Data Processing Agreement – Eliteair
1. General
For the data processing activities, the parties agree to the following provisions on the commissioned processing of personal data, which shall supplement the Eliteair Terms of Use (ToU) (Data Processing Agreement, “DPA”) until further notice.
The DPA does not apply if the Customer is a natural person using the Software or the Services in the course of a purely personal or family activity (cf. Art. 2(2)(c) EU General Data Protection Regulation, “GDPR”).
The provisions of this DPA and the ToU, concluded at the same time, complement each other and exist side by side. In the event of any contradictions regarding data protection, the DPA shall take precedence over the ToU.
2. Rights and obligations of Eliteair
2.1. Compliance with applicable laws
The obligations of Eliteair shall arise from this DPA and the applicable laws. The applicable laws shall, in particular, include the EU General Data Protection Regulation (“GDPR”) and, where relevant, the German Federal Data Protection Act, as well as the French Data Protection Act (“Loi Informatique et Libertés”). Eliteair and the Customer acknowledge that, as Eliteair is established in France, the competent supervisory authority for data protection matters is the Commission nationale de l’informatique et des libertés (CNIL). This DPA shall therefore comply with both the GDPR and the Loi Informatique et Libertés.
2.2. Processing instructions only
To the extent this DPA is applicable, Eliteair shall only process personal data within the scope of this DPA and on documented instructions of the Customer, which are mutually agreed upon by the parties in the ToU and primarily defined by the Product functionality, unless Eliteair is required to do so by Union or member state law to which Eliteair is subject; in such a case Eliteair shall inform the Customer of that legal requirement before processing, unless the respective law prohibits such information on substantial grounds of public interest. The Customer can provide additional written instructions as necessary to comply with the applicable data protection law. The documentation on issued instructions shall be kept by the Customer for the term of the DPA.
2.3. Obligation of confidentiality
Eliteair shall ensure that the persons authorized to process the personal data have committed themselves to confidentiality unless they are subject to an appropriate legal obligation of secrecy.
2.4. Security measures according to Art. 32 GDPR
2.4.1. Principle
Eliteair will take the necessary measures for the security of the processing, in accordance with Article 32 of the GDPR (hereinafter referred to as “Security Measures”).
2.4.2. Scope
For the specific commissioned processing of personal data, a level of security appropriate to the risk to the rights and freedoms of the natural persons affected by the processing shall be guaranteed. To this end, the protection objectives of Art. 32 (1) GDPR, such as confidentiality, integrity, and availability of systems and services, and their resilience in terms of the nature, scope, as well as context of the processing shall be taken into account in such a way that the risks are mitigated permanently by appropriate Security Measures.
2.4.3. Changes
The Security Measures are subject to technical progress and further development. Eliteair shall be generally permitted to implement alternative appropriate measures. In doing so, the level of security may not fall below the level existing prior to this DPA on the basis of the Security Measures already implemented or to be implemented.
2.5. Assistance with safeguarding the rights of data subjects
Eliteair shall, taking into account the nature of the processing, assist the Customer as far as possible by appropriate technical and organizational measures in the fulfillment of requests to exercise the rights of affected data subjects as referred to in Chapter III of the GDPR. Should a data subject contact Eliteair directly to exercise the data subject’s rights regarding the data processed on behalf of the Customer (as far as identifiable), Eliteair shall immediately forward such request to the Customer. The Customer shall remunerate Eliteair an hourly rate of 70 Euros for the effort resulting from such assistance, if and as far as permitted by applicable data protection laws.
2.6. Assistance with ensuring compliance with Art. 32 – 36 GDPR
Taking into account the type of processing and the information available to Eliteair, Eliteair shall support the Customer with appropriate technical and organizational measures to comply with the obligations mentioned in Articles 32-36 GDPR, especially with regard to the security of the processing, the notification of personal data breaches, the data protection impact assessment as well as the consultation with supervisory authorities. The Customer shall remunerate Eliteair an hourly rate of 70 Euros for the effort resulting from such assistance, if and as far as permitted by applicable data protection laws.
