Styla Data Processing Addendum
This Styla Data Processing Addendum (“Addendum”) amends the Styla Terms of Service (“Main Contract”) by and between you (“Customer”)
and
Styla GmbH
Wetzlarer Str. 54
14482 Potsdam, Germany
Commercial Register No.: HRB 142689 B
(“Processor”)
regarding the processing of personal data on behalf of a company pursuant to article 28 of the General Data Protection Regulation (GDPR) of the European Union (EU).
1. Subject Matter
- Within the scope of using Styla in accordance with the Main Contract, the Processor must store and process data which is collected by the Customer when Styla technology is used. It cannot be ruled out that such data will be personal data as contemplated in article 4 (1) of the General Data Protection Regulation (GDPR). This Addendum for commissioned data processing applies exclusively to such data ("Customer Data").
- This Addendum specifies the data protection rights and obligations of the parties in conjunction with the Processor’s handling of Customer Data in the performance of the Main Contract.
2. Nature, scope, purpose and term of commissioned data processing
- The Processor will process Customer Data on behalf of and as instructed by the Customer within the meaning of article 28 GDPR (Processing). With a view to data protection law, the Customer remains the controller pursuant to article 4 (7) GDPR.
- The processing of Customer Data within the scope of commissioned data processing will be carried out in accordance with the provisions regarding the type, scope and purpose of data processing contained in Annex 1 to this Addendum. It relates to the type of Customer Data as defined in Annex 1, the purpose of data processing and the group of data subjects defined therein.
- Data will be processed and used exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union or in another contracting state of the agreement on the European Economic Area. Any transfer to a third country is subject to the Customer’s prior consent and may only take place if the special requirements of Article 44 et seqq. GDPR are fulfilled.
- The term and termination of this Addendum are subject to the analogous provisions of the Main Contract. Termination of the Main Contract automatically results in termination hereof. Isolated termination of this Addendum is hereby excluded.
3. Customer’s powers of instruction
- Customer Data will be handled by the Processor exclusively within the framework of the agreements made and in accordance with the Customer’s documented instructions pursuant to article 28 (3) sentence 2 lit. a GDPR, unless the Processor is obliged to process the data under Union law or the law of the Member States to which the Processor is subject. In such a case, the Processor will notify the controller of such legal requirements prior to processing, unless applicable law prohibits such notification on important grounds of public interest.
- Within the scope of the order description in this Addendum, the Customer reserves the right to issue comprehensive instructions on the nature, scope, means and purposes of data processing, which the Customer can specify in more detail in individual instructions. The Customer will immediately confirm oral instructions, either in writing or by e-mail (in text form). In the event that the Customer issues individual instructions with regard to the handling of Customer Data that go beyond the contractually agreed scope of services, the Customer will bear the costs incurred as a result thereof.
- Any changes in the subject matter of processing or changes in procedure will be jointly agreed to and documented in writing. The Processor may only disclose information to third parties or to the data subject with the Customer’s prior written consent. The Processor is not entitled to pass on Customer Data to third parties and will not use such data for any other purposes, in particular, not for its own purposes.
- The Processor is not obliged to check the Customer’s instructions with a view to (data protection) law. The Processor will inform the Customer without delay in accordance with article 28 (3) sentence 3 GDPR if, in its opinion, an instruction issued by the Customer infringes statutory provisions. The Processor is entitled to suspend performance of such instruction until it has been confirmed or amended by the Customer’s controller.
4. Customer’s obligations
- The Customer is solely responsible for the lawfulness of the data processing by the Processor and for safeguarding the rights of data subjects and is therefore the ‘controller’ as contemplated in article 4 (7) GDPR.
- The Customer is the owner of any rights concerning Customer Data.
- The Customer will inform the Processor without delay if it detects any errors or irregularities in conjunction with the processing of Customer Data by the Processor.
- In the event that third parties assert claims against the Processor due to the processing of Customer Data, the Customer will indemnify the Processor against any such claims upon first request.
5. Processor’s obligations
- The Processor will ensure and regularly check that the processing of Customer Data within the scope of services under the Main Contract within its area of responsibility, which includes the sub-processors referred to in section 9 hereof, is carried out in accordance with the provisions of this Addendum.
- The Processor is obliged to appoint a competent and reliable data protection officer who is able to perform his tasks in accordance with Articles 37, 38 and 39 GDPR if and as long as the legal requirements for an obligation to designate such an officer are met. The contact details of such data protection officer will be provided to the Customer on request.
