Agreement on Data Processing pursuant to Art. 28 GDPR


  1. Object and duration of the agreement

    1. Item

      This Data Processing Agreement (“DPA”) is concluded between Smoobu GmbH (“Smoobu”, “Processor”, “Contractor”) and a company as a user of the Smoobu Platform and its services (“User”, “Client”, “Controller”), whereby the details of the parties are set out in the Main Agreement and the applicable T&C for the SaaS Platform Agreement for the provision of digital services (“T&C”) by Smoobu. This DPA is a supplement to the Main Agreement, as it is incorporated into it by reference, defines the rights and obligations of the Client and Smoobu and applies to all services performed and described in the Main Agreement and provided by Smoobu to the Client.

      This DPA applies insofar as the Client uses digital services (including the websites and mobile applications) of Smoobu on the Platform or Smoobu processes personal data in accordance with the instructions of the Client, including personal data provided to the Contractor by or on behalf of the Client, for the purpose of providing services under the Main Agreement. If none of the above conditions apply, this DPA shall not apply.

      In the event that other local laws to which the Client is subject require additional precautions with regard to data protection-related matters in connection with the fulfilment of the Main Agreement, which are not mentioned or sufficiently described here in the DPA, the parties shall make such precautions, provided that the Client informs the Contractor sufficiently in advance and the Contractor can implement them economically and technically after examination.

    2. Duration

      The duration of this DPA (“Term”) corresponds to the term of the Main Agreement. The Contractor shall process the Client’s personal data for the duration of the provision of the Services and thereafter until the data is deleted or returned in accordance with a corresponding instruction. Cancellation or other termination of the main contractual relationship shall simultaneously terminate this DPA.

      Notwithstanding the preceding paragraph, this DPA shall apply for as long as the Contractor processes the Client’s personal data (including backups, etc.). As a necessary measure to ensure data integrity and availability, the Contractor may retain backup copies of the Client’s personal data even after the end of the provision of the Services. The Contractor shall ensure that such personal data is not actively used and that access to it is strictly limited.

    3. Cancellation

      The Client may terminate this DPA with immediate effect if the Contractor or one of its sub-processors violates the provisions of this DPA or relevant data protection laws.

      The Contractor may terminate this DPA if the Client objects to a sub-processor that the Contractor deems necessary for the provision of the services or if the Client issues an instruction that the Contractor deems impracticable to implement.

    4. Definitions

      For the purposes of this DPA, the terms “appropriate technical and organisational measures“, “controller“, “personal data“, “personal data breach“, “processing“, “processor” and “supervisory authority” (or appropriately equivalent terms) shall each have the meaning given to them in applicable data protection law.

      Relevant data protection laws are (i) Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”); (ii) Regulation (EU) 2016/679 of the United Kingdom (“GDPR UK”), whereby references to the GDPR are to be understood as references to the corresponding provisions of the GDPR UK; (iii) national legislation that supplements the GDPR and regulates the processing of personal data.

      Client Personal Data includes all personal data, incl. data of the Client and of its customers using the Client’s services (“Customer”), processed by the Contractor in accordance with the Instructions for the purpose of providing the Services, including personal data provided to the Contractor by or on behalf of the Client. For the avoidance of doubt, Client Personal Data does not include (i) the personal data that the Contractor would have independently of the Client’s use of the Services, in particular traffic data from third parties, such as linked technical information on devices used (IP address, cookie IDs, other metadata) (where relevant) and (ii) aggregated statistical information that does not constitute personal data.

      Instruction / Instructions means an instruction regarding the scope and manner of the processing of the Client’s personal data that the Client gives to the Contractor in any form, such as, but not limited to, selected provisions of the Main Agreement and this DPA, written orders from the Client, emails or settings on the Platform provided to the Client by the Contractor.

      A Sub-processor is a third-party data processor commissioned by the Contractor who has access to the Client’s data as a processor or will process it in accordance with the instructions issued.

      Standard Contractual Clauses/ SCC are the Standard Contractual Clauses approved by the European Commission for the transfer of personal data from the European Union to third countries, as amended, replaced, supplemented or superseded from time to time, and the full current version of which can be found at the following link: https://commission.europa.eu/law/law-topic/data-protection/international-dimension-data-protection/standard-contractual-clauses-scc_en.

