Data Processing Agreement
According to Art. 28 (3) General Data Protection Regulation (GDPR)
Version 1.0, last updated: 16.06.2024
1. Subject-matter and duration of the processing
1.1 The subject matter of the Agreement is the rights and obligations of the parties in the context of the provision of services in accordance with the service description and general terms and conditions (hereinafter referred to as the main contract), insofar as solutions-in-software (hereinafter referred to as the processor) processes personal data on behalf of the client as controller (hereinafter referred to as the client) according to Art. 28 GDPR. This includes all activities that the processor performs to fulfill the contract and that represent a data processing on behalf of the controller. This also applies if the order does not explicitly refer to this Data Processing Agreement.
1.2 The duration of the processing corresponds to the term agreed in the contract.
2. Nature and purpose of the processing
2.1 The nature of the processing includes all types of processing as defined by the GDPR to fulfill the contract.
2.2 Purposes of processing are all purposes required to provide the contracted services (see also Appendix 1 service description) in particular in terms of client support, communication with the client, consultancy, software development, deployment, delivery and providing Software as a Service (SaaS).
3. Type of personal data and categories of data subjects
3.1 The type of processed data is determined by the client by the product selection, the use of the services, and the transmission of data. See also the service description in Appendix 1.
3.2 The categories of data subjects are determined by the client via product selection, the use of the services, and the transmission of data. See also the service description in Appendix 1.
4. Responsibility and processing on documented instructions
4.1 The client is solely responsible for complying with the legal requirements of data protection laws, in particular, the legality of the transfer of data to the processor and the legality of data processing under this Agreement (‚Controller‘ in the sense of Art. 4 no. 7 GDPR). This also applies to the purposes and means of processing set out in this Agreement.
4.2 The instructions are initially determined by the main contract and can then be changed by the client in writing or in an electronic format (text form) by individual instructions (individual instruction). Verbal instructions must be confirmed immediately in writing or in text form. In the event of proposed changes, the processor shall inform the client of the effects that this will have on the agreed services, in particular, the possibility of providing services, deadlines, and remuneration. If the implementation of the instruction is not reasonable to the processor, the processor is entitled to terminate the processing. Unacceptability exists in particular if the services are provided in an infrastructure that is used by several clients/customers of the processor (shared services), and a change in the processing for individual clients is not possible or is unreasonable.
4.3 The contractually agreed data processing takes place as a rule mainly in a Member State of the European Union or in another contracting state of the Agreement on the European Economic Area. In the event that a transfer to a third country takes place, the processor shall ensure that the requirements pursuant to Art. 44 ff. GDPR are fulfilled.
5. Rights of the clients, obligations of the processor
5.1 The processor may process data of data subjects only within the framework of the order and the documented instructions of the client, unless there is an exceptional case within the meaning of Article 28 (3) (a) GDPR (obligation under the law of the European Union or of a Member State). This also refers to transfers of personal data to third countries or international organisations. If there is a processing obligation contrary to an instruction, the processor shall inform the client of the relevant legal requirement before processing, unless the law in question prohibits such information due to an important public interest. The processor shall inform the client without delay if it considers that an instruction violates applicable laws. The processor may suspend the implementation of the instruction until it has been confirmed or modified by the client. The instructions shall be documented by the client and kept for at least the duration of the contractual relationship.
5.2 In the light of the nature of the processing, the processor shall, as far as possible, assist the client with appropriate technical and organisational measures in order to fulfill the rights of the data subjects laid down in Chapter III of the GDPR. The processor is entitled to demand appropriate compensation from the client for these services. The processor shall provide the client with cost information in advance, insofar as the support was not required due to a breach of law or contract by the processor.
5.3 The processor shall assist the client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the processor. The processor is entitled to demand appropriate compensation from the client for these services, insofar as the support was not required due to a breach of law or contract by the processor. The processor shall provide the client with cost information in advance.
