Data Processing Agreement
between
Client (to be inserted)
- hereinafter referred to as the Controller -
and
IDIO Daten Import Export GmbH, Gottschedstr. 4, 13357 Berlin
- hereinafter referred to as the Processor -
1. Subject of the Agreement
1.1. The subject of the agreement is the operation of infrastructure and "software as a service" as agreed in the service contract.
1.2. The Processor processes personal data on behalf of the Controller. The subject of the contract, therefore, involves data processing on behalf of the Controller. The parties agree that the provisions of the EU General Data Protection Regulation (GDPR), particularly those concerning processing on behalf of a controller, apply to this agreement. The Processor declares that it is capable of properly fulfilling the commissioned services in accordance with Article 28 GDPR.
1.3. This agreement regulates the data protection measures in accordance with Article 28 GDPR and defines the rights and obligations of the Controller and the Processor to meet the data protection requirements.
2. Duration of the Agreement
2.1. The contract ends upon the completion of the last service order and the deletion/destruction of all personal data related to the commission.
2.2. The right to immediate termination remains unaffected. The Controller may terminate the agreement at any time without notice if a serious breach of data protection regulations or this agreement by the Processor or a sub-processor occurs, if the Processor or a sub-processor fails to comply with a directive of the Controller, or if the Processor or the sub-processor avoids reasonable data protection audits.
2.3. Termination of the agreement must be made in writing.
3. Categories of Data Subjects
3.1. The data processing concerns the following categories of natural persons:
- Employees of the Client
- Third-party users of the services
4. Types of Personal Data
4.1. The types/categories of personal data collected, processed, and/or used are as follows:
- Communication data (name, email)
- Data required for authentication and authorization (name and/or login username)
- Log data
5. Location of Processing
5.1. Data processing takes place exclusively within the territory of the Federal Republic of Germany or within the European Union or the European Economic Area states. Processing in other countries is only permitted with the prior consent of the Controller and only if an adequacy decision from the EU Commission pursuant to Article 45(3) GDPR is in place, or if appropriate safeguards in accordance with Article 46(2) GDPR ensure an adequate level of data protection. The Processor must provide evidence of the existence of such safeguards and an adequate level of protection. Evidence can be provided by submitting an appropriate certificate from an accredited certification body under Article 43 GDPR. The Processor commits to ensuring compliance with the safeguards and maintaining an adequate level of data protection. The Controller reserves the right to check the existence of the safeguards and compliance with an adequate level of data protection at any time as part of its audit and control rights.
6. Rights of Control and Audit of the Controller
6.1. The responsibility for assessing the legality of the processing of personal data and for exercising the rights of data subjects lies solely with the Controller. In the case of data processing on behalf of the Controller, the Controller shall only work with processors that provide sufficient guarantees that appropriate technical and organizational measures have been implemented to fulfill the requirements of the GDPR in accordance with Article 28(1) sentence 1 GDPR.
6.2. The Controller is obligated and entitled to verify, before the start of data processing and at its discretion also repeatedly after prior coordination, during normal business hours and to the necessary extent, compliance with the data protection regulations and the contractual agreements, especially the technical and organizational measures taken by the Processor.
For this purpose, the Controller is authorized to request written information and evidence of the implemented data protection measures as well as the technical and organizational implementation thereof, to enter the premises and operational facilities of the Processor, to conduct inspections and audits at its discretion, and to review, to the necessary extent, processing-related documents, processing and operational protocols, systems, stored data, and regulations, guidelines, and manuals governing the commissioned data processing. This includes proof of the appointment of a Data Protection Officer, the obligation of employees to maintain confidentiality, and technical and organizational concepts, e.g., a data protection manual, relevant procedural instructions, and contracts with subcontractors. The Controller's representatives, such as auditors or experts, also possess the same rights, provided they are specifically bound by confidentiality or are subject to criminally sanctioned professional confidentiality obligations.
6.3. The Controller's rights exist during the term of this agreement and beyond until claims under this contract expire, but at least as long as the Controller stores personal data from the commissioned processing activities.
6.4. Audits are to be announced in advance. In special cases, particularly when there are processing issues, reportable incidents, or pending or initiated regulatory actions, the audit may be conducted without prior notice.