- Pursuant to article 28 (3) sentence 2 lit. b GDPR, the Processor will oblige in writing all persons who, pursuant to the contract, have access to personal Customer Data to maintain data secrecy and will instruct them in the special data protection obligations arising from this Addendum and about the existing instruction and/or purpose limitation.
- The Processor may not make copies or duplicates of Customer Data in the course of processing the order without the Customer’s prior consent. However, this does not include copies in as far as they are required to ensure proper data processing and the proper provision of services in accordance with the Main Contract (including data backup), as well as copies required to comply with statutory storage obligations.
- The Processor is obliged to assist the Customer in the fulfillment of its statutory obligations within the scope of what is reasonable and necessary and against reimbursement of the expenses and costs incurred by the Processor in conjunction with such assistance. This includes compliance with technical and organizational measures, reporting data breaches to the supervisory authority and data subjects, conducting data protection impact assessments and prior consultation with the competent supervisory authority.
- The Processor is obliged to provide the Customer with all necessary information, including certifications as well as test and inspection results, which serve as proof of compliance with the obligations laid down in this Addendum.
6. Technical and organizational measures
- Before commencing the processing of Customer Data, the Processor will implement the technical and organizational measures listed in Annex 2 to this Addendum and maintain them during the term hereof.
- Since the technical and organizational measures are subject to technical progress and technological development, the Processor will be permitted to implement alternative and adequate measures provided that such measures are in line with the security level of the measures specified in Annex 2. The Processor will document such changes. Significant changes to the measures are subject to the Customer’s prior consent and must be documented by the Processor and made available to the Customer on request.
7. Infringements by the Processor to be notified
- The Processor will inform the Customer promptly if it discovers that it or an employee has violated data protection regulations or provisions of this Addendum during the processing of Customer Data, provided there is a personal data breach for the Customer as contemplated in Article 4 (12) GDPR.
- In so far as the Customer is subject to statutory information obligations as a result of an incident pursuant to paragraph (1) above due to the unlawful acquisition of Customer Data (in particular, pursuant to articles 33 and 34 GDPR), the Processor will support the Customer in the fulfillment of the information obligations at its request within the bounds of what is reasonable and necessary against reimbursement of the expenses and costs incurred by the Processor as a result hereof.
8. Customer’s inspection rights
- Before data processing begins and at regular intervals thereafter, the Customer will at its own expense satisfy itself of the technical and organisational measures taken by the Processor in accordance with Annex 2 and will document the result thereof. For this purpose, the Customer may obtain information from the Processor itself, request presentation of an attestation from an expert or, after arranging an appointment in good time, convince itself personally while strictly observing the Processor’s business and trade secrets and without disrupting business operations. The Processor undertakes to provide appropriate support for the inspection carried out by the Customer and to tolerate all necessary inspection measures.
- The Processor undertakes to provide the Customer, upon written request and within a reasonable period of time, with all information which may be necessary to carry out an inspection.
- The Processor is entitled, at its own discretion and taking into account the Customer’s legal obligations, not to disclose information which is sensitive with regard to the Processor’s business transactions or if disclosure of such information would cause the Processor to breach legal or other contractual obligations. The Customer is not entitled to access data or information concerning the Processor’s other customers, information concerning costs, quality inspection and contract management reports, or any other confidential data of the Processor which is not directly relevant for the agreed inspection purposes.
- The Customer will inform the Processor in good time (as a rule at least two weeks in advance) of all circumstances related to the performance of the inspection. As a rule, the Customer may carry out one inspection per calendar year. This does not affect the Customer’s right to carry out further inspections in the event of special circumstances.
- In the event that the Customer commissions a third party to carry out the inspection, the Customer will place such third party under the same written obligation as the Customer has assumed in relation to the Processor under this section 10 of this Addendum. In addition, the Customer is required to oblige the third party to maintain secrecy and confidentiality, unless such third party is already subject to a professional duty of confidentiality. When requested by the Processor, the Customer will immediately submit to the Processor the obligation agreements with such third party. The Customer may not appoint a competitor of the Processor to carry out the inspection.
