller is solely responsible in relation to the data subject.


Schedule 1 - Nature of the data processing
  1. Under contracts concluded between the Controller and the Controller's Client, in connection with the performance of the Agreement
Personal data collected in connection with the provision and use by the Controller of the Reseller Panel, (in particular, sending e-mails, day-to-day contact related to the execution of the Controller's order, contracts for the provision of services by the Processor to the Controller's Clients, generating offers and orders, technical support of the Reseller Panel for the management of the data processing rights of the entities mentioned below):

Information necessary to log into the Service: Name, surname
Corporate e-mail and phone number,
Password and other information necessary to identify the data subject;

Information necessary to perform the services:
  • information on interactions with the Reseller Panel (e.g. date and time of logging in to the Reseller Panel, generated offers, submitted inquiries and orders, sending e-mail messages that may contain personal data) and information regarding its content, interactions with other users, metadata,
  • country and language.

Other information:
  • technical data (URL address, Internet identifiers, cookie data and other similar technologies and IP address associated with the date, time zone and time of the event, combined with other data allowing the identification of the person, device ID, language settings on the device); the information contained in reports on the provision of services, in particular the reports on Google Analytics, if they can be combined with other personally identifiable data;

Additional information:
  • profile picture

Data entrusted to the Controller by the Controller’s Client as part of access to the Client's Website.
  • data covered by the Client's Website, especially, name and surname, e-mail address, IP address, telephone numbers, unstructured data (ie. text documents, pictures, recordings, films, etc.). Method of processing: backup copies.



Schedule 2: Technical and organizational measures. (TOMs) of the Processor. Binding substantive minimum requirements in the field of technical and organizational measures (TOM).
  1. Confidentiality (Article 32 paragraph 1 point b GDPR)
    1. Access control: No unauthorized use of the system
    2. Access control: No unauthorized reading, copying, changes or deletions of data within the system;
    3. Separation control: Separate data processing, that has been collected for differing purposes.
  2. Pseudonymization and encryption of personal data (Article 32 paragraph 1 point a GDPR)
  3. Integrity: (Article 32 paragraph 1 point b GDPR)
    1. Data transfer control: No unauthorized reading, copying, changes or deletions of personal data by electronic transfer or transport;
    2. Data entry control: Verification, whether and by whom personal data has been entered changed or removed from the system.
  4. 4.Availability and Resilience of systems and processing services (Article 32 paragraph 1 point b GDPR)
    1. Availability control
    2. Prevention of accidental or willful destruction or loss;
  5. Rapid recovery (Article 32 paragraph 1 point c GDPR): It is assured that systems used can be rapidly restored in the event of a malfunction;
  6. Procedures for regular testing, assessment and evaluation of effectiveness of technical and organizational measures to (Article 32 paragraph 1 point d GDPR; Article 25 paragraph 1 GDPR)
    1. Data protection management: Data protection guidelines and processes are established and their timeliness, compliance and implementation are checked regularly;
    2. Incident-Response-Management: Warranty that the Controller is informed immediately in the event of data protection incidents;
    Consideration of data protection in the design stage and default data protection (Article 25 paragraph 2 GDPR): The Processor ensures that its data processing systems are preset and operated in compliance with data protection laws.

Order inspection: No third party data processing as per Article 28 GDPR without corresponding instructions from the Controller.


1. Confidentiality (Article 32 paragraph 1 point b GDPR)
Physical Access Control to buildings and areas containing personal data processing equipment e.g.: magnetic or chip cards, keys, electronic intercoms, facility security services and/or entrance security staff, alarm systems, video/CCTV Systems

Access control to devices processing personal data e.g. (certain) passwords automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers
Company headquarters / Local CRM: Magnetic cards, building keys issued to authorized persons, alarms, security, camera systems, recording entrances / exits of the building, door locking;

