Data Processing Agreement (DPA)

    Legal Notice

    This English version is a translation for convenience only. The German version is legally binding.

    § 1 Subject Matter, Instructions, Duration

    1.1: The processor processes personal data exclusively for the provision of contractually agreed services upon documented instruction of the controller in accordance with this contract and applicable data protection law, in particular Art. 28 GDPR, and only makes corrections to unlawful instructions after consultation.

    1.2: The purpose of processing is the provision and management of the cloud-based e-learning platform including user management, course delivery, certificate issuance, support, operational security, error analysis, and logging, insofar as required for service provision.

    1.3: Contract commencement is the conclusion of the main contract; contract termination corresponds to its termination.

    1.4: After termination of the main contract, the processor deletes all personal data processed under this contract, unless there is a legal retention obligation; prior to deletion, a return in a common, machine-readable format is made upon documented instruction of the controller, and data backups are overwritten in the regular rotation cycle without restoration for other purposes.

    1.5: The processor immediately informs the controller if, in its opinion, an instruction violates data protection law and suspends implementation until confirmation or adjustment.

    § 2 Type and Purpose of Processing, Categories, Data Subjects

    2.1: Type/Purpose of processing includes in particular: management of user accounts, delivery of e-learning measures, recording and documentation of course and certificate data, operational security, support, error analysis, and logging to the extent required for the service.

    2.2: Data subjects: employees and administrators of the controller as well as other natural persons who access or use the platform, insofar as provided by the controller.

    2.3: Data categories: identity and contact data (e.g., name, email), course assignment, learning progress, certificate status, organizational assignment (if transmitted), support/ticket data, technical log data, usage metadata (timestamps, success/error), only insofar as required for service provision.

    2.4: Processing of special categories of personal data is generally not intended within the scope of service provision; processing only occurs exceptionally upon express, documented instruction of the controller and with appropriate additional protective measures.

    § 3 Processing According to Instructions, Confidentiality, TOM, Emergency Measures

    3.1: The processor processes personal data exclusively upon documented instructions of the controller, as they result from the main contract and this DPA, as well as within the scope of mandatory legal obligations.

    3.2: The processor ensures that only authorized persons have access to personal data and that these persons are bound to confidentiality and only process data upon instruction.

    3.3: The processor implements and maintains appropriate technical and organizational measures (TOM) pursuant to Art. 32 GDPR to ensure a level of protection appropriate to the risk. The current TOM are set out in Annex 1. The processor is entitled to adapt the TOM provided that the overall security level is not reduced thereby.

    3.4: The processor considers data protection by design and by data protection-friendly default settings and maintains a record of processing activities if required by law.

    3.5: In case of imminent threat to confidentiality, integrity, or availability, the processor may take immediate, purely technical-organizational emergency measures to prevent/limit the risk without changing purposes or essential means of processing and without involving new recipients, and immediately informs the controller about the incident and measures.

    § 4 Obligations and Rights of the Controller

    4.1: The controller is responsible for the lawfulness of processing, fulfillment of information obligations, and safeguarding of data subject rights and ensures the accuracy and currency of transmitted data.

    4.2: The controller designates authorized instruction givers in text form and ensures clear, documented instructions.

    4.3: Each party designates a contact person who is authorized to respond to requests regarding personal data and processes corresponding requests immediately.

    § 5 Subprocessing Relationships

    5.1: General Authorization and List: The controller hereby grants general authorization for the engagement of subprocessors. The processor maintains in Annex 2 a continuously updated list of the subprocessors it employs ("List of Subprocessors"). The controller is advised to review this list regularly.

    5.2: New Subprocessors and Right to Object: The processor informs the controller in text form (e.g., by email) about any intended addition or replacement of a subprocessor by updating the list of subprocessors and pointing out the change. The controller may object to the change within fourteen (14) days after receipt of the notification for an important, data protection-related reason. If no objection is made within the deadline, the change is deemed approved.

