Terms & Policies

General Terms of Service

Effective date 17 March 2023

The FundingBox OnePass allows Users to keep data in one place, reuse that data and share it. OnePass may contain references and links to other websites, which are not controlled by FundingBox and to which separate rules apply. We can’t take any liability for the consequences of using such references and external links by Users.

Please read these Terms of Service (the “Terms”) carefully because they govern your use of our online services https://getonepass.eu/ or https://app.getonepass.eu/.

The use of the OnePass is subject to certain rules and regulations. Rules are clear and open – there is no small print. Please spend a few minutes reading them before creating an account and starting to use our Services.

Contact details

  1. The owner of the OnePass and the Service provider is FundingBox Accelerator Sp. z o.o. Warsaw, POLAND, (hereafter “FundingBox” or “we”).
  2. In all matters related to OnePass you can contact us quickly and efficiently by:

Agreement to these Terms

  1. While using any of our Services you accept the rules and are obliged to comply with them. If you don’t agree to them – please do not register and do not access or otherwise use any of the OnePass.
  2. If you are accessing and using the Services on behalf of a company (such as your employer) or any other legal entity, you represent and warrant that you have the authority to bind that company or other legal entity to these Terms. In that case, “you” and “your” will refer to that company or other legal entity.
  3. There are three pillars that govern our OnePass:
    • Terms of Services state the general terms and conditions for the provision of the OnePass by FundingBox to Users, as well as the rights and obligations of Users and FundingBox,
    • Privacy Policy describes how we take care of processing personal data,
    • Cookies policy describes how we deal with cookies and how you can manage them.

Definitions

We believe that it is important to have a common understanding of what we are talking about. So when we mention any of the terms below, we mean the description assigned to it.

  1. Account (for personal/organization)

    The part of the OnePass that, upon registration, is assigned just to you. Within the Account, the Registered User may enter and manage data, give or withdraw consents etc. as well as use the Services dedicated to Registered Users.

    Within the Account, data pertaining to the User and its activity within the OnePass are collected. The Account is rendered by electronic means and is free of charge. There are two types of Accounts:

    1. Personal account belongs to the natural person and is required to manage the organization Account.
    2. Organization account belongs to the legal entity/person.

  2. Consumer

    A natural person who is acting for purposes which are outside his trade, business, craft or profession, speaking more formally a natural person who meets the criteria stated in EU consumer directives (e.g. directive 2011/83)

  3. Contract

    An agreement for providing electronic services between Service provider and the User (you), concluded at the moment you register on the OnePass and create an Account.

  4. Data controller

    Service provider – the entity that decides how your data is processed. Speaking more formally, the natural or legal person, public authority, agency or another entity which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.

  5. Data processor

    The natural or legal person, public authority, agency or other entity which processes personal data on behalf of the controller. The list of Processors or Sub-Processors is available here https://fundingbox.com/trust/terms/.

  6. Opportunities

    The funding opportunities available in the OnePass. Opportunities are created for investment. Funding searchers can apply to Opportunity to receive the funding.

  7. Services 

    All services provided through the OnePass described in Appendix 1 below.

  8. Services provider

    FundingBox Accelerator sp. z o.o. with its registered office in Warsaw, Poland, Postępu 15 (02-676); entered into the National Court Register, Register of Entrepreneurs kept by the District Court for the capital city of Warsaw in Warsaw, XII Commercial Division under KRS number 0000447935, VAT EU: PL 7010366812. FundingBox Accelerator Sp. z o.o. is part of FundingBox capital group.

