Data Processing Agreement
in accordance with Art. 28 GDPR
Introductory provisions
Pursuant to Art. 28 GDPR, the client or user, as the data controller under data protection law, is obliged to conclude a so-called data processing agreement (hereinafter referred to as DPA) with Invitario, which defines the subject matter of the processing, the type and purpose of the processing, the type of personal data, the categories of data subjects and the obligations and rights of the contracting parties. If no individual DPA is concluded between the contractor and Invitario in an individual case, the provisions of the following standard DPA are expressly agreed.
Data processing agreement (DPA) pursuant to Art. 28 GDPR
Data Processing Agreement (DPA) pursuant to Art. 28 GDPR between the client or user of the Invitario internet service as the controller – hereinafter referred to as the client – and Invitario GmbH, Lerchenfelder Straße 74/1/6, 1080 Vienna, Austria as the processor – hereinafter referred to as the contractor.
1. Object and duration of the order
a. Object of the order
The Contractor is a provider of software for participant management (hereinafter referred to as Invitario), which is used by the Client as an Internet service. The parties have concluded a contract for the use of the software and any additional services, which are described in detail in the respective order confirmation by the Contractor. In order for the contractor to provide the services, personal data is processed on behalf of the client.
This processor agreement is part of the contract and sets out the obligations of both parties that are required to comply with the applicable data protection law, in particular the EU General Data Protection Regulation (GDPR).
b. Duration of the order
The duration of this order (term) corresponds to the term stated in the order confirmation.
2. Specification of the order content
The processing of personal data carried out on behalf of the client is carried out for the organization and implementation of events, in particular for inviting, registering, managing, billing and recording participation.
The client is solely responsible for the legality of the data, the obtaining of any consents and the use of the functions provided by Invitario.
The scope, type and purpose of the processing of personal data by the contractor for the client are specifically described in the order confirmation. The contractor does not collect or process any other data of the participants.
The contractually agreed data processing takes place exclusively in the territory of the Federal Republic of Germany, the Republic of Austria, in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 ff GDPR are fulfilled.
a. Type of data
The following types of data are subject to the processing of personal data:
- Personal master data (e.g. name, title, address). Which data is requested from participants is determined by the client.
- Communication data (e.g. telephone, e-mail). Which data is requested from participants is determined by the client.
- Reaction behavior of participants when using Invitario: Recording of registration and deregistration for the event.
- Data of participants at events: Recording of check-in (time) or interactions and, if applicable, personal data. Which data is requested from participants is determined by the client.
- Contract billing and payment data (only for chargeable events).
- Other data imported into Invitario by the client or requested by the participant when registering for an event.
- Usage data of the licensed users, e.g. login/logout to the software, access to and actions on data in the Invitario software, etc.
- The contractor is entitled to carry out evaluations of the processed data in anonymized form and to use the results of these evaluations for its own purposes.
b. Categories of data subjects
The group of persons affected by the handling of their personal data within the scope of this contract includes:
- Contacts of the client whose data the client has imported into Invitario and who are invited to one or more events.
- Participants in events who have either registered for an event themselves via the Invitario software or have been registered by the client.
- The client’s employees who use the Invitario software as licensed users.
3. Technical and organizational measures (TOM)
The contractor must document the implementation of the TOM set out in the run-up to the award of the contract before the start of processing, in particular with regard to the specific execution of the contract, and submit it to the client for review. If accepted by the client, the documented measures become the basis of the order. If the client’s review reveals a need for adjustment, this must be implemented by mutual agreement.
The Contractor shall establish security in accordance with Artt. 28 para. 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 para. 1 and para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the costs of implementation and the nature, scope and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account.
TOMs are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative adequate measures. The security level of the defined measures must not be undercut. Significant changes must be documented. The TOM applicable at the time of conclusion of the contract are attached as Annex 1 to this GCU. The Contractor is entitled and obliged to adapt the TOM to the current state of the art. It can prove the suitability of the TOM to the client, in particular by means of test reports.
