Data Processing Agreement
Provisions on data protection and data security for commissioned data processing
concluded by and between
– Controller –
(hereinafter referred to as “the Controller”)
c/o trivago N.V.
– Processor –
(hereinafter referred to as “the Processor”)
(Both jointly hereinafter referred to as “Parties”)
In order to specify the rights and obligations arising from the contractual data processing relationship in accordance with the statutory obligation under Art. 28 of the GDPR, the contracting Parties conclude the following agreement.
1. Subject matter, nature and purpose of processing
- the subject matter of the processing arises from the Terms and Conditions (hereinafter referred to as “Main Agreement”), to which this refers to. An additional processing of personal data of the Controller by the Processor is not intended.
- The processing of personal data takes place exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union, in Switzerland or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country requires the prior documented instruction of the Controller (Art. 28 para. 3 lit. a GDPR) and may only take place if the special requirements of Art. 44 – 49 GDPR are fulfilled.
2. Type of personal data, categories of data subjects
(1) Type of data:
☒ Personal master data
☒ Communications data (e.g. telephone, e-mail)
☒ Contract data (contractual relationship, product or contractual interests)
☒ Customer/client history
☒ Contract billing information and payment information
☒ Information provided by third parties (e.g. credit agencies or public directories)
(2) Categories of data subjects:
☒ Customers (business customer)
☒ Customers (consumer)
☒ Prospective Customers
3. Duration of the commission
- The duration of this commission (“Term“) corresponds to the duration of the Main Agreement.
- Irrespective of the provisions of the Main Agreement, the Controller may terminate this Agreement at any time without notice if the Processor has committed a serious breach of the provisions of this Agreement, if the Processor cannot or does not wish to carry out instructions from the Controller, or if the Processor refuses to provide information or to grant the Controller access within the context of inspections, contrary to the contract. After termination, the Processor may no longer process any personal data of the Controller.
4. Responsibility and authority to issue instructions
- The Controller is responsible for compliance with data protection regulations, in particular for the lawfulness of data transfer to the Processor and for the lawfulness of data processing (Art. 4 no. 7 GDPR). The Processor shall not use the data for any other purpose and in particular shall not be entitled to pass them on to third parties. Copies and duplicates will not be made without the Controller’s knowledge. Exceptions shall apply only to the extent specified in paragraph 2 of this clause.
- The Processor processes personal data only on documented instruction from the Controller, unless otherwise required under Union law or the law of the Member State to which the Processor is subject. In the event of any contrary obligation, the Processor shall immediately inform the Controller of the corresponding legal requirements before processing.
- If the Processor is of the opinion that an instruction infringes data protection regulations, the Processor shall inform the Controller without delay in accordance with Article 28 para. 3 sentence 3 GDPR. The Processor shall be entitled to suspend the execution of the instruction until such instruction has been confirmed or changed.
The Processor shall only employ persons for the execution of the work who have committed themselves to confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b GDPR and who have previously been acquainted with the data protection provisions relevant to them. The Processor and any person under the Processor’s control who has access to personal data may process such data exclusively in accordance with the instructions of the Controller, including the powers conferred in this Agreement, unless they are under a statutory obligation to process the data.
6. Data Security
- The Processor shall take appropriate technical and organisational measures for the appropriate protection of personal data, in accordance with Art. 28 para. 3 lit. c GDPR in conjunction with Art. 32 para. 1 GDPR, in order to guarantee the security of the processing by the Processor. For this purpose, the Processor shall
- ensure the confidentiality, integrity, availability and resilience of systems and services in connection with processing in the long term,
- ensure the ability to quickly restore the availability of and access to personal data in the event of a physical or technical incident; and
- maintain a procedure for the regular review, assessment and evaluation of the effectiveness of technical and organisational measures to ensure the safety of processing.
The state of the art, the costs of implementation and the nature, scope and purpose of processing, as well as the risk of varying likelihood and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account.
- The contracting Parties agree on the data security measures laid down in Attachment 1 “Technical and organisational measures” to this Agreement.
- The technical and organisational measures are subject to technical progress and further development. In this respect, the Processor is permitted to implement alternative adequate measures. The safety level may not fall below the specified measures. Significant changes must be documented and communicated to the Controller in writing.
7. Engagement of other processors (subcontractors)
- For the purposes of this provision, subcontractors shall be processors commissioned by the Processor whose services relate directly to the provision of the main service. This does not include ancillary services used by the Processor, for example, telecommunication services, postal/transport services and cleaning. However, the Processor is obliged to take appropriate and legally compliant contractual agreements and control measures to guarantee data protection and data security of the Controller’s data, even in the case of outsourced ancillary services.
- The outsourcing to subcontractors or the change of the existing subcontractor is permitted, as far as:
- the Processor notifies the Controller in advance with a reasonable period of time in writing or in text form of such outsourcing to subcontractors, and
- the Controller does not raise an objection against the planned outsourcing in writing or in text form until the date of handover of the data to the Processor.
- A contractual agreement is to be concluded with the subcontractor in accordance with Art. 28 para. 3 and 4 GDPR, which meets the requirements for confidentiality, data protection and data security of this Agreement. The Controller shall be entitled to inspect the Processor’s contracts with subcontractors and to demand that the Processor send a copy of these contracts.
- If the subcontractor provides the agreed service outside the EU/EEA, the Processor shall ensure the admissibility with regard to data protection law by means of appropriate measures.
- Further outsourcing by the subcontractor requires the express consent of the Controller (at least in text form). All contractual provisions in the contract chain must also be imposed on the other subcontractors.
8. Support in protecting the rights of data subjects
- The Processor is obliged to support the Controller with appropriate technical and organisational measures to protect the rights of the data subjects as specified in Art. 12 to 22 GDPR (Art. 28 para. 3 sentence 2 lit. e GDPR). In particular, the Processor shall support the Controller in fulfilling the claims of data subjects for deletion of their personal data in accordance with Article 17 GDPR.