5.4 The processor ensures that the employees involved in the processing of the data of the client and other persons acting on behalf of the processor are prohibited from processing the data outside the instruction issued. Furthermore, the processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The same applies to the social secrecy, secrecy of telecommunications according to § 3 TTDSG (German Telecommunications and Telemedia Data Protection Act) and – in knowledge of criminal liability – for the preservation of secrets of professional secrecy according to § 203 StGB (German Penal Code). The obligation of confidentiality/secrecy persists even after the order has been completed.
5.5 The processor shall inform the client immediately if it becomes aware of violations of the protection of personal data of the client. The processor shall take the necessary measures to safeguard the data and to mitigate possible adverse consequences for the data subjects.
5.6 The processor guarantees the written appointment of a Data Protection Officer, who shall carry out his/her activity in accordance with Art. 38 and 39 GDPR. A contact option will be published on the website of the processor.
5.7 At the end of the provision of the processing services, the processor will, at the choice of the client, either delete or return the personal data, unless there is an obligation under European Union or national law to retain the personal data, or something else results under any other contractual arrangements. If the client does not exercise this option, deletion is deemed agreed. If the client chooses to return, the processor can demand a reasonable compensation. The processor shall provide the client with cost information in advance.
5.8 If a data subject asserts claims for compensation according to Art. 82 GDPR, the processor shall support the client in defending the claims within the scope of its possibilities. The processor may require an appropriate remuneration for this.
6. Obligations of the client
6.1 The client must immediately and completely inform the processor if it identifies errors or irregularities with regard to data protection regulations when carrying out the order.
6.2 In the event of termination, the client undertakes to delete personal data which it has stored during its service, before the termination of the Contract.
6.3 At the request of the processor, the client appoints a contact person for data protection matters.
7. Requests from the data subjects
If the data subject approaches the processor with requests for correction, deletion or information, the processor shall refer the data subject to the client, provided that an assignment to the client is possible according to the information of the data subject. The processor shall immediately forward the request of a data subject to the client. The processor shall support the client within the scope of its possibilities. The processor shall not be liable if the request of the data subject is not answered by the client, not answered correctly or not answered in due time.
8. Measures for the security of processing according to Art. 32 GDPR
8.1 The processor will take appropriate technical and organisational measures in its area of responsibility to ensure that the processing is carried out in accordance with the requirements of the GDPR and to ensure the protection of the rights and freedoms of the data subjects. In accordance with Art. 32 GDPR, the processor shall take appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of the processing systems and services in the long run.
8.2 The current technical and organisational measures of the processor will be provided to the client upon request.
9. Proof and verification
9.1 The processor shall provide the client with all the information necessary to prove compliance with the obligations laid down in Art. 28 GDPR and shall allow and contribute to audits, including inspections, carried out by the client or another auditor appointed by the client. The processor is entitled to demand a declaration of confidentiality from the client and its appointed auditor, which shall not, however, prevent the client from providing evidence to the supervisory authority responsible for it. The processor may reject direct competitors of the client or persons who work for direct competitors of the client as auditors.
9.2 The processor may require reasonable compensation for information and assistance, insofar as the audit and/or inspection was not required because of a breach of law or contract by the processor. The processor shall provide the client with cost information in advance.
10. Subprocessors (other processors)
10.1 The client grants the processor the general permission to use other processors within the meaning of Art. 28 GDPR for the fulfilment of the contract.
10.2 The processors currently used are listed in the attachment. The Client agrees to their use.
10.3 The processor shall inform the client if it intends to withdraw or replace other processors. The client may object to such changes.
10.4 The objection to the proposed change can only be raised against the processor for a factual reason within 14 days of receipt of the information about the change. In the event of an objection, the processor may choose to provide the service without the intended change or, if the performance of the service without the intended change is not reasonable to the processor, stop providing its service affected by the change to the client within a reasonable time (at least 14 days) after receipt of the objection.
10.5 If the processor places orders with other processors, it is the processor’s responsibility to impose its data protection obligations under this Contract on the other processor. The processor shall ensure, in particular through regular checks, that the other processors comply with the technical and organisational measures.
