Data Processing Agreement (DPA)
qibb Data Processing Agreement pursuant to Art. 28 GDPR
Between the Customer (Controller as defined by the GDPR, hereinafter referred to as “the Controller”) and Techtriq (Processor as defined by the GDPR)
Subject of this DPA
The Processor processes Personal Data within the meaning of Article 4 (1) GDPR on behalf of the Controller according to Article 5 GDPR. This includes activities specified in the Order Form and its Annexes, entered into on the Effective Date between the Parties (hereinafter referred to as the “Agreement”) and specified in the terms of reference contained therein.
In particular, the following data are part of the data processing:
Type of data
The Controller determines the type of data through its selection of the services to be provided, the configuration of the services, the utilization of the services and the submission of the personal data. While the services are provided, personal data such as customer data and customer-related information is processed, in particular:
Categories of data subjects
The categories of persons affected by processing include:
Purpose of data processing
The Processor processes the personal data to the extent required to provide the services. The purposes are, in particular:
Circle of the affected data subjects
The Controller determines the circle of affected data subjects through its selection of the services to be provided, the configuration of the services, the utilization of the services and the submission of the personal data.
Pursuant to Article 4 (7) GDPR, the Controller is that party which, on its own or together with other controllers, decides on the purposes and means of processing Personal Data.
According to Article 4 (8) GDPR, the Processor is a natural or legal person, public authority, institution or other body that processes Personal Data on behalf of the Controller.
Personal Data, pursuant to Article 4 (1) GDPR, is any information relating to an identified or identifiable natural person (hereinafter referred to as “Data Subject”). A natural person is considered to be identifiable if they can be directly or indirectly identified, in particular by means of an identifier such as a name, an identification number, location data, an online identifier or one or more special characteristics expressing the physical, physiological, genetic, mental, economic, cultural or social identity of this natural person.
Processing, pursuant to Article 4 (2) GDPR, means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
A Supervisory Authority, within the meaning of Article 4 (21) GDPR, is an independent public authority established by any one of the Member States, in accordance with Article 51 GDPR.
Within the framework of this DPA, the Controller is responsible for compliance with the statutory provisions, in particular for the lawfulness of data transmission to the Processor and the legality of the data responsibility (“Controller” within the meaning of Article 4 No. 7 GDPR).
The Controller and the Processor ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality or are subject to an appropriate statutory confidentiality obligation. For this purpose, all persons who are able to access the Controller’s Personal Data for handling of the DPA must be obligated to maintain data confidentiality and be informed about their data protection obligations. Each Party is responsible for the obligation of its own personnel. Furthermore, the personnel deployed must be informed that the data confidentiality obligation shall continue even after the activity has been completed.
The Processor and the Controller are responsible for complying with the relevant data protection laws with regard to the data to be processed.
Duration of the Agreement
The DPA becomes effective upon signing. The term corresponds to the Term or Renewal Term (if any) of the Agreement.
The Parties are always aware that no (further) data processing may be carried out without the existence of a valid data processing agreement, for example, when the present DPA has expired.
The right to terminate without notice for good cause remains unaffected.
Terminations must be in writing to be effective.
Authority of the Controller
The data shall exclusively be handled within the framework of the agreements made and according to documented instructions of the Controller. This obligation excludes circumstances under which the Processor has to process the data based on mandatory legal provisions. In such situations, the Processor shall, as far as possible, inform the Controller about the corresponding legal requirements prior to commencement of processing. The Controller reserves the right to give instructions regarding the type, scope and procedure of the data processing within the context of this DPA and may specify these instructions further on by issuing individual instructions.
The instructions of the Controller are documented by the Processor and made available to the Controller as a signed copy immediately after the documentation has been completed.
Place of Performance
The Processor shall provide the contractual services in the European Union (EU) or in the European Economic Area (EEA). Any transfer to a third country requires the prior approval by the Controller and may only take place if the specific requirements of Art. 44 et seq. GDPR and regulatory requirements are met.
If the data processing under this DPA and the legal requirements for the processing of Personal Data as part of this agreement or for the transmission of Personal Data abroad are permissible, the Processor shall guarantee compliance with and implementation of legal requirements to ensure an adequate level of data protection in case of change of service location and in cross-border data transfers.
Obligations of the Processor
The Processor may only collect, process or use data within the scope of this agreement and according to the instructions of the Controller.
