Data Processing Agreement
According to Art. 28 (3) General Data Protection Regulation (GDPR)

Version 1.0, last updated: 2024-06-23

1. Subject-matter and duration of the processing

1.1 The subject matter of the Agreement is the rights and obligations of the parties in the context of the provision of services in accordance with the service description and general terms and conditions (hereinafter referred to as the main contract), insofar as easyqrcodes.net (hereinafter referred to as the processor) processes personal data on behalf of the client as controller (hereinafter referred to as the client) according to Art. 28 GDPR. This includes all activities that the processor performs to fulfill the contract and that represent a data processing on behalf of the controller. This also applies if the order does not explicitly refer to this Data Processing Agreement.

1.2 The duration of the processing corresponds to the term agreed in the contract.

2. Nature and purpose of the processing

2.1 The nature of the processing includes all types of processing as defined by the GDPR to fulfill the main contract.

2.2 Purposes of processing are all purposes required to provide the contracted services (see also Appendix 1 service description) in particular in terms of QR code generation, the provision of QR code images, client support, payment processing and invoicing.

3. Type of personal data and categories of data subjects

3.1 The type of processed data is determined by the client via the product selection, the uses of the services, and the transmission of data. See also the service description and the general terms and conditions.

3.2 The categories of data subjects are determined by the client via the product selection, the uses of the services, and the transmission of data. See also the service description and the general terms and conditions.

4. Responsibility and processing on documented instructions

4.1 The client is solely responsible for complying with the legal requirements of data protection laws, in particular, the legality of the transfer of data to the processor and the legality of data processing under this Agreement ('Controller' in the sense of Art. 4 no. 7 GDPR). This also applies to the purposes and means of processing set out in this Agreement.

4.2 The instructions are initially determined by the main contract and can then be changed by the client in writing or in an electronic format (text form) by individual instructions (individual instruction). Verbal instructions must be confirmed immediately in writing or in text form. In the event of proposed changes, the processor shall inform the client of the effects that this will have on the agreed services, in particular, the possibility of providing services, deadlines, and remuneration. If the implementation of the instruction is not reasonable for the processor, the processor is entitled to terminate the processing. Unacceptability exists in particular if the services are provided in an infrastructure that is used by several clients/customers of the processor (shared services), and a change in the processing for individual clients is not possible or is unreasonable.

4.3 The contractually agreed data processing takes place, as a rule, mainly in a Member State of the European Union or in another contracting state of the Agreement on the European Economic Area. In the event that a transfer to a third country takes place, the processor shall ensure that the requirements pursuant to Art. 44 ff. GDPR are fulfilled.

5. Rights of the clients, obligations of the processor

5.1 The processor may process data of data subjects only within the framework of the order and the documented instructions of the client, unless there is an exceptional case within the meaning of Article 28 (3) (a) GDPR (obligation under the law of the European Union or of a Member State). This also refers to transfers of personal data to third countries or international organisations. If there is a processing obligation contrary to an instruction, the processor shall inform the client of the relevant legal requirement before processing, unless the law in question prohibits such information due to an important public interest. The processor shall inform the client without delay if it considers that an instruction violates applicable laws. The processor may suspend the implementation of the instruction until it has been confirmed or modified by the client. The instructions shall be documented by the Client and kept for at least the duration of the contractual relationship.

5.2 In the light of the nature of the processing, the processor shall, as far as possible, assist the client with appropriate technical and organisational measures in order to fulfill the rights of the data subjects laid down in Chapter III of the GDPR. The processor is entitled to demand appropriate compensation from the client for these services. The processor shall provide the client with cost information in advance, insofar as the support was not required due to a breach of law or contract by the processor.

5.3 The processor shall assist the client in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR taking into account the nature of processing and the information available to the processor. The processor is entitled to demand appropriate compensation from the client for these services, insofar as the support was not required due to a breach of law or contract by the processor. The processor shall provide the client with cost information in advance.

5.4 The processor ensures that the employees involved in the processing of the data of the client and other persons acting on behalf of the processor are prohibited from processing the data outside the instruction issued. Furthermore, the processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The same applies to the social secrecy, secrecy of telecommunications according to § 3 TTDSG (German Telecommunications and Telemedia Data Protection Act) and – in knowledge of criminal liability – for the preservation of secrets of professional secrecy according to § 203 StGB (German Penal Code). The obligation of confidentiality/secrecy persists even after the order has been completed.

5.5 The processor shall inform the client immediately if it becomes aware of violations of the protection of personal data of the client. The processor shall take the necessary measures to safeguard the data and to mitigate possible adverse consequences for the data subjects.

5.6 The processor guarantees the written appointment of a Data Protection Officer, who shall carry out his/her activity in accordance with Art. 38 and 39 GDPR. A contact option will be published on the website of the processor.

5.7 At the end of the provision of the processing services, the processor will, at the choice of the client, either delete or return the personal data, unless there is an obligation under European Union or national law to retain the personal data, or something else results under any other contractual arrangements. If the client does not exercise this option, deletion is deemed agreed. If the client chooses to return, the processor can demand a reasonable compensation. The processor shall provide the client with cost information in advance.

5.8 If a data subject asserts claims for compensation according to Art. 82 GDPR, the processor shall support the client in defending the claims within the scope of its possibilities. The processor may require an appropriate remuneration for this.

6. Obligations of the client

6.1 The client must immediately and completely inform the processor if it identifies errors or irregularities with regard to data protection regulations when carrying out the order.

6.2 In the event of termination, the client undertakes to delete personal data which it has stored during its service, before the termination of the Contract.

6.3 At the request of the processor, the client appoints a contact person for data protection matters.

7. Request from the data subjects

If the data subject approaches the processor with requests for correction, deletion or information, the processor shall refer the data subject to the Client, provided that an assignment to the Client is possible according to the information of the data subject. The processor shall immediately forward the request of a data subject to the client. The processor shall support the client within the scope of its possibilities. The processor shall not be liable if the request of the data subject is not answered by the client, not answered correctly or not answered in due time.

8. Measures for the security of processing, according to Art. 32 GDPR

8.1 The processor will take appropriate technical and organizational measures in its area of responsibility to ensure that the processing is carried out in accordance with the requirements of the GDPR and ensure the protection of the rights and freedoms of the data subjects. In accordance with Art. 32 GDPR, the processor shall take appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of the processing systems and services in the long run.

8.2 The current technical and organizational measures of the processor will be provided to the client upon request.

9. Proof and verification

9.1 The processor shall provide the client with all the information necessary to prove compliance with the obligations laid down in Art. 28 GDPR and shall allow and contribute to audits, including inspections, carried out by the client or another auditor appointed by the client. The processor is entitled to demand a declaration of confidentiality from the client and its appointed auditor, which shall not, however, prevent the client from providing evidence to the supervisory authority responsible for him. The Processor may reject direct competitors of the Client or persons who work for direct competitors of the Client as auditors.

9.2 The processor may require reasonable compensation for information and assistance, insofar as the audit and/or inspection was not required because of a breach of law or contract by the processor. The processor shall provide the client with cost information in advance.

10. Subprocessors (other processors)

10.1 The client grants the processor the general permission to use other processors within the meaning of Art. 28 GDPR for the fulfilment of the contract.

10.2 The processors currently used are listed in the attachment. The Client agrees to their use.

10.3 The processor shall inform the client if it intends to withdraw or replace other processors. The client may object to such changes.

10.4 The objection to the proposed change can only be raised against the processor for a factual reason within 14 days of receipt of the information about the change. In the event of an objection, the processor may choose to provide the service without the intended change or, if the performance of the service without the intended change is not reasonable for the processor, stop providing its service affected by the change to the client within a reasonable time (at least 14 days) after receipt of the objection.

10.5 If the processor places orders with other processors, it is the processor's responsibility to impose its data protection obligations under this Contract on the other processor. The processor shall ensure, in particular through regular checks, that the other processors comply with the technical and organisational measures.

