Data Processing Agreement (DPA)
1. Subject matter
In connection with the provision of services under the principal agreement, it is necessary for the Processor to handle personal data for which the Controller acts as controller within the meaning of Art. 4 No. 7 GDPR (hereinafter "Controller Data") as a processor within the meaning of Art. 4 No. 8 GDPR. This agreement specifies the data protection rights and obligations of the parties in connection with the Processor's handling of Controller Data for the performance of the principal agreement.
2. Nature and purpose, duration of commissioned processing
2.1 The Processor processes Controller Data on behalf of and only in accordance with the instructions of the Controller. The Controller remains the responsible party under data protection law within the meaning of Art. 5(2) GDPR.
2.2 The collection, processing and use of Controller Data in the context of commissioned processing is carried out in accordance with the specifications on the nature and purpose of the processing set out in Annex 1 to this agreement. The processing relates to the types of personal data and categories of data subjects specified in Annex 1.
2.3 The contractually agreed data processing shall take place exclusively in a Member State of the European Union or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the Controller and may only take place if the specific requirements of Art. 44 et seq. GDPR are met. An adequate level of protection outside a Member State of the European Union or another contracting state of the Agreement on the European Economic Area:
- is established by an adequacy decision of the Commission (Art. 45(3) GDPR);
- or is ensured by binding corporate rules (Art. 46(2)(b) in conjunction with Art. 47 GDPR);
- or is ensured by standard data protection clauses (Art. 46(2)(c) and (d) GDPR);
- or is ensured by approved codes of conduct (Art. 46(2)(e) in conjunction with Art. 40 GDPR);
- or is ensured by an approved certification mechanism (Art. 46(2)(f) in conjunction with Art. 42 GDPR).
2.4 The term and termination of this agreement are governed by the provisions on term and termination in the principal agreement. Termination of the principal agreement automatically terminates this agreement as well. Separate termination of this agreement is excluded as long as this complies with statutory requirements. This agreement may also be replaced by a subsequent agreement.
3. Controller's authority to issue instructions
3.1 The Processor shall use Controller Data exclusively in accordance with the Controller's instructions as expressed conclusively in the provisions of this agreement. Individual instructions that deviate from the provisions of this agreement or impose additional requirements require the Processor's prior consent and shall be issued in accordance with the change procedure set out in the principal agreement.
3.2 If the Processor believes that an instruction violates the GDPR or other data protection provisions of the EU or its Member States, it shall notify the Controller as soon as reasonably possible. The Processor is also entitled to suspend execution of the instruction until the Controller confirms the instruction.
3.3 Where the Processor is required by Union or Member State law applicable to the Processor to process personal data without an instruction from the Controller, the Processor shall notify the Controller of the relevant legal requirements before processing, unless the law prohibits such notification on important grounds of public interest.
3.4 Instructions from the Controller must be issued at least in text form (e.g. by email). Oral instructions shall be confirmed by the Controller without undue delay at least in text form (e.g. by email).
3.5 If claims for damages under Art. 82 GDPR are asserted against the Processor due to a violation of the GDPR, without the Processor having violated an instruction issued by the Controller or otherwise breached its contractual or statutory obligations, the Controller shall indemnify the Processor against all such claims. The Controller shall also bear the costs of the Processor's necessary legal defense, including all court and attorney fees. This indemnification obligation does not apply where an instruction was unlawful and this was obvious to the Processor, or where the claim for damages is based on a breach of a GDPR obligation specifically imposed on processors.
4. Obligations of the Controller
4.1 The Controller is responsible for the lawfulness of the collection, processing and use of Controller Data and for safeguarding the rights of data subjects. If third parties assert claims against the Processor due to the collection, processing or use of Controller Data, the Controller shall indemnify the Processor against all such claims.
4.2 The Controller remains the owner or rights holder of Controller Data and of any rights relating to Controller Data.
4.3 The Controller shall notify the Processor without undue delay and in full if, when reviewing the Processor's work results, it identifies errors or irregularities relating to data protection provisions or its instructions.
4.4 Where the Processor wishes to defend itself by legal means against a claim for damages under Art. 82 GDPR, against a threatened or imposed fine under Art. 83 GDPR or against other sanctions within the meaning of Art. 84 GDPR, the Controller permits the Processor to disclose details of the commissioned processing, including instructions issued, for the purpose of legal defense after coordinating the scope and disclosure with the Controller.
4.5 The Controller shall comply with its general duty to cooperate and provide support in the case of audits by supervisory authorities, administrative offence or criminal proceedings, the assertion of liability claims by a data subject or third party, or the assertion of any other claim, to the extent reasonable and necessary and where there is a connection with this commissioned processing.
5. Obligations of the Processor
5.1 The Processor may not create copies or duplicates of Controller Data in the context of commissioned processing without the Controller's prior consent. This does not apply to copies required to ensure proper data processing and proper provision of the services under the principal agreement (including data backups), or to copies required to comply with statutory retention obligations.
5.2 The Processor shall support the Controller, to the extent reasonable and necessary, in audits by supervisory authorities, administrative offence or criminal proceedings, the assertion of liability claims by a data subject or third party, or the assertion of any other claim, where there is a connection with this commissioned processing.
5.3 If the Processor is affected by an audit or measure by a supervisory authority that also relates to this commissioned processing, the Processor shall inform the Controller accordingly. This also applies where an authority investigates the Processor in administrative offence or criminal proceedings relating to the processing of personal data in commissioned processing.
5.4 The Processor shall bind persons engaged in processing Controller Data to confidentiality in writing in accordance with Art. 28(3), sentence 2(b) GDPR and shall first familiarise them with the data protection provisions relevant to them. This is not separately required where the persons engaged in processing Controller Data are already subject to an appropriate statutory duty of confidentiality.
5.5 Where and as long as the statutory requirements for appointing a data protection officer are met, the Processor shall appoint in writing a knowledgeable, capable and reliable company data protection officer with expertise in data protection law and practice, who performs the duties under Art. 38 and 39 GDPR and Section 38(2) BDSG. The contact details of the data protection officer shall be communicated to the Controller at least in text form (e.g. by email) for the purpose of direct contact. Any change of data protection officer shall be communicated to the Controller without undue delay. If there is no obligation to appoint a company data protection officer, the Processor shall designate a contact person for data protection matters to the Controller at least in text form (e.g. by email) and communicate that person's contact details. If the Processor is established outside the EU, it shall designate a representative in the EU under Art. 27(1) GDPR and communicate that representative's contact details to the Controller.
5.6 The Processor is subject to supervisory authority oversight under Section 40 BDSG and to the fine and criminal provisions in Sections 42 and 43 BDSG and Art. 83(4)-(6) GDPR in accordance with Section 41 BDSG.
5.7 The Processor shall ensure that the Controller can verify the Processor's compliance with its obligations under Art. 28 GDPR. The Processor undertakes to provide the Controller, upon request, with the required information and, in particular, to demonstrate implementation of the technical and organisational measures to be taken under Annex 2 within the scope of the audit rights under Clause 8 of this agreement.
6. Technical and organisational measures
6.1 Before beginning to process Controller Data, the Processor shall implement the technical and organisational measures listed in Annex 2 to this agreement in accordance with Art. 28(3), sentence 2(c) and Art. 32 GDPR and maintain them throughout the term of the agreement. Overall, the measures to be taken are data security measures intended to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of systems. The state of the art, implementation costs, and the nature, scope and purposes of processing, as well as the varying likelihood and severity of risks to the rights and freedoms of natural persons within the meaning of Art. 32(1) GDPR, must be taken into account.
6.2 Since technical and organisational measures are subject to technical progress and technological development, the Processor is permitted to implement alternative adequate measures, provided that the security level of the measures specified in Annex 2 is not reduced. The Processor shall document such changes. Material changes to the measures require the Controller's prior written consent and shall be documented by the Processor and made available to the Controller upon request.