Contract

  1. By registering an Account for you or other legal entity, you enter into a legally binding contract with Service Provider for provision of the Services by electronic means concluded by and between the Service Provider and the User. Before you conclude the Contract, you should read these Terms of Services and Privacy Policy.
  2. To conclude the Contract you shall have full legal capacity (depending on your local law requirements).
  3. The Contract is concluded for an indefinite period. You can terminate this Contract at any time by deleting your Account and no longer accessing or using our OnePass (about termination see section 10 below).
  4. Services provided by FundingBox are free of charge unless it is otherwise stated in the specific Terms of Use relating to particular Services.
  5. The Contract is concluded on the basis of the Polish Act of 18 July 2002 on providing electronic services which implements Directive 2000/31/EC of the European Parliament and of the Council of 8 June 2000 on certain legal aspects of information society services, in particular electronic commerce, in the Internal Market (‘Directive on electronic commerce’). This, of course, does not exclude – in the case of Consumers – the provisions of the law applicable to contracts with consumers. See below provisions on applicable law.
  6. The Contract is concluded upon registration. To register you should follow a few simple steps:
    • complete the registration form on the website; we value your privacy so we ask only for a minimum set of data: e-mail address, first name, last name (it has to be your real data), created username and access password;
    • read the content of these Terms of Services and the Privacy Policy and confirm that you accept them;
    • press the “Sign up” button;
    • pick up an e-mail with a link verifying the correctness of the e-mail address that we will send you (you must have an active e-mail account); and
    • confirm the correctness of the email by clicking the activation link.
  7. The Contract is concluded when the “sign up” button is selected. After registration is completed you officially become a Registered User and you will be able to enjoy all OnePass functionalities.
  8. If you don’t confirm your Account within 60 days, we will delete your data and your Account will be deleted as well.
  9. By completing and sending the registration form and making authentication, you declare that the data you provided are complete, true and don’t violate any third party rights. Creating an Account with false information is a violation of our Terms of Services.
  10. The User can also use an external authentication service (e.g. LinkedIn), which allows them to set up an Account and gain access to it.
  11. Please take into account that you will not be able to change your username. You will be able to change all other details on your account except this. Your username will be visible to other Users.

Processing personal data

  1. At the moment of entering into the contract between the Service Provider and Organization, a Data Processing Agreement is concluded in accordance with Appendix 2.
  2. When the Organization launches the Opportunity, it becomes a data controller whereas Service Provider becomes the data processor. Within the Opportunity service processing of personal data is entrusted in accordance with Appendix 2.

Using account

  1. You are solely responsible for anything that results from the use of your Account.
  2. You are free to choose which Services you want to use and what kind of information you will include in your profile, your organisation profile and with whom you will share it. Through activation of relevant options in the Account settings, you can easily decide what kind of notifications or digests you want to receive. You may completely resign from receiving the notifications or digests, although we still might send you information required by law or necessary for the performance of the Services (like updates of these Terms, security warnings etc.).
  3. The OnePass is addressed to professionals, so it should be used only for professional purposes and in connection to your professional or business activity.
  4. You probably know it, but we remind you to choose a strong and secure password and not to disclose it to anyone. The User bears sole responsibility for any damage caused as a result of its disclosure to a third party. You shall inform the Service provider about any unauthorised entry or use of your Account. It will help us to secure your Account and monitor unauthorised actions within the OnePass.
  5. By registering an Account, you agree to comply with the provisions of these Terms of Services and Privacy Policy, as well as general rules of principles of social coexistence. Respect those Terms and Privacy Policy as well as other Users and treat them in a way you would like to be treated.
  6. Your personal Account belongs to you – so you can’t transfer it to any other person.
  7. Organization Account belongs to the organisation for which the account was created.

Unacceptable use of OnePass

  1. You are free to use our Services. If you decided to do it, regardless of whether you are a User, you are obliged to follow these few basic rules:
    • provide true and up-to-date information and personal data; the content you provide or distribute cannot be fraudulent, false, or misleading;
    • comply with applicable laws and good practices;
    • respect the rights of others, including privacy and intellectual property rights;
    • don’t harass, bully or threaten others, or incite others to do so;
    • don’t undertake any activities that may abuse, harm, interfere with, or disrupt the functioning of the OnePass and the use of it in a manner inconvenient for FundingBox or other Users;
    • don’t copy, modify, distribute, transmit or otherwise use any works and databases made available on the OnePass, except for using them under fair use;
    • don’t send spam,
    • don’t publish advertisements for goods and services and any commercial information not related to the purpose of the OnePass.

