Data Processing Agreement According to Art. 28 (3) General Data Protection Regulation (GDPR)

Please note that in case of doubt, the German version takes precedence over the English version.
1. Subject and duration of processing
1.1 The subject matter of the Agreement is the rights and obligations of the parties in the context of the provision of services in accordance with the service description and general terms and conditions (hereinafter referred to as the main contract), insofar as STRATO AG (hereinafter referred to as the processor) processes personal data on behalf of the client as controller (hereinafter referred to as the client) according to Art. 28 GDPR. This includes all activities that the processor performs to fulfill the contract and that constitute data processing on behalf of the controller. This also applies if the order does not explicitly refer to this Data Processing Agreement.

1.2 The duration of the processing depends on the actual processing of personal data of the controller by the processor.
2. Nature and purpose of the processing
2.1 The nature of the processing includes all types of processing as defined by the GDPR to fulfill the contract.

2.2 Purposes of processing are all purposes required to provide the contracted services (see also Appendix 1 service description) in particular in terms of cloud services, hosting, Software as a Service (SaaS), and IT support.
3. Type of personal data and categories of data subjects
3.1 The type of processed data is determined by the client by the product selection, the configuration, the use of the services, and the transmission of data. See also the service description in Appendix 1.

3.2 The categories of data subjects are determined by the client via product selection, configuration, the use of the services, and the transmission of data. See also the service description in Appendix 1.
4. Responsibility and processing on documented instructions
4.1 The client is solely responsible for complying with the legal requirements of data protection laws, in particular the legality of the transfer of data to the processor and the legality of data processing under this Agreement ("controller" within the meaning of Art. 4 no. 7 GDPR). This also applies to the purposes and means of processing set out in this Agreement.

4.2 The instructions are initially determined by the main contract and can then be changed by the client in writing or in an electronic format (text form) by individual instructions (individual instruction). Verbal instructions must be confirmed immediately in writing or in text form. In the event of proposed changes, the processor shall inform the client of the effects that these will have on the agreed services, in particular the possibility of providing the services, deadlines, and remuneration. If the implementation of the instruction is not reasonable for the processor, the processor is entitled to terminate the processing and give extraordinary notice of termination of the contract. The controller's obligation to pay shall cease upon the processor's termination of the service. Unreasonableness exists in particular if the services are provided in an infrastructure that is used by several clients/customers of the processor (shared services), and a change in the processing for individual clients is not possible or is unreasonable.

4.3 The contractually agreed data processing takes place in a Member State of the European Union or in another contracting state of the Agreement on the European Economic Area, unless the transfer of data to third countries becomes necessary in order to provide the service. In the event that a transfer to a third country takes place, the processor shall ensure that the requirements pursuant to Art. 44 ff. GDPR are fulfilled.
5. Rights of the client, obligations of the processor
5.1 The processor may only process data of data subjects on the basis of documented instructions of the controller within the scope of the order. The instructions shall be specified in the contract at the beginning; however, there shall be no obligation to issue instructions unless there is an exceptional case within the meaning of Art. 28 (3) a) GDPR (obligation under the law of the European Union or of a Member State). This also refers to transfers of personal data to third countries or international organisations. If there is a processing obligation contrary to an instruction, the processor shall inform the client of the relevant legal requirement before processing, unless the law in question prohibits such information on important grounds of public interest. The processor shall inform the client without delay if it considers that an instruction violates applicable laws. The processor may suspend the implementation of the instruction until it has been confirmed or modified by the client. The instructions shall be documented by the client and kept for at least the duration of the contractual relationship.

5.2 In the light of the nature of the processing, the processor shall, as far as possible, assist the client with appropriate technical and organisational measures in fulfilling the client's obligations with respect to the rights of the data subjects laid down in Chapter III of the GDPR. The processor is entitled to demand appropriate compensation from the client for these services, insofar as the support was not required due to a breach of law or contract by the processor. The processor shall provide the client with cost information in advance.

5.3 The processor shall assist the client in ensuring compliance with the obligations pursuant to Art. 32 to 36 GDPR, taking into account the nature of processing and the information available to the processor. The processor is entitled to demand appropriate compensation from the client for these services, insofar as the support was not required due to a breach of law or contract by the processor. The processor shall provide the client with cost information in advance.

5.4 The processor ensures that the employees involved in the processing of the client's data and other persons acting on behalf of the processor are prohibited from processing the data outside the scope of the instructions issued. Furthermore, the processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation of confidentiality/secrecy persists even after the order has been completed.

