Data Processing Agreement
as of: 01.11.2019
With your registration to etracker.com or signalize.com you consent to the following data processing agreement (DPA), presented to you here by etracker for your acceptance:
Erste Brunnenstraße 1
This agreement sets out the contracting parties’ data protection obligations resulting from the activities undertaken by the Contractor for the Client in accordance with the General Data Protection Regulation (EU GDPR). It applies to all activities in which the Contractor or its agents process personally identifiable information for the Client.
From the effective date, this agreement replaces any previous agreements between the Client and the Contractor for order data processing in connection with the use of etracker services.
If the Client uses the etracker services in the name of or on behalf of a third party, it shall ensure and be responsible for its being fully entitled to act in the name of and on behalf of the third party and that pursuant to this contract, it shall commit the third party to compliance with all obligations of the Client under the processing relationship and especially compliance with all obligations of the Client under this contract. In this case, the Client further confirms that it possesses all rights, consent and approvals that may be required for the agreed-upon data processing. Prohibitions, restrictions and approval requirements in relation to the use of the Contractor’s services for third parties remain unaffected, as do the consequences of a related breach of contract.
1. Object and duration of the agreement
The object and duration of the data processing are specified in the contract on the use of etracker services by the customer (hereafter: main contract).
The Contractor processes personally identifiable information for the Client pursuant to Art. 4 (2) and Art. 28 EU GDPR on the basis of this contract.
The contractually agreed service is provided exclusively in a member state of the European Union or in a state party to the Agreement on the European Economic Area. Any transfer of the service or partial work to a third country requires the prior consent of the Client and may only take place if the special conditions of Art. 44 (ff.) EU GDPR are fulfilled (e.g. adequacy decision by the Commission, standard data protection clauses, approved rules of conduct).
In view of the contractual order processing, the Client may terminate the contract at any time without observing a period of notice if the contracting party has violated data protection regulations or the terms of this contract, if the Contractor cannot or does not intend to execute a contractual instruction of the Client, or if the Contractor refuses the Client’s inspection rights. In particular, non-compliance with the obligations agreed in this contract and derived from Art. 28 EU GDPR constitutes a serious infringement.
2. Nature and purpose of data processing, type of personally identifiable information, and categories of data subjects
With the help of the utilised etracker services, data, properties and activities of users with regard to the use of websites, applications or other media products and services offered by the Client are recorded, processed or stored in accordance with the main contract.
Types of personally identifiable information (according to the definition in Art. 4 (1), (13), (14) and (15) EU GDPR):
- Pseudonymous User ID: a randomly generated value (example: 108bf9a85547edb1108bf9a85547edb1) stored in a tracking cookie ID
- Pseudonymous digital fingerprints
- Pseudonymized mobile device codes
- Pseudonymous Cross-Device Identifiers, provided they are handed over across multiple devices for anonymous visitor reunification
- E-mail addresses as part of overlay newsletter opt-in dialogs, if the function is used in the etracker Optimiser
Categories of data subjects (according to the definition of Art. 4 (1) EU GDPR):
- Users of the Clients’ products and services for which the etracker services are utilised
3. The Client’s rights, obligations and powers to give instructions
The Client alone is responsible (“responsible person” pursuant to EU GDPR Art. 4 (7)) for assessing the admissibility of the data processing in accordance with Art. 6 (1) EU GDPR as well as for the protection of data subjects’ rights pursuant to Art. 12 to 22 EU GDPR.
The Client is obliged to transmit to etracker or record only such data that are lawfully collected in accordance with Art. 6 (1) EU GDPR and further processed appropriately. The Client is also obliged to preserve the rights of the persons concerned and to meet in particular duties to inform and to allow the persons concerned to exercise their rights of objection.
Changes of the subject of the data processing must be jointly agreed between Client and Contractor and documented in writing or in an electronic format.
The Client usually issues all orders, partial orders and instructions in writing or in a documented electronic format. Oral instructions must be confirmed by the Client immediately in writing or in a documented electronic format.