7. Processor assistance with Controller obligations under Art. 32-36 GDPR
7.1 Taking into account the nature of the processing and the information available to the Processor, the Processor shall assist the Controller in complying with the obligations set out in Art. 32 to 36 GDPR regarding the security of personal data, notification obligations in the event of personal data breaches, data protection impact assessments and prior consultations. This includes, in particular:
- ensuring an appropriate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing and the predicted likelihood and severity of a possible rights violation due to security vulnerabilities, and that enable relevant breach events to be identified immediately;
- supporting the Controller in the event of a personal data breach under Art. 33 GDPR;
- supporting the Controller in fulfilling its information obligation toward a data subject under Art. 34 GDPR;
- supporting the Controller with data protection impact assessments within the meaning of Art. 35 GDPR;
- supporting the Controller with prior consultations with the supervisory authority under Art. 36 GDPR.
7.2 For assistance services that are not included in the service description or are attributable to misconduct by the Controller, the Processor may claim remuneration appropriate to the scope of services.
8. Controller audit rights
8.1 The Controller is entitled, during normal business hours, at its own cost, without disrupting operations and subject to strict confidentiality regarding the Processor's trade and business secrets, to enter the Processor's business premises where Controller Data is processed in order to verify compliance with the obligations arising from this agreement, in particular the technical and organisational measures under Annex 2 to this agreement. Upon request, the Processor shall demonstrate implementation of the technical and organisational measures to the Controller.
8.2 The Processor shall grant the Controller the access, information and inspection rights required to carry out audits under Clause 8.1.
8.3 The Controller shall notify the Processor in good time (generally at least two weeks in advance) of all circumstances connected with conducting the audit. As a rule, the Controller may conduct one audit per calendar year. This does not affect the Controller's right to conduct further audits in the event of special incidents or due to official or judicial obligations.
8.4 If the Controller engages a third party to conduct the audit, the Controller shall impose written obligations on the third party equivalent to those imposed on the Controller toward the Processor under Clause 8 of this agreement. The Controller shall also bind the third party to confidentiality and secrecy unless the third party is subject to a professional duty of confidentiality. Upon request by the Processor, the Controller shall provide the Processor with the corresponding undertaking agreements with the third party without undue delay. The Controller may not engage a competitor of the Processor to conduct the audit.
8.5 At the Processor's option, evidence of compliance with the technical and organisational measures under Annex 2 may, instead of an on-site audit, also be provided through compliance with approved codes of conduct under Art. 40 GDPR, certification under an approved certification mechanism under Art. 42 GDPR, submission of suitable current attestations, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors or quality auditors), or suitable certification by IT security or data protection audits, e.g. according to BSI baseline protection, provided that the audit report enables the Controller in an appropriate manner to verify compliance with the technical and organisational measures under Annex 2 to this agreement.
9. Sub-processing relationships
9.1 The Processor may establish sub-processing relationships (sub-processors) concerning the processing or use of Controller Data. The sub-processors currently engaged by the Processor are listed by name, address and subject matter in Annex 3. The Controller agrees to their engagement. The Processor shall always inform the Controller of any intended change relating to the engagement or replacement of other sub-processors. If the Controller does not object to a new sub-processor within 4 weeks of receipt of the notification about the new sub-processor, the engagement shall be deemed approved by the Controller; where, exceptionally, earlier approval by the Controller is strictly necessary to avoid delaying contractual performance, the Processor shall inform the Controller of this when notifying it of the new sub-processor and the above period shall be shortened to 2 weeks.
9.2 Services that the Processor obtains from third parties as ancillary services to support performance of the commissioned processing are not considered sub-processing relationships within the meaning of this provision. These include, for example, telecommunications services, maintenance and user support, cleaning staff, auditors or disposal of data carriers, provided that they do not relate exclusively to this commissioned processing relationship. However, the Processor is obliged to enter into appropriate and legally compliant contractual arrangements and implement control measures to ensure the protection and security of the Controller's data also in the case of outsourced ancillary services.
9.3 The obligation of the sub-processor must be in writing, which may also be in electronic format (e.g. by email). The Processor shall carefully select the sub-processor and, before engagement, verify that the sub-processor can comply with the agreements made between the Controller and the Processor. For each sub-processing engagement, the Processor shall ensure that the conditions set out in Art. 28(2) and Art. 28(4) GDPR are met.