    5.3: Procedure in Case of Objection: In case of a justified objection, the parties will cooperate to find a solution acceptable to both sides. If no agreement is reached within a reasonable period, the controller is entitled to terminate the affected service with immediate effect.

    5.4: Contractual Obligations and Liability: The processor concludes with each subprocessor a contract that essentially imposes the same data protection obligations that also apply to the processor under this DPA. The processor remains fully responsible for the actions and omissions of its subprocessors.

    § 6 Support of the Controller

    6.1: The processor supports the controller, insofar as possible and appropriate, in fulfilling requests of data subjects for information, rectification, deletion, restriction, objection, and data portability.

    6.2: Taking into account the nature of processing and available information, the processor supports the controller in data protection impact assessments, in notifications to supervisory authorities and communications to data subjects in case of a personal data breach, as well as in compliance with security requirements.

    6.3: Reasonable, verifiable additional costs for support services that go beyond usual support are borne by the controller, insofar as legally permissible.

    § 7 Notification of Data Breaches

    7.1: The processor immediately informs the controller upon becoming aware of any breach of personal data protection that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, and provides appropriate information as soon as it becomes available.

    7.2: As soon as the information is available, the notification includes in particular: possible causes and consequences, categories of affected personal data, possible impacts on data subjects, a summary of unauthorized recipients, and measures taken to limit damage.

    7.3: Public Disclosure: The processor does not make any public disclosure of a personal data breach without prior written consent of the controller, unless this is legally required.

    § 8 Return and Deletion of Data

    8.1: After contract termination, the processor deletes all personal data that it has processed under this contract, unless there is a legal retention obligation; upon documented instruction, it provides a return in a common, machine-readable format beforehand.

    8.2: Data backups are overwritten within the regular rotation cycle; restoration for other purposes is excluded, and the processor confirms deletion upon request to an appropriate extent.

    § 9 Evidence and Control Rights (Audit)

    9.1: The processor provides the controller upon written request at reasonable intervals with the necessary information to demonstrate compliance with its obligations under this DPA. This demonstration is primarily made by presenting suitable, current certifications or independent audit reports.

    9.2: The controller is entitled to verify compliance with this DPA by the processor. Should the processor not comply with a reasonable and justified instruction of the controller regarding a more extensive review or inspection, the controller is entitled to extraordinarily terminate this DPA and the underlying main contract with a notice period of thirty (30) days. Further claims of the controller due to the rejection of the instruction are excluded.

    9.3: Each party bears its own costs; extraordinary additional effort of the processor may be charged after prior announcement to an appropriate extent.

    § 10 Liability

    10.1: Legal liability regulations, in particular Art. 82 GDPR, remain unaffected; claims of data subjects under Art. 82 GDPR are neither excluded nor limited, nor is liability for intent, gross negligence, or violation of life, body, or health.

    10.2: Otherwise, the amount-based liability limitation agreed in the main contract applies between the parties for contractual and pre-/collateral contractual claims; it does not cover official fines insofar as indemnification is legally impermissible.

    10.3: Liability for data loss is limited to the typical recovery effort that would have arisen with proper data backup, insofar as mandatory law does not oppose this.

    § 11 Miscellaneous

    11.1: Changes and additions to this contract require text form; this also applies to the change of this form requirement.

    11.2: Place of jurisdiction and performance is Rüsselsheim am Main, insofar as legally permissible.

    11.3: Contact person for data protection at the processor: datenschutz@conformitas.legal; insofar as there is an obligation to designate a data protection officer, their contact details will be communicated upon request.

    11.4: In case of contradictions between this DPA and the main contract, the regulations of this DPA take precedence regarding data protection obligations.

    11.5: No Own Purposes/No Sale: The processor does not sell personal data and does not store, use, or disclose them for any purpose other than the provision of contractually agreed services, unless this is legally required.

    11.6: No Third-Party Rights: This DPA does not establish rights of third parties as beneficiaries and is intended exclusively for the benefit of the parties and their permissible legal successors and assignees.

