Contracting Party (hereinafter "Controller")
and fraud0 (hereinafter "Processor")
for the processing of personal data acting on behalf of a third party ("Agreement"). Definitions in the General Terms and Conditions or the service description also apply to this Data Processing Agreement. Definitions in this Data Processing Agreement apply only to this Data Processing Agreement. The company referred to as "fraud0" is listed as fraud0 GmbH, Sendlingerstraße 7, 80331 Munich, Germany.
1.1 Subject of the Agreement
The subject of the Agreement is the collection, administration, documentation and transfer of traffic and quality classification of the Controller’s users. For this purpose, the Processor is processing personal data for the Controller within the meaning of Art. 4 No. 2 and Art. 28 GDPR on the basis of the General Terms and Conditions.
1.2. Duration of the Agreement
The duration of this Agreement (term) shall correspond to the duration of the main Contract.
2.1. Type of Data
Subject of the collection, processing and / or use of personal data are the following data:
- Customer data: Login Data
2.2. Categories of Data Subjects
The categories of data subjects affected by the processing of their personal data within the scope of this Agreement include:
- Website visitors or app users
- Customers / Registered users
3.1. The data is handled exclusively within the framework of the agreements made and in accordance with documented instructions from the Controller (cf. Art. 28 Para. 3 lit. a GDPR). Within the scope of the description of the data processing mandate in this Agreement, the Controller reserves the right to issue comprehensive instructions on the type, scope and procedure of data processing, which he can specify in more detail by means of individual instructions. Changes to the object of processing and procedural changes are to be jointly agreed and documented. Any additional expenses incurred are to be remunerated by the Controller on a time and material basis. The Processor may only provide information to third parties or the person concerned with the prior written consent of the Controller.
3.2. Oral instructions will be confirmed by the Controller immediately in writing or by e-mail (in text form). The Processor shall not use the data for any other purposes and shall in particular not be entitled to pass them on to third parties. Excluded from this are back-up copies, insofar as they are necessary to ensure proper data processing, as well as data which is necessary in order to comply with legal obligations under Union law or the law of an EU member state, and to comply with retention obligations.
3.3. The Processor must inform the Controller without delay in accordance with Art. 28 para. 3 subpara. 2 GDPR if it believes that an instruction violates data protection regulations. The Processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or amended by the person responsible at the Controller.
3.4. The processing of the Controller data by the Processor takes place within the EU / EEA. The Processor shall be obliged to inform the Controller prior to the commencement of the processing of the Controller's data of a legal obligation of the Processor to carry out the processing of the Controller's data at another location, unless such notification is prohibited by law. The processing and / or transfer to a third country outside the territory of the EU / EEA or to an international organization requires the prior written consent of the Controller. In this case, the Processor shall also be obliged to ensure an adequate level of data protection at the place of data processing in accordance with the applicable statutory provisions and the interpretations thereof by courts and authorities or, at the Controller's option, to give the Controller the opportunity to ensure an adequate level of data protection, including by concluding or acceding to standard EU contractual clauses.
The Processor shall ensure that employees involved in the processing of personal data and other persons working for the Processor are prohibited from processing the personal data outside the scope of the instruction. Furthermore, the Processor shall ensure that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal obligation of secrecy. The confidentiality / secrecy obligation shall continue to exist after the termination of the Agreement.
5.1. Within his area of responsibility, the Processor shall design the internal organisation in such a way that it meets the special requirements of data protection. He will take appropriate technical and organisational measures to protect the personal data of the Controller which meet the requirements of Art. 32 GDPR. In particular, the technical and organisational measures are to be taken in such a way that the confidentiality, integrity, availability and resilience of the systems and services in connection with data processing are permanently guaranteed. These technical and organisational measures are described in Annex 1 of this agreement. The Controller is aware of these technical and organisational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed.
5.2. The technical and organisational measures are subject to technical progress and further development. In this respect the Processor is permitted to implement alternative adequate measures. In doing so, the safety level of the specified measures may not be undercut. Significant changes must be documented.
6.1. The engagement and/or change of Subprocessors by the Processor is only allowed with the consent of the Controller. The Controller agrees to the engagement of Subprocessors as follows:
6.2. The Processor shall design the contractual arrangements with the Subprocessor(s) in such a way that they contain the same data protection obligations as defined in this Agreement, taking into account the nature and extent of data processing within the scope of the Subcontract. The Subprocessor's commitment must be made in writing or in electronic format.
