IMEXADOR

Agreement on order processing

According to Art. 28 Para. 3 of the General Data Protection Regulation (GDPR).

Version 3.5


between

Mohsen Ahmed Elbeyaly, Sobh / Imexador
Happoldstrasse 31
70469 Stuttgart

as Client – hereinafter Client –


and 

STRATO AG
Otto-Ostrowski-Straße 7
10249 Berlin

as Contractor – hereinafter Contractor –

1. Subject matter and duration of processing

1.1. The subject matter of the agreement is the rights and obligations of the parties within the framework of the provision of services in accordance with the service description and general terms and conditions (hereinafter referred to as the main contract), insofar as personal data is processed by STRATO AG (hereinafter referred to as the contractor) as the processor on behalf of the customer as the controller (hereinafter referred to as the client) in accordance with Art. 28 GDPR. This includes all activities that the contractor carries out to fulfil the order and which constitute order processing. This also applies if the order does not expressly refer to this agreement on order processing.
1.2. The duration of processing depends on the actual processing of the client’s personal data by the contractor.

2. Type and purpose of processing

2.1. The type of processing includes all types of processing within the meaning of the GDPR to fulfil the order.
2.2. The purposes of processing are all purposes necessary to provide the contractually agreed service (see also Appendix 1, Service Description), particularly in the area of cloud services, hosting, software as a service (SaaS) and IT support.

3. Type of personal data and categories of data subjects

3.1. The type of data processed is determined by the client through the product selection, configuration, use of the services and transmission of data. See also the service description in Appendix 1.
3.2. The client determines the categories of data subjects through the product selection, configuration, use of the services and transmission of data. See also the service description in Appendix 1.

4. Responsibility and processing on documented instructions

4.1. Within the scope of this contract, the client is solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the legality of the data transfer to the contractor and for the legality of the data processing (“controller” within the meaning of Art. 4 No. 7 GDPR). This also applies with regard to the purposes and means of processing regulated in this agreement.
4.2. The instructions are initially specified by the main contract and can then be changed by the client in written form or in an electronic format (text form) by means of individual instructions. Verbal instructions must be confirmed immediately in writing or in text form. If changes are proposed, the contractor will inform the client of the effects this will have on the agreed services, in particular the possibility of providing the service, deadlines and remuneration. If it is unreasonable for the contractor to implement the instructions, the contractor is entitled to terminate the processing and terminate the contract extraordinarily. The client’s obligation to pay ceases when the contractor stops providing the service. Unreasonableness exists in particular if the services are provided in an infrastructure that is used by several of the contractor’s clients/customers (shared services), and a change in the processing is not possible or unreasonable for individual clients.
4.3. The contractually agreed data processing takes place in a member state of the European Union or in another contracting state to the Agreement on the European Economic Area, unless the data transfer to third countries is necessary to provide the service. In the event that data is transferred to a third country, the contractor ensures that the requirements of Art. 44 ff. GDPR are met.

