Take2eu

DATA PROCESSING AGREEMENT (DPA)

This Data Processing Agreement outlines how Take2EU processes personal data on behalf of its users and partners. It defines the responsibilities, security measures, and legal safeguards we apply to ensure that all personal data is handled in compliance with applicable data protection laws, including

Between:

Take2EU (hereinafter “Controller”)

DDC Spółka z o.o.

Wspólna 7B

45-837 Opole

Poland

VAT identification number: 8992793337

National Court Register (KRS): 0000626276

Email: support@take2eu.com

And:

Sub-Processor Name (hereinafter “Processor” or “Sub-Processor”)

Sub-processor address

Sub-processor registration details

Sub-processor contact email

Effective Date: To be completed upon execution

  1. DEFINITIONS
  • “Personal Data” – Any information relating to an identified or identifiable natural person as defined by the GDPR.
  • “Processing” – Any operation performed on Personal Data, such as collection, storage, use, disclosure, deletion, or any other handling.
  • “Data Controller” – Take2EU (DDC Spółka z o.o.), which determines the purposes and means of Processing Personal Data of Users of the Take2EU platform.
  • “Data Processor” or “Sub-Processor” – The entity identified above that processes Personal Data on behalf of the Controller in connection with the Services.
  • “Data Subject” – An identified or identifiable natural person, including Take2EU Users, prospective users, and contacts.
  • “GDPR” – Regulation (EU) 2016/679 (General Data Protection Regulation).
  • “Services” – The services provided by Sub-Processor to Controller as defined in the underlying Service Agreement (e.g. hosting, CRM, customer support, analytics, email delivery).
  • “Confidential Information” – All Personal Data and business information disclosed between the Parties under this Agreement.
  2. SUBJECT MATTER AND DURATION

2.1 This DPA governs the Processing of Personal Data by the Sub-Processor on behalf of the Controller in connection with the Services.

2.2 The duration of this DPA is the same as the underlying Service Agreement between the Parties. This DPA terminates automatically when the Service Agreement ends and all Personal Data is deleted or returned in accordance with Section 12.

  3. NATURE AND PURPOSE OF PROCESSING

3.1 Sub-Processor shall process Personal Data solely for the purpose of providing the Services to the Controller, including but not limited to:

  • Data hosting and storage infrastructure.
  • Customer support, ticketing, and user assistance.
  • Email delivery and communication services.
  • Analytics, monitoring, and platform improvement activities.
  • Document processing and profile optimisation support.

3.2 Sub-Processor shall not process Personal Data for any other purpose, including its own commercial purposes, without the Controller’s prior written consent.

  4. TYPES OF PERSONAL DATA AND CATEGORIES OF DATA SUBJECTS

4.1 Types of Personal Data processed under this Agreement may include:

  • **Identity:** name, email address, phone number, postal address, country of residence.
  • **Professional:** CV/resumé, qualifications, employment history, work experience, certifications, skills, languages.
  • **Account:** username, account settings, preferences, notification settings.
  • **Communication:** support tickets, messages, feedback, survey responses.
  • **Technical:** IP address, log data, device information, browser type, pages visited, session data.
  • **Payment-related:** billing address, VAT ID (where payment processing is part of the Services; full card details are not processed by Controller or Sub-Processor but by the payment processor).

4.2 Categories of Data Subjects include:

  • Users of the Take2EU platform (job seekers and professionals).
  • Prospective users and contacts who have interacted with the Platform.
  • Where applicable, employees or representatives of Employers using the Platform.
  5. OBLIGATIONS OF THE SUB-PROCESSOR

5.1 Sub-Processor shall:

  • Process Personal Data only on documented written instructions from the Controller, including as set out in this DPA and the underlying Service Agreement.
  • Ensure that all persons authorised to process Personal Data are bound by legally enforceable confidentiality obligations (by contract or statutory duty).
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as described in Section 6.
  • Assist the Controller in fulfilling its obligations under Articles 32 to 36 GDPR, including:
      • Security of processing.
      • Notification of personal data breaches.
      • Data protection impact assessments.
      • Prior consultation with supervisory authorities where required.
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections as provided in Section 11.
  • Immediately inform the Controller if, in the Sub-Processor’s opinion, an instruction from the Controller infringes the GDPR or other applicable data protection laws.

