Data Controller's Information on Data Transfer to Third Countries

Pursuant to Article 13(1)(f) of the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter referred to as: Regulation 2016/679 or GDPR), it is the Data Controller’s obligation – when applicable – to provide information on:

1. the intention to transfer personal data to a third country or international organization,
2. the determination or lack thereof by the Commission of an adequate level of protection or, in the case of transfers referred to in Articles 46, 47, or 49(1) second subparagraph of the GDPR, a reference to appropriate or suitable safeguards, as well as information on how to obtain a copy of such safeguards or where they are made available.

In connection with the above, the DeoLink Association, located in Wisła, Malinka 65D/2 (43-460), hereinafter also referred to as the „Data Controller” informs that during the provision of services and delivery of content, there is a likelihood of transferring the collected personal data (including metadata) of users, contractors, or donors to third countries within the meaning of the GDPR. A detailed list of entities to which data may be disclosed, along with the purpose of processing and information regarding their security measures:

1. Salesforce.com, Inc. (USA)
   Purpose of processing: Maintenance (technical) of databases of users of content and services provided by the Data Controller and its contractors.
   Type of security measures, method of obtaining copies of safeguards, or location of their provision:
   • Records of the data processing agreement: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/Agreements/data-processing-addendum.pdf
   • EU-U.S. Privacy Shield Framework. Mechanism approved by the European Commission on July 10, 2023: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en
   • Salesforce, Inc.’s entry into the Privacy Shield Framework can be verified at (you need to type entity’s name in ‘search’ field): https://www.dataprivacyframework.gov/list
   • Binding Corporate Rules: https://www.salesforce.com/content/dam/web/en_us/www/documents/legal/misc/Salesforce-Processor-BCR.pdf

    

2. Google LLC (USA)
   Purpose of processing:
   1. Conducting traffic analysis (user behavior) on websites and effectiveness of marketing campaigns (Google Analytics).
   2. Utilizing the login mechanism for services using a user account created on the platform.

   
   Type of security measures, method of obtaining copies of safeguards, or location of their provision:

   • EU-U.S. Privacy Shield Framework. Mechanism approved by the European Commission on July 10, 2023: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en
   • Google LLC’s entry into the Privacy Shield Framework can be verified at (you need to type entity’s name in ‘search’ field): https://www.dataprivacyframework.gov/list
   • Description of security measures and GDPR compliance, including the utilization of standard contractual clauses: https://business.safety.google/gdpr/
   • Data security for Google Ads service: https://business.safety.google/adsprocessorterms/

    

3. Meta Platforms Inc. (formerly: Facebook) (USA)
   Purpose of processing: Utilizing the login mechanism for services using a user account created on the Facebook platform.
   Type of security measures, method of obtaining copies of safeguards, or location of their provision:
   • EU-U.S. Privacy Shield Framework. Mechanism approved by the European Commission on July 10, 2023: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en
   • Meta’s entry into the Privacy Shield Framework can be verified at (you need to type entity’s name in ‘search’ field): https://www.dataprivacyframework.gov/list
   • Information from the Chief Data Security Officer about secure data transfer: Steps Taken to Transfer Data Securely
4. Stripe, Inc. (USA) Purpose of processing: Facilitating online payment transactions.
   Type of security measures, method of obtaining copies of safeguards, or location of their provision:
   • EU-U.S. Privacy Shield Framework. Mechanism approved by the European Commission on July 10, 2023: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/eu-us-data-transfers_en
   • Stripe’s entry into the Privacy Shield Framework can be verified at (you need to type entity’s name in ‘search’ field): https://www.dataprivacyframework.gov/list
   • Internal Privacy Shield Policy of Stripe: https://stripe.com/en-pl/legal/data-privacy-framework