Data Processing Agreement

According to Art. 28 (3) General Data Protection Regulation (GDPR)

version 3.3
status: 18.07.2022

  • 1. Subject-matter and duration of the processing

    • 1.1. The subject matter of the Agreement is the rights and obligations of the parties in the context of the provision of services in accordance with the order, service description and general terms and conditions (hereinafter referred to as the main contract), insofar as STRATO AG (hereinafter referred to as the processor) processes personal data on behalf of the client as controller (hereinafter referred to as the client) according to Art. 28 GDPR. This includes all activities that the processor performs to fulfil the contract and that represent a data processing on behalf of the controller. This also applies if the order does not explicitly refer to this Data Processing Agreement.
    • 1.2. The duration of the processing corresponds to the term agreed in the order.
  • 2. Nature and purpose of the processing

    • 2.1. The nature of the processing includes all types of processing as defined by the GDPR to fulfil the contract.
    • 2.2. Purposes of processing are all purposes required to provide the contracted services in particular in terms of cloud services, hosting, Software as a Service (SaaS), and IT support.
  • 3. Type of personal data and categories of data subjects

    • 3.1. The type of processed data is determined by the client by the product selection, the configuration, the use of the services, and the transmission of data.
    • 3.2. The categories of data subjects are determined by the client via product selection, configuration, the use of the services, and the transmission of data.
  • 4. Responsibility and processing on documented instructions

    • 4.1. The client is solely responsible for complying with the legal requirements of data protection laws, in particular, the legality of the transfer of data to the processor and the legality of data processing under this Agreement ( "Controller" in the sense of Art. 4 no. 7 GDPR). This also applies to the purposes and means of processing set out in this Agreement.
    • 4.2. The instructions are initially determined by the main contract and can then be changed by the client in writing or in an electronic format (text form) by individual instructions (individual instruction). Verbal instructions must be confirmed immediately in writing or in text form. Instructions that are not provided for in the contract are treated as an application for a change in performance. In the event of proposed changes, the processor shall inform the client of the effects that this will have on the agreed services, in particular, the possibility of providing services, deadlines, and remuneration. If the implementation of the instruction is not reasonable to the processor, the processor is entitled to terminate the processing. Unacceptability exists in particular if the services are provided in an infrastructure that is used by several clients/customers of the processor (shared services), and a change in the processing for individual clients is not possible or is unreasonable.
    • 4.3. The contractually agreed data processing takes place as a rule mainly in a Member State of the European Union or in another contracting state of the Agreement via the European Economic Area, unless the transfer of data to third countries becomes necessary in order to provide the service. In the event that a transfer to a third country takes place, the processor shall ensure that the requirements pursuant to Art. 44 ff. GDPR are fulfilled.
  • 5. Rights of the client, obligations of the processor