      DPF means the EU-U.S. Data Privacy Framework and/or the Swiss-U.S. Data Privacy Framework or any successor self-certification program operated by the U.S. Department of Commerce and approved by the European Commission from time to time that has not been invalidated (and in each case includes the U.K. extension of the EU-U.S. Data Privacy Framework and any other country extension of that framework that extends the application of the EU-U.S. Data Privacy Framework to that country).


  2. Specification of the content of the DPA

    1. The user as Client and Controller commissions Smoobu as Contractor to process the personal data of the Client as processor in accordance with the documented instructions.

    2. As part of the general obligations, the Client shall ensure and document that the Contractor may, for the purpose of providing the Services, process the personal data provided by the Client, including its customer Personal Data used by the Client, in accordance with the Client’s instructions and in compliance with the laws applicable to such processing. The Client shall ensure an appropriate legal basis for the processing of Customer Personal Data and shall provide accurate and comprehensive information to the data subjects about the processing of Customer Personal Data as required by the Data Protection Laws. Accordingly, the Client shall inform its Customers transparently in accordance with the relevant legal requirements.

      Further details can be found in the Main Agreement and Annex 1.


  3. Technical and organizational measures

    1. The Contractor shall take all necessary technical and organisational measures in its area of responsibility in accordance with Art. 32 GDPR to protect personal data and shall provide the Client with the documentation for review, attached as Annex 2. The Client may request additional information on the technical and organisational measures implemented by the Contractor from time to time.

      If accepted by the Client, the documented measures shall form the basis of the DPA. The Contractor shall implement and maintain the measures, including appropriate security measures, necessary to protect the Client’s personal data from unauthorized or accidental access, loss, alteration, disclosure or destruction, and shall assist the Client in ensuring compliance with the Client’s obligations in this regard, taking into account the nature of the processing and the information available. The Contractor must establish security in accordance with Art. 28 para. 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the costs of implementation and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons must be taken into account.

    2. If the inspection/audit of the Client reveals a need for adjustment, this shall be implemented by mutual agreement.

    3. The agreed technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor shall be permitted to implement alternative adequate measures in the future. In doing so, the security level of the specified measures may not be undercut. The Client must be informed immediately of any significant changes, which must be documented by the Contractor.


  4. Rights of data subjects

    1. The Contractor shall support the Client in its area of responsibility and as far as possible by means of suitable technical and organisational measures in responding to and implementing requests from data subjects with regard to their data protection rights. It may not provide information on, port, correct, delete or restrict the processing of the data processed on behalf of the Client without authorization, but only in accordance with documented instructions from the Client. If a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Client without delay. The Client shall receive support from the Contractor in responding to requests from data subjects and shall then reimburse the costs incurred by the Contractor as a result.

    2. If covered by the scope of services, the rights to information, rectification, restriction of processing, erasure, and data portability shall be ensured directly by the Contractor in accordance with the documented instructions of the Client.


  5. Quality assurance and other obligations of the Contractor

    1. In addition to compliance with the provisions of this DPA, the Contractor has its own legal obligations under the GDPR; in this respect, it guarantees compliance with the following requirements in particular:
      1. Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When carrying out the work, the Contractor shall only use employees, staff, representatives, service providers and Sub-contractors who have been obliged to maintain confidentiality and who have been familiarised with the data protection provisions relevant to them in advance. The Contractor and any person subordinate to the Contractor who has authorized access to personal data may only process this data in accordance with the Client’s instructions, including the authorizations granted in this DPA, unless they are legally obliged to process it.

      2. The Client and the Contractor shall cooperate with the supervisory authority in the fulfilment of their tasks upon request.

      3. Immediately informing the Client of any inspections and measures taken by the supervisory authority insofar as they relate to this DPA. This also applies if a competent authority investigates the processing of personal data in the context of administrative offense or criminal proceedings relating to the processing of personal data by the Contractor.

      4. If the Client is subject to an inspection by the supervisory authority, administrative offence or criminal proceedings, a liability claim by a data subject or a third party, another claim or a request for information in connection with the commissioned processing at the Contractor, the Contractor shall support the Client to the best of its ability.

