Data Processing Agreement (DPA) according to Art. 28 EU DSGVO
1. General rules
1.1. Introduction, scope, definitions
1.1.1. This Agreement governs the rights and obligations of the Client and the Recipient (hereinafter collectively "Parties") in the context of a processing of personal data on behalf of the Client (hereinafter "DPA"). This DPA is designed to comply with the provisions of the applicable EU General Data Protection Regulation (hereinafter "GDPR"), the Federal Data Protection Act and the relevant state data protection laws.
1.1.2. Where the term "Service Agreement" is used in this DPA, it shall be understood to mean the separate conclusion of an agreement with the Client, which arises through the conclusion of a free and/or chargeable usage agreement - in accordance with the General Terms and Conditions ("T&C") of the Contractor or a separately concluded usage agreement.
1.1.3. Where the term "Dealcode" or "Software" is used in this DPA, this is understood to mean the web-based AI Guided Selling Software and the associated training area, in particular for the analysis and optimisation of sales processes, which is the subject of the Service Agreement.
1.1.4. This DPA applies to those activities in which the Contractor, employees of the Contractor or subcontractors engaged by the Contractor (subcontractors) process personal data of the Client pursuant to the Service Agreement within the meaning of Art. 28 GDPR.
1.1.5. Terms used in this DPA are to be understood according to their definition in the GDPR.
1.2. Subject of the processing, categories of data and data subjects
1.2.1. The subject matter, scope, nature and purpose of data processing are set out in this DPA and the Service Agreement.
1.2.2. The subject of this DPA is the performance of the following tasks by the Contractor:
● Company data: In order to identify potential customers, the Contractor processes company data such as company name, company address, company website, company sector.
● Contact data: To contact potential customers, the Contractor processes contact data such as e-mail addresses, title, first name, last name, job title.
Dealcode GmbH - DPA - Version 2024-06-14
1.2.3. The following types/categories of data are regularly the subject of processing:
● Customer data (including company name, company address, employee and sales figures, contact data such as e-mail addresses and telephone numbers, names of contact persons including job title, e-mail addresses and telephone numbers)
● Employee data (including name, email, job title, job profile and company affiliation)
● Activity data (including telephone calls, e-mails, video calls and other forms of communication between employees and customers recorded in CRM)
● Customer contract data (including contract date, term, contract value, billing and payment data, termination date)
1.2.4. The categories of persons concerned by the processing regularly include:
● employees - freelancers and salaried employees - of the client or, if applicable, of a company affiliated with the client
● Former employees - freelance and salaried - of the principal or, if applicable, of a company affiliated with the principal
● employees of clients - freelancers and salaried employees - of the client, or, if applicable, of a company affiliated with the client
1.2.5. The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union, another contracting state of the Agreement on the European Economic Area or a state with an adequate level of data protection in accordance with Art. 45 DSGVO, as determined by the European Commission.
1.2.6. The relocation of the service to a third country - country outside point 1.2.4 - requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. DSGVO are fulfilled. Should these requirements be met, however, there must be important reasons under data protection law to refuse consent.
1.2.7. In the event of contradictions between the Service Agreement or the T&C and these DPA, the DPA shall take precedence as the more specific regulation in data protection matters.
1.3. Duration of processing
The duration of this contract (term) corresponds to the term of the service agreement, provided that the provisions of this DPA do not result in obligations that go beyond this. In the latter case, this DPA shall end with the discontinuation of the obligations existing beyond the service agreement.
2. Confidentiality
The Contractor shall ensure that confidentiality is maintained in accordance with Art. 28 (3) sentence 2 lit. b, 29 and 32 (4) DSGVO. When carrying out the work required for the commissioned processing, the Contractor shall only use employees who have been obliged to maintain confidentiality and who have been familiarised in advance with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process such data in accordance with the Client's instructions, the Service Agreement and the powers granted in this DPA, unless they are legally obliged to process it.