Technical conditions

  1. In order to fully enjoy the functionalities of the OnePass, you should satisfy the following minimum technical conditions:
    • a device with the Internet access which enables displaying the OnePass interface,
    • an installed and updated Internet browser: Microsoft Edge, Opera 22.0 or higher, Mozilla Firefox 52.4 or higher, Apple Safari 10.2 or higher and Google Chrome 34.0 or higher,
    • an active and valid e-mail account,
    • enabled JavaScript and Cookies support.
  2. The e-mail address is inextricably linked to the Account and is the main form of your identification. We will also use it to contact you in all matters related to the provision of the Services. During registration, we verify that the person has provided an e-mail account. Therefore, if you contact another User, you must consider this (limited) nature of identity confirmation.
  3. Using the OnePass may involve standard risks related to the use of the Internet and you should take appropriate steps to minimise them.
  4. The password must be at least 8 characters and must contain a minimum of 1 numeric character, 1 lower case letter and 1 upper case letter

Changes to the Terms or Services

We demand more and more from ourselves. We know that you want us to provide you with better services. Therefore, we are constantly developing and improving existing functionalities and services, as well as adding new ones.

  1. We may modify the Terms at any time, at our sole discretion. If we do so, we will let you know either by posting the modified Terms or through other communications. If you continue to use the Services after such a change, you are indicating that you agree to the modified Terms. We may also change or discontinue all or any part of the Services, at any time and without notice, at our sole discretion.
  2. We will provide 14 days' notice prior to making any change to this document.
  3. It might affect these Terms of Services and Privacy Policy. Therefore, FundingBox reserves the right to change these Terms of Services for the following reasons:
    • if the change is necessary due to a change of the commonly binding laws;
    • fulfilment of the obligation resulting from a legally final and valid court ruling or decision of administrative bodies;
    • changes introduced for safety reasons, including those intended to make it impossible to use the Services in a manner which is at variance with law or these Terms of Services;
    • changes in the operation of the OnePass or the Services provided via the OnePass, including the ones connected with new functionalities, technical or technological progress, e.g. the changes in the IT systems;
    • changes in the business model of providing the Services.
  4. We believe that an increase in the safety level of the OnePass is always advantageous and shall not constitute a change of the regulations and does not require prior notification.
  5. In case of significant changes, we will inform you about updated Terms of Services 14 days before they get into force. Communication will be sent to your main e-mail address. In case of minor changes, we will include a relevant notice at the OnePass.

Termination of the Contract

  1. You may terminate the Contract at any time without giving a reason. To terminate the Contract, you can choose any of the procedures below:
    • send a request to e-mail: support@getonepass.eu (to make the process effective, you should use the e-mail address the Account has been registered for);
    • delete your Account using Delete my Account option within the User panel;
    • The denunciation shall take effect upon its receipt by us. You will be notified by us via e-mail about the fact of deleting the Account.
  2. If you are a Consumer, please check your additional options https://fundingbox.com/trust/consumer-rights/.
  3. There are three main situations when Service provider can terminate the Contract, block or delete your Account:
    • if you breach the provisions of these Terms of Services, Privacy rules, legal regulations, or perform other actions affecting the legally protected property or third party rights; or
    • if the court or other authority issue a legally binding decision to do so; or
    • if we decide to close the OnePass or stop providing given services.
  4. We will notify you via e-mail about the fact of blocking or deleting the Account.
  5. Service Provider reserves the right to close the OnePass. We will notify Users about it 60 days in advance to the address provided on the Account by the User.

Complaints and infringement notifications

  1. If you have complaints regarding the operation of the OnePass or you noticed abuse of our rules by other Users, or your rights have been violated or threatened by another User, you can report them to the following e-mail address: support@getonepass.eu
  2. In each complaint, please describe the reason why it is filed, as well as the date and time. We will do our best to deal with your complaint within 14 (fourteen) days from its receipt. We will respond to the complaint via e-mail address indicated on the Account.
  3. In case that we received reliable information on the unlawful nature of data or activity related to them, we might prevent access to such data, without giving prior notice to the User who has placed such data on the OnePass. In such cases, we shall not be held liable for any damage resulting from preventing the access to such data.

Intellectual property rights and right of the third

  1. Within the OnePass you can send messages and share information in various ways. Information and content that you share or post may be seen by other Users. You are free to choose who can see this content to the extent that appropriate settings are available. In the case of Opportunities service, all Users will see what you share. Specific Terms of Use of particular Opportunities set out detailed rules on how we may use the content and information you provide.
  2. We are not obliged to publish any information or content by means of our Service and can remove it at our sole discretion, with or without notice.
  3. By using our Services, you agree to provide content or information that does not violate the law or anyone’s rights (including intellectual property rights). We may be required by law to remove certain information or content.
  4. We don’t authorise Users to publish any elements of the OnePass or materials provided on the OnePass to which they do not hold right, without our prior written consent. Users shall not have the right to record and copy the OnePass on any storage carrier.

