Data Processing Agreement (DPA)
Adverfly GmbH
Hindenburgstraße 37
51643 Gummersbach
and
Company / First name, surname
Street, house no.
Postcode, City, Country
(Optional) Managing Director(s)
Preamble and Scope of Application
1. Terms and Definitions
"Processing" - Pursuant to 4 (8) GDPR, "Processing" is understood to mean the processing of personal data as defined in Article 4 (2) GDPR carried out on behalf of the Controller, irrespective of the number of intermediary processors, by the Processor in accordance with the subject-matter of this DPA."Principal Agreement" - The term " Principal Agreement" covers all types of ongoing business relations between the Customer and the Processor, under which the Processor processes personal data at the instruction of the Customer in accordance with the definition of the subject of the Processing in this DPA. Insofar as the validity of this DPA is otherwise limited (i.e. within this agreement or outside it, in other agreements or regulations) to certain types, categories or specific business relationships, contracts, etc., these are each to be understood as the Principal Agreement. The definition of the Principal Agreement also includes ongoing individual assignments by the Customer to the Processor, which are issued by the Customer within the scope of the Principal Agreement (e.g. in the case of framework contracts)."Controller" - "Controller" is anyone who alone or jointly with others determines the purposes and means of processing (Article 4 (7) GDPR)."Personal Data" - In accordance with Article 4 (1) GDPR, "personal data" (hereinafter also referred to briefly as "data") is all information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person."Data subjects" - In accordance with Article 4 (1) GDPR, "data subjects" are defined as Persons who are at least identifiable by means of personal data. The data subjects concerned by this Processing are determined by the subject-matter of the Processing."Third party" - "Third party" means according to Article 4 (10) GDPR a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data."Sub-processing" - When a processor is not directly appointed by the Controller but by a processor who is the first processor appointed by the Controller, a "sub-processing" is present and the processors following the first processor are referred to as "sub-processors"."Electronic format" - declarations are deemed to have been made in "electronic format" in accordance with Article 28 (9) DSGVO if the declaring person is identifiable and the electronic declaration format is suitable as proof of the declaration. Electronic format" means in particular text form, an agreement stored on permanent data carriers (e.g. e-mail), digital signing procedures or the use of dedicated online functions (e.g. in user accounts). 2. Subject-Matter of the Processing
The Processing is carried out within the framework of the following legal relationship ( Principal Agreement): Usage data, IP addresses, order information (total amount and currency), and device and browser configurations.The detailed information on the subject-matter of the Processing, Data processed, the data subjects and the nature, scope and purposes of the Processing are governed by the provisions of the Annex "The Subject-Matter of the Processing".3. Authority to issue instructions
The Processor may process Data only within the scope of the Principal Agreement and of the Customer's instructions and only insofar as Processing within the scope of the Principal Agreement is necessary.The instructions are initially set out in the Principal Agreement or this DPA may subsequently be amended, supplemented or replaced by the Customer by issuing further instructions in writing or in an electronic format (text form, e.g. e-mail) to the Processor or to the entity designated by the Processor.Oral instructions may be given if they are required by the circumstances (e.g. urgency) and must be confirmed immediately in writing or in electronical form.If, on the basis of objective circumstances, the Processor considers that an instruction of the Customer is contrary to relevant data protection law, the Processor shall without delay inform the Customer thereof and provide objective reasons for his/her opinion. In this case, the Processor shall be entitled to suspend the execution of the instruction until the Customer expressly confirms the instruction and to refuse to execute the instruction in the case of obviously illegal instructions.The Processor may be obliged to carry out processing operations or to communicate information by Union or Member State law and by administrative and judicial measures to which the Customer is subject. In such a case, the Processor shall communicate the legal requirements of the overriding legal obligation to the Customer prior to the processing, unless the law or order in question prohibits such communication on the grounds of an important public interest; in the event of a prohibition on communication, the Processor shall take possible and reasonable measures to prevent or restrict the legally overriding Processing.The Processor shall document instructions given to her/him and their implementation.The Processor shall name the designated representatives authorised to receive instructions and shall be obliged to inform the Customer immediately of any changes to the designated representatives or their contact details, as well as representatives in case of non-temporary absence or inability to be available.4. Sub-Processing
