Personal Data Protection Agreement (Auftragsverarbeitungsvertrag)
Personal Data Protection Agreement (AVV) according to Art. 28 GDPR (General Data Protection Regulation)
1. Subject and Duration of the Agreement
This Data Processing Agreement (Auftragsverarbeitungsvertrag, "AVV") governs the rights and obligations of the Controller (Client) and the Processor (Elvedin Selimović) in connection with the processing of personal data on behalf of the Controller, as defined in Art. 28 GDPR.
The duration of this agreement corresponds to the duration of the service contract between the parties.
2. Scope and Purpose of Data Processing
The Processor shall process personal data on behalf of the Controller exclusively within the scope and for the purposes defined in the main service contract. Processing includes any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, or erasure.
3. Types of Personal Data Processed
The types of personal data processed depend on the specific project and may include:
- Contact data (name, email address, phone number)
- Technical data (IP addresses, log files)
- User data (usernames, passwords in hashed form)
- Any other data categories as defined in the main service contract
4. Categories of Data Subjects
- Employees and contractors of the Controller
- Customers and users of the Controller's products or services
- Business partners and suppliers
5. Obligations of the Processor
The Processor shall:
a) Process personal data only on documented instructions from the Controller
b) Ensure that persons authorized to process personal data have committed themselves to confidentiality
c) Take all measures required pursuant to Art. 32 GDPR (security of processing)
d) Respect the conditions for engaging sub-processors as referred to in Art. 28(2) and (4) GDPR
e) Assist the Controller in responding to requests for exercising data subject rights
f) Assist the Controller in ensuring compliance with Arts. 32–36 GDPR
g) Delete or return all personal data to the Controller after the end of the provision of services
h) Make available to the Controller all information necessary to demonstrate compliance
6. Sub-Processors
The Processor shall not engage another processor (sub-processor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes.
7. Data Transfers
Any transfer of personal data to a third country or an international organization shall only take place on documented instructions from the Controller and in compliance with Chapter V of the GDPR.
8. Technical and Organizational Measures
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data where applicable
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience
- Ability to restore the availability and access to personal data in a timely manner
- Regular testing, assessing, and evaluating the effectiveness of measures
9. Notification of Data Breaches
The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach, providing all necessary information as required by Art. 33(3) GDPR.
10. Audit Rights
The Controller shall have the right to conduct audits, including inspections, to verify the Processor's compliance with this agreement. The Processor shall make all necessary information and facilities available.
11. Liability
Liability is governed by Art. 82 GDPR and the terms of the main service contract.
Contact for Data Protection Inquiries:
Elvedin Selimović
Email: contact@elvedinselimovic.de
Note: This is a template AVV. Please consult with a legal professional to ensure full compliance with GDPR and applicable national data protection laws before use.