    11.7: Third-Party Requests: If the processor receives a request from a government or law enforcement authority regarding the controller's personal data, it will refer the requesting party to the controller. If such referral is legally impermissible or fails, the processor will, insofar as legally permissible, immediately inform the controller about the request to give it the opportunity to take legal action. If the processor is legally obligated to disclose, it will only disclose the data absolutely necessary for fulfilling the legal obligation.

    Annex 1: Technical and Organizational Measures (TOM) pursuant to Art. 32 GDPR

    The processor Conformitas Legal GmbH has implemented the following technical and organizational measures to ensure an appropriate level of protection commensurate with the risk. The measures are based on Art. 32 GDPR and are regularly reviewed and adapted. Changes are possible as long as the overall security level is maintained.

    1. Confidentiality (Art. 32(1)(b) GDPR)

    1.1 Physical Access Control

    Business and office premises are secured with locking systems. Visitors are only granted access after registration and accompaniment. The server infrastructure is located in certified data centers within the EU with standardized access controls.

    1.2 System and Data Access Control

    Access to systems is exclusively through individual user accounts with passwords. Password policies (minimum length, complexity) are enforced. Role-based permissions (RBAC) ensure that employees only have the access rights they need. Sessions are locked automatically after a period of inactivity.

    1.3 Separation Control

    The data of different customers is logically separated. Test and production systems are operated separately. Permissions for databases are granted centrally.

    2. Integrity (Art. 32(1)(b) GDPR)

    2.1 Transfer Control

    Data transmissions are exclusively via encrypted connections (TLS, VPN). Data is only shared with documented and contractually bound recipients.

    2.2 Input Control

    Changes and inputs in databases are logged. User activities are traceable through individual usernames. Logs are kept for an appropriate period.

    3. Availability and Resilience (Art. 32(1)(b) GDPR)

    3.1 Availability Control

    Regular backups are created and stored encrypted. Redundant systems are used as far as economically reasonable.

    3.2 Restorability (Disaster Recovery)

    Backups are spot-checked. Disruptions are recorded and processed through an internal procedure.

    4. Procedures for Review and Evaluation (Art. 32(1)(d) GDPR)

    The effectiveness of the measures is regularly reviewed. IT systems are tested for vulnerabilities through internal controls. External security reviews or penetration tests are conducted as needed. Employees receive basic training in data protection and information security.

    Annex 2: Approved Subprocessors

    Pursuant to Section 5 of the Data Processing Agreement, the controller grants general approval for the engagement of the subprocessors listed below. Conformitas GmbH informs the controller of any intended changes (addition or replacement) in accordance with the contractual agreements to give the controller the opportunity to object.

    Table of Subprocessors

    | Company / Name of Subprocessor | Purpose of Processing / Service | Location of Processing / Access |
    |---|---|---|
    | Cloudflare, Inc. | Content Delivery Network (CDN), DDoS Protection, Website Hosting | Global Network, including USA |
    | Supabase, Inc. | Backend as a Service | EU (Frankfurt), USA. Access from USA for support purposes is possible. |
    | Resend, Inc. | Sending of transactional emails | USA |
    | Zoho Corporation Pvt. Ltd. | Customer Relationship Management (CRM) | EU (e.g., Frankfurt). Access from third countries (e.g., India, USA) for support purposes is possible. |
    | Twilio, Inc. | Communication API (Telephony) | USA, EU. Access from USA for support purposes is possible. |
    | ElevenLabs Inc. | AI Speech Synthesis (Support & Sales) | USA, EU. Access from USA for support purposes is possible. |
    | Hostinger International Ltd. | Hosting and additional Serverless Backend Services | Global / Europe (Lithuania, Netherlands) |
    | Google Ireland Ltd. / Google LLC | Cloud Services | EU, USA, Worldwide. Primary storage location configured in EU. |
    | OpenAI, L.L.C. | AI Chatbot for answering inquiries | USA. Data is transmitted to USA for processing. |

    Change Log

    To ensure transparency about changes, a log is maintained here.

    • 09/14/2025: List initially created and published.

    Status: September 14, 2025