3. Obligations of the principal
3.1. Within the scope of this DPA, the Client shall be solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Contractor as well as for the lawfulness of the processing ("Controller" within the meaning of Art. 4 No. 7 DSGVO). This shall also apply with regard to the subject matter, scope, nature and purpose of the data processing regulated in this Agreement, the description of the data concerned pursuant to Section 1.2 and the safeguarding of the rights of the data subjects.
3.2. In particular, the Client shall be responsible for ensuring that the contractually agreed technical and organisational measures (hereinafter "TOM") drawn up by the Contractor for this processing and currently applicable in each case provide an adequate level of protection for the risks of the processed data. For its part, the Contractor is responsible for complying with these TOMs: TOM Dealcode GmbH Version20240614 EN
3.3. The Client shall inform the Contractor immediately and in full if it discovers errors or irregularities with regard to the processing with respect to data protection provisions.
3.4. If required, the Client shall inform the Contractor of the contact person for data protection issues arising within the scope of these DPA.
3.5. Further rights and obligations of the Client arise from the following provisions of this DPA and the GDPR as well as the associated statutory provisions.
4. Instructions
4.1. The Contractor - and any person subordinate to it - may only process the personal data within the scope of the Client's instructions, unless there is an exceptional case within the meaning of Article 28 para. 3 sentence 2 lit. a DSGVO or another overriding legal provision. The Service Agreement and the DPA constitute the final instructions of the Principal (with regard to data processing) at the time of the conclusion of these DPA. The Client reserves the right to issue further instructions, but these shall be dealt with in accordance with Section 4.3. The Contractor shall accept instructions from the Customer in written form as well as via the electronic formats offered by the Contractor for this purpose. Verbal instructions shall only be permitted in urgent cases and shall be confirmed by the Principal without delay in writing or in an electronic format offered by the Contractor for this purpose.
4.2. The Contractor shall inform the Client without delay if it is of the opinion that an instruction violates relevant laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client after review. The Client shall be fully liable to the Contractor internally for damages of any kind arising from confirmed instructions and shall indemnify the Contractor against claims of third parties upon first demand. In the event of continuing disagreement, the parties agree to consult the supervisory authority responsible for the contractor for a decision.
4.3. If the Client's instructions are not included in the contractually agreed scope of services, they shall be treated as a request for a change in services. In the case of proposed changes, the Contractor shall inform the Client of the effects on the agreed services, in particular the possibility of providing the services, deadlines and remuneration. If the Contractor cannot reasonably be expected to implement the instructions, the Contractor shall be entitled to reject the instructions. In the event that the Client nevertheless insists on the instruction, the Contractor shall have a special right of termination and may terminate the processing and cancel the service agreement at any time with immediate effect.
4.4. The Principal shall name the persons exclusively authorized to issue instructions within Dealcode or, if this is not possible within Dealcode, by e-mail to the following address: privacy@dealcode.ai. In the event that no person authorized to issue instructions is named, only natural persons of the Principal authorized to represent the Principal are authorized to issue instructions. The Contractor may suspend the execution of instructions until the Client has provided proof of the right of representation.
5. Obligations of the Contractor
5.1 General Obligations of the Contractor
5.1.1. In addition to compliance with the provisions of these DPA, the Contractor shall have statutory obligations pursuant to Articles 28 to 33 of the GDPR; in this respect, the Contractor shall in particular ensure compliance with the following requirements.
5.1.2. The Contractor shall ensure the written appointment of a data protection officer who shall carry out his activities in accordance with Art. 38 and 39 DSGVO. The current contact details of the data protection officer are easily accessible on the homepage or within Dealcode.
5.1.3. The contracting authority and the contractor shall cooperate, on request, with the supervisory authority in the performance of its duties.
5.1.4. The Contractor shall inform the Client without undue delay about control actions and measures of the supervisory authority, insofar as they relate to this order. This shall also apply insofar as a competent authority investigates the Contractor in the context of administrative offence or criminal proceedings with regard to the processing of personal data from this commissioned processing, unless the Contractor is legally or officially obliged to refrain from notification.