5. Rights of the client, obligations of the contractor

5.1. The contractor may only process data of data subjects based on documented instructions from the client. The instructions are specified at the beginning of the contract. However, there is no obligation to follow instructions if an exceptional case within the meaning of Article 28 paragraph 3 a) GDPR applies (obligation under the law of the European Union or a member state). This also applies to the transfer of personal data to third countries or international organizations. If there is an obligation to process data contrary to an instruction, the contractor shall inform the client of the corresponding legal requirement before processing, unless the law in question prohibits such information due to an important public interest. The contractor shall inform the client immediately if he believes that an instruction violates applicable laws. The contractor may suspend implementation of the instruction until it has been confirmed or amended by the client. The instructions must be documented by the client and kept for at least the duration of the contractual relationship.
5.2. Given the nature of the processing, the Contractor will, where possible, support the Client with suitable technical and organizational measures in meeting the claims of the data subjects in accordance with Chapter III of the GDPR. The Contractor is entitled to demand appropriate remuneration from the Client for these services, provided that the support was not required due to a breach of law or contract by the Contractor. The Contractor will provide the Client with cost information in advance.
5.3. The Contractor will support the Client in complying with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to him. The Contractor is entitled to demand appropriate remuneration from the Client for these services, provided that the support was not required due to a breach of law or contract by the Contractor. The Contractor will provide the Client with cost information in advance.
5.4. The Contractor guarantees that the employees involved in processing the Client’s data and other persons working for the Contractor are prohibited from processing the data outside of the instructions. Furthermore, the contractor guarantees that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. The same applies to social secrecy, telecommunications secrecy according to Section 3 TDDSG and – with knowledge of the criminal liability – to the protection of secrets of those who hold professional secrets according to Section 203 StGB. The confidentiality/secrecy obligation continues even after the contract has been terminated.
5.5. The contractor will inform the client immediately if he becomes aware of any violations of the protection of the client’s personal data. The contractor will take the necessary measures to secure the data and to reduce possible adverse consequences for the persons concerned.
5.6. The contractor guarantees the written appointment of a data protection officer who carries out his activities in accordance with Art. 38 and 39 GDPR. A contact option will be published on the contractor’s website.
5.7. After completion of the processing services, the contractor will, at the client’s discretion, either delete all personal data or return it to the client, unless there is an obligation to store the personal data under Union law or the applicable law of a member state. If the client does not exercise this right of choice, deletion is deemed to have been agreed. If the client chooses to return the data, the contractor can demand appropriate compensation. The contractor will provide the client with information about the costs in advance.
5.8. If data subjects assert claims for damages in accordance with Art. 82 GDPR, the contractor will support the client in defending the claims to the best of its ability. The contractor can demand appropriate compensation for this, provided that the claims for damages are not based on a breach of law or contract by the contractor.

6. Obligations of the client

6.1. The client must inform the contractor immediately and fully if he discovers any errors or irregularities regarding data protection regulations when carrying out the order.
6.2. In the event of termination, the Client undertakes to delete the personal data that it has stored in the services before the contract is terminated.
6.3. At the request of the Contractor, the Client will appoint a contact person for data protection matters.

7. Requests from data subjects

The Contractor will inform the Client immediately of any request it has received from the data subject. It will not respond to the request itself unless it has been authorized to do so by the Client. Taking into account the nature of the processing, the Contractor will support the Client in fulfilling its obligation to respond to requests from data subjects to exercise their rights. When fulfilling its obligations, the Contractor will follow the Client’s instructions. The Contractor is not liable if the Client does not respond to the data subject’s request, does not respond correctly or does not respond on time.

8. Measures to ensure the security of processing in accordance with Art. 32 GDPR

8.1. The Contractor takes appropriate technical and organizational measures within its area of responsibility to ensure that processing is carried out in accordance with the requirements of the GDPR and guarantees protection for the rights and freedoms of the data subject. The client takes suitable technical and organizational measures within his area of responsibility in accordance with Art. 32 GDPR to ensure the long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processing.
8.2. The contractor’s current technical and organizational measures can be viewed at the following link: https://www.strato.de/agb/tom/. The contractor makes it clear that the technical and organizational measures listed under the link are merely descriptions of a technical nature, which are not to be regarded as part of this agreement.
8.3. The contractor operates a procedure for regularly checking the effectiveness of the technical and organizational measures to ensure the security of processing in accordance with Art. 32 Para. 1 lit. d) GDPR.
8.4. The contractor adapts the measures taken over time to developments in the state of the art and the risk situation. The contractor reserves the right to change the technical and organizational measures taken, provided that the level of protection in accordance with Art. 32 GDPR is not undercut.

9. Evidence and verification

9.1. The contractor provides the client with all the information required to prove compliance with the obligations set out in Art. 28 GDPR and, in individual cases, enables checks – including inspections – to be carried out by the client or another auditor commissioned by the client. The contractor is entitled to demand a confidentiality agreement from the client and its appointed auditor, but this should not prevent the client from providing evidence to the supervisory authority responsible for it. The contractor can reject direct competitors of the client or persons who work for direct competitors of the client as auditors.
9.2. As proof of compliance with the obligations set out in Art. 28 GDPR, the existing certification according to ISO 27001 is usually sufficient for the client. The contractor makes the current certificate available on its website.
9.3. If the client has reasonable doubts on the basis of actual evidence that the aforementioned certifications are sufficient or correct, or if special incidents within the meaning of Art. 33 Para. 1 GDPR in connection with the execution of the order processing for the client justify this, the client can carry out on-site inspections. These can be carried out during normal business hours without undue disruption to operations, usually after registration (unless an inspection without registration appears necessary because otherwise the purpose of the inspection would be jeopardized). The client’s right of inspection is intended to check compliance with the obligations incumbent upon a processor in accordance with the GDPR and this contract. The contractor will actively participate in the implementation of the inspection.
9.4. The contractor can demand appropriate remuneration for information and support actions, provided that the inspection was not necessary due to a breach of law or contract by the contractor. The contractor will provide the client with cost information in advance.

