Data Processing Agreement (DPA)

Between

______________________________
______________________________
______________________________
______________________________

–Controller–

and

LoyJoy GmbH, Kapuzinerstraße 20, 48149 Münster

–Processor–

on data processing pursuant to Art. 28 (3) General Data Protection Regulation (GDPR).

Preamble

The Processor provides the Controller with the cloud platform “LoyJoy” in its current version for the use of chatbots, live chats, and AI agents (including generative AI features) for interaction with the Controller’s customers.

This Data Processing Agreement (“DPA”) governs the resulting data protection obligations of the parties.

This DPA applies in addition to the General Terms and Conditions (GTC) of LoyJoy GmbH.

§ 1 Subject, Duration, and Specification of Data Processing

  1. This contract defines the subject matter and duration of the order, as well as the type and purpose of processing. In particular, the following data are subject to processing (please strike out what is not applicable and add further data if necessary):

| Type of Data | Type and Purpose of Data Processing | Categories of Data Subjects |
| --- | --- | --- |
| IP addresses, email addresses, first name, last name, telephone data, postal address, transcripts of chats with a chatbot and live chat of the Controller | Chatbot or AI agent based on generative AI and live chat for consultation on products and services of the Controller, obtaining marketing consent, conducting surveys, competitions, registration processes, forwarding customer inquiries, handling complaint requests | Customers, prospects, website visitors, employees |

  1. Depending on the process and database, the Controller may configure deletion periods, ranging from 7 to 720 days. An overview of processes and databases is contained in the document “Data Protection”.
  2. Upon request, the Controller may have individual databases deactivated if they are not required.
  3. The term of this agreement corresponds to the term of the subscribed LoyJoy platform plan, unless provisions of this agreement impose obligations beyond that term.

§ 2 Scope and Responsibility

  1. The Processor processes personal data on behalf of the Controller. This includes activities specified in the service description. The Controller is solely responsible, under this agreement, for compliance with the legal requirements of data protection laws, in particular for the lawfulness of the disclosure of data to the Processor and the lawfulness of data processing (»Controller« within the meaning of Art. 4 No. 7 GDPR).
  2. Instructions are issued upon subscription to a LoyJoy cloud plan by the Controller and may thereafter be modified, supplemented, or replaced in text form to the contact designated by the Processor (individual instruction). Oral instructions must be promptly confirmed and documented in text form.

§ 3 Obligations of the Processor

  1. The Processor may process data of data subjects only within the scope of the order and the Controller’s instructions, except in cases under Article 28 (3)(a) GDPR. The Processor shall immediately inform the Controller if it believes that an instruction violates applicable law. In this case, the Processor may suspend execution of the instruction until it has been confirmed or amended by the Controller.
  2. The Processor undertakes, in accordance with Art. 28 GDPR, to structure its internal organization within its area of responsibility to comply with the specific requirements of data protection. It shall implement technical and organizational measures to adequately protect the Controller’s data, meeting the requirements of Art. 32 GDPR. The Processor shall ensure confidentiality, integrity, availability, and resilience of systems and services related to processing on a lasting basis. The specific technical and organizational measures are attached as Annex 1 to this agreement. The Controller is responsible for ensuring these provide an adequate level of protection in relation to the risks of the processed data. The Processor reserves the right to modify security measures, provided that the agreed level of protection is not reduced.
  3. The Processor shall support the Controller, to the extent possible, in fulfilling requests and claims of data subjects pursuant to Chapter III GDPR, and in complying with obligations under Articles 32 to 36 GDPR.
  4. The Processor shall ensure that employees and other persons working for it and engaged in processing the Controller’s data are prohibited from processing the data outside of instructions. The Processor shall also ensure that persons authorized to process personal data are committed to confidentiality or are subject to an appropriate statutory obligation of secrecy. This confidentiality obligation shall continue after termination of the LoyJoy cloud plan.
  5. The Processor shall notify the Controller without undue delay of any personal data breach affecting the Controller’s data. The Processor shall take necessary measures to secure the data, mitigate possible adverse effects for data subjects, and coordinate with the Controller immediately.
  6. The Processor shall designate a contact person for data protection matters under this agreement.
  7. The Processor shall ensure the implementation of a process for regularly testing the effectiveness of technical and organizational measures to ensure processing security (Art. 32 (1)(d) GDPR).
  8. Upon completion of contracted services or earlier upon instruction of the Controller – at the latest upon termination of the main contract – the Processor shall, at the choice of the Controller, delete all personal data processed on behalf of the Controller and confirm this to the Controller, or return all personal data to the Controller and delete existing copies, unless EU or Member State law requires storage.
  9. After expiry of the LoyJoy cloud plan, the Controller may request the transfer of the contractual data. Fees and protective measures for this shall be agreed separately, unless already provided in the contract.
  10. In case of claims against the Controller by a data subject under Art. 82 GDPR, the Processor undertakes to assist the Controller in defending the claim, within its capabilities.
  11. Processing of the Controller’s data shall take place exclusively in the Federal Republic of Germany, in a Member State of the European Union, or in another state party to the Agreement on the European Economic Area. Any transfer to a third country requires the Controller’s prior written consent and may only occur if the special conditions of Articles 44 to 49 GDPR are fulfilled.