5.1.5. Insofar as the Client, for its part, is exposed to an inspection by the supervisory authority, administrative offence or criminal proceedings, the liability claim of a data subject or a third party, or any other claim in connection with the commissioned processing at the Contractor, the Contractor shall support it to the best of its ability upon request.
5.1.6. The Contractor shall regularly monitor the internal processes and the technical and organisational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
5.1.7. Upon request, the Contractor shall provide the Client with documents proving the technical and organisational measures taken in accordance with section 6.2.
5.2 Control Cooperation Obligations
5.2.1. The Customer is entitled to check compliance with the obligations arising from the AV agreement, the technical and organisational measures, and the data protection regulations by agreement with the Contractor during their normal business hours—taking into account a minimum of 14 days' notice—or to have them checked by auditors to be named in the individual case. For this purpose, the Customer may, among other things, inspect the relevant buildings and facilities of the Contractor, obtain information, or inspect its own data, taking into account the justified interests of the Contractor.
For inspections that become necessary due to a security incident or a more than insignificant breach of the regulations on the protection of personal data or stipulations of these DPA (hereinafter "event-related on-site inspection"), the notification period from sentence 1 is shortened to a reasonable period of time. Furthermore, incidental on-site inspections are not subject to the restrictions of Sections 5.2.3–5.2.4 of these GC.
5.2.2. The Contractor may make the approval of the audit conditional upon the auditor submitting to an appropriate confidentiality agreement. If the auditor commissioned by the Client is in a competitive relationship with the Contractor or if another justified case exists, the Contractor shall have a right of objection to this.
5.2.3. Within the scope of this clause, the Contractor shall only be obliged to tolerate and cooperate in one unprovoked on-site inspection per calendar year. The expense of an unprovoked on-site inspection is limited for the Contractor to one day per calendar year.
5.2.4. The Contractor shall have the right to refuse the random on-site inspection of this section if and as long as it provides evidence of the fulfilment of its obligations, in particular the implementation of the TOM and its effectiveness, by means of suitable evidence.
Appropriate evidence may, in particular, be approved codes of conduct within the meaning of Art. 40 GDPR or an approved certification procedure within the meaning of Art. 42 GDPR. Both parties agree that the submission of test certificates or reports by independent bodies (e.g., IT security officer, data protection officer), a coherent data security concept, or a suitable certification by an IT security and data protection audit shall also be recognised as suitable evidence.
6. Technical and organisational measures
6.1 The Contractor shall document the implementation of the TOM set out and required in the run-up to the conclusion of the contract before the start of the Processing, in particular with regard to the specific commissioned Processing, and shall keep it available for the Client for inspection.
6.2 The Contractor shall establish the security of the processing in accordance with Art. 28 (3) lit. c and 32 DSGVO, in particular in connection with Art. 5 (1), (2) DSGVO. Overall, the measures to be taken are data security measures and to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. In this context, the state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) of the GDPR shall be taken into account.
6.3 The TOM are subject to technical progress and further development. The contractor reserves the right to change the security measures taken, but it must be ensured that the contractually agreed level of protection is not undercut. Significant changes are to be documented.
7. Subcontracting relationships
7.1. Subcontracting relationships within the meaning of this contract are only those services that have a direct connection with the provision of the main service. Ancillary services, such as transport, maintenance and cleaning, the use of telecommunications services, user service or customer relationship management as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems, are not covered. The Contractor's obligation to ensure compliance with data protection and data security in accordance with the relevant legal provisions also in these cases shall remain unaffected.
7.2. The commissioning of subcontractors for the processing or use of personal data is generally only permitted with the approval of the Principal. For the subcontractors listed within Dealcode at the time of the conclusion of the contract (listing: Subcontractors Dealcode.pdf), this approval shall be deemed granted.