10. Subcontractors (other processors)

10.1. The client grants the contractor general permission to use additional processors within the meaning of Art. 28 GDPR to fulfill the contract.
10.2. The other processors currently used are listed in Appendix 2. The client agrees to their use.
10.3. The contractor will inform the client if he intends to make a change with regard to the addition or replacement of additional processors. The client can object to such changes.
10.4. An objection to the intended change can only be raised to the contractor for an objective reason within 14 days of receipt of information about the change. In the event of an objection, the contractor can, at its own discretion, provide the service without the intended change or – if the provision of the service without the intended change is unreasonable for the contractor – discontinue the service affected by the change to the client within a reasonable period of time (at least 14 days) after receipt of the objection. The client’s obligation to pay fees ceases at the time the contractor discontinues the service.
10.5. If the Contractor places orders with other processors, it is the Contractor’s responsibility to transfer its data protection obligations under this contract to the other processor. The contractor ensures, in particular through regular checks, that the other processors comply with the technical and organizational measures.

11. Liability and compensation

11.1. In the event of a claim for damages being asserted by a data subject in accordance with Art. 82 GDPR, the parties undertake to support one another and to contribute to clarifying the underlying facts.
11.2. The liability regulation agreed between the parties in the main contract for the provision of services also applies to claims arising from this contract for order processing and in the internal relationship between the parties for claims by third parties in accordance with Art. 82 GDPR, unless expressly agreed otherwise.

12. Contract term, other

12.1. The agreement begins when it is concluded by the client. It ends with the end of the last contract under the respective customer number. If order processing takes place after termination of this contract, the provisions of this agreement apply until the actual end of the processing.
12.2. The contractor can change the agreement at its reasonable discretion with an appropriate period of notice. In particular, the contractor reserves the express right to unilaterally change this agreement if there are significant legal changes in relation to this agreement. The contractor will separately inform the client of the significance of the planned change and also grant the client a reasonable period of time to declare an objection. In the change notification, the contractor will inform the client that the change will take effect if he does not object within the set period. In the event of an objection by the client, the contractor has the right to terminate the contract with immediate effect.
12.3. The client recognizes this agreement as part of the general terms and conditions https://www.strato.de/agb/ for the product(s) he has booked. In the event of any contradictions, the provisions of this agreement on order processing take precedence over the provisions of the main contract. Should individual parts of this agreement be invalid, this does not affect the validity of the agreement in other respects.
12.4. The sole place of jurisdiction for all disputes arising from and in connection with this contract is the registered office of the contractor. This applies subject to any exclusive statutory place of jurisdiction. This contract is subject to the legal provisions of the Federal Republic of Germany.
12.5. Should the client’s data be endangered by the contractor through seizure or confiscation, through insolvency or composition proceedings or through other events or measures by third parties, the contractor must inform the client immediately. The contractor will immediately inform all those responsible in this context that sovereignty and ownership of the data lies exclusively with the client as the “responsible party” within the meaning of the GDPR.

Appendix 1 – Service Description

Domain
Service description: If you order a domain from us, we will take care of the connection and registration of your domain with the responsible registry. In addition, maintaining the registration, domain transfers and deregistration are part of the contract. The same applies to the SSL certificates based on your domains.
Purpose of processing: Registration, transfer, configuration and administration of the domain name
Type of personal data: Domain name and contact details (name, address, e-mail, telephone number, company if applicable)
Categories of persons affected: Customers
Deletion periods: Storage of changes to the domain for 12 months. Otherwise, the duration of processing corresponds to the term agreed in the contract. Data that must be retained is stored for up to 10 years after the end of the contract.