5.2 Sub-Processor shall not:

  • Use or process Personal Data for its own purposes or for purposes other than those instructed by the Controller.
  • Sell, rent, lease, or disclose Personal Data to third parties except as expressly authorised by the Controller in writing.
  • Transfer Personal Data to countries or territories outside the agreed Processing locations without the Controller’s prior written consent and appropriate safeguards in place.
  6. SECURITY MEASURES

6.1 Sub-Processor shall implement and maintain appropriate technical and organisational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Such measures shall include, but are not limited to:

  • Encryption: encryption of data in transit (TLS/SSL or equivalent) and, where appropriate, at rest (AES-256 or equivalent standard).
  • Access control: role-based access control (RBAC) implementing the principle of least privilege; access limited to personnel who require it to perform the Services.
  • Authentication: multi-factor authentication (MFA) for administrative and privileged accounts where technically feasible.
  • Network security: firewalls, intrusion detection and prevention systems, network segmentation where appropriate.
  • Logging and monitoring: logging of access to Personal Data and regular monitoring for anomalous activity.
  • Vulnerability management: regular vulnerability scanning, patch management, and penetration testing.
  • Backup and recovery: secure backup procedures and tested disaster recovery plans.
  • Physical security: appropriate physical access controls for facilities where Personal Data is stored or processed.

6.2 Sub-Processor shall document these measures and provide a summary description to the Controller upon reasonable request. Sub-Processor shall review and update these measures regularly to address evolving threats and technological developments.

  7. USE OF SUB-SUB-PROCESSORS

7.1 Sub-Processor shall not engage another processor (“Sub-Sub-Processor”) to carry out Processing activities on behalf of the Controller without:

  • Prior specific written authorisation from the Controller for each Sub-Sub-Processor, or
  • Prior general written authorisation from the Controller, subject to the Controller’s right to object.

7.2 Where the Controller has given general authorisation, Sub-Processor shall:

  • Inform the Controller of any intended changes concerning the addition or replacement of Sub-Sub-Processors at least 30 days in advance.
  • Provide the Controller with sufficient information to assess the Sub-Sub-Processor (including location, nature of services, and security measures).
  • Allow the Controller a reasonable opportunity to object to such changes. If the Controller objects on reasonable data protection grounds, the Parties shall discuss in good faith to find an alternative solution.

7.3 Where Sub-Sub-Processors are engaged:

  • Sub-Processor shall impose on them, by way of a written contract, the same data protection obligations as set out in this DPA, including obligations regarding security, confidentiality, assistance, audits, and international transfers.
  • Sub-Processor remains fully liable to the Controller for the performance of the Sub-Sub-Processor’s obligations under such contract.

7.4 Sub-Processor shall maintain an up-to-date list of all Sub-Sub-Processors (including their names, locations, and nature of Processing) and provide it to the Controller upon request.

  8. INTERNATIONAL DATA TRANSFERS

8.1 If Sub-Processor processes Personal Data outside the European Economic Area (EEA), including in India, Bangladesh, the Philippines, or other third countries, it must ensure compliance with Chapter V of the GDPR and provide appropriate safeguards.

8.2 The Parties agree that the Standard Contractual Clauses (SCC) adopted by the European Commission under Implementing Decision (EU) 2021/914, Module Two: Controller to Processor, are hereby incorporated into this DPA by reference and form an integral part of this Agreement.

8.3 In relation to international transfers and the SCC, Sub-Processor shall:

  • Comply with all obligations set out in the SCC, including implementing supplementary measures where necessary to ensure an adequate level of protection.
  • Notify the Controller without undue delay of:
      • Any legally binding request for disclosure of Personal Data by a public authority (e.g. law enforcement, security agencies), unless prohibited by law.
      • Any legal requirement under local law that may prevent the Sub-Processor from fulfilling its obligations under the SCC.
      • Any access to Personal Data by public authorities of which the Sub-Processor becomes aware.
  • Assess, together with the Controller where appropriate, whether the laws and practices of the third country provide sufficient protection. If risks are identified, Sub-Processor shall implement supplementary measures (such as enhanced encryption, access restrictions, contractual commitments, or other technical and organisational safeguards).
  • Challenge any unlawful, disproportionate, or overly broad data access request by public authorities, where reasonable and legally possible.