The Processor shall design the in-house organization in his area of responsibility in such a way that it meets the special requirements of data protection. The Processor shall take technical and organizational measures to adequately safeguard the Controller’s data against misuse and loss that meet the requirements of the relevant data protection regulations. Upon request, the Processor must show proof of these measures to the Controller and, if necessary, to the Supervisory Authority. This proof particularly includes the implementation of the measures resulting from Article 32 GDPR.
The technical and organizational measures are subject to technical progress and further development. In that regard, the Processor is permitted to implement alternative, demonstrably adequate measures. It must be ensured that the contractually agreed level of protection is met. Significant changes must be documented.
The Processor himself maintains a record of processing activities within the meaning of Article 30 GDPR. On request, the Processor shall provide the Controller with the information required for the overview pursuant to Article 30 GDPR. Furthermore, the Processor shall make the record available to the supervisory authority upon request.
The Processor shall assist the Controller with any necessary data protection impact assessment by providing all information available to him. In the event prior consultation of the competent authority is required, the Processor shall also support the Controller in this respect.
If required by applicable law, the Processor shall appoint a data protection officer. If the data protection officer changes, the Controller must be informed immediately in writing. The Processor guarantees that the requirements with regard to the data protection officer and the data protection officer’s activities are fulfilled in accordance with Article 38 GDPR. If the Processor does not have an appointed data protection officer, the Processor shall appoint a contact person for the Controller.
The Processor shall inform the Controller immediately in case of violations of regulations regarding the protection of the Controller’s Personal Data or the stipulations made in the DPA committed by the Processor or the persons employed by the Processor within the scope of this Agreement. The Processor shall take the necessary measures to safeguard the data and to mitigate possible adverse consequences for the persons concerned and shall immediately discuss them with the Controller. The Processor assists the Controller in fulfilling the Controller’s duty to inform the relevant Supervisory Authority or the Data Subject about any infringement of the protection of Personal Data pursuant to Article 33, 34 GDPR.
Insofar as a Data Subject should contact the Processor directly for the purpose of rectification or deletion of their data, the Processor shall immediately forward this request to the Controller.
Transferred data carriers as well as all copies or reproductions made thereof remain the property of the Controller. The Processor must keep these safe so that they are not accessible to third parties. The Processor is obliged to provide the Controller with information at any time as far as the Controller’s data and documents are concerned.
If the Controller is obligated by data protection laws to give information to a Data Subject concerning the collection, processing or use of data on that person, the Processor shall assist the Controller in providing this information, provided the Controller has requested the Processor to do so in writing.
The Processor shall inform the Controller immediately about any controls and measures taken by the supervisory authorities or if a supervisory authority investigates the Processor.
The Processor shall inform the Controller immediately if, in the Processor’s opinion, an instruction issued by the Controller violates statutory provisions. The Processor is entitled to suspend the execution of the corresponding instruction until it has been confirmed or changed by the Controller.
If the data of the Controller are endangered by assignment or seizure, a bankruptcy or settlement procedure, or by other events or measures of third parties, the Processor shall inform the Controller immediately. The Processor shall immediately inform all those responsible in this context that the sovereignty and the ownership of the data are exclusively with the Controller as Controller as defined by the GDPR.
The Processor shall not use the data provided for any purpose other than the performance of the DPA and shall not use any means of processing that have not been previously approved by the Controller.
The Processor shall not store data that is subject to special secrecy on systems that are beyond the control of the Controller or that are not subject to seizure protection.
If the Processor is required by law of the Union or Member States to process the data in other ways, the Processor shall inform the Controller of these legal requirements prior to processing.
The fulfilment of the aforementioned obligations shall be verified by the Processor, as well as documented and proven to the Controller in a suitable manner upon request.
Obligations of the Controller
The Controller alone is responsible for the assessment of the admissibility of the data processing and for the protection of the rights of the persons concerned. The Controller shall ensure within his area of responsibility that the legally required conditions (such as by obtaining consent for the processing of the data) are maintained so that the Processor can provide the agreed services without violating the law.
The Controller bears responsibility under data protection law with regard to the procedure for automated processing of Personal Data used by the Processor and approved by the Controller and is also obliged to keep a log of processing activities in addition to the Processor’s obligation to keep such a log.
The Controller is responsible for the information obligations resulting from Article 33, 34 GDPR to the supervisory authority or those affected by an infringement of the protection of Personal Data.
