Contact PG TELECOM Spolka z o.o.:
PG TELECOM Spolka z o.o. Address: ul. Stefana Batorego 18/108, 02-591 Warsaw
Email: info@sipsim.com
Tel: +336 44 55 55 55
https://sipsim.com/
This Data Processing Agreement, along with its Exhibits and Appendices (referred to as the "DPA"), serves as an additional component to the Master Subscription Agreement or the Terms of Use existing between SipSim and the Customer for the acquisition of Services. This includes all relevant Order Form(s), Purchases, exhibits, and schedules as part of the "Agreement."
During the course of delivering the Services to the Customer as outlined in the Agreement, SipSim may engage in the Processing of Personal Data on behalf of the Customer. This DPA is a reflection of the mutually agreed-upon terms and conditions pertaining to the Processing of Personal Data.
The Parties involved commit to adhering to the following provisions in relation to any Personal Data, while exercising reasonable and good-faith judgment.
1.1 Compliance with Applicable Data Protection Laws
The Customer affirms that, to the best of its knowledge, this DPA aligns with all Applicable Data Protection Laws and encompasses all necessary provisions as required by these laws. Given the nature of the Services, the Customer acknowledges that the Processing of Personal Data under this DPA may be subject to various Applicable Data Protection Laws, even those not explicitly outlined in this DPA. This applicability is contingent upon the territorial scope of the Customer's use of the Services. The Customer bears the responsibility for promptly notifying SipSim of any disparities between this DPA and the requisites of the Applicable Data Protection Laws.
1.2 Applicability of European Data Protection Laws, Roles of the Parties
The parties recognize that the GDPR becomes applicable to the Processing of Personal Data if the conditions stipulated in Article 3 of the GDPR are met. Furthermore, the parties acknowledge that the FADP applies to the Processing of Personal Data if and when the conditions articulated by the FADP are satisfied. In instances where the European Data Protection Laws are applicable to the Processing of Personal Data under this DPA, the Customer may assume the roles of both Data Controller and Data Processor, while SipSim exclusively acts as a Data Processor.
In situations where the Customer functions as a Data Processor and engages SipSim as another Data Processor, as per Article 28(4) of the GDPR, the Customer:
1.3 Applicability of HIPAA
The Customer acknowledges and accepts that it must separately enter into and execute a Business Associate Agreement ("BAA") if:
In scenarios where the parties have entered into a BAA, the provisions of the BAA shall take precedence over this DPA concerning any Protected Health Information collected from patients in the United States and its territories and possessions.
2.1 Customer’s Processing of Personal Data
The Customer determines the purposes and methods of Processing Personal Data. The Customer's instructions for Processing Personal Data must align with Applicable Data Protection Laws.
2.2 Customer’s Liability
The Customer bears sole responsibility for the accuracy, quality, and legality of the Personal Data provided to SipSim and the means by which the Customer obtained such Personal Data. If European Data Protection Laws apply to the Processing of Personal Data under this DPA, the Customer is responsible for fulfilling its obligations as a Data Controller. This includes informing Data Subjects about the Processing of their Personal Data under this DPA, obtaining their consent if necessary, and ensuring that both the Customer and SipSim have the authority to use the Personal Data in line with the defined purposes herein.
2.3 SipSim’s Processing of Personal Data
SipSim will only Process Personal Data based on documented instructions provided by the Customer, including the transfer of Personal Data. However, the Customer acknowledges that SipSim may independently Process Personal Data as a separate Data Controller for other lawful processing purposes in compliance with Applicable Data Protection Laws. This may occur when SipSim has a legitimate interest in such processing or when applicable laws necessitate such processing by SipSim. In cases where SipSim acts as a Data Controller, it retains full responsibility for the Processing of Personal Data as described above. This DPA does not cover such processing of Personal Data. For more details on SipSim's processing of Personal Data, please refer to SipSim's Privacy Policy. If required by Applicable Data Protection Laws, SipSim will further restrict its Processing of Personal Data qualifying as customer proprietary network information, as defined by 47 U.S.C. § 222, as may be mandated by law and the regulations issued by the Federal Communications Commission.
2.4 Customer’s Instructions
The Customer instructs SipSim to Process Personal Data for the provision of Services, as specified in more detail in Exhibit A. This DPA, the Agreement, instructions provided via configuration tools within SipSim’s platform, and instructions via SipSim’s dedicated customer support portal constitute the Customer's comprehensive and definitive instructions to SipSim for the Processing of Personal Data. Any additional or alternative instructions must be separately agreed upon in writing.
