Custom Apps Data Processing Addendum (DPA)
Agreement on the processing of personal data ordered pursuant to Article 28 paragraph 3 General Data Protection Regulation (hereinafter “GDPR”) between the Customer (hereinafter referred to as the “Controller”) and Scandio GmbH, Fritz-Schäffer-Str. 2, 81737 München, Germany (hereinafter referred to as the “Processor”) – with Controller und Processor together referred to as the “Parties” .
§1 Scope of the Agreement
(1) Within the framework of performance of the Main Agreement (Annex 1), it is necessary for the Processor to deal with personal data for which the Customer is the Controller, as defined by Article 4 paragraph 7 GDPR (hereinafter referred to as “Customer Data”). This Agreement contains the provisions, in particular the data protection rights and obligations of the Parties, concerning the Processor’s handling of Customer Data for performance under the Main Agreement.
The order covers the service described in the Main Agreement.
(2) Without prejudice to (3) below, the Processor shall process the personal data exclusively in a Member State of the European Union or in a state that is a party to the Agreement on the European Economic Area.
(3) If the Processor has the processing of personal data handled in a third country (i.e. outside the European Union or a state that is a party to the Agreement on the European Economic Area), it shall require the Controller’s prior written or electronically documented consent and shall only occur to the extent that the special requirements of Article 44 et seq . of the GDPR are met.
§2 Nature, scope and purpose of the order processing
(1) The Processor shall process Customer Data only on behalf of (§1 (1) hereof) and upon documented instructions from the Controller as defined by Article 28 paragraph 3(a) GDPR. The respective Main Agreement is the basis of the processing operations to be carried out by the Processor. By installing the respective product, the Processor issues the instructions for data processing. Additional instructions are sent via the communication channel in Annex 3.
(2) The Processor shall exclusively process the Customer Data as described in Annex 2 hereto, in terms of nature, scope and purpose. The processing of Customer Data by the Processor relates exclusively to the categories of data subjects subsequently described in Annex 2 hereto. The Processor is prohibited from any Customer Data processing that deviates from or extends beyond this, in particular use of the Customer Data for its own purposes. In view of the nature of the Agreement, the Controller acknowledges that the Processor can neither maintain nor review the table referred to in Annex 2. The Controller is obliged to notify the Processor of all required changes to the list in Annex 2 via the specified communication channel (Annex 3). The Controller is also obliged not to provide the Processor any personal data not covered by Annex 2 until the table has been updated accordingly.
§3 Authority of the Controller
(1) The Processor shall exclusively process the Customer Data in accordance with the provisions contained in this Agreement and other instructions from the Controller.
(2) The Controller shall issue all instructions and orders in writing or documented electronic format.
(3) The Controller is obliged to confidentially treat all knowledge of the Processor’s business secrets and data security measures acquired within the framework of the contractual relationship. This obligation shall remain in force even after termination of this Agreement.
(4) Those authorized and entitled by the Controller are specified in Annex 3. For the issuance of instructions, the communication channel specified in Annex 3 shall be used.
(5) As a rule, instructions are to be issued by the Controller’s authorized representative or substitute. The Controller shall notify the Processor of any change in those authorized to act or their substitutes, naming a representative as soon as possible via the communication channel specified in Annex 3. Until such notification has been received by the Processor, those specified in Annex 3 shall continue to be authorized to issue instructions.
(6) The Processor is to notify the Controller of any change in those entitled, their substitutes, or of the permanent prevention of the latter, with a representative named via the communication channel specified in Annex 3. Until such notification has been received by the Controller, those specified shall continue to be considered as entitled to receive instructions from the Controller.
(7) If the Processor is reasonably of the opinion that an instruction from the Controller infringes this Agreement or the applicable data protection law (see Article 28 paragraph 3 sentence 2 GDPR), it must notify the Controller immediately. After timely prior notification to the Controller of at least a 14-day period, the Processor is to suspend implementation of the instruction pending confirmation or change of instruction by the Controller. If the Controller confirms the instructions with a brief justification in writing, the Processor is obliged to follow them. In this case, the Parties agree that the Controller alone shall be liable for the lawfulness of the processing.