7.3. The contracting authority shall also grant the contractor general authorisation to subcontract further work, taking into account clause 1.2.4. The Contractor shall inform the Customer in text form by active notification - e.g. by e-mail, within Dealcode or via the link provided above - if it intends to involve further subcontractors or to replace them. The client may object to such changes, whereby this may not be done without an important data protection reason. The objection to the intended change must be made in text form to the Contractor within 14 days of the provision of the information about the change to: privacy@dealcode.ai. In the event of an objection, the Contractor may, at its own discretion, provide the service without the intended change or - insofar as the provision of the service without the intended change is not reasonable for the Contractor - discontinue the service vis-à-vis the Client within 4 weeks of receipt of the objection and terminate the service agreement without notice and with immediate effect.
7.4. If the Contractor places orders with subcontractors, it shall be incumbent on the Contractor to transfer its data protection obligations under this Agreement to the subcontractors and to conclude a contractual agreement with them in accordance with Article 28 (2-4) of the GDPR. In particular, the Contractor shall ensure that the TOM of the subcontractor meet the level of protection of the TOM from Section 6 of these DPA.
7.5. An on-site inspection of the subcontractor shall be carried out exclusively by the contractor and at most at annual intervals. Under the same conditions as in Section 5.2.4 of this DPA, an on-site inspection may be replaced by proof of data protection-compliant processing. The Contractor shall grant the Client the right to obtain information about the essential content of the contract and the implementation of the obligations of this contract, whereby the Contractor may make this dependent on the subcontractors enabling this - for example by concluding a confidentiality agreement.
8. Data subject rights
8.1. If a data subject addresses the contractor with a request from Chapter III of the GDPR with regard to the rights of data subjects, then the contractor will refer the data subject to the client, provided that an assignment to the client is possible after the data subjects have been identified. Furthermore, the contractor shall forward the request of the data subject to the contracting authority without delay.
8.2. Without prejudice to clause 8.1, Dealcode shall allow comprehensive self-management of the data as well as autonomous access, processing and verification of the processed data by any employee or administrator of the Principal, within the scope of the assigned access rights. Therefore, insofar as it is a matter of safeguarding the data subject rights from Chapter III of the GDPR, the Principal is primarily able and responsible to comply with the request of a data subject.
8.3. If, despite the possibility of such self-management, additional assistance from the Contractor is required, then the Contractor shall, where possible, assist the Client in the obligation to respond to requests to exercise the rights of the data subject referred to in Chapter III of the GDPR.
8.4. The Contractor shall not be liable if the request of the person concerned is not answered, not answered correctly or not answered in time by the Client and this is solely the fault of the Client.
9. Information and notification requirements
9.1. The Contractor shall support the Client in complying with the obligations regarding the security of personal data, notification obligations in the event of data breaches and prior consultations, if necessary, as set out in Articles 32 to 36 of the GDPR. This includes, among other things:
9.1.1. the obligation to report personal data breaches by the contractor, employees of the contractor or subcontractors engaged by the contractor without undue delay to the contracting authority within the meaning of Article 33 (2) of the GDPR.
9.1.2. the support of the contracting authority for its data protection impact assessment, if necessary. The Contractor may comply with this by providing the Client with the necessary information and documentation upon request.
9.1.3. assisting the client in consultations with the supervisory authority prior to the processing operation.
9.2. The Contractor may demand reasonable remuneration for support services in accordance with Clauses 9.1.2. and 9.1.3.
10. Release and deletion of data
10.1. Upon termination of the commissioned processing, the Contractor shall surrender the personal data introduced in accordance with the following clauses. As a rule, commissioned processing shall be terminated at the end of the service agreement.
10.2. The contractor is obliged to store the personal data provided for a period of 30 days after the end of the contract. The client is entitled to demand at any time in text form until the expiry of this period the surrender in a machine-readable format or deletion of the stored personal data or, if possible, to download them directly from the software.