The Client is entitled, at its own expense as described under Point 5 of this contract, to seek assurances prior to the commencement of data processing and subsequently on a regular basis of the Contractor’s compliance with the technical and organisational measures and the obligations laid down in this contract.
The Client shall inform the Contractor immediately if it finds errors or irregularities when performing audits of order outcomes.
The Client is obliged to treat confidentially all knowledge acquired within the framework of the contractual relationship of the Contractor’s business secrets and data security measures. This applies in particular to the representation of the security measures in Annex 1. This obligation remains even after the end of this contract.
4. The Client’s authorised persons, the Contractor’s instruction recipients
The Client shall specify a person authorised to issue instructions. The person authorised by the Client to issue instructions shall be specified in the etracker user account as the main user. The person authorised to issue instructions is entitled to exercise the Client’s rights under this contract to issue instructions. These instructions are attributable to the Client.
The Contractor’s instruction recipients are:
Given name, family name: Elke Hollensteiner
Position: Data Protection Coordinator
Phone: +49 40 55 56 59 52
Given name, family name: Olaf Brandt
Position: Managing Director
Phone: +49 40 55 56 59 50
Communication channels to be used for instructions:
Erste Brunnenstraße 1
In the event of a change or a longer-term absence or inability of the counterpart to carry out their duties, the contracting partner shall be informed immediately, in writing or electronically, about their successors or deputies. The current contact details for the Contractor’s data protection officer are readily available on the Contractor’s website (www.etracker.com/en/). The instructions are to be kept for their period of validity and subsequently for three full calendar years.
5. The Contractor’s obligations
The Contractor shall process personally identifiable information exclusively within the framework of the agreements met and pursuant to instructions given by the Client, unless it is obliged to any other data processing by the law of the Union or of the Member States to which the data processor is subject (e.g. investigations by law enforcement or state protection authorities); in such a case, the order processor shall before processing inform the party responsible of these legal requirements, unless the law in question prohibits such communication because of substantial public interest (Art. 28 (3), clause 2, lit. a EU GDPR).
Copies or duplicates of the personally identifiable information thus processed shall not be created by the Contractor without the knowledge of the Client. This does not include backup copies, to the extent necessary to ensure proper data processing, or data required to comply with statutory retention requirements.
The Contractor assures the contractual processing of all agreed measures for order-based processing of personally identifiable information. It warrants that the data processed for the Client shall be strictly separated from other databases both technologically and organisationally.
In the compliance with the rights of data subjects under Art. 12 to 22 EU GDPR by the Client, in the preparation of directories of processing activities, and for required data protection impact assessments by the Client, the Contractor must cooperate to the extent necessary and the Client must provide support as far as reasonably possible (Art. 28 (3), clause 2, lit. e and f EU GDPR). It shall forward the information required to that end to a European Union-based body designated by the Client.
The Contractor shall inform the Client without delay if, in its opinion, an instruction issued by the Client violates statutory provisions (Art. 28 (3), clause 3 EU GDPR). The Contractor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Client’s officer subsequent to audit. The Client is responsible for the legal admissibility of it instructions. The Contractor is not subject to an obligation to perform audits.
The Contractor shall correct, delete or limit the processing of personally identifiable information resulting from the contractual relationship if the Client so requests by means of a directive and the legitimate interests of the Contractor do not conflict with this. Should such an instruction lead to additional expenses beyond the service contract, the Client bears the costs.
The Contractor may only disclose personally identifiable information relating to the contract to third parties or to the data subjects subject to prior instruction or approval by the Client.
The Contractor agrees that the Client is entitled to audit in the appropriate and necessary scope compliance with the regulations on data protection and data security and with the contractual agreements, in particular by obtaining information and inspecting the stored data and the computer programs and by performing audits and on-site inspections (Art. 28 (3), clause 2, lit. h EU GDPR). The audit rights are exercised by appointment and with a lead time of at least ten working days. The efforts for an inspection are generally limited to one day per calendar year for the Contractor.
