Last updated: 5 DECEMBER, 2023
Terms of Use
Agreement on entrustment of personal data for processing
Given that:
1) The Customer has entered into a Master Service and Licensing Agreement (hereinafter: "License Agreement") with Geosolution, pursuant to which Geosolution has granted the Customer the right to use the software developed by Geosolution, and may provide the Customer with the services detailed in the Agreement and the Order;
2) The Customer processes information constituting personal data (hereinafter also referred to as "Personal Data") within the meaning of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (hereinafter also referred to as "RODO");
3) Data provided by the Customer to Geosolution in connection with the License Agreement may also include the Personal Data referred to in Section 2).
Geosolution and the Customer are collectively referred to as the "Parties", and each individually as a "Party".
The Parties enter into this Entrustment Agreement with the following content:
1. Subject of the Entrustment Agreement
1.1. The Customer entrusts Geosolution with the processing of Personal Data, within the scope of this Agreement, for the purpose of performing the License Agreement and this Agreement, and Geosolution undertakes to process the same under the terms of this Agreement.
1.2. Geosolution's processing of personal data is carried out within the framework of the remuneration agreed upon in the License Agreement. Terms not defined in this Entrustment Agreement and capitalized shall have the meaning given in the License Agreement.
2. Statements of the Parties
2.1. The Customer represents that, subject to paragraph 2 below, it is the administrator of the Personal Data entrusted to Geosolution, that is, the entity which determines the purposes and means of processing the Personal Data (hereinafter also: "Administrator").
2.2. In any case in which the Personal Data includes data of which the Customer is not the Administrator, the Customer hereby declares that the Administrator of such data is one of its counterparties and that, in accordance with the law and a separate agreement concluded with the counterparty, such counterparty is authorized to further entrust the Personal Data to Geosolution. The Customer hereby states that the Personal Data includes Personal Data/does not include Personal Data, whose Administrator is the Customer's contractor.
2.3. The Customer shall, at Geosolution's request justified, in particular, by an inspection by supervisory authorities or a change in the interpretation of the law, provide Geosolution, without undue delay, via e-mail, with an up-to-date list of the Administrators referred to above.
2.4. The Customer declares that the Personal Data entrusted to Geosolution for processing was obtained in a legal manner, and that its entrustment or further entrustment to Geosolution does not violate the law or the rights of third parties.
2.5. Geosolution undertakes to process Personal Data only to the extent required for the execution of the License Agreement and the Entrustment Agreement and for the purposes set forth therein.
2.6. Geosolution declares that it has the infrastructural resources, experience, knowledge and qualified personnel to the extent that it is able to duly perform the Processing Agreement, in compliance with applicable laws and regulations. In particular, Geosolution declares that it is familiar with the principles of personal data processing and security under the RODO.
3. Scope of entrusted Personal Data and categories of processing
3.1. Personal Data entrusted by the Customer under this Agreement will be processed by Geosolution in electronic form in ICT systems owned or used by Geosolution in traditional form.
4. Processing area
4.1. Geosolution is entitled to process personal data only in the territory of the European Economic Area (hereinafter: "EEA"), unless it obtains the Customer's prior consent to process the entrusted data outside the EEA.
4.2. If the Customer gives Geosolution permission to transfer data to a third country that is outside the European Economic Area, the Customer may transfer such data only in accordance with the terms of the applicable legislation.
5. Data transfer
In order to perform the activities referred to in this Agreement, the Customer shall provide the entrusted data to Geosolution or allow access to it, as mutually agreed upon by the Parties.
6. Responsibilities of Geosolution
6.1. Geosolution shall, in performing the activities referred to in this Agreement, comply with the rules set forth herein and with the Customer's instructions, if the Customer gives such instructions to Geosolution.
6.2. Geosolution agrees to process the entrusted data in accordance with the RODO, Polish regulations adopted to enable the application of the RODO, other applicable laws, the Agreement and this Agreement, and the Customer's instructions referred to in paragraph 1 above.
6.3. Geosolution undertakes to process the data only upon documented instructions from the Customer (based on this Agreement or also specifically within the scope of the instructions referred to in paragraph 1 above or in any other statement provided to Geosolution by the Customer), unless the obligation to process data beyond the scope of this Agreement and the above instructions and statements of the Customer is imposed on Geosolution by applicable law. Geosolution shall each time inform the Customer electronically - prior to the commencement of processing - of this legal obligation, unless applicable law prohibits Geosolution from providing such information due to important public interest.
6.4. Geosolution undertakes to process the data only to the extent and for the purpose provided for in this Agreement. Geosolution shall be held liable for processing of the data contrary to the provisions of this Agreement, as well as in violation of applicable laws on the processing of personal data, in particular the provisions of the RODO.
6.5. Geosolution undertakes to apply throughout the term of this Agreement appropriate technical and organizational measures to ensure a degree of security appropriate to the risk of infringement of the rights or freedoms of the individuals whose data will be processed, and to ensure the implementation of the principles of data protection by design and data protection by default set forth in Article 25 of the RODO.
6.6. Geosolution undertakes to support the Customer (in particular, through the use of appropriate technical and organizational measures) in fulfilling its obligation to respond to requests from data subjects to exercise their rights set forth in Chapter III of the RODO. The cooperation of the Parties within the scope indicated in the preceding sentence shall take place in a form and timeframe that enables the Customer to fulfill these obligations. In connection with the execution of this obligation, Geosolution shall, in particular, be obliged to provide information and disclose the entrusted data (or copies thereof) upon the Customer's request within 5 days, in the form specified by the Customer. Geosolution shall also promptly, but no later than within 2 days, inform the Customer of the request made to Geosolution by the Customer regarding the exercise of the rights of the person whose data has been entrusted to Geosolution. Geosolution shall not, however, respond to such a request without the prior consent or express instruction of the Customer.
6.7. Geosolution undertakes to assist the Customer in complying with the obligations set forth in the RODO, including in particular Articles 32-36 of the RODO.
6.8. Geosolution undertakes to keep a written (including electronic) record of all categories of data processing activities performed on behalf of the Customer, including information on:
a. name and contact information of Geosolution and other entities (in case of further entrustment of personal data processing) and the Customer, as well as the Data Protection Officer, where applicable;
b. categories of processing carried out on behalf of the Customer;
c. when applicable in light of point 4 above - transfer of data to a third country or international organization, including the name of that third country or international organization;
d. a general description of the technical and organizational security measures for securing the entrusted personal data.
6.9. Geosolution undertakes to make available to the Administrator at the Administrator's request, no later than within 3 days, all information necessary to demonstrate that the Customer or Geosolution - depending on the content of the Customer's request - has complied with its obligations under applicable laws, in particular the RODO, including providing information on the safeguards used, identified risks in the area of personal data protection.
6.10. Geosolution undertakes to immediately inform the Customer if, in its opinion, the Customer's instruction given in accordance with Sections 6.1 and 6.3 above constitutes a violation of the RODO or other national or EU regulations on personal data protection; the information in this regard should include an appropriate justification and indication of the provision of law which, in Geosolution's opinion, has been violated.
6.11. Geosolution undertakes to promptly, but no later than within 3 days, inform (as long as this does not lead to a violation of applicable law) the Customer of any proceedings, in particular administrative or judicial proceedings, concerning the processing of data by Geosolution, of any administrative decision or ruling concerning the processing of data directed to Geosolution, of any checks and inspections concerning the processing of data by Geosolution, in particular those conducted by a supervisory authority, as well as of any complaints from persons related to the processing of their personal data. The above obligations apply to events related to the processing of data entrusted by the Customer. This obligation exists even after the expiration or termination of this Agreement. The Administrator, both during the term of this Agreement and after its expiration or termination, has the right to:
e. participate in the inspection;
f. make comments on the content of the audit report;
g. comment on the content of responses to letters and decisions of the supervisory authority regarding, even indirectly, the processing of entrusted personal data, as well as comment on the content of responses to complaints from data subjects provided by Geosolution.
7. Geosolution staff and subcontractors
7.1. Geosolution may delegate the performance of the activities specified in the Agreement to third parties cooperating with Geosolution (Geosolution's personnel), obligating such persons to comply with the data protection standards set forth in the RODO and in this Agreement. Geosolution shall be liable for the acts and omissions of the above persons as for its own acts or omissions.
7.2. Geosolution may not entrust data processing to another entity (Geosolution's subcontractor) without the prior written consent of the Customer.