5.5 The processor shall inform the client immediately if it becomes aware of violations of the protection of personal data of the client. The processor shall take the necessary measures to safeguard the data and to mitigate possible adverse consequences for the data subjects.

5.6 The processor guarantees the written appointment of a Data Protection Officer, who shall carry out his/her activity in accordance with Art. 38 and 39 GDPR. A contact option will be published on the website of the processor.

5.7 At the end of the provision of the processing services, the processor will, at the choice of the client, either delete or return the personal data, unless there is an obligation under European Union or national law to retain the personal data. If the client does not exercise this option, deletion is deemed agreed. If the client chooses return, the processor may demand reasonable compensation. The processor shall provide the client with cost information in advance.

5.8 If a data subject asserts claims for compensation according to Art. 82 GDPR, the processor shall support the client in defending the claims within the scope of its possibilities. The processor may demand reasonable compensation for this, insofar as the claims for damages are not based on a breach of law or contract by the processor.
6. Obligations of the client
6.1 The client must immediately and completely inform the processor if it identifies errors or irregularities with regard to data protection regulations when carrying out the order.

6.2 In the event of termination, the client undertakes to delete the personal data which it has stored during the term of the service before the termination of the contract.

6.3 At the request of the processor, the client appoints a contact person for data protection matters.
7. Requests from the data subjects
The processor shall immediately inform the controller of any request received from a data subject. It shall not respond to the request itself unless it has been authorised to do so by the controller. Taking into account the nature of the processing, the processor shall assist the controller in fulfilling the controller's obligation to respond to requests from data subjects to exercise their rights. In fulfilling these duties, the processor shall follow the instructions of the controller. The processor shall not be liable if the request of the data subject is not answered by the client, not answered correctly, or not answered in due time.
8. Measures for the security of processing according to Art. 32 GDPR
8.1 The processor will take appropriate technical and organisational measures in its area of responsibility to ensure that the processing is carried out in accordance with the requirements of the GDPR and ensure the protection of the rights and freedoms of the data subjects. In accordance with Art. 32 GDPR, the processor shall take appropriate technical and organisational measures to ensure the confidentiality, integrity, availability and resilience of the processing systems and services in the long term.

8.2 The current technical and organisational measures of the processor can be viewed at the following link. The Processor clarifies that the technical and organisational measures listed under the link are merely descriptions of a technical nature which are not to be regarded as part of this Agreement.

8.3 The processor will operate a procedure for the regular review of the effectiveness of the technical and organisational measures to ensure the security of processing in accordance with Art. 32 (1) lit. d) GDPR.

8.4 Over time, the processor will adapt the measures taken to developments in the state of the art and the risk situation. The processor reserves the right to change the technical and organisational measures taken, provided that the level of protection required under Art. 32 GDPR is maintained.
9. Proof and verification
9.1 The processor shall provide the client with all the information necessary to prove compliance with the obligations laid down in Art. 28 GDPR and shall allow and contribute to audits, including inspections, carried out by the client or another auditor appointed by the client. The processor is entitled to demand a declaration of confidentiality from the client and its appointed auditor, which shall not, however, prevent the client from providing evidence to the supervisory authority responsible for it. The processor may reject direct competitors of the client, or persons who work for direct competitors of the client, as auditors.

9.2 The processor may require reasonable compensation for information and assistance, insofar as the inspection was not required because of a breach of law or contract by the processor. The processor shall provide the client with cost information in advance.
10. Subprocessors (other processors)
10.1 The client grants the processor the general permission to use other processors within the meaning of Art. 28 GDPR for the fulfillment of the contract.

10.2 The processors currently used are listed in Appendix 2. The Client agrees to their use.

10.3 The processor shall inform the client if it intends to withdraw or replace other processors. The client may object to such changes.

10.4 An objection to the proposed change can only be raised against the processor for a factual reason within 14 days after receipt of the information about the change. In the event of an objection, the processor may choose to provide the service without the intended change or, if the performance of the service without the intended change is not reasonable for the processor, stop providing the service affected by the change to the client within a reasonable time (at least 14 days) after receipt of the objection. The controller's obligation to pay shall cease at the time the processor ceases to perform the service.

10.5 If the processor places orders with other processors, it is the processor's responsibility to impose its data protection obligations under this contract on the other processor. The processor shall ensure, in particular through regular checks, that the other processors comply with the technical and organisational measures.
11. Liability and compensation
11.1 In the case of assertion of a claim for compensation by a data subject pursuant to Art. 82 GDPR, the parties undertake to support each other and to contribute to the clarification of the underlying facts.