§ 4 Obligations of the Controller

  1. The Controller must promptly and fully inform the Processor if it identifies errors or irregularities in the order results regarding data protection provisions.
  2. In the event of claims against the Controller by a data subject under Art. 82 GDPR, § 3(10) shall apply accordingly.
  3. The Controller shall designate a contact person for data protection matters under this agreement.

§ 5 Requests of Data Subjects

  1. If a data subject contacts the Processor with requests for rectification, erasure, or access, the Processor shall refer the data subject to the Controller, provided assignment to the Controller is possible based on the data subject’s information. The Processor shall promptly forward the request to the Controller. The Processor shall support the Controller to the extent possible upon instruction. The Processor shall not be liable if the Controller fails to respond, fails to respond correctly, or fails to respond in time to the data subject’s request.

§ 6 Demonstration of Compliance

  1. The Processor shall demonstrate compliance with obligations under this agreement to the Controller by appropriate means.
  2. If, in individual cases, inspections by the Controller or an auditor appointed by the Controller are required, they shall be conducted during regular business hours, without disrupting business operations, upon prior notice with reasonable lead time. The Processor may make such inspections subject to prior notice with reasonable lead time and to the signing of a confidentiality agreement regarding the data of other clients and implemented technical and organizational measures. If the auditor appointed by the Controller is in a competitive relationship with the Processor, the Processor shall have a right of objection. Inspections shall be limited for the Processor to one day per calendar year.
  3. If a data protection authority or other supervisory authority of the Controller carries out an inspection, paragraph 2 shall apply accordingly. Signing a confidentiality agreement is not required if the authority is subject to professional or statutory confidentiality obligations where violations are punishable under criminal law.

§ 7 Sub-Processors (Further Data Processors)

  1. Use of sub-processors is only permitted with prior consent of the Controller. Consent may not be unreasonably withheld for data protection reasons. Sub-processing relationships refer to services directly related to the provision of the main service. Ancillary services, such as telecommunications, postal/transport, cleaning, or security services, are not considered sub-processing. Maintenance and testing services constitute sub-processing if provided for IT systems related to services under this contract.
  2. A sub-processing relationship requiring consent exists when the Processor commissions another processor with all or part of the agreed services. The Processor shall enter into agreements with such third parties to ensure adequate data protection and information security measures.
  3. If the Processor engages sub-processors, it is the Processor’s responsibility to transfer its data protection obligations under this contract to the sub-processor.

§ 8 Duty to Inform

  1. If the Controller’s data at the Processor is endangered by seizure, confiscation, insolvency or composition proceedings, or other events or measures by third parties, the Processor shall inform the Controller immediately. The Processor shall immediately notify all relevant parties that ownership and control of the data lie exclusively with the Controller as the “Controller” within the meaning of the GDPR.

§ 9 Liability and Damages

Controller and Processor shall be liable to data subjects in accordance with Art. 82 GDPR.

§ 10 Final Provisions

  1. Amendments and supplements to this agreement and all its components – including any assurances by the Processor – must be made in text form, with explicit reference to the fact that these are amendments or supplements to these terms. This also applies to any waiver of this form requirement.
  2. In the event of any contradictions, the provisions of this data protection agreement shall take precedence over provisions of any main contract. If individual provisions of this agreement are invalid, the validity of the remaining provisions shall not be affected.
  3. German law shall apply.

LoyJoy GmbH – Processor –

Place, Date: ________________________ Signature: ________________________

Controller

Place, Date: ________________________ Signature: ________________________

Place, Date: ________________________ Signature: ________________________

Annex 1

This DPA includes an annex with the technical and organizational measures pursuant to Art. 32 GDPR.

Annex 2

This DPA includes an annex with the sub-processors of LoyJoy GmbH.