2.5 Obligations of SipSim
In accordance with Applicable Data Protection Laws, SipSim commits to the following:
a) Ensuring that individuals authorized to Process Personal Data are bound by confidentiality commitments or are subject to appropriate statutory confidentiality obligations. SipSim will grant access to Personal Data solely to personnel who require access to fulfill SipSim’s obligations under the Agreement.
b) Promptly informing the Customer if SipSim becomes aware that an instruction violates Applicable Data Protection Laws.
c) Taking all necessary measures to maintain the confidentiality of Personal Data and ensure the security of Processing, as further outlined in Section 3.
d) Assisting the Customer in complying with obligations related to Personal Data security, Customer’s notification and communication duties in the event of a Data Breach, conducting data protection impact assessments (or similar assessments mandated by Applicable Data Protection Laws), and consulting the supervisory authority as needed, considering the nature of Processing and the information available to SipSim.
e) Providing the Customer with all necessary information, on a reasonable basis, to demonstrate compliance with SipSim's obligations outlined in this DPA and in Applicable Data Protection Laws, if applicable.
3.1 Technical and Organizational Measures
SipSim, considering the prevailing technological capabilities, implementation costs, the nature, extent, context, and purposes of Processing, as well as the potential risks to the rights and freedoms of Data Subjects arising from Processing, will establish appropriate technical and organizational safeguards outlined in Exhibit B.
3.2 Reviews and Updates
SipSim will periodically assess and update the technical and organizational safeguards as necessary. The Customer consents to SipSim making unilateral updates to these measures, provided such updates do not significantly diminish the level of Personal Data protection. SipSim's commitment under Section 3.1 remains unchanged.
3.3 Information
Upon the Customer's request, SipSim will furnish additional details about securing, accessing, and utilizing Personal Data.
4.1 Data Subjects' Right to Information
The Customer shall be responsible for furnishing Data Subjects with information regarding the processing of their Personal Data.
4.2 Exercise of Data Subjects' Rights
SipSim will assist the Customer, to the extent feasible under Applicable Data Protection Laws, in meeting its obligations to address requests from Data Subjects, including but not limited to the right of access, rectification, erasure, objection, restriction of processing, data portability, and the right not to be subjected to automated individual decisions (including profiling).
4.3 Regulatory Action
In the event that SipSim becomes aware of a Regulatory Action related to the Personal Data processed under this DPA, SipSim shall, as mandated by Applicable Data Protection Laws, take the following steps:
a) Notify the Customer promptly through an email sent to the Admin User Email Address, providing adequate information about the Regulatory Action, including pertinent correspondence copies for the Customer's handling.
b) Offer the Customer reasonable cooperation and support through suitable technical and organizational means concerning the Regulatory Action.
c) Refrain from responding to any Regulatory Action, unless explicitly instructed to do so in writing by the Customer or as compelled by Applicable Data Protection Laws.
5.1 List of Subprocessors
SipSim utilizes Subprocessors as part of its service provision. The current list of Subprocessors engaged by SipSim can be found on SipSim's website. By accepting this DPA, the Customer provides authorization for SipSim to engage the Subprocessors listed on the website.
5.2 General Authorization
By executing this DPA, the Customer grants SipSim a general authorization to engage additional Subprocessors or make changes to the existing list of Subprocessors. If SipSim intends to modify the list, the Customer will be notified of the changes via email to the Admin User Email Address. This communication will clearly outline the processing activities to be subcontracted, as well as the name and contact information of the intended Subprocessor.
5.3 Objections
Where Applicable Data Protection Laws grant the Customer the right to object to proposed modifications involving the addition or replacement of Subprocessors, the Customer may reasonably object to such changes. Failure to raise objections in writing within ten (10) days of receiving the information will be deemed as the Customer's acceptance of the new Subprocessors. In the event of objections, both Parties will collaborate to find a mutually satisfactory solution.
5.4 Same Obligations
When SipSim engages another Subprocessor, it will establish a contract that imposes the same obligations on the Subprocessor as those imposed on SipSim under this DPA. SipSim will ensure the Subprocessor's compliance with the obligations stipulated in this DPA and the Applicable Data Protection Laws.
5.5 Subprocessor Agreements
As required by the Applicable Data Protection Laws and permitted by SipSim's confidentiality commitments, SipSim may furnish the Customer with a copy of the Subprocessor agreement, including subsequent amendments, upon the Customer's request.
