Data Processing Agreement

Contract for Data Processing by chatarmin.com GmbH according to Art. 28 GDPR, 08.07.2024

Please note that the German version of this Data Processing Agreement is the original and is authoritative in case of any interpretation issues. Translations are provided for informational purposes only and are not legally binding.

Art. 28 GDPR sets specific requirements for data processing. To meet these special requirements, the contracting parties enter into this data processing contract in addition to the Terms of Service. It applies to all activities related to the main contract where employees of the contractor or agents of the contractor process personal data (hereinafter "data") of the client. The definitions of the GDPR apply.

The definitions of the GDPR apply.

1. Subject of the Contract and the Client's Right to Issue Instructions

1. The subject of this contract is the services of the contractor for the client in the area of communication via WhatsApp using the chatarmin solution. Additionally, reference is made to Appendix 1 of this contract and the Terms of Service. If the commissioned service changes, this data processing contract in Appendix 1 must be adjusted and supplemented accordingly.

2. The client, as the responsible party, is solely responsible for assessing the legality of the data processing according to the GDPR.

3. In providing the service, the contractor gains access to personal data and processes this data exclusively on behalf of and according to the instructions of the client, unless the contractor is required by Union or Member State law to process it otherwise.

4. The instructions of the client are specified in this contract and can be changed, supplemented, or replaced by the client in at least documented electronic format through individual instructions. If the contractor is required by European Union or Member State law to process data further, they will inform the client of these legal requirements before processing (Art. 28 para. 3 lit. a) GDPR).

5. If the contractor believes that an instruction from the client violates data protection regulations, they must inform the client immediately. The contractor is entitled to suspend the execution of the instruction until it is confirmed or modified by the client. The contractor may refuse to execute an obviously illegal instruction without facing negative consequences. The client is responsible for issuing legally valid instructions (Art. 28 para. 3 sentence 3 GDPR).

6. The term of this contract corresponds to the term of the main contract unless additional obligations or termination rights arise from the following provisions.

2. Technical and Organizational Measures

1. The contractor complies with legal data protection requirements. Information of the client will not be disclosed to third parties without explicit instruction from the client. Documents and data are secured against unauthorized access considering the state of the art.

2. The contractor organizes their internal operations to meet the special requirements of data protection and ensures that all necessary technical and organizational measures to protect the client's data according to Art. 32 GDPR are taken. Reference is made to Appendix 2.

3. The client reviews the technical and organizational measures of the contractor before data processing begins and regularly thereafter. Changes to the agreed security measures can be made as long as they do not fall below the contractually agreed protection level.

3. Confidentiality

The contractor and their employees are prohibited from processing personal data without authorization. The contractor commits all individuals involved in the processing and fulfillment of this contract to confidentiality. The confidentiality obligations remain even after the termination of this contract or the employment relationship between the employee and the contractor.

4. Contractor's Information Obligations

1. In case of disruptions, suspected data protection violations, breaches of contractual obligations by the contractor, suspected security incidents, or other irregularities in the processing of personal data by the contractor or their personnel, the contractor will inform the client immediately in writing or documented electronic format. The same applies to audits by the data protection supervisory authority concerning this contract.

2. The notification of a personal data protection breach to the client will include, if possible, the following information:

a) a description of the nature of the personal data breach, including the categories and approximate number of affected individuals and records, if possible;

b) a description of the likely consequences of the breach, and

c) a description of the measures taken or proposed by the contractor to address the breach and mitigate its possible adverse effects.

3. The contractor takes immediate measures to secure the data and mitigate possible adverse effects on the affected individuals, informs the client, and requests further instructions.

4. If the client's data at the contractor is endangered by seizure, attachment, insolvency, or similar events, the contractor will inform the client immediately unless prohibited by court or official order. The contractor will inform all relevant parties that the decision-making authority over the data lies solely with the client as the "controller" according to the GDPR.

5. The contractor supports the client with appropriate technical and organizational measures to fulfill their obligations under Art. 12 to 22 (Art. 28 para. 3 lit. e) GDPR) and Art. 32 to 36 GDPR (Art. 28 para. 3 lit. f) GDPR).

5. Client's Control Rights

1. The contractor agrees to provide the client with all information and evidence required to conduct an audit of the contractor's technical and organizational measures upon oral, written, or electronic request within a reasonable timeframe.

2. Inspections by the client or their auditors, who must not be competitors of the contractor, can be conducted during normal business hours with 14 days' notice. The client conducts audits only to the necessary extent and in a manner that does not unreasonably disrupt the contractor's operations. The contractor may charge for assistance during an inspection, as agreed in a separate contract.

6. Use of Subcontractors

1. The contractually agreed services or the following partial services are carried out with the involvement of subcontractors listed in Appendix 3. All subcontractors already involved and approved by the client at the time of the contract conclusion are listed in Appendix 3. The client grants general approval to involve additional subcontractors for processing client data (subcontractors). We are obliged to inform our clients in writing of any new or changing subcontractors. Additionally, we enter into comparable data processing agreements with all subcontractors. We notify our clients at least 14 days in advance in writing of any intended changes to this list by adding or replacing subcontractors, giving the controller sufficient time to object to these changes before the subcontractor is engaged. The right to object under Art. 28 para. 2 sentence 2 GDPR expires if no objection is raised in writing within 14 days after notification. In case of an objection, both parties have the right to terminate the main contract and this data processing agreement with three months' notice.

