
Data processing agreement (DPA)

Effective date, October 31st 2022

privacy@getfeebee.io

 

Data Processing Agreement (“DPA”) for Feebee, a product of Feebey UG.

 

1. Introduction  

This document outlines the steps regarding the processing of Personal Data (the “Data Processing Agreement” or “DPA”) and regulates Feebey UG, c/o Pettenkoferstr. 8a, 10247 Berlin, Germany (the “Data Controller”), in the processing of personal data.

 

2. Legislation 

The Data Processing Agreement highlights that Feebey UG (the “Data Controller”) complies, at all times, with the applicable Data Protection legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (“GDPR”). 

 

3. Processing of Personal Data  

3.1 Purpose: The purpose of the processing of Personal Data is to enable the provision of the Services by the Data Controller.

3.2 In connection with the Data Controller’s delivery of the Services, the  Data Controller will process certain categories and types of the customer’s personal data.

3.3 Personal data includes “any information relating to an identified or identifiable natural person  (‘data subject’)” as defined in GDPR, Article 4(1) (“Personal Data”). The Data Controller only performs processing activities that are necessary and relevant to perform the Services for the customer. 

3.4 The Data Controller shall have and maintain a register of processing activities (“ROPA”) in accordance with GDPR, Article 30. That record shall contain a general description of the security measures implemented by the Data Controller, both technical (such as encryption) and organisational (such as restricting who has access to systems), in order to protect the data; d) the categories of processing being carried out (“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”); and, if the Data Controller transfers data outside of the EEA/EU Commission approved jurisdictions, the Data Controller will document where the data is being transferred to and the safeguards determined to be in place to protect that data.

3.5 The Data Controller may only act and process the Personal Data in accordance with the BfDI (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit), unless required by law, court order or legislative measure, to act without such instruction.

3.6 The Data Controller may only process the Personal Data with the purpose of delivering the Services as described. 

3.7 The Data Controller will be required to inform the BfDI of any instruction that it deems to be in violation of Applicable Law and shall not execute the instructions until they have been confirmed as appropriate or modified as required.

 

4. Data Controller’s Obligations  

4.1 Confidentiality of Personal Data 

4.1.1 The Data Controller shall treat all Personal Data as strictly confidential information. 

4.1.2 The Data Controller’s employees/sub-contractors and/or any agents shall be subject to  the same obligation of confidentiality that ensures that all such parties shall treat all the Personal Data under this DPA with the strictest confidentiality.  

4.1.3 Personal Data will only be made available to employees/sub-contractors and/or any  agents that require access to such Personal Data for the delivery of the Services under the Original Contractual Agreement and this DPA.  

4.2 The Data Controller is responsible for ensuring that employees/sub-contractors and/or any  agents processing the Personal Data only process the Personal Data in accordance with the  Instruction. Nothing in this DPA or original Agreement(s) relieves the Data Controller of its own  direct responsibilities and liabilities under the Applicable Law. 

4.3 Security of Personal Data 

4.3.1 The Data Controller shall implement the appropriate technical and organizational measures as set out  in this Agreement and in the Applicable Law, including in accordance with GDPR Article 32. Parties  need to specifically consider the risks that are presented by their processing, in particular from  accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed. 

4.3.2 The security measures are subject to continued development. The Data Controller may update or modify the security measures from time to time provided that such updates and modifications do not result in the degradation of the overall security.

4.3.3 The Data Controller shall provide documentation detailing and confirming the Data Controller’s security measures if requested to do so by the BfDI.

 

5. Rights of Data Subjects  

If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and satisfactory reply to such request necessitates the Data Controller’s input and assistance, they shall assist by providing the necessary information and documentation as soon as possible. 

The Data Controller shall be allowed a reasonable timeframe to assist with such requests in accordance with the Applicable Law.  

 

6. Personal Data Breaches  

6.1 The Data Controller shall give immediate notice to the BfDI (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) if a breach occurs that could lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed regarding the Personal Data processed.

6.2 The Data Controller shall make reasonable efforts to identify the cause of such a breach  and take whatever steps are deemed necessary to establish the cause, and to prevent such a  breach from reoccurring. 

 

7. Data Transfers  

7.1 Data Transfers Generally  

7.1.1 In the usual course of Business, the Data Controller will not transfer data, which was transferred from the Data Subject to the Data Controller for processing purposes, to countries outside the European Economic Area (“EEA”) or those approved for the purposes of  Applicable Law by the EU Commission (“Commission Approved Territories”).  

7.1.2 In some cases, personal data may be saved on storage solutions that have servers outside the European Economic Area (EEA) or Commission Approved territories, [for example,  Dropbox or Google]. Only those storage solutions that provide secure services with adequate relevant safeguards will be utilized by the Controller. 

7.2 Data Transfers to Sub-processors

7.2.1 The Data Controller has general authorisation to engage third-parties to process  Personal Data (“Sub-processors”).

7.2.2 The Data Controller shall complete a written sub-processor agreement with any Sub-processors/contractors. Such an agreement shall at a minimum provide the same data protection obligations as the ones applicable to the Data Controller under Applicable Law. The Data Controller shall, on an ongoing basis, monitor and control its Sub-processors’/contractors’ compliance with the Applicable Law.

7.2.3 The Data Controller is accountable for any action(s) of the Sub-processor/contractor in the same way as for its own acts and/or omissions.

7.2.4 The Data Controller is, at the time of entering into this DPA, using the Sub-processors/contractors listed in Appendix A.

 

8. Contact 

The Data Controller can be contacted at privacy@getfeebee.io.

 

9. Governing Law and Jurisdiction  

9.1. This DPA shall be governed and interpreted in accordance with the laws of Germany and the European Union. The BfDI (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) is the governing body in Germany.
 

10. Miscellaneous Provisions 

10.1. Nothing in this DPA shall in any way reduce the obligations directly applicable to the Data Controller under the GDPR and the applicable law. 

10.2. Data Controller’s liability under this DPA is not subject to any limitations of liability.


 

Appendix A 

 

Sub-processor

1.1 The following Sub-processors are used by the Data Controller:

 

  1. Amazon Web Services (Server hosting)

  2. Google Cloud Services (Google Workspace incl. emails, Google Drive)

  3. App for Slack (App for Slack service)

  4. Wix Website Services (Cookies etc)
