Table of contents
- Terms and Definitions
- Subject-Matter of the Processing
- Type of Processing
- Authority to issue instructions
- Technical and Organisational Measures (Safety and Security Concept)
- Measures in the Event of a threat to Data Protection or Data Breach
- Spatial Area of the Processing
- Obligations of the Customer
- Term, Continuation after Termination of the DPA and Deletion of Data
- Final Provisions
- Annex: Subject-Matter of the Processing
Data Processing Agreement (DPA)
This Data Processing Agreement (“Agreement“) forms part of the Contract for Services (“Principal Agreement“) between the Customer and freispace GmbH, Bellermannstr. 93, 13357 Berlin, Germany (the “Processor”), together as the “Parties”.
1. Terms and Definitions
- "Processing" - Pursuant to 4 (8) GDPR, "Processing" is understood to mean the processing of personal data as defined in Article 4 (2) GDPR carried out on behalf of the Controller, irrespective of the number of intermediary processors, by the Processor in accordance with the subject-matter of this DPA.
- "Principal Agreement" - The term " Principal Agreement" covers all types of ongoing business relations between the Customer and the Processor, under which the Processor processes personal data at the instruction of the Customer in accordance with the definition of the subject of the Processing in this DPA. Insofar as the validity of this DPA is otherwise limited (i.e. within this agreement or outside it, in other agreements or regulations) to certain types, categories or specific business relationships, contracts, etc., these are each to be understood as the Principal Agreement. The definition of the Principal Agreement also includes ongoing individual assignments by the Customer to the Processor, which are issued by the Customer within the scope of the Principal Agreement (e.g. in the case of framework contracts).
- "Personal Data" - In accordance with Article 4 (1) GDPR, "personal data" (hereinafter also referred to briefly as "data") is all information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Data subjects" - In accordance with Article 4 (1) GDPR, "data subjects" are defined as Persons who are at least identifiable by means of personal data. The data subjects concerned by this Processing are determined by the subject-matter of the Processing.
- "Third party" - "Third party" means according to Article 4 (10) GDPR a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
- "Sub-processing" - When a processor is not directly appointed by the Controller but by a processor who is the first processor appointed by the Controller, a "sub-processing" is present and the processors following the first processor are referred to as "sub-processors".
- "Electronic format" - declarations are deemed to have been made in "electronic format" in accordance with Article 28 (9) DSGVO if the declaring person is identifiable and the electronic declaration format is suitable as proof of the declaration. Electronic format" means in particular text form, an agreement stored on permanent data carriers (e.g. e-mail), digital signing procedures or the use of dedicated online functions (e.g. in user accounts).
2. Subject-Matter of the Processing
- The detailed information on the subject-matter of the Processing, Data processed, the data subjects and the nature, scope and purposes of the Processing are governed by the provisions of the Annex "The Subject-Matter of the Processing".
3. Type of Processing
- Insofar as the Customer acts as the Controller of the Processing, it shall be responsible within the scope of this DPA for compliance with the provisions of the data protection laws, in particular for the legality of the Data Processing as well as for the legality of the assignment of the Processor. Insofar as the Customer itself acts as a Processor, the Customer shall commission the Processor as a Sub-Processor. The controller of the processing may, on the basis of this DPA, directly invoke the rights to which the Customer is entitled to against the Sub-Processor.
4. Authority to issue instructions
- The Processor may process Data only within the scope of the Principal Agreement and of the Customer's instructions and only insofar as Processing within the scope of the Principal Agreement is necessary.
- The instructions are initially set out in the Principal Agreement or this DPA may subsequently be amended, supplemented or replaced by the Customer by issuing further instructions in writing or in an electronic format (text form, e.g. e-mail) to the Processor or to the entity designated by the Processor.
- Oral instructions may be given if they are required by the circumstances (e.g. urgency) and must be confirmed immediately in writing or in electronical form.