The Controller shall stipulate the procedure for the return of provided data media and/or deletion of the stored data after completion of the order by contract or by instruction.
Auditing Rights of the Controller
The Controller has the right to inspect the compliance with the provisions laid down in this agreement as well as the technical and organizational measures specified in Appendix 1 or have them inspected by a commissioned inspector.
For this purpose, the Controller may for instance:
consider privacy-related certifications or privacy seals and marks,
obtain self-disclosure in writing from the Processor,
receive an attestation by an expert or
have a competent third Party, who is not a competitor of the Processor, verify compliance with regulations after timely registration during normal business hours without disturbing business operations.
If, in the context of this agreement, the Processor or the Processor’s employees have breached the provisions for the protection of the Controller’s Personal Data or the stipulations made in this agreement, an appropriate inspection can also be conducted without timely registration. A disruption of the operations of the Processor should be avoided as much as possible.
The execution of the order verification by means of regular inspections with regard to the execution or fulfillment of this agreement, in particular, compliance and possibly necessary adaptation of regulations and measures for the execution of the order shall be supported by the Processor. In particular, the Processor undertakes to provide the Controller, upon written request, with all information necessary to carry out an inspection within a reasonable period of time.
Correction and Limitation on Processing, Deletion, and Return of Data Media
During the current commissioning, the Processor corrects, deletes, or blocks the contractual data only based on instructions from the Controller.
If destruction of data carriers and other materials is to be carried out during the ongoing commissioning, the Processor shall carry out such destruction in a manner demonstrably compliant with the data protection regulations and based solely on the respective individual instruction by the Controller. This does not apply if a corresponding provision has already been made in the Service Agreement.
In certain cases which are explicitly defined by the Controller, storage or handover to the Controller shall be carried out.
Upon completion of the provision of the processing services, the Processor shall either delete or return any Personal Data at the sole discretion of the Controller, unless there is an obligation to store the Personal Data under union law or national law applicable to the Processor. The same applies to all data containing business or trade secrets of the Controller. The log pertaining to the deletion must be submitted upon request.
Documentation serving as proof of orderly and proper data processing must be kept by the Processor according to the respective retention periods beyond the expiration of the DPA. The Processor can hand them over to the Controller for his relief at the end of this agreement.
The Controller may at any time, i.e. during the term of the agreement as well as after the termination of the agreement, request the correction, deletion, processing restriction (blocking), and publication of data by the Processor as long as the Processor has the ability to comply with this request.
The Processor shall correct, delete, or block the contractual data if instructed by the Controller. The Processor is responsible for the destruction of data media and other materials in accordance with data protection based on a specific order by the Controller, unless otherwise agreed in individual cases. In special cases to be determined by the Controller, the data shall be stored or transferred. Insofar as a Data Subject should contact the Processor directly for the purpose of rectification or deletion of their data, the Processor shall immediately forward this request to the Controller.
Should the Controller not be able to take back the data, the Controller shall inform the Processor in writing in good time. The Processor is then entitled to delete Personal Data on behalf of the Controller.
The Processor is only entitled to engage subcontractors with the explicit prior consent of the Controller. The Controller gives its explicit consent to the engagement of the following Subcontractors:
Data collected or shared
Amazon Web Services EMEA SARL | Technical customer data | Data storage and data processing required for the use of the services
Atlassian Pty Ltd | Customer name, project details, etc. | Platform for customer
 | Customer name, contact details, address and billing information | Quote, order and subscription management including billing, invoicing, dunning and reporting
HubSpot, Inc. 25 First Street, 2nd Floor | Customer name and contact details | Platform for inbound
ORACLE CORPORATION UK LIMITED | Customer name, address and billing information | Order and subscription management including billing, invoicing, dunning and reporting
Qvest Group GmbH | Customer name, address and billing information | Accounting services including bookkeeping, reporting and year end reports, payments
 | Customer name, address and billing information | Accounting services including bookkeeping, reporting and year end reports
Notwithstanding the obligation in 1., the Processor must engage any subcontractors in accordance with the provisions of this DPA and thereby ensure that the Controller is also able to exercise his rights under this agreement (in particular his inspection and verification rights) directly with the subcontractors. The Processor shall provide proof to the Controller on request concerning the conclusion of the aforementioned agreements with his subcontractors.