Data Processing Agreement

of Wick Creative, hereinafter referred to as vendor .

1. Data processing.

1.1. Scope of application. This Framework Agreement will enter into force automatically if vendor qualifies as processor in relation to the controller. 

1.2. Processing, data, data subjects. The subject-matter (e.g. sending of newsletters), purpose (e.g. sending of e-mails), type (using a sending tool) and duration (limited, indefinite) of processing, the type of personal data (e.g. contact details ) and the categories of data subjects (e.g. employees, prospective buyers, customers, suppliers, website visitors ) are defined in the written specifications of vendor.

1.3. Standard processing operations. Standard processing operations are carried out if the contractual processing operations 

• include only an insignificant level of personal data on criminal data and criminal convictions or special categories of personal data, and  
• involve no or only a low risk, and 
• vendor has defined technical and organizational standard measures for the relevant processing operation.

The standard processing operations are governed by the technical and organizational standard measures; the currently valid version is available at https://www.wickcreative.com/pages/dpa 

1.4. Special processing operations. Special technical and organizational measures shall be agreed for all other processing operations to appropriately guarantee the protection of data. 

1.5. Controller. As the controller under data protection law, the customer shall define the content of the contractual processing of personal data, the resulting risks, the commissioned processing operations, and the required level of protection.

1.6. Sufficient guarantees. The controller was informed of and examined the technical and organizational measures and confirmed these to constitute sufficient guarantees.  

1.7. Evaluation and updates. Where agreed in writing, for example in a maintenance agreement, vendor shall reasonably evaluate and update these measures. Otherwise, the controller is responsible for the evaluation and updating of the measures.

The current technical and organizational standard measures can be found on vendor’s website. The controller shall review and confirm these measures at regular intervals.

The controller will be informed of any other special measures that are updated later on at least once a year for review and confirmation.

2. Special provisions

2.1. Conformity with the law. Article 28 (2), (3) and (4) GDPR and the provisions incorporated by reference therein shall be applicable.

2.2. Requirement to observe instructions. vendor processes personal data only on documented instruction of the controller, also in respect of the transmission of personal data to a third country or to an international organization, unless it has such an obligation according to Union law or the laws of the Member States to which vendor is subject; in such a case, vendor will inform the controller of these legal obligations prior to processing, unless the law prohibits such information on important grounds of public interest.

2.3. Involvement of employees. vendor guarantees that the persons authorized to process personal data have accepted an obligation of confidentiality or are subject to an appropriate legal obligation of confidentiality.

2.4. Technical and organizational measures. vendor will take all necessary measures according to Article 32 GDPR.

2.5. Rights of data subjects. In view of the type of processing, vendor takes appropriate technical and organizational measures to assist the controller in its obligation to address requests to exercise the rights of data subjects according to Chapter III GDPR.

2.6. Security of processing. In consideration of the type of processing operations and the information available to it, vendor will assist the controller in the fulfilment of the obligations laid down in Articles 32 to 36 GDPR.

2.7. Completion of processing operations. After completion of the processing operations, vendor shall either erase or return all personal data at the controller’s election, unless there is an obligation under Union law or the laws of the Member States to store the personal data.

2.8. Obligation to provide evidence and information. vendor provides the controller with all necessary information to prove the fulfilment of the obligations set out in this paragraph and allows and assists in examinations - including inspections - which are carried out by the controller or by another inspector appointed by it. vendor will immediately inform the controller if he considers that any instruction infringes the GDPR or other data protection provisions of the European Union or the Member States. 

2.9. Other processors. vendor may generally engage other subcontractors as processors to process personal data. However, in each particular case, the appointment of other processors must be notified to the controller in due time to allow the controller to object. If vendor appoints another processor to carry out certain processing activities on behalf of the controller, the same data protection obligations defined in the contract between the controller and vendor will be imposed on that other processor by way of a contract, and sufficient guarantees must be provided that appropriate technical and organizational measures are taken to ensure that the processing operations are carried out in accordance with the requirements of GDPR. If the other processor fails to fulfil its data protection obligations, vendor shall be liable to the controller for the discharge of the other processor’s obligations.

3. Final provisions.

3.1. Terms and conditions. The terms and conditions of vendor are applicable.