The Client is obliged to keep confidential the information of the Contractor, in particular details of the technical and organisational measures that it has come to know in the context of or on occasion of such an audit and not to disclose said information to third parties or to make it accessible to third parties if this does not occur as part of the contractual service relationship between the Client and the Contractor.
The Client shall have the right to have an inspection carried out by an auditor it nominates in writing on a one-off basis at least ten days before the inspection, if the Contractor agrees to such an external audit. The Contractor shall not unreasonably refuse its consent. In particular, the Contractor is entitled to refuse the auditor if the auditor is in a competitive relationship with the Contractor. External auditors are obliged to conclude a written confidentiality agreement with the Contractor and to only then carry out the audit. The Client’s authorisation to conduct audit remains unaffected.
The Contractor shall ensure that, where necessary, it assists in these audits. For this purpose, the following is agreed until further notice:
The processing of data in private homes (telework or home work by the Contractor’s employees) is permitted only with the consent of the Client. As far as the data are processed in a private dwelling, access to the employee’s home must be contractually secured for the employer’s audit purposes. Measures according to Art. 32 EU GDPR are to be ensured also in this case.
The Contractor confirms that it is familiar with the data protection regulations of EU GDPR relevant for order processing. It undertakes to observe other secrecy protection rules relevant to this order and as are also the responsibility of the Client (e.g. bank secrecy, telecommunications secrecy, social secrecy, professional secrets according to Art. 203 of the German Criminal Code, etc.), if and to the extent that this is agreed at the time of or subsequent to conclusion of the contract. The Client shall inform itself about the special secrecy rules to which it is subject and is responsible for their inclusion in the contractual obligations.
The Contractor undertakes to maintain confidentiality in the orderly processing of the Client’s personally identifiable information. This shall continue after the end of the contract.
Prior to commencement of the activities, the Contractor warrants that it shall familiarise the employees entrusted with the work with the data protection provisions relevant to them. It shall also bind them to secrecy in an appropriate manner for the duration of their activity, as well as after the end of the employment relationship (Art. 28 (3), clause 2, lit. b and Art. 29 EU GDPR). The Contractor monitors compliance with the data protection regulations within its company.
The Contractor’s designated data protection officer upon conclusion of the contract is RA Thomas Brehm: firstname.lastname@example.org or etracker GmbH, Erste Brunnenstraße 1, 20459 Hamburg, Germany with the addition “Data Protection Officer”.
The current contact details for the Contractor’s data protection officer are readily available on the Contractor’s website (www.etracker.com/en/).
6. The Contractor’s notification obligations in case of processing disruptions and violation to the protection of personally identifiable information
The Contractor shall immediately notify the Client of any disruptions or violations committed by the Contractor or persons it employs or against data protection provisions or the stipulations made in the order, as well as of any suspicion of data breaches or irregularities in the processing of personally identifiable information. This applies in particular with regard to any reporting and notification obligations to which the Client is subject pursuant to Art. 33 and 34 EU GDPR. The Contractor undertakes to provide the Client with appropriate support in its duties pursuant to Art. 33 and 34 EU GDPR (Art. 28 (3) , clause 2, lit. f EU GDPR). Notifications according to Art. 33 or 34 EU GDPR for the Client may only be carried out by the Contractor subject to prior instructions pursuant to Point 4 of this contract.
7. Data subjects’ rights
The rights of persons affected by the data processing must be asserted against the Client. If a data subject contacts the Contractor directly for information, rectification, deletion or blocking of the data concerning them, the Contractor shall forward this request to the Client in a timely manner.
In the event that a data subject asserts their data protection rights, the Contractor shall support the Client with appropriate technical and organisational measures in the fulfilment of these claims to the extent reasonable and necessary for the Client, insofar as the Client cannot respond to these claims without cooperation of the Contractor.