§4 Rights and duties of the Controller
(1) Externally, in particular to third parties and data subjects, the Controller is solely liable for the assessment of the lawfulness of the personal data processing pursuant to Article 6 paragraph 1 GDPR and for the protection of the rights of data subjects pursuant to Articles 12-22 GDPR. Nevertheless, as far as legally permissible, the Processor is obliged to forward all requests by data subjects to the Controller, as far as these are recognizably directed to the Controller. The Processor shall assist the Controller appropriately in answering requests from data subjects (such as rectification, erasure and restriction of processing) and is entitled to charge reasonable compensation for this.
(2) The Controller is the owner of the Customer Data and, in the relationship of the parties to each other, holder of any rights to the Customer Data.
(3) The Controller shall be responsible for providing the Customer Data to the Processor in good time for contractual performance under the Main Agreement. Further, the Controller shall be liable for the quality and lawfulness of collection of the Customer Data. The Controller must notify the Processor immediately and fully if it finds errors or irregularities regarding data protection regulations or its instructions when examining the results contracted.
(4) In the event that a third party or data subject brings a claim directly against the Processor for violations of rights and/or related claims, the Controller undertakes to indemnify the Processor for all damages, costs/fees, including legal or other expenses or losses arising from the claim, to the extent that the Processor has notified the Controller of the assertion of the claim and has given it the opportunity to cooperate with the Processor in defending against the claim.
§5 Rights and duties of the Processor
(1) The Processor is obliged to process personal data exclusively within the framework of the Agreements made pursuant to the instruction of the Controller. This shall not apply if the Processor is obliged to perform other processing under the law of the EU or of Member States to which the Processor is subject (e.g. investigations by state authorities or law enforcement agencies). In this case, the Processor shall notify the Controller of these legal requirements prior to processing, unless the law in question prohibits such notification due to a significant public interest (see Article 28 paragraph 3 (a) GDPR).
(2) The Processor shall not use the Customer Data provided by the Controller for processing for any other purpose, in particular for its own purposes. The Processor shall not make copies or duplicates of the Customer Data without the Controller’s prior written consent, to the extent and as long as not required to ensure proper data processing and performance of the services under the Main Agreement (including data backup) or compliance with statutory retention requirements.
(3) The Processor shall not hand Customer Data over to third parties or other recipients without the Controller’s prior written consent. Exceptions to this include data transfers to subcontrollers whose assignment the Controller has accepted pursuant to §10 (5).
(4) The Processor shall only provide third parties or authorities with information about personal Controller Data from this contractual relationship, to the extent legally permissible, after prior written or electronically documented instructions or approval by the Controller.
(5) If the Controller is obliged to provide information about the Controller Data or the processing thereof to a governmental body, data subject or another person, the Processor is obliged to assist the Controller in the provision of such information, at first request, in particular by immediately providing all information and documents concerning the contractual processing of the Customer Data, including the technical/organisational measures taken by the Processor, the technical procedure in using the Customer Data, the locations where the Customer Data is used and the employees involved in the processing.
(6) The Processor undertakes to:
fulfil the rights of the data subjects under Article 12-22 GDPR,
fulfil the obligation under Article 32-36 GDPR,
prepare directories of processing activities,
the required data protection impact assessments of the Controller,
as well as comply with the Controller’s obligations regarding to the security of the processing
The Processor undertakes to cooperate to the extent necessary and adequately assisting the Controller as far as possible (see Article 28 paragraph 3 (e) and (f) GDPR). The respective information required for this shall be forwarded to the Controller entity specified in Annex 3.
(7) The Processor shall be obliged to rectify, erase or restrict the processing of personal data resulting from this contractual relationship if the Controller so requests by means of a written or electronically documented instruction and this does not conflict with the Processor’s legitimate interests, in particular the observance of statutory provisions.
(8) Both Controller and Processor shall agree on making any change in the processing subject matter or procedure. This change shall be recorded in writing or in a documented electronic format.
(9) For these support actions under §5, the Processor is entitled to a charge reasonable fee.
(10) The Processor confirms that it has appointed a qualified company Data Protection Officer (hereinafter “DPO”), with specialist knowledge in particular, pursuant to Article 37 et seq. GDPR. The DPO named for the Processor is provided in Annex 4. If this changes, the system shall be updated immediately and the Controller notified in writing or electronically via the communication channel specified in Annex 3.
(11) The Processor is entitled to process data outside the office premises (e.g. with the Processor’s employees working from home.
§6 Confidentiality obligation and observance of secrecy rules
(1) The Processor confirms that it is familiar with the relevant GDPR data protection regulations, in particular with regard to order processing (Article 28 GDPR).
(2) The Processor undertakes to maintain confidentiality in the orderly processing of the Controller’s personal data. This shall continue after the end of the Agreement.
(3) The Processor warrants that it shall familiarize those employed in carrying out the data processing, prior to commencing the activity, with the data protection provisions relevant to them. For the term of their employment and also after termination of employment, these employees have undertaken to maintain the appropriate confidentiality (Articles 28 paragraph 3 (b) and 29 GDPR).
(4) The Processor shall document these obligations. At the Controller’s request, the Processor shall prove compliance with this provision by providing the respective undertakings, or by any other appropriate means.
§7 Technical and organisational measures under Article 32 GDPR (Article 28 paragraph 3 (c) GDPR)
(1) The Processor shall take all technical and organisational measures required to maintain the necessary processing levels during the contractual period to ensure that the level of protection of the rights and freedoms of individuals affected by the processing is appropriate for the specific processing agreed. The protection objectives of Article 32 paragraph 1 GDPR, such as confidentiality, integrity and availability of systems and services, as well as resilience in terms of the nature, scope, circumstances and purpose of the processing shall be taken into account in order to minimize risk during the contract period.
(2) The Processor shall undertake a review, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure processing security at a set time, but at least once a year (Article 32 paragraph 1 (d) GDPR). The results concerning contractual data as well as the complete audit report shall be made available to the Controller, upon written request, for a reasonable fee.
(3) The Processor shall notify the Controller if the measures taken by the Processor do not meet the Controller’s requirements.
(4) During the contractual relationship, the Processor is entitled to adapt measures to technical and organisational developments, provided that these do not fall below the standards agreed.
§8 Notification obligations of the Processor in case of processing disruptions and breaches in personal data protection
(1) With regard to Customer Data processing, the Processor is obliged to notify the Controller of any disruptions or breaches of data protection regulations or the provisions hereof by the Processor (or those with access to Customer Data employed by the latter).
(2) The Processor is further obliged to notify the Controller immediately of any data breaches or major irregularities in the processing of the Controller’s personal data, in particular if there is evidence - for whatever reason - that a third party may have obtained unlawful knowledge of the Customer Data or if the integrity or confidentiality of the Controller’s data is endangered in any other.
(3) The notification obligations of (1) and (2) exist in particular with regard to any Controller reporting and notification obligations pursuant to Articles 33 and 34 GDPR.
(4) If necessary, the Processor shall assist the Controller in the fulfilment of its obligations pursuant to Articles 33 and 34 GDPR (see Article 28 paragraph 3 (f) GDPR).
(5) Notifications pursuant to Articles 33 and 34 GDPR may only be made by the Processor to the Controller upon prior written or electronically documented instructions.
(6) For these support actions under §8, the Processor is entitled to charge a reasonable fee.
§9 Control rights of the Controller
(1) Before starting processing and regularly thereupon, the Controller is entitled to satisfy itself, in an appropriate way, with the compliance of the technical and organisational measures taken by the Processor and the obligations set out herein, as well as with the relevant legal data protection provisions (see Article 28 paragraph 3 (h) GDPR). If the Controller ascertains errors or irregularities in this or in any other examination of the agreed outcomes, the Processor shall be notified immediately thereof.
(2) To carry out the checks as defined by (1), the Controller is entitled to enter the Processor’s business premises where the Customer Data is processed during normal business hours (Monday to Friday, according to Marketplace Listing of the product at marketplace.atlassian.com) at its own expense, without disrupting operations, and strictly maintaining the secrecy of the Processor’s business- and trade secrets.
(3) The Controller shall notify the Processor in due time (usually at least two weeks in advance) of all circumstances related to carrying out the inspection. As a rule, the Controller may carry out one inspection per calendar year. Notwithstanding this, the Controller’s right remains to carry out further checks in the event of special occurrences.