7. Instruction Rights of the Controller
7.1. The processing of data is carried out exclusively within the framework of the agreed terms and in accordance with the Controller's instructions. The Controller reserves the right, within the framework of the order description, to issue individual instructions regarding the nature, scope, and method of data processing, as well as changes to the processing. The instructions concern in particular, but not exclusively, the data protection-compliant execution of the commissioned processing and other actions necessary to ensure lawful processing. The instructions are issued in writing, in text form, or in another suitable electronic format. Oral instructions must be confirmed immediately in writing, in text form, or in an electronic format. The instructions must be retained for the duration of the contractual relationship, but at least for the period of their validity.
The Processor must immediately inform the Controller if it believes that an instruction violates the GDPR or other data protection regulations. The Processor may suspend the execution of the instruction until it is confirmed by the Controller. The Controller is liable for unlawful instructions and indemnifies the Processor from any claims for damages or other demands in this regard.
Authorized persons for instructions from the Controller are: Name
Instruction recipients at the Processor are: Simon Wörpel
Changes to the authorized persons or instruction recipients must be communicated without delay.
7.2. Changes to the subject of processing and procedural changes must be agreed upon and documented jointly.
8. Contractor's Duties
8.1 Processing Obligations
The contractor shall execute the contract exclusively in accordance with the agreements made and the instructions of the client. The contractor will not use the data for any other purposes, nor is it permitted to pass it on to third parties.
Excerpts, copies, or duplicates of data or data carriers may only be made or used without the client's knowledge if necessary for the execution of the contract or to ensure proper data processing, or if a legal or other retention obligation exists. Any excerpts, copies, or duplicates made must be promptly and securely deleted, destroyed, or handed over to the client after processing or use is completed.
Any security-relevant decisions regarding the organization of data processing and the procedures applied must be coordinated with the client. The contractor is not permitted to provide information to third parties or the data subject without the client's instruction. Information to the client's employees may only be provided to authorized individuals.
The contractor commits to using only software, data, or data carriers that have been reliably checked for harmful software, to avoid the introduction of viruses, etc.
8.2 Compliance Obligations in Inspections
The contractor agrees to demonstrate compliance with the implemented technical and organizational measures during inspections by the client, provide information, and present or allow access to the relevant documents and systems after prior coordination. The contractor must tolerate and support any inspections by the client on-site and provide all necessary information in the event of data protection and data security incidents.
The contractor can also demonstrate compliance with adequate technical and organizational measures by providing certificates or undergoing certification or a data protection audit by an independent institution or an authorized expert. Regardless of these, the contractor must allow the client to conduct inspections per § 6 of this agreement.
8.3 Reporting Obligations
The contractor must report any significant changes in technical or organizational circumstances that could undermine the security or proper conduct of the contracted services without delay to the client.
The contractor must notify the client of any inspections by the data protection supervisory authority, particularly according to Article 58 GDPR, and any measures or orders regarding the protection of personal data.
The contractor is also required to provide the client with all necessary information needed for the client’s control of the contract and make relevant documentation available upon request. In addition, the contractor must inform the client of any expiration or revocation of certificates or measures according to Article 41(4) GDPR.
The contractor will communicate any changes in the company's data protection officer’s name and contact information or, if no officer is required, the name and contact details of the responsible body to the client.
8.4 Cooperation and Support Obligations
Under Article 28(3) GDPR, the contractor is obligated to provide all information necessary for the processing activity records, risk assessments, and any required data protection impact assessments. Furthermore, the contractor must support the client in fulfilling the rights of the data subjects.
8.5 Organizational Obligations
The contractor is required to implement measures and document procedures that allow for monitoring and traceability of all tasks and processes related to contract processing. Data protection incidents and other significant security disruptions must be documented, including their impact and corrective actions taken, and reported to the client. The documentation must be promptly made available to the client.
If processing occurs from private residences or third-party locations, the client must be informed. The contractor must ensure that confidentiality and security measures are equal to those at the contractor's premises. Any deviation from this must be authorized in writing by the client.
The contractor guarantees that, under Article 37 GDPR and § 38 of the German Federal Data Protection Act (BDSG), a data protection officer is appointed and monitors compliance with the relevant legal data protection provisions.