10.3. If the Client issues a binding deletion instruction to the Contractor in text form, the Contractor shall be entitled to delete the data even before the expiry of the retention period pursuant to Section 10.2. The only exception to this is the data in respect of which the Contractor is legally obliged to retain.
10.4. If the Client has neither requested the data to be surrendered nor demanded the deletion of such data by the expiry of the deadline pursuant to Section 10.2, the Contractor shall be obliged to delete such data.
11. Anonymization
10.1. The Contractor shall have the right to anonymise and aggregate the personal data covered by this Agreement and to carry out the processing steps required for anonymisation and aggregation. While maintaining anonymity, the Contractor may process and use all data thus created for its own purposes, such as statistical evaluations, industry comparisons, benchmarking, product improvements, new product developments and other comparable purposes.
10.2. The original dataset is not affected by the anonymization.
10.3. Anonymised or aggregated data within the meaning of Clause 11.1 shall no longer be deemed personal data and shall not be covered by the obligation to surrender or delete data under Clause 10. The Contractor shall be entitled to use and store such data for its own purposes beyond the end of the contract.
12. Liability
12.1. If damage has arisen because the Contractor has not complied with its specifically imposed obligations under the GDPR or has arisen in non-compliance with the lawfully issued instructions of the Data Controller or because the Contractor has acted contrary to such instructions, the Contractor shall be liable for the damage incurred pursuant to Article 82(2) GDPR.
12.2. In all other cases, the Client shall be fully liable for the damage in the internal relationship and shall indemnify the Contractor against any claims of the data subject or third parties on first demand which are raised against the Contractor in connection with the commissioned processing. This shall also apply in particular insofar as a claim as joint and several debtor exceeds the share of fault attributable to the Contractor in total.
12.3. The client bears the burden of proof that damage is not the result of a circumstance for which he is responsible.
12.4. Any exclusion of liability in this contract shall not apply in the case of intent and gross negligence as well as in the case of damages resulting from injury to life, body or health.
12.5. Otherwise, liability is governed by the service agreement.
13. Final determination
13.1. The acceptance/confirmation of the conclusion of the contract by the contractor may be made in an electronic format within the meaning of Article 28(9) of the GDPR.
13.2. Both parties are obliged to treat all knowledge of business secrets and data security measures of the other party obtained within the framework of the contractual relationship confidential, even after the termination of the This shall also apply in particular to the contents of these GCS as well as all documents, evidence, etc. made available within the scope of the data protection review. If there is any doubt as to whether information is subject to the obligation of confidentiality, it shall be treated as confidential until it has been released in writing by the other party.
13.3. Amendments and supplements to these DPA and all of its components - including any assurances by the Contractor - must be made in writing in accordance with the GDPR, which may also be in an electronic format, and must include an express reference to the fact that it is an amendment or supplement to these terms and conditions. This also applies to the waiver of this formal requirement. The parties agree that adaptations of the contract or new contracts shall be concluded in an electronic format within the meaning of Article 28 (9) GDPR.
13.4. Should the Client's data at the Contractor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Client thereof without undue delay. The Contractor shall immediately inform all parties involved in this context that the sovereignty and ownership of the data lies exclusively with the Client as the "responsible party" within the meaning of the GDPR.
13.5. The defence of the right of retention within the meaning of §273 of the German Civil Code BGB is excluded with regard to the data processed in the order.
13.6. The law of the Federal Republic of Germany shall apply. The application of the UN Convention on Contracts for the International Sale of Goods CISG is excluded.
13.7. For all disputes in connection with this GCS, the Contractor's registered office is agreed as the exclusive place of jurisdiction, insofar as this is permissible.
13.8. This GC replaces all prior or contemporaneous representations, understandings, agreements, contracts or communications between the Client and the Contractor, whether written or oral, relating to the subject matter of this GC. The respective service agreements concluded shall remain unaffected.
13.9. Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.