11. Liability and compensation
11.1 In the case of assertion of a claim for compensation by a data subject pursuant to Art. 82 GDPR, the parties undertake to support each other and to contribute to the clarification of the underlying facts.
11.2 The liability regulation agreed between the parties in the main contract for the provision of services shall also apply to claims arising from this Data Processing Agreement and the internal relationship between the parties for claims of third parties under Art. 82 GDPR, unless expressly agreed otherwise.
12. Contract period, miscellaneous
12.1 The Agreement begins with its initiation by the client by using any of the services listed in Appendix 1. It ends when the client ceases to use all of the services listed in Appendix 1. If any data processing on behalf of the client still takes place after termination of this contract, the provisions of this Agreement remain valid until the actual end of the processing.
12.2 The processor may amend the Agreement at its reasonable discretion. In particular, the processor expressly reserves the right to unilaterally amend this Agreement if major legal changes in relation to this Agreement occur. The processor shall inform the client of the changes by highlighting the changes to this Agreement and providing an updated "last updated" date.
12.3 The client acknowledges this Agreement as part of the general terms and conditions concerning the services used by it. In the event of any contradictions, the provisions of this Agreement for data processing shall prevail over the provisions of the main contract. Should individual parts of this Agreement be ineffective, this does not affect the validity of the remaining provisions.
12.4 The exclusive place of jurisdiction for all disputes arising from and in connection with this contract is the registered office of the processor. This applies subject to any exclusive statutory place of jurisdiction. This Contract is subject to the statutory provisions of the Federal Republic of Germany.
12.5 If the data of the client is endangered by seizure or confiscation, by a bankruptcy or settlement procedure, or by events or measures of third parties, the processor shall inform the client immediately. The processor will inform all persons responsible in this connection without delay that the sovereignty and the ownership of the data lie exclusively with the client as the 'Controller' within the meaning of the GDPR.
Appendix 1 – Service Description
Client support / Communication with the client
Service description: If you contact me asking for support in any previous, current or future transaction between us or any other topic, I will try to support you in any way deemed sufficient for your request. I might use all information provided by you within any act of communication initiated by you.
Type of personal data: master data (name, address, e-mail, telephone number) and additional data provided by the client
Categories of data subjects: Employees, website visitors, communication participants, customers
Consultancy
Service description: If you contract me for consultancy services, I will analyze your working processes, IT infrastructure (including hardware infrastructure, installed software, and configurations of hardware and software), processes, work-related interactions between the employees in your institution, and other information deemed necessary for fulfilling my consultancy contract. I will only process the information that either was observed by me during an on-site visit or that was provided by you.
Type of personal data: master data (name, function, responsibility, roles) and additional data provided by the client
Categories of data subjects: Employees, customers
Software development/deployment/delivery
Service description: If you contract me with developing, deploying and delivering any software to you, I will use all information that is deemed necessary for implementing the requested software features and that is provided by you. This includes all data provided, generated and used for testing that software.
Type of personal data: any data provided by the client for implementing the required software features
Categories of data subjects: Employees, customers
Software as a Service (SaaS)
Service description: If you use any Software as a Service (SaaS) or other service offered by any of my websites, I will use all information you provide me when using the service.
Type of personal data: Any data that you enter during the process of using the service provided by any of my websites
Categories of data subjects: Employees, website visitors, customers
Approved subprocessors/additional processors
| Subprocessor | Address | Brief description of the service |
| STRATO AG | Otto-Ostrowski-Strasse 7, 10249 Berlin | Hosting of the website, Mail Server services |
| Microsoft Central and Eastern Europe Headquarters | Konrad-Zuse-Str. 1, 85716 Unterschleißheim, Germany | OneDrive Cloud-Hosting for Office365 files |
Please refer to https://learn.microsoft.com/en-us/sharepoint/onedrive-privacy-security-overview for privacy, security and compliance of Microsoft OneDrive