Data Processing Agreement
Between the Customer as Controller and GraphApi.io GmbH as Processor.
Subject of the assignment
- The Controller commissions the Processor to process personal data on the basis of the contract to which this Data Processing Agreement is annexed (the "Main Agreement"). This Data Processing Agreement shall take precedence over the Main Agreement in the event of any contradictions.
- The purpose of the processing of personal data by the Processor is to provide the services stipulated in the Main Agreement. The categories of data subjects and personal data affected by the processing shall be specified by the Controller in the settings of the client dashboard under "Processing of personal data". If no indication is made, the customers and employees of the Controller (current, potential and former in each case) as well as data of all kinds shall be affected by the processing.
Place of commissioned processing
The commissioned processing shall occur exclusively in a member state of the European Union or another contracting state of the Agreement on the European Economic Area unless otherwise agreed with the Controller.
Responsibility and right of instruction of the Controller
- For the commissioned processing, the Controller is the responsible party within the meaning of Art. 4 No. 7 GDPR. It is responsible for compliance with the legal provisions on data protection, in particular for the lawfulness of the transfer of the data to the Processor and the lawfulness of the data processing by the Processor.
- The Controller has the right at any time to issue instructions supplementing the Main Agreement regarding the type, scope, and procedure of the processing of personal data. Instructions may be given verbally or in text form. The Controller shall confirm verbal instructions in text form without undue delay. Insofar as the Controller issues instructions through the website provided by the Processor for the purposes of the commissioned processing, the Processor shall document the issuance of the instructions.
- The Processor shall immediately inform the Controller in text form if, in its opinion, an instruction issued by the Controller violates statutory regulations. As long as the parties have not resolved the Processor's concerns, the Processor shall be entitled to suspend the implementation of the relevant instruction. If the parties cannot reach an agreement and the Controller adheres to its instruction, the Processor shall be entitled to terminate this Agreement with reasonable notice, which shall be at least two weeks. If, in this case, the Main Agreement cannot be executed, the Controller shall be entitled to terminate this processing agreement if the Main Agreement could only be performed by implementing the unlawful instruction, and this was not apparent to either party at the time the contract was concluded.
- If the Processor believes that it cannot follow an instruction of the Controller for technical reasons, it shall inform the Controller of this in text form and coordinate further action with the Controller.
Duties of the Processor
- Any processing of personal data shall be carried out exclusively in accordance with the specifications of the Main Agreement and any instructions issued by the Controller. This shall also apply to the transfer of personal data to a third country or an international organization. This paragraph 1 shall not apply if the Processor is required to process by the law of the Union or the Member States to which it is subject; in such a case, the Processor shall notify the Controller of such legal requirements before the processing, unless the relevant law prohibits such notification on grounds of an essential public interest.
- The Processor confirms that it is not required by law to appoint a data protection officer. It shall name a contact person for the Controller in its place for all matters relating to data protection and the implementation of this Agreement.
- The Processor shall impose a confidentiality obligation on the persons authorized to process the personal data unless they are already subject to an appropriate statutory duty of confidentiality. The scope of the obligation shall be proportionate to the data processed and the consequences of any breach of personal data protection. It shall also relate to all personal data that the Processor processes for the Controller. The content and the fact of the obligation shall be proven to the Controller upon request. Any further obligations resulting from a separate confidentiality agreement concluded between the parties shall remain unaffected.
- The Processor shall support the Controller in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the type of processing and the information available to it. For this purpose, it shall, in particular, provide the services provided for in this Agreement.
- To the extent necessary, the Processor shall support the Controller in carrying out a data protection impact assessment under Art. 35 GDPR and shall provide the Controller with all information and evidence required from its sphere for this purpose. It shall be obligated accordingly if the Controller has to conduct a prior consultation with a supervisory authority according to Art. 36 GDPR. For the services to be provided under this paragraph, the Processor shall be entitled to an appropriate fee based on the time spent. The Processor may not make the performance of the services owed by it dependent on the Controller acknowledging a specific remuneration and/or making advance payments.
- At the legitimate request of the Controller, the Processor shall provide the Controller with all necessary information to prove compliance with the obligations incumbent on the Processor under Article 28 GDPR.