Liabilities

  1. We strive to provide IT infrastructure and ensure efficient technical operation of the OnePass. However, we do not provide any guarantees of the quality of the Services and the absence of errors or disruptions in their functioning.
  2. With respect to consumer regulations, each Service is provided “as is” and we give no warranty of any kind, express or implied, including the results that may be obtained from the use of the Services, regarding the accuracy or reliability of any information obtained through the Services, or that the Services will meet any User’s requirements or expectations, or be uninterrupted, timely, secure or error free.
  3. We attach the utmost importance to the standard of confidentiality and data security within the OnePass. Although you use the Services, adding or downloading data and publishing through the OnePass is at your own discretion and risk.
  4. To the maximum extent permitted by applicable law, in no event will we be liable for any special, incidental, indirect, exemplary or consequential damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or any other pecuniary loss or damage) arising out of the use of or inability to use the Service, or the provision of or failure to provide technical or other support, whether arising in tort (including negligence), contract or any other legal theory.
  5. You bear exclusive liability for your activity on the OnePass towards third parties and you undertake to discharge us from any liability on that account.
  6. We shall not be held liable for any damage resulting from the operation of the OnePass related to circumstances remaining beyond its control, and shall not be held liable for any damage related to:
    • any acts or omissions of Users or third persons, in particular infringing the provisions of these Terms of Services;
    • subject and provision of Opportunities organised by other Users or Organization;
    • lack of access to the OnePass for third persons resulting from reasons attributable to the User;
    • disclosure by the User of the username or password for his/her Account to third persons;
    • the activity of malware illegally provided to the OnePass by the User or third persons.
  7. We shall not bear any liability against the User for damage caused by the unintentional fault and shall be liable for the damage only to the extent of actual losses incurred by the User who is not a Consumer.
  8. We do not verify links shared by Users on the OnePass and shall not be held liable for the content of websites connected in such a way with the OnePass. The User uses such websites at its own risk.
  9. We shall not be liable to the User breaching these Terms for any damage caused as a result of ceasing to provide Services to them, including as a result of removing the Account.
  10. We are responsible for the content stored on the platform ONLY if:
    • We have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
    • Upon obtaining such knowledge or awareness, we act expeditiously to remove or to disable access to the information.

Hosting

  1. Where an information society service is provided that consists of the storage of information provided by a recipient of the service, Member States shall ensure that the service provider is not liable for the information stored at the request of a recipient of the service, on condition that:
    • the provider does not have actual knowledge of illegal activity or information and, as regards claims for damages, is not aware of facts or circumstances from which the illegal activity or information is apparent; or
    • the provider, upon obtaining such knowledge or awareness, acts expeditiously to remove or to disable access to the information.

Final provisions

  1. Should any of the provisions of these Terms of Services be deemed invalid, illegal or unenforceable, then the validity of the remaining part of these Terms of Services remains intact.
  2. Within the OnePass we use English as the official language. All documents are provided in English. All requests and complaints should also be in English. To the extent allowed by law, the English language version of this Contract is binding and possible translations are for convenience only. This Contract (including additional policies and these Terms of Services) is the only agreement between us regarding the Services (contract for providing commercial services will be signed separately if you order such services)
  3. Taking into account the restrictions and rights resulting from consumer regulations, the User may not assign or transfer this Contract (or your membership or use of the Services) to anyone without our prior written consent. However, you agree that FundingBox may assign this Contract to its affiliates without your consent.
  4. To any matters not specified in these Terms of Services, relevant provisions of the Polish law shall apply. Polish law is also the governing law for liabilities resulting from the Contract and these Terms of Services. EU law applies as far as the protection of personal data is concerned. However, this does not exclude consumer rights that arise from the provisions determining the applicable law and jurisdiction in the case of contracts with consumers.
  5. The parties shall attempt to settle any dispute resulting from performance of the provisions of these Terms of Services in an amicable way. In the absence of agreement, disputes shall be settled by a common court having jurisdiction over our registered office.

