Data Processing Agreement (DPA)

pursuant to art. 28 General Data Protection Regulation (GDPR)

between you, as a user of the heylogin service

  • the Controller –

and

heylogin GmbH
Sophienstr. 40
38118 Braunschweig
Germany

legal representative, Dr. Dominik Schürmann

  • the Processor –

1. Subject matter, main contract and term

The subject matter of the DPA results from the main contract signed by the parties for the provision of the heylogin service (“Contract”). The Processor shall carry out the processing activities described therein

  • with respect to the following categories of personal data:
      • key personal data, contact and communication data
      • payment-related data for invoicing purposes
      • data referring to the use of heylogin, such as data relating to support, analytics etc.
  • referring to the following categories of data subjects:
      • clients
      • clients' key officers and employees
      • third parties acting on the clients' behalf
      • clients' customers

The term of this DPA corresponds to the term of the main contract.

2. Processing on instruction

Processing activities shall take place only on documented instructions by the Controller. Such instructions are included in the Contract and in this Agreement. Data processing activities under this DPA shall be performed within the European Union (EU) or the European Economic Area (EEA). In case any transfer of data outside of the EU or EEA should take place, it shall be performed in accordance with the conditions set forth in art. 44 et seq. GDPR.

3. Technical and organisational measures

The Processor has adopted technical and organizational measures in order to ensure that processing activities under this DPA are carried out in compliance with applicable data protection provisions.

The Processor has in particular adopted security measures to guarantee protection standards adequate to the risks to the confidentiality, integrity, availability, and resilience of the systems, taking into account the likelihood of data breaches and the severity of the risk to the rights and freedoms of natural persons possibly resulting therefrom.

Technical and organizational measures shall always be monitored and updated according to the technical progress and development in order to maintain or increase the data protection standards.

4. Rectification, restriction, and erasure of data

The Processor shall not rectify or erase data or restrict the processing of data covered by this agreement unless instructed to do so by the Controller. Should a data subject contact the Processor concerning a data processing activity under this agreement, the Processor shall forward such inquiry directly to the Controller.

5. Quality assurance and other duties of the Processor

The Processor shall comply with the provisions of this DPA and with all applicable statutory requirements, in particular those resulting from art. 28-33 GDPR. In particular, the Processor guarantees that

  • persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  • security measures pursuant to art. 32 GDPR have been adopted;
  • taking into account the nature of the processing, it will assist the Controller by appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of the Controller's obligation to respond to requests for exercising the data subjects' rights;
  • it will assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor;
  • it will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in art. 28 GDPR and allow for and contribute to audits, including inspections, as set forth in art. 7 of this agreement.

6. Subcontracting

The Processor has subcontracted part of its services to third parties that, as far as required by statutory law, have been made subject to the same obligations and guarantees provided by this DPA and by applicable data protection law. The Controller may request the list of the sub-processors currently employed by the Processor. Any change to such list shall be notified to the Controller without undue delay, giving the Controller the option to object. In case of objection, the Processor retains the right to terminate the Contract with the Controller without notice.

7. Audits

If there is a compelling reason, the Controller may request that an inspection or audit of the data processing activities performed by the Processor under this agreement be carried out by an independent and recognized third party. Inspections and audits shall be agreed upon in advance with the Processor and take place without impairing the Processor's regular business operations. The Processor may charge the costs of such audits or inspections to the Controller.

Compliance with the obligations pursuant to art. 32-36 GDPR may also be proven through evidence of

  • compliance with approved Codes of Conduct pursuant to art. 40 GDPR;
  • a certification according to an approved certification procedure as of art. 42 GDPR;
  • the Processor's current auditor's certificates, reports or excerpts from reports provided by independent bodies;
  • a suitable certification by IT security or data protection auditors.

8. Data breaches

The Processor shall assist the Controller in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR, including

  • ensuring adequate protection standards through technical and organizational measures, taking into account the type, circumstances, and purposes of processing, the likelihood of data breaches and the severity of the risk to natural persons possibly resulting therefrom;
  • ensuring immediate detection of infringements;
  • reporting data breaches without undue delay to the Controller;
  • assisting the Controller in answering data subjects' requests or the exercise of their rights.

9. Strict compliance

In case the Controller should require any change to the processing of personal data set forth in the documented instructions mentioned at no. 2, the Processor shall immediately inform the Controller if it considers such changes to result in infringements of data protection provisions. The Processor may refrain from carrying out any activity that may result in any such infringement.

10. Termination, deletion, and return of personal data

After the end of the provision of services, the Processor shall, at the choice of the Controller, delete or return to the Controller all the personal data collected and processed under this agreement, unless any applicable legal provision to which the Processor is subject requires storage of the personal data.

In any case, the Processor may retain all information necessary to demonstrate orderly and compliant processing activities beyond termination of the Contract, in accordance with the statutory retention periods.

Latest update: Feb 07, 2022