    • 5.1. The processor may process data of data subjects only within the framework of the order and the documented instructions of the client, unless there is an exceptional case within the meaning of Article 28 (3) (a) GDPR (obligation under the law of the European Union or of a Member State). The processor shall inform the client without delay if it considers that an instruction violates applicable laws. The processor may suspend the implementation of the instruction until it has been confirmed or modified by the client.
    • 5.2. In the light of the nature of the processing, the processor shall, as far as possible, assist the client with appropriate technical and organisational measures in order to fulfil the rights of the data subjects laid down in Chapter III of the GDPR. The processor is entitled to demand appropriate compensation from the client for these services. The processor shall provide the client with cost information in advance.
    • 5.3. The processor shall assist the client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GPDR taking into account the nature of processing and the information available to the processor The processor is entitled to demand appropriate compensation from the client for these services.
    • 5.4. The processor ensures that the employees involved in the processing of the data of the client and other persons acting on behalf of the processor are prohibited from processing the data outside the instruction issued. Furthermore, the processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The same applies to the social secrecy, secrecy of telecommunications according to § 3 TTDSG (German Telecommunications and Telemedia Data Protection Act)and - in knowledge of criminal liability - for the preservation of secrets of professional secrecy according to § 203 StGB (German Penal Code). The obligation of confidentiality/secrecy persists even after the order has been completed.
    • 5.5. The processor shall inform the client immediately if it becomes aware of violations of the protection of personal data of the client. The processor shall take the necessary measures to safeguard the data and to mitigate possible adverse consequences for the data subjects.
    • 5.6. The processor guarantees the written appointment of a Data Protection Officer, who shall carry out his/her activity in accordance with Art. 38 and 39 GDPR. A contact option will be published on the website of the processor.
    • 5.7. At the end of the provision of the processing services, the processor will, at the choice of the client, either delete or return the personal data, unless there is an obligation under European Union or national law to retain the personal data, or something else results under any other contractual arrangements. If the client does not exercise this option, deletion is deemed agreed. If the client chooses to return, the processor can demand a reasonable compensation. The processor shall provide the client with cost information in advance.
    • 5.8. If a data subject asserts claims for compensation according to Art. 82 GDPR, the processor shall support the client in defending the claims within the scope of its possibilities. The processor may require an appropriate remuneration for this.
  • 6. Obligations of the client

    • 6.1. The client must immediately and completely inform the processor if it identifies errors or irregularities with regard to data protection regulations when carrying out the order.
    • 6.2. In the event of termination, the client undertakes to delete personal data which it has stored during its service, before the termination of the Contract.
    • 6.3. At the request of the processor, the client appoints a contact person for data protection matters.
  • 7. Requests from the data subjects

    If the data subject approaches the processor with requests for correction deletion or information, the processor shall refer the data subject to the Client, provided that an assignment to the Client is possible according to the information of the data subject. The processor shall immediately forward the request of the data subject to the client. The processor shall support the client within the scope of its possibilities. The processor shall not be liable if the request of the data subject is not answered by the client, not answered correctly or not answered in due time.

  • 8. Measures for the security of processing according to Art. 32 GDPR

    • 8.1. The processor will take appropriate technical and organisational measures in its area of responsibility to ensure that the processing is carried out in accordance with the requirements of the GDPR and ensure the protection of the rights and freedoms of the data subjects. In accordance with Art. 32 GDPR, the processor shall take appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of the processing systems and services in the long term.
    • 8.2. The current technical and organisational measures of the processor can be viewed at the following link: The Contractor clarifies that the technical and organisational measures listed under the link are merely descriptions of a technical nature which are not to be regarded as part of this Agreement.
    • 8.3. The processor will operate a procedure for the regular review of the effectiveness of the technical and organisational measures to ensure the security of processing in accordance with Art. 32 (1) lit. d) GDPR.
    • 8.4. Over time, the processor will adapt the measures taken to developments in the state of the art and the risk situation. A change in the technical and organisational measures taken is reserved to the processor, provided that the level of protection under Art. 32 GDPR is not fallen short of.
  • 9. Proof and verification

    • 9.1. As evidence of compliance with the obligations set out in Art. 28 GDPR, the client is required to obtain a ISO 27001 certification. The current certificate is provided by the processor on its website.
    • 9.2. Insofar as the client asserts legitimate doubts on the basis of factual indications that these certifications are sufficient or appropriate, or if special incidents within the meaning of Art. 33 (1) GDPR in connection with the execution of the data processing on behalf of the client justify this for the client, it may perform inspections. These can be carried out during normal business hours without disruption to the operation after registration, taking into account a reasonable lead time.
      The client's inspection right has the objective of verifying compliance with the obligations incumbent on a processor in accordance with the GDPR and this Contract.
    • 9.3. The processor shall provide the client with all the information necessary to prove compliance with the obligations laid down in Art. 28 GDPR and shall allow and contribute to audits, including inspections, carried out by the client or another inspector appointed by the client. The processor is entitled to demand a declaration of confidentiality from the client and its appointed auditor. The processor agrees to the designation of an independent external auditor by the client, if the client provides the processor with a copy of the audit report. The processor may refuse competitors of the client or persons working for competitors of the client as investigators.
    • 9.4. The processor may require reasonable compensation for information and assistance. The processor shall provide the client with cost information in advance. The cost for the processor through an inspection is always limited to one day per calendar year.
  • 10. Subprocessors (other processors)

