Data Processing Agreement
1. Subject Matter
As part of the provision of services under the User Agreement for the Langdock Platform (hereinafter referred to as the "Main Contract"), it is necessary for the Processor to process personal data for which the Controller acts as the data controller within the meaning of data protection regulations (hereinafter referred to as "Controller Data"). This Agreement specifies the rights and obligations of the Parties under data protection law in connection with the Processor's processing of Controller Data for the performance of the Main Contract.
2. Scope of Data Processing
- The Processor shall process Controller Data on behalf of and in accordance with the instructions of the Controller within the meaning of Art. 28 GDPR. The Controller shall remain the controller within the meaning of data protection law.
- The processing of Controller Data by the Processor shall be carried out in the manner, to the extent and for the purpose specified in Appendix 1 to this Agreement; the processing concerns the types of personal data and categories of data subjects specified therein. The duration of the processing corresponds to the term of the Main Contract.
- The processing of Controller Data by the Processor shall generally take place within the European Union or in another state party to the Agreement on the European Economic Area (EEA). The Processor is nevertheless permitted to process Controller Data outside the EEA in compliance with the provisions of this Agreement if the Processor informs the Controller in advance of the place of data processing and the requirements of Art. 44-48 GDPR are met or an exception pursuant to Art. 49 GDPR applies.
3. Instructions by the Controller
- The Processor shall process the Controller Data in accordance with the Controller's instructions, unless the Processor is legally obliged to process the data otherwise. In the latter case, the Processor shall notify the Controller of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest.
- The Controller's instructions are in general conclusively defined and documented in the provisions of this Agreement. Individual instructions that deviate from the provisions of this Agreement or impose additional requirements shall require the prior consent of the Processor and shall be made in accordance with the amendment procedure set out in the Main Contract, in which the instruction shall be documented and the assumption of any additional costs incurred by the Processor as a result shall be governed.
- The Processor warrants that it processes the Controller Data in accordance with the Controller's instructions. If the Processor is of the opinion that an instruction of the Controller violates this Agreement or the applicable data protection law, the Processor shall be entitled, after notifying the Controller accordingly, to suspend the execution of the instruction until the Controller confirms the instruction. The Parties agree that the sole responsibility for processing the Controller Data in accordance with the instructions lies with the Controller.
4. Responsibility of the Controller
- The Controller is solely responsible for the lawfulness of the processing of the Controller Data and, between the Parties, for safeguarding the rights of the data subjects. Should any third parties assert claims against the Processor due to the processing of Controller Data in accordance with this Agreement, the Controller shall indemnify the Processor against all such claims upon first request, insofar as these claims are not based on intentional or grossly negligent conduct on the part of the Processor. For additional processors pursuant to Clause 7, Langdock shall be liable in accordance with Clause 13 as if for its own fault.
- The Controller shall be responsible for making the Controller Data available to the Processor in good time for the provision of services under the Main Contract and shall be responsible for the quality of the Controller Data. The Controller shall inform the Processor immediately and in full if the Controller discovers errors or irregularities with regard to data protection regulations or its instructions when reviewing the results of the Processor’s data processing.
- Upon request, the Controller shall provide the Processor with the information specified in Art. 30 (2) GDPR, unless this information is already available to the Processor.
- If the Processor is obliged towards a government agency or a person to provide information about the processing of Controller Data or to cooperate with such bodies in any other way, the Controller shall support the Processor upon first request in providing such information or fulfilling other obligations to cooperate.
5. Requirements for Personnel
The Processor shall oblige all persons who process Controller Data to maintain confidentiality with regard to the processing of Controller Data.
6. Security of Processing
- The Processor shall take appropriate technical and organizational measures in accordance with Art. 32 GDPR, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing of the Controller Data as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, to ensure a level of security for the Controller Data appropriate to the risk.
- The Processor shall be permitted to change or adapt technical and organizational measures during the term of the contract as long as such measures continue to meet the statutory requirements.
7. Use of Sub-Processors
- The Controller hereby grants the Processor general permission to engage sub-processors with regard to the processing of Controller Data. The sub-processors engaged at the time of the conclusion of the Agreement are set out in Appendix 2. In general, contractual relationships with service providers that involve the testing or maintenance of data processing procedures or equipment or other ancillary services are not subject to approval, even if access to Controller Data cannot be excluded in the process, provided the Processor takes appropriate measures to protect the confidentiality of Controller Data.
- The Processor shall inform the Controller of any intended changes with regard to the involvement or replacement of sub-processors. The Controller shall have the right to object to the engagement of a potential sub-processor. An objection may only be raised by the Controller for good cause to be proven to the Processor. If the Controller does not raise an objection within 14 days of receipt of the notification, its right of objection to the corresponding assignment shall expire. If the Controller raises an objection, the Processor shall be entitled to terminate the Main Contract and this Agreement with a notice period of 30 days.
- The contract between the Processor and the sub-processor shall impose the same obligations on the sub-processor as are imposed on the Processor under this Agreement.
- Subject to compliance with the requirements of Section 2 (5) of this Agreement, the provisions of this Section 7 shall also apply if a sub-processor in a third country is involved. In this case, the Processor shall agree with the sub-processor the EU standard contractual clauses for the transfer of personal data to processors in third countries of June 4, 2021, Module 3.
8. Rights of the Data Subject
- The Processor shall support the Controller with technical and organizational measures to the extent reasonable to comply with the Controller’s obligation to respond to requests to exercise the rights of data subjects.
