between

Customer (who created a customer account with Flea Software UG)

- Principal -

and

Flea Software UG (limited liability)
Winterfeldtstraße 21, 10781 Berlin

- Contractor -

1. General

(1) The contractor processes personal data on behalf of the client in the sense of Art. 4 No. 8 and Art. 28 of the General Data Protection Regulation (GDPR). This contract regulates the rights and obligations of the parties in connection with the processing of personal data.

(2) If the term "data processing" or "processing" (of data) is used in this contract, the definition of "processing" in the sense of Art. 4 No. 2 GDPR is used as a basis.

2. Subject Matter of the Contract

The subject matter of the processing, nature and purpose of the processing, the type of personal data and the categories of data subjects are defined in Appendix 1 to this contract.

3. Rights and Obligations of the Client

(1) The client is the data controller in the sense of Art. 4 No. 7 GDPR for the processing of data on behalf of the contractor. Pursuant to Section 4 (3), the contractor has the right to inform the client if, in its opinion, a processing of data that it deems legally impermissible is the subject of the contract and/or a directive.

(2) The client is responsible as the data controller for the protection of the rights of the data subjects. The contractor will inform the client immediately if data subjects assert their rights against the contractor.

(3) The client has the right to issue additional instructions on the nature, scope and procedure of the data processing to the contractor at any time. Instructions must be given in writing (e.g. by e-mail).

(4) Provisions on any remuneration for additional expenses arising from additional instructions from the client to the contractor remain unaffected.

(5) The client may designate persons authorized to issue instructions. If persons authorized to issue instructions are to be designated, these shall be named in Appendix 1. In the event that the persons authorized to issue instructions change at the client, the client shall notify the contractor of this in writing.

(6) The client shall inform the contractor immediately if it detects errors or irregularities in connection with the processing of personal data by the contractor.

(7) In the event that there is an obligation to inform third parties in accordance with Art. 33, 34 GDPR or any other legal obligation applicable to the client, the client is responsible for compliance with them.

4. General Obligations of the Contractor

(1) The contractor processes personal data exclusively within the framework of the agreements made and/or in compliance with any additional instructions issued by the client. This shall not apply to legal regulations that may require the contractor to process data in a different manner. In such a case, the contractor shall inform the client of these legal requirements prior to processing, provided that the relevant law does not prohibit such notification on the grounds of important public interest. The purpose, nature and scope of the data processing shall otherwise be based exclusively on this contract and/or the client's instructions. The contractor is prohibited from processing data in a manner that deviates from this, unless the client has expressly consented to this in writing.

(2) As a general rule, the contractor will process data on behalf of the client in Member States of the European Union (EU) or the European Economic Area (EEA). The contractor may also process data outside the EU or EEA if subcontractors in a third country are used in compliance with the conditions of Section 9 and the requirements of Articles 44-48 GDPR are met, or if an exception in the sense of Article 49 GDPR applies.

(3) The contractor shall inform the client immediately if a directive issued by the client, in its opinion, violates legal regulations. The contractor is entitled to suspend the implementation of the directive in question until it is confirmed or amended by the client. If the contractor can demonstrate that processing in accordance with the client's directive may lead to liability on the part of the contractor in accordance with Article 82 GDPR, the contractor is free to suspend further processing in this respect until liability between the parties is clarified.

(4) The contractor may designate the person(s) authorized to receive the client's instructions. If persons authorized to receive instructions are to be designated, these shall be named in Appendix 1. If persons authorized to receive instructions change at the contractor, the contractor shall notify the client of this in writing.

5. Data Protection Officer of the Contractor

(1) The contractor confirms that it has appointed a data protection officer in accordance with Article 37 GDPR. The contractor will ensure that the data protection officer has the necessary qualifications and expertise. The contractor will separately notify the client of the name and contact details of its data protection officer in writing.

(2) The obligation to appoint a data protection officer pursuant to paragraph 1 may be dispensed with at the discretion of the client if the contractor can prove that it is not required by law to appoint a data protection officer and that the contractor can demonstrate that there are operational arrangements that ensure the processing of personal data in compliance with legal regulations, the provisions of this contract, as well as any further instructions from the client.

6. Reporting Obligations of the Contractor

(1) The contractor is obliged to immediately notify the client of any breaches of data protection regulations or of the contractual agreements and/or instructions issued by the client, which have occurred in the course of the processing of data by the contractor or by other persons involved in the processing. The same applies to any violation of the protection of personal data processed by the contractor on behalf of the client.

(2) Furthermore, the contractor will immediately inform the client if a supervisory authority takes action against the contractor in accordance with Article 58 GDPR, and this may also concern a review of the processing performed by the contractor on behalf of the client.

(3) The contractor is aware that there may be an obligation for the client to report to the supervisory authority in accordance with Article 33, 34 GDPR, which provides for a report to be made to the supervisory authority within 72 hours of becoming known. The contractor will support the client in fulfilling the reporting obligations. In particular, the contractor will immediately notify the client of any unauthorized access to personal data processed by the contractor on behalf of the client as soon as the access is known. The notification from the contractor to the client must include the following information in particular:

• a description of the nature of the breach of the protection of personal data, if possible with details of the categories and approximate number of data subjects affected, the affected categories and the approximate number of personal data records affected;

• a description of the measures taken or proposed by the contractor to remedy the breach of the protection of personal data and, if applicable, measures to mitigate their potential adverse effects.

7. Cooperation Obligations of the Contractor

(1) The contractor supports the client in its obligation to respond to requests to exercise data subject rights in accordance with Articles 12-23 GDPR. The provisions of Section 12 of this contract shall apply.

(2) The contractor participates in the creation of records of processing activities by the client. The contractor shall provide the client with the information required in each case in an appropriate manner.

(3) Taking into account the nature of the processing and the information available to it, the contractor supports the client in complying with the obligations mentioned in Articles 32-36 GDPR.

8. Regulation on Mobile Workplaces

(1) The contractor may allow its employees, who are entrusted with the processing of personal data for the client, to process personal data at mobile workplaces outside the business premises of the contractor.

(2)  The contractor must ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed when the employees of the contractor use mobile workplaces. Deviations from individual contractually agreed technical and organizational measures must be coordinated in advance with the client and approved by the client in writing.

(3) In particular, the contractor ensures that when processing personal data at mobile workplaces, the storage locations are configured in such a way that local storage of data on IT systems is precluded. If this is not possible, the contractor shall ensure that local storage takes place exclusively in encrypted form, and that other persons at the location of the respective mobile workplace do not have access to this data.

(4) The contractor is obliged to ensure that effective control of the processing of personal data on behalf of the client at mobile workplaces is possible. The personal rights of the employees are to be appropriately taken into account in this context.

9. Supervisory Powers

(1) The client has the right to inspect the compliance with data protection regulations and/or compliance with the contractual agreements made between the parties and/or the compliance with the instructions of the client by the contractor to the necessary extent.

(2) The contractor is obligated to provide the client with information as far as this is necessary for the performance of the inspection pursuant to paragraph 1.

(3) Prior to any on-site inspection in the contractor's place of business, after giving reasonable notice, the client can carry out the inspection as required during the usual business hours. The client shall ensure that the inspections are carried out only to the extent necessary, so as not to disproportionately disrupt the contractor's business operations. The parties assume that an inspection is required at most once a year. Further inspections must be justified by the client indicating the reason. In the case of on-site inspections, the client will reimburse the contractor for the expenses incurred, including the personnel costs for the care and accompaniment of the inspection personnel on site, to an appropriate extent. The basis for the cost calculation will be communicated to the client by the contractor before the inspection is carried out.

(4) At the option of the contractor, proof of compliance with the technical and organizational measures instead of an on-site inspection can also be provided by presenting a suitable, current test report, reports or report excerpts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors or quality auditors) or appropriate certification, if the audit report enables the client to be convinced of compliance with the technical and organizational measures in accordance with Appendix 3 to this contract in an appropriate manner. If the client has justified doubts about the suitability of the audit document within the meaning of the sentence 1, an on-site inspection by the client can be carried out. The client is aware that an on-site inspection in data centers is not possible or is only possible in exceptional cases.

(5) In the event of measures by the supervisory authority against the client pursuant to Article 58 GDPR, particularly with regard to disclosure and control obligations, the contractor is obliged to provide the necessary information to the client and to enable the supervisory authority concerned to carry out an on-site inspection. The client is to be informed by the contractor of any planned measures.

(6) The parties agree that control measures for the processing of personal data at mobile workplaces to protect the personal rights of other persons at these mobile workplaces primarily take place by controlling the implementation of the measures to be taken by the contractor in accordance with Section 8 (2) and (3). An inspection of the mobile workplace of employees by the contractor is to be made possible for the client based on specific occasions.

10. Subcontracting Arrangements

(1) The contractor is entitled to use the subcontractors specified in Annex 2 to this contract for the processing of data on behalf of the client. Changing subcontractors or engaging additional subcontractors is permissible under the conditions set out in paragraph 2.

(2) The contractor must carefully select and review the subcontractor before engaging them to ensure they can comply with the agreements made between the client and the contractor. The contractor must particularly ensure, before and regularly during the contract term, that the subcontractor has implemented the technical and organizational measures required under Art. 32 GDPR to protect personal data. The contractor must inform the client in text form in the event of a planned change of subcontractor or engagement of a new subcontractor at least 4 weeks before the change or new engagement (“Notification”). The client has the right to object to the change or new engagement of the subcontractor in text form within four weeks of receiving the “Notification,” providing a reason. The client may withdraw the objection in text form at any time. If an objection is raised, the contractor may terminate the contract with the client with a notice period of at least 14 days at the end of a calendar month, considering the client’s interests. If no objection is raised by the client within three weeks of receiving the “Notification,” this will be deemed as the client’s consent to the change or new engagement of the relevant subcontractor.

