Data Processing Agreement (DPA) according to art. 28 GDPR

Data controller
Client responsible for the data processing
(hereinafter referred to as the client)

Data processor
Metasoul GmbH

Urstein Süd 15

5412 Puch bei Hallein

Austria
(hereinafter referred to as the contractor)

This data processing agreement is an integral part of the contractor’s general terms and conditions or other contracts between the client and the contractor, which are available at https://metasoul.com/en/reseller-agreement/. It applies between the client and the contractor whenever the contractor processes personal data on behalf of the client in the course of providing its services.

1. BACKGROUND AND SPECIFICATION OF DATA PROCESSING

1.1 The contractor is a company that offers the following services:

  • Operating a SaaS platform to help customers meet data protection requirements.

1.2 The client is a company that plans to use the contractor’s services in the areas specified.

1.3 This Data Processing Agreement specifies the conditions for the processing of personal data by the contractor with the client’s approval in accordance with the General Data Protection Regulation (GDPR). The contractor acts as a processor within the GDPR’s definition.

2. NATURE, PURPOSE, OBJECT, AND LEGAL BASIS OF DATA PROCESSING

2.1 The services of the contractor are described in the relevant contracts concluded with the client.

2.2 In the course of providing services, the client shall provide the contractor with the personal data required for the provision of services in the appropriate manner in each case, for example, by electronic or physical means, via discussions and analyses, the performance of other contractually regulated activities, verbally, or via software tools.

2.3 Personal data may be processed, in particular, by organizing, arranging, storing, and, if necessary, adapting or modifying, querying, linking, restricting, deleting, combining, copying, hiding, connecting, analyzing, reading, receiving, sending, and updating, insofar as this is necessary for the provision of the agreed services.

2.4 The purpose of the processing is the contractually agreed provision of services to the client.

2.5 The contractor is not obliged to verify the lawfulness of the client’s underlying data processing.

3. CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS CONCERNED

3.1 As part of the agreed services, several categories of personal data may be processed. In particular, this can be the following categories:

  • Login data
  • Identification data
  • Contact data
  • Payment data
  • Invoice data
  • Data for error detection and error analysis
  • Data for analyzing user behavior
  • Data provided as free text

3.2 The client acknowledges that the contractor has no influence on the categories of personal data processed as part of the provision of services. This applies in particular to the possible transfer of special categories of personal data (Art. 9 GDPR).

3.3 In general, all categories of data subjects necessary for the provision of the agreed services are covered by the processing. In particular, this includes the following categories of data subjects:

  • Clients of the client
  • Service providers of the client
  • Employees of the client

3.4 Given the nature of the agreed services, the client acknowledges that the contractor cannot review or maintain the list of categories of data subjects. Therefore, the client shall inform the contractor of any necessary changes to the list of categories of data subjects.

3.5 The contractor shall process the client’s personal data regarding all data subjects listed above in accordance with the agreed services. If, due to changes to the list of categories of data subjects, changes to the agreed processing operations become necessary, the client shall issue additional instructions to the contractor accordingly.

4. TERMS AND CONDITIONS OF DATA PROCESSING

4.1 The contractor shall comply with all requirements of the GDPR during the entire provision of services.

4.2 The contractor shall only process personal data based on written instructions in the form of a contract with the client. Deviations from these instructions require the client’s prior written consent.

4.3 The contractor processes the personal data in accordance with the principle of data minimization pursuant to Art. 5 para. 1 lit c GDPR and therefore only to the extent necessary to provide the agreed services.

4.4 Access to the client’s personal data is only granted to individuals who require this access due to contractual or legal obligations.

4.5 All individuals on the contractor’s side who have access to the client’s personal data shall be obliged to maintain confidentiality. In particular, the duty of confidentiality of the individuals entrusted with data processing shall remain even after termination of their activity with the contractor.

4.6 The contractor shall implement and maintain all suitable, appropriate, and state-of-the-art technical and organizational measures to ensure the availability, confidentiality, and integrity of personal data.

4.7 The contractor shall support the client in complying with its obligations under the GDPR, in particular with regard to the rights of data subjects.

4.8 Unless otherwise required by law, the contractor shall inform the client immediately if it receives information or notification from a data subject, the data protection supervisory authority, or another authority or a third party, and this information or notification is directly or indirectly related to the processing of personal data under this Data Processing Agreement.

4.9 In the context of the contracted data processing, the contractor shall support the client—to the extent required by law—in the creation and updating of the record of processing activities, in the performance of the data protection impact assessment, and, if required, in prior consultations with the data protection supervisory authority within the meaning of Art. 36 GDPR. The contractor shall provide all necessary details and information for this purpose. In addition, the contractor shall maintain its own record of processing activities and, if required, carry out data protection impact assessments and appoint a data protection officer.

4.10 The contractor shall inform the client immediately, but at the latest within 24 hours, if the personal data provided to the contractor has been used unlawfully and/or the data subjects are at risk of harm. The contractor shall provide the client with all necessary information so that the client can fulfill its reporting obligations to the data subjects in accordance with data protection laws.

4.11 Any transfer of personal data by the contractor to a third country or international organization shall be in accordance with Union or national law and must, in particular, comply with the provisions of the GDPR.

5. SUB-PROCESSORS

5.1 Depending on the contractually agreed service provision, a dedicated approved list of sub-processors is involved in the data processing.

5.2 Data may be transferred to third countries through the use of sub-processors. The contractor shall ensure that the transfer of data to third countries is generally compliant with the GDPR. The client shall check whether the transfer of personal data to third countries in accordance with Articles 44-49 GDPR is feasible in the course of the individual use of the service offered by the contractor in compliance with the GDPR.

5.3 The following subcontractors are approved by the client and are involved in the provision of the contractually agreed services:

  • Hetzner Online GmbH, Industriestr. 25; 91710 Gunzenhausen, Germany – Application hosting
  • hundertzehn GmbH, In der Weid 15, 8122 Binz, Switzerland – Accounting
  • Mollie B.V., Keizersgracht 126, 1015 CW Amsterdam, Netherlands – Payment processing
  • seriouscode GmbH, Siedlungsgasse 16, 2111 Kleinrötz, Austria – Analysis of user behavior
  • Functional Software, Inc., 45 Fremont Street, 8th Floor, San Francisco, CA 94105, USA – Error detection and error analysis
  • Raintank, Inc. dba Grafana Labs, 165 Broadway 23rd Floor, New York, NY 10006, USA – Logging and monitoring

5.4 A contract shall be concluded between the contractor and the sub-processors in accordance with Art. 28 (4) GDPR. The subcontract shall take into account the data protection requirements to the same extent as those agreed between the client and the contractor in this agreement, and data processing may only be carried out for the purpose specified in the separately contracted service.

5.5 The contractor shall regularly check compliance with the data protection obligations of the sub-processors under this Data Processing Agreement. Should the contractor become aware in the course of this review that the sub-processor does not sufficiently fulfill the data protection obligations incumbent upon it under this Data Processing Agreement, it shall inform the client thereof immediately and without being requested to do so.

5.6 Outsourcing to subcontractors or changing an existing subcontractor is permissible insofar as:

  • the contractor indicates such outsourcing to subcontractors at least 2 weeks in advance in writing or in text form, and
  • the client does not object to the planned outsourcing in writing or in text form until the date of transfer of the data to the contractor

In the event of an objection, the client and the contractor shall contact each other to resolve the conflict, whereby an extraordinary right of termination of the main agreement shall be agreed for both parties in the event that the conflict cannot be resolved.

6. AUDIT AND COMPLIANCE

6.1 The contractor shall permit the client or its designated representatives to conduct audits and inspections to verify compliance with the terms of this Data Processing Agreement. Such audits shall be conducted with reasonable advance notice and shall not unreasonably interfere with the contractor’s operations. The client is aware that any inspections of sub-processors must be coordinated directly with these sub-processors, and that the contractor has no influence on the conditions applied.

6.2 Any third-party auditors shall be subject to confidentiality agreements.

6.3 The contractor shall provide the client with all necessary information and work with the client to demonstrate compliance with the GDPR.

7. DURATION AND TERMINATION OF CONTRACT

7.1 This Data Processing Agreement shall remain in force for the duration of the data processing activities and shall terminate upon completion of the provision of the services or as otherwise agreed by the parties.

7.2 Upon termination of the Data Processing Agreement (or at any time prior thereto at the client’s request), the contractor shall, at the client’s discretion, either destroy the processed personal data (including any copies) itself or hand them over to the client in their entirety, provided that this does not conflict with any statutory or contractual obligation to retain them. The contractor shall continue to guarantee compliance with these clauses until the data is deleted or returned. If the client does not comment on the procedure, the contractor shall destroy the data six months after termination of the agreement, subject to statutory or contractual obligations to retain the data.

7.3 The contractor shall arrange the destruction or handover of data by any sub-processors.

8. FINAL CLAUSES

8.1 Amendments and supplements to this data processing agreement and all its components require a written agreement, which may also be in an electronic format (text form), and the express indication that it is an amendment or supplement to this data processing agreement. This also applies to the waiver of this formal requirement.

8.2 This Data Processing Agreement shall be governed by and construed in accordance with applicable law in Austria. The place of jurisdiction is Salzburg.

8.3 In case individual provisions of this Data Processing Agreement become invalid or unenforceable, the remainder of the Data Processing Agreement shall remain unaffected. These provisions shall be deemed to be replaced by valid and enforceable provisions that best achieve the economic purpose intended by the contracting parties.

This data processing agreement is generated and provided by the Metasoul DPA generator.