- If data subjects are able to exercise the right to data portability against the Controller, the Processor shall ensure that they can receive the data, which they have provided to the Controller, in a structured, commonly used and machine-readable format.
- The Processor may only correct, delete or restrict the processing of personal data in accordance with documented instructions from the Controller (Art. 28 para. 3 sentence 2 lit. g GDPR). The Contractor may only provide information to third parties or the persons concerned after prior written consent by the Controller.
- If a data subject contacts the Processor directly in order to assert his rights in accordance with Articles 12 to 22 of the GDPR, the Processor will forward the request to the Controller without delay.
9. Support with documentation and reporting obligations
- If, according to Art. 37 GDPR, Section 37 BDSG-new, the Processor is legally obliged to appoint a data protection officer, the Processor shall inform the Controller of the data protection officer’s contact details for the purpose of direct contact. A change of the data protection officer must be reported to the Controller immediately.
As data protection officer for the Processor,
Mr. Felix Hudy, intersoft consulting services AG, Beim Strohhause 17, 20097 Hamburg, Phone: +49 40 790 235 – 278 | Mobile: +49 151 619 419 76 | E-Mail: FHudy@intersoft-consulting.de
has been appointed. The contact person for data protection issues must be in a position, upon the Controller’s request, to provide proof that the Processor complies with the requirements of international and national data protection laws.
- If the Processor becomes aware of a violation of the protection of personal data, he shall immediately notify the Controller of this violation pursuant to Art. 28 para. 3 lit. f, Art. 33 para. 2 GDPR. The same applies if persons employed by the contractor violate this Agreement.
- After consultation with the Controller, the Processor shall immediately take the necessary measures to secure the data and to minimise any possible adverse consequences for the data subjects.
- The Processor shall support the Controller with all information at his disposal in fulfilling the information obligations in relation to the competent supervisory authority in accordance with Art. 33 GDPR and, if applicable, in relation to the data subjects affected by the violation of the protection of personal data in accordance with Art. 34 GDPR.
- The Processor shall support the Controller with all information at his disposal in the data protection impact assessment pursuant to Art. 35 GDPR and, if necessary, in a prior consultation with the competent supervisory authority pursuant to Art. 36 GDPR.
- The Processor shall inform the Controller without delay of any checks and measures taken by the supervisory authority insofar as they relate to this Agreement.
10. Termination of the commission
- At the choice of the controller, the Processor deletes or returns all the personal data to the Controller after the end of the provision of services relating to processing, and deletes existing copies unless Union or Member State law requires storage of the personal data;
- The Processor shall, without explicit request, prove to the Controller in text form with date indication that he has returned all data carriers and other documents to the Controller or that he has destroyed or deleted them in accordance with data protection regulations and has therefore not retained any of the Controller’s data.
- The Processor shall keep any and all documentation which serves as evidence of the orderly and lawful data processing for the Controller beyond the end of the contract. The Processor can return them to the Controller at the end of the contract for his discharge.
11. Control rights of the Controller
- The Controller is entitled to regularly check the technical and organisational measures as well as compliance with this Agreement and data protection regulations before and during the provision of services relating to processing. For this purpose, the Controller or an authorized auditor may inspect the data processing equipment and the data processing systems of the Processor.
- For this purpose, the Processor shall be obliged to grant the Controller, during normal business hours and with a reasonable prior notification period, access to the premises where the Controller’s data are physically or electronically processed. The Controller coordinates the inspections with the Processor in such a way that the operating procedures of the Processor are affected as little as possible.
- The Processor shall provide the Controller with all necessary information to prove the technical and organisational measures as well as compliance with this Agreement and data protection regulations. This information especially includes current attestations, reports or report extracts from independent bodies (e. g. financial auditors, external experts, IT security or data protection auditors) and suitable certification (e. g. according to the Basic Protection of the BSI – German Federal Office for Information Security). The contractor provides immediately the Controller with specific information on a case-by-case basis.
- Pursuant to Art. 82 para. 1 GDPR, the Controller and the Processor are liable in their external relationship for material and immaterial damage suffered by a person due to an infringement of the GDPR. If both the Controller and the Processor are responsible for such damage in accordance with Art. 82 para. 2 GDPR, the Parties shall be liable internally for such damage in proportion to their share of responsibility. If, in such a case, a person asserts a claim for damages in whole or in part against one of the Parties, the other party may demand indemnification or indemnity from the other party to the extent that this is in proportion to their share of responsibility.
- The Processor is also liable to the Controller for compliance with data protection regulations by the subcontractors, which he uses to fulfil his tasks. The fault of subcontractors shall be attributed to the Processor as if it were his own fault.
- The Processor shall assist the Controller with all information at its disposal if the Controller is subject to administrative or criminal proceedings, to the liability of an affected person or a third party or to any other claim in connection with the processing of data with the Processor.
13. Final provisions
- Data carriers and data records provided to the Processor remain the property of the Controller.
- If individual or several clauses of this Agreement should be ineffective, the effectiveness of the remaining agreement is not affected. In the event that individual or several provisions of the contract are invalid, the Parties shall immediately replace the invalid provision with a provision which most closely resembles the invalid provision in terms of commercial interests and data protection.
- In the event of a contradiction between the Main Agreement and this Agreement, this Agreement shall take precedence in so far as the contradiction concerns the processing of personal data.
- All services provided by the Processor in connection with the fulfilment of his obligations under this Agreement shall be settled with the remuneration from the Main Agreement.
- The following Attachments form an integral part of this Agreement
- Attachment 1 “Technical and organisational measures”
- Attachment 2 “Approved subcontractors”