Data Processing Agreement (V1.0) pursuant to Art. 28 GDPR

Between
(hereinafter called “Controller”)

and Martin Kufner, 9 Avenue de Versailles, 75016 Paris, France
martin.kufner@quiz.baby
(hereinafter called “Processor”)

Subject and duration of the Data Processing Agreement

  1. Subject
    The subject of the Data Processing Agreement is the performance of the following tasks by the Processor:
    1. Help the Controller do their work on social web platforms.
    2. To make it easier to find and organize social contacts, retrieve and process data from the Controller's social web pages.
    3. Store metadata created by the Controller, such as tags and ratings of social platform profiles, feeds and the like.
    4. Execute interactions by order of the Controller on social web pages.
  2. Duration
    The Data Processing Agreement is placed for an indefinite period and may be terminated by either party with a notice period of 3 weeks. The possibility of termination without notice remains unaffected by this.

Concretization of the content of the Service Agreement

Further details on the nature and purpose of the intended processing or use are given in Section A. of Attachment 1 to this Data Processing Agreement. The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the Controller and may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled. The adequate level of protection is established by Standard Contractual Clauses passed by the European Commission (Art. 46 para. 2 lit. c and GDPR). The categories of personal data are listed under Section B. of Attachment 1. The categories of data subjects are listed in Section C. of Attachment 1.

Technical-organizational measures

  1. The Processor shall document the implementation of the technical and organizational measures presented and required prior to the execution of the Data Processing Agreement, and shall submit them to the Controller for review. If accepted by the Controller, the documented measures shall become the basis of the Data Processing Agreement. Insofar as the examination/audit of the Controller reveals a need for adaptation, this shall be implemented by mutual agreement.
  2. The Processor shall establish security pursuant to Art. 28 para. 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 para. 1 and 2 GDPR. Overall, the measures to be taken are data security measures to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. In this context, the state of technology, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 para. 1 GDPR must be taken into account [details in Attachment 2].
  3. The technical and organizational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures. In doing so, the security level of the defined measures must not be undercut. Significant changes shall be documented.

Correction, restriction and deletion of data

  1. The Processor may not correct, delete or restrict the processing of the data processed under the Data Processing Agreement at its own initiative, but only in accordance with the documented instructions of the Controller. Insofar as a data subject contacts the Processor directly in this regard, the Processor shall forward this request to the Controller without delay.
  2. To the extent covered by the scope of services, the deletion, right to be forgotten, correction, data portability and information shall be ensured directly by the Processor in accordance with the Controller's documented instructions.

Quality assurance and other obligations of the Processor

In addition to compliance with the provisions of this Data Processing Agreement, the Processor shall have legal obligations pursuant to Art. 28 to 33 GDPR; in this respect, the Processor shall in particular ensure compliance with the following regulations:
  1. Written appointment of a data protection officer who carries out his activities in accordance with Art. 38 and 39 GDPR.
  2. The Processor is not obliged to appoint a data protection officer.
  3. As the Processor has its registered office outside the European Union, it shall appoint the following representative in accordance with Article 27 para. 1 GDPR within the European Union: [Enter: first name, last name, organizational unit, telephone, e-mail]
  4. Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When performing the work, the Processor shall only use employees who have been obligated to maintain confidentiality and who have previously been familiarized with the data protection provisions relevant to them. The Processor and any person subordinate to the Processor who has access to personal data may process this data exclusively in accordance with the Controller's instructions, including the powers granted in this Agreement, unless they are legally obligated to process it.
  5. The implementation of and compliance with all technical and organizational measures required for this agreement in accordance with Art. 28 para. 3 sentence 2 lit. c, 32 GDPR [details in Attachment 2].
  6. The Controller and the Processor shall, if requested, cooperate with the Supervisory Authority in the performance of their own duties.
  7. The Processor shall immediately inform the Controller about inspections and measures of the Supervisory Authority, insofar as they relate to this Data Processing Agreement. This shall also apply insofar as a Supervisory Authority investigates in the context of administrative offense or criminal proceedings regarding the processing of personal data processed under this Data Protection Agreement.
  8. Insofar as the Controller is exposed to an inspection by the Supervisory Authority, an administrative offense or criminal proceedings, a liability claim by a data subject or a third party or any other claim in connection with the processing of personal data processed under this Data Protection Agreement, the Processor shall support the Controller to the best of its ability.

Subcontracting relationships

  1. Subcontracting relationships within the meaning of this clause shall be understood as services which relate directly to the provision of the processing under this Data Processing Agreement. This does not include ancillary services which the Processor uses, for example, telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Processor shall be obligated to implement appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security of the Controller's data even in the case of outsourced ancillary services.
  2. The Processor may engage sub-processors providing their services within the EU/EEA.

Control rights of the Controller

  1. The Controller shall have the right to carry out audits in consultation with the Processor or to have them carried out by auditors to be named in individual cases. It shall have the right to be ensured of the Processor's compliance with this Agreement in its business operations by means of spot checks, which must generally be notified in due time.
  2. The Processor shall ensure that the Controller can satisfy itself of the Processor's compliance with its obligations pursuant to Art. 28 GDPR. The Processor undertakes to provide the Controller with necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.
  3. Evidence of such measures can be provided by compliance with approved rules of conduct in accordance with Art. 40 GDPR; certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR; current attestations, reports or report extracts from independent bodies (e.g. auditors, auditing, data protection officers, IT security department, data protection auditors, quality auditors); suitable certification by IT security or data protection audit (e.g., according to BSI-Grundschutz).
  4. The Processor may not claim remuneration for enabling inspections by the Controller if these audits do not happen more than once a year or in justified individual cases.

Notification of violations by the Processor

  1. The Processor shall support the Controller in complying with the obligations set out in Art. 32 to 36 GDPR regarding the security of personal data, data breach notification obligations, data protection impact assessments and prior consultations. This includes, among other things:
    1. ensuring an adequate level of protection through technical and organizational measures that consider the circumstances and purposes of the processing, as well as the predicted likelihood and severity of a potential security breach, and allow for the immediate detection of relevant breach events,
    2. the obligation to report personal data breaches to the Controller without delay,
    3. the obligation to assist the Controller within the scope of its duty to inform the data subject and, in this context, to provide it with all relevant information without delay,
    4. the support of the Controller for its data protection impact assessment,
    5. the support of the Controller within the scope of prior consultations with the supervisory authority.
  2. The Processor may claim compensation for support services that are not included in the description of services or are due to the Processor's misconduct.

Authority of the Controller to issue instructions

  1. The Controller shall confirm verbal instructions without delay (at least in text form).
  2. The Processor shall inform the Controller immediately if the Processor is of the opinion that an instruction violates data protection regulations. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller.

Deletion and return of personal data

  1. Copies or duplicates of the data will not be made without the Controller's knowledge. Excluded from this are security copies, insofar as they are necessary to ensure proper data processing, as well as data that is required with regard to compliance with statutory storage obligations.
  2. After completion of the contractually agreed work or earlier upon request by the Controller - at the latest upon termination of the service agreement - the Processor shall hand over to the Controller all documents, processing and utilization results created and data files related to the contractual relationship that have come into its possession or, after prior consent, destroy them in accordance with data protection requirements. The same shall apply to test and scrap material. The protocol of the deletion shall be submitted on request.
  3. Documentation that serves as proof of orderly and proper data processing shall be kept by the Processor beyond the end of the contract in accordance with the respective retention periods. The Processor may hand them over to the Controller at the end of the contract to exonerate the Processor.

Type of personal data

  1. Social relationships between the Controller or their clients and their social platform contacts.
  2. Visited profiles on the social web platform.
  3. Tags, ratings and personal notes on social contacts.
  4. Contact details.