Data Processing Addendum

This Data Processing Addendum regulates data processing on behalf of the Customer by autoretouch GmbH as the Contractor. It is part of the Service Agreement on the provision of the autoretouch Platform to the Customer. It is incorporated into and shall be part of the contract between Customer and Contractor.

1. General

(1) The Contractor is the provider of an automated image processing platform as Software as a Service (“Software”). The parties have concluded a contract for the usage of the Software together with supplementary services (“Service Agreement”). The performance of the services of the Contractor according to the Service Agreement might also include the processing of personal data on behalf of the Customer.

(2) This DPA specifies, as part of the Service Agreement, the obligations of both parties to comply with the applicable data protection law, in particular the requirements of the General Data Protection Regulation (GDPR).

2. Scope of Application

The Contractor shall process personal data on behalf of the Customer. The parties agree that for the purposes of this DPA the Customer shall be the Controller and the Contractor shall be the Processor (“Controller” and “Processor” shall have the meaning as defined by the GDPR). The subject-matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are specified in the Service Agreement and in Annex 1 to this DPA. The term of this DPA and the duration of the processing depend on the term of the Service Agreement.

3. Compliance with Instructions

(1) The Contractor may only process personal data within the scope of the order and the documented instructions of the Customer. The instructions shall initially be specified in the Service Agreement and may then be changed, supplemented or replaced by the Customer in text form. Verbal instructions are to be confirmed by the Customer immediately in text form.

(2) If the Contractor is obliged to process personal data in accordance with the law of the Union or the Member State to which the Contractor is subject, the Contractor shall inform the Customer thereof in writing prior to the respective processing, unless the law prohibits such information for important reasons of public interest. In the latter case, the Contractor shall inform the Customer immediately as soon as this is legally possible.

(3) The Contractor shall inform the Customer without delay if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Customer.

(4) The Contractor may use data concerning the use of the software by the Customer in anonymized form for the purposes of optimizing the software, user experience and for security-relevant evaluations. The Customer hereby issues a corresponding instruction for the corresponding anonymization.

4. Technical and Organisational Measures

According to Art. 32 GDPR, the Contractor undertakes towards the Customer to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk of the processing, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons.

5. Data Subject Rights

(1) The Contractor shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the data subject’s rights laid down in Chapter III (in particular access, correction, blocking or deletion). To the extent that the assistance of the Contractor is necessary for the protection of rights of data subjects by the Customer, the Contractor shall take the necessary measures according to the instructions of the Customer.

(2) The Contractor may only provide information to third parties or to data subjects with the prior consent of the Customer. It shall forward requests addressed directly to the Contractor to the Customer without undue delay.

6. Other Obligations of the Contractor

(1) The Contractor shall inform the Customer immediately, at the latest within 48 hours, if it becomes aware of violations of the protection of personal data processed on behalf of the Customer.

(2) The Contractor shall support the Customer in preparing and updating the records of processing activities with regard to the data processing performed by the Contractor on behalf of the Customer, and, if necessary, in carrying out a data protection impact assessment. All necessary information and documentation must be made available to the Customer immediately upon request.

(3) If the Customer is subject to inspection by a supervisory authority or if data subjects assert rights against the Contractor, the Contractor undertakes to support the Customer to the necessary extent insofar as the personal data processed on behalf of the Customer is affected.

(4) The persons employed by the Contractor for the processing have committed themselves in writing to confidentiality, have been made familiar with the relevant provisions of all relevant data protection laws and are continuously appropriately instructed and monitored with regard to the fulfilment of data protection requirements.

(5) The Contractor shall support the Customer in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the type of processing and the information available to the Contractor.

(6) The Contractor has appointed a competent and reliable person as data protection officer. The Customer may contact the data protection officer directly (privacy@autoretouch.com) for any questions with regard to data processing.

7. Rights and Obligations of the Customer

(1) The Customer shall be responsible for assessing the lawfulness of the data processing and for safeguarding the rights of data subjects.

(2) The Customer shall be entitled to monitor and audit compliance with the provisions on data protection and the contractual agreements at the Contractor to a reasonable extent itself or by third parties, in particular by obtaining information and inspecting the stored data and data processing programs. The Contractor shall, as far as necessary and possible, provide access and insight to the persons entrusted with the inspection. The Contractor is obliged to provide necessary information, to demonstrate procedures and to provide evidence which is necessary for the performance of an inspection. Inspections at the Contractor’s premises shall be carried out without avoidable disruptions to its business operations. Unless otherwise indicated for urgent reasons to be documented by the Customer, inspections shall take place after reasonable advance notice and during business hours of the Contractor and not more frequently than every 12 months.

8. Sub-processors

(1) The Contractor may only use sub-processors with the consent of the Customer. The Customer consents to the usage of sub-processors according to the List of Sub-processors in Annex 2. The List of Sub-processors also defines the process for future changes of sub-processors.

(2) The Contractor must carefully select its sub-processors and check before using them that they can comply with the agreements made between the Customer and the Contractor. In particular, the Contractor shall check that all sub-processors have taken the necessary technical and organisational measures to protect personal data in accordance with Art. 32 GDPR.

(3) Services which the Contractor uses with third parties as a pure ancillary service in order to carry out its business activities shall not be considered sub-processing in the context of this DPA. This includes, for example, cleaning services, pure telecommunications services without concrete reference to services provided by the Contractor for the Customer, postal and courier services, transport services and security services.

(4) The usage of sub-processors shall not affect the Contractor’s contractual and data protection obligations towards the Customer. The Contractor shall be liable for any acts or omissions of its sub-processors as if they were its own acts or omissions.

9. Data Transfer to Third Countries

Data is also processed by the Contractor in third countries (outside of the EEA). The transfer of personal data to a third country by the Contractor is carried out on the basis of an adequacy decision in accordance with Art. 45 GDPR (e.g. EU-US Privacy Shield) and/or on the basis of suitable guarantees in accordance with Art. 46 GDPR (e.g. Standard Contractual Clauses issued by the Commission and concluded between the Contractor and the sub-processor in a third country).

10. Deletion and Return of Personal Data

(1) Copies of the personal data processed on behalf of the Customer shall not be made without the knowledge of the Customer. Excluded from this are backup copies insofar as they are necessary to guarantee proper data processing, as well as data which are necessary with regard to compliance with statutory retention obligations.

(2) Upon termination of the Service Agreement or earlier upon request by the Customer, the Contractor shall hand over the data to the Customer or delete such data in accordance with the requirements of applicable data protection laws and regulations.

(3) Documentation which serves as proof of the orderly and proper data processing shall be stored by the Contractor beyond the end of the contract in accordance with the respective retention periods.

Annex 1: Description of the Data Processing

Controller

The Customer named above is the controller and uses the Contractor’s automated image processing platform.

Processor

The Contractor provides its automated image processing platform to the Customer as Software as a Service (SaaS).

Types of Personal Data

The personal data that might be processed in the context of the usage of the automated image processing platform concern pictures of data subjects uploaded to the Software for image processing.

Categories of Data

The personal data processed belong to the following categories of data:

Special Categories of Data

The personal data processed on behalf of the Customer might include special categories of data, if such special categories of data can be derived from the pictures uploaded to the Software (e.g. racial or ethnic origin, data concerning health).

Subject-matter of Processing

The personal data processed is processed for the performance of automated image processing.

Annex 2: List of Sub-Processors

autoRetouch uses the following sub-processors:

| Sub-processor | Subject-matter of the Processing | Location of Data Processing | Appropriate Safeguards (Art. 46 GDPR) |
| --- | --- | --- | --- |
| Google Inc., 1600 Amphitheatre Parkway, Mountain View, California 94043, USA | Hosting of the Image Processing Platform (IaaS) | Worldwide | Privacy Shield and EU Standard Contractual Clauses |

The Contractor may replace sub-processors or appoint additional sub-processors. The Contractor will inform the Customer by electronic means at least 30 days prior to the use of the new sub-processor about the planned use of the new sub-processor. Emergency replacements as defined below are excluded. Should the Customer have a material reason to object to the use of the new sub-processor, the Customer will notify the Contractor in writing at the latest 15 days after the information about the planned use of the new sub-processor, explaining the material reason. 

If the Customer does not object within this period, the use of the new sub-processor shall be deemed to have been approved by the Customer. 

Should the Customer object, the Contractor can remedy the objection as follows: (1.) The Contractor will not use the new sub-processor for the processing of personal data of the Customer; or (2.) the Contractor will take corrective measures requested by the Customer in its objection to remove the material reason for the objection; or (3.) the Contractor can temporarily or permanently suspend the performance of the part of the service towards the Customer affected by the use of the new sub-processor and refund the Customer for the performance of the part of the service paid in advance. If none of these three options is feasible and the objection has not been remedied within 15 days of receipt of the objection, either party may terminate the contract with reasonable notice.

Emergency replacements of a sub-processor may become necessary if the necessity of the immediate employment of an additional sub-processor lies outside the control of the Contractor, for example if a sub-processor surprisingly ceases its business operations or violates its substantial contract obligations towards the Contractor, so that it is no longer possible for the Contractor to perform its services to the Customer. In such a case the Contractor will immediately notify the Customer of the additional subcontractor and the objection process, as defined above, will be initiated with the notification of the Customer.