- In place of on-site inspection, the Processor may elect to furnish proof of its compliance with the technical and organisational measures as laid down in Annex 2 by presenting a suitable up-to-date audit certificate, reports or extracts from reports by bodies independent of the Processor (e.g. auditor, internal audit, data protection officer, IT security department, data protection auditors or quality auditors) or suitable certification in the form of an IT security or data protection audit – e.g. in accordance with BSI baseline protection (‘audit report’) – if the audit report enables the Customer to satisfy itself in a reasonable manner that the technical and organisational measures in accordance with Annex 2 to this Addendum are complied with.
9. Sub-contracting
- The Processor may establish sub-contracting relationships with regard to the processing of the Customer Data subject to the Customer’s prior written consent. The Customer may only refuse such prior consent for good cause, which must be proven to the Processor. On request, the Processor will provide the Customer with an up-to-date overview of the sub-contracted processors involved. In the event of written approval, the Processor will always inform the Customer of any intended change with regard to the involvement or replacement of other processors.
- The sub-processors designated in Annex 3 are deemed to have been approved by the Customer.
- In the event that a sub-processor is employed, the Processor will, by means of a contract or any other legal instrument under Union law or the law of the member state concerned, impose on such sub-processor the same data protection obligations as those laid down herein. Should a sub-processor fail to comply with the obligations laid down in this Addendum or breach any data protection rules, the Processor will be liable to the Customer for compliance with such sub-processor’s obligations.
- Third-party services retained by the Processor for performing ancillary services to support the performance hereof are not deemed to constitute sub-contracting relationships within the meaning of this provision. Such services include, in particular, telecommunications services, security services, maintenance and user services, cleaning staff, auditors and the disposal of data media. The Processor is, however, obliged to make and enter into suitable law-compliant contractual agreements and to implement control measures in order to ensure the protection and safety of the Customer's data even in the case of ancillary services awarded to external parties.
10. Rights of data subjects
- The rights of persons affected by the data processing must be asserted against the Customer.
- In the event that a data subject contacts the Processor directly in order to exercise their rights under articles 12 to 22 GDPR regarding the data concerning them, the Processor will refer the data subject to the Customer.
- In the event that a data subject asserts their rights pursuant to articles 12 to 22 GDPR, the Processor will assist the Customer in the enforcement of these claims to a reasonable extent and to the extent necessary for the Customer if the Customer is unable to fulfil such claims without the Processor’s cooperation. The Customer will reimburse the Processor for any additional expenditure.
- The Processor will enable the Customer to correct, erase or block Customer Data or, when requested by the Customer, will perform such correction, blocking or erasure itself if and to the extent that the Customer is unable to do so itself.
11. Return and erasure of Customer Data provided
- The Processor will return or erase, as elected by the Customer, all Customer Data after the contractual service provided ceases (in particular, upon any form of termination of the Main Contract) and will destroy existing copies, unless there is a legal obligation to store such data.
- The Processor will draw up a report on the erasure or destruction of Customer Data, which will be presented to the Customer on request.
- The Processor will retain documentation that serves as proof of correct data processing as contracted, or that is subject to statutory retention periods, beyond termination of this Addendum and in line with the respective retention periods.
12. Miscellaneous provisions
- In the event that this Addendum contains ineffective provisions, the effectiveness of the Addendum as a whole will remain unaffected thereby.
- The services are provided exclusively on the basis of this Addendum. The Addendum therefore also applies to companies for all future business relations, even if it is not once again expressly agreed to. The inclusion of any terms of the Customer that contradict this Addendum is hereby objected to.
- This Addendum is governed by German law to the exclusion of the UN Convention on Contracts for the International Sale of Goods.
- The exclusive place of jurisdiction for all legal disputes arising under this Addendum or in conjunction herewith is the Processor's place of business.
Last update on: November 3rd, 2022
Annex 1 – Customer Data
The Processor will provide the services agreed under this Annex to the Customer solely in accordance with the instructions issued by the Customer and on the basis of the agreement made and entered into by and between the parties concerning the processing of personal data.
The Processor will process the following personal data on behalf of the Customer for the purposes mentioned below:
Type of data: Browser data (IP, User Agent, Referrer)
Purpose of data processing: Used for statistical evaluation of user behaviour to improve the service
Group of data subjects: Visitors to the Customer's website where the Styla solution is integrated
Type of data: Customer Data
Purpose of data processing: Customer Service
Group of data subjects: Individuals on the customer side interacting with Styla
Annex 2 – Technical and organisational measures
The Processor will use the services of cloud computing provider Amazon Web Services (hereinafter referred to as AWS) to fulfil its main contractual obligations. By outsourcing and using the hosting service, parts of the technical and organisational measures listed below fall under the responsibility of AWS.
