Data processing agreement (DPA)
Effective date, October 31st 2022
Data Processing Agreement (“DPA”) for Feebee, a product of Feebey UG.
Here we outline the steps regarding the processing of Personal Data (the “Data Processing Agreement” “DPA”) and it regulates Feebey UG c/o Pettenkoferstr. 8a, 10247 Berlin Germany (the “Data Controller”) in the processing of personal data.
The Data Processing Agreement highlights that Feebey UG (the “Data Controller”) complies, at all times, with the applicable Data Protection legislation (the “Applicable Law”), including in particular The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) (“GDPR”).
3. Processing of Personal Data
3.1 Purpose: The purpose of the processing of Personal Data is to enable the provision of the Services by the Data Controller.
3.2 In connection with the Data Controller’s delivery of the Services, the Data Controller will process certain categories and types of the customer’s personal data.
3.3 Personal data includes “any information relating to an identified or identifiable natural person (‘data subject’)” as defined in GDPR, Article 4(1) (“Personal Data”). The Data Controller only performs processing activities that are necessary and relevant to perform the Services for the customer.
3.4 The Data Controller shall have and maintain a register of processing activities (“ROPA”) in accordance with GDPR, Article 30. That record shall contain a general description of the security measures implemented by the Data Controller, both technical (such as encryption) and organisational (such as restricting who has access to systems), in order to protect the data; d) the categories of processing being carried out (“any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction”); and If the Data Controller transfers data outside of the EEA/EU Commission approved jurisdictions, Data Controller will document where the data is transferring to and the safeguards determined to be in place to protect that data.
3.5 The Data Controller may only act and process the Personal Data in accordance with the Bfdi (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit), unless required by law, Court order or legislative measure, to act without such instruction.
3.6 The Data Controller may only process the Personal Data with the purpose of delivering the Services as described.
3.7 The Data Controller will be required to inform the Bfdi of any instruction that it deems to be in violation of Applicable Law and shall not execute the instructions until they have been confirmed as appropriate or modified as required.
4. Data Controller’s Obligations
4.1 Confidentiality of Personal Data
4.1.1 The Data Controller shall treat all Personal Data as strictly confidential information.
4.1.2 The Data Controller’s employees/sub-contractors and/or any agents shall be subject to the same obligation of confidentiality that ensures that all such parties shall treat all the Personal Data under this DPA with the strictest confidentiality.
4.1.3 Personal Data will only be made available to employees/sub-contractors and/or any agents that require access to such Personal Data for the delivery of the Services under the Original Contractual Agreement and this DPA.
4.2 The Data Controller is responsible for ensuring that employees/sub-contractors and/or any agents processing the Personal Data only process the Personal Data in accordance with the Instruction. Nothing in this DPA or original Agreement(s) relieves the Data Controller of its own direct responsibilities and liabilities under the Applicable Law.
4.3 Security of Personal Data
4.3.1 The Data Controller shall implement the appropriate technical and organizational measures as set out in this Agreement and in the Applicable Law, including in accordance with GDPR Article 32. Parties need to specifically consider the risks that are presented by their processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.
4.3.2 The security measures are subject to continued development. The Data Controller may update or modify the security measures from time-to-time provided that such updates and modifications do not result in the degradation of the overall security.
4.3.3 The Data Controller shall provide documentation detailing and confirming the Data Controller’s security measures if requested to do so by the Bfdi.
5. Rights of Data Subjects
If the Data Controller receives a request from a data subject for the exercise of the data subject’s rights under the Applicable Law and the correct and satisfactory reply to such request necessitates the Data Controller’s input and assistance, they shall assist by providing the necessary information and documentation as soon as possible.
The Data Controller shall be allowed a reasonable timeframe to assist with such requests in accordance with the Applicable Law.
6. Personal Data Breaches
6.1 The Data Controller shall give immediate notice to the Bfdi (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) if a breach occurs that could lead to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to, personal data transmitted, stored or otherwise processed regarding the Personal Data processed.
6.2 The Data Controller shall make reasonable efforts to identify the cause of such a breach and take whatever steps are deemed necessary to establish the cause, and to prevent such a breach from reoccurring.
7. Data Transfers
7.1 Data Transfers Generally
7.1.1 In the usual course of Business, the Data Controller will not transfer data, which was transferred from the Data Subject to the Data Controller for processing purposes, to countries outside the European Economic Area (“EEA”) or those approved for the purposes of Applicable Law by the EU Commission (“Commission Approved Territories”).
7.1.2 In some cases, personal data may be saved on storage solutions that have servers outside the European Economic Area (EEA) or Commission Approved territories, [for example, Dropbox or Google]. Only those storage solutions that provide secure services with adequate relevant safeguards will be utilized by the Controller.
7.2 Data Transfers to Sub-processors
7.2.1 The Data Controller has general authorisation to engage third-parties to process Personal Data (“Sub-processors”).
7.2.2 The Data Controller shall complete a written sub-processor agreement with any Sub processors/contractors. Such an agreement shall at a minimum provide the same data protection obligations as the ones applicable to the Data Controller under Applicable Law. The Data Controller shall, on an ongoing basis, monitor and control its Sub-processors/contractors compliance with the Applicable Law.
7.2.3 The Data Controller is accountable for any action(s) of the Sub processor/contractor in the same way as for its own acts and/or omissions.
7.2.4 The Data Controller is, at the time of entering into this DPA using the Sub processors/contractors listed in Appendix A.
The data Controller can be contacted at firstname.lastname@example.org
9. Governing Law and Jurisdiction
9.1. This DPA shall be governed and interpreted in accordance with the laws of Germany and the European Union. The Bfdi (Der Bundesbeauftragte für den Datenschutz und die Informationsfreiheit) is the governing body in Germany.
10. Miscellaneous Provisions
10.1. Nothing in this DPA shall in any way reduce the obligations directly applicable to the Data Controller under the GDPR and the applicable law.
10.2. Data Controller’s liability under this DPA is not subject to any limitations of liability.
1.1 The following Sub-processors are used by the Data Controller
Amazon Web Services (Server hosting)
Google Cloud Services (Google Workspace inc emails, google drive)
App for Slack (App for Slack service)
Wix Website Services (Cookies etc)