Data Processing Agreement pursuant to Art. 28 (3) GDPR
16th June 2023
1. Scope and subject matter
1.1 This Data Processing Agreement applies insofar as Bloofusion Germany GmbH – Elbersstr. 8, 48282 Emsdetten (hereinafter referred to as “Processor”) processes personal data within the scope of contracts with the Customer (hereinafter referred to as “Controller”), which concern the use of the software SEA Safeguard (hereinafter also referred to as “Software Product” or “SEA Safeguard”) and which fall within the area of responsibility of the Controller under data protection law.
1.2 The personal data provided to the Processor by the Controller are subject to the provisions of the GDPR and other data protection regulations (e.g. BDSG). This agreement sets out the framework conditions to ensure compliance with the data protection regulations.
1.3 This agreement shall come into force upon incorporation of the Terms of Service into the service agreement and shall remain in force until the agreed data processing has been completed.
2. Subject of the processing activities
2.1 In order to perform the agreed services in compliance with the provisions of this contract, the Processor shall be entitled to carry out all necessary processing steps of the data provided by the Controller as well as of the data collected for the Controller, if applicable, provided that this does not lead to a transformation of the content.
2.2 The scope, nature and purpose of the commissioned processing is limited to the processing operations required in the context of the use of SEA Safeguard. The data will only be processed by the Processor to the extent necessary for the provision of the software product and the associated services. This includes, in particular, support in the optimisation of advertising accounts as well as related services such as testing, monitoring and evaluation. Personal data is only processed in exceptional cases, namely when accounts are checked for potential problems. This includes unusual or potentially problematic activities, cases in which personal data was presumably collected unintentionally in Google Analytics (e.g. email addresses in URLs) and other comparable cases where applicable. Personal data is only stored if potential problems are found. It is then used solely to present said problems to the Controller. After the problem has been resolved, the corresponding messages are deleted together with the associated personal data. The categories of data subjects of the processing include users of the connected services and website visitors.
2.3 The categories of data processed and the group of data subjects may also depend on the Controller’s individual use of the software product.
2.4 The Controller’s connected services are checked regularly or on request. In doing so, SEA Safeguard can also access personal data if it is available via the connected services. This includes in particular user activities within the connected services (e.g. in the change history), e-mail addresses of users from connected services (e.g. Google accounts in the form of e-mail addresses), data on website users from Google Analytics and, if applicable, further data.
2.5 The Controller is solely responsible for assessing the permissibility of the commissioned processing as well as for complying with information obligations and safeguarding the rights of data subjects. As the controller under data protection law, the Controller is responsible for ensuring that there is a suitable legal basis for the processing of personal data and, if applicable, that other relevant legal requirements are met.
3. Technical and organisational measures
3.1 The Processor shall establish security pursuant to Art. 28 (3) lit. c and Art. 32 GDPR, in particular in conjunction with Art. 5 (1) and (2) GDPR. The Processor shall take suitable technical and organisational measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity and availability of the data and the resilience of the systems. In doing so, the state of the art, the implementation costs and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR, shall be taken into account. Insofar as processing is permitted outside the Processor’s premises, the same level of protection shall be ensured there.
3.2 The technical and organisational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures, provided that the security level of the specified measures is not reduced. Significant changes shall be documented. Details of the technical and organisational measures shall be made available to the Controller on request.
3.3 As a matter of principle, the agreed data processing shall take place in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.
4. Obligations of the Processor
4.1 The Processor may not correct, delete or restrict the processing of data processed under the order on its own authority, but only in accordance with documented instructions from the Controller.
4.2 The Processor has appointed a data protection officer who performs their duties in accordance with Articles 38 and 39 of the GDPR.
4.3 The Processor shall ensure that confidentiality is maintained in accordance with Art. 28 (3) sentence 2 lit. b, 29, 32 (4) GDPR. When carrying out the work, the Processor shall only use employees who are bound to confidentiality and who have previously been familiarised with the data protection provisions relevant to them. The Processor and any person subordinate to the Processor who has access to personal data shall process such data solely in accordance with the Controller’s instructions, including the powers granted in this Contract, unless the Processor is obliged to process under the law of the Union or the Member States to which the Processor is subject. In such a case, the Processor shall notify the Controller of such legal requirements prior to the processing, unless the law in question prohibits such notification on grounds of important public interest.
4.4 The Controller and the Processor shall, upon request, cooperate with the supervisory authority in the performance of their duties.
4.5 The Processor shall inform the Controller without undue delay about control actions and measures of the supervisory authority insofar as they relate to this contract. This shall also apply insofar as a competent authority investigates in the context of administrative offence or criminal proceedings with regard to the processing of personal data during the commissioned processing at the Processor.
4.6 The Processor shall support the Controller to the extent necessary in the event that the Controller is subject to an inspection by the supervisory authority, administrative offence or criminal proceedings, the liability claim of a data subject or a third party or any other claim in specific connection with the commissioned processing at the Processor.
4.7 The Processor shall support the Controller, to a reasonable extent, in its duty to respond to requests from data subjects exercising their rights.
5. Subprocessors
5.1 Subprocessor relationships within the meaning of this provision shall be understood to be those services which relate directly to the provision of the main service. This does not include ancillary services which the Processor uses, such as telecommunications services, postal/transport services, maintenance and user support or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Processor is obliged to conclude appropriate and legally compliant contractual agreements and to take control measures to ensure the data protection and data security of the Controller’s data also in the case of outsourced ancillary services.
5.2 It is not planned that subprocessors will be used for the provision of the services. The Processor shall have the general approval of the Controller for the future engagement of subprocessors, which shall be included in a list. The Processor shall expressly inform the Controller in writing in advance of any intended changes to this list by adding or substituting subprocessors and shall allow the Controller sufficient time to object to these changes before commissioning.
5.3 The disclosure of personal data of the Controller to the subprocessor and its initial activity shall only be permitted once all the prerequisites for subcontracting have been met.
5.4 If the subprocessor provides the agreed service outside the EU / EEA, the Processor shall ensure that it is admissible under data protection law by taking appropriate measures – in particular by concluding contracts in accordance with the current standard contractual clauses of the EU Commission. All contractual regulations on commissioned processing must also be imposed on other subprocessors.
6. Controller’s rights of supervision
6.1 The Processor shall ensure that the Controller is able to convince itself of the Processor’s compliance with its obligations pursuant to Art. 28 GDPR. The Processor undertakes that it will provide the Controller with all necessary information to prove compliance with the agreed obligations.
6.2 The Processor shall enable audits to be carried out by the Controller or by another auditor commissioned by the Controller, insofar as the necessity is demonstrated by the Controller.
7. Notification of infringements and information obligations of the Processor
7.1 The Processor shall assist the Controller, taking into account the nature of the processing and the information available to the Processor, in complying with the obligations referred to in Articles 32 to 36 of the GDPR regarding the security of personal data, data breach notification obligations, data protection impact assessments and prior consultation.
7.2 The Processor shall inform the Controller without delay if it is of the opinion that an instruction violates data protection regulations. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller.
8. Deletion and return of data
8.1 Copies or duplicates of the data shall not be made without the Controller’s knowledge. This does not apply to backup copies, insofar as they are necessary to ensure proper data processing, as well as data required with regard to compliance with statutory retention obligations.
8.2 Upon completion of the provision of the Processing Services, the Processor shall, at the Controller’s option, either delete or return all personal data and existing copies, unless there is an obligation under Union or Member State law to retain the personal data.
8.3 Documentation which serves as proof of the orderly and proper processing of data shall be retained by the Processor beyond the end of the contract in accordance with the respective retention periods.