- If the Controller's data at the Processor is endangered by attachment, seizure, insolvency, or composition proceedings or by other events or measures of third parties, or if such actions have been taken, the Processor shall immediately inform the Controller thereof in full, unless it is not permitted to do so by law. Furthermore, the Processor shall be obliged to notify all relevant third parties that the data is personal data for which the Controller is the controller and that the Processor itself is only acting as a processor.
Obligations of the Controller
The Controller shall inform the Processor without undue delay, stating the reasons, if it discovers errors or irregularities in the processing results or concerning the Processor's activities in respect to the requirements of this Agreement or the GDPR.
Safety of the processing
- The Processor shall take all measures required according to Art. 32 GDPR, in particular appropriate technical and organizational measures, to ensure a level of protection appropriate to the risk of the data processing. At the time of the conclusion of the contract, these are the measures described in Annex 1. It shall prove compliance with these requirements to the Controller by suitable means at the latter's request.
- To adapt to changed technical or legal circumstances, the Processor shall be entitled to make changes to the measures described in Annex 1. Changes that could affect the integrity, confidentiality, or availability of the personal data, increase the risks to the rights and freedoms of the data subjects affected by the processing, or generally reduce the agreed level of protection shall require the consent of the Controller. Other changes, in particular an improvement of the measures taken, may be implemented by the Processor without the consent of the Controller. After making such changes, the Processor shall adapt Annex 1 accordingly and shall, without undue delay, communicate the respective current version of Annex 1 to the Controller or point out to the Controller where the new version is made available on the Processor's website.
Data subject rights
- The Processor shall, insofar as possible and reasonable for it to do so, support the Controller with suitable technical and organizational measures in fulfilling its obligation to respond to requests to exercise the rights of the data subjects set out in Chapter 3 of the GDPR. For this purpose, the Controller shall inform the Processor in text form which actions of the Processor it requires and provide the Processor with the necessary data to fulfill the request. Insofar as one party requires further information from the other party, it shall immediately inform the other party in text form. The Processor shall provide its support within a reasonable time so that the Controller can meet the deadlines incumbent upon it. The Processor shall inform the Controller without undue delay, stating the reasons, if it considers itself unable to provide the requested support action.
- If a data subject contacts the Processor directly to exercise the rights to which it is entitled under Chapter 3 GDPR, the Processor shall refer it to the Controller, insofar as it is possible for the Processor to assign the data subject to the Controller. If it is not possible to assign the data subject to the Processor and the Processor is not directly obligated to the data subject as a controller under Chapter 3 GDPR, the Processor shall inform the data subject that it is acting as a processor for third parties and that it cannot identify the third party concerning the data subject. If and to the extent that the Processor is obligated to the data subject as a controller under Chapter 3 GDPR, the Processor alone shall be responsible for fulfilling the corresponding obligations as controller.
- The Processor shall be entitled to a reasonable fee for the services rendered to the Controller under this Clause, based on the time spent. The Processor may not make the performance of the services owed by it dependent on the Controller acknowledging and/or paying a specific remuneration in advance.
Control rights of the Controller
- The Controller shall be entitled to all control rights, in particular inspections, necessary to comply with its obligations under the provisions of the GDPR. The right of inspection shall be exercised with reasonable notice and during the Processor's regular business hours. To reduce the impact of inspections on its business operations, the Processor shall be entitled to combine such inspections with those of other Controllers to the extent that this is reasonable for the Controller (e.g., joint inspection dates carried out within a reasonable period of time). The Controller shall ensure that inspections are only done to the extent necessary to not disproportionately disrupt the Processor's business operations.
- The Controller is entitled to transfer the exercise of the control rights to a third party commissioned by the Controller. If the third party is in a competitive relationship with the Processor, the Processor shall have the right to object to its activities.
- The Processor shall cooperate in the exercise of the inspection rights to the extent required. The Processor may make inspections by the Controller dependent on the signing of a customary and appropriate confidentiality agreement insofar as this is necessary to protect its business secrets under the statutory requirements.
- For the services to be provided under this clause, the Processor shall be entitled to a reasonable fee based on the time spent. The Processor may not make the performance of the services owed by it dependent on the Controller acknowledging and/or paying a specific remuneration in advance.
