Supplemental agreement for contract data processing pursuant to Article 28 GDPR
between
NAME
ORGANIZATION
STREET
POST CODE/CITY
COUNTRY
– Controller within the meaning of Art. 4(7) GDPR, hereinafter referred to as the “Controller” –
and
Rodalo GmbH, Münchhof 51, 53797, Germany
– Processor within the meaning of Art. 4(8) GDPR, hereinafter referred to as the “Processor” –
Preamble
This contract data processing agreement governs the obligations of the contracting parties with regard to data protection arising under the service agreement, including product descriptions.
Product: typeslide.com
Customer number: ____
Contract number: ____
URL: ____
Contract date: ____
This agreement applies to all activities related to the primary contract in which employees of the Processor or agents of the Processor may come into contact with personal data of the Controller. The Processor will collect, process and otherwise use personal data for the Controller exclusively within the scope of this contract data processing agreement in accordance with Art. 28 GDPR. Upon conclusion of this agreement, all previously concluded Data Privacy Agreements, if any, shall become invalid.
§ 1 Scope and responsibilities
- The subject, type and purpose of the contract are activities whose specification is based on the service contract referred to above and the associated product descriptions.
- The Processor shall not use data provided to them for processing for any other purposes. Copies and/or duplicates may not be made without the knowledge of the Controller. This does not include backup copies, to the extent necessary to ensure proper data processing, and data required to comply with the statutory retention obligations.
- The Controller is solely responsible for assessing the lawfulness of the collection, processing and use of personal data by the Processor within the framework of their contractual relationship with regard to the provisions of the European General Data Protection Regulation (GDPR) and other relevant laws and regulations concerning data protection.
§ 2 Location of the intended data processing
The contractually agreed upon data processing shall take place exclusively within a Member State of the European Union or in another state that is party to the Agreement on the European Economic Area (EEA). The transfer of personal data to entities domiciled neither in a Member State of the European Union nor any other contracting state to the Agreement on the European Economic Area (so-called “third country”) requires the consent of the Controller and may only take place if the special requirements of Art. 44 ff. GDPR have been satisfied.
§ 3 Type of data processed and categories of data subjects
The personal data undergoing processing pursuant to this agreement includes the following data types/categories (list/description of data categories):
- Name
- Email address
- Profile picture (avatar image)
The categories of data subjects affected by the processing include:
- Employees of the Controller
- Customers of the Controller
- Suppliers of the Controller
For billing purposes the Processor processes the following data from the Controller:
- Company name
- Billing address
- Bank details
- VAT ID
For the purpose of optimizing the product and service the Processor processes the following data from the Controller:
- Feedback and suggestions for improvement
- User behavior
- Ratings
§ 4 Technical and organizational measures
The Processor shall structure their internal organization in such a way that they will meet the special requirements applicable to data protection. The measures implemented by the Processor are set out in Annex 1 to this contract data processing agreement. The Processor shall keep their documentation of technical and organizational measures up to date at all times.
§ 5 Rectification, restriction and erasure of data
- The Processor may only rectify, erase or restrict the processing of data as processed pursuant to this contract if instructed to do so by the Controller. If a data subject contacts the Processor directly in this context, the Processor shall forward this request to the Controller.
- After completion of the contractual work, the Processor shall hand over to the Controller all data, documents and processing or usage results in their possession or in the possession of subcontractors that were created in connection with the contractual relationship, or have them deleted or destroyed in accordance with data protection regulations. The same applies to test and reject material. The deletion or destruction shall be confirmed to the Controller in writing or in a documented electronic format, stating the date. Any statutory storage obligations or other obligations to store the data shall remain unaffected.
§ 6 Obligations of the Controller
- The Controller is responsible for all data, automated procedures and data processing equipment within their area of responsibility as well as for safeguarding the rights of data subjects.
- The Controller shall review the technical and organizational measures provided by the Processor to determine whether they are appropriate for their data processing. Further measures shall be determined by the Controller. The costs of such technical and organizational measures that must be implemented as part of the Processor’s operations due to any special requirement by the Controller shall be borne by the Controller.