The Contractor shall enable the Client to correct, delete or block the personally identifiable information processed in the order or, at the request of the Client, to rectify, erase or block the request itself, if and to the extent that this is impossible for the Client.
Costs incurred by the Contractor in compliance the obligations under this Section 7, which go beyond the scope of services agreed upon in accordance with the main contract, shall be paid by the Client appropriately and in accordance with the Contractor’s usual remuneration rates.
8. Subcontracting with subcontractors (Art. 28 (3), clause 2, lit. d EU GDPR)
The Contractor is only permitted to commission subcontractors with the processing of Client data subject to the Client’s consent, Art. 28 (2) EU GDPR, which must take place by means of one of the above named communication channels (Point 4), with the exception of verbal permission. Approval can only be granted if the Contractor informs the Client of the name, address and intended activity of the subcontractor. In addition, the Contractor must ensure that it selects the subcontractor carefully with due regard to the suitability of the technical and organisational measures taken by the subcontractor pursuant to Art. 32 EU GDPR. The relevant test documents are to be made available to the Client on request.
Commissioning of subcontractors in a third country may only take place if the special requirements under Art. 44 (ff) EU GDPR are fulfilled (e.g. adequacy decision by the Commission, standard data protection clauses, approved rules of conduct).
The Contractor must ensure by contract that the regulations agreed between Client and Contractor also apply to subcontractors. In the contract with the subcontractor, the details must be specified in such a way that the responsibilities of the Contractor and the subcontractor are clearly distinguished from each other. If several subcontractors are employed, this also applies to the responsibilities between these subcontractors. In particular, the Client must be entitled, if necessary, to carry out appropriate checks and inspections (including on site) at subcontractors or have them carried out by third parties instructed by it.
The contract with the subcontractor must be in writing. This can also be done in an electronic format (Art. 28 (4) and (9) EU GDPR).
The transfer of data to the subcontractor is only permitted if the subcontractor has fulfilled its obligations under Art. 29 and Art. 32 (4) EU GDPR with regard to its employees.
The Contractor must verify compliance with the obligations on the part of the subcontractor(s). The results of the verifications shall be documented and made available to the Client on request.
The Contractor shall be liable to the Client for ensuring that the subcontractor complies with the data protection obligations contractually imposed by the Contractor in accordance with this section of the contract.
Third-party services which the Contractor makes use of as an ancillary service to assist in the execution of the order are not to be understood as subcontracting within the meaning of this agreement. This includes, for example, telecommunications services, cleaning staff, auditors and the disposal of data media – if they do not contain personally identifiable information.
The processor shall inform the person responsible of any intended change in relation to the addition or replacement of existing subcontractors, thereby giving the Client the opportunity to object to such changes (Art. 28 (2), clause 2 EU GDPR).
9. Technical and organisational measures pursuant to Art. 32 EG GPDR (Art. 28 (3), clause 2, lit. c EU GDPR)
Prior to commencing the order processing, the Contractor shall document the implementation of the necessary technical and organisational measures set out prior to the award of contract, in particular with regard to the concrete implementation of the order, and pass this to the Client for inspection upon request.
The Contractor must ensure security pursuant to Art. 28 (3), lit. c, 32 EU GDPR, especially in connection with Art. 5 (1), (2) EU GDPR. Overall, the actions to be taken are data security measures to ensure a level of protection appropriate to the level of risk with regard to the confidentiality, integrity, availability and resilience of the systems. In this context, the state of technology, the implementation costs and the nature, scope and purpose of the processing as well as the varying probability and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32 (1) EU GDPR must be taken into consideration. Details of the measures taken can be found in Annex 1.
The technical and organisational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In so doing, the security level of the measures set out may not be breached. Significant changes must be documented.