    • 10.1. The client grants the processor the general permission to use other processors within the meaning of Art. 28 GDPR for the fulfilment of the Contract.
    • 10.2. The processors currently used can be accessed via the following link: The Client shall regularly inform itself about changes there. The Client agrees to their use.
    • 10.3. The processor shall inform the client if it intends to withdraw or replace other processors. The client may object to such changes.
    • 10.4. The objection to the proposed change can only be raised against the processor for a reason related to a material data protection right within a reasonable time after receipt of the information about the change. In the event of an objection, the processor may choose to provide the service without the intended change or, if the performance of the service without the intended change is not reasonable to the processor, stop providing the service affected by the change to the client within a reasonable time after receipt of the objection.
    • 10.5. If the processor places orders with other processors, it is the processor's responsibility to impose its data protection obligations under this Contract to the other processor.
    • 10.6. Additional processors within the meaning of this regulation are only those other processors who provide services directly related to the provision of the main service. It does not cover ancillary services related to telecommunications, printing/postal/transport services, maintenance and service, user services or the disposal of data media and other measures to ensure the confidentiality, availability, integrity and resilience of personal data, networks, services, data processing systems and other IT systems. However, in order to ensure data protection and data security with respect to the data of the client, the processor is obliged to take appropriate and legally compliant contractual agreements as well as control measures for such ancillary services.
  • 11. Liability and compensation

    • 11.1. In the case of assertion of a claim for compensation by a data subject person pursuant to Art. 82 GDPR, the parties undertake to support each other and to contribute to the clarification of the underlying facts.
    • 11.2. The liability regulation agreed between the parties in the main contract for the provision of services shall also apply to claims arising from this Data Processing Agreement and in the internal relationship between the parties for claims of third parties under Art. 82 GDPR, unless expressly agreed otherwise.
  • 12. Contract period, miscellaneous

    • 12.1. The agreement begins with the conclusion by the customer. It ends with the end of the last Contract under the respective customer number. If any data processing on behalf of the client still takes place after termination of this contract, the regulations of these agreements are valid until the actual end of the processing.
    • 12.2. The processor may amend the Agreement at its reasonable discretion with reasonable notice. In particular, the processor expressly reserves the right to unilaterally amend this agreement if major legal changes in relation to this agreement occur. The processor shall separately inform the customer of the significance of the planned amendment and shall furthermore grant the customer a reasonable period of time to declare an objection. The processor shall inform the customer in the notice of amendment that the amendment will become effective if the customer does not object within the set period. In the event of an objection by the customer, the processor shall have an extraordinary right of termination.
    • 12.3. The client acknowledges this agreement as part of the general terms and conditions: concerning the product(s) booked by him.
      In the event of any contradictions, the provisions of this Agreement for data processing shall prevail to the provisions of the main contract. Should individual parts of this Agreement be ineffective, this does not affect the validity of the remaining agreements.
    • 12.4. The exclusive place of jurisdiction for all disputes arising from and in connection with this contract is the registered office of the processor. This applies subject to any exclusively legal place of jurisdiction. This Contract is subject to the statutory provisions of the Federal Republic of Germany.
    • 12.5. If the data of the client is endangered by seizure or confiscation, by a bankruptcy or settlement procedure, or by other events or measures of third parties, the processor shall inform the client immediately. The processor will inform all persons responsible in this connection without delay that the sovereignty and the ownership of the data lie exclusively with the client as the "Controller" within the meaning of the GDPR.