GDPR — Data Processing Information
1. Two Roles in Data Processing
Within the ESSW service, personal data is processed by AbejaIT Sp. z o.o. with its registered office in Poznań, Aleja Wielkopolska 29 lok. 6, 60-603 Poznań, Poland, entered in the register of entrepreneurs of the Polish National Court Register (KRS) under number 0001235099 (District Court Poznań – Nowe Miasto i Wilda in Poznań, 8th Commercial Division of the KRS), tax ID (NIP): 7812108949 (“AbejaIT”), in two distinct roles:
- AbejaIT as controller — with respect to Customers’ data, customer portal users, billing data and communication (details: Privacy Policy).
- AbejaIT as processor — with respect to all data that the Customer and its users enter into their ESSW ERP instance (e.g. data of contractors, suppliers of recyclable materials, purchase documents, the Customer’s employee data). The Customer is the controller of that data.
2. Data Processing Agreement (Art. 28 GDPR)
By concluding the service agreement, the Customer entrusts AbejaIT with the processing of personal data stored in their instance, to the extent and for the purpose necessary to provide the service, i.e.:
- subject matter and duration: hosting, maintenance, updates and backups of the instance — for the duration of the agreement;
- nature and purpose: storage and protection of data, technical operations necessary for the system to function; the Provider does not use the entrusted data for its own purposes;
- categories of data: identification and contact data of contractors and suppliers (including data from purchase documents required by law, e.g. name, surname, address, ID document number, PESEL — if registered by the Customer), instance user data, transactional and warehouse data;
- categories of data subjects: contractors, suppliers of materials, the Customer’s employees and associates.
3. AbejaIT’s Obligations as Processor
- Processing data only on the documented instructions of the Customer (the agreement and dispositions submitted through the portal are considered such instructions).
- Ensuring that authorised persons commit to confidentiality.
- Applying the security measures referred to in Art. 32 GDPR: encryption in transit (TLS), encrypted backups (AES-256), instance separation, access control and 2FA, operation logging, security updates.
- Assisting the Customer in fulfilling obligations under Art. 32–36 GDPR and in responding to data subject requests — to the extent technically and organisationally possible.
- Notifying the Customer of personal data breaches without undue delay after becoming aware of them.
- After termination of the agreement — deleting the instance data together with backups (no later than after 30 days) or, upon the Customer’s request submitted within that period, handing over a copy of the database.
- Making available information necessary to demonstrate compliance and allowing audits in an agreed manner.
4. Sub-processing and Data Location (EU/EEA)
The Customer gives general consent for AbejaIT to use further processors for: server infrastructure, encrypted backup storage, DNS/CDN services and notification delivery services (e-mail/SMS). Data entrusted by the Customer is stored and processed within the European Union / European Economic Area (EU/EEA). Current infrastructure sub-processors:
| Sub-processor | Role | Data location | Privacy information |
|---|---|---|---|
| Hetzner Online GmbH | Server infrastructure (hosting of ERP instances) | Germany and Finland (EU/EEA) | hetzner.com/legal/privacy-policy |
| Backblaze (EU region) | Encrypted backup storage | EU region (Amsterdam, the Netherlands) | backblaze.com/company/privacy |
| Amazon Web Services (AWS), EU region | Infrastructure/storage (optional) | EU/EEA regions (e.g. Frankfurt/Ireland) | aws.amazon.com/compliance/gdpr-center |
| Cloudflare, Inc. | DNS/CDN and attack protection | Processing with an EU data localization option | cloudflare.com/trust-hub/gdpr |
A data processing agreement (DPA) compliant with Art. 28 GDPR is in place with each sub-processor. Any transfer outside the EEA occurs solely on the basis of standard contractual clauses (SCCs) and appropriate safeguards; backups are additionally encrypted (AES-256). The full categories of sub-processors are listed in the Privacy Policy; the Customer is informed of material changes and may object.
5. Customer’s Obligations as Controller
- The Customer ensures that it has a legal basis for processing the data entered into the instance (including data from purchase documents required by waste and recyclable materials regulations).
- The Customer fulfils information obligations towards its contractors and employees (Art. 13/14 GDPR).
- The Customer manages the accounts and permissions of its instance users and is responsible for the quality and lawfulness of the data entered.
6. Information Clause for Portal Users (Art. 13 GDPR)
The controller of customer portal users’ data is AbejaIT Sp. z o.o., Aleja Wielkopolska 29 lok. 6, 60-603 Poznań, Poland, KRS 0001235099, NIP 7812108949 (contact: [email protected], phone +48 512 222 240). Data is processed for account management and service provision (Art. 6(1)(b) GDPR), billing (point (c)) and security (point (f)). You have the rights described in the Privacy Policy, including the right to lodge a complaint with the President of the Personal Data Protection Office (UODO). Data is not transferred to third countries except as described in the Privacy Policy and is not subject to automated decision-making producing legal effects.