Data Processing Agreement (DPA) pursuant to Art. 28 GDPR
Between
Fitness Nation GmbH
Bergstr. 18
59394 Nordkirchen, Germany
– hereinafter referred to as “Data Processor” –
and
the company named in the main contract
– hereinafter referred to as “Controller” –
The Data Processor and the Controller are hereinafter referred to individually as the “Party” or jointly as the “Parties”.
§ 1 Subject of the contract
(1) This Data Processing Agreement (“DPA”) is concluded between the parties with regard to the processing of personal data under the main contract existing between the parties (hereinafter referred to as the “Main Contract”). The provision of services under the Main Contract (“Services”) requires the processing of data. If and to the extent that this data is or contains personal data within the meaning of the GDPR, the Data Processor acts as a Data Processor within the meaning of Article 28 GDPR with respect to this data, while the Controller remains the Controller within the meaning of the GDPR.
(2) The services are provided by the Data Processor in such a way that the controller provides its own data, controls its transmission to the Data Processor, and – in the case of Software-as-a-Service models – controls the handling of such data uploaded to the services. The controller agrees and understands that the Data Processor does not monitor the controller's data or the controller's handling of such data unless the controller expressly requests access to such data from the Data Processor.
Therefore, it is the sole responsibility and obligation of the controller to ensure that personal data is collected and transmitted to the Data Processor in accordance with applicable data protection laws, and in particular that there is a legal basis for this and that the data subjects are properly informed about the collection and processing of their personal data.
(3) The Data Processor shall process the controller’s personal data exclusively in accordance with the provisions of this DPA and the controller’s documented instructions.
If the Data Processor is required by Union or Member State law to which it is subject to process data beyond the instructions of the controller, the Data Processor shall inform the controller of these legal requirements before processing, unless the relevant law prohibits such notification on grounds of important public interest. In this case, the Data Processor shall inform the controller of the processing as soon as it is legally permissible to do so.
(4) The Data Processor shall ensure and regularly verify that the processing of personal data within the Data Processor’s area of responsibility, including any sub-processors involved, is carried out in accordance with this DPA, the applicable data protection laws and in particular the GDPR.
§ 2 Details of processing (Art. 28 para. 3 GDPR)
(1) The subject of the processing is the provision of the services agreed in the main contract (in particular the provision/hosting/support of software and/or hardware-related services), in which personal data are processed on behalf of the controller.
(2) Duration of processing: Processing generally takes place for the duration of the main contract and this data processing agreement, unless otherwise agreed in writing. After termination, the provisions in Section 9 apply.
(3) The type and purpose of the processing are set out in the main contract. Typically, the processing includes, in particular: storing, organizing, structuring, querying, transmitting, deleting, and other processing operations necessary for the performance of the contract.
(4) Types of personal data: Depending on the use of the services, the following data may be processed in particular:
- Master data (e.g. name, address)
- Contact details (e.g. email, phone number)
- Contract and usage data
- Communication content, insofar as it has been contributed to the services by the controller
- Technical usage data (e.g. log data), if necessary
(5) Categories of data subjects: Depending on the use of the services, the following categories in particular may be affected:
- Customers/members/interested parties of the controller
- Employees/representatives of the controller
- other persons whose data the controller processes within the scope of the services
(6) Duties and rights of the controller: The controller is in particular responsible for:
- the lawfulness of data processing, including legal bases and information obligations,
- the issuing and documentation of instructions,
- the exercise of the rights of data subjects,
- the performance of any necessary data protection impact assessments,
- compliance with reporting obligations to supervisory authorities and data subjects.
§ 3 Place of data processing; transfer to third countries
(1) The Data Processor shall generally process personal data in the European Union (EU) or in another State which is a Contracting Party to the Agreement on the European Economic Area (EEA).
(2) Any processing of personal data outside the EU/EEA is only permitted with prior agreement between the parties and only if the requirements of Articles 44 et seq. GDPR are met.
§ 4 Instructions of the controller
(1) The parties agree that this DPA contains the general instructions of the controller regarding the processing of personal data on behalf of the controller.
(2) The controller is entitled to issue specific instructions regarding the processing of personal data by the data processor. Specific instructions that deviate from this data processing agreement or impose new, additional obligations on the data processor require the data processor's consent to be effective. For such instructions, the parties will apply the change procedure agreed upon in the main contract, if applicable. This does not apply if specific instructions are necessary to prevent or remedy legal violations within the data processor's area of responsibility.
(3) The controller shall ensure that instructions comply with applicable data protection laws and can be implemented by the data processor without infringing applicable laws. If the data processor considers an instruction to be unlawful, it shall inform the controller. The data processor is entitled to suspend the execution of the instruction until it is confirmed or amended.
(4) Specific instructions shall be given in writing or at least in text form. Oral instructions must be confirmed immediately, at least in text form. All instructions must be documented.
§ 5 Assurances of the Data Processor
(1) Employees of the Data Processor who are authorized to process personal data,
(i) are bound to confidentiality or are subject to an appropriate statutory duty of confidentiality,
(ii) process personal data exclusively in accordance with this DPA and the instructions of the controller, unless there is a legal obligation to process it otherwise, and
(iii) shall be regularly informed of the obligations arising from this DPA and the applicable data protection laws.
(2) The Data Processor may not make copies or duplicates of the personal data processed on behalf of the controller without the prior consent of the controller. This excludes copies necessary for proper data processing and service provision (including data backup), as well as copies required for compliance with statutory retention obligations.
