Data Processing Agreement (DPA)
Last updated: June 2026
This agreement specifies the data-protection obligations under Art 28 GDPR for the processing of personal data carried out by the Provider on the customer’s behalf within website maintenance. It forms part of the maintenance contract. This is a convenience translation; the German version is legally binding.
§ 1 Parties & roles
The controller within the meaning of Art 4(7) GDPR is the customer. The processor within the meaning of Art 4(8) GDPR is Christopher Rapp (Werbung Wien), Hohenfelsplatz 5, Tür 7, 1120 Wien, Österreich · christopherrapp.online@gmail.com (the “Processor”).
Insofar as the Processor accesses personal data for which the customer is responsible (e.g. database content, backups, hosting access) in order to provide maintenance, it processes such data solely on behalf of and on the instructions of the customer. Data the Processor processes for its own purposes (e.g. contract and billing data) are not subject to this agreement but to its Privacy Policy.
§ 2 Subject matter, nature, purpose & duration
The subject of the processing is the ongoing technical maintenance and care of the customer’s website. Nature and purpose comprise monitoring, backing up, updating and restoring the website and related support activities. Processing takes place for the duration of the maintenance contract.
Categories of data subjects
In particular: website visitors and registered users of the customer, the customer’s clients and prospects, and the customer’s staff — depending on the content of the maintained website.
Categories of personal data
In particular: master, contact and login data, content and communication data, usage and log data, and any other personal data contained in the website’s database or backups. Processing of special categories (Art 9 GDPR) is not envisaged; if the website contains such data, the customer informs the Processor in advance.
§ 3 Controller’s instructions
The Processor processes the data only on documented instructions from the customer, including with regard to transfers to third countries, unless required to process otherwise by Union or national law. The maintenance contract together with this DPA constitutes the basic instruction. The Processor informs the customer immediately if it considers that an instruction infringes data-protection law.
§ 4 Confidentiality
The Processor processes the data confidentially and ensures that persons authorised to process are committed to confidentiality or are under an appropriate statutory obligation of confidentiality. As the Processor operates as a sole proprietor without further staff, this currently concerns the Processor himself.
§ 5 Technical & organisational measures (Art 32 GDPR)
The Processor implements appropriate technical and organisational measures according to the state of the art, in particular:
- encrypted data transfer (TLS) and encrypted storage of sensitive credentials (AES-256-GCM);
- access control based on least-privilege, individual accounts and — where available — multi-factor authentication;
- regular, off-site, encrypted backups including restoration capability (availability/resilience);
- logging of essential processing and administration operations (activity log);
- separation of customer and own environments and limitation of processing to the maintenance purpose;
- a procedure for deletion or return of the data after the end of the engagement.
The measures are adapted to technical developments as needed, without falling below the agreed level of protection.
§ 6 Use of sub-processors
The customer grants the Processor general authorisation to engage the further processors (sub-processors) listed below. The Processor informs the customer in advance of intended changes (addition/replacement); the customer may object to a change for an important data-protection reason within 14 days. The Processor contractually binds sub-processors to the same data-protection obligations and remains responsible towards the customer.
Sub-processors used
- Vercel Inc. (USA) — hosting & operation of the portal/maintenance application. Third country; transfer based on the EU-US Data Privacy Framework or EU Standard Contractual Clauses.
- Supabase (EU, Ireland) — database and file storage. Processing within the EU.
- Cloudflare, Inc. (USA/EU) — encrypted backup storage (R2). Third country; based on DPF or Standard Contractual Clauses.
- Neue Medien Münnich / All-Inkl.com (Germany) — e-mail dispatch (SMTP). Processing within the EU.
- Clerk, Inc. (USA) — authentication/login of the client area. Third country; based on DPF or Standard Contractual Clauses.
The payment service provider Stripe (Stripe Payments Europe, Ltd., Ireland) processes payment data largely as a controller in its own right; to that extent there is no processing on the customer’s behalf and this DPA does not apply.
§ 7 Support for the controller
The Processor supports the customer with appropriate measures in responding to data-subject requests (Art 12–23 GDPR) and in complying with the obligations under Art 32–36 GDPR (security of processing, breach notification, data-protection impact assessment). If the Processor becomes aware of a personal-data breach, it notifies the customer without undue delay (generally within 24 hours) so that the customer can meet its notification duties (Art 33/34 GDPR, 72 hours).
§ 8 Deletion & return
After the maintenance ends, the Processor deletes all data processed on behalf or, at the customer’s choice, returns it, unless a statutory retention obligation exists. Backups are overwritten on a rolling basis within the agreed retention periods.
§ 9 Evidence & audits
The Processor makes available to the customer all information necessary to demonstrate compliance with the obligations under Art 28 GDPR and allows for reasonable reviews. Audits are carried out with reasonable prior notice and without disproportionate disruption to operations.
§ 10 Final provisions
Austrian law applies; the supervisory authority is the Austrian Data Protection Authority. In the event of conflicts between this DPA and the maintenance contract, the provisions of this DPA prevail on data-protection matters. Otherwise the provisions of the GDPR apply directly.