Data Processing Agreement pursuant to Art. 28 GDPR
Version 1.1.5 published on Oct 16, 2024
This data processing agreement is only available in English and German. The English translation is a non-binding, convenience translation.
The German original is legally binding.
This is the Data Processing Agreement pursuant to Art. 28 GDPR of SeaTable GmbH, 117er Ehrenhof 5, 55118 Mainz, Germany.
1. Subject Matter of the Agreement; Subject Matter of this Data Processing Agreement
1.1
The subject matter of this agreement is the provision of the online service for one or more users managed by the controller and the provision of related services. Under this agreement, depending on the subscribed plan or chosen deployment option, the controller may use a browser and the application programming interface (API) of the service to process data (to collect, store, modify, share, and delete it).
1.2
The subject matter of the agreement is not the processor’s own use or processing of personal data. However, in the course of providing services as the operator of the online service and fulfilling obligations regarding support, maintenance, data backup, and administration, access to personal data cannot be entirely ruled out.
1.3
The details are set out in the contract summarized under the customer number specified above. This Data Processing Agreement applies to the entire service relationship, insofar as the services described in section 1.1 are concerned.
1.4
Whenever “data” is referred to below, this exclusively means personal data within the meaning of the GDPR. The following data protection and data security provisions apply to all processing activities within the meaning of Art. 28(1) GDPR that the processor performs for the controller and to all activities in which employees of the processor or third parties engaged by the processor may come into contact with the controller’s personal data.
1.5
In addition to the contract concluded between the parties, this Data Processing Agreement specifies the mutual obligations regarding the general handling of the controller’s data.
2. Term, Termination, Deletion of Data
2.1
The term of this agreement depends on the duration of the provision of the online services by the processor on behalf of the controller. The engagement ends when the controller no longer uses any services of the processor in accordance with the service agreements / offers of the individual order confirmations.
2.2
Data subjects whose data are processed by the processor must assert their rights, in particular to rectification, deletion, and blocking, against the controller. The controller alone is responsible for safeguarding these rights.
2.3
After termination of the engagement or upon written request by the controller, the processor must delete all of the controller’s data in full, in compliance with data protection requirements and within a reasonable period (including technically or security‑related necessary copies), or return it to the controller. The same applies to test and discarded material, which must be securely stored until deletion or return. This does not apply to documentation required as evidence of proper and contract‑compliant data processing or where legal provisions, statutory obligations, or court orders prevent deletion. Any additional costs incurred by deletion prior to the end of the contract are borne by the controller.
2.4
In the course of its activities for the controller, the processor must promptly forward to the controller any data subject requests addressed to the processor for proper handling. The processor is not entitled to respond to such requests independently without prior coordination with the controller.
2.5
The processor must assist the controller, within the bounds of technical feasibility and taking into account the nature of the contracted services, in fulfilling data subjects’ rights under Chapter III of the GDPR, in particular with regard to rectification, blocking and deletion, notification, and the provision of information.
3. Scope, Nature, and Purpose of the Intended Collection, Processing, and/or Use of Data
3.1
The scope, nature, and purpose of the intended collection, processing, and/or use of data arise from the contract in place between the parties. The processor must use the personal data provided to it solely for the performance of the contractually agreed services. The processor may create interim, temporary, or duplicate files required for operational and security purposes for the proper collection, processing, and/or use of personal data, provided that this does not lead to any change in content. The processor is not permitted to create unauthorized copies of personal data. The controller must promptly inform the processor if it identifies any errors or irregularities when reviewing the processing results.
3.2
Any collection, processing, and/or use of data by the processor takes place exclusively within the territory of the Federal Republic of Germany, a Member State of the European Union, or another Contracting State to the Agreement on the European Economic Area. Any transfer to another third country requires the prior consent of the controller and may only take place if the specific requirements of Art. 44 GDPR are met.