11. Liability and compensation

11.1 In the case of assertion of a claim for compensation by a data subject pursuant to Art. 82 GDPR, the parties undertake to support each other and to contribute to the clarification of the underlying facts.

11.2 The liability regulation agreed between the parties in the main contract for the provision of services shall also apply to claims arising from this Data Processing Agreement and the internal relationship between the parties for claims of third parties under Art. 82 GDPR, unless expressly agreed otherwise.

12. Contract period, miscellaneous

12.1 The agreement begins with the initiation by the client by using any of the services listed in Appendix 1. It ends with the cessation of the use of any of the services listed in Appendix 1. If any data processing on behalf of the client still takes place after termination of this contract, the regulations of these agreements are valid until the actual end of the processing.

12.2 The processor may amend the Agreement at its reasonable discretion. In particular, the processor expressly reserves the right to unilaterally amend this agreement if major legal changes in relation to this agreement occur. The processor shall inform the client of the changes by highlighting the changes to this Agreement and providing a current "last updated" date.

12.3 The client acknowledges this agreement as part of the general terms and conditions concerning the services used by him. In the event of any contradictions, the provisions of this Agreement for data processing shall prevail over the provisions of the main contract. Should individual parts of this Agreement be ineffective, this does not affect the validity of the remaining agreements.

12.4 The exclusive place of jurisdiction for all disputes arising from and in connection with this contract is the registered office of the processor. This applies subject to any exclusively legal place of jurisdiction. This Contract is subject to the statutory provisions of the Federal Republic of Germany.

12.5 If the data of the client is endangered by seizure or confiscation, by a bankruptcy or settlement procedure, or by events or measures of third parties, the processor shall inform the client immediately. The processor will inform all persons responsible in this connection without delay that the sovereignty and the ownership of the data lie exclusively with the client as the 'Controller' within the meaning of the GDPR.

Appendix 1 - Service description

QR code generation/provision of QR code images

Service description: The client may enter any text into the provided input area(s). The client can generate QR codes, i.e. convert the entered text into QR code images via the website of the processor. The client can download the QR code images in .png format.

Type of personal data: The client may enter any data into the provided input area(s). It is not the responsibility of the processor to check the content of the data.

Categories of data subjects: It is not the responsibility of the processor to check the content of the data and which data subjects might be affected by the data entered by the client.

Client support

Service description: The client can contact the processor via the email addresses provided on the website. The processor will answer the client’s questions and try to help with any problems.

Type of personal data: The client may include any data in the email sent to the processor. It is not the responsibility of the processor to check the content of the data.

Categories of data subjects: It is not the responsibility of the processor to check the content of the data included in the client's email and which data subjects might be affected by the data included in the client's email.

Payment processing/Invoicing

Service description: Prior to downloading the QR code images, the client will pay for the service provided by the processor. The client can choose between different payment methods offered by Paypal. After the payment has been processed, the client can download the QR code images. For the payment process, the client will be redirected to the website of Paypal. Paypal will process the payment and provide the processor with the payment status. This status will be used to determine if the payment was successful. Paypal will provide the processor with personal data of the client, such as the name, email address, payment status, amount paid and address. This data provided by Paypal will be used by the processor to determine due taxes.

Type of personal data: The client will have to enter personal data into the payment form provided by Paypal. The data entered by the client will be processed by Paypal and be used to process the payment. Paypal will provide the processor with personal data of the client, such as the name, email address, payment status, amount paid and address.

Categories of data subjects: customers

Approved subprocessors/additional processors

Subprocessor | Address | Brief description of the service
Paypal | 22-24 Boulevard Royal, L-2449 Luxembourg | Payment processing
Heroku | SALESFORCE, 415 Mission Street, Suite 300, San Francisco, CA, 94105, USA | Hosting of the website
STRATO AG | Otto-Ostrowski-Strasse 7, 10249 Berlin, Germany | Mail Server services
Microsoft | Central and Eastern Europe Headquarters Konrad-Zuse-Str. 1, 85716 Unterschleissheim, Germany | OneDrive Cloud-Hosting for Office365 files
Last updated: 2024-06-23