Appendix 1 Description of the Services

Please visit: https://getonepass.eu/faqs 

  1. Personal account
  2. Authorization with external vendors
  3. Search engine for opportunities
  4. Joining Opportunities
  5. Subscribing to the opportunities updates
  6. Subscribing to the email alerts
  7. Subscribing to the newsletter
  8. File upload and file storage
  9. Internal notifications for users

Appendix 2 Data Processing Agreement

SECTION I

Clause 1

Purpose and scope

(a) The purpose of these Standard Contractual Clauses (the Clauses) is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(b) The controllers and processors listed in Annex I have agreed to these Clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.

(c) These Clauses apply to the processing of personal data as specified in Annex II.

(d) Annexes I to IV are an integral part of the Clauses.

(e) These Clauses are without prejudice to obligations to which the controller is subject by virtue of Regulation (EU) 2016/679.

(f) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679.

Clause 2

Invariability of the Clauses

(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.

(b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3

Interpretation

(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679 respectively, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679 respectively.

(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4

Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Clause 5

Docking clause

(a) Any entity that is not a Party to these Clauses may, with the agreement of all the Parties, accede to these Clauses at any time as a controller or a processor by completing the Annexes and signing Annex I.

(b) Once the Annexes in (a) are completed and signed, the acceding entity shall be treated as a Party to these Clauses and have the rights and obligations of a controller or a processor, in accordance with its designation in Annex I.

(c) The acceding entity shall have no rights or obligations resulting from these Clauses from the period prior to becoming a Party.

SECTION II

OBLIGATIONS OF THE PARTIES

Clause 6

Description of processing(s)

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the controller, are specified in Annex II.

Clause 7

Obligations of the Parties

7.1.   Instructions

(a) The processor shall process personal data only on documented instructions from the controller, unless required to do so by Union or Member State law to which the processor is subject. In this case, the processor shall inform the controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. Subsequent instructions may also be given by the controller throughout the duration of the processing of personal data. These instructions shall always be documented.

(b) The processor shall immediately inform the controller if, in the processor’s opinion, instructions given by the controller infringe Regulation (EU) 2016/679 or the applicable Union or Member State data protection provisions.

7.2.   Purpose limitation

The processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II, unless it receives further instructions from the controller.

7.3.   Duration of the processing of personal data

Processing by the processor shall only take place for the duration specified in Annex II.

7.4.   Security of processing

(a) The processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.

(b) The processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring of the contract. The processor shall ensure that persons authorised to process the personal data received have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

7.5.   Sensitive data

If the processing involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (“sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.

7.6.   Documentation and compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The processor shall deal promptly and adequately with inquiries from the controller about the processing of data in accordance with these Clauses.

(c) The processor shall make available to the controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679. At the controller’s request, the processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the controller may take into account relevant certifications held by the processor.

(d) The controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the processor and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

7.7.   Use of sub-processors

(a) The processor has the controller’s general authorisation for the engagement of sub-processors from an agreed list. The processor shall specifically inform in writing the controller of any intended changes of that list through the addition or replacement of sub-processors at least 14 days in advance, thereby giving the controller sufficient time to be able to object to such changes prior to the engagement of the concerned sub-processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise the right to object.

(b) Where the processor engages a sub-processor for carrying out specific processing activities (on behalf of the controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the data processor in accordance with these Clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679.

(c) At the controller’s request, the processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the controller. To the extent necessary to protect business secret or other confidential information, including personal data, the processor may redact the text of the agreement prior to sharing the copy.

(d) The processor shall remain fully responsible to the controller for the performance of the sub-processor’s obligations in accordance with its contract with the processor. The processor shall notify the controller of any failure by the sub-processor to fulfil its contractual obligations.

(e) The processor shall agree a third party beneficiary clause with the sub-processor whereby - in the event the processor has factually disappeared, ceased to exist in law or has become insolvent - the controller shall have the right to terminate the sub-processor contract and to instruct the sub-processor to erase or return the personal data.

7.8.   International transfers

(a) Any transfer of data to a third country or an international organisation by the processor shall be done only on the basis of documented instructions from the controller or in order to fulfil a specific requirement under Union or Member State law to which the processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679.