7.3. Geosolution obliges the entities to which it has entrusted data processing to comply with the personal data protection standards set forth in the RODO and in this Agreement to the extent provided therein. Geosolution shall be liable for the acts and omissions of the above entities as for its own acts or omissions.
7.4. Geosolution declares that it uses or will use only such entities that provide sufficient guarantees for the implementation of appropriate technical and organizational measures so that the processing meets the requirements of the RODO and protects the rights of data subjects. At the Customer's request, Geosolution will provide information on what specific criteria it used to select the entity and to what extent these criteria were met.
7.5. Geosolution undertakes that all persons performing data processing on behalf of Geosolution, before performing such activities:
a. will sign a statement of responsibility for the protection of entrusted personal data. At the request of the Customer, the content of the statement will be presented for approval;
b. shall undertake to maintain secrecy or be subject to the relevant statutory obligation of secrecy and shall act only within the scope of the authorization granted to them, including undertaking only the activities referred to in this Agreement;
c. will be trained on regulations for processing personal data.
8. Processing control
8.1. Geosolution is obliged to control the processing of entrusted data at each stage of the process and inform the Customer about it.
8.2. The Customer shall have the right to verify that the data processing complies with the provisions of the License Agreement, this Agreement and the law, in particular the RODO.
8.3. Geosolution will enable the Administrator and will cooperate with the Customer or the Customer's authorized auditor in conducting inspections (audits) of the data processing process.
9. Reporting violations
9.1. Geosolution is obliged to notify the Customer immediately, but no later than within 8 h of becoming aware, of the occurrence of a data processing event that may bear the appearance of a personal data processing violation, to the e-mail address: [...] along with information about:
a. the nature and scale of the breach, i.e., in particular, the categories and approximate number of data subjects and the categories and approximate number of data records affected by the breach;
b. the expected time needed to remedy the damage caused by the violation;
c. the nature and scope of the affected data;
d. the possible consequences of the violation, taking into account the consequences for data subjects;
e. measures taken to minimize the consequences of the violation and proposed preventive and corrective actions.
9.2. In the event that it is not possible to provide complete information to the Customer within the timeframe indicated in paragraph 1 above, Geosolution will provide the Customer with the information in its possession, together with an indication of the timeframe for providing complete information.
9.3. A personal data breach is understood to be a breach of security leading to the accidental or unlawful destruction, loss, modification, unauthorized disclosure or unauthorized access to personal data transmitted, stored or otherwise processed on behalf of the Customer.
10. Responsibility
Geosolution undertakes to cooperate with the Customer in order to effectively dismiss the claims of the persons whose personal data has been entrusted for processing under the Agreement, as well as to provide explanations and undertake any possible defense in proceedings initiated by the competent authorities regarding the processing of data with Geosolution's participation.
11. Processing time and termination of the Agreement
11.1. Data processing under this Agreement shall be permitted only during the term of the License Agreement.
11.2. If Geosolution violates its obligations under this Agreement, the Customer may terminate the Agreement with immediate effect. In particular, the Customer may terminate the Agreement with immediate effect if an inspection by a competent authority or by the Customer reveals that Geosolution does not apply the principles described in this Agreement or arising from the RODO or other laws regarding the processing of personal data.
11.3. Geosolution, upon termination or expiration of the Agreement, is obliged to remove the data from its own media and systems, and return the media with the data received from the Customer to the Customer.
11.4. Geosolution prepares a protocol from the deletion activity.
12. Final provisions
12.1. This Agreement shall enter into force as of the date of signing the License Agreement.
12.2. Geosolution has designated [...] as the person responsible for maintaining day-to-day contact with the Customer on matters covered by this Agreement.
12.3. The Administrator has designated: [...] as the person responsible for maintaining ongoing contact with Geosolution on matters covered by this Agreement.
12.4. Matters not governed by the provisions of this Agreement shall be governed by the laws generally applicable in Poland, including in particular RODO. The court having jurisdiction over disputes arising from this Agreement shall be the court having jurisdiction over the Customer.
12.5. All amendments and supplements to this Agreement shall be in writing under pain of nullity.
12.6. This Agreement is drawn up in 2 (two) counterparts, one for each Party.