- The Controller has the right to issue instructions concerning the type, scope and sequence of the work. All such instructions must be issued in writing. Oral instructions must be confirmed by the Controller in writing without undue delay.
- Persons who are authorized to issue instructions, take receipt of consignments and perform monitoring must be named in writing. They must identify themselves when performing their functions.
§ 7 Duties of the Processor
- In addition to complying with the provisions of this agreement, the Processor shall comply with the statutory obligations set out in Articles 28 to 33 GDPR. Without limitation, the Processor shall ensure compliance with the following requirements:
- Written appointment of a data protection officer who will perform their duties in accordance with Articles 38 and 39 GDPR. The contact details for the data protection officer are set out in Annex 1.
- Maintaining confidentiality in accordance with Articles 28(3)(b), 29, 32(4) GDPR. In carrying out their work, the Processor shall exclusively use employees who are bound to maintain confidentiality and who have previously been familiarized with the relevant data protection provisions. The Processor and any person under their authority who has access to personal data of the Controller may only process such data exclusively in accordance with instructions from the Controller, including the authority granted in this agreement, unless they are legally obliged to process such data.
- The implementation and compliance with all technical and organizational measures required for the respective contract data processing in accordance with Articles 28(3)(c), 32 GDPR. The technical and organizational measures are documented in Annex 1 to this agreement.
- Notification of the Controller regarding control procedures and measures taken by the supervisory authority in so far as they relate to the underlying contractual relationship.
- The Processor may only provide information to data subjects or third parties concerning the underlying contractual relationship with the consent of the Controller unless they are legally obliged to do so.
§ 8 Subcontractors
- Subcontracting relationships within the meaning of this provision shall be understood to mean those services which relate directly to the provision of the principal service. This does not include ancillary services used by the Processor, e.g. telecommunications services, postal/transport services, maintenance and user services or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software used in data processing systems. However, the Processor shall be obliged to undertake appropriate and legally binding contractual agreements and control measures to ensure the data protection and the data security of the Controller’s data, including in relation to outsourced ancillary services.
- The Processor may only engage subcontractors to process personal data of the Controller if they are located in a Member State of the European Union or in another country which is a signatory to the Agreement on the European Economic Area (EEA). Forwarding, storing and processing data using automated data processing systems outside the EU or the EEA is not permitted.
- The Controller agrees to the engagement of those subcontractors listed on our website at the time the respective contract was concluded on condition of a contractual agreement in accordance with Art. 28(2)-(4) GDPR.
- Outsourcing to further subcontractors or changing an existing subcontractor shall become an integral element of the contract provided that:
- The Processor notifies the Controller in text form of outsourcing to such subcontractors prior to the start of processing by the respective subcontractor. This is done by sending a newsletter containing the intended change in subcontractors. The Controller’s right of objection extends for two weeks after notification, and notice must likewise be given in writing or in text form. The change as referred to in Art. 28(2) GDPR is deemed to have been authorized upon expiry of the objection period.
- A contractual agreement in accordance with Art. 28(2)-(4) GDPR serves as the basis for the engagement.
- The Processor shall regularly check the subcontractor’s compliance with data protection requirements. It shall be contractually regulated that the subcontractor shall tolerate these control measures and any on-site inspections. Upon request, the Controller shall be entitled to obtain information on the essential content of the contract and the implementation of the subcontractor’s data protection obligations, if necessary also by inspecting the relevant contract documents.
- The transfer of personal data from the Controller to the subcontractor, and their commencement of work, are only permitted if all requirements for subcontracting are met.
- The Controller’s email address shall be used for purposes of implementing a change in subcontractors by means of sending a newsletter.
- If the Controller objects to a change in subcontractors without indicating data protection-related grounds, the Processor is entitled to exercise an extraordinary right to terminate the contract to provide services referred to in Section 1, provided that the Processor cannot reasonably be expected to remain obliged under such contract while retaining the subcontractor concerned.