6.3. Subcontracting relationships within the meaning of this provision do not include services which the Processor uses with third parties as ancillary services to support the execution of the Agreement. These include, for example, telecommunications services, maintenance and user service, cleaning staff, inspectors or the disposal of data media. However, the Processor is obliged to make appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the Controller's data, even in the case of ancillary services contracted out to third parties.
7.1. The Processor shall support the Controller within the scope of its possibilities in meeting the requests and claims of affected persons in accordance with Chapter III of the GDPR.
7.2. The Processor shall only provide information about the data processed in the order, correct or delete such data or restrict data processing accordingly, if instructed to do so by the Controller. If a data subject contacts the Processor directly for information, correction or deletion of his/her data or with regard to the restriction of data processing, the Processor shall forward this request to the Controller without delay.
8.1. The Processor shall assist the Controller in complying with the obligations regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations as set out in Articles 32 to 36 GDPR.
8.2. With regard to possible notification and reporting obligations of the Controller according to Art. 33 and Art. 34 GDPR the following applies: The Processor is obliged (i) to inform the Controller immediately of any violation of the protection of personal data and (ii) in the event of such a violation, to provide the Controller with appropriate support, if necessary, in its obligations under Art. 33 and 34 GDPR (Art. 28 para. 3 sentence 2 lit. f GDPR). Notifications pursuant to Art. 33 or 34 GDPR (notifications and reports of violations of personal data protection) for the Controller may only be carried out by the Processor following prior instructions pursuant to Section 3 of this Agreement.
8.3. If the Controller has an obligation to notify or report in the event of a security incident, the Processor is obliged to support the Controller at the Controller's expense.
9.1. To the extent required by law, the Processor shall appoint a data protection officer, who carries out his activities in accordance with Articles 38 and 39 GDPR and §§ 38, 6 BDSG. His contact details will be provided to the Controller for the purpose of direct contact upon request.
9.2. The Processor shall inform the Controller immediately of control actions and measures taken by the supervisory authority pursuant to Art. 58 GDPR. This shall also apply if a supervisory authority is investigating the Processor in accordance with Art. 83 GDPR.
9.3. The Processor shall monitor proper performance and fulfilment of the contract by means of regular self-inspections, in particular adherence to, and where required the necessary adjustment of, the regulations and measures for the execution of the contract.
10.1. The Controller has the right to request the information required under Art. 28 Para. 3 h) GDPR to prove that the Processor has complied with the agreed obligations and to carry out inspections in agreement with the Processor or to have them carried out by auditors to be appointed in individual cases.
10.2. The parties agree that the Processor is entitled to submit convincing documentation to the Controller in order to prove adherence to his obligations and implementation of the technical and organizational measures. Convincing documentation can be provided by presenting a current audit certificate, reports or report extracts from independent institutions (e.g. auditors, auditing, data protection officer), appropriate certification through an IT security or data protection audit (e.g. ISO 27001) or certification approved by the responsible supervisory authorities.
10.3. This shall not affect the right of the Controller to conduct on-site visits. However, the Controller shall consider whether an on-site inspection is still necessary after submission of meaningful documentation, in particular taking into account the maintenance of the Processor's regular business operations.
10.4. The Controller has the right to assure himself of the Processor's compliance with this Agreement in his business operations by means of spot checks, which as a rule must be announced in good time. The Processor is committed to provide the Controller, upon request, with the information required to comply with his obligation to carry out inspections and to make the relevant documentation available.
At the discretion and request of the Controller, at the latest upon termination of the contract, the Processor shall hand over to the Controller all documents, processing and operating outputs as well as data resources that have come into his possession in the context of the contractual relationship, or destroy them in accordance with data protection laws after prior approval. The same applies to test and scrap material. The protocol of the deletion must be presented on request.
Documentation which serves as proof of the orderly and appropriate data processing shall be kept by the Processor in accordance with the respective retention periods beyond the end of the contract. He may hand it over to the customer at the end of the contract to relieve himself of this obligation.
The parties' liability under this Agreement shall be governed internally by the liability provisions in the Processor's General Terms and Conditions, unless otherwise stated in the service description in the offer or in a separate agreement between the parties. For the external legal liability, the regulations according to Art. 82 GDPR apply.