Data Processing Agreement
(A) The Parties have entered into a service agreement (“Main Agreement”) according to which the Jimdo GmbH, Stresemannstr. 375, 22761 Hamburg, Germany (“Jimdo”, the “Processor”) provides the agreed upon online service (the “Service”) to you (“Customer”) .
(B) Pursuant to Art. 28 (1) EU Regulation 2016/679 – General Data Protection Regulation (“GDPR”), where processing is to be carried out on behalf of a controller, Customer shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of the GDPR and ensure the protection of the rights of the data subject. In accordance with Art. 28 (3) GDPR, processing by a processor on behalf of a controller shall be governed by a contract that is binding on Jimdo with regard to Customer and that sets out the subject-matter and duration of the processing, the nature and purpose of the processing, the type of* Personal Data* and categories of data subjects and the obligations and rights of Customer. That contract shall stipulate, in particular, Jimdo’s obligations pursuant to Art. 28 (3) GDPR.
(C) With this agreement including the documents referenced herein (“Data Processing Agreement” or** “DPA**”), the Parties intend to provide the required contractual basis for the processing of Personal Data by Jimdo in the provision of Jimdo’s Service. Personal Data has the meaning assigned to it by Article 4(1) GDPR. For the purposes of this DPA, the definitions included in the GDPR apply to all italicised terms _of this DPA, _in particular those described under Article 4 GDPR. **Subprocessors** means processors of Jimdo, being third parties authorised under this DPA to process the Personal Data as outlined in the Main Agreement in order to provide parts of the Service and any related technical support.
NOW THEREFORE, the Parties agree as follows:
1. Scope and Details of Processing
1.1 For the performance of some of the Service under the Main Agreement, Jimdo processes Personal Data (Art. 4 (1) GDPR) as a* Processor* (Art. 4 (8) GDPR) on behalf of Customer as a Controller (Art. 4 (7) GDPR.
1.2 The subject matter, the specific Service provided by Jimdo on behalf of the Customer , the duration of the processing, the nature and purpose of the processing, the type of Personal Data and the categories of data subjects are outlined in the Main Agreement.
1.3 The scope and details of the Service may change subject to the provisions of the Main Agreement.
2. Obligations and Rights of Customer
2.1 Customer is responsible for compliance with the obligations applicable to Controller _pursuant to the GDPR, in particular compliance with the principles relating to processing of _Personal Data pursuant to Chapter II GDPR and compliance with data subjects' rights pursuant to Chapter III GDPR.
2.2 The provisions of this DPA, in particular the details of processing as per 1.2, serve as general instructions to process Personal Data as reasonably necessary for the provision of the Service.
2.3 Jimdo undertakes to provide the Customer, upon request, with all necessary information regarding his/her obligations under this Agreement and, in particular, to prove the implementation of the Technical and Organisational Measures, as defined under Article 32 GDPR. To enable the Customer to exercise those supervisory rights and obligations prior to and during the contractual relationship, upon request Jimdo shall provide the Customer with an extract from an independent instance in accordance with Art. 42 GDPR, i.e. an auditors report written by its Data Protection Officer concerning the regular auditing of Jimdo’s Data Protection Management System and the Technical and Organisational Measures adopted by Jimdo. The report, in accordance with the regular auditing conducted by the Jimdo’s data protection officer, shall be updated at least every 24 months.
3. Obligations and Rights of Jimdo
3.1 Jimdo processes the Personal Data only on documented instructions from the Customer. This also applies to transfers of Personal Data to a Third Country or an international organisation, except in cases where Jimdo is legally required to process Personal Data. In such cases, Jimdo will inform Customer of that legal requirement before processing, unless Jimdo is legally prohibited from providing such information e.g. on important grounds of public interest.
3.2 Jimdo ensures that persons authorised to process the Personal Data which is subject to this_ _DPA are bound to maintain confidentiality and have previously been familiarised with the data protection regulations relevant to their work.
3.3 Jimdo takes all Technical and Organisational Measures required pursuant to Art. 32 GDPR. Details of the most current measures are set out here. These measures are subject to technological progress and refinement. Jimdo is therefore allowed to modify or adapt these measures during the term of this DPA, as long as they continue to comply with the applicable legal requirements.
3.4 Jimdo will notify Customer without undue delay after becoming aware of a Personal Data Breach relating to Personal Data which is subject to this DPA.