E-mail products (E-mail Basic, E-mail Business, E-mail Plus, Microsoft Mail & Office, e-mail archiving)
Service description: If you have an e-mail product from us, you can create e-mail addresses for your domains and manage and use the associated services. We will set up an email inbox for you as per your order, which you can access using the STRATO webmailer and email clients. Depending on the scope of services and the order, we will carry out forwarding, notifications, autoresponders, mailing lists and virus protection for you. A configurable spam filter is also part of the product. You can manage contacts, appointments and tasks in the STRATO webmailer according to the service booked. You also have the option of purchasing the email archiving product and thus storing your emails in an audit-proof manner.
Purpose of processing: Provision of email services (receiving, sending, retaining and archiving) including the creation, configuration and deletion of email addresses and the management of contacts, appointments and tasks
Type of personal data: Emails, contacts, appointments, tasks, domain and log files
Categories of data subjects: Customers, customer employees, customer contacts
Deletion periods:

  • E-mail services: max. 30 days after the end of the contract period.
  • Log files: max. 6 months after creation
  • Email archiving: 60 days after contract end

HiDrive Cloud storage
Service description: Our cloud storage allows you to store your data in our data center so that you can access the data from anywhere and at any time. Depending on the package you order, you can, for example, create multiple users or make other configurations. You can also grant permissions and manage them.
Purpose of processing: Provision of an online storage solution
Type of personal data: Data that you store in the cloud, log files
Categories of data subjects: Customers, customer employees, users
Deletion period: Up to two months after the end of the contract, unless the customer deletes them earlier. Log files are stored for a maximum of 12 months.

Hosting products (web hosting, WordPress hosting, homepage builder)
Service description: The basis of the hosting products is the storage space on which a website can be published. This web space is held by us and connected to the Internet. Depending on the product or scope of services selected, the following different components are available in particular:

  • Installation and operation of external software (e.g. WordPress).
  • Databases and administrative access.
  • Homepage editors for easy creation of a website using templates and modules.
  • Services to connect the website (e.g. IP, domain, SSL certificates).
  • Functional extensions:
    • SiteLock Scan helps you keep your web space free of malware by scanning your website and informing you if anything is found.
    • Web Analytics supports you in the statistical evaluation of visitor traffic.

Purpose of processing: Providing web space for publishing on the Internet, providing tools and services for creating and operating websites.
Type of personal data: Website content data, domain, log files
Categories of persons affected: Customers’ employees, website visitors
Deletion periods: Log files about visitors to your website are stored for a maximum of 7 days. We delete content data within 2 months of the end of the contract. We delete other log data after a maximum of 12 months.

Webshop
Service description: With the help of a STRATO webshop, you can set up an online shop and use it to sell your goods. For this purpose, we provide SaaS software that has all the necessary functionalities for operating an online shop within a website or via various social media channels. It is up to you as the shop operator to fill the shop with your individual content, e.g. selection of shipping and payment methods. Additional features from external partners can be added to the shop solution to expand the functionality. If you would like to use these features, they require separate contracts directly between you and the respective partners; they are not part of this product.
Purpose of processing: Web hosting, provision of shop infrastructure
Type of data processed: Shop master data (such as product data, prices, general settings in the shop), other data as far as required to process sales (address and customer data, shipping and payment information, inventory, orders, etc.), log files
Categories of persons affected: Shop operators, shop customers and website visitors
Deletion periods: Logs and statistical data are retained for one year. Other data such as master data is stored indefinitely for undeleted contracts. The data of terminated contracts is deleted after 60 days.

Online Marketing Tools
Service description: Online marketing products such as marketingRadar, rankingCoach, listingCoach or adCoach can support customers in their business success. Depending on the product selected, company contacts are published in yellow pages and on other platforms, search results on Google are optimized, advertisements are placed on Google or newsletters are sent. Each of these applications supports sales, initiating business contacts and conveying information in its specific context, and thus helps to increase reach, awareness and customer loyalty for customers.
Purpose of processing: Increasing reach and awareness, placing advertising, publishing company data, sending newsletters, optimizing for search engine results.
Type of data processed: Company data, contact details, content data, usage data
Categories of persons affected: Employees, customers, website visitors
Deletion periods: Customer data is deleted from our systems 30 days after termination; the product partner also deletes all data 30 days after termination.

