Data Processing Agreement
of Pidoco GmbH, Commercial Register Berlin Charlottenburg, HRB 115010 B
Email: contact@pidoco.com, Telephone +49 30 4881 6385
In case of doubt, the German version shall prevail.
1. Scope, duration and specification of the Data Processing
1. This Data Processing Agreement (“DPA”), agreed between us, Pidoco GmbH, Commercial Register Berlin Charlottenburg, HRB 115010 B (henceforward “Pidoco”) as processor and you as controller, details our mutual obligations on the protection of personal data, associated with the processing of personal data on your behalf. Its provisions shall apply to any and all processing of personal data (“Data”, and “Data Processing”, respectively) that we carry out for you under the agreement between us on your use of our product (the “Agreement”).
2. Pidoco processes personal data on your behalf.
3. Specifically, the Data Processing entails the following Data for the following purpose:
a) Scope of mandate:
Storage of contact details of third parties chosen by you as well as transmission of messages to those.
b) Scope, Type and purpose of data collection, processing and use:
You enter email addresses and names of other users of our product or third party individuals whom you want to invite to assess, comment on, and/or modify (software) designs you have created with our product.
c) Type of data:
Email address, name of invited person.
d) Categories of data subjects affected:
Designated recipients of your emails.
2. Your rights and obligations
1. You as the »controller« shall be solely responsible for compliance with the applicable statutory requirements on data protection, including, but not limited to, the lawfulness of the Data Processing and the protection of the rights of the data subjects (Article 28 of the GDPR). Data subjects shall assert their rights vis-à-vis you.
2. You shall issue instructions in writing. Changes to the subject matter of this DPA and procedural changes must be agreed upon by the parties and determined according to § 1 (3) of this Agreement.
3. You shall, prior to the start of the Data Processing as well as subsequently from time to time, check compliance with the agreed technical and organizational measures. You shall document the result in an appropriate form.
4. You have the right to issue instructions relating to the processing of data collected on your behalf. You shall, without undue delay, confirm in writing any oral instruction given or any instruction given in text form (e.g. email). We shall be allowed a reasonable period of time for carrying out such instructions.
5. You shall notify us without undue delay of any defect or irregularity detected by you in the results of our work or during Data Processing by us.
6. You shall keep in confidence any knowledge acquired under this DPA about our trade secrets and data protection measures.
3. Our obligations
1. Except where expressly permitted by Article 28 (3) lit. a) of the GDPR, we and our employees or other such persons acting on our behalf shall process Data only within the scope of the Agreement, this DPA and your instructions. We shall correct, erase or restrict the processing of Data if so agreed or instructed by you. We shall not correct, erase or restrict the processing of Data without proper instruction. We shall not use data transmitted for Data Processing for any other purposes. We shall not create copies or duplicates without your knowledge, except for backup copies required for ensuring proper Data Processing or data required to fulfill legal retention obligations.
2. Data storage devices provided by you or used on your behalf shall be marked and subject to automated management. Inbound and outbound transfers shall be documented.
3. We warrant that Data Processing shall be carried out as agreed. We further warrant that Data shall be strictly separated from other data.
4. Where we believe that an instruction given by you would be in breach of applicable law, we shall notify you of such belief without undue delay. We are entitled to suspend performance of such instruction until you confirm or modify it.
5. We shall support you in fulfilling your obligations relating to the security of personal data, notification obligations in the case of data breaches according to Articles 33 and 34 of the GDPR, the data protection impact assessment and prior consultations. Our obligations include without limitation
• ensuring an adequate level of protection of your Data by implementing technical and organizational measures, which measures shall take into account the circumstances and purposes of the Data Processing as well as the likelihood and impact of a potential breach through security vulnerabilities, and enable a timely recognition of relevant breaches,
• informing you of any breach of data protection regulations or contractual obligations and/or issued instructions relating to the processing of your Data without undue delay,
• supporting you in fulfilling your information obligation vis-à-vis the data subject and providing you with all relevant information to this end without undue delay,
• supporting you in your data protection impact assessment (if and where applicable),
• and supporting you in relation to prior consultations with the supervisory authority.
We may demand a fee for any support which is not part of our obligations under the Agreement or duties that have otherwise been agreed or is not a result of a culpable breach on our part.
6. You shall be entitled to check to the extent necessary our compliance with data protection regulations and contractual obligations under the Agreement and this DPA at any time, especially by collecting information and inspection of stored Data and the respective systems used for Data Processing.
7. We confirm that we have appointed a data protection officer who carries out his duties according to Articles 38 and 39 of the GDPR. The data protection officer is stated on our website.
8. We shall delete the Data at the time of deletion of the respective user account, except where retention obligations apply to us.
9. Data Processing under this DPA shall occur only in one of the member states of the European Union or in a country that is part of the European Economic Area. Any transfer to a third country shall only occur with your prior consent, and only provided that the special conditions according to Articles 44 ff. of the GDPR are met.
10. We may make use of subcontractors. We shall ensure that in this case the regulations of the Agreement and this DPA are also valid and binding upon such subcontractor. We shall regularly check the compliance with such obligations. Transfer of Data is only permissible once the subcontractor has met the obligations according to Article 28 of the GDPR. You hereby consent to our use of the subcontractors stated in Annex 2, provided that we conclude with such subcontractors the contractual instruments necessary to ensure an appropriate level of data protection and information security in accordance with Article 28 (2)-(4) of the GDPR. Such subcontractors shall also process Data solely in one of the member states of the European Union or in a country that is part of the European Economic Area. Any further transmission by the subcontractor shall require our consent at least in writing (including email). Subcontractor in the sense of this DPA shall only mean service providers whose services directly relate to the performance of our main contractual obligation under the Agreement. Ancillary services such as telecommunication services, postal or transport services, maintenance, user support or the disposal of storage media as well as any measures for ensuring the confidentiality, availability, integrity and resilience of hardware and software do not fall under this regulation.
11. Decisions regarding organization of Data Processing under this DPA and the processes employed shall be agreed between the parties where they substantially affect security.
12. We shall inform you about inspections and measures of supervisory authorities where they relate to Data Processing under this DPA. This also applies where we are subject to a civil or criminal investigation by an authority with statutory competence in relation to the processing of data by us on behalf of others. Where you are subject of such an investigation or a data subject or third party asserts private law claims against you in relation to the Data Processing on your behalf, we shall where possible support you.
13. We shall regularly check internal processes and the technical and organizational measures (see Annex 1) in order to ensure that Data Processing is in compliance with applicable data protection law at all times.
4. Data secrecy
1. We shall ensure confidentiality in relation to the Data Processing under this DPA and under the instructions given by you, according to Articles 28 (3) clause 2 lit. b), Article 29 and Article 32 (4) of the GDPR. We shall ensure the same commitment to secrecy that we are bound to. You shall inform us of any special commitments to secrecy.
2. We confirm that we are familiar with applicable data protection regulations. We warrant that we inform employees involved in Data Processing about the data protection regulations applicable to them. We monitor compliance with data protection regulations.
5. Compliance with rights of data subjects
1. You shall be solely responsible for the protection of the rights of the data subjects. Where a data subject asserts claims for rectification, erasure or access against us, we shall refer such inquiry directly to you.
2. Where our support is required for you to protect the rights of data subjects, we shall support you based upon your instructions. Support concerns primarily the rights to information, rectification, restriction of data processing, objection and erasure.
6. Confidentiality
1. Both parties undertake to keep all information they obtain in connection with the execution of this DPA confidential without limitation in time, and to only use such information for the execution of this DPA. Neither party shall be allowed to use such information or parts thereof for any other purposes or to make them available to any third party.
2. This confidentiality obligation does not apply to facts and/or documents
• that at the time of disclosure by the other party were publicly available or known without either party’s breach of this DPA;
• where the other party has issued written consent regarding the disclosure of such facts or documents;
• or where disclosure is necessary for legal reasons due to an order by an authority or court or due to a disclosure obligation vis-à-vis an authority. In this case the respective party will inform the other party to the extent legally permissible.
7. Data protection measures
1. We shall comply with the technical and organizational measures set forth in Annex 1.
2. We shall ensure the safety of Data Processing according to Article 28 (3) lit. c and Article 32 of the GDPR in connection with Article 5 (1) and (2) of the GDPR. We shall implement measures and safeguards that ensure data security and a risk-adequate level of protection regarding confidentiality, integrity, availability and resilience of processing systems and services. In so doing we shall consider the state of technology, the implementation costs and the type, scope and purpose of the Data Processing as well as the varying likelihood and impact of risks for the rights and freedom of individuals according to Article 32 (1) of the GDPR.
3. We may demonstrate measures that do not relate solely to the individual contract by complying with approved codes of conduct according to Article 40 of the GDPR, obtaining certification under an approved certification process according to Article 42 of the GDPR, obtaining current certificates, reports or parts thereof from independent third parties (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors) or by undergoing an appropriate IT security or data protection audit (e.g. BSI-Grundschutz).
4. As technical and organizational measures are subject to technical progress and development, we may employ alternative adequate technical and organizational measures in order to ensure an adequate level of security. The level of security shall not be less protective than defined herein. We shall document substantial changes.
8. Liability and damages
Article 82 of the GDPR applies in our respective relations towards the data subject.
9. Term
The term of this DPA shall mirror the term of the respective Agreement on the use of our product.
10. Miscellaneous
1. Where your Data, while in our control, becomes endangered by measures by third parties (such as confiscation during bankruptcy or search and seizure), insolvency or settlement procedures or similar events, we shall notify you of such action without undue delay.
2. Any modifications of this DPA must be in writing. The foregoing shall also apply to any waiver or modification of this mandatory written form.
3. Where individual regulations of this DPA are invalid or unenforceable, the validity and enforceability of the other provisions of this DPA shall not be affected.
4. This DPA is subject to the laws of Germany.
Revised: May 2019
Annex 1 – Technical and organizational measures
Pseudonymization
• Not applicable
Encryption
• Encryption of data connections via HTTPS
• Encryption of backups
Confidentiality
• Physical access control via documented key issue and guidelines for visitor accompaniment
• Access control via password protected personalized user accounts with minimum password requirements
• Access control via user roles and strictly limited range of authorized personnel
• Confidentiality agreements and written obligation to comply with data protection laws
Integrity
• Data entry solely by user
• Processing is automated without manual interference (entry control)
• Regular employee training relating to data protection laws and processes
Assurance of availability and resilience of systems
• Business continuity through redundant IT systems
Procedures for recovery of personal data after a physical or technical incident
• Availability through redundant data storage during processing
• Backup concept with regular daily backup at physically independent locations
Procedures for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures
• Regular internal evaluation of implemented protective measures
Revised: May 14, 2019
Annex 2 – Subcontractors
Mailjet SAS, 13-13 bis, rue de l’Aubrac, 75012 Paris, France
Purpose: Sending of emails to other users and third parties
Revised: May 14, 2019