(b) The controller agrees that where the processor engages a sub-processor in accordance with Clause 7.7. for carrying out specific processing activities (on behalf of the controller) and those processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

Clause 8

Assistance to the controller

(a) The processor shall promptly notify the controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the controller.

(b) The processor shall assist the controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling its obligations in accordance with (a) and (b), the processor shall comply with the controller’s instructions.

(c) In addition to the processor’s obligation to assist the controller pursuant to Clause 8(b), the processor shall furthermore assist the controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the processor:

(1) the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (a ‘data protection impact assessment’) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons;

(2) the obligation to consult the competent supervisory authority/ies prior to processing where a data protection impact assessment indicates that the processing would result in a high risk in the absence of measures taken by the controller to mitigate the risk;

(3) the obligation to ensure that personal data is accurate and up to date, by informing the controller without delay if the processor becomes aware that the personal data it is processing is inaccurate or has become outdated;

(4) the obligations in Article 32 of Regulation (EU) 2016/679.

(d) The Parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is required to assist the controller in the application of this Clause as well as the scope and the extent of the assistance required.

Clause 9

Notification of personal data breach

In the event of a personal data breach, the processor shall cooperate with and assist the controller for the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679, where applicable, taking into account the nature of processing and the information available to the processor.

9.1   Data breach concerning data processed by the controller

In the event of a personal data breach concerning data processed by the controller, the processor shall assist the controller:

(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the controller has become aware of it, where relevant/(unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

(b) in obtaining the following information which, pursuant to Article 33(3) of Regulation (EU) 2016/679, shall be stated in the controller’s notification, and must at least include:

(1) the nature of the personal data including where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

(2) the likely consequences of the personal data breach;

(3) the measures taken or proposed to be taken by the controller to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(c) in complying, pursuant to Article 34 of Regulation (EU) 2016/679, with the obligation to communicate without undue delay the personal data breach to the data subject, when the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2   Data breach concerning data processed by the processor

In the event of a personal data breach concerning data processed by the processor, the processor shall notify the controller without undue delay after the processor having become aware of the breach. Such notification shall contain, at least:

(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);

(b) the details of a contact point where more information concerning the personal data breach can be obtained;

(c) its likely consequences and the measures taken or proposed to be taken to address the breach, including to mitigate its possible adverse effects.

Where, and insofar as, it is not possible to provide all this information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

The Parties shall set out in Annex III all other elements to be provided by the processor when assisting the controller in the compliance with the controller’s obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

SECTION III

FINAL PROVISIONS

Clause 10

Non-compliance with the Clauses and termination

(a) Without prejudice to any provisions of Regulation (EU) 2016/679, in the event that the processor is in breach of its obligations under these Clauses, the controller may instruct the processor to suspend the processing of personal data until the latter complies with these Clauses or the contract is terminated. The processor shall promptly inform the controller in case it is unable to comply with these Clauses, for whatever reason.

(b) The controller shall be entitled to terminate the contract insofar as it concerns processing of personal data in accordance with these Clauses if:

(1) the processing of personal data by the processor has been suspended by the controller pursuant to point (a) and if compliance with these Clauses is not restored within a reasonable time and in any event within one month following suspension;

(2) the processor is in substantial or persistent breach of these Clauses or its obligations under Regulation (EU) 2016/679;

(3) the processor fails to comply with a binding decision of a competent court or the competent supervisory authority/ies regarding its obligations pursuant to these Clauses or to Regulation (EU) 2016/679.

(c) The processor shall be entitled to terminate the contract insofar as it concerns processing of personal data under these Clauses where, after having informed the controller that its instructions infringe applicable legal requirements in accordance with Clause 7.1 (b), the controller insists on compliance with the instructions.

(d) Following termination of the contract, the processor shall, at the choice of the controller, delete all personal data processed on behalf of the controller and certify to the controller that it has done so, or, return all the personal data to the controller and delete existing copies unless Union or Member State law requires storage of the personal data. Until the data is deleted or returned, the processor shall continue to ensure compliance with these Clauses.


ANNEX I

List of parties

You are the data controller.

Processor(s): [Identity and contact details of the processor(s) and, where applicable, of the processor’s data protection officer]

We are the data processor (Service provider).