      5. The Contractor shall regularly monitor the internal processes and the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.

      6. Verifiability of the technical and organizational measures taken vis-à-vis the Client within the scope of its control powers in accordance with Section 8 of this DPA.

      7. Taking into account the type of processing and the information available, the Contractor shall notify the Client immediately of any breaches of personal data protection in such a way that the Client can fulfill its legal obligations, in particular in accordance with Art. 33, 34 GDPR. It shall prepare documentation on the entire process, which it shall make available to the Client for further measures.

      8. The Contractor shall support the Client in its area of responsibility and as far as possible within the scope of existing information obligations towards supervisory authorities and data subjects and shall provide it with all relevant information in this context without delay.

      9. The Contractor shall not communicate with supervisory authorities, data subjects or the media about data breaches, responses to requests to exercise data protection rights or other incidents relating to the Client’s personal data without the Client’s instructions, unless this is required by data protection laws.

      10. Insofar as the Client is obliged to carry out a data protection impact assessment in accordance with Art. 35 GDPR, the Contractor shall support it, taking into account the type of processing and the information available to it. The same applies to any existing obligation to consult the competent data protection supervisory authority.

    2. This DPA does not release the Contractor from compliance with other provisions of the GDPR.


  6. Subcontracting relationships

    1. Subcontracting relationships within the meaning of this provision shall be understood as those services that relate directly to the provision of the main service. This does not include ancillary services that the Contractor utilizes, e.g. telecommunications services, postal/transport services, cleaning services or security services. Maintenance and testing services shall constitute a subcontracting relationship if they are provided for IT systems that are provided in connection with a service provided by the Contractor under this DPA. However, the Contractor is obliged to make appropriate and legally compliant contractual agreements and to take control measures to ensure the data protection and data security of the Client’s data, even in the case of outsourced ancillary services.

      The Client authorizes the Contractor to appoint sub-processors within the scope of the data processing specified in this DPA and agrees that these sub-processors may commission other processors with the processing of the Client’s personal data. The Client consents to the commissioning of the sub-processors specified in Annex 3 subject to the condition of a contractual agreement with the sub-processors in accordance with Art. 28 (2-4) GDPR.

      The contractual agreement shall be presented to the Client upon request, with the exception of business clauses not related to data protection law.

    2. Outsourcing to Sub-contractors or changing the existing Sub-contractor in accordance with Appendix 3 is permitted, provided that:

      • the Contractor notifies the Client of such outsourcing to or change of Sub-contractors in advance in an appropriate manner in digital or other form in accordance with Annex 3 within a reasonable period of time, which may not be less than 14 days, and
      • the Client does not object to the planned outsourcing in writing or in text form to the Contractor by the time the data is handed over, and
      • is based on a contractual agreement in accordance with Art. 28 (2-4) GDPR.
      • For this purpose, the Client shall inquire about changes at irregular intervals on the website on which the Contractor duly informs about the identity and scope of the order.

    3. The transfer of personal data of the Client to the Sub-contractor and the Sub-contractor’s initial activities are only permitted once all requirements for subcontracting have been met. Compliance with and implementation of the Sub-contractor’s technical and organizational measures shall be checked in advance of the processing of personal data, taking into account the Sub-contractor’s risk, and then regularly by the Contractor.

    4. If the Subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure that the service is permissible under data protection law by taking appropriate measures.


  7. International data transfers

    1. Any transfer of personal data to a third country or to an international organization requires documented instructions from the Client and requires compliance with the requirements for the transfer of personal data to third countries in accordance with Chapter V of the GDPR. The Client authorizes the transfer of data to a third country to the recipients listed in Annex 3. The Client authorizes the measures to ensure an adequate level of protection under Art. 44 et seq. GDPR in the context of subcontracting. These measures may include, in particular, the implementation of the standard data protection clauses (SCC) referred to in Article 46(2)(c) of the GDPR or, as in the case of a transfer to a provider in the USA, in accordance with the rules of the DPF.

    2. If the Client instructs the transfer of data to third parties in a third country, the Client shall be responsible for compliance with Chapter V of the GDPR.

