1. Definitions
Terms have the meanings defined in Article 4 GDPR:
"Data Controller" means the entity that determines the purposes and means of processing personal data.
"Data Processor" means Cardiac Purr (2info sp. z o.o.), which processes personal data on behalf of the Data Controller.
"Data Subject" means an identified or identifiable natural person whose personal data is processed.
"UODO" means the Polish Data Protection Authority (Urząd Ochrony Danych Osobowych).
"EDPB" means the European Data Protection Board.
"Personal Data Breach" has the meaning given in Article 4(12) GDPR.
2. Roles and Data Governance
2.1 Controller and Processor
Cardiac Purr acts as Data Processor under Article 28 GDPR when processing personal data on behalf of a Data Controller. The Data Controller determines the purposes and means of processing. Both parties maintain records of processing activities as required by Article 30 GDPR.
Note: Legislative proposals currently under consideration at EU level may in future modify the Article 30 record-keeping exemption threshold for small organisations. Until any such amendment enters into force, the current threshold of 250 employees applies.
2.2 Processing Instructions
Cardiac Purr processes personal data only on the documented instructions of the Controller, unless required to do so by EU or Polish law, in which case Cardiac Purr shall inform the Controller of that legal requirement before processing, unless such disclosure is prohibited on grounds of public interest.
3. Processing Activities
3.1 Purpose Limitation
We process personal data only on the documented instructions of the Controller, for purposes including:
- Service provision and maintenance
- Customer support (legitimate interest basis, balanced against user rights)
- Security and fraud prevention (vital interest / legal obligation)
- Compliance with applicable EU and Polish law, including DSA obligations
3.2 Data Minimization
Following EDPB guidelines on data minimization:
- We pseudonymize data where possible (Article 4(5) GDPR)
- Data retention follows strict time limits (Article 5(1)(e) GDPR)
- We collect only the minimum data necessary for the specified purpose
3.3 Confidentiality
We ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, in accordance with Article 28(3)(b) GDPR.
4. Data Subject Rights
We assist Controllers in fulfilling rights under Articles 15–22 GDPR, taking into account the nature of the processing and the information available to us.
4.1 Right to Erasure (Article 17) — EDPB 2025 Enforcement Priority
The EDPB selected Article 17 as a 2025 coordinated enforcement priority. Our procedures include:
- 30-day response time (extendable to 60 days with prior notification under Article 12(3) GDPR)
- Assessment of exceptions under Article 17(3) GDPR
- Cascading deletion across backup and archival systems
- Documentation of erasure actions for regulatory accountability under Article 5(2) GDPR
4.2 Right to Data Portability (Article 20)
We provide personal data in structured, commonly used, machine-readable formats (JSON, CSV), including direct provision to another controller where technically feasible and instructed by the Controller.
4.3 Assistance with Other Rights
We assist the Controller in responding to requests for access (Article 15), rectification (Article 16), restriction (Article 18), and objection (Article 21), by implementing appropriate technical and organisational measures and providing relevant information held by us.
5. Subprocessors and International Transfers
5.1 Subprocessor Governance
We maintain a current list of subprocessors, available upon written request to legal@cardiac-purr.com. All subprocessors:
- Are bound by data protection obligations no less protective than those in this DPA, pursuant to Article 28(4) GDPR
- Comply with the EU Data Act (Regulation (EU) 2023/2854) where applicable
- Undergo prior security and compliance vetting
We will inform the Controller of any intended changes to subprocessors, giving the Controller the opportunity to object before the change takes effect, in accordance with Article 28(2) GDPR.
5.2 International Transfers
For transfers of personal data to third countries outside the EEA, we rely on:
- EU–US Data Privacy Framework (DPF): The adequacy decision was upheld by the EU General Court on 3 September 2025 (Case T-553/23, Latombe v. Commission). An appeal has been filed before the CJEU on 31 October 2025 and remains pending. The DPF adequacy decision is fully operative during appeal proceedings. We maintain SCCs as a parallel safeguard for all US transfers.
- Standard Contractual Clauses (SCCs): European Commission Decision 2021/914 of 4 June 2021 — Module 2 (controller to processor) or Module 1 (controller to controller) as applicable. SCCs are used as both a parallel mechanism for US transfers and as the primary mechanism for other third-country transfers.
- Transfer Impact Assessments (TIAs) are conducted for all third-country transfers in accordance with EDPB Recommendations 01/2020.
- Polish UODO guidance on international transfers is followed where applicable.
6. Security and Breach Notification
6.1 Technical and Organisational Measures
We implement Article 32 GDPR measures appropriate to the risk, including:
- Encryption of data at rest (AES-256) and in transit (TLS 1.3)
- Pseudonymization and strict access controls
- Regular penetration testing and vulnerability assessments
- Staff data protection training and confidentiality obligations
- Business continuity and disaster recovery procedures
6.2 Personal Data Breach Response
Under Articles 33–34 GDPR and Polish notification requirements:
- We notify the Controller without undue delay and, where feasible, no later than 48 hours after becoming aware of a Personal Data Breach, to allow the Controller to meet the 72-hour notification deadline to the supervisory authority under Article 33 GDPR
- Notification to data subjects without undue delay where a high risk to their rights and freedoms exists (Article 34 GDPR), coordinated with the Controller
- Documentation of all breaches in accordance with the accountability principle (Article 5(2) GDPR)
- Full cooperation with the Controller's breach response procedures
7. Data Return and Deletion
Upon termination or expiry of this DPA, or upon the Controller's request:
- We return or securely delete all personal data processed on behalf of the Controller, at the Controller's election
- Deletion certificates are provided upon request
- Retention of personal data by us continues only where required by EU or Polish law, with the legal basis and retention period documented in writing
- Polish archiving laws (Ustawa o narodowym zasobie archiwalnym i archiwach) are respected where applicable
8. Audit and Compliance
We provide the Controller with all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits and inspections, including:
- Annual compliance reports for high-risk processing activities
- Documentation of processing activities (Article 30 GDPR) upon request
- Cooperation with EDPB coordinated enforcement investigations
- Readiness for UODO inspections
9. Contact and Supervisory Authorities
| Contact | Details |
|---|---|
| Data Processor / DPO | 2info sp. z o.o. trading as Cardiac Purr |
| Email | legal@cardiac-purr.com |
| Address | Grunwaldzka 10/1, 31-526 Kraków, Poland |
| Website | cardiac-purr.com |
| Polish Supervisory Authority | UODO — Urząd Ochrony Danych Osobowych |
| Address | ul. Stawki 2, 00-193 Warszawa, Poland |
| Website | uodo.gov.pl |
| EU Lead Authority | Per Article 56 GDPR where applicable |