Data processing agreement

Agreement on the data processing agreement in accordance with Art. 28 of the GDPR

This agreement is in electronic form in accordance with Art. 28 (9) of the GDPR. If you would like to receive a DPA in paper form, please contact

1. Subject and duration of the contract

  1. Subject: The subject matter of the order results from registration and participation on the platform erhebung.de and the services available there, to which reference is made here (hereinafter the service agreement).
  2. Duration: The duration of this contract (term) is the duration of the service agreement.

2. Specification of the content of the order

  1. Nature and purpose of the intended processing of data
    The nature and purpose of the processing of personal data by the contractor for the client are determined by the client in the preparation and conduct of the survey. Reference is made to the respective survey and the data collected in it. The client is solely responsible for this.
  2. Type of data
    The type of personal data used is determined by the client during the preparation of the survey itself. Each survey consists of different input fields and the associated questions - these questions provide information about the type of data collected.
  3. Categories of affected persons
    The categories of persons affected by the processing will be determined by the client during the preparation of the respective survey. In particular, it depends on which participants are invited and whether access to the survey is public or private.

3. Technical and organizational measures

  1. Before processing begins, the contractor must document the implementation of the technical and organizational measures set out prior to the award of the contract, in particular with regard to the specific execution of the order, and hand this documentation over to the client for review. If accepted by the client, the documented measures become the basis of the order. Insofar as the client's inspection / audit reveals a need for adjustment, this must be implemented by mutual agreement.
  2. The contractor shall establish security pursuant to Art. 28 para. 3 lit. c and Art. 32 GDPR, in particular in conjunction with Art. 5 para. 1 and 2 GDPR. Overall, the measures to be taken are data security measures intended to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. In doing so, the state of the art, the implementation costs and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR, must be taken into account. Details are set out in point 11.
  3. The technical and organizational measures are subject to technical progress and further development. In that regard, the contractor is allowed to implement alternative adequate measures. At the same time, the security level of the specified measures must not be fallen below. Significant changes must be documented.

4. Correction, restriction and deletion of data

  1. The contractor may correct, delete or restrict the processing of the data processed on behalf of the client only on the basis of documented instructions from the client. Insofar as a data subject contacts the contractor directly in this regard, the contractor will forward the request to the client without delay.
  2. Insofar as included in the scope of services, the deletion concept, the right to be forgotten, rectification, data portability and information are to be ensured by the contractor directly in accordance with the client's documented instructions.

5. Quality assurance and other obligations of the contractor

In addition to compliance with the provisions of this order, the contractor has statutory obligations under Art. 28 to 33 GDPR; in particular, it ensures compliance with the following requirements:
  1. The contractor is not obliged to appoint a data protection officer. The contact person at the contractor is named as follows:
  2. Maintaining confidentiality pursuant to Art. 28 para. 3 sentence 2 lit. b, Art. 29 and Art. 32 para. 4 GDPR. The contractor will use only employees who are committed to confidentiality and have previously been familiarized with the data protection regulations that are relevant to them. The contractor and any person subordinate to the contractor who has access to personal data may process such data only in accordance with the instructions of the client, including the powers granted in this contract, unless they are required by law to process it.
  3. The implementation of and compliance with all technical and organizational measures required for this contract in accordance with Art. 28 para. 3 sentence 2 lit. c and Art. 32 GDPR, as set out in point 11.
  4. The client and the contractor shall cooperate with the supervisory authority on request in the fulfilment of their duties.
  5. Informing the client without delay about control actions and measures of the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates the processing of personal data carried out by the contractor under this contract in the context of administrative or criminal proceedings.
  6. Insofar as the client itself is subject to an inspection by the supervisory authority, administrative offence or criminal proceedings, a liability claim by a data subject or a third party, or any other claim in connection with the order processing by the contractor, the contractor must support the client to the best of its ability.
  7. The contractor will regularly review internal processes and technical and organizational measures to ensure that processing within his area of responsibility complies with the requirements of applicable data protection law and ensures the protection of the data subject's rights.
  8. Verifiability of the technical and organizational measures taken towards the client within the scope of the client's control powers pursuant to Section 7 of this contract.

6. Subcontracting

  1. For the purposes of this provision, subcontracting means services that relate directly to the provision of the main service. This does not include ancillary services provided by the contractor, e.g. telecommunications services, postal / transport services, maintenance and user support services, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. However, the contractor is obliged to enter into appropriate and legally compliant contractual agreements and to take control measures to ensure the privacy and security of the client's data, even for outsourced ancillary services.
  2. The contractor may only commission subcontractors (other processors) after the prior express written or documented consent of the client. Outsourcing to subcontractors or the replacement of an existing subcontractor is permissible insofar as:
    • the contractor notifies the client of such outsourcing to subcontractors a reasonable time in advance, in writing or in text form;
    • the client does not object to the contractor, in writing or in text form, to the planned outsourcing by the time the data is transferred; and
    • a contractual agreement in accordance with Art. 28 para. 2-4 GDPR is used.
  3. The transfer of the client's personal data to the subcontractor and the subcontractor's first activity are only permitted once all conditions for subcontracting are met.
  4. If the subcontractor provides the agreed service outside the EU / EEA, the contractor will ensure admissibility under data protection law by taking appropriate measures. The same applies if service providers within the meaning of para. 1 sentence 2 are to be used.
  5. Further outsourcing by the subcontractor is not permitted.

7. Control rights of the client

  1. The client has the right to carry out inspections in consultation with the contractor, or to have them carried out by examiners appointed in individual cases. The client has the right to satisfy itself of the contractor's compliance with this agreement at the contractor's premises through spot checks, which are usually to be announced in good time.
  2. The contractor shall ensure that the client can satisfy itself that the contractor complies with its obligations in accordance with Art. 28 GDPR. The contractor undertakes to provide the client with the necessary information upon request and, in particular, to prove the implementation of the technical and organizational measures.
  3. Proof of such measures, which do not relate solely to the specific order, may be provided by
    • compliance with approved codes of conduct pursuant to Art. 40 GDPR;
    • the certification according to an approved certification procedure according to Art. 42 GDPR;
    • up-to-date certificates, reports or extracts from independent bodies (e.g. external auditors, internal auditors, data protection officers, IT security departments, privacy auditors, quality auditors);
    • appropriate certification by an IT security or privacy audit (for example, according to BSI IT-Grundschutz).
  4. The contractor may assert a claim for remuneration in order to enable controls by the client.

8. Notification of violations by the contractor

  1. The contractor shall assist the client in complying with the obligations on security of personal data, reporting of personal data breaches, data protection impact assessments and prior consultations referred to in Articles 32 to 36 of the GDPR. These include, among others:
    • ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing and the predicted likelihood and severity of a possible breach of rights due to security vulnerabilities, and that enable the immediate detection of relevant breach events
    • the obligation to report personal data breaches to the client without delay
    • the obligation to support the client in its duty to inform the data subject and to provide the client with all relevant information in this connection without delay
    • supporting the client in its data protection impact assessment
    • supporting the client in the context of prior consultations with the supervisory authority
  2. For services that are not included in the service description or are not the result of misconduct by the contractor, the contractor may claim a fee.

9. Client's authority to issue instructions

  1. Verbal instructions shall be confirmed by the client immediately (at least in text form).
  2. The contractor must inform the client immediately if he believes that an instruction violates data protection regulations. The contractor is entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by the client.

10. Deletion and return of personal data

  1. Copies or duplicates of the data are not created without the client's knowledge. This does not include backup copies, to the extent necessary to ensure proper data processing, and data required for compliance with statutory retention requirements.
  2. After completion of the contractually agreed work, or sooner upon request by the client, and at the latest upon termination of the service agreement, the contractor must hand over to the client all documents, processing and utilization results and data stocks relating to the contract, or destroy them in a data-protection-compliant manner after prior consent. The same applies to test and scrap material. The deletion log must be submitted on request.
  3. Documentation serving as evidence of orderly and proper data processing shall be retained by the contractor in accordance with the respective retention periods beyond the end of the contract. The contractor may hand it over to the client at the end of the contract in order to be released from this obligation.

11. Technical and organizational measures

11.1. Confidentiality (Art. 32 para. 1 GDPR)

  1. Entry control
    No unauthorized access to data processing systems: Our server racks are protected by double door protection. Access to the server room is only permitted for administrators and technicians. After passing the first door, legitimization by the gatekeeper is required.
  2. Access control
    No unauthorized system usage: access to in-house systems is secured by SSL. Repeated incorrect entry (3x) of the access credentials leads to the immediate and permanent blocking of the IP address concerned, which can only be lifted by a system administrator.
  3. Data access control
    No unauthorized reading, copying, modification or removal within the system: each administrator is granted only as many access privileges as his job requires. Furthermore, every administrative access to in-house systems is logged.
  4. Separation control
    Separate processing of data: Data records are always logically separated from each other and are only accessible via an authorization with access rights. A process does not get more access than it needs.
  5. Pseudonymization (Art. 25 and Art. 32 para. 1 GDPR)
    All surveys are either pseudonymized or completely anonymized. The client has the option to specify the appropriate setting when creating a survey. Pseudonymization takes place via an association with a hashed key.
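The page states only that pseudonymization works via an association with a hashed key. The following added example (not erhebung.de's own code) shows one defensible way to implement that choice for survey responses: a keyed hash (HMAC-SHA256) with a secret key per survey, which gives a stable pseudonym within a survey, prevents linking the same participant across surveys, and, unlike a plain hash of an e-mail address, cannot be reversed by hashing a list of candidate addresses without the key. The key storage, field names and sample responses are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed sample responses keyed by an invitation e-mail address (not real data).
RESPONSES = [
    {"participant": "alice@example.org", "q1": "yes", "q2": 4},
    {"participant": "bob@example.org", "q1": "no", "q2": 2},
    {"participant": "alice@example.org", "q1": "yes", "q2": 5},
]


def new_survey_key() -> bytes:
    """Per-survey secret. Assumed to be stored apart from the response store,
    so that holding the responses alone does not allow re-identification."""
    return secrets.token_bytes(32)


def pseudonym(participant: str, survey_key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the identifier, truncated to 128 bits.
    A plain SHA-256 of a low-entropy identifier such as an e-mail address can
    be reversed by hashing candidate addresses; the secret key prevents that,
    and a different key per survey prevents cross-survey linking."""
    mac = hmac.new(survey_key, participant.encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:32]


def process(responses, survey_key=None, mode="pseudonymized"):
    """Return a copy of the responses with the identifier replaced by a
    pseudonym (stable within the survey) or dropped entirely (anonymized)."""
    if mode not in ("pseudonymized", "anonymized"):
        raise ValueError("mode must be 'pseudonymized' or 'anonymized'")
    if mode == "pseudonymized" and survey_key is None:
        raise ValueError("pseudonymization requires the survey key")
    out = []
    for r in responses:
        answers = {k: v for k, v in r.items() if k != "participant"}
        if mode == "pseudonymized":
            answers["pseudonym"] = pseudonym(r["participant"], survey_key)
        out.append(answers)
    return out
```

Note that the pseudonymized output is still personal data as long as the survey key exists; destroying the key is what turns it into anonymized data.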

11.2. Integrity (Art. 32 para. 1 lit. b GDPR)

  1. Transfer control
    No unauthorized reading, copying, modification or removal during electronic transmission or transport: Any type of data transmission, in particular between the user and the web platform as well as the administrator and the application, is fully encrypted (SSL). Implementation of features is only possible within the private network.
  2. Input control
    Determining whether and by whom personal data has been entered into, altered or removed from any data processing system: any creation or modification of an entry is logged in our databases. This applies to all existing data records.

11.3. Availability and resilience (Art. 32 para. 1 lit. b GDPR)

  1. Availability control
    Protection against accidental or willful destruction or loss: Regular health checks of all services provide information about the current status of the web application as a whole. In addition, our firewall guarantees that deliberate attacks from the Internet are blocked.
  2. Rapid recoverability (Art. 32 para. 1 lit. c GDPR)
    All personal and non-personal information is stored periodically as a backup on a separate medium. Access to this medium is not possible from the internet. In the event of unpredictable data loss, the maximum time to complete recovery is 24 hours.

11.4. Procedures for periodic review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR and Art. 25 para. 1 GDPR)

  1. Data protection management;
  2. Incident response management;
  3. Privacy-friendly default settings (Art. 25 para. 2 GDPR);
  4. Order control
    No processing on behalf of the client within the meaning of Art. 28 GDPR without corresponding instructions from the client, for example: clear contract design, formalized order management, strict selection of the service provider, obligation to verify in advance, follow-up checks.