Data Processing Agreement

Pursuant to Art. 28 (3) p. 1 GDPR

– hereinafter referred to as the DPA –

between

– hereinafter referred to as Controller –

and

– hereinafter referred to as Processor –

– The Processor and the Controller are hereinafter referred to as (contractual) Parties. –

Annexes

• Annex 1 – Technical and Organisational Measures (TOMs).
• Annex 2 – Subprocessors.

The Subject-Matter of the Contract, Categories of Data, Data Subjects, Nature, Scope and Purpose of the Processing (Art. 28 (3), 30 (2) GDPR)

1. The subject of the DPA, the personal data processed within the scope of the assignment (Art, 4 Nos. 1 and 2 GDPR; hereinafter referred to as "Data"), the data subjects concerned and the nature, scope and purposes of the processing, are determined by the following legal relationship(s) between the contractual Parties (hereinafter referred to as the "Principal Agreement"):

   Agreement on the use of Fanpage Karma and the websites, tools, functions and services associated with the services of Fanpage Karma.

   The provisions of this DPA take precedence over the Principal Agreement.

2. The Principal Agreement includes the following basic features and special features and services provided by Fanpage Karma:

2. Controller and right of Instruction

1. As the person responsible pursuant to Art. 4 No. 7 GDPR, the Controller is responsible for compliance with data protection regulations, in particular the selection of the Processor, the Data transmitted to him and the instructions issued (Art. 28 (3) a, 29 and 32 (4) GDPR).
2. Where the Customer is itself a Processor and subcontracts the Processing to the Processor, the provisions of this DPA shall apply mutatis mutandis and the Controller of the Processing may, on the basis of this DPA, directly invoke the rights of the Customer towards the Processor.
3. The Processor may process Data only within the framework of the Principal Agreement and the instructions of the Controller (including in particular the modification, erasure or restriction of the Data) and only to the extent that the processing is necessary for the agreed purpose, unless the Processor is required to process Data for another purpose by Union or Member State law to which the Processor is subject; in such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest (Art. 28 (3) p. 2 a GDPR).
4. The Controller has the right to issue additional instructions at any time with regard to the processing of the Data and the security measures.
5. If the Processor is of the opinion that an instruction by the Controller violates applicable data protection law, he will immediately point this out to the Controller. If the Processor is of the opinion that an instruction of the Controller violates applicable data protection law, then the Processor is entitled to suspend the execution of the instruction until the Controller confirms the instruction or to reject the instruction in the case of an obviously illegal instruction.
6. The Processor may refuse instructions if they are not possible or unreasonable for the Processor (in particular because compliance with them would impose disproportionate effort or due to a lack of technical possibilities of the Processor). The rejection is only admissible under appropriate consideration of the protection of the Data of the data subjects concerned and entitles the Controller to a termination without notice for a compelling reason of the Principal Agreement, if its continuation is unreasonable for the Controller.
7. If additional instructions of the Controller go beyond the contractual duty of the Processor under the Principal Agreement and are not based on misconduct on the part of the Processor, then the Controller shall reimburse the Processor separately for the additional time and effort arising therefrom.
8. The contracting Parties may appoint persons entitled to issue and receive instructions (in particular, if the responsible persons do not already follow from the Principal Agreement) and are obliged to notify the contractual Parties of any changes without delay.
9. Responsible on the part of the Processor:
   Nicolas Graf von Kanitz
   Tel: +49 30 55656912, Fax: +49 30 577095069, E-Mail: .

3. Security of Processing and Related Obligations

1. The Processor shall structure the internal organisation in his area of responsibility in accordance with the legal requirements and shall in particular take technical and organisational measures for appropriate security, in particular the confidentiality, integrity and availability of the Controller's Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects and ensuring their safeguarding (Art. 28 (3) and 32 - 39 in conjunction with Art 5 GDPR). Technical and organisational measures include in particular physical access control, access to processing systems, control of access to Data and input of Data, Data transfer control, control of orders and assignments, availability and integrity control, guarantee of the principle of purpose/ segregation of data and securing the rights of the affected data subjects.
2. The technical and organisational measures on which this DPA is based are set out in Annex 1 "Technical and Organisational Measures (TOMs)". They may be further improved in the light of technical progress and replaced by adequate protective measures, provided that they do not fall below the safety level of the measures laid down and provided that the Controller is notified of any significant changes.
3. The Processor shall keep a record of all categories of processing activities carried out on behalf of the Customer according to Article 30 (2) GDPR.
4. The Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality (Art. 28 (3) S. 2 b. and 29, 32 (4) GDPR) and have been instructed in the data protection regulations of the GDPR or are subject to an appropriate statutory obligation of confidentiality.
5. The Data and data carriers and all copies made of them within the scope of the DPA shall remain the property of the Controller, shall be carefully stored by the Processor, protected from access by unauthorized third parties and may only be deleted with the consent of the Controller, and then only in accordance with data protection law. Copies of Data may only be made if they are necessary to fulfil the main and secondary contractual obligations of the Processor towards the Controller (e.g. backups).
6. If specified by the GDPR or supplementary regulations, in particular national regulations, the Processor shall appoint a data protection officer in accordance with legal requirements and inform the Controller accordingly (Art. 37 to 39 GDPR).
7. Data protection officer of the Processor:
   Dr. Thomas Schwenke, Paul-Lincke-Ufer 42/43, 10999 Berlin
   E-Mail:

4. Information Duties and Duties to Cooperate

1. The rights of the data subjects are to be fulfilled by the Controller, whereby the Processor supports the Controller according to Art. 28 (3) S. 2 e. GDPR and informs him in particular about the enquiries of the data subjects received by the Processor.
2. The Controller must inform the Processor immediately and completely if he detects errors or irregularities with regard to the processing of the Data or with regard to compliance with the provisions of this DPA or relevant data protection regulations.
3. In the event that the Processor ascertains facts which justify the assumption that the protection of the Data processed for the Controller has been breached, the Processor must immediately and completely inform the Controller, take the necessary protective measures without delay and assist in the fulfilment of the obligations incumbent on the Controller pursuant to Articles 33 and 34 GDPR.
4. Should the security of the Controller's Data be endangered by third-party actions (e.g. creditors, authorities, courts with seizure, confiscation, insolvency proceedings, etc.) the Processor will immediately inform the third parties that the sovereignty and ownership of the Data lies exclusively with the Controller and, after consultation with the Controller, will, if necessary, take appropriate protective measures (e.g. file objections, applications, etc.).
5. The Processor shall inform the Controller without delay if a supervisory authority takes action against the Processor and its activities may affect the Data processed for the Controller. The Processor supports the Controller in the performance of his duties (in particular the provision of information and toleration of inspections) towards supervisory authorities (Art. 31 GDPR).
6. The Processor shall provide the Controller with the information necessary for the fulfilment of legal obligations (which may include, in particular, inquiries from data subjects or authorities and compliance with his accountability duties pursuant to Art. 5 (2) GDPR, as well as the carrying out of a data protection impact assessment pursuant to Art. 35 GDPR) and shall provide the necessary information regarding the processing of Data within the scope of this DPA, if the Controller cannot acquire this information himself. The information must be accessible to the Processor and does not have to be obtained from third parties, whereby employees, agents and subprocessors of the Controller are not considered as third parties.

5. Audits and Inspections

1. The Controller has the right to audit the Processor's compliance with the legal requirements and the regulations of this DPA, in particular the technical and organisational measures, at any time to the required extent (Art. 28 (3) h. GDPR).
2. On-site inspections are carried out within normal business hours, must be announced by the Controller within a reasonable period (at least 14 days, except in emergencies) and have to be supported by the Processor (e.g. by the provision of the necessary personnel).
3. The inspections are limited to the necessary scope and must take into account the Processor's trade and business secrets as well as the protection of personal data of third parties (e.g. other Controllers or employees of the Processor). Only qualified inspectors are permitted to carry out the inspection who must be able to prove their identity with regard to their person and the mandate by submitting official proofs of identity and, if no such proof exists, proof of the assignment, and who are bound to confidentiality with regard to the trade and business secrets as well as processes of the Processor and personal data of third parties.
4. Instead of audits and on-site inspections, the Processor may refer the Controller to an equivalent inspection or audit by independent third parties (e.g. neutral data protection auditors), compliance with approved rules of conduct (Art. 40 GDPR) or suitable data protection or IT security certifications in accordance with Art. 42 GDPR. This applies in particular if business and trade secrets of the Processor or personal data or other confidential information of third parties would be at risk due to the audits or inspections.
5. The Processor shall ensure that the Controller can ascertain compliance with the obligations of the Processor in accordance with Art. 28 GDPR. The Controller shall provide the Controller with the necessary information upon request and, in particular, prove that the technical and organisational measures have been implemented. The proof of such measures, which do not concern only the specific assignment, can be provided by:
   • compliance with approved codes of conduct pursuant to Art. 40 GDPR;
   • certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR;
   • current certificates, reports or report extracts from independent bodies (e.g. auditors, auditors, data protection officers, IT security department, data protection auditors, quality auditors);
   • a suitable certification through an IT security or data protection audit (e.g. according to the guidelines and standards of the German Federal Office for Information Security).

6. Engagement of Subprocessors

1. If the Processor uses the services of a subprocessor in order to carry out specific processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA or other legal act between the Controller and the Processor shall be imposed on the subprocessor by way of a contract or other legal act under Union or Member State law, in particular providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this DPA and the applicable data protection law (in particular with regard to compliance with instructions off the Controller, compliance with technical and organisational measures, provision of information and the toleration of inspections). In particular, the processor shall ensure that the Controller's designated control rights can also be exercised directly and to the same extent by the Controller at the Processor's sub-processors. Furthermore, the Processor must carefully select the subprocessor, check its reliability and monitor its compliance with the requirements of this DPA and the data protection law (Art. 28 2 to 4 GDPR).
2. Without prejudice to any restrictions by the Principal Agreement, the Controller generally agrees that the Processor may engage subprocessors for the processing of the Data.
3. The subprocessing relationships already in existence at the time of the conclusion of this DPA are listed by the Processor in Annex 2 "Subprocessors" and are considered authorized by the Processor.
4. The Processor shall inform the Controller of any changes to the subprocessors that are relevant to the processing of the Data within a reasonable advance period, which as a rule shall be 14 days, via the contact channel provided by the Controller (generally via e-mail). In the event of an objection, the Processor may, at its own discretion, provide the service without the intended change or propose an alternative further subprocessor and coordinate this with the Controller. Insofar as the provision of the service without the intended change is not reasonable for the Controller - for example due to associated disproportionate expenses for the Processor - or the coordination of a further subprocessor fails, the Controller and the Processor may terminate this Agreement as well as the Principal Agreement with a notice period of one month to the end of the month. The termination shall be deemed to have taken place at the next possible ordinary time of termination with regard to the payment of the agreed fees if the objection was made without a legitimate interest.
5. Contractual relationships in which the Processor uses the services of third parties as a purely ancillary service in order to carry out his business activities (e.g. cleaning, security or transport services) do not constitute subprocessing within the meaning of the above provisions of this DPA. Nevertheless, the Processor must ensure, e.g. through contractual agreements or information and instructions, that the security of the Data is not endangered and that the requirements of this DPA and the data protection laws are complied with.

7. Processing in Third Countries

1. The processing of Data as contractually specified is carried out only in a Member State of the European Union or in another state party to the Agreement on the European Economic Area (EEA).
2. Processing in a third country, including by subprocessors, shall require the prior consent of the Controller and may only be carried out if the specific requirements of Article 44 et seq. of the GDPR are met, taking into account the most recent case law of the highest courts (in particular the judgment of the European Court of Justice of 16 July 2020 in Case C-311/18, "Schrems II"), unless the Processor is obliged to carry out processing in the third country by the law of the Union or the Member States to which the Processor is subject, in which case the Processor shall notify the Controller of these legal requirements before processing, unless the law prohibits such an information on important grounds of public interest (Article 28 (3) S. 2 a. GDPR).
3. The authorisation of the Controller for processing in the third country shall be considered to have been given in respect of the processes listed in Annex 2 "Subprocessors".