4. Type of Data and Categories of Data Subjects
4.1
The following types of data of the controller are subject to collection, processing, and/or use in accordance with section 1.2 sentence 2:
- Master data
- Contact data (e.g. telephone, email)
- Contract data (contractual relationship, product or contract interest)
- Customer history
- Contract billing and payment data
- Information from third parties (e.g. credit agencies) or from public directories
- Other data:
(To be fully and accurately checked/completed by the controller.)
4.2
The following categories of data subjects are affected by the handling of data in accordance with section 1.2 sentence 2:
- Customers
- Prospective customers
- Subscribers
- Employees
- Suppliers
- Contact persons
- Other data subjects:
(To be fully and accurately checked/completed by the controller.)
5. General Obligations of the Processor (Art. 28–33 GDPR)
5.1
Any collection, processing, and/or use of data by the processor is only permitted within the framework of the contractual agreements between controller and processor. If the processor has access to the controller’s data, it must not use such data for non‑contractual purposes and may only disclose it to third parties where there is a legal obligation to do so. Copies of data may only be created with the controller’s consent. This excludes backup copies, to the extent they are required to ensure proper data processing or to fulfill contractual or legal obligations.
5.2
The processor ensures confidentiality in accordance with Art. 28(3) sentence 2(b), 29, and 32(4) GDPR. All persons who may have access, within the scope of this engagement, to the controller’s data listed in section 4.1 must be bound by confidentiality and informed of the specific data protection obligations arising from this engagement as well as the existing instruction and purpose limitation.
5.3
The processor ensures the implementation and observance of all technical and organizational measures necessary for this engagement in accordance with Art. 32 GDPR.
5.4
The processor must promptly notify the controller of any breaches of data protection provisions committed by the processor or its employees. The same applies in the event of serious disruptions to business operations or other irregularities in the handling of the controller’s data. Where the controller is subject to obligations under Art. 32 and 33 GDPR, the processor must support the controller in complying with these obligations. Where the controller is subject to obligations under Art. 32–36 GDPR, for example in the event of loss, unlawful transmission, or unauthorized access to personal data by third parties, the processor must provide support to the extent appropriate given the nature of the services it provides.
5.5
A Data Protection Officer under Art. 38 and 39 GDPR has not been appointed by the processor, as there is no statutory requirement to do so. The designated point of contact is Dr. Ralf Dyllick‑Brenzinger (rdb@seatable.io).
6. Obligations of the Processor Regarding Technical and Organizational Measures (Art. 32 GDPR)
6.1
Within its area of responsibility, the processor structures its internal organization in such a way that it meets data protection requirements. In doing so, the processor implements technical and organizational measures to adequately protect data against misuse and loss in order to comply with the requirements of the GDPR.
6.2
The parties agree that the technical and organizational measures are subject to technical progress and further development. The processor is therefore permitted to implement alternative, adequate measures. The processor must inform the controller of such changes upon request and ensure that the level of security of the defined measures is not reduced. The processor must ensure security in accordance with Art. 28(3)(c) and Art. 32 GDPR, in particular in conjunction with Art. 5(1) and (2) GDPR. Overall, the measures to be taken are measures of data security to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability, and resilience of the systems. Material changes must be documented.
7. Subprocessing (Art. 28(2) and (4) GDPR)
7.1
The controller agrees that the processor may engage affiliated companies of the processor and other companies as subprocessors to perform its contractually agreed services, in particular, but not limited to, in the areas of maintenance and installation of data center infrastructure, telecommunications services, and user support. The processor reserves the right, in accordance with section 3.2 of this agreement, to use subprocessors in the regions specified therein.
7.2
The processor ensures that an up‑to‑date list of engaged subprocessors is always available to the controller for retrieval and inspection via the customer portal, as an appendix to this agreement, or in another suitable form; this list forms an integral part of this agreement. The controller agrees to the use of the subprocessors named there. If this list is changed with regard to the addition or replacement of subprocessors, the controller will be informed accordingly. The changes are deemed accepted by the controller if the controller does not object within 4 weeks of publication.
7.3
If the processor commissions subprocessors, the processor is responsible for contractually passing on its obligations under this Data Processing Agreement to the subprocessors.