§ 9 Control rights of the Controller
- Upon appropriate advance notice, the Controller is entitled to have inspections performed by auditors to be appointed on a case-by-case basis. The Processor shall ensure that the Controller can satisfy themselves of the Processor’s compliance with the obligations in accordance with Art. 28 GDPR. The Processor shall grant the Controller access to the Processor’s property and business premises upon prior arrangement of an appointment during normal local operating and business hours. The Processor is required to furnish the necessary information to the Controller on request and to demonstrate, in particular, the implementation of the technical and organizational measures.
- Proof of such measures, which do not only relate to a specific engagement, may be provided in the form of compliance with approved rules of conduct in accordance with Art. 40 GDPR; certification according to an approved certification procedure pursuant to Art. 42 GDPR; current certificates, reports or report extracts from independent bodies (e.g. auditor, internal audit department, data protection officer); suitable certification by IT security or data protection audit (e.g. according to BSI Basic Protection).
§ 10 Notification of breaches by the Processor
- The Processor shall inform the Controller of violations of the protection of personal data, disturbances, breaches of data protection regulations or the specifications made in a specific agreement by the Processor or persons employed by them or engaged by them. This is especially the case with regard to any legal obligations of the Controller to notify data subjects or the supervisory authorities.
- To the extent possible, the Processor shall assist the Controller in complying with the obligations set out in Articles 30 to 36 GDPR concerning the security of personal data, notification obligations in the event of personal data breaches, data protection impact assessments and prior consultations. This includes, in particular:
- Subdivision of the facility into individual security areas;
- Ensuring an adequate level of protection by means of technical and organizational measures that consider the circumstances and purposes of the processing, as well as the predicted likelihood and severity of a possible infringement due to vulnerabilities, and that make immediate identification of relevant violations possible;
- The obligation to report personal data breaches to the Controller;
- The obligation to support the Controller in connection with their duty to inform data subjects;
- Supporting the Controller in connection with their obligations to carry out data protection impact assessments;
- Supporting the Controller in connection with prior consultations with the supervisory authority.
§ 11 Confidentiality obligations
- Both parties agree that all information obtained in the course of executing this contract shall be treated as confidential for an indefinite period and shall be used exclusively to perform the tasks agreed herein. Neither party is entitled to use this information in whole or in part for any other purposes other than those referred to above or to disclose such information to third parties.
- The foregoing obligation does not apply to information which one of the parties has demonstrably received from third parties without being bound to maintain confidentiality or which is publicly known.
§ 12 Contract term
- The validity of this agreement for contract data processing (“term”) corresponds to the term of the service agreement referred to in section 1. The confidentiality obligation survives the term of this contract.
- A violation of legal or contractual data protection provisions by the Processor represents good cause for the Controller to exercise their right of extraordinary termination as reserved in the service agreement referred to in section 1.
§ 13 Severability
Should one or more provisions of this agreement be or become invalid or unenforceable, this shall not affect the validity of the remaining provisions of this agreement.
§ 14 Final provisions
- Amendments or supplements to this agreement must be made in writing and must be signed by both parties. This also applies to the amendment of this written form clause. E-mail does not satisfy the written form requirement.
- The assertion of a right of retention within the meaning of section 273 of the German Civil Code (BGB) is excluded with respect to the processed data and the associated data storage devices.
- This agreement is governed exclusively by the laws of the Federal Republic of Germany. The place of jurisdiction for all disputes arising under or in connection with this contract is Siegburg.
§ 15 Effective date
This agreement is effective upon its signing.
§ 16 Annexes
The following Annexes are appended to this contract data processing agreement:
- Annex 1: Technical and organizational data security measures
- Annex 2: Further Processors
§ 17 Signatures
Controller
______
NAME – ORGANIZATION
CITY, YYYY-MM-DD
Processor
Roman Roelofsen – Rodalo GmbH
53797 Lohmar, Germany