5.6 Liability
In accordance with the provisions of the Applicable Data Protection Laws, SipSim shall bear responsibility towards the Customer for the actions and omissions of its Subprocessors to the same extent that SipSim would be held directly liable if it were performing the services of each Subprocessor under the terms of this DPA.
6.1 Locations of Processing
SipSim commits to Processing Personal Data exclusively within its country of establishment and the countries specified in the list of SipSim's Subprocessors, as maintained under Section 5.1 of this agreement.
6.2 European Personal Data Transfers Subject to Appropriate Safeguards
The locations mentioned in Section 6.1 above may include countries situated outside the EEA, UK, and Switzerland. For the purposes of the applicable European Data Protection Law, these countries have either not been officially recognized by the relevant authority as providing an adequate level of personal data protection, as described in European Data Protection Law, or they are not covered by a suitable framework acknowledged by relevant authorities or courts as offering an adequate level of protection for personal data ("Locations Subject to Appropriate Safeguards"). When Processing Personal Data under European Data Protection Law, the Parties shall not transfer Personal Data to any Location Subject to Appropriate Safeguards unless they have taken the necessary measures to ensure compliance with the applicable European Data Protection Law.
6.4 UK Personal Data Transfers to SipSim
In cases where the Processing of Personal Data involves the transfer of Personal Data from a Customer subject to the UK GDPR to SipSim, located in a Location Subject to Appropriate Safeguards and not subject to the UK GDPR, the UK International Data Transfer Addendum shall apply. In accordance with clause 17 of this addendum, the Parties agree to modify the format of the information outlined in Part 1 of the addendum as follows:
a) Table 1 shall be considered complete with the information provided or referenced in the Agreement, including references in Section 6.3 of this DPA.
b) For the purposes of table 2, the UK International Data Transfer Addendum shall be appended to the EU Standard Contractual Clauses for Data Transfers as defined in Section 6.3 of this DPA (including module and option selections and the exclusion of optional clauses as defined in Section 6.3 of this DPA).
c) The appendix information listed in table 3 shall be considered complete with the information provided or referenced in Section 6.3 hereof.
d) For the purposes of table 4, either the data importer or data exporter may terminate this addendum as outlined in clause 19 of the Addendum.
6.5 European Personal Data Onward Transfers
In scenarios where the Processing of Personal Data includes the transfer of Personal Data from SipSim, acting as a data exporter subject to European Data Protection Law, to a third party located in a Location Subject to Appropriate Safeguards and not subject to European Data Protection Law, and this third party acts as a data importer (including Subprocessors), SipSim may transfer Personal Data to the third party only if the conditions specified in Section 6.2 of this agreement are satisfied.
6.6 Conflict
In case of any conflict or inconsistency between this DPA and the EU Standard Contractual Clauses for Data Transfers to Third Countries incorporated herein, the EU Standard Contractual Clauses for Data Transfers to Third Countries shall take precedence.
7.1 Notification
SipSim will promptly inform the Customer of any Data Breach following its discovery by SipSim. In cases where European Data Protection Law is applicable, SipSim will notify the Customer within a maximum of 24 hours after detecting the Data Breach. The notification will be sent via email to the Admin User Email Address.
7.2 Provided Information
SipSim commits to providing the Customer with all necessary cooperation and assistance, along with comprehensive details of the Data Breach. These details are essential for the Customer to fulfill its obligations under the Applicable Data Protection Laws concerning the Data Breach.
8.1. Customer's Right to Audit
If the Applicable Data Protection Laws grant the Customer the right to conduct audits, the Customer or an independent third-party auditor, acceptable to SipSim (provided they are neither a competitor of SipSim nor lacking in suitable qualifications or independence), may audit the processes related to the handling of Personal Data by SipSim under the following conditions:
a) The Customer has valid reasons, substantiated in advance to SipSim, to suspect that SipSim is not handling Personal Data in accordance with this Data Processing Agreement or the Applicable Data Protection Laws, or if a Data Breach has been identified; or
b) The Customer's data protection authority formally requests an audit; or
c) The Applicable Data Protection Laws explicitly grant the Customer the direct right to conduct an audit.
8.2. Audit Frequency.
The Customer may perform an audit at most once within any twelve-month period, unless the Applicable Data Protection Laws necessitate more frequent audits.
8.3. Advance Notice.
The Customer shall provide SipSim with a minimum of thirty days' prior notice of any audit, unless a mandatory Data Protection Law or a competent data protection authority prescribes a shorter notice period. The frequency and scope of such audits will be mutually agreed upon by the parties in a reasonable and cooperative manner.
8.4. Audit Costs.
Each party shall bear its own expenses related to audits conducted under this Agreement.
