Services
contact us

Agreement on Data Processing pursuant to Art. 28 GDPR

  1. General Provisions and Subject Matter

    This Data Processing Agreement pursuant to Article 28 GDPR supplements the General Terms and Conditions of alkima as well as the Main Agreement concluded between the Parties. Unless otherwise provided in this Agreement, the General Terms and Conditions of alkima shall apply in addition. The current version is available on the alkima website.

    The subject matter of this Agreement is the processing of personal data by alkima on behalf of the Client in accordance with Article 28 GDPR.

    The subject matter, scope and purpose of the processing, as well as the categories of personal data and data subjects, are set out in Appendix 1 and the respective Main Agreement.

    The Client acts as the Controller within the meaning of Article 4(7) GDPR and is responsible for the lawfulness of the processing of personal data as well as for safeguarding the rights of data subjects.

    alkima shall process personal data solely on documented instructions from the Client, unless processing is required by the laws of the European Union or a Member State to which alkima is subject. In such cases, alkima shall inform the Client of that legal requirement before processing, unless the applicable law prohibits such notification on important grounds of public interest.

    Processing of personal data shall generally take place within the European Union or the European Economic Area.

    Where processing is carried out in a third country or by a Subprocessor located in a third country, such processing shall only take place where the requirements of Articles 44 et seq. GDPR are fulfilled and an adequate level of data protection is ensured. Where required, appropriate safeguards, including adequacy decisions of the European Commission, the EU Standard Contractual Clauses or any other lawful transfer mechanism under the GDPR, shall be used.

    The remuneration for the services provided by alkima shall be governed exclusively by the respective Main Agreement and is not subject to this Data Processing Agreement.

  2. Term and Termination

    This Agreement shall enter into force upon conclusion of the Main Agreement or upon the commencement of the processing of personal data on behalf of the Client and shall remain in effect for the duration of such processing.

    This Agreement shall automatically terminate upon termination of the Main Agreement, unless statutory retention or documentation obligations require individual provisions to remain in effect.

    The right of either Party to terminate this Agreement for good cause shall remain unaffected.

    Good cause shall exist in particular where a Party materially or repeatedly breaches this Agreement or applicable data protection laws and fails to remedy such breach within a reasonable period after being requested to do so, or where the continuation of the contractual relationship can no longer reasonably be expected due to data protection requirements.

    Following termination of the processing activities, the obligations regarding the deletion or return of personal data as well as any applicable statutory retention obligations shall continue to apply.

  3. Instructions of the Client

    alkima shall process personal data exclusively on the documented instructions of the Client, unless processing is required by applicable law.

    If alkima considers an instruction issued by the Client to be unlawful or in breach of applicable data protection laws, alkima shall inform the Client without undue delay. Until the instruction has been confirmed or amended by the Client, alkima shall be entitled to suspend its execution.

    Instructions shall be issued at least in text form. Instructions may, in particular, be provided by email or through jointly used project management or communication systems. Verbal instructions shall be confirmed by the Client in text form without undue delay upon request by alkima.

    Upon request, the Client shall designate one or more persons authorised to issue instructions. Any changes to such authorised persons shall be communicated to alkima without undue delay.

    Instructions exceeding the originally agreed scope of services or resulting in additional effort shall be remunerated separately, unless such additional effort is attributable to a breach of obligations by alkima.

  4. Audit Rights

    The Client shall be entitled to verify compliance with the applicable data protection laws and the obligations set out in this Agreement or to have such verification carried out by an independent third party bound by confidentiality.

    Upon request, alkima shall provide the Client with all information necessary to demonstrate compliance with its obligations under Article 28 GDPR. Such information may include, in particular, appropriate documentation of the implemented technical and organisational measures as well as available certifications, audit reports or comparable evidence.

    On-site audits shall only be permitted where the information, certifications or audit reports provided by alkima are insufficient to demonstrate compliance or where there is a specific and justified reason for a further inspection. Such audits shall generally be conducted during normal business hours upon reasonable prior notice, unless the purpose of the audit would be defeated by prior notification.

    The Client shall bear the costs of any audit unless the audit reveals a material breach of applicable data protection laws or of this Agreement for which alkima is responsible.

    Both Parties shall document the material findings of any audit and any resulting corrective measures in an appropriate manner.

