
Data Processing Agreement

For partners and data processors

Last updated: 18 February 2026
Effective: 18 February 2026

1. Scope & definitions

This Data Processing Agreement ("DPA") forms part of the agreement between BrainGreen Foundation, operating as BottleChallenge ("Controller"), and any partner or service provider ("Processor") that processes personal data on our behalf.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and applies whenever the Processor processes personal data of BottleChallenge users, partners, or visitors.

1.1 Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Controller: BrainGreen Foundation (BottleChallenge) — determines the purposes and means of processing
  • Processor: The partner or service provider processing personal data on behalf of the Controller
  • Sub-processor: Any third party engaged by the Processor to process personal data
  • Data Subject: The individual whose personal data is being processed (users, visitors)
  • Processing: Any operation performed on personal data (collection, storage, use, transfer, deletion)

2. Roles of the parties

2.1 Controller

BrainGreen Foundation

Operating as: BottleChallenge

Warszawa, Polska

KRS: 0000964547 | NIP: 5252903313 | REGON: 521709494

DPO: [email protected]

2.2 Processor

The Processor is the entity identified in the underlying service agreement (e.g., Partner Terms of Service, hosting agreement, analytics provider contract) that processes personal data on behalf of the Controller.

2.3 Joint controllership

Where both parties determine the purposes and means of processing (e.g., co-branded campaigns), a separate Joint Controller Agreement under Article 26 GDPR shall be executed.

3. Details of processing

3.1 Subject matter and purpose

The Processor processes personal data solely for the purpose of providing services to the Controller as specified in the underlying agreement. Typical purposes include:

  • Hosting and infrastructure (cloud storage, CDN, database management)
  • Analytics and performance monitoring
  • Email delivery and notifications
  • Payment processing (for donations via WhyDonate)
  • NFC/QR tag scanning and EcoDrops reward processing
  • Map and geolocation services
  • Customer support tools

3.2 Categories of data subjects

  • Registered users of BottleChallenge
  • Website and app visitors
  • Refill and reward partners (business contacts)
  • Donors and supporters

3.3 Types of personal data

  • Identity data (name, username, email)
  • Contact data (email address, business address for partners)
  • Technical data (IP address, device identifiers, browser type)
  • Location data (GPS coordinates, approximate location)
  • Usage data (scan history, EcoDrops balance, reviews, ratings)
  • NFC/QR tag interaction data (tag UID, scan timestamp, location at scan)
  • Transaction data (donation amounts, reward redemptions)

3.4 Duration of processing

Processing shall continue for the duration of the underlying service agreement. Upon termination, the Processor shall delete or return all personal data within 30 days, unless retention is required by applicable law.

4. Obligations of the controller

The Controller (BottleChallenge) shall:

  • Ensure that the processing of personal data has a valid legal basis under GDPR
  • Provide the Processor with clear, documented instructions for processing
  • Inform data subjects about the processing in its Privacy Policy
  • Respond to data subject rights requests (with Processor assistance where needed)
  • Conduct Data Protection Impact Assessments (DPIAs) where required
  • Notify the Processor of any changes to processing instructions
  • Ensure ongoing compliance with applicable data protection laws

5. Obligations of the processor

The Processor shall:

  • Documented instructions: Process personal data only on documented instructions from the Controller, unless required by EU or Member State law
  • Confidentiality: Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under a statutory obligation of confidentiality
  • Security: Implement appropriate technical and organizational security measures (see Section 8)
  • Sub-processing: Not engage another processor without prior written authorization from the Controller (see Section 6)
  • Assistance: Assist the Controller in responding to data subject requests and fulfilling obligations under Articles 32–36 GDPR
  • Deletion/return: At the Controller's choice, delete or return all personal data upon termination of services
  • Information: Make available all information necessary to demonstrate compliance and allow for audits
  • Notification: Immediately inform the Controller if an instruction infringes GDPR or other data protection provisions

6. Sub-processors

6.1 Authorization

The Processor shall not engage any sub-processor without the prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended additions or replacements of sub-processors, giving the Controller the opportunity to object within 14 days.

6.2 Sub-processor obligations

The Processor shall impose the same data protection obligations as set out in this DPA on any sub-processor by way of a written contract. The Processor remains fully liable to the Controller for the performance of the sub-processor's obligations.

6.3 Current sub-processors

The Controller maintains a list of approved sub-processors. Partners and processors may request the current list by contacting [email protected].