8.4 A copy of the executed SCC and any supplementary documentation relating to international transfers shall be provided to the Controller upon request.

  9. DATA BREACHES

9.1 Sub-Processor shall notify the Controller without undue delay and, where feasible, no later than 24 hours after becoming aware of a Personal Data breach affecting Personal Data processed under this Agreement.

9.2 The notification shall include, at a minimum, the following information (to the extent available at the time of notification):

  • A description of the nature of the breach, including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of data records concerned.
  • The name and contact details of the Sub-Processor’s data protection contact or other point of contact for further information.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed by the Sub-Processor to address the breach, including, where appropriate, measures to mitigate its possible adverse effects.

9.3 If it is not possible to provide all the required information at the same time, the Sub-Processor shall provide the information in phases without undue further delay as it becomes available.

9.4 Sub-Processor shall fully cooperate with the Controller in investigating and remediating the breach, including by:

  • Providing access to relevant forensic data, logs, and reports.
  • Assisting the Controller in notifying supervisory authorities and affected Data Subjects where required by law.
  • Implementing remedial measures as agreed with the Controller.
  10. ASSISTANCE WITH DATA SUBJECT RIGHTS

10.1 If Sub-Processor receives a request directly from a Data Subject exercising their rights under the GDPR (e.g. right of access, rectification, erasure, restriction, data portability, objection), the Sub-Processor shall:

  • Not respond directly to the Data Subject unless expressly authorised by the Controller to do so.
  • Immediately forward the request to the Controller without undue delay (and in any event within 48 hours of receipt).

10.2 Sub-Processor shall, taking into account the nature of the Processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller’s obligation to respond to requests from Data Subjects for the exercise of their rights under Chapter III of the GDPR, including:

  • Right of access (Article 15).
  • Right to rectification (Article 16).
  • Right to erasure (“right to be forgotten”) (Article 17).
  • Right to restriction of processing (Article 18).
  • Right to data portability (Article 20).
  • Right to object (Article 21).

10.3 Where the Controller requests assistance, Sub-Processor shall provide such assistance in a timely manner and, where technically feasible, enable the Controller to directly access, correct, delete, or export relevant Personal Data.

  11. AUDITS AND INSPECTIONS

11.1 The Controller or its appointed auditor (including independent third-party auditors) may conduct audits or inspections of the Sub-Processor’s data processing facilities, systems, and practices to verify compliance with this DPA and applicable data protection laws.

11.2 The Controller shall provide the Sub-Processor with at least 15 days’ prior written notice of any such audit or inspection, unless:

  • A shorter period is justified by urgent circumstances (e.g. following a data breach or regulatory investigation), or
  • Applicable law or a supervisory authority requires a shorter notice period.

11.3 Audits and inspections shall be conducted during normal business hours and in a manner that minimises disruption to the Sub-Processor’s operations. The Controller shall ensure that any auditors are bound by confidentiality obligations.

11.4 Sub-Processor shall:

  • Provide reasonable access to relevant documentation, systems, and personnel.
  • Cooperate fully with the auditor and respond promptly to requests for information.
  • Where deficiencies or non-compliance issues are identified, work with the Controller to address them within a mutually agreed timeframe.

11.5 Where a third-party audit report or certification (e.g. SOC 2 Type II, ISO/IEC 27001, or equivalent) is available and covers the Processing activities under this DPA, the Sub-Processor may provide such report in lieu of an on-site audit, subject to the Controller’s reasonable approval. The Controller retains the right to conduct an on-site audit if the report is insufficient or if specific concerns arise.

  12. RETURN AND DELETION OF DATA

12.1 Upon termination of the Services or upon the Controller’s written request, Sub-Processor shall, at the Controller’s choice:

  • Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (e.g. CSV, JSON, or other agreed format); or
  • Delete all Personal Data, including all copies, and certify such deletion in writing to the Controller.

12.2 The Controller shall specify its choice within a reasonable period before or promptly after termination. If no choice is specified, Sub-Processor shall delete the data in accordance with Section 12.1.

12.3 Sub-Processor may retain Personal Data only to the extent and for the period required by applicable law (e.g. tax, accounting, or regulatory retention obligations). Any such retained Personal Data shall:

  • Remain subject to the confidentiality and security obligations of this DPA.
  • Be isolated from active systems and accessible only for the legally required purpose.
  • Be deleted as soon as the legal retention period expires.