9. Confidentiality and Other Secrets
9.1. Personal and other data or information that the Processor becomes aware of in the course of fulfilling this contract may only be used by the Processor for the purposes of the commissioned service. The Processor commits to maintaining the confidentiality and integrity of personal data and to treating confidentially all personal data and other internal business circumstances, data, and information (trade secrets) of which it becomes aware in connection with the acceptance and execution of the contract. The Processor shall also bind all employees involved in the performance of this contract to maintain confidentiality in writing, even beyond the termination of the employment relationship, and shall instruct them regarding the data protection obligations under this contract, the dependency on instructions for data processing, and the purpose limitation of such processing. This confidentiality obligation shall also apply beyond the termination of the contractual relationship.
9.2. The Processor confirms that it is familiar with the relevant data protection regulations. The Processor ensures that it uses only its own personnel to perform the tasks and that the employees involved in the execution of the contract are familiar with the applicable data protection regulations and receive regular training.
9.3. The Processor commits to observe all other applicable confidentiality obligations, insofar as they are relevant for the processing, such as social confidentiality, telecommunications confidentiality, and other professional secrets pursuant to § 203 of the German Criminal Code (StGB). The Processor also commits to instructing and obliging its employees to ensure compliance with these confidentiality obligations.
9.4. The Processor is obliged to keep confidential all knowledge acquired during the contractual relationship regarding administrative access data and the Client’s data security measures and under no circumstances make them available to third parties. The Processor may only use the access rights granted to it to the extent necessary for the performance of the data processing. The obligation to maintain confidentiality and other secrets shall also continue beyond the termination of this contract.
10. Subcontracting and subprocessing
10.1. The engagement of subcontractors is only permitted if the client has given written consent prior to awarding the subcontracted services. The client may revoke this consent if there is an important reason, particularly in the case of a breach of law or contract. In such cases, subcontracting must be immediately discontinued. The contractor must ensure that the contractual agreements with the subcontractor are designed to comply with the data protection provisions of this agreement. The contractor is required to regularly monitor compliance with these obligations. The forwarding of data to the subcontractor is only permissible once a contract has been concluded in accordance with these conditions and the subcontractor has fulfilled all the requirements of this agreement.
10.2. The subcontractor must be subject to the same contractual provisions as those applicable to the contractor. The client must be granted the same rights of instruction, control, and audit concerning the subcontractor as those provided in this agreement and Article 28 of the GDPR concerning the contractor. This includes the right of the client to obtain, upon written request, information from the contractor regarding the essential content of the contract and the implementation of data protection obligations in the subcontracting relationship, if necessary by reviewing the relevant contract documents.
10.3. Services that the contractor uses from third parties as ancillary services to support the execution of the contract are not considered subcontracting under this provision. This includes, for example, telecommunications services, maintenance and user services, cleaning services, auditors, or the disposal of data carriers. However, the contractor is required to ensure the protection and security of the client's data by making appropriate and legally compliant contractual agreements and implementing control measures even for outsourced ancillary services.
10.4. Engaging subcontractors outside the territory of the Federal Republic of Germany or the European Union, or the states of the European Economic Area, is only permitted with prior consent from the client and only if there is an adequacy decision by the EU Commission in accordance with Article 45(3) of the GDPR or if other suitable guarantees in accordance with Article 46(2) of the GDPR ensure an adequate level of data protection. Furthermore, the provisions of Section 5 of this agreement also apply to the engagement of subcontractors.
11. Reporting Obligations in Case of Disruptions and Data Breaches
11.1. In the event of a disruption of processing or a data breach, the Processor shall promptly implement all suitable and necessary measures to secure the data and mitigate any potential harm to the affected individuals and the Controller.
11.2. The Processor commits to promptly informing the Controller of any violations of data protection regulations or of the provisions established in this Agreement. This includes serious operational disruptions, suspicions of other violations of data protection regulations, or other irregularities in the handling of personal data of the Controller that could have consequences for the affected individuals or the Controller or cause damage. Data protection breaches specifically include the loss of confidentiality and the loss, destruction, or alteration of the Controller's data or other confidential information under this Agreement.
11.3. The notification to the Controller must include all information necessary for the Controller to assess the incident and its reporting obligations to the supervisory authority and the notification requirements to the affected individuals under Articles 33 and 34 GDPR. This notification must include details about the nature of the incident and the data protection breach, a description of the likely risks to the interests, rights, and freedoms of the affected individuals, and a description of the measures already taken to address or mitigate any potential damage or other risks to the affected individuals and the Controller.
11.4. The Processor shall document the incident and assist the Controller in fulfilling its reporting and notification obligations under Articles 33 and 34 GDPR, and shall undertake all necessary actions within its scope of responsibility to mitigate adverse consequences for the affected individuals and to investigate the incident and its consequences. This obligation continues even after the termination of the contractual relationship.