  5. General Obligations of alkima

    alkima shall process personal data exclusively within the scope of the contractual agreements, the documented instructions of the Client and in compliance with the applicable data protection laws.

    alkima shall ensure that all persons authorised to process personal data are bound by confidentiality or are subject to an appropriate statutory duty of confidentiality and are granted access to personal data only to the extent necessary for the performance of their respective duties.

    alkima shall implement appropriate technical and organisational measures in accordance with Article 32 GDPR to ensure a level of security appropriate to the risks associated with the processing. The technical and organisational measures in place at the time of conclusion of this Agreement are set out in Appendix 2.

    alkima shall regularly review the technical and organisational measures and adapt them where necessary to reflect technical, organisational or legal developments. Any such changes shall not reduce the agreed level of protection.

    Where required by law, alkima shall maintain a record of processing activities in accordance with Article 30(2) GDPR.

    Where alkima is legally required to appoint a Data Protection Officer, it shall ensure that such appointment has been made and shall provide the Client with the relevant contact details upon request.

    The processing of personal data from home offices or other locations outside alkima's business premises shall be permitted, provided that appropriate technical and organisational measures are implemented to ensure that the agreed level of data protection is maintained at all times.

  6. Technical and Organisational Measures

    alkima has implemented appropriate technical and organisational measures in accordance with Article 32 GDPR to ensure a level of security appropriate to the risks associated with the processing of personal data. The technical and organisational measures in place at the time of conclusion of this Agreement are set out in Appendix 2.

    alkima shall be entitled to adapt the technical and organisational measures to reflect the state of the art as well as technical, organisational or legal developments, provided that the agreed level of protection is not reduced.

    Upon request, alkima shall provide the Client with appropriate information regarding any material changes to the technical and organisational measures that may affect the level of data protection.

  7. Assistance Obligations of alkima

    alkima shall assist the Client, taking into account the nature of the processing and the information available to alkima, in fulfilling the Client's obligations under Article 28(3)(e) and (f) GDPR, in particular with regard to the rights of data subjects and the obligations set out in Articles 32 to 36 GDPR, where such assistance is required by law.

    Where such assistance exceeds the contractually agreed scope of services and is not the result of a breach of obligations by alkima, alkima shall be entitled to charge reasonable additional remuneration in accordance with the agreed rates or, where no such rates have been agreed, on a time and material basis.

    alkima shall inform the Client without undue delay if it becomes aware of any circumstances that may impair or jeopardise the proper processing of personal data on behalf of the Client.

  8. Subprocessors

    alkima shall be entitled to engage Subprocessors for the performance of its contractual obligations.

    The Subprocessors engaged at the time of the conclusion of this Agreement are listed in Appendix 3.

    alkima shall ensure that any Subprocessor is contractually bound by data protection obligations that provide a level of protection equivalent to that set out in this Agreement and in Article 28 GDPR.

    alkima shall remain fully responsible to the Client for the performance of the data protection obligations of its Subprocessors.

    alkima shall inform the Client in advance, in text form, of any intended addition or replacement of a Subprocessor.

    The Client may object to such change within fourteen (14) calendar days of receipt of the notification, provided the objection is based on legitimate data protection grounds.

    If no objection is raised within this period, the new or replacement Subprocessor shall be deemed approved.

    The engagement of service providers whose services do not directly relate to the processing of personal data under this Agreement, in particular providers of telecommunications, postal, transport, maintenance, support or other ancillary services, shall not constitute the engagement of a Subprocessor, provided that appropriate measures are implemented to ensure the protection of personal data.

  9. Personal Data Breaches and Other Data Protection Obligations

    alkima shall assist the Client, taking into account the nature of the processing and the information available to alkima, in fulfilling the obligations set out in Articles 32 to 36 GDPR.

    In particular, alkima shall:

    • notify the Client without undue delay of any Personal Data Breach relating to the processing carried out under this Agreement;
    • provide the Client with all available information required to fulfil its legal notification and communication obligations;
    • reasonably assist the Client in investigating, containing and remedying Personal Data Breaches;
    • assist the Client in carrying out Data Protection Impact Assessments and, where required, prior consultations with the competent supervisory authority.

    Where such assistance exceeds the contractually agreed scope of services and is not the result of a breach of obligations by alkima, alkima shall be entitled to charge reasonable additional remuneration.

  10. Deletion and Return of Personal Data

    Upon termination of the Main Agreement or upon the documented instruction of the Client, alkima shall, at the Client's choice, return or securely delete all personal data processed on behalf of the Client, unless applicable law requires continued storage.

    Statutory retention obligations and personal data contained in backup copies shall remain unaffected. Such data may only be processed for the purposes permitted by law and shall be deleted once the applicable retention periods have expired.

    Upon request, alkima shall confirm the deletion of the personal data, provided that such confirmation is technically and organisationally feasible.

    Documentation required to demonstrate proper and lawful processing may be retained by alkima for the duration of the applicable statutory retention periods.

  11. Final Provisions

    This Agreement shall enter into force upon conclusion of the Main Agreement and shall automatically terminate upon termination of the Main Agreement, unless statutory retention or documentation obligations require individual provisions to remain in effect.

    The right of either Party to terminate this Agreement for good cause shall remain unaffected.

    Any amendments or additions to this Agreement shall be made in text form, unless a stricter form is required by applicable law.

    This Agreement shall be governed exclusively by the laws of Malta.

    If the Client is a merchant, a legal entity under public law or a special fund under public law, the exclusive place of jurisdiction for all disputes arising out of or in connection with this Agreement shall be the registered office of alkima.

Appendix 1 to the contract in accordance with Article 28 GDPR: Processing Details

Subject Matter of the Processing

alkima processes personal data solely within the scope of the services agreed between the Parties. The nature, scope and purpose of the processing are determined by the respective Main Agreement, the corresponding offer or the applicable service description.

The processing may include, in particular, the following services:

  • Web development and software development
  • Development and maintenance of websites, online shops and web applications
  • Web hosting
  • Managed servers
  • Managed hosting
  • Storage and backup services
  • Domain registration and domain management
  • Email hosting
  • Email archiving
  • Email encryption
  • Email security services
  • Managed Microsoft 365
  • Cloud and infrastructure services
  • Server administration and system maintenance
  • Technical support and troubleshooting
  • Maintenance and support services
  • IT consulting
  • Digital transformation consulting
  • Business consulting
  • Project management
  • Technical migrations
  • Data migrations
  • Custom software development
  • API development and system integrations
  • Any other IT services agreed in the Main Agreement

alkima shall process personal data solely for the purpose of providing the contractually agreed services and only in accordance with the documented instructions of the Client.

Nature of the Processing

Depending on the agreed services, the processing may include in particular:

  • collection
  • recording
  • organisation
  • structuring
  • storage
  • adaptation
  • alteration
  • retrieval
  • consultation
  • use
  • disclosure by transmission
  • making available
  • alignment
  • combination
  • restriction
  • erasure
  • destruction

within the meaning of Article 4(2) GDPR.

Categories of Personal Data

Depending on the agreed services, the following categories of personal data may be processed:

  • personal master data
  • contact details
  • communication data
  • contract data
  • billing and payment data
  • user account data
  • authentication data
  • log and usage data
  • IP addresses
  • content data, including files, documents, databases, website content and emails
  • configuration and system data
  • backup data
  • any other personal data provided by the Client in connection with the agreed services

Special categories of personal data pursuant to Article 9 GDPR and personal data relating to criminal convictions and offences pursuant to Article 10 GDPR are generally not subject to processing unless expressly agreed between the Parties.

Categories of Data Subjects

Depending on the agreed services, the processing may concern in particular:

  • customers of the Client
  • prospective customers of the Client
  • visitors to websites or online shops operated by the Client
  • users of the Client's systems or applications
  • employees of the Client
  • contact persons of the Client
  • suppliers and business partners of the Client
  • applicants, where relevant to the agreed services

Duration of the Processing

The processing shall be carried out for the duration of the respective Main Agreement or for as long as necessary to perform the agreed services or to comply with applicable statutory retention obligations.

Appendix 2 to the contract in accordance with Article 28 GDPR: Technical and Organisational Measures pursuant to Article 32 GDPR

Purpose Limitation and Separation

To ensure purpose limitation and the separation of personal data, the following measures are implemented in particular:

  • role based access and authorisation concepts
  • logical separation of customer data where technically required
  • separation of production, test and development environments where technically required
  • restriction of access to personal data based on the intended processing purpose
  • processing of personal data exclusively in accordance with documented instructions

Confidentiality and Integrity

Physical Access Control

Measures to prevent unauthorised access to data processing facilities:

  • secured business premises
  • access limited to authorised persons
  • visitors are accompanied where appropriate
  • secure data centres operated by the respective infrastructure and hosting providers

System Access Control

Measures to prevent unauthorised access to IT systems:

  • personalised user accounts
  • secure password policies
  • multi factor authentication (MFA), where technically available
  • automatic screen locking
  • encrypted end devices
  • endpoint protection and malware protection
  • regular security updates
  • restriction of administrative privileges according to the principle of least privilege

Data Access Control

Measures to restrict access to personal data:

  • role based access permissions
  • principle of least privilege
  • regular review of user permissions
  • deactivation of obsolete user accounts
  • logging of administrative access
  • encrypted storage of personal data where technically feasible

Input Control

Measures to ensure traceability of data processing activities:

  • logging of relevant modifications
  • user specific traceability
  • documentation of administrative activities
  • version control where supported by the respective systems

Processor Control

Measures to ensure processing in accordance with instructions:

  • conclusion of data processing agreements pursuant to Article 28 GDPR
  • careful selection of Subprocessors
  • regular review of data protection requirements
  • confidentiality obligations for all employees
  • regular data protection awareness and training

Availability and Resilience

Measures to ensure the availability of personal data include in particular:

  • regular backups in accordance with the agreed services
  • backup and recovery procedures
  • redundant cloud and server infrastructures where included in the agreed services
  • monitoring of critical systems
  • patch and vulnerability management
  • protection against malware
  • use of uninterruptible power supplies and redundant infrastructure by the respective data centre providers
  • documented business continuity and disaster recovery procedures

Procedures for Regular Review

To ensure the ongoing effectiveness of the technical and organisational measures, alkima performs in particular:

  • regular review of the technical and organisational measures
  • installation of security updates
  • regular review of access and authorisation concepts
  • employee awareness and data protection training
  • review of Subprocessors
  • documentation of essential security measures
  • incident management procedures for security incidents
  • continuous adaptation of the technical and organisational measures to reflect the current state of the art

Appendix 3 to the contract in accordance with Article 28 GDPR: Subprocessors

The following Subprocessors are engaged by alkima at the time this Agreement is concluded:

  • alkima GmbH, Colmarer Str. 12, 65203 Wiesbaden, Germany
  • 23M GmbH, Johann-Krane-Weg 18, 48149 Münster, Germany
  • aifinyo AG, Friedrichstraße 94, 10117 Berlin, Germany
  • Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855 Luxembourg
  • Atlassian Pty Ltd, Level 6, 341 George Street, Sydney NSW 2000, Australia
  • Cloudflare, Inc., 101 Townsend Street, San Francisco, CA 94107, United States
  • consentmanager GmbH, Eppendorfer Weg 183, 20253 Hamburg, Germany
  • Dropbox International Unlimited Company, One Park Place, Floor 5, Upper Hatch Street, Dublin 2, Ireland
  • eRecht24 GmbH & Co. KG, Lietzenburger Straße 94, 10719 Berlin, Germany
  • Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee, Germany
  • GitHub, Inc., 88 Colin P. Kelly Jr. Street, San Francisco, CA 94107, United States
  • Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, D04 E5W5, Ireland
  • Heinlein Hosting GmbH, Schwedter Straße 8/9A, 10119 Berlin, Germany
  • Hetzner Online GmbH, Industriestraße 25, 91710 Gunzenhausen, Germany
  • Hornetsecurity GmbH, Am Listholze 78, 30177 Hannover, Germany
  • Host Europe GmbH, Hansestraße 111, 51149 Cologne, Germany
  • InterNetX GmbH, Johanna-Dachs-Straße 55, 93055 Regensburg, Germany
  • Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
  • sipgate GmbH, Gladbacher Straße 74, 40219 Düsseldorf, Germany
  • Zoom Communications, Inc., 55 Almaden Boulevard, Suite 600, San Jose, CA 95113, United States

The above listed Subprocessors are engaged at the time this Agreement is concluded. alkima is entitled to appoint additional Subprocessors or replace existing Subprocessors. The Client shall be informed of such changes in advance in text form. The Client may object to the intended change within fourteen (14) calendar days after receipt of the notification if the objection is based on legitimate data protection grounds. If no objection is raised within this period, the change shall be deemed approved.

Contact us

We would be happy to advise you and find the perfect solution for you. Let yourself be inspired by our ideas!

Footer contact image
contact us