The sub-processor shall be carefully selected by the Processor, having particular regard to the suitability and reliability of the sub-processor to comply with the obligations under this DPA for Processing and the adequacy of the TOMs implemented by the sub-processor.Sub-processing relationships of which the Customer was notified at the time of the conclusion of this DPA shall be deemed approved to the extent of the notification and subject to the provisions of this DPA on sub-processing.The sub-processing relationships already in existence at the time of the conclusion of this DPA are listed by the Processor in the Annex "Sub-Processors" and updated by the Processor.5. Spatial Area of the Processing
The Data is processed within the scope of the DPA in a member state of the European Union (EU) or in another state that is a party to the Agreement on the European Economic Area (EEA).6. Obligations of the Customer
The Customer must inform the Processor without delay and in full if he/she discovers errors or irregularities in the Processing results, instructions or processing procedures with regard to data protection regulations.The Customer shall name the designated representatives authorised to receive instructions and shall be obliged to inform the Processor immediately of any changes to the designated representatives or their contact details, as well as representatives in case of non-temporary absence or inability to be available.In the event of a claim against the Processor by data subjects, third parties, bodies or authorities with regard to possible entitlements arising from the processing of the Data within the scope of this DPA, the Customer undertakes to support the Processor in the defence of the claim within the scope of its possibilities and taking into account the degree of fault of the Contracting Parties.7. Term, Continuation after Termination of the DPA and Deletion of Data
This DPA becomes effective upon its signature or conclusion in an electronic format.The DPA may be terminated by either Contractual Party by giving three months' notice.The right of extraordinary termination is reserved to the Contractual Parties, in particular in the event of a serious breach of the obligations and specifications of this DPA and the applicable data protection law. A serious breach shall be deemed to have occurred in particular if the Processor fails or has failed to perform to a considerable extent the duties specified in the DPA and the agreed technical and organisational measures.In the case of non-material breaches of duty, the termination for good cause must be preceded by a warning notice of the breaches with a reasonable period of notice to remedy them, whereby the warning notice is not required if it is not to be expected that the breaches complained of will be remedied or if they are so substantial that the terminating Contractual Party cannot reasonably be expected to adhere to the DPA.The termination of the Agreement, as well as the termination of this clause must be made at least in electronic format.Upon completion of the Processing under this DPA, the Processor shall, at the Customer's discretion, either destroy or return all Data and copies thereof (as well as all documents, processing and usage results and data files coming into its possession in connection with the contractual relationship), unless there is a legal obligation to store the Data, in which case the Processor shall inform the Customer of the obligation and its scope, unless the Customer can be expected to be aware of the obligation. The destruction or deletion must be carried out in accordance with data protection regulations and in such a way that a recovery of even residual information is no longer possible or cannot be expected with reasonable effort. The objection of a right of retention is excluded with regard to the processed Data and the associated data carriers. With regard to the deletion or return, the rights of the Customer to information, proof and audit apply in accordance with this DPA.The obligations to protect confidential information arising from the DPA shall continue to apply after the end of the DPA, provided that the Processor continues to process the Personal Data covered by the DPA and that compliance with the obligations can reasonably be expected of the Processor even after the end of the DPA.The DPA is concluded in electronic format and is effective without the signatures of the parties.
8. Annex: Subject-Matter of the Processing
Purposes of Processing
Personal data of the Customer shall be processed on the basis of this Data Processing Agreement for the following purposes:
Anonymization and pseudonymization of all personal data upon receipt.Types and Categories of Data
The types and categories of personal data processed on the basis of this DPA include:
Usage data.IP addresses.Order information (total amount and currency).Device and browser configurations.Sources of the Processed Data
The categories of data subjects affected by the processing of personal data on the basis of this DPA include:
Website visitors.Sources of the Processed Data
The data processed on the basis of this DPA are collected or otherwise received from the sources or within the framework of the procedures mentioned below:
Collection in the context of the use of software, websites and other online services.Annex: Sub-Processors
The Processor shall use the following sub-processors in the Processing of data on behalf of the Client:
- A1 Digital Deutschland GmbH (Exoscale): Services in the field of providing information technology infrastructure and related services (e.g., storage space and/or computing capacity); Service provider: A1 Digital Deutschland GmbH (Exoscale), St. Martin Straße 59, 81669 München; Website: https://www.exoscale.com/; Privacy Policy: https://www.exoscale.com/privacy/.