ANNEX II

Description of the processing

Categories of data subjects whose personal data is processed

  • Applicants of given opportunities

Categories of personal data processed

  • Business contact details and organisational data (work-related)
  • Contact details of individuals applying in an opportunity

Sensitive data processed (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures (if no special categories of personal data are processed mark as “not applicable”).

  • Not applicable

Nature of the processing

[The nature of the processing determines the means that the processor uses to perform the contract.]

  • Data processing using the online platform

Purpose(s) for which the personal data is processed on behalf of the controller

[Please explain the purpose of the data processing that will take place under the entrustment.]

  • To realize the agreement between Controller and Processor

Duration of the processing

Time of performance of the agreement.

For processing by (sub-) processors, also specify subject matter, nature and duration of the processing

https://fundingbox.com/trust/subprocessors/ 

ANNEX III

Technical and organisational measures including technical and organisational measures to ensure the security of the data

EXPLANATORY NOTE:

The technical and organisational measures need to be described concretely and not in a generic manner.

Description of the technical and organisational security measures implemented by the processor(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, as well as the risks for the rights and freedoms of natural persons.

[Please mark with (x) the applicable ones and specify under “Description”.]

Examples of possible measures (applicable ones marked with (x)):

  1. Measures of pseudonymisation and encryption of personal data
    • (x) Substitution of personal data by internal codes (hashes)
    • (x) Encryption by a symmetric key stored outside the database part of the infrastructure

  2. Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
    • (x) Username and password for exclusive access
    • (x) A policy of regular auditing of IT systems
    • (x) Data verification policy
    • (x) Data access management policy
    • (x) Automatic reporting and countermeasures deployment

  3. Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident
    • (x) Backup copy is made, stored in a place where only the person in charge of data processing has access. Only the data processor has access.
    • (x) Periodic testing to restore business continuity

  4. Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing
    • (x) Upgrading devices and computers.
    • (x) Information security auditing policy
    • (x) Regular safety tests
    • (x) Process to periodically check current vulnerabilities is implemented throughout the infrastructure
    • (x) Automatic reporting of found vulnerabilities based on installed software packages and their version is implemented
    • (x) Regular verification of the effectiveness of technical and organizational measures

  5. Measures for user identification and authorisation
    • (x) Users and passwords for personal access
    • (x) User management policy (each person has a dedicated, personal account in the system, the use of shared accounts and sharing the password between users is prohibited)

  6. Measures for the protection of data during storage
    • (x) No unauthorised persons are allowed access. Only the person in charge of the processing of personal data has access. It takes place in secure locations. Tier I.
    • (x) Two-step access control system: (1) login and password, (2) encrypted connection to data on servers

  7. Measures for ensuring physical security of locations at which personal data are processed
    • (x) Lockable doors to the rooms where data is processed

  8. Measures for ensuring events logging
    • (x) Logging of all events in systems

  9. Measures for ensuring system configuration, including default configuration
    • (x) Data protection-friendly default settings

  10. Measures for internal IT and IT security governance and management
    • (x) Data verification policy
    • (x) Data access management policy
    • (x) Information security auditing policy

  11. Measures for certification/assurance of processes and products
    • (x) Regular training of staff, use of policies/manuals or work instructions
    • (x) Data protection measures and information in staff onboarding/offboarding process
    • (x) Appropriate technical and organisational measures as provided in Art. 32

  12. Measures for ensuring data minimisation
    • (x) Periodic erasure of data
    • (x) Data erasure policy

  13. Measures for ensuring data quality
    • (x) Regular quality check of data

  14. Measures for ensuring limited data retention
    • (x) Data retention policy

  15. Measures for ensuring accountability
    • (x) Data log of user activities in the IT system

  16. Measures for allowing data portability and ensuring erasure
    • (x) Export and import tools.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller

  • Same as above – technical and organisational measures required from sub-processors are aimed at ensuring at least the same level of security as the measures implemented by the Processor.

Description of the specific technical and organisational measures to be taken by the processor to be able to provide assistance to the controller

  • in accordance with the main agreement

ANNEX IV

List of sub-processors

EXPLANATORY NOTE:

This Annex needs to be completed in case of specific authorisation of sub-processors (Clause 7.7(a), Option 1)

The controller has authorised the use of the following sub-processors: https://fundingbox.com/trust/subprocessors/