9.1. Data Export and Deletion.
Upon the termination of the Agreement, SipSim will allow the Customer, at their own expense, to export the Personal Data processed under this Data Processing Agreement, in accordance with the functionalities provided by the Service, within a thirty (30) day period following the termination.
After this thirty-day period, SipSim will proceed to delete all Personal Data that was stored or processed by SipSim solely on behalf of the Customer, along with any associated copies, unless there exists a legal requirement for the retention of such personal data. The Customer explicitly agrees to this deletion process and acknowledges that after the specified thirty-day period, SipSim will no longer be able to facilitate the export of Personal Data to the Customer.
This is because such Personal Data will have either been deleted or archived by SipSim, acting as a Data Controller, in accordance with the purposes and durations indicated in SipSim's Privacy Policy.
10.1. Start Date and Previous Agreements.
This Data Processing Agreement (DPA) comes into effect on the date when the Customer accepted its terms and supersedes any previously applicable data processing provisions concerning the handling of Personal Data by SipSim on behalf of the Customer, starting from the same date.
10.2. Duration.
This DPA will remain in effect for the same duration as the Agreement.
10.3. Modifications.
The Customer explicitly acknowledges and agrees that this DPA may be modified in the same manner as mutually determined by the parties for amending the Agreement. This includes SipSim's right to periodically update the terms of the Agreement, its policies, and this DPA at its sole discretion, with prior notice to the Customer sent to the Admin User Email Address.
11.1. SipSim’s Combined Liability.
The total liability of each party and all its related companies, collectively, arising from or connected to this Data Processing Agreement (DPA) and all other DPAs between related companies and SipSim, whether in contract, tort (including negligence), or based on any other legal theory, is subject to the 'Limitation of Liability' section found in the Agreement (or the section within the Agreement that addresses the exclusion and limitation of liability, even if it lacks that specific heading). Any mention in such a section regarding a party's liability refers to the overall liability of that party and all of its related companies under the Agreement and all DPAs together.
11.2. Liability to Customer’s Related Companies.
To avoid any doubt, the total liability of SipSim and its related companies for all claims made by Customer and all of its related companies stemming from or relating to the Agreement and all Data Processing Agreements, whether in contract, tort (including negligence), or under any other legal theory, will be applied collectively for all claims under both the Agreement and the Data Processing Agreements established under the Agreement or otherwise concluded between SipSim and the Customer and/or any related company, and, specifically, shall not be interpreted as applying individually and separately to Customer and/or any related company that is a contractual party to, or otherwise entitled to make claims under, any such Data Processing Agreement.
12.1. Applicable Law.
While acknowledging the mandatory applicability of Applicable Data Protection Laws and recognizing their potential priority, the laws of the country or territory specified in the Agreement for this purpose shall govern and interpret this DPA. Each of the Parties agrees to accept the chosen jurisdiction as outlined in the Agreement concerning any claim or matter arising from or related to this DPA.
12.2. Dispute Resolution
To amicably resolve any disputes arising from the interpretation, execution, or termination of this DPA, the Parties agree to engage in negotiations following receipt of a notice from one of the Parties. The objective is to reach an amicable resolution within thirty (30) days after one Party notifies the other of the dispute, explicitly referring to this provision. If the Parties fail to reach an amicable settlement by executing a settlement agreement during this period, they shall refer the dispute to the relevant court with jurisdiction to adjudicate the matter.
SipSim is authorized to process, on behalf of the Customer, the necessary personal data for providing SipSim products and related services.
Purposes of the Processing:
Provision of SipSim products and services:
Nature of Operations Carried Out on the Personal Data:
Categories of Data Subjects:
Types of Personal Data:
Retention Period for Personal Data:
Personal Data Processed by SipSim exclusively on behalf of the Customer will be retained for a period agreed upon between SipSim and the Customer (based on Customer's pricing plan), unless the Customer instructs SipSim to delete certain Personal Data sooner. Personal Data processed for the provision of telephone numbers will be retained for the duration of the Agreement for provision of additional telephone numbers in the same location, unless instructed otherwise. Personal Data Processed by SipSim also as a separate Data Controller will be retained for the retention period set forth in SipSim's Privacy Policy. Following the termination of the Agreement or the expiration of the agreed period for return and deletion of Personal Data, Personal Data Processed by SipSim exclusively on behalf of the Customer will be deleted.
As of the effective date of this DPA, SipSim, when Processing Personal Data on behalf of the Customer, has implemented and maintains the following technical and organizational security measures for the Processing of such Personal Data: