This Data Processing Agreement (DPA) is an integral part of the General Terms and Conditions of 99BOTS GmbH and applies between the
99BOTS GmbH, Stadttor 1, 40219 Düsseldorf, Germany ("Processor")
and the
Contracting party to the General Terms and Conditions ("Controller")
(Controller and Processor together the "Parties")
The controller has commissioned the processor, in the contract already concluded (hereinafter "main contract"), with the services specified therein. Part of the execution of that contract is the processing of personal data. Art. 28 GDPR in particular places certain requirements on such commissioned processing. In order to comply with these requirements, the parties conclude the following data processing agreement (hereinafter the "Agreement"), the fulfillment of which is not remunerated separately unless this is expressly agreed.
(1) Pursuant to Art. 4 (7) GDPR, the controller is the body which alone or jointly with other controllers determines the purposes and means of the processing of personal data.
(2) Processor is a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller pursuant to Art. 4 (8) GDPR.
(3) Pursuant to Art. 4 (1) GDPR, personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(4) Particularly sensitive personal data are personal data pursuant to Art. 9 GDPR, which reveal the racial and ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and offenses or related security measures as well as genetic data pursuant to Art. 4 para. 13 GDPR, biometric data pursuant to Art. 4 para. 14 GDPR, health data pursuant to Art. 4 para. 15 GDPR and data concerning a natural person's sex life or sexual orientation.
(5) Processing means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction, in accordance with Art. 4 (2) GDPR.
(6) Pursuant to Art. 4 (21) GDPR, the supervisory authority is an independent public authority established by a Member State pursuant to Art. 51 GDPR.
(1) The processor shall provide the services specified in the main contract for the controller. In doing so, the processor shall have access to personal data which the processor processes for the controller exclusively on behalf of and in accordance with the instructions of the controller. The scope and purpose of data processing by the processor are set out in the main contract and any associated service descriptions. The controller is responsible for assessing the permissibility of the data processing.
(2) The parties conclude the present agreement in order to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this agreement shall take precedence over the provisions of the main contract.
(3) The provisions of this contract shall apply to all activities related to the main contract and in which the processor and its employees or persons commissioned by the processor come into contact with personal data originating from the controller or collected for the controller.
(4) The term of this contract is based on the term of the main contract, unless the following provisions give rise to additional obligations or rights of termination.
(1) The processor may only collect, process or use data within the framework of the main contract and in accordance with the instructions of the controller. If the processor is obliged by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall inform the controller of these legal requirements prior to processing.
(2) The Controller's instructions are initially set out in this Agreement and may subsequently be amended, supplemented or replaced by the Controller in writing or in text form by individual instructions ("Individual Instructions"). The Controller is entitled to issue corresponding instructions at any time. This includes instructions regarding the correction, deletion and blocking of data.
(3) All instructions issued must be documented by the Controller. Instructions that go beyond the service agreed in the main contract shall be treated as a request for a change in service.
(4) If the processor is of the opinion that an instruction of the controller violates data protection regulations, it must inform the controller of this immediately. The processor shall be entitled to suspend the implementation of the instruction in question until it is confirmed or amended by the controller. The processor may refuse to carry out an obviously unlawful instruction.
(1) As part of the performance of the Main Agreement, the Processor shall have access to the personal data specified in more detail in Annex 1.
(2) The group of data subjects affected by the data processing is shown in Annex 2.
(3) A transfer of personal data to a third country (outside the EEA) may take place under the conditions of Art. 44 et seq. GDPR.
(1) The processor is obliged to comply with the statutory provisions on data protection and not to disclose the information obtained from the controller's area to third parties or expose it to their access. Documents and data shall be secured against unauthorized access, taking into account the state of the art.
(2) The Processor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It has taken the technical and organizational measures specified in Annex 3 for the appropriate protection of the controller's data in accordance with Art. 32 GDPR, which the controller acknowledges as appropriate. The Processor reserves the right to change the security measures taken, whereby the Processor shall ensure that the contractually agreed level of protection is not undercut.
(3) The persons employed by the Processor for data processing are prohibited from collecting, processing or using personal data without authorization. The Processor shall obligate all persons entrusted by it with the processing and fulfillment of this Agreement (hereinafter "Employees") accordingly (obligation of confidentiality, Art. 28 para. 3 lit. b GDPR) and ensure compliance with this obligation with due care.
(4) The processor has appointed a data protection officer. The data protection officer of the processor is heyData GmbH, Schützenstr. 5, 10117 Berlin, datenschutz@heydata.eu.
(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the processor, suspected security incidents or other irregularities in the processing of personal data by the processor, persons employed by the processor within the scope of the contract or by third parties, the processor shall inform the controller immediately. The same applies to audits of the processor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
(a) a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned, the categories and number of personal data records concerned;
(b) a description of the measures taken or proposed to be taken by the processor to address the breach and, where appropriate, measures to mitigate its possible adverse effects;
(c) a description of the likely consequences of the personal data breach.
(2) The processor shall immediately take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects, inform the controller thereof and request further instructions.
(3) The processor shall also be obliged to provide the controller with information at any time if the controller's data is affected by a breach pursuant to paragraph 1.
(4) The processor shall inform the controller of any significant changes to the security measures pursuant to Section 5 (2).
(1) The controller may verify the technical and organizational measures of the processor before commencing data processing and thereafter on an annual basis. For this purpose, it may, for example, obtain information from the processor, have existing certificates from experts, certifications or internal audit reports presented to it, or personally check the technical and organizational measures of the processor after timely consultation during normal business hours, or have them checked by a competent third party, provided that the latter is not in a competitive relationship with the processor. The controller shall only carry out checks to the extent necessary and shall not disproportionately disrupt the processor's operations.
(2) The Processor undertakes to provide the Controller, at the Controller's verbal or written request, within a reasonable period of time, with all information and evidence necessary to carry out a check of the Processor's technical and organizational measures.
(3) The controller shall document the results of the inspection and inform the processor thereof. In the event of errors or irregularities that the controller discovers, in particular when checking the results of the order, the controller shall inform the processor immediately. If the inspection reveals circumstances that require changes to be made to the prescribed procedure in order to avoid them in the future, the controller shall inform the processor of the necessary procedural changes without delay.
(1) The contractually agreed services shall be performed using the service providers listed in Annex 4 (hereinafter referred to as "Subprocessors"). The Controller grants the Processor its general authorization within the meaning of Art. 28 para. 2 sentence 1 GDPR to commission further sub-processors within the scope of its contractual obligations or to replace those already commissioned.
(2) The processor shall inform the controller prior to any intended change with regard to the involvement or replacement of a sub-processor. The controller may object to the intended involvement or replacement of a sub-processor for good cause under data protection law.
(3) Objections to the intended addition or replacement of a sub-processor must be raised within 2 weeks of receipt of the information about the change. If no objection is raised, the addition or replacement shall be deemed approved. If there is an important reason under data protection law and it is not possible to find a solution by mutual agreement between the controller and the processor, the processor shall have a special right of termination at the end of the month following the objection.
(4) When engaging sub-processors, the processor shall obligate them in accordance with the provisions of this agreement.
(5) A subcontracting relationship within the meaning of these provisions does not exist if the processor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transportation and shipping services, cleaning services, telecommunications services with no specific connection to services provided by the processor for the controller and security services. Maintenance and testing services constitute subcontracting relationships requiring consent if they are provided for IT systems that are also used in connection with the provision of services for the controller.
(6) A transfer of personal data to a third country (outside the EEA) may take place under the conditions of Art. 44 et seq. GDPR.
(1) The processor shall support the controller, where possible, with appropriate technical and organizational measures in fulfilling the controller's obligations under Art. 12 to 22 and Art. 32 to 36 GDPR.
(2) If a data subject asserts rights, such as the right to information, rectification or erasure of their data, directly against the processor, the processor shall not respond independently but shall refer the data subject to the controller and await the controller's instructions.
(1) In the internal relationship with the processor, the controller shall be solely responsible to the data subject for compensation for damages suffered by the data subject due to inadmissible or incorrect data processing or use in the context of commissioned processing.
(2) The Processor shall be liable for damages without limitation insofar as the cause of the damage is based on an intentional or grossly negligent breach of duty by the Processor, its legal representative or vicarious agent.
(3) The Processor shall only be liable for negligent conduct in the event of a breach of an obligation whose fulfillment is essential for the proper execution of the contract and on whose compliance the Controller regularly relies and may rely, and then only up to the average damage typical for the contract. Otherwise, the Processor's liability, including for its vicarious agents and assistants, is excluded.
(4) The limitation of liability pursuant to § 10.3 shall not apply to claims for damages arising from injury to life, limb or health or from the assumption of a guarantee.
(1) After termination of the main contract, the processor shall return to the controller all documents, data and data carriers provided to it or - at the request of the controller, unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany - delete them. This also applies to any data backups at the processor. The processor must provide documented proof of proper erasure upon request.
(2) The controller has the right to check the complete and contractually compliant return or deletion of the data at the processor in an appropriate manner.
(3) The Processor shall be obliged to treat the data of which it becomes aware in connection with the main contract confidentially even after the end of the main contract. This Agreement shall remain valid beyond the end of the Main Agreement for as long as the Processor has personal data that was provided to it by the Controller or that it has collected for the Controller.
(1) Insofar as the processor does not expressly provide support free of charge in accordance with this agreement, it may charge the controller a reasonable fee for this, unless the processor's own actions or omissions have made this support directly necessary.
(2) Amendments and supplements to this agreement must be made in text form. This also applies to the waiver of this formal requirement. The precedence of individual contractual agreements remains unaffected by this.
(3) Should individual provisions of this agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions.
(4) This agreement is subject to German law.
All data processed within the scope of the order, in particular:
Personal identification data
● First and last name
● Address
● Phone number
● Date of birth
● Gender
● Nationality
● E-mail address
Login data
● User name
● Password (encrypted)
Technical data
● IP address
● Browser type and version
● Operating system
● Device type
Usage data
● Access times
● Duration of use
● Visited pages
● Interactions (e.g. clicks, downloads)
Transaction data
● Credit card information (encrypted)
● Bank account details (IBAN, BIC)
● Transaction history
Communication data
● Contents of emails
● Chat protocols
● Feedback and support requests
Profile data
● User preferences
● Settings
● Subscription status
Marketing and tracking data
● Newsletter subscriptions
● Advertising preferences
● Tracking codes (e.g. UTM codes)
● Referrer data (referrer URL)
Contract data
● Contract numbers
● Contract terms
● Contractual terms and conditions
● Customer number
Social security and tax data
● Social security number
● Tax identification number
Professional data
● Employer
● Position
● Place of work
● Job title
Customers of the controller
● Individual customers
● Business customers
Employees of the controller responsible for processing
● Internal employees (full-time, part-time, interns)
● External employees (freelancers, consultants)
Suppliers and service providers of the controller
● Representatives and contact persons of suppliers
● Representatives and contact persons of service providers (e.g. maintenance companies, IT service providers)
Business partners of the controller
● Representatives and contact persons of partner companies
● Representatives and contact persons of cooperation partners
Users and visitors of the controller
● Registered users of a platform or service
● Anonymous visitors to a website
Applicants of the controller
● Persons applying for a position in the company
Contracting partners of the controller responsible for the processing
● Persons who are in contractual relationships (e.g. lessees, borrowers)
Authorities and institutions
● Contact persons at authorities and public institutions (e.g. tax offices, supervisory authorities)
Intermediaries and agents of the controller
● Representatives and contact persons of intermediaries (e.g. insurance agents, real estate agents)
This document summarizes the technical and organizational measures taken by the processor within the meaning of Art. 32 para. 1 GDPR. These are measures with which the processor protects personal data. The purpose of the document is to support the processor in fulfilling its accountability obligations under Art. 5 para. 2 GDPR.
The following implemented measures prevent unauthorized persons from gaining physical access to the data processing systems:
● Working from home: unauthorized persons have no access to employees' homes
● Work in the home office: instruction to employees to work in a separate office from their living space if possible
The following implemented measures prevent unauthorized persons from gaining access to the data processing systems:
● Authentication with user and password
● Use of anti-virus software
● Use of mobile device management
● Automatic desktop lock
● Management of user authorizations
● Creating user profiles
● Central password rules
● Use of 2-factor authentication
● Company policy for secure passwords
The following implemented measures ensure that unauthorized persons have no access to personal data:
● Use of an authorization concept
● The number of administrators is kept as small as possible
● Management of user rights by system administrators
● Instruction to employees that only absolutely necessary data is to be printed out
The following measures ensure that personal data collected for different purposes is processed separately:
● Separation of production and test system
● Logical client separation (on the software side)
● Creation of an authorization concept
● Providing the data records with purpose attributes/data fields
● Container apps when using private devices for business purposes (BYOD)
It is ensured that personal data cannot be read, copied, changed or removed without authorization during transmission or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures have been implemented to ensure this:
● Provision of data via encrypted connections such as SFTP or HTTPS
● Prohibition of uploading business data to non-company servers
The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:
● Logging the entry, modification and deletion of data
● Retention of forms whose data has been transferred to automated processing
● Traceability of data entry, modification and deletion through individual user names (not user groups)
● Assignment of rights to enter, change and delete data on the basis of an authorization concept
The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client:
● Hosting (at least of the most important data) with a professional hoster
The following measures are intended to ensure that the organization meets the basic requirements of data protection law:
● Use of the heyData platform for data protection management
● Appointment of the data protection officer heyData
● Obligation of employees to maintain data confidentiality
● Regular data protection training for employees
● Maintaining an overview of processing activities (Art. 30 GDPR)
The following measures are intended to ensure that reporting processes are triggered in the event of data protection breaches:
● Reporting process for data protection violations in accordance with Art. 4 (12) GDPR to the supervisory authorities (Art. 33 GDPR)
● Notification process for data breaches in accordance with Art. 4 (12) GDPR to the data subjects (Art. 34 GDPR)
● Involvement of the data protection officer in security incidents and data breaches
● Use of anti-virus software
The following implemented measures take into account the requirements of the principles of "privacy by design" and "privacy by default":
● Training of employees in "privacy by design" and "privacy by default"
● No more personal data is collected than is necessary for the respective purpose.
The following measures ensure that personal data can only be processed in accordance with the instructions:
● Written instructions to the contractor or instructions in text form (e.g. through an order processing contract)
● Ensuring the destruction of data after completion of the order, e.g. by requesting corresponding confirmations
● Confirmation from contractors that they commit their own employees to data secrecy (typically in the order processing contract)
Name | Function | Server location
Amazon Web Services EMEA Sarl, 38 avenue John F. Kennedy, L-1855, Luxembourg | Hoster | EU
Mistral AI SAS, 15 rue des Halles, 75001 Paris, France | AI functions | EU
OpenAI, L.L.C., 3180 18th St 100, San Francisco, CA 94110, USA | AI functions | EU
Microsoft Ireland Operations, Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | Standard software provider | EU
TENIOS GmbH, c/o Spaces Breite Strasse, Gertrudenstr. 30-36, 50667 Cologne, Germany | Communication | EU
CM.com Netherlands B.V., Konijnenberg 30, 4825 BD Breda, the Netherlands | Communication | EU
Pipedrive OÜ, Mustamäe tee 3a, 10615 Tallinn, Estonia | CRM | EU
Frisbii Germany GmbH, Mainzer Landstraße 51, 60329 Frankfurt am Main, Germany | Payment processor | EU
Celonis, Inc, One World Trade Center, 87th Floor, New York, NY 10007, USA (Make) | External workflow and endpoint editor | EU