7. International data transfers

The Processor shall not transfer personal data to a country outside the European Economic Area (EEA) unless one of the following safeguards is in place:

  • Adequacy decision: The European Commission has determined the destination country provides adequate protection (Art. 45 GDPR)
  • Standard Contractual Clauses (SCCs): The current EU-approved SCCs are incorporated or executed (Art. 46(2)(c) GDPR)
  • Binding Corporate Rules: Approved BCRs are in place for intra-group transfers (Art. 47 GDPR)
  • Derogations: An applicable derogation under Art. 49 GDPR applies (e.g., explicit consent)

Where SCCs are relied upon, the parties agree to conduct a Transfer Impact Assessment (TIA) and implement supplementary measures where necessary, in line with the EDPB recommendations.

8. Security measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including as appropriate:

8.1 Technical measures

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256 or equivalent)
  • Pseudonymization of personal data where feasible
  • Regular vulnerability scanning and penetration testing
  • Firewalls, intrusion detection/prevention systems
  • Secure authentication (multi-factor where available)
  • Regular backup and disaster recovery procedures

8.2 Organizational measures

  • Role-based access controls and least-privilege principle
  • Staff training on data protection and security
  • Confidentiality agreements for all personnel
  • Regular security audits and compliance reviews
  • Documented incident response procedures
  • Data minimization practices

9. Data breach notification

9.1 Notification to Controller

The Processor shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a personal data breach. Notification shall include:

  • The nature of the breach, including categories and approximate number of data subjects affected
  • The name and contact details of the DPO or other contact point
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach, including mitigation

9.2 Notification to supervisory authority

The Controller is responsible for notifying the relevant supervisory authority within 72 hours of becoming aware of a breach (Art. 33 GDPR). The Processor shall cooperate fully and provide all necessary information.

9.3 Communication to data subjects

Where a breach is likely to result in a high risk to the rights and freedoms of data subjects, the Controller shall communicate the breach to affected individuals (Art. 34 GDPR). The Processor shall assist with this communication.

10. Data subject rights

The Processor shall assist the Controller in fulfilling its obligation to respond to data subject requests under Chapter III of the GDPR, including:

  • Access (Art. 15): Provide copies of processed data
  • Rectification (Art. 16): Correct inaccurate data
  • Erasure (Art. 17): Delete data upon valid request
  • Restriction (Art. 18): Limit processing when requested
  • Portability (Art. 20): Export data in machine-readable format
  • Objection (Art. 21): Cease processing upon objection

The Processor shall respond to the Controller's assistance requests within 5 business days.

11. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA.

  • The Controller (or an appointed independent auditor) may conduct audits, including inspections, with 30 days' written notice
  • Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations
  • The Processor shall cooperate fully and provide access to facilities, equipment, records, and personnel
  • The Controller shall bear the costs of the audit unless the audit reveals material non-compliance
  • The Processor may satisfy audit requirements by providing relevant third-party certifications (e.g., SOC 2, ISO 27001)

12. Duration & termination

12.1 Duration

This DPA shall remain in effect for the duration of the underlying service agreement between the Controller and the Processor.

12.2 Upon termination

Upon termination of the service agreement, the Processor shall:

  • Cease all processing of personal data immediately
  • At the Controller's election, return or securely delete all personal data within 30 days
  • Provide written certification of deletion upon request
  • Delete existing copies unless EU or Member State law requires storage

12.3 Survival

Sections relating to confidentiality, liability, and audit rights shall survive termination of this DPA.

13. Liability & indemnification

13.1 Liability

Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82 GDPR. The Processor shall be liable for damage caused by processing where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to the Controller's instructions.

13.2 Indemnification

The Processor shall indemnify the Controller against any costs, claims, damages, or expenses incurred as a result of the Processor's breach of this DPA or applicable data protection laws.

13.3 Limitation

Liability limitations in the underlying service agreement shall apply to this DPA, except that neither party may limit liability for intentional violations of data protection law, unauthorized processing, or failure to comply with data subject rights.

14. Contact

For questions about this DPA or to request a copy for execution:

Data Protection Officer

[email protected]

Legal matters

[email protected]

BrainGreen Foundation
Warszawa, Polska
KRS: 0000964547 | NIP: 5252903313 | REGON: 521709494
Email: [email protected]
Website: BrainGreen Foundation website