1. Access control
The purpose of access control is to prevent unauthorised persons from gaining access to the processing equipment used in processing.
AWS is responsible for compliance with this technical and organisational measure which is laid down in No. 5 of the sub-contracting agreement between the Processor and AWS.
2. Data medium control
The purpose of data medium control is to prevent unauthorised persons from reading, copying, modifying or erasing data media.
AWS is responsible for compliance with this technical and organisational measure which is laid down in No. 5 of the sub-contracting agreement between the Processor and AWS.
3. Storage control
The purpose of storage control is to prevent unauthorised persons from accessing stored personal data as well as from entering, modifying or erasing such data.
- Authorisations defined in the IT systems
- Differentiated read, erase and modify authorisations
- Differentiated authorisations for data, applications and operating system
- Rights managed by system administrators
- Number of administrators reduced to the ‘bare minimum’
- Password policy including password length, password change
- Logging of access to applications
4. User control
The purpose of user control is to prevent unauthorised persons from using automated processing systems by means of data transmission.
- Determination of employees authorised to access
- User profiles
- Assignment of passwords
- Authentication with username/password
- Regular checking of authorisations
- Revocation of authorisation of departing employees
- Assignment of user profiles to IT systems
- Use of encryption technology
- Use of anti-virus software
5. Access control
The purpose of access control is to ensure that persons authorised to use an automated processing system have access only to the personal data covered by their access authorisation.
- Authorisations defined in the IT systems
- Differentiated read, erase and modify authorisations
- Differentiated authorisations for data, applications and operating system
- Rights managed by system administrators
- Number of administrators reduced to the ‘bare minimum’
- Password policy including password length, password change
- Logging of access to applications
6. Transfer control
The purpose of transfer control is to ensure that it is possible to verify and establish to which bodies personal data has been or may be transferred or made available by means of data transfer equipment.
- Installation of dedicated lines or encryption technologies
- Overview of regular retrieval and transmission processes
- Documentation of the recipients of data and the time periods of the planned transfer or agreed upon erasure periods
7. Input control
The purpose of input control is to ensure that it is possible to later verify and establish which personal data has been input or modified in automated processing systems, at what time and by whom.
- Logging of the input
- Overview showing which applications can be used to enter, change and erase which data
- Allocation of rights to enter, change and erase data on the basis of an authorisation concept
8. Transport control
The purpose of transport control is to ensure that the confidentiality and integrity of data is protected during the transmission of personal data and the transport of data media.
- Installation of dedicated lines or encryption technologies
9. Restorability
The purpose of restorability is to ensure that systems in use can be restored in the event of failure.
AWS is responsible for compliance with this technical and organisational measure which is laid down in No. 5 of the sub-contracting agreement between the Processor and AWS.
10. Reliability
The purpose of reliability is to ensure that all functions of the system are available and that any malfunctions that occur are reported.
AWS is responsible for compliance with this technical and organisational measure which is laid down in No. 5 of the sub-contracting agreement between the Processor and AWS.
11. Data integrity
The purpose of data integrity is to ensure that stored personal data cannot be damaged by a system malfunction.
AWS is responsible for compliance with this technical and organisational measure which is laid down in No. 5 of the sub-contracting agreement between the Processor and AWS.
12. Contract control
The purpose of contract control is to ensure that personal data processed under contract can only be processed in accordance with the Customer’s instructions.
- Selection of the sub-processor on the basis of due diligence (especially with regard to data security)
- Prior examination of the documentation of the security measures taken by the sub-processor
- Obligation of the employees of the sub-processor to maintain data secrecy (Article 28 (3) sentence 2 lit. b GDPR)
- Sub-processor has appointed a Data Protection Officer
- Destruction of data after completion of the contract ensured
- Effective control rights agreed with the sub-processor
- Monitoring of compliance with data protection regulations
- Ongoing review of the sub-processor and its activities
13. Availability control
The purpose of availability control is to ensure that personal data is protected against destruction or loss.
AWS is responsible for compliance with this technical and organisational measure which is laid down in No. 5 of the sub-contracting agreement between the Processor and AWS.
14. Separability
The purpose of separability is to ensure that personal data collected for different purposes can be processed separately.
- Logical client separation (at the software end)
- Preparation of an authorisation concept
Annex 3 – Authorized sub-processors
These can be found at:
https://www.styla.com/legal/dpa/sub-processors