Measures by supervisory authorities
- To the extent permissible, the Processor shall inform the Controller without undue delay about control actions and measures of a (supervisory) authority insofar as they relate to this Agreement. This shall apply in particular insofar as an authority investigates the Processor in the context of administrative offense or criminal proceedings concerning the commissioned processing.
- Insofar as the Controller is exposed to a review by the (supervisory) authority, administrative offense, or criminal proceedings, the liability claim of a data subject or a third party or another claim in connection with the commissioned processing at the Processor, the Processor shall support the Controller to the extent necessary. For the services to be rendered in this respect, the Processor shall be entitled to an appropriate fee based on the time spent, unless and to the extent that the Processor is not responsible for the corresponding control, etc. The Processor may not make the performance of the services owed by it dependent on the Controller acknowledging and/or making advance payment of a specific remuneration.
Sub-processors
- The Processor shall use the sub-processors designated in Annex 2 for the processing.
The Processor shall inform the Controller in text form about changes to the commissioning of subcontracted processors. For this purpose, the Processor shall send the Controller the following information in text form:
- Description of the proposed change;
- Name and address of the sub-processor;
- which services the sub-processor is to provide and which personal data and which category of data subjects are affected by this;
- the content of the relevant agreements with the sub-processor and, where applicable, any evidence of compliance with Chapter 5 of the GDPR;
- the above information shall also be made available to any further sub-processors who are to provide relevant services below the sub-processor;
- The Controller may object to the change within two weeks from receipt of the information. The Processor shall not implement the change before the expiry of the objection period. In the event of an objection, the Processor shall be entitled to terminate this Data Processing Agreement with a notice period of at least one month, provided that the change would have been reasonable for the Controller and the objection is unreasonable for the Processor. Reasonableness for the Controller is given if no disadvantages for the Controller would have had to be feared from the change and, in particular, it would have been ensured that the requirements of this Agreement and the GDPR would continue to be complied with upon implementation of the change. Unreasonableness for the Processor is given if it provides its processing services as an essentially uniform process for a large number of controllers, and individual deviations in the sub-processors are not easy for the Processor to implement (e.g., all controllers use the same, standardized software platform).
- The Processor shall comply with the conditions set out in paragraphs 2 and 4 of Art. 28 GDPR for any sub-processors. The Processor shall also ensure that the contractual agreements otherwise concluded with the Controller in this respect and any supplementary instructions of the Controller are also complied with by the sub-processors. It shall provide evidence of this to the Controller at the latter's request.
Violation of data protection regulations, agreements, or instructions
The Processor shall be obliged to notify the Controller in text form of any breach of data protection regulations, of the agreements made and/or of the instructions issued without delay, at the latest 24 hours after first becoming aware of such breach. The corresponding notification shall contain at least the following information:
- A description of the nature of the breach, including, to the extent possible, the type and amount of data involved and categories of data subjects;
- The name and contact information of the data protection officer or other points of contact for further details;
- A description of the likely consequences of the personal data breach;
- A description of the measures taken or proposed by the data controller to address the personal data breach and, where appropriate, measures to mitigate its potential adverse effects.
- Any notification to a supervisory authority or information of affected parties that may be required shall be the sole responsibility of the Controller. The Processor shall cooperate in this to the extent necessary.
- The Processor shall further be obligated to immediately clarify the violation to the extent required and to provide the Controller with corresponding documentation. The documentation shall include a description of the measures taken by the Processor to prevent further violations and why the Processor believes that the measures taken are sufficient to comply with the requirements of this Agreement and the statutory provisions.
Remuneration of the Processor
The Processor shall not be entitled to any separate remuneration for its services under this Agreement unless otherwise agreed in this Agreement.
Liability
Liability of the parties shall be governed by the agreements of the Main Agreement. The direct liability of the parties to a data subject under statutory provisions of data protection remains unaffected.
Term
The term of this contract is based on the term of the Main Agreement. It may only be terminated in isolation from the Main Agreement for good cause, unless this contract or mandatory statutory provisions stipulate otherwise.
Consequences of the termination of the contract
- Upon completion of the provision of the Processing Services, the Processor shall either delete or return all Personal Data at the option of the Controller and delete the existing copies unless there is an obligation to store the Personal Data under Union law or the law of the Member States to which the Processor is subject. The Processor shall confirm to the Controller that the deletion has been carried out in accordance with the Controller's instructions.