12.4 Sub-Processor shall provide the Controller with written certification of deletion or return within 30 days of completion.

  13. LIABILITY AND INDEMNITY

13.1 Sub-Processor shall be liable for any damage caused by Processing where:

  • Sub-Processor has not complied with obligations under this DPA or the GDPR specifically directed to processors, or
  • Sub-Processor has acted outside or contrary to lawful instructions from the Controller.

13.2 Sub-Processor shall indemnify and hold harmless the Controller from and against:

  • Claims, damages, or compensation sought by Data Subjects arising from the Sub-Processor’s breach of this DPA or the GDPR.
  • Fines or penalties imposed by supervisory authorities that are attributable to the Sub-Processor’s conduct or non-compliance.
  • Reasonable legal fees, costs, and expenses incurred by the Controller in relation to such claims or regulatory proceedings.

13.3 Unless otherwise expressly agreed in writing between the Parties, Sub-Processor’s total aggregate liability under this DPA (including indemnity obligations) shall not exceed the total fees paid by the Controller to the Sub-Processor for the Services in the 12 months preceding the incident giving rise to liability, except in cases of gross negligence, wilful misconduct, or breach of confidentiality or security obligations, for which liability shall be unlimited.

13.4 Nothing in this DPA shall limit or exclude either Party’s liability for:

  • Death or personal injury caused by negligence.
  • Fraud or fraudulent misrepresentation.
  • Any other liability that cannot be limited or excluded under applicable law.
  14. GOVERNING LAW AND JURISDICTION

14.1 This DPA shall be governed by and construed in accordance with the laws of Poland, without regard to its conflict-of-law provisions.

14.2 Any dispute, controversy, or claim arising out of or in connection with this DPA, including its validity, breach, or termination, shall be subject to the exclusive jurisdiction of the courts of Opole, Poland, unless otherwise required by mandatory applicable law (including consumer protection laws or the provisions of the Standard Contractual Clauses).

14.3 Where this DPA incorporates the Standard Contractual Clauses, and in the event of any conflict between this Section 14 and the SCC, the SCC provisions regarding governing law and dispute resolution shall prevail.

  15. MISCELLANEOUS

15.1 Relationship to Service Agreement

This DPA forms an integral part of the Service Agreement between the Parties. In the event of any conflict between this DPA and the Service Agreement with respect to data protection and privacy matters, the provisions of this DPA shall prevail.

15.2 Severability

If any provision of this DPA is found to be invalid, illegal, or unenforceable by a court or competent authority, such provision shall be severed or limited to the minimum extent necessary, and the remaining provisions shall remain in full force and effect.

15.3 Amendments

Amendments or modifications to this DPA must be made in writing and signed by authorised representatives of both Parties, except where amendments are required by law or by supervisory authorities, in which case the Controller may amend this DPA upon reasonable notice to the Sub-Processor.

15.4 Survival

The obligations under this DPA that by their nature should survive termination (including confidentiality, data return/deletion, liability, and indemnity) shall survive termination of the Service Agreement.

15.5 No Waiver

The failure of either Party to enforce any provision of this DPA shall not constitute a waiver of that provision or of the right to enforce it at a later time.

15.6 Entire Agreement

This DPA, together with the Service Agreement and any incorporated Standard Contractual Clauses, constitutes the entire agreement between the Parties with respect to the Processing of Personal Data and supersedes all prior or contemporaneous understandings or agreements, whether written or oral, relating to such subject matter.

  16. SIGNATURES

The Parties hereby execute this Data Processing Agreement as of the Effective Date stated above.

For Take2EU (Controller):

Signature: __________________________________

Name: __________________________________

Title: __________________________________

Date: __________________________________

For Sub-Processor Name:

Signature: __________________________________

Name: __________________________________

Title: __________________________________

Date: __________________________________

ANNEX A – STANDARD CONTRACTUAL CLAUSES (SCC)

The Parties agree that the EU Commission Standard Contractual Clauses for Controller-to-Processor transfers (Module Two) adopted by Implementing Decision (EU) 2021/914 are incorporated into this DPA by reference and form an integral part of this Agreement.

A fully executed copy of the Standard Contractual Clauses, including all required Annexes (description of processing, technical and organisational measures, list of sub-processors), shall be attached to this DPA or provided separately upon execution.