Version
Last update: 25 August 2021

Supplemental agreement for contract data processing pursuant to Article 28 GDPR

Between

Name: ____________________________
Street: ________________________________
Post code/City: ________________________________
Country: ________________________________

– Controller within the meaning of Art. 4(7) GDPR, hereinafter referred to as the “Controller” –

and

Team Space Europe SRL

Reconstructiei, 2A, 550129, Sibiu, Romania

– Processor within the meaning of Art. 4(8) GDPR, hereinafter referred to as the “Processor” –

Preamble

This contract data processing agreement governs the obligations of the contracting parties with regard to data protection arising under the service agreement, including product descriptions.

Product: Cloud Edition – refer as “Cloud Services” in this document
Customer number: ________________________
Contract number (URL): ___________________
Contract date: ____________________________

This agreement applies to all activities related to the primary contract in which employees of the Processor or agents of the Processor may come into contact with personal data of the Controller. The Processor will collect, process and otherwise use personal data for the Controller exclusively within the scope of this contract data processing agreement in accordance with Art. 28 GDPR.

1.  Scope and Responsibilities

1. The subject, type and purpose of the contract are activities whose specification is based on the service contract referred to above and the associated product
2. The Processor shall not use data provided to them for processing for any other purposes. Copies and/or duplicates may not be made without the knowledge of the Controller. This does not include backup copies, to the extent necessary to ensure proper data processing, and data required to comply with the statutory retention
3. The Controller is solely responsible for assessing the lawfulness of the collection, processing and use of personal data by the Processor within the framework of their contractual relationship with regard to the provisions of the European General Data Protection Regulation (GDPR) and other relevant laws and regulations concerning data
4. Processing operations. The personal data transferred will be subject to the following basic processing activities: Storage for the purpose of authentication and authorization.

2. Location of the Intended Data Processing

The contractually agreed upon data processing shall take place exclusively within a Member State of the European Union or in another state that is party to the Agreement on the European Economic Area (EEA). The transfer of personal data to entities domiciled neither in a Member State of the European Union nor any other contracting state to the Agreement on the European Economic Area (so-called “third country”) requires the consent of the Controller and may only take place if the special requirements of Art. 44 ff. GDPR have been satisfied.

3. Type of Data Processed and Categories of Data Subjects

1. The personal data undergoing processing pursuant to this agreement includes the following data types/categories (list/description of data categories):

• First and last name
• E-mail address
• Phone number (optionally)
• Profile picture (avatar image)

2. The categories of data subjects affected by the processing include:

• Employees of the Controller
• Customers of the Controller
• Suppliers of the Controller

3. For billing purposes, the Processor collects the following information from the Controller:
4. 3. • Company name
      • Billing address
      • Bank details
      • VAT ID

4. Technical and Organizational Measures

The Processor shall structure their internal organization in such a way that they will meet the special requirements applicable to data protection. The measures implemented by the Processor are set out in Annex 1 to this contract data processing agreement. The Processor shall keep their documentation of technical and organizational measures up to date at all times.

5. Rectification, Restriction and Erasure of Data

The Processor may only rectify, erase or restrict the processing of data as processed pursuant to this contract if instructed to do so by the Controller. If a data subject contacts the Processor directly in this context, the Processor shall forward this request to the Controller.

6. Obligations of the Controller

1. The Controller is responsible for all data, automated procedures and data processing equipment within their area of responsibility as well as for safeguarding the rights of data
2. The Controller shall arrange for the technical and organizational measures necessary to ensure data protection and data security in connection with the contract data The nature and scope of the work and the powers of the staff employed by the Processor must be specified in sufficient detail. The costs of such technical and organizational measures, which must be implemented at the Processor’s business owing to special requirements of the Controller, shall be borne by the Controller.
3. The Controller has the right to issue instructions concerning the type, scope and sequence of the work. All such instructions must be issued in writing. Oral instructions must be confirmed by the Controller in writing without undue
4. Persons who are authorized to issue instructions, take receipt of consignments and perform monitoring must be named in writing. They must identify themselves when performing their

7. Duties of the Processor

1. In addition to complying with the provisions of this agreement, the Processor shall comply with the statutory obligations set out in Articles 28 to 33 GDPR. Without limitation, the Processor shall ensure compliance with the following requirements:

• Written appointment of a data protection officer who will perform their duties in accordance with Articles 38 and 39 GDPR. The contact details for the data protection officer are set out in Annex
• Maintaining confidentiality in accordance with Articles 28(3)(b), 29, 32(4) GDPR. In carrying out their work, the Processor shall exclusively use employees who are bound to maintain confidentiality and who have previously been familiarized with the relevant data protection provisions. The Processor and any person under their authority who has access to personal data of the Controller may only process such data exclusively in accordance with instructions from the Controller, including the authority granted in this agreement, unless they are legally obliged to process such
• The implementation and compliance with all technical and organizational measures required for the respective contract data processing in accordance with Articles 28(3)(c), 32 GDPR. The technical and organizational measures are documented in Annex 1 to this
• Notification of the Controller regarding control procedures and measures taken by the supervisory authority in so far as they relate to the underlying contractual
• The Processor may only provide information to data subjects or third parties concerning the underlying contractual relationship with the consent of the Controller unless they are legally obliged to do

8. Subcontractors

1. Subcontracting relationships within the meaning of this provision shall be understood to mean those services which relate directly to the provision of the principal service. This does not include ancillary services used by the Processor, g. telecommunications services, postal/transport services, maintenance and user services or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software used in data processing systems. However, the Processor shall be obliged to undertake appropriate and legally binding contractual agreements and control measures to ensure the data protection and the data security of the Controller’s data, including in relation to outsourced ancillary services.
2. The Processor may only engage subcontractors to process personal data of the Controller if they are in a Member State of the European Union or in another country which is a signatory to the Agreement on the European Economic Area (EEA). Forwarding, storing and processing data using automated data processing systems outside the EU or the EEA is not
3. The Controller agrees to the engagement of the subcontractors named by the Processor in Annex 2 to this agreement on condition of a contractual agreement in accordance with Art. 28(2)-(4)
4. Outsourcing to further subcontractors or the change of an existing subcontractor is permissible provided that:

• The Processor will notify the Controller in writing or in text form of outsourcing to such subcontractors prior to the start of processing by the respective subcontractor. The Controller’s right of objection extends for two weeks after notification, and notice must likewise be given in writing or in text form.
• A contractual agreement in accordance with Art. 28(2)-(4) GDPR serves as the basis for the engagement.

5. The Processor shall regularly check the subcontractor’s compliance with data protection.
6. The transfer of personal data from the Controller to the subcontractor, and their commencement of work, are only permitted if all requirements for subcontracting are met.

9. Control Rights of the Controller

1. Upon appropriate advance notice, the Controller is entitled to have inspections performed by auditors to be appointed on a case-by-case basis. The Processor shall ensure that the Controller can satisfy themselves of the Processor’s compliance with the obligations in accordance with Art. 28 GDPR. The Processor shall grant the Controller access to the Processor’s property and business premises upon prior arrangement of an appointment during normal local operating and business hours. The Processor is required to furnish the necessary information to the Controller on request and to demonstrate, in particular, the implementation of the technical and organizational
2. Proof of such measures, which do not only relate to a specific engagement, may be provided in the form of compliance with approved rules of conduct in accordance with Art. 40 GDPR; certification according to an approved certification procedure pursuant to Art. 42 GDPR; current certificates, reports or report extracts from independent bodies (e.g. auditor, internal audit department, data protection officer); suitable certification by IT security or data protection audit (e.g. according to BSI Basic Protection).

10. Notification of breaches by the Processor

1. The Processor shall inform the Controller of violations of the protection of personal data, disturbances, breaches of data protection regulations or the specifications made in a specific agreement by the Processor or persons employed by them or engaged by them. This is especially the case with regard to any legal obligations of the Controller to notify data subjects or the supervisory
2. To the extent possible, the Processor shall assist the Controller in complying with the obligations set out in Articles 30 to 36 GDPR concerning the security of personal data, notification obligations in the event of personal data breaches, data protection impact assessments and prior This includes, in particular:

• Subdivision of the facility into individual security areas;
• Ensuring an adequate level of protection by means of technical and organizational measures that con- sider the circumstances and purposes of the processing, as well as the predicted likelihood and severity of a possible infringement due to vulnerabilities and that make immediate identification of relevant violations possible;
• The obligation to report personal data breaches to the Controller;
• The obligation to support the Controller in connection with their duty to inform data subjects; Supporting the Controller in connection with their obligations to carry out data protection impact assessments;
• Supporting the Controller in connection with prior consultations with the supervisory authority.

11. Confidentiality Obligations

1. Both parties agree that all information obtained in the course of executing this contract shall be treated as confidential for an indefinite period and shall be used exclusively to perform the tasks agreed herein. Neither party is entitled to use this information in whole or in part for any other purposes other than those referred to above or to disclose such information to third
2. The foregoing obligation does not apply to information which one of the parties has demonstrably received from third parties without being bound to maintain confidentiality or which is publicly

12. Contract Term

1. The validity of this agreement for contract data processing (“term”) corresponds to the term of the service  agreement referred to in section 1. The confidentiality obligation survives the term of this contract.
2. A violation of legal or contractual data protection provisions by the Processor represents good cause for the Controller to exercise their right of extraordinary termination as reserved in the service agreement referred to in section 1.

13. Severability

1. Should one or more provisions of this agreement be or become invalid or unenforceable, this shall not affect the validity of the remaining provisions of this agreement.

14. Final Provisions

1. Amendments or supplements to this agreement must be made in writing and must be signed by both parties. This also applies to the amendment of this written form clause. E-mail does not satisfy the written form requirement.
2. This agreement is governed exclusively by the laws of the ROMANIA. The place of jurisdiction for all disputes arising under or in connection with this contract is

15. Effective Date

This agreement is effective upon its signing.

16. Annexes 

The following Annexes are appended to this contract data processing agreement:

• Annex 1: Technical and organizational data security measures
• Annex 2: List of subcontractors in use

17. Signatures

Controller: ____________________________
Place: ________________________________
Date: ________________________________

Processor (Ropardo SRL): _________________
Place: ________________________________
Date: ________________________________