8. Duration of the Processing, Termination of Contract and Deletion of Data

1. This DPA becomes valid upon its conclusion, is concluded for an indefinite period and ends at the latest with the term of the main agreement.
2. The right to termination without notice for a compelling reason is available to the contracting Parties, in particular in the event of a serious breach of the provisions of this DPA and applicable data protection law. The extraordinary termination must in general be preceded by a warning of the infringements with a reasonable period of notice, whereby the warning is not necessary if it is unlikely that the objected infringements will be remedied or if they are so severe that it is unreasonable to expect the terminating contracting party to adhere to this DPA.
3. After completion of the processing services under this DPA, the Processor will either delete or return all personal data and copies thereof (as well as all documents obtained in connection with the contractual relationship, processing and processing results obtained and datasets), at the choice of the Controller, unless an obligation to store the personal data exists under Union law or the law of the Member States (Art. 28 (3) S. 2 g. GDPR). The right of retention is excluded with regard to the processed Data and the associated data carriers. With regard to the cancellation or return of the Data, the Controller's rights of information, documentation and inspection shall apply in accordance with this DPA.
4. In accordance with the main contract, the Processor shall be entitled to collect data which it has collected from generally accessible sources and which the Processor would have obtained even without authorisation/instruction from the Controller (e.g. data transmitted via an interface from Facebook which is accessible to everyone since this data is used by other customers of the Processor ) or not to delete data which is anonymised and thus not personalised (e.g. aggregated data). The Controller profiles are suspended after deactivation, subject to an explicit deletion request, and are only used for reactivation. In the case of test users, only the name and Facebook ID will be stored for multiple sign-in recognition, and the email address will be deleted.
5. In any case, the obligations arising from this DPA with regard to the Data processed in the assignment shall remain in force even after termination of the DPA.

9. Expense Allowance

1. Services provided by the Processor on the basis of this DPA, in particular the provision of the necessary information and the cooperation, deletion or return of the data as well as acceptance of and cooperation in the inspections or adequate alternative measures shall not be remunerated separately by the Controller. The services shall only be invoiced if they are not required by law or if they exceed an amount customary in the industry due to circumstances attributable to the Controller.
2. If a calculation of ancillary contractual services should be made, it shall include compensation for the working time of the personnel claimed by the Processor as well as necessary expenses (e.g. travel or material costs). The Processor shall inform the Controller of the amount of the remuneration in advance by means of an appropriate estimate, unless this is not possible or reasonable (e.g. in the case of any obligation to take immediate action in emergencies). The above-mentioned costs shall be charged at an hourly rate of EUR 120.00 net. The Processor retains the right to prove higher expenses and the Controller retains the right to prove lower expenses.

10. Liability

1. The Controller and the Processor are jointly liable for the damage caused by processing that does not comply with the DSPR in an external relationship with the respective affected party.
2. The Processor shall be exclusively liable for damage resulting from processing carried out by him or by a third party commissioned by him in which he
   • has not complied with the obligations resulting from the GDPR and imposed specifically on processors, or
   • acted in breach of the lawful instructions given by the Controller, or
   • acted contrary to the lawful instructions given by the Controller.
3. Insofar as the Controller is obliged to pay damages to the affected parties, the Controller reserves the right to take recourse to the Processor.
4. In the internal relationship between the Controller and the Processor, the Processor shall only be liable for any damage caused if it is
   • has not complied with its obligations specifically imposed on it by the GDPR, or
   • acted or acted contrary to the instructions lawfully given by the Controller.
5. Further liability claims according to the general laws remain unaffected.

11. Final Provisions, Amendments, Form of Communication, Choice of Law, Place of Jurisdiction

1. Amendments, additional agreements and addenda to this DPA and its annexes require a written agreement and an express note that this is an amendment or addition to this DPA. This also applies to the waiver of this formal requirement.
2. This DPA shall only oblige the Processor in so far as this is necessary to fulfil the statutory obligations, in particular in accordance with Art. 28 ff. GDPR and does not impose any further duties on the Processor.
3. Unless otherwise stipulated in this DPA and in the main agreement, communication between the Processor and the Controller within the framework of this DPA (in particular with regard to instructions and provision of information) shall at least be in text form (e.g. e-mail). A lesser form (e.g. oral) may be permissible under the circumstances instead of the text form (e.g. in an emergency situation) but must be confirmed immediately at least in text form. If the written form is required, the written form is understood in the meaning of the GDPR.
4. The law of the Federal Republic of Germany shall apply. The exclusive place of jurisdiction for all disputes arising from or in connection with this DPA shall be the Processor's registered office, provided that the Controller is a merchant, a legal entity under public law or a public law fund or the Controller has no place of jurisdiction in the Federal Republic of Germany. The Processor reserves the right to bring his claims to the legal place of jurisdiction.

................................................................................................................

Place, date, signature of Controller

Berlin, May 22, 2022

................................................................................................................

Place, date, signature of Processor

Data Processing Agreement

Annex 1 – Technical and Organisational Measures (TOMs)

The current list of technical and organisational measures is published at: https://www.fanpagekarma.com/privacy/toms.

Data Processing Agreement

Annex 2 – “Subprocessors”

The current list of subprocessing relationships is published at: https://www.fanpagekarma.com/privacy/subprocessors.

As of: April 2020