(4) The Processor shall grant the Controller all rights of access, information and inspection required by the Processor to carry out the inspection. In particular, the Processor undertakes to grant the Controller access to the data processing equipment, files and other documents to enable the monitoring and verification of the relevant data processing equipment, files and other documentation related to Customer Data processing. The Processor shall provide the Controller with all information required for the inspection. The Controller hereby takes due consideration of the Processor’s operating procedures and legitimate confidentiality interests.
(5) The Processor shall receive a reasonable lump-sum allowance from the Controller for each of its inspections within the scope of these checks.
(6) If the Controller commissions a third party to carry out the inspection, the Controller must oblige the third party, in writing, as the Controller is also obliged to the Processor on the basis of §9 hereof. In addition, the Controller must oblige the third party to confidentiality and compliance with rules to protect confidential information, unless the third party is already subject to a professional confidentiality obligation. At the Processor’s request, the Controller must immediately provide it with the confidentiality agreements with the third party. The Controller undertakes not to entrust the inspection to any competitor of the Processor.
(7) Upon written request, the Processor shall provide the Controller with the current certifications, if and insofar as such certification exists, and/or test reports, if and insofar as the Controller has commissioned a test report in order to regularly review the effectiveness of the technical and organisational measures.
§10 Subcontracting relationships (Article 28 paragraph 3 (d) GDPR)
(1) The Processor is only permitted to commission subcontractors for the Controller’s data processing with the Controller’s prior written consent (Article 28 paragraph 2 GDPR). This approval shall be given by the authorized person or representative (see §3(5)) in writing or electronically, but not verbally.
(2) The Processor shall only appoint a third country subcontractor if the special requirements of Article 44 et seq. GDPR are met (e.g. adequacy decision of the Commission, standard data protection clauses, approved codes of conduct).
(3) The Processor shall conclude subcontracting agreements in writing. This form requirement (Article 28 paragraph 9 GDPR) is also met if in electronic format.
(4) The Processor shall ensure that subcontractor(s) are obliged in the subcontracting agreement, in writing, to provide a standard that does not fall short of the standard agreed herein. Furthermore, the Processor ensures that the responsibilities between Processor and subcontractor and possibly also between multiple subcontractors are clearly delineated. The Processor shall ensure that the Controller is entitled to carry out an appropriate evaluation and inspection with subcontractors, also on site, if necessary, or have these carried out by third parties commissioned by it, unless proof of GDPR compliance can be provided by certification or approval pursuant to Article 43 GDPR.
(5) The Controller hereby agrees to the substantiation of the subcontracting conditions according to Annex 5. Alterations to the subcontracting conditions shall be disclosed by the Processor in Annex 5.
(6) Pursuant to Annex 3, the Processor shall notify the Controller in a timely manner of any intended change regarding the addition of new or replacement of previous subcontractors. The Controller shall have the opportunity to object to these changes for good cause within 30 days (Article 28 paragraph 2 GDPR). This objection must be in writing and substantiated. Unless approved or objected to within the 30-day period, the relevant subcontractor shall be deemed approved. If the Controller lawfully objects and the Processor cannot comply with the objection, the Processor shall immediately notify the Controller thereof. Within one month of notification by the Processor, the Controller shall be entitled to terminate the Main Agreement in writing.
§11 Data return and deletion (Article 28 paragraph 3 (g) GDPR)
(1) The Processor is prohibited from actively processing Customer Data after termination of this Agreement; further storage of the Customer Data only remains permitted until the Processor has provided this Customer Data to the Controller as intended, or deleted or destroyed it; in this case, the provisions of this Agreement shall continue to apply even after termination of the Agreement, until such time as the Processor no longer has any Customer Data.
(2) The Controller may delete its personal data and/or create a copy until expiration of the contractual relationship. After the end of the Agreement, the Processor shall delete all personal Customer Data unless legal requirements require a longer retention period. The data shall then be deleted, no later than 6 months after the end of the Agreement, earlier upon corresponding instructions.
(3) The Processor is entitled to charge a reasonable fee for cancellation and destruction under §11.
§12 Entry into force; contract duration and termination
(1) This Agreement shall enter into force with effect from 25 May 2018.
(2) The duration of this Agreement corresponds to the duration of the Main Agreement. The regulations on the normal termination of the Main Agreement apply accordingly. Termination of the Main Agreement automatically causes termination of this Agreement. Termination of this Agreement in isolation is excluded.