10. Post-contractual obligations of the Contractor pursuant to Art. 28 (3), clause 2, lit. g EU GDPR
Upon completion of the order processing (or sooner at the request of the Client), the Contractor must immediately delete the personally identifiable information it has processed on behalf of the Client. The cancellation is to be confirmed to the Client upon request. Impossibility or restriction of the service due to a deletion requested by the Client prior to the end of the contract does not affect the claims and rights of the Contractor arising from the order relationship.
For the processing activities carried out under this contract, the Contractor shall receive remuneration in accordance with the main contract. subject to the following provisions, no separate remuneration is due for compliance with the obligations arising from this agreement. However, the Contractor is entitled to demand reasonable compensation in accordance its usual rates for expenses arising from the implementation of instructions or other measures requested by the Client, insofar as such measures go beyond the scope of services agreed in the main contract or contain activities deviating from those in the main contract. Any additional efforts shall be notified to the Client in advance, subject to the deadlines set by the Client.
Attention is drawn to Art. 82 EU GDPR. Liability limitations and exclusions of the main contract shall apply in the relationship between the parties in accordance with the contractual agreements.
The Client is obliged to reimburse the Contractor for damages and expenses incurred as a result of violations of data protection law for which the Client is responsible, in particular non-compliance with data protection requirements by the Client or the contractual implementation of the Client’s instructions.
This agreement ends automatically with the end of the contractual relationship between the parties resulting from the main contract, without the need for termination. An isolated orderly termination of this agreement by the Contractor is excluded.
The Client and the Contractor have the right to demand the amendment of this agreement to the applicable legal provisions, provided that their further development or application justifies such a requirement. The right of termination for important reasons remains unaffected.
Ancillary agreements must be in written form or a documented electronic format. This agreement as to the format cannot be waived orally.
This agreement does not affect the existence of the other agreements concluded by the parties. However, the provisions of this agreement shall take precedence over any conflicting provisions and requirements of all other agreements concluded by the parties.
Should individual parts of this agreement become ineffective, this shall not affect the validity of the remainder of the agreement.
This agreement becomes effective upon confirmation by the Client and is binding for both parties.
Annex 1 – Technical and organisational measures
A comprehensive data backup concept was implemented at the contractor’s (etracker GmbH) that takes the required precautions from a structural, personnel-related, organisational and technical standpoint to ensure the security of buildings and databases, to guarantee secure operation with regard to data protection and data security, and to protect the rights of affected individuals in an optimal manner.
The computer centre of etracker GmbH is run on behalf of etracker by IPHH Internet Port Hamburg GmbH, a company based at Wendenstrasse 408, Hamburg, Germany 20537. IPHH provides access to the Internet and to etracker servers that are physically stored in racks (server racks). The racks are kept on the premises of IPHH and are rented by etracker. The server hardware is procured, configured, installed in racks, maintained and disposed of solely by etracker. As a result, housing is the only service from IPHH that etracker uses.
The etracker services and their configurations conform with data protection objectives and the relevant provisions and guidelines of statutory regulations:
- The contractor shortens the IP addresses provided as part of the services to make personal identification as difficult as possible.
- To ensure that processing is as anonymous as possible, the client is obligated not to allow any additional personal data to be transferred to etracker when etracker solutions are used.
The following technical and organisational measures are taken by etracker to protect personal data processed within the scope of etracker services:
1. Pseudonymisation (Art. 32 (1)(a) EU GDPR; Art. 25 (1) EU GDPR)
The processing of personal data in such a way that the personal data can no longer be associated with the specific person to which it relates without additional information, provided this additional information is specially protected and subject to technical and organisational measures.
2. Confidentiality (Art. 32.1(b) EU GDPR)
Physical entry control
Measures that prevent unauthorised persons from accessing data processing systems that are used to process personal data:
- Guidelines and regulations for access control.
- Secured areas are clearly defined and few access channels are available.
- Access to sensitive areas is secured by an electronic access control system with multifactor authentication and logging.
- Measures for securing buildings are suitably designed; entry doors, window screens, etc. are burglar-resistant for example.