(3) The contractor must confirm that the subcontractor has appointed a Data Protection Officer in accordance with Art. 37 GDPR if the subcontractor is legally required to do so.

(4) The contractor must ensure that the provisions agreed in this contract and any supplementary instructions from the client also apply to the subcontractor.

(5) The contractor must enter into a data processing agreement with the subcontractor that meets the requirements of Art. 28 GDPR. Additionally, the contractor must impose the same obligations on the subcontractor regarding the protection of personal data as those agreed between the client and the contractor. The contractor must provide the client with a copy of the data processing agreement upon request.

(6) The contractor must ensure, through contractual agreements, that the client’s and supervisory authorities’ control rights (Section 9 of this contract) also apply to the subcontractor and that appropriate control rights are agreed. It must also be contractually agreed that the subcontractor must tolerate these control measures and any on-site inspections.

(7) Services that the contractor obtains from third parties as pure ancillary services to perform its business activities, such as cleaning services, telecommunications services without a specific relation to services provided to the client, postal and courier services, and transportation services, are not considered subcontracting relationships as per paragraphs 1 to 6. However, the contractor is obliged to ensure that appropriate precautions and technical and organizational measures have been taken to protect personal data even for ancillary services provided by third parties. Maintenance and servicing of IT systems or applications constitute a subcontracting relationship requiring consent and data processing as per Art. 28 GDPR if they involve accessing personal data processed on behalf of the client.

11. Confidentiality Obligation

(1) The contractor is obliged to maintain confidentiality regarding any data they receive or become aware of in connection with the contract when processing data for the client.

(2) The contractor must familiarize their employees with the relevant data protection regulations and commit them to confidentiality.

(3)The contractor must provide proof of their employees’ confidentiality obligation to the client upon request.

12. Safeguarding Data Subject Rights

(1) The client is solely responsible for safeguarding data subject rights. The contractor is obliged to assist the client in processing requests from data subjects under Art. 12-23 GDPR. The contractor must promptly provide the necessary information to the client to enable them to fulfill their obligations under Art. 12(3) GDPR.

(2) If the contractor’s involvement is necessary to safeguard data subject rights, particularly regarding access, rectification, restriction, or deletion, the contractor will take the required measures as instructed by the client. The contractor will support the client with suitable technical and organizational measures in responding to data subject rights requests.

(3) Regulations regarding possible remuneration for additional work resulting from assisting the client in safeguarding data subject rights remain unaffected.

13. Confidentiality Obligations

(1) Both parties agree to treat all information received in connection with this contract as confidential and only use it for contract execution. Neither party is entitled to use this information for any other purposes or disclose it to third parties.

(2) This obligation does not apply to information that either party has received from third parties without a confidentiality obligation or that is publicly known.

14. Remuneration

Any regulations regarding remuneration for services must be agreed upon separately between the parties.

15. Technical and Organizational Data Security Measures

(1) The contractor commits to complying with the technical and organizational measures necessary to adhere to applicable data protection regulations, including the requirements of Art. 32 GDPR.

(2) The current state of technical and organizational measures at the time of contract signing is attached as Annex 3 to this contract. The parties agree that changes to these measures may be necessary to adapt to technical and legal developments. Significant changes that may impact the integrity, confidentiality, or availability of personal data must be coordinated with the client in advance. Minor technical or organizational changes that do not negatively affect the integrity, confidentiality, and availability of personal data can be implemented by the contractor without prior coordination with the client. The client may request an updated version of the technical and organizational measures once a year or on justified occasions.

(3) The contractor will regularly and on an ad-hoc basis review the effectiveness of the technical and organizational measures they have implemented.

16. Duration of the Contract

(1) The contract is an appendix to the main contract and begins upon its signing. It continues for the duration of the main contract between the parties regarding the use of the contractor’s services by the client.

(2) The client may terminate the contract without notice if the contractor commits a serious breach of applicable data protection regulations or the obligations under this contract, if the contractor is unable or unwilling to follow the client’s instructions, or if the contractor unlawfully refuses access to the client or the competent supervisory authority.

17. Termination

(1) Upon termination of the contract, the contractor must return or delete all documents, data, and created processing or usage results that have come into their possession in connection with the contractual relationship, as chosen by the client. The deletion must be appropriately documented.

(2)The contractor may retain personal data processed in connection with the contract beyond the contract term if they are legally required to do so. In such cases, the data may only be processed for the purposes of fulfilling the legal retention obligations. The data must be deleted immediately after the retention period ends.

18. Right of Retention

The parties agree that the contractor cannot assert the right of retention under § 273 BGB concerning the processed data and associated data carriers.

19. Final Provisions

(1) If the client’s property at the contractor is endangered by third-party measures (e.g., seizure or confiscation), insolvency proceedings, or other events, the contractor must inform the client immediately. The contractor must inform creditors promptly that the data is processed on behalf of the client.

(2) Any side agreements require the written form.

(3) Should any parts of this contract be invalid, this does not affect the validity of the remaining provisions of the contract.