8. Obligations of the Controller (Art. 24 GDPR and Arts. 13 and 14 GDPR)
8.1
The controller is responsible for complying with the data protection regulations applicable to it.
8.2
The controller must promptly and fully inform the processor if it identifies any breaches of data protection provisions by the processor.
8.3
The controller is subject to the information obligations arising from Art. 24 GDPR and Arts. 13 and 14 GDPR.
9. Instructions, Rectification, Deletion and Blocking, and Data Subject Rights (Art. 29 in conjunction with Art. 28 GDPR and Chapter III GDPR)
9.1
The controller has full access to the data at all times, so that the processor’s involvement, in particular for rectification, blocking, and deletion, is generally not required. Where the processor’s involvement is necessary, the processor is obliged to cooperate. The controller reimburses the processor for efforts related to cooperation that is not necessary but requested by the controller. In this context, the controller has a comprehensive right to issue instructions regarding the type, scope, and procedures of data processing in accordance with Art. 29 in conjunction with Art. 28 GDPR. The processor must promptly inform the controller if it believes that an instruction violates data protection provisions. The processor is entitled to suspend execution of the relevant instruction until it has been confirmed or amended by the person responsible at the controller.
9.2
If a data subject contacts the processor directly to request rectification or deletion of their data, the processor will forward this request to the controller. If the controller is required under applicable data protection law to provide information about the collection, processing, and/or use of data, the processor will support the controller as necessary in providing such information. The controller must submit any such request to the processor in writing and reimburse the processor for the costs incurred.
10. Audit Rights of the Controller
10.1
The controller has the right, prior to the start of data processing and thereafter on a regular basis, to verify compliance with the technical and organizational measures implemented by the processor.
10.2
For this purpose, the controller may rely on the documentation of the existing technical and organizational measures prepared by the processor’s designated contact person in accordance with section 5.5, which is regularly updated and complies with legal requirements.
10.3
The controller has the right to conduct audits of the processing or to have them conducted by auditors designated on a case‑by‑case basis, in coordination with the processor. The controller has the right, by means of spot checks, after timely prior notice (3 weeks) during normal business hours and without disrupting business operations, to verify in the processor’s business premises that this agreement is being complied with. The processor undertakes, upon request, to provide the controller with all information necessary to fulfill its audit obligations and to make appropriate evidence available. Any costs incurred by the processor in connection with its support must be reimbursed by the controller to a reasonable extent.
10.4
With regard to the controller’s audit obligations under Art. 28(1) GDPR prior to the start of data processing and during the term of the engagement, the processor ensures that the controller can verify compliance with the implemented technical and organizational measures.
10.5
The processor undertakes, upon request, to provide the controller with the information required to fulfill the controller’s audit obligations relating to the processing of the above‑mentioned data and to furnish appropriate evidence. This also applies where the processor carries out audits of its subprocessors on behalf of the controller.
11. Remote Maintenance
11.1
If the processor performs maintenance and/or servicing of IT systems by means of remote access, the processor must enable the controller to effectively monitor the remote maintenance activities. This may, for example, be achieved through the use of technology that allows the controller to follow the work carried out by the processor on a monitor or similar device. The processor is obliged to use technologies that not only allow the controller to observe the activities on the screen but also provide the controller with the ability to terminate the remote maintenance activities at any time.
11.2
If the controller is subject to a professional duty of confidentiality within the meaning of section 203 of the German Criminal Code (StGB), the controller must ensure that no unauthorized disclosure within the meaning of section 203 StGB occurs due to remote maintenance.
11.3
If the controller does not wish to observe the activities on a monitor or similar device during remote maintenance, the processor will document the work performed in an appropriate manner.
12. Severability; Place of Jurisdiction
12.1
If any provision of this agreement is or becomes invalid or unenforceable, the remaining provisions of this agreement will remain unaffected. The parties agree to replace the invalid or unenforceable provision with a valid and enforceable provision that most closely reflects the parties’ original intent. The same applies in the event of any contractual gaps.
12.2
The place of jurisdiction is Mainz.