Fair Analytics data processing agreement (DPA)
1 Introduction, Scope, Definitions
(1) This Agreement governs the rights and obligations of the Client and the Contractor (hereinafter referred to as the "Parties") in the context of processing personal data on behalf of the Client.
(2) This agreement shall apply to all activities in which employees of the Contractor or subcontractors engaged by the Contractor (subcontractors) process personal data of the Client on behalf of the Client.
(3) Terms used in this Agreement shall be understood in accordance with their definition in the EU General Data Protection Regulation. In this sense, the client is the "responsible party", the contractor is the "data processor". Insofar as declarations in the following are to be made "in writing", the written form pursuant to Section 126 BGB is meant. Otherwise, declarations may also be made in another form, provided that appropriate verifiability is ensured.
2 Subject matter and duration of processing
2.1 Subject matter
The Contractor shall undertake the following processing activities:
- Provision and maintenance of the tracking tool "Fair Analytics", with the help of which the use of the Client's website is analyzed.
During the performance of the assignment, the Contractor may come into contact with personal data for which the Client is responsible.
This agreement regulates the data protection aspects of the business relationship between the parties. In all other respects, the main contract, if any, or the general terms and conditions of the contractor shall apply.
Processing shall commence on the date of signing of this Agreement and shall continue for an indefinite period until termination of this Agreement or the business relationship by either party.
2.3 Nature, purpose and data subjects of processing
The processing is of the following nature: collection, organization, modification, interrogation, use, analysis.
2.4 Purpose of the processing
The processing serves the following purpose:
- The purpose of the assignment is to provide the Fair Analytics tracking tool, with the help of which the Client can analyze the use of its website, and the maintenance of data processing equipment necessary for this purpose, whereby access to personal data cannot be excluded.
2.5 Type of data
The following data are processed:
- IP address,
- Data about the terminal device and browser (e.g. device type, operating system, screen resolution of the terminal device, etc.),
- time zone,
- Web page accessed,
- Data on user behavior (e.g. length of stay on the website, scroll position, clicks),
2.6 Categories of data subjects
Data subjects of the processing are:
- Website visitors of the client.
3. Obligations of the contractor
(1) The Contractor shall process personal data exclusively as contractually agreed or as instructed by the Client, unless the Contractor is legally obligated to perform a specific processing. If such obligations exist for him, the Contractor shall notify the Client thereof prior to the processing, unless the notification is prohibited by law. Furthermore, the Contractor shall not use the data provided for processing for any other purposes, in particular not for its own purposes.
(2) The Contractor confirms that it is aware of the relevant general data protection regulations. It shall observe the principles of proper data processing.
(3) The Contractor undertakes to strictly maintain confidentiality during processing.
(4) Persons who may obtain knowledge of the data processed in the order shall undertake in writing to maintain confidentiality, unless they are already subject to a relevant confidentiality obligation by law.
(5) The Contractor warrants that the persons employed by it for processing have been familiarized with the relevant provisions of data protection and this Agreement prior to the start of processing. Corresponding training and awareness-raising measures shall be repeated on an appropriate regular basis. The Contractor shall ensure that persons deployed for data processing are appropriately instructed and monitored on an ongoing basis with regard to compliance with data protection requirements.
(6) In connection with the commissioned processing, the Contractor shall support the Client to the extent necessary in fulfilling its obligations under data protection law, in particular in creating and updating the list of processing activities, in conducting the data protection impact assessment and any necessary consultation with the supervisor authority. The required information and documentation shall be kept available and forwarded to the Client without delay upon request.
(7) If the Client is subject to an inspection by supervisor authorities or other bodies or if data subjects assert rights against the Client, the Contractor undertakes to support the Client to the extent necessary, insofar as the Processing under the contract is affected.
(8) The Contractor may only provide information to third parties or the data subject with the prior consent of the Client. The Contractor shall immediately forward any inquiries addressed directly to it to the Client.
(9) The commissioned processing currently takes place exclusively within the EU or the EEA. Any relocation to a third country may only take place with the consent of the Client and under the conditions contained in Chapter V of the General Data Protection Regulation and in compliance with the provisions of this Agreement.
4 Technical and organizational measures
(1) The data security measures described in Annex 1 are determined to be binding.
(2) The data security measures may be adapted in accordance with further technical and organizational development as long as the level agreed herein is not undercut.
(3) The Contractor shall ensure that the data processed in the order are strictly separated from other data files.
(4) Copies or duplicates shall not be made without the knowledge of the Client. Technically necessary, temporary duplications are excepted, insofar as an impairment of the level of data protection agreed here is excluded.
(5) Subject to compliance with the following regulations, the Contractor shall be permitted to allow employees who are commissioned to process personal data for the Client to process personal data in private residences. The Contractor shall ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed in the private residences of the Contractor's employees. The Contractor shall contractually ensure access to private residences for monitoring purposes insofar as there is an urgent reason for such monitoring to be substantiated by the Client. In particular, such a reason shall not be deemed to exist if the Contractor verifiably proves compliance with the agreed regulations.
(6) The Contractor shall ensure a procedure for the regular review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the Processing pursuant to Art. 32 (1) lit. d GDPR.
5. Regulations on the correction, deletion and blocking of data
(1) The Contractor shall only correct, delete or block data processed within the scope of the order in accordance with the contractual agreement reached or in accordance with the Client's instructions.
(2) The Contractor shall comply with the Client's instructions to this effect at any time and also beyond the termination of this Agreement.
6. Subcontracting relationships
(1) The Client agrees that the Contractor may engage subcontractors. The Contractor shall inform the Client before calling in or replacing the subcontractor. The Client shall have the right to object to the use of the subcontractor in writing to the Contractor for good cause within two weeks of becoming aware of the information about the subcontractor. If no objection is raised within the aforementioned period, this shall be deemed to be the Client's consent to the use of this subcontractor.
(2) The Contractor shall be entitled to terminate the Agreement for cause if the Client objects to the assignment of a subcontractor pursuant to Chapter 6 (1) of this Agreement and no agreement can be reached.
(3) Subcontractors shall be contractually bound to at least those data protection obligations which are comparable to those agreed in this Agreement. The Client shall be given access to the relevant agreements between the Contractor and the subcontractor upon request.
(4) The rights of the Client must also be able to be effectively exercised against the subcontractor. In particular, the client must be entitled to carry out inspections also at subcontractors or to have them carried out by third parties at any time to the extent stipulated herein.
(5) The responsibilities of the contractor and the subcontractor shall be clearly demarcated.
(6) The Contractor shall carefully select the subcontractor, paying particular attention to the suitability of the technical and organizational measures taken by the subcontractor.
(7) The commissioning of subcontractors who perform processing operations on behalf of the Contractor not exclusively from the territory of the EU or the EEA shall only be possible if the conditions set out in Chapter 3 (9) of this Agreement are observed. In particular, it is only permissible to the extent and as long as the subcontractor provides adequate data protection guarantees. The Contractor shall inform the Client which specific data protection guarantees the subcontractor offers and how proof thereof can be obtained.
(8) At present, the subcontractors designated in Annex 2 with name, address and order content are engaged in the processing of personal data to the extent specified therein and approved by the Client. The other obligations of the Contractor towards subcontractors set forth herein shall remain unaffected.
(9) Subcontracting relationships within the meaning of this Agreement are only those services that are directly related to the provision of the main service. Ancillary services such as transport, maintenance and cleaning as well as the use of telecommunication services or user services are not covered. The Contractor's obligation to ensure compliance with data protection and data security in these cases shall remain unaffected.
7. Rights and obligations of the client
(1) The client alone shall be responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.
(2) The client shall issue all orders, partial orders or instructions in documented form. In urgent cases, instructions may be issued verbally. The client shall immediately confirm such instructions in a documented manner.
(3) The Client shall inform the Contractor without delay if it discovers errors or irregularities in the examination of the order results.
(4) The Client shall be entitled to monitor compliance with the regulations on data protection and the contractual agreements at the Contractor to a reasonable extent itself or through third parties, in particular by obtaining information and inspecting the stored data and the data processing programs as well as other on-site checks. The persons entrusted with the control shall be given access and insight by the Contractor as far as necessary. The Contractor shall be obliged to provide the necessary information, demonstrate processes and provide evidence required to carry out a control. The Contractor shall be entitled to refuse inspections by third parties if they are in a competitive relationship with the Contractor or if there are similar weighty reasons.
(5) Inspections of the Contractor shall be carried out without any avoidable disturbance of its business operations. Unless otherwise indicated for urgent reasons to be substantiated by the Client, inspections shall take place after reasonable advance notice and during the Contractor's business hours, and not more frequently than every 12 months.
8. Notification obligations
(1) The Contractor shall notify the Client without undue delay of any violations of the protection of personal data processed on behalf of the Client. Reasonable suspicions shall also be notified. The notification shall contain at least the information pursuant to Article 33 (3) of the General Data Protection Regulation.
(2) The Contractor shall inform the Client without undue delay of controls or measures by supervisor authorities or other third parties, insofar as these relate to the Data Processing.
(3) The Contractor warrants to support the Client in its obligations pursuant to Art. 33 and 34 of the General Data Protection Regulation to the extent necessary.
(1) The Client reserves a comprehensive right to issue instructions with regard to the processing on behalf of the Client.
(2) The Contractor shall notify the Client without delay if, in its opinion, an instruction issued by the Client violates statutory provisions. The Contractor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or changed by the responsible person at the Client.
(3) The Contractor shall document instructions issued to it and their implementation.
10 Termination of the Order
(1) Upon termination of the contractual relationship or at any time upon request of the Client, the Contractor shall, at the Client's option, either destroy the data processed in the order or hand it over to the Client and then destroy it. However, the Client shall be primarily responsible for the destruction of data upon termination of the order and may delete the data processed under the order from its user account.
(2) The Contractor shall be obligated to cause the immediate return or deletion also of subcontractors.
(3) The Contractor shall provide proof of proper destruction and submit it to the Client without delay.
(4) Documentation which serves as proof of proper data processing shall be retained by the Contractor in accordance with the respective retention periods even beyond the end of the contract. The Contractor may hand them over to the Client at the end of the contract for the purpose of discharging the Contractor.
The remuneration of the Contractor is conclusively regulated in the main contract, if any, or in the General Terms and Conditions of the Contractor. There shall be no separate remuneration or reimbursement of costs within the scope of this agreement.
(1) The Client and the Contractor shall be jointly and severally liable for compensation of damage suffered by a person due to unauthorized or incorrect data processing within the scope of the contractual relationship.
(2) Insofar as the damage was caused by the correct implementation of the commissioned service or an instruction issued by the Client, the Client shall indemnify the Contractor upon first request against all claims of third parties raised against the Contractor in connection with the commissioned processing.
(3) The Contractor shall only be liable to the Client in the event of gross negligence or intent.
(4) Both parties are obliged to keep confidential all knowledge of business secrets and data security measures of the other party obtained within the scope of the agreement, even after the termination of the agreement. If there is any doubt as to whether information is subject to the obligation of confidentiality, it shall be treated as confidential until it has been released in writing by the other party.
(5) If property of the Client with the Contractor is endangered by measures of third parties (such as seizure or attachment), by insolvency or composition proceedings or by other events, the Contractor shall notify the Client without delay.
(6) Ancillary agreements must be made in writing or in a documented electronic format and must expressly refer to this agreement.
(7) The defense of the right of retention within the meaning of Section 273 of the German Civil Code (BGB) shall be excluded with respect to the data processed in the order and the associated data carriers.
(8) Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.
Appendix 1 - Technical and organizational measures
The following sets out the technical and organizational measures to ensure data protection and data security which the Contractor must at least set up and maintain on an ongoing basis. The aim is to guarantee in particular the confidentiality, integrity and availability of the information processed under the contract.
Kolb & Neuhauser GbR
Untere Laube 45
- hereinafter referred to as the data processor -
Hetzner Online GmbH
- hereinafter referred to as sub-processors -
The Fair Analytics service is a tracking service that fully protects the privacy of the user to be recorded. It is not possible to precisely assign the collected data after it has been stored (prior alienation/pseudonymization of the data). All analyses carried out by the data processor are therefore not person-related but session-related. This means that it is not possible to trace the different data back to a person according to the current state of the art.
The hard drives of the data processor's work computers used are encrypted.
Connections to the server/data transfer
Connections to the servers used are made via VPN and are only possible by means of a user name in combination with an SSH key (public/private) and password combination (see also Access control " Access to servers "). Data is always exchanged via a secure https connection.
All data to be processed is hosted by the subcontracted processor within the Falkenstein (Germany) data center on dedicated servers and processed by the data processor. Physical security measures (e.g. access controls) are covered by the sub-processor (see TOM/AV agreement between data processor and sub-processor). These include, for example, an electronic access control system with logging, a high-security fence around the entire data center park, documented key allocation to employees, video surveillance at entrances and exits, security gates and server rooms.There is no dedicated access control in the data processor's residential units. The usual access control measures are nevertheless applied; in particular, attention is paid to the closing of the front door and windows. Due to the nature of the processing and the general location of the data - at the sub-processor - as well as the fact that the data can only be accessed from sufficiently secured work computers, no further security measures are provided for in the residential units.
Access to the servers
Access to the servers is by user name in combination with SSH key (public/private) and password combination. All authorized access persons (namely: Michael Neuhauser and Martin Kolb) of the data processor have a personalized public/private SSH key + password. The password consists of at least 16 characters and includes upper/lower case letters, numbers and special characters. All login operations are automatically logged by the server.
Access to the databases
Access to the databases is granted by a user name and a 72-character password.
Access to the workstations
The access to the workstations is done with a password consisting of at least 16 characters (upper/lower case letters, numbers and special characters). The screen is automatically locked with a password after 5 minutes of inactivity. There is also a view protection filter for the respective screen workstation by means of an attached film.
Password policy with minimum requirements for password complexity
Each password used consists of at least 16 characters. Each password consists of upper/lower case letters, numbers and special characters. For the central administration of all passwords, a password manager is used, which stores the passwords in encrypted form. Thus, the majority of passwords within the infrastructure of the data processor are even longer than 16 characters.
All persons working for the data processor (namely: Michael Neuhauser and Martin Kolb) are obliged to maintain confidentiality and to handle personal data in accordance with data protection regulations. This obligation naturally also applies to the sub-processor - insofar as the sub-processor comes into contact with corresponding data at all.
Virus scanners are installed on the data processor's work computers and a firewall is activated. There is also a server-side SPAM filter for the e-mail server. Firewalls that filter incoming IPv4 packets are also active on the servers used by the data processor.
The development, test and production environments are physically and logically separated from each other. Logical separation of customer data also occurs. No production data is used within the development and/or test environment at any time.
Changes/updates to the code are logged using a versioning system.
Availability and resilience
By means of the subcontracted processor, an uninterruptible power supply and a backup power system are provided. In addition, air conditioning (e.g., an energy-efficient direct free cooling redundancy N+2, an underfloor air conditioning system and temperature monitoring of the room air and in server/distribution cabinets) and fire protection measures (e.g., modern early fire detection system: area-wide, automatic fire alarm system based on a smoke aspiration system, separation of the various fire protection areas by fire doors and connection of the fire alarm system to the rescue control center including fault monitoring) are provided. Likewise, permanent active DDoS protection is active for the entire infrastructure and thus also for the servers of the data processor.The systems used or the data stored there are completely saved at least once a day on a physically separate additional storage medium (storage box) within the infrastructure of the subcontracted processor by the data processor.All backups are kept for at least 3 days retrospectively. This ensures that - if necessary - a data restore can be performed.
Monitoring of all relevant systems is active.
Likewise, updates and/or patches are regularly performed on all computers/servers.
At no time will stored productive data be passed on to third parties. Mobile data carriers (e.g. USB sticks, external hard drives) are not used.
Each customer of the data processor can actively and independently initiate the deletion of data (e.g. domain, tracking and customer data) within the customer account. The data from the productive database will be deleted immediately. The data still stored within the backups will be deleted at the latest and completely automatically after 4 weeks. Customer data that must be kept for legal or tax reasons will only be deleted after the legal retention periods.
Annex 2 - Approved subcontractors
Hetzner Online GmbH
ISO 27001 certified data center (hosting)
Annex 3 - Persons authorized to issue instructions, address for reporting data protection violations
The following persons are authorized to issue instructions:
See client on page 1.
The following persons are authorized to receive instructions:
Name: Martin Kolb, Michael Neuhauser
Instructions will be accepted from the email address stored with your user account. The contact address of Fair Analytics is: firstname.lastname@example.org.
Contact for personal data breach notifications:
Email address provided during registration.