2. A subcontractor relationship under these provisions does not exist if the contractor engages third parties for ancillary services. These include, for example, postal, transport, and shipping services, cleaning services, telecommunication services without a direct connection to services provided to the client, and security services. Maintenance and inspection services constitute subcontractor relationships if provided for IT systems used in delivering services to the client.

7. Liability

The client and contractor are liable to affected individuals according to the provisions of Art. 82 GDPR.

8. Termination of the Main Contract

1. Upon termination of the main contract or at any time upon request by the client, the contractor will return all documents, data, and storage media provided by the client or, at the client's request, delete them unless there is a legal obligation to retain personal data. This also applies to any data backups held by the contractor. The contractor must provide documented proof of proper deletion of any remaining data.

2. The contractor is obliged to keep data confidential even after the termination of the main contract. This agreement remains valid as long as the contractor has personal data provided by or collected for the client.

9. Final Provisions

1. The parties agree that the contractor cannot claim any right of retention regarding the data to be processed or the associated data carriers.
2. Changes and additions to this agreement must be in writing or documented electronic format.
3. If any provision of this agreement is or becomes invalid or unenforceable, the validity of the remaining provisions remains unaffected, and the legal regulations of Art. 28 GDPR apply.
4. This agreement is governed by Austrian law. The exclusive place of jurisdiction is Vienna.

Appendices:

Appendix 1 – Description of affected individuals/groups and special data/data categories

Appendix 2 – Technical and organizational measures of the contractor

Appendix 3 – Subcontractors

Appendix 1 – Description of Affected Individuals/Groups and Special Data/Data Categories

Appendix 2 – Technical and Organizational Measures of the Contractor

Information on the technical and organizational measures taken

The following measures for confidentiality, integrity, availability, and resilience, as well as procedures for regular review, assessment, and evaluation, have been implemented.

1. Confidentiality

Confidentiality = Personal data must not be made available or disclosed to unauthorized persons or organizations.

a.) Access Control to Data Processing Facilities where Personal Data is Processed

= Measures to prevent unauthorized access to data processing facilities

Alarm system; securing premises, windows, shafts; security locks and key policies, as well as logging key issuance; video surveillance of building entrances; visitor log; locked doors when unattended.

b.) Access Control to Data Processing Systems

= Measures to prevent unauthorized use of data processing systems

Two-factor authentication where possible, and in part biometric authorization; login with username and password; password complexity rules; use of a password safe; automatic screen lock & password entry for re-access; use of antivirus software; active firewall for hardware and software; no use of USB sticks; encryption of smartphones/laptops/tablets; user permissions based on the need-to-know principle; careful selection of service providers; clean desk policy; no print policy.

c.) Access Control

= Measures to allow only authorized personnel to access data, covering processing, usage, and storage (no unauthorized reading, copying, alteration, or removal)

Logging access to data processing systems (e.g., logging input, changes, and deletion); encryption of smartphones; authorization concept (rules for request, approval, implementation, and revocation of permissions), including rules for access to data backups; rights management by system administrators, minimizing the number of administrators (need-to-know principle).

d.) Pseudonymization/Anonymization

= Storing data in pseudonymized form, meaning it cannot be directly linked to individuals without additional information

No access to contact data stored in chatarmin; locally hosted test data; use of dummy data; separation of assignment data stored in separate, secured systems; deleting or fully anonymizing personal data after the statutory retention period; end-to-end encryption.

e.) Separation Control

= Separating data from different clients

Logical tenant separation software-wise; logical separation (folder structure, structured file storage); separation of development, test, and production environments; no use of personal real data for testing purposes; maintaining separate databases; multi-tenancy; authorization concept; defining database rights.

2. Integrity

Ensuring accuracy, unaltered state, and completeness of personal data

a.) Transfer Control

= No unauthorized reading, copying, or alteration of data during electronic transmission or transport

No transmission of sensitive data via email; end-to-end encryption; ban on certain transfers (e.g., USB stick, CDs, tapes); transmission in anonymized/pseudonymized form; transfer only on a need-to-know basis; transmission of paper documents in sealed, opaque envelopes; https encryption on the website; careful selection of service providers.

b.) Input Control

= Ability to determine whether, when, and by whom personal data was entered, changed, or removed in data processing systems

Machine logging of changes; differentiated user permissions (read, change, delete); assigning individual usernames; logging administrative activities.

3. Order Control

Ensuring order- and instruction-based data processing. Client's data is processed only according to their instructions. A data processing contract has been signed for this purpose. Subcontractors are engaged only according to the contractual provisions.

4. Availability & Resilience

Protection against destruction and loss and ensuring data usability Using redundant systems; implementing a backup concept; redundant system landscape.

5. Regular Review, Assessment & Evaluation of the Implemented Technical and Organizational Measures

Continuous review of TOMs; maintaining a processing register; appointing a data protection officer – contact: Mag.a iur. Elisa Drescher, office@scaleline-ltd.com; employee training; documented processes for GDPR compliance (responding to access requests on time, reporting breaches to the supervisory authority); careful selection of service providers; implementation of the purpose limitation principle.

Appendix 3 - Approved Subcontractors

Approved subcontractors according to section 6 of this contract: