The platform's GDPR agreements
Controller
The Registered User as defined in the Terms of Service of the website MyOwnConference, to which this document is an attachment.
Processor
The Website Owner as defined in the Terms of Service of the website MyOwnConference, to which this document is an attachment.
Agreement
The agreement on entrusting personal data processing regulated herein. Other capitalized terms have the meanings specified in the Terms of Service of the website MyOwnConference, to which this document is an attachment.
§1
1.1. The Controller represents that they control the personal data of Guests, consisting of the data specified in Attachment A below (referred to as "Personal Data").
1.2. The parties confirm that they have concluded the Website Use Agreement (referred to as the "Cooperation Agreement"). The Processor's performance of the Cooperation Agreement requires processing the Personal Data managed by the Controller.
1.3. Under this Agreement, the Controller entrusts the Processor with Personal Data processing per the General Data Protection Regulation (GDPR), within the scope specified in Attachment A below, and strictly to perform the Cooperation Agreement.
1.4. The Processor confirms awareness of GDPR and ensures compliance with its provisions, guaranteeing the implementation of appropriate technical and organizational measures to meet GDPR requirements and protect the rights of individuals.
1.5. The Processor is authorized to perform the Personal Data processing operations specified in Attachment B below.
1.6. The Processor will not use other processors' services without the Controller's prior detailed or general written consent. In case of general written consent, the Processor will inform the Controller of any intended changes regarding other processors at least 21 days before the new processor begins processing. Lack of an explicit decision by the Controller by that date implies the Controller's lack of consent.
1.7 With the Controller's consent as specified in point 6 above, the Processor may use another processor's services, provided the agreement on entrusting Personal Data processing is concluded on terms not less restrictive than this Agreement and GDPR provisions.
1.8 If the Processor uses another processor for specific processing activities on behalf of the Controller, the other processor must protect the data in the same manner as this Agreement requires. If the other processor fails to meet its data protection obligations, the Processor assumes full responsibility for the other processor's compliance with this Agreement.
1.9 The Processor guarantees the efficient performance of the Controller’s entitlements specified in this Agreement, GDPR provisions, and applicable EU, member state, and Polish laws.
1.10 The Processor informs the Controller that other processors handle the Guests' personal data entrusted by the Controller. The Controller consents to this arrangement.
1.11 The European Commission and the United States have agreed on a new Trans-Atlantic Data Privacy Framework to facilitate data flows and address the Schrems II decision of July 2020. For more details, visit European Commission Press Corner.
1.12 The Controller is solely responsible for:
1.12.1 Meeting all obligations specified in personal data protection laws applicable to the Controller, particularly toward individuals whose data is processed by the Processor.
1.12.2 Choosing the range of personal data processed and defining the purpose and means of processing.
1.12.3 Bearing all consequences of failing to meet the above obligations, including recourse liability towards the Processor.
§2
2.1. The Processor guarantees not to process Personal Data for purposes beyond this Agreement, subject to point 4(1) below.
2.2. The Processor will process Personal Data and provide assistance per the general provisions of personal data protection laws, including GDPR, other EU laws, and Polish laws.
2.3. The Processor will adhere to the following principles:
2.3.1. Process Personal Data solely at the Controller's documented request, including transfers to other states or international organizations unless required by EU or member state laws, in which case the Processor will inform the Controller at least 21 days in advance, unless prohibited by law for public interest reasons.
2.3.2. Ensure authorized personnel maintain confidentiality or are subject to statutory confidentiality obligations.
2.3.3. Implement all measures required under GDPR Articles 30, 32, 35, and 36, informing the Controller daily and submitting initial assessments before commencing Personal Data processing.
2.3.4. Comply with the terms of service for other processors specified in paragraphs 1(6-9).
2.3.5. Ensure appropriate technical and organizational measures enable the Controller to respond to data subjects' requests concerning their GDPR rights.