(3) The Data Processor shall appoint a Data Protection Officer if and as long as the legal requirements for doing so exist and shall provide the Controller with the contact details of the Data Processor upon request.
§ 6 Technical and organizational measures
(1) The Data Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk within the meaning of Article 32 GDPR, in particular to ensure the confidentiality, integrity, availability and resilience of the systems.
(2) The Data Processor is entitled to adapt technical and organizational measures to the state of the art, provided that this does not result in a lower level of security.
§ 7 Use of sub-processors
(1) The Data Processor may only engage sub-processors with the prior consent of the Controller. The Controller grants its consent to the sub-processors engaged at the time of conclusion of the contract by separate notification or provision in the main contract.
(2) The Data Processor shall contractually oblige sub-processors to comply with data protection, confidentiality and data security obligations that are at least equivalent to the obligations set out in this DPA.
(3) The Data Processor shall notify the Controller in writing in advance of the intended use or change of a sub-processor. The Controller may object for a valid reason within thirty (30) days of receiving the notification. In this case, the parties shall seek an amicable solution. If no solution is reached within two (2) months, the Controller shall be entitled to terminate the main contract with respect to the services for which the use of the sub-processor is necessary.
(4) Providers of mere ancillary services are not considered sub-processors within the meaning of data protection laws (e.g., postal/courier services, telecommunications services, security and cleaning services). Notwithstanding this, the data processor shall enter into industry-standard confidentiality agreements.
§ 8 Duty to provide support to the controller
(1) The Data Processor shall provide the Controller with all necessary information to demonstrate compliance with the obligations set out in this Data Processing Agreement. Upon request, the Data Processor shall provide the Controller with reasonable assistance in the event of inquiries or investigations by data protection supervisory authorities relating to the Services.
(2) The Data Processor shall inform the Controller without undue delay if it discovers a personal data breach in connection with processing under this Data Processing Agreement. The Data Processor shall provide reasonable assistance to the Controller in fulfilling its notification obligations pursuant to Articles 33 and 34 of the GDPR.
Provided that the Data Processor is not at fault for a reportable data protection incident, the Data Processor is entitled to charge for support services according to the rates of remuneration agreed in the main contract.
(3) The Data Processor shall, taking into account the nature of the processing and the information available to it, provide reasonable support to the controller in carrying out data protection impact assessments and, where appropriate, consultations pursuant to Articles 35 and 36 GDPR. The Data Processor is entitled to charge for its services in accordance with the rates of remuneration agreed in the main contract.
(4) If a data subject contacts the Data Processor directly with a request to exercise their rights, the Data Processor shall inform the Controller without undue delay. The Data Processor shall not respond to such requests itself unless expressly instructed to do so by the Controller. The Data Processor shall provide reasonable assistance to the Controller in fulfilling the data subject rights.
The Data Processor is entitled to charge for support services in accordance with the remuneration rates agreed in the main contract.
§ 9 Return or deletion of personal data
(1) Upon instruction from the controller during the term of this DPA or after its termination or after the processing of personal data under the main contract has ended, the Data Processor shall either delete/destroy the personal data processed on behalf of the controller or return it to the controller.
If applicable laws prohibit the Data Processor from deleting, destroying or returning the data, the Data Processor will no longer actively process the data, but will only store it to comply with legal requirements, in particular retention obligations, and will delete/destroy or return it in accordance with the original instruction once the obstacle has been removed.
(2) The Data Processor shall create a log of deletions or destructions that have taken place and shall make this log available to the controller upon request.
§ 10 Audit rights
(1) The controller is entitled, during normal business hours (Monday to Friday from 9:00 a.m. to 5:00 p.m.), to enter the premises of the data processor where the controller's data is processed, at its own expense and without undue disruption to operations, in order to verify compliance with this Data Processing Agreement. The controller shall generally give at least two weeks' notice of an on-site inspection.
(2) As a rule, the controller is entitled to one on-site inspection per calendar year. The right to carry out further inspections in the event of special incidents remains unaffected.
(3) If the controller engages a third party, they must commit that third party in writing to at least the same confidentiality and data protection obligations as under this DPA. The controller may not engage a direct competitor of the data processor to perform the control function.
(4) To demonstrate compliance with this DPA, approved codes of conduct (Art. 40 GDPR), certifications (Art. 42 GDPR) or suitable, up-to-date audit reports from independent bodies (e.g., auditors, internal audit, data protection officer, IT security department, data protection auditors or quality auditors) may also be used, provided that these enable the controller to carry out a verification in an appropriate manner.
(5) If and to the extent that an on-site inspection has not been necessitated by misconduct on the part of the Data Processor, the Data Processor shall be entitled to charge for the expenses incurred in accompanying the on-site inspection in accordance with the rates of remuneration agreed in the main contract.
§ 11 Other provisions
(1) These General Terms and Conditions shall be governed by the same law as the main contract. Any disputes arising out of or in connection with these General Terms and Conditions shall be subject to the exclusive jurisdiction of the courts to which the parties have agreed in the main contract.
(2) Amendments or additions to these General Terms and Conditions shall only be effective if they are made in writing.
(3) Should any provision of these General Terms and Conditions be or become invalid or unenforceable, the remaining provisions shall remain unaffected. The parties shall replace the invalid provision with a valid one that most closely approximates its intended economic purpose.
(4) This Data Processing Agreement (DPA) enters into force upon conclusion of the main contract as an integral part thereof. It shall remain in effect, irrespective of the termination of the main contract, until all personal data processed under this DPA has been deleted or returned by the Data Processor and any sub-processors used.