12. Rights of the Data Subjects
12.1. The Client is solely responsible and competent for upholding the rights of the data subjects. The Processor may only implement the rights of the data subjects in accordance with the Client's instructions. However, the Processor shall support the Client in fulfilling requests and claims from data subjects.
12.2. Requests from data subjects regarding their rights, or requests for information, corrections, or deletions of data, shall be promptly forwarded by the Processor to the Client for resolution. Information to third parties may only be provided following the Client's instructions or must be forwarded to the Client for resolution. Similarly, information to the Client's employees must not be provided directly to them but only through the agreed-upon contact persons.
13. Technical and Organizational Measures
13.1. The Contractor guarantees an adequate level of protection for personal data relative to the risks to the rights and freedoms of data subjects. To this end, the Contractor commits to organizing its internal operations and implementing the necessary technical and organizational measures, taking into account the current state of the art, the implementation costs, and the nature, scope, and purposes of the processing as well as the varying likelihood and severity of the risks to the rights and freedoms of data subjects. These measures shall be designed and continually updated to meet the specific requirements of data protection under the GDPR and to ensure the protection of the rights of the data subjects.
The technical and organizational measures specifically include:
- Ensuring the ongoing confidentiality, integrity, availability, and resilience of systems and services related to the processing of data.
- Rapidly restoring the availability of personal data and access to it in the event of a physical or technical incident.
- Implementing and maintaining procedures for regularly reviewing, assessing, and evaluating the effectiveness of the technical and organizational measures to ensure the security of processing.
13.2. The Contractor ensures compliance with the measures and regulations specified in the self-disclosure attached as an appendix. These measures are considered agreed upon, and the description of the measures will become part of this contract.
13.3. The technical and organizational measures are subject to technological progress and development. Therefore, the Contractor is permitted to implement alternative adequate measures, provided that the security level of the established measures is not undermined. Significant changes must be documented.
13.4. The Contractor may demonstrate the suitability of the technical-organizational measures required under Article 32 of the GDPR by adhering to approved codes of conduct under Article 40 of the GDPR or a data protection seal or certification mark under Article 42 of the GDPR, provided that it is issued for the processing procedures and locations relevant to the contract and pertains to the processing procedures covered by this agreement. The Contractor must promptly inform the Client of any changes to or expiration of the certification. The Client's rights to control and audit remain unaffected.
14. Procedure After Termination of the Contract
14.1. After the completion of the processing, and at the latest upon termination of this contract, the Processor must return to the Controller all documents and results of processing or use, or any personal or other confidential data created or copied in connection with the performance of the contract. Alternatively, these documents and data must be destroyed or securely deleted in accordance with data protection regulations, in coordination with the Controller. Test and scrap materials must be promptly destroyed or handed over to the Controller in a data protection-compliant manner. This obligation also applies equally to any subcontractors involved. Data whose deletion is technically impossible or would involve a disproportionate effort, as well as copies required for proving the proper processing of data or for fulfilling liability and warranty claims, remain unaffected.
14.2. For such data, processing must be restricted in accordance with Article 18 of the GDPR. The Processor may retain these data beyond the end of the contract according to the applicable retention periods and must securely delete them immediately after the expiration of the retention period. The Controller must be informed about the nature and extent of these stored data. The Processor may hand over these data to the Controller at the end of the contract in order to relieve itself of further responsibility for them.
14.3. Upon termination of the contract, the Processor must provide written confirmation to the Controller of the secure deletion or destruction of all documents in its possession.
15. Effectiveness of the Agreement
15.1 If individual provisions are deemed invalid, the remaining provisions remain effective.
16. Liability
16.1 Liability follows Article 82 GDPR.
17. Applicable Law and Jurisdiction
17.1. The law of the Federal Republic of Germany applies, excluding the UN Convention on Contracts for the International Sale of Goods (CISG).
17.2. The place of jurisdiction for all disputes arising from or in connection with this agreement, as well as data protection-related disputes, is Berlin.
17.3. Statutory provisions regarding exclusive jurisdictions remain unaffected.
Place/Date Controller Place/Date Contractor
Signature/Stamp Controller Signature/Stamp Contractor
Version 1.0 | 17.09.2024 | legal@investigativedata.org