- If a data subject makes a request directly to the Processor to exercise their rights, the Processor shall forward this request to the Controller in a timely manner.
- The Processor shall provide the Controller with information about the stored Controller Data, the recipients of Controller Data to whom the Processor transfers Controller Data in accordance with this Agreement and the purpose of the storage, unless such information is available to the Controller.
- The Processor shall enable the Controller to correct, delete or restrict the processing of Controller Data within the scope of what is reasonable and necessary or to carry out the correction, deletion or restriction of processing itself at the request of the Controller if and to the extent that this is impossible for the Controller itself.
- Insofar as the data subject has a right to data portability vis-à-vis the Controller with regard to the Controller Data in accordance with Art. 20 GDPR, the Processor shall support the Controller in providing the Controller Data in a common and machine-readable format within the scope of what is reasonable and necessary, if the Controller cannot obtain the data in any other way.
- Insofar as the Processor incurs costs as a result of supporting the Controller in fulfilling its obligations towards data subjects in accordance with this section that exceed usual and reasonable expenses, the Controller shall reimburse the Processor for these additional costs.
9. Notification and Support Obligations of the Processor
- If the Controller is subject to a statutory reporting or notification obligation due to a breach of the protection of Principal Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Controller immediately after becoming aware of any reportable events in its area of responsibility. The Processor shall support the Controller in complying with the reporting and notification obligations at the Controller’s request within the scope of what is reasonable and necessary. Section 8.6 shall apply accordingly.
- The Processor shall support the Controller, to the extent reasonable and necessary, in any data protection impact assessments to be carried out by the Controller and any subsequent consultations with the supervisory authorities pursuant to Art. 35, 36 GDPR in return for reimbursement of the expenses and costs incurred by the Processor as a result.
10. Data Deletion
- The Processor shall delete or return the Controller Data after termination of this Agreement, unless the Processor is legally obliged to continue storing the Controller Data.
- Documentation that serves as proof of the proper processing of Controller Data in accordance with this Agreement may be retained by the Processor after expiry of the Agreement.
11. Verifications and Inspections
- The Processor shall provide the Controller, at the Controller's request, with all information necessary and available to the Processor to verify compliance with its obligations under this Agreement.
- The Controller shall be entitled to review the Processor with regard to compliance with the provisions of this Agreement, in particular the implementation of the technical and organizational measures, including by means of inspections.
- In order to carry out inspections in accordance with Section 11 (2), the Controller shall be entitled to enter the Processor's business premises where Controller Data is processed during normal business hours (Mondays to Fridays from 10 a.m. to 6 p.m.) at its own expense, without disrupting business operations and subject to strict confidentiality of the Processor's business and trade secrets, after giving timely advance notice in accordance with Section 11 (5).
- The Processor shall be entitled, at its own discretion, taking into account the Controller's legal obligations, not to disclose information that is sensitive with regard to the Processor's business or if the Processor would violate legal or other contractual regulations by disclosing such information. The Controller shall not be entitled to access data or information about other clients of the Processor, to information regarding costs, to quality inspection and contract management reports and to any other confidential data of the Processor that is not directly relevant to the agreed review purposes.
- The Controller shall inform the Processor in good time (in general at least two weeks in advance) of all circumstances relating to the performance of the inspection. The Controller may carry out one inspection per calendar year. Further inspections shall be carried out against reimbursement of costs and after consultation with the Processor.
- If the Controller commissions a third party to carry out the inspection, the Controller shall oblige the third party in writing in the same way as the Controller is obliged to the Processor under this Section 11. In addition, the Controller shall oblige the third party to maintain confidentiality and secrecy, unless the third party is subject to a professional obligation of confidentiality. At the request of the Processor, the Controller shall immediately submit to the Processor the obligation agreements with the third party. The Controller shall not commission a competitor of the Processor with the inspection.
- At the Processor's discretion, proof of compliance with the obligations under this Agreement may also be provided by means of submitting a suitable, current certificate or report from an independent body (e.g. auditor, internal audit, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit - e.g. in accordance with BSI basic protection - ("Audit Report") instead of an inspection, if the Audit Report reasonably enables the Controller to verify compliance with the contractual obligations.
12. Term and Termination
The term and termination of this Agreement shall be governed by the provisions on the term and termination of the Main Contract. Termination of the Main Contract shall automatically result in termination of this Agreement. An individual termination of this Agreement is excluded.
13. Liability
- The exclusions and limitations of liability under the Main Contract shall apply to the Processor's liability under this Agreement. To the extent that third parties assert claims against the Processor which have their cause in a culpable breach by the Controller of this Agreement or of any of its obligations as the controller under data protection law, the Controller shall indemnify the Processor against such claims upon first request, insofar as these claims are not based on intentional or grossly negligent conduct on the part of the Processor.
- The Controller shall indemnify the Processor upon first request against any fines imposed on the Processor to the extent that the Controller is responsible for the breach sanctioned by the fine.
14. Final Provisions
- Should individual provisions of this Agreement be or become invalid or contain a gap, the remaining provisions shall remain unaffected. The Parties shall replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision and meets the requirements of Art. 28 GDPR.
- In the event of contradictions between this Agreement and other agreements between the Parties, in particular the Main Contract, the provisions of this Agreement shall take precedence.
- Only the German version of this Agreement shall be legally binding. The English translation is provided for information purposes only.