Server room for BSP (OVH): access cards, 24h security, video monitoring, alarms, own power generators, ISO 27002 and ISO 27005System of automatic start-up, screensaver, system of logging out the user after finishing work in the IT system; Devices, disks and other computer media containing personal data, which are intended to be destroyed or transferred to another entity not authorized to process the data, shall be erased and, if this is not possible, destroyed in such a way as to make them impossible to read; a set of personal data in paper form shall be stored in closed cabinets; documents containing personal data are mechanically destroyed after the purpose and period of processing has ceased; access to the computer operating system requires authentication with a user ID and a password; access to the personal dataset requires authentication with a user ID and a password. Passwords are confidential, they are periodically changed with a minimum of 10 characters; options of blocking in the IT system revoking passwords, keeping a register of users, and their authorizations in the IT system; central management of access to the system; Employees are familiar with data protection and confidentiality regulations, which they confirm with their handwritten signatures; data stored on flash drives and CDs/DVDs or hard drives are not taken outside the company premises;
Access control to applications that process personal data e.g. authorization concept, need-based rights of access, logging of system access eventsAccess to the application is limited to individual user accounts. Each account contains a scope of permissions, which translates into access only to personal data that are subject to the required restrictions. The rights also decide about the choice of selected personal data. Application login times are recorded. User passwords comply with security standards, as for devices handling personal data. The user's passwords are kept in the form of hashes.
Separation Control, e.g. multiple client support, Sandboxing;Data or data collected at the request of the Reseller may be processed together with other databases of other clients on one system platform with logical division and they are managed separately.
Pseudonymization and encryption of personal data (Article 32 (1) (a) GDPR; Article 25 (1) GDPR)
"Pseudonymization" means the processing of personal data in such a way that it can no longer be attributed to a specific data subject, without the use of additional information, provided that such additional information is stored separately and subject to technical and organizational measures that prevent the identification or an identifiable natural person.
The data is encrypted during its transmission between individual systems, along with all communication (SSL). Data in backup files are kept in encrypted form. In systems where this is possible and this will not interfere with the day-to-day operation of the system, the data may be encrypted or pseudonymous.
2. Integrity (Article 32 paragraph 1 point b GDPR)
Data Transfer Control e.g.: encryption, virtual private networks (VPN), electronic signature;Data between systems are sent in an encrypted form (e.g. SSL) and only between authorized terminals (authorization codes / passwords, oauth, limited to trusted IPs).
For employees having access to personal data in the application, the connection to the internet is secured by a firewall module running on network routers; It is forbidden to connect to the internet with an inoperative antivirus program (or lack thereof) and a firewall. Implemented business continuity procedure;
Data entry control, e.g.: logging, document managementDocument circulation procedure implemented.Changes to personal data in the database are logged.
The document circulation procedure implemented , setting restrictions on access to personal data.
3. Availability and Resilience (Article 32 paragraph 1 point b GDPR) and the ability to quickly restore the availability of personal data and access to them in the event of a physical or technical incident (Article 32 (1) (c) GDPR)
Access Control and system resilience:
e.g.: backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting procedures and contingency planning
The application is hosted from a server room ensuring the highest standards of security and availability: https://www.ovh.co.uk/personal-data-protection/security.xml https://www.ovh.co.uk/files/2018- 06 / plaquette-gdpr-web-EN-final.pdfThe data is secured by making cyclical copies of individual parts of the systems. The procedure is described in the approved backup procedure.Risk analysis carried out for possible problems with personal data processing systems. Implemented procedures and patterns of responding to personal data breaches.Computer network used by employees having access to the application: protection against unauthorized access through a software firewall. Additionally, anti-virus software is installed: E-mail is automatically checked by the anti-virus scanner; Virus detection is reported to system administrators.
Rapid recovery access to Personal dataAn IT system administrator has rights; implementation based on the backup procedure; the correctness of backup copies is verified;
4. Procedures for regular testing, assessment and evaluation (Article 32 paragraph 1 point d GDPR; Article 25 paragraph 1 GDPR)
Data Protection Management
e.g. availability of a data protection management system (data protection guidelines), documentation of the data protection measures taken.
System inspection and maintenance procedure performed by the IT system administrator; Data retention procedure; PPDO agreements with partners and subprocessors; sub-processor selection procedures (e.g. for hosting)
Incident-Response-Management e.g. Incident reporting procedure in place; introduction of staff to confidentiality, data security and incident reporting procedures; internal procedures and training related to personal data processing;Implemented procedure of responding to personal data breach. Incident reporting procedure implemented; familiarizing employees with procedures regarding confidentiality, data security and incident reporting; internal procedures and training related to the processing of personal data;
Considering data protection in the design phase and default data protection (Article 25 GDPR), e.g. minimizing data processing, early pseudonymization, transparency regarding function and data processing;Taking into account the requirements of the GDPR and ensuring the participation of the GDPR and DPO consultants already at the application design stage and in the early stages of its life. The test / presentation versions of the application are independent of the production application (they only have test data). The selected hosting company has security certificates. Periodic security audits.
Order or contract control e.g.: clear and unambiguous contractual arrangements, formalized order management, strict controls on the selection of the service providers, duty of pre-evaluation, supervisory follow-up checksContractual provisions, verification of the selection of service providers, subcontractors, entities cooperating with the Processing Entity; unambiguous formulation of data processing instructions, service monitoring;


Schedule 3: List of subcontractors

The list of these entities is valid as of the date of conclusion of the GTC:

Subcontractors nameType of subcontractingScope / categories of personal dataWill personal data be processed outside the EU/EAA.Address (location) of the company, and if different: location of data processing.
Companies from the Bauer Group, Bauer PublishingCooperate within the group in order to enable current business operations and ensure implementation of the Agreement ;All are indicated in Appendix 1 (for a limited time/scope needed to perform a single task by an employee)NOPoland, Germany
OVHProvides the hosting service on which the Reseller Panel is maintainedAll indicated in Appendix No. 1 (for a limited time/scope needed for an employee to perform a single task)NOPoland, France
MicrosoftProvides tools (Teams, OneDrive, Windows)All (in a limited time/scope needed for an employee to perform a single task)NOUK/Germany