Server products (dedicated server, dedicated hosting, cloud server, vServer (VPS), virtual server, private cloud, cloud backup)
Service description: You can order a wide variety of server products from us. Depending on the product you choose, we provide you with hosted servers on individually used hardware (dedicated servers) or in a virtualized environment, with only shared storage space (virtual servers). We support the setup, administration, operation and data backup with automated processes and tools. Data processing on the platform itself is carried out independently and under your own responsibility by you as the customer.
Purpose of processing: Provision and operation of the server infrastructure.
Type of data processed: Content data that you store on the server, user account information (IP addresses, MAC addresses, usernames)
Categories of persons affected: Customers, users
Deletion periods: User account information that is required for the purpose of providing the service, and customer data that is stored on the server, will be deleted within seven days at the latest for cancellations of the function/contract confirmed online by customers, and within 30 days at the latest for all other terminations of the contract. User account information that is collected for the purpose of error diagnosis will be deleted seven days after it is collected.

Appendix 2 to the Data Processing Agreement – Approved Subcontractors / Other Processors

Status: 18.03.2024

The table below lists, for each subcontractor: name, address, short description of the service, and appropriate safeguards in case of transfer to third countries.

Subcontractor: we22 Solutions GmbH
Address: Otto-Ostrowski-Straße 7, 10249 Berlin
Service: Strato homepage design service; development, maintenance and care of the homepage builder

Subcontractor: ePages GmbH
Address: Pilatuspool 2, 20355 Hamburg
Service: Development, maintenance and care of the webshop software

Subcontractor: Ionos SE
Address: Elgendorfer Strasse 7, 56410 Montabaur
Service: Provision, operation and maintenance of products; in particular:
  • Operation, maintenance and care of the AutoUpdater for Apps (Installatron)
  • Provision of the physical environment for the operation of Strato Mail archiving (Dropsuite Ltd.)
  • Operation of the platform and provision of dedicated and virtual servers as well as cloud solutions.

Subcontractor: Dropsuite Ltd. PTE, Ltd.
Address: 01-12 Block 71, Ayer Rajah Crescent, Singapore 139951, Singapore
Service: Development, maintenance, care and operation of the Strato Mail archiving software
Safeguards for third-country transfer: EU standard data protection clauses according to Art. 46 para. 2 lit. c GDPR

Subcontractor: Virtuozzo International GmbH
Address: Vordergasse 59, 8200 Schaffhausen, Switzerland
Service: Virtualization software for V-Server including support
Safeguards for third-country transfer: EU standard data protection clauses according to Art. 46 para. 2 lit. c GDPR

Subcontractor: rankingcoach GmbH
Address: c/o wework, Friesenplatz 4, 50672 Cologne
Service: Applications to improve the visibility of a website in search engines

Subcontractor: Hewlett-Packard GmbH
Address: Herrenberger Strasse 140, 710 Böblingen
Service: Support for a V-Server platform

Subcontractor: Acronis International GmbH
Address: Landsbergerstrasse 105, 80339 Munich
Service: Operation and support of the backup product

Subcontractor: SiteLock, LLC
Address: 8701 East Hartford Drive, Suite 200, Scottsdale, AZ 85255, USA
Service: Detecting and removing malware
Safeguards for third-country transfer: EU standard data protection clauses according to Art. 46 para. 2 lit. c GDPR

Subcontractor: Eleven GmbH
Address: Heidestrasse 10, 10557 Berlin
Service: Spam filter for email

Subcontractor: Plesk International GmbH
Address: Vordergasse 59, 8200 Schaffhausen, Switzerland
Service: Provision of the server administration software PLESK
Safeguards for third-country transfer: EU standard data protection clauses according to Art. 46 para. 2 lit. c GDPR

Subcontractor: ServerGuard24 GmbH
Address: Fritz-Schäffer-Strasse 1, 53113 Bonn
Service: Operation of a monitoring service for dedicated and virtual servers

Subcontractor: Open-Xchange GmbH
Address: Olper Hütte 5f, 57462 Olpe
Service: Use of OX App Suite and OX Premium mailboxes