- If, on the basis of objective circumstances, the Processor considers that an instruction of the Customer is contrary to relevant data protection law, the Processor shall without delay inform the Customer thereof and provide objective reasons for his/her opinion. In this case, the Processor shall be entitled to suspend the execution of the instruction until the Customer expressly confirms the instruction and to refuse to execute the instruction in the case of obviously illegal instructions.
- The Processor shall document instructions given to her/him and their implementation.
5. Technical and Organisational Measures (Safety and Security Concept)
- The Processor shall structure the internal organisation in his area of responsibility in accordance with the legal requirements and shall in particular implement technical and organisational measures (hereinafter referred to as "TOMs") for appropriate security, in particular the confidentiality, integrity and availability of the Customer's Data, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the Processing as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of the persons concerned, and shall ensure that these measures are maintained, in particular by means of regular evaluation, at least once a year. With regard to the protection of the Data, the TOMs include in particular physical and logical access control, transfer control, input control, order control, integrity and availability control, separation control and the safeguarding of the rights of the Data Subjects.
- The TOMs declared by the Processor upon conclusion of the contract define the minimum security level guaranteed by the Processor. The TOMs may and should be further developed in accordance with technical and legal progress and replaced by adequate protective measures, provided that they do not fall below the safety level of the defined measures and that any substantial changes are notified to the Customer. The description of the measures must be so detailed that a competent third party can at all times see beyond doubt that the required legal data protection level and the defined minimum security level are not undercut.
- The Processor shall ensure that the employees, agents and other persons acting on behalf of the Processor are prohibited from processing the Data outside the scope of the Instruction. The Processor shall further ensure that the persons authorised to process the Client's Data have been instructed in the data protection provisions of law and of this DPA and have been bound to confidentiality and secrecy or are subject to a corresponding and appropriate legal obligation of secrecy. The Processor shall ensure that the persons employed for the Processing are with regard to the fulfilment of the data protection requirements appropriately instructed and supervised on an ongoing basis.
- The Processor shall ensure that the persons employed by him/her to process the Data participate in a reasonable frequency of periodic training and awareness raising activities with regard to the protection of personal data and compliance with legal data protection requirements.
- The processing of the Data outside of the premises of the Processor (e.g. in the home or mobile office or in case of remote access) is permitted, provided that the necessary technical and organisational measures are taken and documented, which take into account the specifics of these processing situations in an appropriate manner and in particular also allow sufficient control of the Data processing (e.g. conclusion of a data protection agreement with employees in the home and mobile office). The Processor shall provide the Principal with documentation of the implemented technical and organizational measures for such home, mobile or other remote processing upon request.
- The Processing of personal data on the private devices of the employees of the Processor and its contractors is permitted, provided that the necessary technical and organisational measures are taken and documented, which take into account the specifics of these processing situations in an appropriate manner and, in particular, also allow for sufficient control of the Processing (e.g. conclusion of an agreement which allows for an appropriate control of the private devices). On request, the Processor shall provide the Customer with documentation of the implemented technical and organisational measures for these types of Processing upon request.
- If required by law, the processor shall appoint a data protection officer in accordance with the legal requirements. The Processor shall inform the Customer of the contact details of the data protection officer and of any subsequent changes.
- The Data and data carriers and all copies made thereof, which are provided within the scope of the DPA, remain the property or ownership of the Customer, are subject to the Customer's control, must be carefully safeguarded by the Processor, protected from access by unauthorized third parties and may only be deleted, erased or disposed with the Customer's consent. Destruction must be carried out in accordance with data protection regulations and in such a way that a recovery of even residual information is no longer possible and cannot be expected with reasonable effort. Copies of data may only be made if they are necessary for the fulfilment of the principal and secondary obligations of the Processor towards the Customer (e.g. backups) and the contractual and statutory data protection level is guaranteed.
- The processor shall be obliged to ensure the immediate return or deletion of the Data and data carriers, including those of sub-processors, in accordance with this DPA.