- All areas are secured with a burglar alarm (VdS approved) and are redundantly connected to a permanently manned location; alarm notifications are also sent to IPHH security.
- All critical areas are monitored using vandalism-resistant video cameras.
- Individuals are only provided with access to areas that they have to enter to do their jobs.
- Guidelines regulating the chaperoning and identification of guests throughout the building.
- Access to the office’s internal server room is secured by a PIN.
- A keycard, a PIN and a biometric feature (fingerprint) are required to access the computer centre; access points may only be managed by employees who are part of the on-call service.
- The system racks located in the server room are locked individually using locking cylinders.
- Secured entry for deliveries and supplies (monitoring of entry to the access points).
Digital entry control
Measures that prevent unauthorised persons from using data processing systems and procedures:
- Regulation of user authorisations (administration, including assignment of rights, assignment of special rights, withdrawal of authorisations, periodic reviews).
- Password guidelines (secure passwords, periodic changes, periodic reviews).
- Differentiated access regulations.
- Assignment of identification keys (SSH keys).
- Use of encryption routines.
- Use of encryption routines for mobile data carriers (for example, laptops, mobile telephones).
- Authentication of users with remote access (cryptographic techniques, VPN solutions).
- Commitment to data confidentiality in accordance with Art. 28.3(b) EU GDPR.
- Controlled destruction of data carriers.
- Two-factor authentication (VPN)
Measures ensuring that individuals authorised to use data processing procedures can only access personal data in accordance with their access authorisations, and that personal data cannot be read, copied, modified or deleted by unauthorised persons when being processed or used or after being stored.
- Regulation of access authorisations in the etracker back office (differentiated authorisations via profiles, roles).
- The front end can only be accessed at the client’s premises with authentication (user name/password).
- Suitable functions provided for authentication.
- Recording and evaluation of logs (successful and unsuccessful authentication attempts in the application).
- Guidelines for pseudonymisation of personal data.
Measures ensuring that data collected for different purposes can be processed separately:
- Data collected for different purposes is stored separately in the data processing system.
- Data is processed on dedicated systems belonging to etracker GmbH.
3. Integrity (Art. 32 (1) (b) EU GDPR)
Measures ensuring that personal data cannot be read, copied, modified or deleted by unauthorised persons when it is transported, transferred electronically or stored on data carriers.
- All data remains within the data processing system and is not transferred to third parties.
- Data transfer between the etracker and the computer centre takes place solely via encrypted channels.
- The client’s front-end websites are made available via an encrypted connection.
Measures ensuring it is possible to subsequently check and determine whether and by whom personal data was entered, modified or deleted in data processing systems.
- User-defined assignment of rights.
- Logging of entries (in etracker back office).
- Logging of data usage (in etracker back office).
- Commitment on the part of all employees involved in data processing to maintain confidentiality and to process data as directed (data confidentiality).
4. Availability and capacity (Art. 32 (1)(b) EU GDPR)
Measures ensuring that personal data is protected against accidental destruction or loss:
- Regulated process for safeguarding the business operations.
- Comprehensive monitoring of all services.
- Emergency plans.
- Regular backups in accordance with a backup plan.
- Protection of the systems against database malfunctions, service-level agreements with IT service providers.
- Mirroring of data.
- Virus protection/firewall.
- Redundant hardware.
- Uninterruptible power supply (UPS)
Rapid recoverability (Art. 32 (1) (c) EU GDPR);
- Recovery/back-up systems
5. Procedures for periodic inspections, assessments and evaluations (Art. 32 (1) (d) EU GDPR; Art. 25 (1) EU GDPR)
- Data protection management.
- Incident response management.
- Default settings that enhance privacy (Art. 25 (2) EU GDPR)
- Order control: No processing of order data as defined in Art. 28 EU GDPR unless authorised by the client.
- Clearly worded contracts.
- Formalised order management.
- Rigorous selection of service provider.
- Impartiality obligation.
- Follow-up inspections.