4. Correction, blocking and deletion of data
The contractor may not correct, delete or restrict the processing of data processed on behalf of the client without authorization, but only in accordance with documented instructions from the client. If a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Client without delay.
If included in the scope of services, the erasure concept, right to be forgotten, rectification, data portability and thus information shall only be ensured directly by the contractor in accordance with documented instructions from the client. The obligation to provide a data protection-compliant SaaS solution in accordance with the principles of privacy by design and privacy by default as a performance obligation remains unaffected by this.
5. Quality assurance and other obligations of the contractor
In addition to complying with the provisions of this contract, the Contractor shall have statutory obligations pursuant to Art. 28 to 33 GDPR; in this respect, it ensures compliance with the following requirements in particular:
- Mr. Stefan Grossek, +43-1-3613610, datenschutz@invitario.com, is designated as the contact person for data protection at the contractor.
- The protection of confidentiality pursuant to Artt. 28 para. 3 S. 2 lit. b, 29, 32 para. 4 GDPR is guaranteed. When carrying out the work, the Contractor shall only deploy employees who are bound to confidentiality and who have been familiarized with the relevant data protection provisions. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the powers granted in this contract, unless they are legally obliged to process it. In such cases, the Contractor shall inform the Client unless it is legally obliged to maintain confidentiality vis-à-vis the Client.
- The implementation of and compliance with all technical and organizational measures required for this order in accordance with Artt. 28 para. 3 S. 2 lit. c, 32 GDPR.
- The Client and the Contractor shall cooperate with the supervisory authority in the performance of its tasks upon request. It is agreed that the client shall be informed immediately of any inspection activities and measures taken by the supervisory authority insofar as they relate to this order. This also applies insofar as a competent authority conducts investigations in the context of administrative offense or criminal proceedings relating to the processing of personal data in the course of commissioned processing at the contractor.
- If the Client is subject to an inspection by the supervisory authority, administrative offense or criminal proceedings, a liability claim by a data subject or a third party or any other claim in connection with the commissioned processing at the Contractor, the Contractor shall support the Client to the best of its ability.
- The Contractor shall regularly monitor the internal processes and the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
- Verifiability of the technical and organizational measures taken vis-à-vis the client within the scope of its control powers in accordance with Section 7 of this contract.
6. Subcontracting relationships
The Contractor may commission subcontractors (further processors), whereby it must select these carefully. The Client agrees to the commissioning of those subcontractors (hereinafter referred to as sub-processors) of the Contractor that are available at the following URL: https://support.invitario.com/portal/kb/articles/sub-auftragsverarbeiter
The Contractor shall inform its Clients of any intended change with regard to the involvement or replacement of other processors or sub-processors (hereinafter collectively referred to as “Sub-Processors”) by electronic means at least 14 days before the change, giving the Client the opportunity to object to such changes by electronic means within 14 days, otherwise the involvement shall be deemed approved.
If the Contractor uses another sub-processor to carry out certain processing activities on behalf of the Client, the same data protection obligations shall be imposed on this sub-processor by way of a processor agreement (DPA), whereby in particular sufficient guarantees must be provided that the appropriate technical and organizational measures (TOM) are implemented in such a way that the processing is carried out in accordance with the requirements of the applicable data protection law.
If a client objects within 14 days of notification, the contractor can resolve the objection by taking the following measures: (a) The Contractor shall not use the Sub-Processor for the processing of the Client’s personal data, (b) or measures are taken to eliminate the essential reason for the client’s objection, (c) or the service provided via the sub-processor concerned is not provided, which will be refunded in the case of remuneration already paid in advance. If none of these options is accepted by the client and the objection has not been remedied within 14 days of receipt of the objection, either party may terminate the contract for cause with reasonable notice. Personal data of the client will not be processed by the sub-processor covered by the objection.
Services that the contractor uses from third parties as an ancillary service to support the execution of the order are not to be understood as subcontracting relationships within the meaning of this provision. These include, for example, telecommunications services, maintenance and user services, cleaning staff or inspectors.
The contractor is obliged to make appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the client’s data, even in the case of ancillary services outsourced.
In particular, the Contractor shall ensure that Artt. 45 ff. GDPR are complied with.
