Data Processing Agreement pursuant to Art. 28 GDPR
Version 1.1.2 published on Jul 1, 2022
This data processing agreement is only available in English and German. The English translation is a non-binding convenience translation.
This version is no longer current.
This is the Data Processing Agreement pursuant to Art. 28 GDPR of SeaTable GmbH, 117er Ehrenhof 5, 55118 Mainz.
1. Subject Matter of the Agreement
1.1 Subject Matter of the Data Processing Agreement
The subject matter of this agreement is the provision of the online database service SeaTable (online service) for one or more users managed by the controller and the provision of related services. Under this agreement, depending on the subscribed plan or chosen deployment option, the controller may use a browser and the service’s API to process data (to collect, store, modify, share, and delete it).
1.2
The subject of the agreement is not the processor’s own use or processing of personal data. However, in the course of providing the online service and fulfilling obligations regarding support, maintenance, data backup, and administration, access to personal data cannot be entirely excluded.
1.3
Details are specified in the agreement summarized under the customer number mentioned above. This Data Processing Agreement applies to the entire contractual relationship, insofar as the services described in section 1.1 are concerned.
1.4
Whenever “data” is referred to below, this exclusively means personal data within the meaning of the GDPR. The following data protection and data security provisions apply to all data processing services within the meaning of Art. 28(1) GDPR performed by the processor for the controller and to all activities where employees or subcontractors of the processor may come into contact with the controller’s personal data.
1.5
In addition to the contract concluded between the parties, this Data Processing Agreement specifies the mutual obligations for handling the controller’s data.
2. Term, Termination, Deletion of Data
2.1
The term of this agreement depends on the duration of IT support services provided by the processor on behalf of the controller. The agreement ends when the controller no longer makes use of the processor’s services in accordance with the relevant service agreements or offers.
2.2
Data subjects whose data are processed by the processor must assert their rights, in particular to rectification, deletion, and blocking, against the controller. The controller alone is responsible for safeguarding these rights.
2.3
After termination of the agreement or upon written request by the controller, the processor must delete all of the controller’s data in full, in compliance with data protection requirements, within a reasonable period (including backup or security copies) or return it to the controller. The same applies to test or discarded material, which must be securely stored until deletion or return. This does not apply to documentation required as evidence of proper data processing or where legal or regulatory obligations prevent deletion. Any additional costs incurred by premature deletion before contract termination are borne by the controller.
2.4
The processor must promptly forward to the controller any data subject requests received directly, without processing them independently, unless agreed otherwise with the controller.
2.5
The processor must assist the controller, within technical and practical means, in fulfilling data subjects’ rights under Chapter III of the GDPR—particularly for rectification, blocking, deletion, notification, and information requests.
2.6
There is no physical data carrier exchange pursuant to Art. 28(3)(g) GDPR between the parties to this Data Processing Agreement; therefore, no return needs to be regulated.
3. Scope, Nature, and Purpose of Data Processing
3.1
The scope, nature, and purpose of data collection, processing, and/or use result from the agreement between the parties. The processor must use the provided personal data solely for the agreed contractual purpose. The processor may create temporary, intermediary, or duplicate files necessary for proper processing as long as this does not modify the content. Unauthorized copies of personal data are prohibited. The controller must promptly notify the processor of any errors or irregularities detected during verification of processing results.
3.2
Any collection, processing, and/or use of data by the processor takes place exclusively within the territory of the Federal Republic of Germany, a Member State of the European Union, or a Contracting State of the Agreement on the European Economic Area. Any transfer to a third country requires prior written consent from the controller.
4. Type of Data and Categories of Data Subjects
4.1
The types of data collected, processed, and/or used by the processor pursuant to section 1.2, sentence 2, include:
- Basic personal data
- Communication data (e.g. telephone, email)
- Contractual data (contract relationship, product or service interest)
- Customer history
- Billing and payment data
- Information from third parties or public directories
- Other data:
4.2
The categories of data subjects whose data are processed pursuant to section 1.2, sentence 2, include:
- Customers
- Prospective customers
- Subscribers
- Employees
- Suppliers
- Contact persons
- Other data subjects:
5. General Obligations of the Processor (Art. 28–33 GDPR)
5.1
Any collection, processing, and/or use of personal data by the processor is permitted only within the scope of the contract with the controller. If the processor gains access to data belonging to the controller, such data must not be used for non-contractual purposes or disclosed to third parties unless required by law.
5.2
The processor ensures confidentiality in accordance with Art. 28(3)(b), 29, and 32(4) GDPR. All persons authorized to access the controller’s data listed in section 4.1 must be bound by confidentiality and informed about their special data protection obligations and the purpose limitation of processing.
5.3
The processor ensures the implementation and maintenance of all necessary technical and organizational measures pursuant to Art. 32 GDPR.
5.4
The processor must promptly notify the controller of any violations of data protection provisions committed by itself or its employees.
5.5
A Data Protection Officer under Art. 38 and 39 GDPR has not been appointed, as no statutory requirement exists. The contact person is Dr. Ralf Dyllick-Brenzinger (rdb@seatable.io).
6. Obligations Regarding Technical and Organizational Measures (Art. 32 GDPR)
6.1
The processor must design its internal organization to meet the requirements of data protection.
6.2
The parties agree that technical and organizational measures are subject to technical progress and development.
7. Subprocessing (Art. 28(2) and (4) GDPR)
7.1
The controller agrees that the processor may engage subprocessors to fulfill its contractual obligations.
7.2
The processor must ensure that the controller always has access to an up-to-date list of engaged subprocessors.
7.3
When the processor commissions subprocessors, it must ensure that the obligations contained in this Data Processing Agreement are contractually passed on to them.
8. Obligations of the Controller (Art. 24 and Arts. 13–14 GDPR)
8.1
The controller is responsible for complying with the data protection regulations applicable to it.
9. Instructions, Correction, Deletion, Blocking, and Data Subject Rights
9.1
The controller has full access to the data at all times and retains full authority to issue binding instructions regarding the type, scope, and procedures of data processing, in accordance with Art. 29 in conjunction with Art. 28 GDPR.
10. Audit Rights of the Controller
10.1
The controller has the right to verify, prior to the start of processing and regularly thereafter, the technical and organizational measures implemented by the processor.
11. Remote Maintenance
11.1
If the processor carries out maintenance or servicing of IT systems by means of remote access, it must ensure the controller can effectively monitor such remote activities.
12. Severability and Jurisdiction
12.1
If any provision of this agreement is or becomes invalid or unenforceable, the remaining provisions shall remain unaffected.
12.2
The place of jurisdiction is Mainz.