Data Processing Agreement (“DPA”) for supplier+s

between

ctrl+s GmbH 
Lohmühlenstr. 65, 12435 Berlin 
(“ctrl+s”)

and

Customer

This DPA supplements the Agreement governing the provision of SaaS cloud-based services in conjunction with the supplier+s platform if and to the extent that ctrl+s processes personal data on behalf of Customer in the course of performance of the Agreement. To the extent not specifically provided for in the DPA, the provisions of the Agreement shall apply.

1. Scope, role of parties

1.1. This DPA applies to the processing of personal data by ctrl+s to provide the services as defined in the Agreement. 

1.2. For the purposes of this DPA, Customer is the data controller and ctrl+s is the data processor, processing personal data on Customer’s behalf. 

1.3. Customer is responsible for compliance with its obligations as data controller under the applicable privacy and data protection requirements, in particular for justification of any transmission of personal data to ctrl+s and for its decisions concerning the processing and use of personal data.

2. Instructions for processing, categories of personal data, data subjects

2.1. ctrl+s shall process personal data in accordance with and only to the extent required by Customer’s instructions. ctrl+s shall (i) process personal data solely for the provision of the services, or (ii) as instructed by Customer. Any processed personal data shall be disclosed to third parties other than a sub processor only to the extent required to fulfil the services or as required by law. Customer may provide additional instructions to ctrl+s to the extent such instructions are consistent with the terms and scope of the services and this DPA. 

2.2. The data subjects subject to this DPA include employees and staff (including applicants, regular, temporary, part-time, trainees, contractors and agents) as well as contact persons at business partners, suppliers, vendors and other cooperation partners.

2.3. The categories of personal data that are processed under this DPA include contact information (such as name, address, phone or fax number, email address) and organizational information (such as job position, department).

3. Sub processors, transfer to third countries

3.1. Customer acknowledges and agrees that ctrl+s may utilize sub processors in processing personal data. Any such sub processor will be permitted to process personal data only to deliver the services ctrl+s has retained it to provide, and ctrl+s shall prohibit the sub processor from processing personal data for any other purpose. Prior to giving any sub processor access to personal data, ctrl+s shall ensure that such sub processor has entered into a written agreement with ctrl+s requiring that the sub processor abide by terms no less protective than those provided in this DPA. 

3.2. Customer agrees to the sub processors that are listed on page: https://supplier-s.io/subprocessors/

3.3. ctrl+s shall inform Customer of any intended change with regard to sub processors or the replacement of existing sub processors in text form with appropriate advance notice, which will enable the possibility to object to such changes for legitimate reasons. If ctrl+s is unable to perform the contract without the indicated change, ctrl+s may terminate the Agreement for cause following an objection by Customer.

3.4. ctrl+s may transfer personal data processed on behalf of Customer to third countries only if and to the extent that an adequate level of data protection can be guaranteed there.

4. Rights of data subjects, legally required disclosures

4.1. Unless otherwise required by law, ctrl+s will follow Customer’s detailed written instructions to correct, delete or block access to personal data. 

4.2. For the avoidance of doubt, Customer is responsible for responding to data subject requests for access, correction, deletion or blocking of that person’s personal data. If ctrl+s receives a data subject request, ctrl+s shall promptly redirect the data subject to Customer.

4.3. Unless prohibited by applicable law or a legally-binding request of law enforcement, ctrl+s will promptly notify Customer of any request by a government official, data protection supervisory authority or law enforcement for access to or seizure of personal data.

5. Data security

5.1. ctrl+s shall promptly inform Customer if ctrl+s determines that personal data has been subject to a security breach or any other circumstance in which Customer may be required to provide a notification under applicable law. 

5.2. ctrl+s shall promptly investigate any security breach and take reasonable measures to identify its root cause(s) and prevent a recurrence. As information is collected or otherwise becomes available, unless prohibited by law, ctrl+s will provide Customer with a description of the security breach, the type of personal data that was the subject of the security breach, and other information Customer may reasonably request concerning the affected persons. The Parties agree to coordinate in good faith on developing the content of any related public statements or any required notices for the affected persons.

5.3. ctrl+s maintains a security program described on page: https://supplier-s.io/tom/

6. Termination, return and deletion of personal data

6.1. The term of this DPA corresponds to the term of the Agreement.

6.2. Upon termination of this DPA, ctrl+s will promptly make Customer’s personal data available for export. Following return of the personal data and at Customer’s request, ctrl+s will promptly delete or otherwise render inaccessible all copies of personal data, except as may be required by law or as may be contained on ctrl+s’s back-up media which shall be retained in accordance with ctrl+s’s retention policies. 

Last update: 21 May 2024