7. Control rights of the client
The client alone is responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.
The Client has the right to carry out inspections by mutual agreement with the Contractor or to have them carried out by inspectors to be named in individual cases. It shall have the right to satisfy itself of the Contractor’s compliance with this Agreement in its business operations by means of spot checks, which must generally be notified in good time.
The Contractor shall ensure that the Client can satisfy itself of the Contractor’s compliance with its obligations under Art. 28 GDPR, where necessary and possible. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.
The Contractor may claim remuneration for enabling the Client to carry out inspections. Inspections shall take place after reasonable advance notice and during the Contractor’s business hours and, as a rule, not more frequently than every 12 months.
8. Notification of violations by the contractor
The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. These include, among others:
a) ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential breach through security vulnerabilities and allow for the immediate detection of relevant breach events.
b) the obligation to report personal data breaches to the client without delay.
c) the obligation to support the client within the scope of his duty to inform the data subject and to provide him with all relevant information in this context without delay.
d) the support of the client for its data protection impact assessment.
e) supporting the client in the context of prior consultations with the supervisory authority.
The Contractor may claim remuneration for support services that are not included in the service description or are attributable to misconduct on the part of the Contractor.
9. Authority of the client to issue instructions
The client shall confirm verbal instructions without delay (at least in text form).
The contractor must inform the client immediately if it is of the opinion that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the execution of the corresponding instruction until it is confirmed or amended by the Client.
10. Obligations of the client
The Client shall be liable to the Contractor for ensuring that the data provided for processing by the Contractor has been collected lawfully and that the Contractor is authorized to process data in accordance with this Agreement and the Service Agreement. If claims are made by third parties in this respect (e.g. by affected persons), the Client shall indemnify and hold the Contractor harmless in this respect.
Furthermore, as the controller within the meaning of the GDPR, the client undertakes to safeguard all data subject rights such as the right of access, the right to rectification, the right to erasure (“right to be forgotten”), the right to restriction of processing, the right to data portability and the right to object and to take immediate action if the contractor forwards requests in this regard.
In the event that the client uses “third party apps”, it must ensure on its own responsibility that the providers of the applications used by it fulfill all the necessary requirements under data protection law and that all agreements under data protection law, such as the so-called data processing agreement (“DPA”), are concluded by the client with the respective provider.
“Third-party apps” are third-party software integrated by Invitario itself or on its behalf, exclusively at the instigation of the client, on the client’s event website(s), which may also gain access to the personal data of website visitors. This may involve, for example, embedding content from platforms such as YouTube or Vimeo, using tools such as Zoom or Microsoft Teams, using Google Tag Manager to manage cookies, and any HTML/JS code.
The end customer must be informed clearly and transparently by the client about the use of “third-party apps” and the end customer must also be informed that the third-party apps integrated on event websites are processors of the respective client, so that the contractor is neither the controller nor the processor in this respect. The Client shall indemnify and hold the Contractor harmless in the event of a breach of these obligations.
The client is therefore solely liable to the end customer for all claims arising from the use of the third-party apps and shall indemnify and hold the contractor harmless in the event of a claim based on a breach of these obligations.
11. Deletion of data
Copies or duplicates of the data will not be created without the knowledge of the client. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data required to comply with statutory retention obligations.
After completion of the contractually agreed work or earlier at the request of the Client – at the latest upon termination of the service agreement – the Contractor shall destroy all documents, processing and usage results and data pertaining to the contractual relationship that have come into its possession, subject to prior consent and taking into account statutory or legal retention obligations in accordance with data protection regulations. The same applies to test and scrap material.
Documentation on the events processed via the Contractor’s Internet service, any fee-based transactions processed via this service and guest data which serve the Client as proof of proper data processing in accordance with the order shall be stored exclusively by the Client beyond the end of the contract in accordance with the respective retention periods.
Documentation of the business relationship between the Client and the Contractor, which serves as proof of proper data processing in accordance with the order, shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods. The Contractor may hand it over to the Client at the end of the contract in discharge of this obligation.