- The Processor shall keep evidence of the destruction or deletion of Data and files properly performed within the scope of this DPA and shall make it available to the Customer upon request.
- The right of retention is excluded with regard to the Data processed and the associated data carriers.
- If the security measures taken do not or no longer meet the requirements of the Customer or the statutory requirements, the Processor shall notify the Customer immediately.
- The technical and organizational measures already existing at the conclusion of this DPA are listed by the Processor in the Annex "Technical and Organizational Measures" and accepted by the Customer.
6. Measures in the Event of a threat to Data Protection or Data Breach
- In the event that the Processor becomes aware of facts which give rise to the assumption that the protection of the processed Data may have been breached within the meaning of Article 4 (12) GDPR, the Processor shall inform the Customer without delay and in full, take the necessary protective measures without delay, and assist the Customer in the performance of the Customer's obligations, in particular in relation to the notification of competent authorities or data subjects.
- Information about a (possible) violation of the protection of the Data must be provided without undue delay, in general within 24 hours from the time of obtaining knowledge.
- The notification from the Processor must according to Article 33 (3) GDPR contain at least the following information:
- description of the nature of the data breach or threat, specifying, where possible, the categories of data concerned and the approximate number of persons and personal data sets concerned;
- the name and contact details of the data protection officer or any other known contact point for further information;
- a description of the likely consequences of the data breach or threat (e.g. with further details: identity theft, financial loss, etc.);
- a description of the measures taken or proposed by the Processor to remedy the data breach and, where appropriate, measures to mitigate its possible adverse effects
- Also to be reported immediately are significant disruptions, failures or troubles in the Processing as well as violations of data protection regulations or of this DPA by the Processor or the Processor's employees or agents.
- Without prejudice to any restrictions imposed by the Principal Agreement, the Customer expressly agrees that the Processor may use sub-processors in the context of the Processing. The Processor shall inform the Customer of any new sub-processors within a reasonable period of time, which shall normally be 14 working days, and shall give the Customer the opportunity to reasonably inspect the sub-processors before using them and to object to the use of sub-processors if the Customer has a legitimate interest. If the Customer does not raise an objection within the preliminary period, the authorisation shall be deemed to have been granted. The Customer shall exercise the right to object to the changes only in accordance with the principles of good faith and of reasonableness and fairness.
- If the processor uses the services of a sub-processor (e.g. a subcontractor) in order to carry out certain Processing activities on behalf of the Customer, it must impose on the sub-processor, by means of a contract or any other legal instrument permitted by law, the same data protection obligations as those to which the Processor has committed him/herself in this DPA (in particular as regards following instructions, complying with the TOMs, providing information and allowing audits).
- The sub-processor shall be carefully selected by the Processor, having particular regard to the suitability and reliability of the sub-processor to comply with the obligations under this DPA for Processing and the adequacy of the TOMs implemented by the sub-processor.
- The Processor shall audit compliance with the obligations of the sub-processors, in particular the TOMs, on a regular basis and at least every 12 months, to an appropriate extent. The inspection and its results shall be documented in a comprehensible manner so that they are comprehensible to a competent third party. The documentation shall be presented to the Customer on request. Instead of his own audit, the Customer may refer to an audit by independent third parties (e.g. neutral data protection auditors), compliance with approved rules of conduct ( Article 40 GDPR) or suitable data protection or IT security certifications in accordance with Article 42 GDPR. The Customer shall immediately notify the Customer of the exclusion of approved rules of conduct pursuant to Art. 41 (4) GDPR, the revocation of a certification pursuant to Art. 42 (7) GDPR and any other form of revocation or substantial modification of the above-mentioned proofs.
- The responsibilities for performing the obligations under this DPA and under the law must be clearly defined and allocated between the processor and the sub-processor.
- The Customer must be able to exercise effectively his/her rights towards the Processor, also towards the sub-processor. In particular, the Customer must be entitled to carry out audits on sub-processors at any time to the extent laid down in this DPA.
