Data Processing Addendum
This Data Processing Addendum supplements the Userlane Master Subscription Agreement / Terms of Service concluded by and between the Customer (referred to as “Customer” or “Controller” hereinafter) and Userlane GmbH, Rosenheimer Str. 143c (10th floor), 81671 Munich, Germany (referred to as “Processor” hereinafter).
This document can be printed for reference by using the print command in the settings of any browser.
This Data Processing Addendum (hereinafter: “Agreement” or “DPA”) specifies the contractual parties’ obligations under data protection law resulting from the Processor’s data processing on behalf of the Customer based on Userlane Master Subscription Agreement / Terms of Service (hereinafter: “Main Contract”) concluded between the parties.
Section 1 Object of the DPA; Controller Instructions
1) The Processor processes the Customer’s personal data. Type and purpose of this data processing can be consulted in Schedule 1 of this Agreement and in the Main Contract.
2) The Customer is authorised to issue instructions to the Processor regarding the data processing. In principle, instructions are to be issued in text form. If, on an exceptional basis, instructions are given verbally, they are to be subsequently documented in writing in text form without delay by the Customer. The Processor and all the Processor’s subordinates with access to personal data may only process the data that are the object of this Agreement further to the Customer’s instruction, including the powers granted in this Agreement, unless they are legally obliged to do the processing. The Processor shall inform the Customer without delay if they believe that an instruction violates data protection regulations. The Processor shall be entitled to defer the execution of the instruction in question until such time as it is confirmed or changed by the Customer.
Section 2 Obligations of the Processor
1) The Processor shall structure in-house organisation in a manner complying with data protection requirements. Processor shall enact technical and organisational measures that meet the requirements of the General Data Protection Regulation (Art. 32 GDPR).
2) In executing the work, the Processor shall only use employees that have been familiarised with the relevant data protection regulations and properly obligated to maintain secrecy (Art. 28 Para. 3 Clause 2 lit. b and Art. 29 GDPR).
3) In Schedule 2, the Processor has documented the implementation of the technical and organisational measures needed for the specific performance of this Agreement. The Customer is familiar with these technical and organisational measures and is responsible to evaluate that these measures are offering adequate risk protection for the data to be processed.
4) The technical and organisational measures are subject to technical progress and development. The Processor is permitted to implement adequate alternative measures assuming that the security level of the measures according to Schedule 2 may not be undercut. Important changes are to be documented.
5) The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III GDPR. This includes responding to data subjects’ inquiries concerning either the Controller’s information obligation, their right of access, their right of rectification, erasure, restriction of processing, data portability and related communication obligations of the Controller, or the right to object to automated decisions, including profiling, if the data subject asserts any such rights. Furthermore, the Processor will assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 taking into account the nature of processing and the information available to the Processor.
6) Where a data subject contacts the Processor with one of his rights under Chapter III GDPR, Processor may only provide information about personal data from the contractual relationship after prior instruction in accordance with Section 1 of this Agreement or upon prior approval by the Controller.
7) Contact details of the Processor’s data protection officer and the internal representative are mentioned in Schedule 3.
Section 3 Customer and Supervisory Authority Controls
1) If, on a case-by-case basis, it should become necessary for the Customer to inspect the technical organisational measures, such inspections will be conducted during normal working hours, without disturbance to operations, further to prior notification and allowing for an appropriate lead time.
2) The Processor may make inspection contingent upon the signing of a confidentiality agreement regarding the data of other customers, and the technical and organisational measures established, if the Customer does not commission an investigator who is under a secrecy obligation for legal reasons and/or for reasons of professional law.
3) If the investigator commissioned by the Customer is in competition with the Processor, the Processor shall have veto power.
4) If a data protection supervisory authority or another of the Customer’s sovereign supervisory authorities wants to inspect the data processing, the Processor will support the Customer. The above paragraphs apply accordingly.
Section 4 Correction, Restriction, and Deletion of Data
1) The Processor may only delete or restrict the processing of the data to be processed under the terms of this Agreement if this is provided for in the Main Contract or in this Agreement or if the Customer issues a corresponding instruction. If a data subject addresses the Processor directly with a wish for deletion, this request shall be transmitted without delay to the Customer by the Processor.
2) After the end of this DPA, all personal data that are the object of this Agreement shall either be deleted or returned by the Processor, at the Customer’s request, to the extent that there are no obligations for storage of the personal data under applicable statutory provisions.
3) Copies or duplicates of the data will not be issued without the Customer’s knowledge. Processor is entitled to create backups, to the extent needed to ensure proper data processing. Processor is also entitled to process data needed to meet statutory retention requirements.
Section 5 Subcontractors
1) In terms of this provision, sub-contractual relations entail those services that relate directly to provision of the main service. This does not include ancillary services availed of by the Processor, e.g., telecommunications services, postal/transport services, maintenance and user service, or disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity, and capacity of the hardware and software of the data processing equipment. However, in order to ensure the protection and safety of the Customer’s data in outsourced ancillary services as well, the Processor is bound to conclude appropriate and legally compliant contractual agreements and to take control measures.
2) The Processor may only commission sub-contractors (additional contract processors) with the prior approval of the Customer, or pursuant to information from the Customer that corresponds to the requirements of Art. 28 Para. 2 s.2 GDPR. Consent shall be deemed to have been granted and the new subcontractors shall be deemed to have been approved if the Customer does not object either in writing or by e-mail within one month of receipt of the notice of amendment. The Customer will be particularly informed of this consequence by the Processor as part of the notification of amendment. The Customer hereby approves the subcontractors named in www.userlane.com/subprocessors.
3) If the Customer objects to any new subcontractor, the Processor is not allowed to include this subcontractor in processing Customer’s data. As a consequence of Customer’s objection, Parties shall be entitled to terminate the Main Contract with a one-month notice period without Processor being obliged to refund any paid license fees.
Section 6 Remuneration
Remuneration for all of the Processor’s activities is not part of this Agreement but is based solely on the Main Contract.
Section 7 Term
This Agreement shall apply in this form upon signature of the Main Contract. This Agreement shall end upon the full implementation of the measures described in Schedule 1, without requiring a notice of termination by one of the parties, or with the end of the Main Contract.
Section 8 Final provisions
1) Changes and supplements to this DPA require written form or text form. This shall also apply to a waiver of this form requirement.
2) This Agreement shall also apply if and insofar as authorities or courts deviate mutatis mutandis from a joint responsibility of the contracting parties pursuant to Art. 26 GDPR.
Subject Matter, Type, and Scope of Data
Technical and organizational measures
Data Protection Contact Details
Data Protection Coordinator: Marina Hoffmann – Information Security Officer
Data Protection Officer: DataCo GmbH