Data Processing Terms

These Data Processing Terms and their DPA Appendix apply to the GROUP MEMBER's processing of personal data acting as "Processor" on behalf of the Client, and jointly form the Data Processing Agreement under Art 28 GDPR ("DPA"). The DPA is subject to the terms of the Agreement. Unless explicitly stated otherwise, the order of precedence is: 1. DPA Appendix, 2. these Data Processing Terms, 3. the Agreement. Capitalized terms under data protection law used and not defined herein (e.g. “Processing”, “Data Subject”) have the meanings given to them in the GDPR.

1. Processing

Subject matter, nature and purpose of the Processing are determined by Processor's Deliverables as described in the Order Document including any applicable SOW and as supplemented in the DPA Appendix ("Services"). Unless otherwise provided for in the Order Document or in the DPA Appendix, the duration of the Processing is linked to the duration of the Agreement as defined in the Order Document and ends simultaneously.

2. Rights and obligations of the Processor towards the Controller


Client confirms to be the sole Controller in the meaning of Art 4 lit 7 GDPR with respect to any kind of information relating to Data Subjects who are identified or identifiable as defined in Art 4 lit 1 GDPR that is Processed by Processor in order to provide the Services. If further Controllers exist, or if Client itself acts as Processor of Controllers, such Controllers have instructed and authorised Client to agree to the Processor's processing activity. In the following, the term “Controller” refers to Client.


Controller has the right and obligation to make decisions about the purposes and means of the Processing. Processor is obliged to process personal data only on documented instructions from the Controller. Changes to the agreed Processing shall be settled between the parties (particularly as set forth in an applicable change request procedure). To the extent such changes require significant increases in Processor's Processing, Sec 2.12 applies.


Controller is responsible for the lawfulness of the Processing in compliance with the GDPR, the applicable EU or Member States data protection provisions and this DPA. If in Processor's opinion, irrespective of the foregoing, an instruction infringes the said provisions, it will inform Controller without undue delay and may suspend the performance of the instruction until Controller has modified or confirmed its lawfulness via email to [email protected]. Processor is entitled to conduct non-personal and statistical evaluations based on the personal data provided by the Controller for Processor's own purposes as well as for the purposes of third parties.


Processor confirms that persons authorised to Process Personal Data are granted access only on a need-to-know basis and have committed themselves to confidentiality pursuant to Sec 6 DSG 2018 and Art 28 Para 3 lit b GDPR prior to accessing the data or are under an appropriate statutory obligation of confidentiality.


Processor declares that preventive measures in particular as prescribed in Art 32 GDPR appropriate to the risk for Processor’s scope of responsibility have been implemented, particularly to prevent data from being used unlawfully or disclosed to third parties without Controller’s prior written authorization. Processor has implemented and maintains technical and organizational security measures ("TOMs") in its scope of responsibility. However, the specific data security measures may, depending on the processing activity, be adapted and updated by the Processor on its own behalf and in line with the applicable statutory provisions provided that the security and functionality of the processing are not degraded. Controller can request the current TOMs from the Processor at any time via email to [email protected].

Controller confirms to have implemented and to maintain appropriate TOMs in its own scope of responsibility.


Hereby Controller provides Processor a general written authorization in accordance with Art 28 Para 2 GDPR to engage third parties for processing ("Subprocessors"). Processor shall inform Controller in due time of any intended changes concerning the addition or replacement of a Subprocessor in order to enable Controller to object to such changes pursuant to Art 28 Para 2 GDPR via email to [email protected]. Controller shall, but is not obliged to, include its legitimate grounds for the objection together with any options to mitigate. Processor shall enter into a written agreement with Subprocessor pursuant to Art 28 Para 4 GDPR and shall impose on each Subcontractor substantially similar data protection obligations as set out in the DPA.


Upon Controller's request via email to [email protected], Processor assists Controller by technical and organisational measures, insofar as this is possible, enabling it to secure the Data Subject's rights (e.g. right of access, to rectification, erasure or to object), by providing the functionality of the Service and by providing information required for the request. In case Processor is directly contacted by Data Subjects concerning their rights resulting from data protection laws, it will forward the respective request to Controller without undue delay. Controller is responsible for answering the request. Processor will handle requests of Data Subjects only upon Controller's prior documented instruction via email to [email protected].


If a Data Subject brings a claim directly against Processor for a violation of its Data Subject Rights which is not solely in Processor's responsibility, Controller shall indemnify Processor for any damages, particularly cost, charge, expenses or loss, arising in connection with such a claim. Corresponding to Processor's part of responsibility for a damage and subject to the terms of the Agreement including its limitations of liability, Controller may claim back from Processor compensation paid to a Data Subject for a violation of their Data Subject rights caused by Processor’s breach of its obligations under GDPR.

Claims for reimbursement under this Section require that the party against which the Data Subject's claim is brought has informed the other party of the claim and given it the opportunity to cooperate in its defense and settlement.


Processor shall assist Controller in ensuring compliance with the obligations pursuant to Art 32 to 36 GDPR to a reasonable extent taking into account the nature of the Processing and the information available to Processor.

In particular, Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach with respect to the Processing, for which Processor has implemented a data breach notification management system. Controller shall remain solely responsible towards Supervisory Authorities and Data Subjects under Art 33, 34 GDPR and, based on the information provided by Processor, shall decide at its sole discretion whether a notification to a Supervisory Authority and/or Data Subjects is required. Any liability of Processor is excluded if Controller fails to submit (in due time) a legally required notification despite Processor's timely information.


After termination of the Services, Processor shall, in principle, delete all respective personal data in its possession. At Controller’s choice and upon its timely instruction, Processor will return a copy of such personal data in a reasonable format. However, subject to prior anonymization, Processor is entitled to conduct non-personal evaluations concerning the data provided by the Controller for Processor's own purposes or those of third parties.


Pursuant to Art 28 Para 3 lit h GDPR, Processor assists Controller and provides it or another auditor mandated by Controller (if under an appropriate statutory or contractual obligation of confidentiality towards Processor) with any information necessary to control the adherence to the duties under the DPA as follows:

(i) Processor primarily provides Controller or its auditor with the most recent security documentation, certifications and/or summary third party audit reports conducted to assess and evaluate the effectiveness of the TOMs and, if requested by Controller, will further cooperate by providing additional information for Controller’s better understanding of such documentation.

(ii) If necessary for Controller's compliance with its own audit obligations or with a competent Supervisory Authority’s request, Processor will, upon Controller’s written notification of such necessity, undertake all efforts to provide Controller with such further information.

(iii) Insofar as it is impossible to comply with mandatory audit obligations by all other means, Controller or its mandated auditor may conduct an onsite visit restricted to the facilities used to provide the Service, during Processor’s ordinary business hours and in a manner that causes minimal disruption to Processor’s business. In advance of such visit, the Parties shall coordinate a reasonable date as well as security and confidentiality measures in order to reduce any risk to Processor's other contractual partners. For that purpose, Processor reserves the right to impose reasonable limitations and/or require additional assurances from Controller on a case-by-case basis.

The Parties will bear their own costs with regard to subparagraph (i) above. Sec 2.12 applies to any further assistance under subparagraphs (ii) and (iii).


Processor is entitled to an appropriate remuneration for any assistance and rendering of services under the DPA based on the hourly rates most recently agreed upon. Controller shall submit all instructions, requests for assistance, enquiries and other communication towards Processor under the DPA via email to [email protected].


The DPA shall be governed by the laws of the Republic of Austria to the exclusion of its conflict of law rules.

Version: 02.03.2020