  8. Control rights of the Client

    1. The Client shall have the right to carry out inspections in consultation with the Contractor or to have them carried out by independent auditors to be appointed in individual cases. It shall have the right to satisfy itself of the Contractor’s compliance with this DPA in its business operations during normal business hours by means of random checks, which must generally be notified in good time. The Client shall notify the Contractor in writing (e-mail is sufficient) in advance of any inspection to be carried out in accordance with this section, stating the scope, form and desired contribution of the cooperation of the Contractor. Depending on the work involved, the costs incurred and the degree of disruption to ongoing business operations, the Contractor shall send the Client a suitable remuneration arrangement in advance and invoice it later.

    2. The Contractor shall ensure that the Client can satisfy itself of the Contractor’s compliance with its obligations under Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.

    3. Proof of the technical and organizational measures for compliance with the special requirements of data protection in general as well as those relating to the order can be provided at the express written request of the Client by sending corresponding reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors) on the basis of the currently recognized IT and data protection standards and economically proportionate measures.


  9. Authorization of the Client to issue instructions

    1. During the term of this DPA, the Client may issue instructions to Smoobu as Contractor. The Contractor shall process personal data only on the basis of documented instructions from the Client, unless it is obliged to do so under the law of the Member State or under Union law. The Client shall confirm verbal instructions without delay (at least in text form). The Client’s initial instructions shall be determined by this DPA. If the Client issues additional instructions to the Contractor, the Client shall reimburse the Contractor for any costs incurred as a result of these instructions.

    2. The Contractor shall inform the Client immediately if it is of the opinion that an instruction violates data protection regulations or is of the opinion that a specific instruction leads to a violation. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client.

    3. Upon termination of the term and provision of services under the Main Agreement and without prejudice to the applicable statutory retention and deletion periods for the Client’s data, the Client hereby instructs the Contractor to delete or anonymize the personal data of the Client’s customers in its possession within 120 days of termination, unless an instruction or data protection laws require otherwise.


  10. Deletion and return of personal data

    1. Copies or duplicates of the data shall not be created without the Client’s knowledge. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data that is required in order to comply with statutory retention obligations.

    2. After completion of the contractually agreed work or earlier at the request of the Client – but at the latest upon termination of the Main Agreement – the Contractor shall hand over to the Client all documents, processing and utilization results and data pertaining to the contractual relationship that has come into its possession or, with prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material. The deletion log must be submitted on request.


  11. Liability

    The Contractor shall indemnify the Client for any direct damage suffered by the Client as a result of a breach of this DPA, including the accidental loss, disclosure, destruction or damage of personal data of the Client by the Contractor or any of its sub-processors unless any of the above is due to compliance with the Client’s instructions. For the avoidance of doubt, the limitations of the Contractor’s liability set out in the Main Agreement shall not apply to this section.


  12. Final Provisions

    1. Insofar as other agreements on the protection of personal data arise from other agreements between the Client and the Contractor, this DPA on commissioned processing shall take precedence, unless the parties expressly agree otherwise.

    2. If any part of this DPA is held to be invalid or unenforceable, the remainder of this DPA shall be construed so as to preserve the intentions of the parties to the greatest extent possible.

    3. Either party may propose amendments to this DPA that it deems necessary due to data protection laws or other regulations, interpretations, decisions or guidelines. In such cases, the parties shall cooperate to amend this DPA accordingly.

    4. Unless disputes between the parties are settled amicably, this DPA shall be interpreted, construed and enforced in accordance with the law and by the courts of the Federal Republic of Germany as provided in the Main Agreement.

    5. For all inquiries regarding the processing of the Client’s personal data, the Client should contact the Contractor at [email protected].


Version: June 2024


Appendix 1 – Scope of processing


Controller ☒  Client
Processors ☒  Contractor – Smoobu


Description of the processing:

  1. Nature and purpose of the intended processing of data

    The nature and purpose of the processing of personal data by the Contractor for the Client are specifically described in the service agreement (Main Agreement). The Contractor shall process the Client’s personal data in electronic form on an ongoing basis and may carry out the following operations on it on instruction: Collection, recording, organization, structuring, storage, use, disclosure and deletion.