(3) The right of the Parties to extraordinary termination of this Agreement and of the Main Agreement for good cause remains unaffected.
(4) In the event of termination of this Agreement, the main Agreement may only be continued if the Processor is excluded from processing the Customer Data. In case of doubt, a termination of the Main Agreement also applies as a termination of this Agreement and a termination of this Agreement also applies as a termination of the main Agreement.
§13 Final Provisions
(1) Amendments, additions to and the termination of this Agreement must be in writing or agreed in a documented electronic format. This also applies to a change or cancellation of the written form requirement.
(2) Agreements on technical and organisational measures as well as monitoring and supervision documents (including of subcontractors) must be retained by both Parties for their validity term and for three full calendar years thereafter.
(3) If individual provisions of this Agreement are or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The parties undertake to replace the ineffective provision with a legally permissible provision that comes closest to the purpose of the invalid provision and best meets the requirements of Article 28 GDPR.
(4) In case of contradictions between this Agreement and other agreements between the parties, in particular the Main Agreement, the provisions of this Agreement shall prevail.
Annex 1 - Main agreement
Customer Agreement: EULA
Annex 2 - Purpose, nature of processing and categories of data subjects
The below tables describe the nature of personal data and categories of data subjects of the Controller that can generally be processed as part of the Processor’s service list.
In view of the nature of the service, the Controller acknowledges that the Processor can neither review nor maintain the below table. The Controller undertakes to notify the Processor of any changes to the table below (via the communication channel specified in Annex 3).
The following processes are available no matter which app or apps you use and regardless of whether you use Cloud or Server apps.
Purposes of processing
Categories of processing
Categories of personal data
Categories of data subjects
Help users from the Controller's organisation to resolve usage problems or error situations and thus contribute to the value of the app for the Controller and improvement of the apps and documentation.
In customer support usage problems or error situations are reported by users from the Controller's organisation via the mechanism described in Annex 3. In the course of the support process reporters might be asked to provide
Data is provided through the support tool (Jira Service Desk, see Annex 5), or in cases where the data provided is too large for that mechanism, reporters can choose to provide their own mechanism of data transfer. The received data is then analysed manually or automatically for causes or indicators of reported usage problems or error situations.
The process is agnostic of any data supplied to it. For reporting a problem or error situations the
will be stored. Example categories of personal data are:
The ControlIer must inform the Processor if he processes additional categories of personal data inside Confluence, JIRA or the app.
The Controller must inform the Processor if he processes data of additional categories of data subjects inside Confluence, JIRA or the app.
The apps are only usable with valid licenses. Licenses; i.e. commercial, evaluation and community or academic licenses; are distributed through the Atlassian Marketplace.
my.atlassian.com is transferred to the Processor. The Processor will send informational email when evaluating or using a new app via sub-processor (MailChimp, see Annex 5). The Processor might also send transactional email informing receivers about their licenses via sub-processor (MailChimp, see Annex 5)
Data for a license includes:
The Processor’s Server apps do not process data at the Processor or one of its sub-processors other than other than for the processes described above.
Annex 3 - Authorized persons, entitled persons, Communication channel
Authorized persons under this Agreements are the contacts listed at my.atlassian.com for the respective product identified by the SEN (Service Entitlement Number).
Instructions are to be transmitted by the following communication channel:
Email to firstname.lastname@example.org
Annex 4 - Data Protection Officer
The Processor confirms that it has appointed a qualified company Data Protection Officer, with specialist knowledge in particular and capable in the sense of Article 37 et seq. GDPR.
Data Protection Officer:
Proliance GmbH / www.datenschutzexperte.de
Any change in Data Protection Officer shall be communicated to the Controller in writing or electronically (pursuant to Annex 3).
Annex 5 - Sub-processors
The controller approves the following sub-processors to be used for the described purposes by the processor:
Atlassian, Atlassian Pty Ltd., Australia: We use Jira ServiceDesk tool for the creation, tracking and administration of support tickets. The Atlassian privacy statement can be found here.
Google, Inc., USA: We use the Google Analytics tool to track usage from visitors and users on our website. The Google privacy statement can be found here.