9.4 The Processor shall ensure that the provisions agreed in this agreement and any supplementary instructions from the Controller also apply to the sub-processor. Exercise of the Controller's audit rights under Clause 8 must generally also be possible with respect to the sub-processor. Upon written request, the Controller is entitled to receive from the Processor information about the material data protection content of the sub-processing agreement and the implementation of the sub-processor's data protection obligations, where necessary also by inspecting the relevant contractual documents.
9.5 The provisions in this Clause 9 also apply if a sub-processor is engaged in a third country. In such case, the Processor shall ensure data protection lawfulness through suitable legal instruments, for example EU standard contractual clauses and an accompanying transfer impact assessment. All relevant information shall be provided to the Controller. The Processor is liable to the Controller for the lawfulness of involving the sub-processor, including with regard to the lawfulness of the transfer.
9.6 Disclosure of Controller Data to the sub-processor and the sub-processor's initial activity are permitted only once all requirements for sub-processing have been met.
10. Rights of data subjects
10.1 The rights of persons affected by the data processing under Chapter 3 GDPR (Art. 12-23 GDPR), taking into account Part 2, Chapter 2 BDSG (Sections 32-37 BDSG), in particular rights to information, access, rectification, erasure, restriction of processing, data portability or objection regarding stored Controller Data, must be asserted against the Controller.
10.2 If a data subject contacts the Processor directly regarding the rights listed in Clause 10.1, the Processor shall forward the request to the Controller without undue delay.
10.3 Where a data subject exercises rights within the meaning of Clause 10.1, the Processor shall support the Controller in fulfilling those claims with appropriate technical and organisational measures, taking into account the nature of the processing and to the extent appropriate and necessary for the Controller.
10.4 The Processor shall enable the Controller to rectify, erase or restrict/block Controller Data or, at the Controller's request, carry out the rectification, restriction/blocking or erasure itself if and to the extent this is impossible for the Controller.
11. Return and deletion of provided data and data carriers
11.1 Upon request, the Processor shall securely delete all Controller Data after completion of the contracted service provision (in particular upon termination or other end of the principal agreement), or earlier upon request by the Controller, and shall return any data carriers received from the Controller that still contain Controller Data at that time. The same applies to test and reject material. This does not apply where storage of the personal data is required under Union or Member State law.
11.2 The Processor shall create a record of deletion or destruction of Controller Data and provide it to the Controller upon request.
11.3 Documentation serving as proof of commissioned and proper data processing or statutory retention periods shall be retained by the Processor beyond the end of the agreement in accordance with the applicable retention periods.
12. Relationship to the principal agreement
Unless this agreement contains specific provisions, the provisions of the principal agreement apply. In the event of contradictions between this agreement and provisions of other agreements, in particular the principal agreement, the provisions of this agreement prevail.
13. Term of application
The provisions of this "Data Processing Agreement under Art. 28 GDPR" apply from 25 May 2018. Until the end of 24 May 2018, only the preceding "Agreement on Commissioned Data Processing under Section 11 BDSG" applied.
Annex 1: Nature and purpose of data processing, types of data and categories of data subjects
Nature and purpose of processing
Collection, processing and use of address and contact data via the returnsportal.online platform, in particular:
- Processing return registrations
- Generating labels for shipping
- Platform-related forwarding of address and contact data to transport companies selected by the Controller
- Contract performance and abuse control
Types of personal data
Name, postal address, email, order data (item information)
Categories of data subjects
Customers of the Controller
Annex 2: Technical and organisational measures
1. Confidentiality (Art. 32(1)(b) GDPR) and encryption (Art. 32(1)(a) GDPR)
Physical access control
Measures to prevent unauthorised persons from gaining physical access to data processing facilities used to process personal data:
- Individual physical access authorisation by code card, key or other authorisation passes (entrance, office, IT server area)
- Physical access rules for non-company persons (e.g. visitor registration)
- Company instructions for physical access control measures
System access control / encryption
Measures to prevent unauthorised persons from using data processing systems and procedures:
- Access to IT systems is possible only with a user ID and password (password rules apply)
- Isolation of internal networks against unwanted external access (firewall)
- Screen lock
- External access is specially secured (e.g. encryption, VPN access)
Data access control
Measures to ensure that persons authorised to use data processing systems can access only the personal data covered by their access authorisation:
- Individual access rights to IT for user groups (in a written authorisation concept)
- Differentiation of access permissions (read/write/modify)
Separation control / purpose limitation control
Measures to ensure that data collected for different purposes can be processed separately:
- Separate folder structures for customer data sets
- Separation of production and test systems (in separate databases)
2. Integrity (Art. 32(1)(b) GDPR)
Transfer control
Measures to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission, transport or storage on data carriers, and that it can be checked and established to which bodies a transmission of personal data by data transmission facilities is intended:
- Safeguards for electronic data transmission (e.g. encryption, VPN etc.)