  2. Type of data

    The subject of the processing of personal data in accordance with the Main Agreement are the following types of data and concern both the Client and the Client’s Customers with whom the Client has a legal relationship:
    • Personal master data
    • Communication data (e.g. telephone, e-mail)
    • Activities of the data subjects on the services specified by the Client
    • Contract master data (contractual relationship, product or contractual interest)
    • Client history
    • Contract billing data

      No special categories of personal data are processed.

  3. Categories of data subjects

    The categories of data subjects affected by the processing include in accordance with the main contract:
    • Client
    • Customers of the Client
    • Employees of the Client
    • Providers of integration services and their contact persons


Appendix 2 – Technical and organizational measures


Description of the technical and organizational measures taken by the Contractor, taking into account the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects.

Measures for pseudonymisation and encryption of personal data:

Depending on the type of data to be processed, different security requirements apply to each category.

Personal data of the Client (and its employees) shall be pseudonymized (and anonymized if necessary) by the Contractor, if possible and as required in accordance with the standard defined by the Contractor.

The Contractor uses encrypted connections via VPN for remote access, SSL etc. and uses mechanisms for multi-level authentication where possible. It also ensures that there is no unauthorized use of the system by setting up the use of secure passwords, automatic locking mechanisms after a period of time, encryption of data carriers, use of a firewall, encryption of notebooks, management of user authorizations, creation of user-profiles and general guidelines on data protection and password assignment.

Description of measures to ensure continuous confidentiality, integrity, availability and resilience of systems and services related to processing

The Contractor shall maintain responsibilities and procedures for the management and operation of all information processing facilities to ensure complete, valid and accurate processing of data.

The Contractor shall ensure that there is no unauthorized access to data processing systems by securing the system with an alarm system with transponder system or code blocking, security locks, key allocation regulations and a regulation for visitors only when accompanied by employees.

Description of measures to ensure the availability of personal data and rapid access to data in the event of a physical or technical incident

The Contractor’s systems are designed to defend against or prevent common attacks and ensure availability for operation, monitoring and maintenance. To this end, the Contractor shall conduct regular simulated tests and audits to confirm that its systems remain available.

Availability and reliability is monitored to ensure that the Contractor’s Platform remains online with minimal service disruption.

Description of measures to ensure a process for regularly reviewing, assessing and evaluating the effectiveness of technical and organizational measures to ensure the security of processing

The technical and organizational measures, applicable instructions and relevant guidelines are regularly reviewed by external service providers and through internal tests.

The Contractor carries out regular risk assessments, including vulnerability tests, internal and external penetration tests, network, system and firewall scans and checks.

Description of measures for the identification and authentication of users

The Contractor’s systems are aligned with recognized industry standards and practices and have communication procedures in place to identify users, as well as robust password and authentication controls. Access to the system is logged and administrators can manage user rights.

Description of measures to protect personal data during transmission and storage

The Contractor shall maintain procedures to prevent unauthorized access or misuse of information and use industry best practices where necessary, such as unique IDs for authentication and for the purpose of secure mapping when transferring and storing in production systems.

Description of measures to ensure the physical security of places where personal data is processed

The Contractor’s premises are protected on site by video surveillance of the entrance areas and a personalized access system to prevent third parties from entering.

The data centers used employ strict administration rights and have clear database structures so that each customer can only access data records that are assigned to this user ID.

Only persons who are expressly authorized and require information for their work have access to personal data.

Description of event logging requirements (e.g. for authentication of the Client or data entry, modification or deletion)

The Contractor’s data retention policy provides for different retention periods and backup copies depending on the category of data, including legal obligations or other exceptions that require the retention of such data until the expiry of certain legal obligations, e.g. for tax and accounting purposes. If it is not possible to destroy the personal data, the relevant protection provisions governing this personal data will continue to apply and any further processing will cease.



Appendix 3 – Authorised subcontracting relationships


A list of sub-processors that process personal data is set out on the following sub-processor website (and will be updated from time to time) and the Client hereby confirms consent to the sub-processors in place at the conclusion of the Contract. The Sub-Processors website includes a process for Clients to sign up for notifications of new Sub-Processors or changes to the list of Sub-Processors. To receive updates or changes to this list, you must register via the mechanism provided.