11.2 The liability regulation agreed between the parties in the main contract for the provision of services shall also apply to claims arising from this Data Processing Agreement and in the internal relationship between the parties for claims of third parties under Art. 82 GDPR, unless expressly agreed otherwise.
12. Contract period, miscellaneous
12.1 The agreement begins with its conclusion by the client. It ends with the end of the last contract under the respective client number. If any data processing on behalf of the client still takes place after termination of this contract, the provisions of this agreement remain valid until the actual end of the processing.

12.2 The processor may amend the Agreement at its reasonable discretion with reasonable notice. In particular, the processor expressly reserves the right to unilaterally amend this agreement if major legal changes in relation to this agreement occur. The processor shall separately inform the client of the significance of the planned amendment and shall furthermore grant the client a reasonable period of time to declare an objection. The processor shall inform the client in the notice of amendment that the amendment will become effective if the client does not object within the set period. In the event of an objection by the client, the processor shall have an extraordinary right of termination.

12.3 The client accepts this agreement as part of the general terms and conditions for the product(s) booked by the client. In the event of any contradictions, the provisions of this Data Processing Agreement shall prevail over the provisions of the main contract. Should individual parts of this Agreement be ineffective, this does not affect the validity of the remaining provisions.

12.4 The exclusive place of jurisdiction for all disputes arising from and in connection with this contract is the registered office of the processor. This applies subject to any exclusive statutory place of jurisdiction. This contract is subject to the statutory provisions of the Republic of Austria.

12.5 If the data of the client is endangered by seizure or confiscation, by a bankruptcy or settlement procedure, or by other events or measures of third parties, the processor shall inform the client immediately. The processor will inform all persons responsible in this connection without delay that the sovereignty and the ownership of the data lie exclusively with the client as the "Controller" within the meaning of the GDPR.
Appendix 1 to the World4You data processing contract - service description
Domain service description:
If you order a domain from us, we will take care of connecting and registering your domain with the responsible registry. In addition, maintaining registration, domain transfers and deregistration are part of the contract. The same applies to SSL certificates based on your domains.

Type of personal data: domain, master data (name, address, email, telephone number)
Categories of data subjects: Customers
Email service description:
When you order an email product from us, you will receive one or more email addresses. We create the appropriate mailboxes for you, which you can access via the web or which you can integrate into various clients. You can also create appointments and tasks and manage contacts in the web client according to the booked service. The product also includes a configurable spam filter.
Type of personal data: emails, contacts, appointments, domain
Categories of data subjects: Employees
Cloud storage service description:
Our cloud storage World4You-Cloud allows you to store your data in our data center, so you can access the data from anywhere and at any time. You can grant shares to specific folders and manage them.

Type of personal data: Data you store in the cloud
Categories of data subjects: Employees
Hosting service description:
If you order a hosting package from us, our service includes registering and connecting the domain as well as making the web space and databases available. Included services are SSL certificates and email. Using an SSL certificate, the data is transmitted encrypted between your website and the web server. With the Easy.Install Apps you can use various applications to build and manage websites. You also get access to the marketingRadar tool, which you can use to check and optimize the visibility and ranking of your website in search engines.

Type of personal data: content data of the website, domain, email data (see under mail product), data of your website visitors
Categories of data subjects: employees, visitors to the website
WordPress & WooCommerce Hosting
If you order one of our web hosting packages, which are specifically designed for use with the CMS WordPress or WordPress with the WooCommerce plug-in, you will receive the registration and connection of the domain, as well as the provision of the web space with directly installed databases for WordPress or WordPress including WooCommerce. Additionally included are SSL certificates that transmit encrypted data between your website and the web server, the online marketing tool marketingRadar, several email addresses with corresponding mailboxes and access to the World4You Cloud.

Type of personal data: content data of the website, domain, email data (see under mail product), data of your website visitors
Categories of data subjects: employees, visitors to the website
Server service description:
You can order virtual servers from us. We provide you with shared storage space on a server for this purpose.

Type of data processed: Data that you store on the server
Categories of data subjects: employees, visitors to the website
other SaaS products:
We also offer other Software-as-a-Service products. These include, for example - but not exclusively - online marketing tools, the possibility of creating a website using a homepage builder or the distribution of Office applications.

Type of data processed: Data you store on the services
Categories of data subjects: employees, customers, website visitors