2.3.6. Ensure compliance with GDPR Articles 30-36 obligations, based on processing nature and available information.
2.3.7. Submit all requests and communications from data subjects to the Controller within 12 hours electronically, and within 3 days by mail.
2.3.8. Respond promptly to the Controller's requests related to this Agreement, providing evidence within 3 days.
2.3.9. Cease processing Personal Data and either delete or return all data upon Agreement termination or the Controller's request unless EU or member state laws require data retention.
2.3.10. Provide all necessary information to demonstrate compliance with GDPR Article 28 and enable audits by the Controller or an authorized auditor.
2.4. The Processor will:
2.4.1. Follow the Controller's instructions regarding the scope, purpose, and means of Personal Data processing.
2.4.2. Implement full protection measures for processed Personal Data, safeguarding against unauthorized access, damage, or destruction.
2.4.3. Allow only authorized personnel to handle IT systems and devices involved in data processing.2.4.4. Maintain records of personnel involved in Personal Data processing.
2.5. The Processor will promptly inform the Controller of any Personal Data protection breaches electronically within 12 hours. The breach notice will include:
2.5.1. A description of the breach, including the affected data categories and the estimated number of data subjects and entries.
2.5.2. Contact information for the data protection officer or relevant contact point.
2.5.3. Potential consequences of the breach.
2.5.4. Measures taken or proposed to address the breach and mitigate its impact.
2.6. The Processor will document all circumstances and gather evidence to help the Controller investigate the breach, including the nature, scale, consequences, timing, responsible parties, and affected individuals. The Processor will maintain incident records detailing each breach, its consequences, and countermeasures.
§3
3.1. The Processor will address deficiencies found during verifications, audits, and inspections within the Controller's specified deadline, no later than 7 days from notification.
3.2. The Processor will provide all necessary information to the Controller to demonstrate compliance with legal obligations at the Processor's expense.
§4
4.1. The Processor is fully liable to the Controller for non-compliance with data protection obligations, including those of any sub-processors. This liability includes unauthorized disclosure or use of Personal Data.
4.2. The Processor will promptly inform the Controller of any proceedings, decisions, or planned verifications related to Personal Data processing within 3 days of occurrence.
4.3. The Processor will document Personal Data processing activities and compliance with this Agreement, GDPR, and applicable laws. Documentation will be provided to the Controller upon request within 3 days.
§5
5.1. The Processor will keep all information, data, materials, documents, and Personal Data received from the Controller confidential.
5.2. The Processor will not use, disclose, or make available confidential data without the Controller's written consent, except as required by law or this Agreement.
5.3. Both parties will ensure communication methods used to handle confidential data provide adequate protection against unauthorized access.
§6
6.1. This Agreement is valid for the duration necessary to perform the Cooperation Agreement and will expire upon its termination. In any case, this Agreement remains in force until the purpose of data processing specified in §1(3) is achieved.
§7
7.1. This Agreement is an integral part of the Cooperation Agreement.
7.2. Matters not addressed in this Agreement will be governed by applicable Polish law, including GDPR.
Attachment A: Range of guests’ personal data
1. Email;
2. Presenter’s website address;
3. Nickname;
4. Password;
5. Name and Surname;
6. Telephone number;
7. Country
8. Position and Company name;
9. Time zone;
10. Photograph (avatar);
11. Information note;
12. IP address;
13. Operating System;
14. Browser name and version;
15. Device type;
16. Meeting entry and exit times;
17. Participant role;
18. Browser tab activity;
19. Connection establishment;
20. Connection summary;
21. Connection issues;
22. Responses to requests;
23. Action confirming meeting participation or absence;
24. Broadcasting start and end;
25. Video playback start;
26. Video playback stop;
27. Playback position change;
28. Video playback end;
29. Slideshow start;
30. Slide change;
31. Slideshow end;
32. File viewer start.
Attachment B: Operations of personal data processing
1. Collection via the Internet;
2. Storage;
3. Electronic transmission to the Controller;
4. Analysis and deduplication.
(Last edited: June 13, 2024. Revision: 3.12)