- The Controller has the right to control the complete and contractual return and deletion of the data at the Processor.
- Any right of retention of the Processor with regard to the processed data and the associated data carriers is otherwise excluded.
Annex 1 - Technical and organizational measures
Confidentiality (Art. 32 para. 1 lit. b GDPR)
System access control - The following implemented measures prevent unauthorized persons from accessing data processing systems.
- Personal and individual user log-in when logging on to the system or company network
- Authorization process for access permissions
- Limitation of authorized users
- Electronic documentation of passwords and protection of this documentation against unauthorized access
- Logging of the access
- Additional system log-in for certain applications
- Automatic locking of clients after a certain period of time without user activity (also password-protected screen saver or automatic pause)
Data access control - The following implemented measures ensure that unauthorized persons do not have access to personal data.
- Management and documentation of differentiated authorizations
- Conclusion of contracts for commissioned data processing for the external maintenance, servicing and repair of data processing systems, provided that the processing of personal data is the subject of the service in the case of remote maintenance.
- Evaluations/logging of data processing operations
- Authorization process for permissions
- Approval routines
- Encryption of external hard disks and/or laptops (e.g. via operating system, GPG)
- Four-eyes principle
- Segregation of Duties
Segregation control - The following measures ensure that personal data collected for different purposes are processed separately
- Storage of data sets in separate databases
- Processing on separate systems
- Access permissions according to functional responsibility
- Separate data processing through differentiating access regulations
- Multi-client capability of IT systems
- Use of test data
- Separation of development and production environment
Integrity (Art. 32 para. 1 lit. b GDPR)
Transfer control - It is ensured that personal data cannot be read, copied, changed or removed without authorization during transfer or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures are implemented to ensure this:
- Encryption of email or email attachments (e.g. GPG)
- Encryption of the storage medium of laptops
- Secure file transfer (e.g. sftp)
- Secure data transport (e.g. SSL, ftps, TLS)
- Encryption of external hard disks or USB sticks
- Packaging and shipping instructions
- Electronic signature
- Secured WLAN
- Data Loss Prevention (DLP) system
- Regulation on the handling of mobile storage media (e.g. laptop, USB stick, cell phone)
- Logging of data transmission or data transport
- Logging of read accesses
- Logging of copying, modification or removal of data
Input control - The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time.
- Access rights
- Logging on the system side
- Document Management System (DMS) with change history
- Security/logging software
- Functional responsibilities, organizationally defined responsibilities
- Multi-eye principle
- Data Loss Prevention (DLP) system
Availability and resilience (Art. 32 para. 1 lit. b GDPR)
Availability control and resilience control - The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client.
- Security concept for software and IT applications
- Back-up procedures, bookable additionally for a fee
- Ensuring data storage in the secured network
- Importing security updates as needed
- Virus protection
- Redundant, locally separated data storage (offsite storage)
Procedures for regular review, assessment and evaluation (Art. 32(1)(d) GDPR; Art. 25(1) GDPR)
Data protection management - The following measures are intended to ensure that an organization that meets the basic requirements of data protection law is in place:
- Guidelines/instructions to ensure technical/organizational measures for data security
- Appointment of a data protection officer
- Obligation of employees to data secrecy
- Sufficient training of employees in data protection matters
- Keeping an overview of processing activities (Art. 30 GDPR)
- Carrying out data protection impact assessments, where required (Art. 35 GDPR)
Incident response management - The following measures are designed to ensure that notification processes are triggered in the event of data privacy breaches:
- Data breach notification process pursuant to Art. 4 No. 12 GDPR to the supervisory authorities (Art. 33 GDPR)
- Data breach notification process pursuant to Art. 4 No. 12 GDPR vis-à-vis data subjects (Art. 34 GDPR)
The following measures ensure that personal data can only be processed in accordance with the instructions.
- Agreement on commissioned processing with regulations on the rights and obligations of the contractor and client
- Process for issuing and/or following instructions
- Determination of contact persons and/or responsible employees
- Control/verification of order execution according to instructions
- Training/instruction of all employees with access rights at the contractor's premises
- Obligation of employees to data secrecy
- Agreement on contractual penalties for violations of instructions
- Formalized order management
- Documented procedure for the selection of service providers
- Standardized contract management for pre- and post-control of service providers