- Safeguards for physical transport of data (e.g. locked containers)
Input control
Measures to ensure that it can be subsequently checked whether and by whom personal data has been entered, modified or removed in data processing systems:
- Logging of data entries and changes
3. Availability and resilience (Art. 32(1)(b) GDPR), rapid recoverability (Art. 32(1)(c) GDPR)
Availability control
Measures to ensure that personal data is protected against accidental destruction or loss (the information relates to the Processor's own IT systems) and the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident:
- Regular backups of data sets
- All data is checked by current virus scanners
- Storage of backups in specially protected locations outside IT processing
- Uninterruptible power supply (UPS)
4. Process for regular review, assessment and evaluation (Art. 32(1)(d) GDPR, Art. 25(1) GDPR)
Commissioned processing control
Measures to ensure that personal data processed on behalf of the Controller can be processed only in accordance with the Controller's instructions:
- Contractual arrangements for data processing with service providers (within the meaning of Art. 28 GDPR)
- Logging of disclosures (written documentation)
Data protection management
Measures governing how statutory and company data protection requirements are systematically planned, organised, managed and controlled:
- Company instructions on data protection for employees
- IT security policy
- Appointment of a data protection officer
- Written data protection management system
5. Pseudonymisation (Art. 32(1)(a) GDPR, Art. 25(1) GDPR)
Measures to ensure that personal data is processed in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organisational measures. Data is processed internally under a pseudonym where a personal reference can be avoided.
Annex 3: Sub-processors
| Sub-processor | Address / country | Subject matter / service | Safeguard / transfer mechanism |
|---|---|---|---|
| Amazon Web Services | Amazon Web Services, Inc. 410 Terry Ave North Seattle, WA 98109-5210, United States | Hosting / data processing | Standard Contractual Clauses |
| Google Workspace (G Suite) | Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland | Email hosting for operational communications between customer and 8returns | Standard Contractual Clauses |
| Salesforce | Salesforce Inc., 415 Mission St., 3rd Floor, San Francisco, CA 94105, United States | Hosting / data processing | Standard Contractual Clauses |
| Twilio | 645 Harrison Street, 3rd Floor, San Francisco, CA 94107, United States | Email delivery / customer communication | Standard Contractual Clauses |
| LogDNA | LogDNA Inc., 236 Castro St, Mountain View, CA 94041, United States | Error analysis | Standard Contractual Clauses |
| shipcloud | Shipcloud GmbH, St. Annenufer 5, 20457 Hamburg, Germany | Labelling & tracking | Established in a Member State of the European Union |
| DHL | DHL Paket GmbH, Sträßchensweg 10, 53113 Bonn, Germany | Labelling & tracking | Established in a Member State of the European Union |
| EasyPost | EasyPost, 2889 Ashton Boulevard, Suite 325, Lehi, UT 84043, United States | Labelling & tracking | Standard Contractual Clauses |
| Sendcloud | Sendcloud, Stadhuisplein 10, 5611 EM Eindhoven, The Netherlands | Labelling & tracking | Established in a Member State of the European Union |
| Mailtrap | Mailtrap, 925 N La Brea Ave, Suite 400, office 560, West Hollywood, CA 90038, United States | Email delivery / customer communication | Standard Contractual Clauses |