3.5 Customer hereby grants authorisation for the processing of Personal Data outside the premises of the processor (e.g. teleworking, home office work, mobile work). Jimdo determines the appropriate Technical and Organisational Measures required for this purpose in accordance with the processing in such cases.
3.6 Customer hereby grants a general authorisation to the engagement of Subprocessors (as defined in section “C” above) for the performance of the Service. The Subprocessors currently engaged by Jimdo are listed here. Customer is obliged to access this link at least once per calendar month to obtain information about changes to the List of Subprocessors. Changes to the List of Subprocessors are subject to the following terms:
a) Customer may object (e.g. by email or contact form) to an update within the timeframe provided in the List of Subprocessors, only if – taking into account all circumstances and weighing up the interests of both sides – the update is unreasonable to Customer relating to the protection of _Personal Data _which is subject to this DPA. In such case Jimdo shall at its sole discretion take any such measures that it deems appropriate to eliminate the cause for objection, Jimdo will then inform the Customer of the measures taken. If Customer’s objection has not been resolved to the Parties’ mutual satisfaction within 30 days of Jimdo’s receipt of the Objection Notice, either Party may terminate the Main Agreement with immediate effect. In this case section 3.9 of this DPA applies.
b) Where Jimdo engages a Subprocessor, the same level of data protection obligations as set out in this DPA are imposed on that other Subprocessor.
c) Where that Subprocessor fails to fulfil its data protection obligations, Jimdo shall remain fully liable to Customer for the performance of that Subprocessor's obligations.
3.7 Jimdo, taking into account the nature of the processing, assists Customer by appropriate Technical and Organisational Measures, insofar as this is possible, for the fulfilment of Customer's obligation to respond to requests for exercising the Data Subject'_s rights laid down in Chapter III GDPR relating to _Personal Data which is subject to this DPA.
3.8 Upon request, Jimdo shall provide reasonable assistance to Customer for the fulfilment of its obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to Jimdo relating to Personal Data which is subject to this DPA.
3.9 Four weeks after a termination of the contract, Jimdo will delete all the Personal Data which is subject to this DPA, including all existing copies unless Union or Member State law requires further storage of the Personal Data.
4. Transfers of Personal Data to Third Countries
Jimdo and/or its Subprocessors shall transfer and/or process Personal Data which is subject to this DPA to/in Third Countries only where the conditions set out in Chapter V of the GDPR are met.
If any questions regarding this Data Processing Agreement arise, Jimdo can be contacted via email or via a letter to: Jimdo GmbH, Legal Department, Stresemannstraße 375, 22761 Hamburg, Germany, privacy (at) jimdo.com
6. Final provisions
6.1 This DPA comes into force upon conclusion of the Main Agreement. The term of this DPA corresponds to the term of the Main Agreement.
6.2 Jimdo is entitled to amend this DPA as required in order to comply with applicable law or to further develop the Service, provided that such amendments would not significantly alter the relationship between the Customer and Jimdo in Jimdo's favour. Jimdo will provide the Customer (30) days' notice of any changes to the terms of this DPA before they take effect. The notice may be provided via email or via the log-in customer area, where the DPA can be downloaded and/or printed. The amended DPA will take effect if the Customer does not object in text form (e.g. by email) within the period stated in the notification and continues to use the Service after the expiry of the period. Jimdo will inform the Customer as to the consequences of non-acceptance separately via the notification. The termination rights of both the Customer and Jimdo remain unaffected.
6.3 If any provision of this DPA is or becomes fully or partly invalid or unenforceable, this shall not affect the validity of the remaining provisions. The Parties undertake to jointly replace the invalid or unenforceable provision with a valid provision which comes as close as possible to the invalid or unenforceable one. The same applies to any omission in this DPA.
6.4 In case of conflicts between this DPA and other agreements between the Parties, in particular the Main Agreement, the provisions of this DPA shall prevail.
Details of Processing
The following descriptions set out the details of the data processing under the Service provided by Jimdo. The overview complements the Data Processing Agreement.
The subject matter of the processing is the provision of the Service as described in the Main Agreement.
|Provision of the Jimdo Service
|Duration of Processing
The duration of the processing is determined by the duration of the provision of the Service.
|Purpose of Processing
|Categories of Data Subjects
Customers of the Controller, customers or visitors to the website or online store of the controller, employees of the controller, interested parties.
|Type of Personal Data
The list of Subprocessors can be accessed here.