- Processing of personal data which is not directly related to the provision of the main contractual obligation and where the Processor uses the assistance of third parties as a mere ancillary service in order to carry out its business activity (e.g. cleaning, security, maintenance, telecommunications or transport services) does not constitute sub-processing within the meaning of the above provisions of this DPA. Nevertheless, the processor shall ensure, e.g. by contractual agreements or notices and instructions, that the security of the data is not endangered and that the provisions of this processing contract and the data protection regulations are observed.
- Sub-processing relationships of which the Customer was notified at the time of the conclusion of this DPA shall be deemed approved to the extent of the notification and subject to the provisions of this DPA on sub-processing.
- The current list of sub-processors is available at the following web address: https://freispace.com/subprocessors/
8. Spatial Area of the Processing
- The Data is processed within the scope of the DPA in a member state of the European Union (EU) or in another state that is a party to the Agreement on the European Economic Area (EEA).
9. Obligations of the Customer
- The Customer must inform the Processor without delay and in full if he/she discovers errors or irregularities in the Processing results, instructions or processing procedures with regard to data protection regulations.
- In the event of a claim against the Processor by data subjects, third parties, bodies or authorities with regard to possible entitlements arising from the processing of the Data within the scope of this DPA, the Customer undertakes to support the Processor in the defence of the claim within the scope of its possibilities and taking into account the degree of fault of the Contracting Parties.
- The statutory liability provisions apply, in particular Article 82 GDPR and, in the case of the use of a sub-processor, Article 28 (4) S. 2 GDPR.
- Liability regulations and limitations of the Principal Agreement shall apply.
11. Term, Continuation after Termination of the DPA and Deletion of Data
- The effective term and termination of this DPA shall be determined by the erm and termination of the Principal Agreement.
- The obligations to protect confidential information arising from the DPA shall continue to apply after the end of the DPA, provided that the Processor continues to process the Personal Data covered by the DPA and that compliance with the obligations can reasonably be expected of the Processor even after the end of the DPA.
12. Final Provisions
- The exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA shall be the residential domicile or the (registered) office of the Processor and insofar as mandatory by applicable law, the Customer is a merchant, a legal entity under public law or a special fund under public law or if the the Customer has no place of jurisdiction within the jurisdiction of the applicable law. The Processor reserves the right to assert claims at the statutory place of jurisdiction.
- The DPA constitutes the entire agreement concluded between the Contractual Parties. There are no additional agreements.
- Amendments and additions to this DPA, as well as the termination of this clause must be made at least in electronic format.
- In the event of a conflict with the Principal Agreement, the DPA shall take precedence.
- Should one or more provisions of this DPA be invalid or unenforceable, this shall not affect the validity of the remaining provisions. Rather, the invalid provisions shall be replaced by way of a supplementary interpretation by such a provision which comes as close as possible to the economic purpose visibly pursued by the parties with the invalid provision(s). If the above-mentioned supplementary interpretation is not possible due to legally binding requirements, the Contracting Parties shall agree on a corresponding provision.
The DPA is concluded in electronic format and is effective without the signatures of the parties.
13. Annex: Subject-Matter of the Processing
Purposes of Processing
Personal data of the Customer shall be processed on the basis of this Data Processing Agreement for the following purposes:
- Customer management and / or customer support.
- Planning, implementation and / or support of media productions.
- Software-as-a-Service (SaaS).
- Services in the field of software development and / or maintenance.
- Corporate communication (internal/external).
- Administrative, management and / or governance services.
Types and Categories of Data
The types and categories of personal data processed on the basis of this DPA include:
- Master/ Inventory data.
- Contact information.
- Content data.
- Images and/or video recordings.
- Contract details.
- Employee data.
- Business Information.
Sources of the Processed Data
The categories of data subjects affected by the processing of personal data on the basis of this DPA include:
- Software users.
- Business customers.
- Business partners.
- Employees / workers.