2.7. Records of processing activities
Eliteair will provide the Customer with the information necessary to maintain the records of processing activities.
2.8. Deletion and return at the end of processing
At the choice of the Customer, Eliteair shall delete or return the personal data that is processed on behalf of the Customer, if and to the extent that the law of the European Union or a member state to which Eliteair is subject does not provide for an obligation to store the data.
2.9. Information to demonstrate compliance with data protection obligations and inspections
Eliteair shall provide the Customer with all information necessary to demonstrate compliance with the obligations resulting from Sections 2 and 3 of this DPA.
If and insofar as there are objectively justified indications of a violation of this DPA or of data protection regulations by Eliteair, Eliteair will enable and contribute to additional audits, including inspections, which are carried out by the Customer or by a qualified auditor appointed by the Customer. When conducting the inspection, the Customer will not disrupt Eliteair’s operations in a disproportionate manner.
2.10. Obligation to notify in case of doubts about instructions
Eliteair shall inform the Customer immediately if Eliteair is of the opinion that the execution of an instruction could lead to a violation of the applicable data protection law. Eliteair is entitled to suspend the execution of the relevant instruction until it is confirmed in writing or changed by the Customer after the review.
2.11. Obligation to notify breaches
If Eliteair detects violations of the applicable data protection law, this DPA, or instructions of the Customer regarding the commissioned processing of personal data, Eliteair shall inform the Customer immediately.
2.12. Appointment of a data protection officer
Eliteair has appointed Mr. Saissi as external data protection officer, who can be reached at h.saissi@eliteair.fr.
2.13. Data transfers to a third country
Eliteair will generally only transfer personal data processed within the scope of this DPA to a country outside the EU or the European Economic Area (EEA) for which no adequacy decision of the EU Commission in the sense of Art. 45 para. 3 GDPR exists (“unsafe third country”), provided that:
- the Customer or the Customer’s user gives Eliteair instructions for such a transfer, e.g., by requesting Eliteair to establish a connection to an endpoint located in an unsafe third country (in such cases the Customer is responsible for ensuring that the data transfer is carried out in accordance with Art. 44 et seq. GDPR), or
- Eliteair is obliged to do so according to the law of the European Union or a member state to which Eliteair is subject; in such a case Eliteair will inform the Customer about these legal requirements prior to processing, unless the respective law prohibits such a communication on important grounds of public interest. Furthermore, Eliteair shall be entitled to utilize Subprocessors in a third country to process personal data, insofar as the requirements of Art. 44 GDPR are met.
- Where personal data is transferred to a third country without an adequacy decision, such transfer shall be governed by the European Commission’s Standard Contractual Clauses or equivalent safeguards pursuant to Articles 46 – 49 GDPR.
3. Subprocessors
3.1. Subprocessors engaged upon conclusion of the DPA
Eliteair utilizes the services of a number of other processors (hereinafter, “Subprocessors”). By concluding the DPA, the Customer agrees to the engagement of the Subprocessors at the time of concluding the DPA for the relevant Eliteair Product.
3.2. Notification regarding further Subprocessors
If Eliteair wishes to commission further or other Subprocessors to provide the contractually agreed services (e.g., hosting), such Subprocessors have to be selected with the required care and due diligence. Eliteair shall notify the Customer at least 15 days in advance about the appointment of any new Subprocessors. The Customer has the right to object to the engagement of the Subprocessor by stating objectively comprehensible reasons. If no objection is raised within this period, the new Subprocessor notified accordingly shall be deemed approved. If, in the event of an objection within the deadline, no solution can be reached, either party is entitled to terminate the DPA with a notice period of two (2) weeks. When the termination of the DPA becomes effective, the ToU shall also be considered terminated.
3.3. Subprocessors in third countries
Subprocessors in third countries may only be engaged if the special requirements of Art. 44 et seq. GDPR are fulfilled.
3.4. Obligations of Subprocessors
3.4.1. Structuring Contracts According to the Requirements of the DPA
Eliteair shall structure the contracts with Subprocessors in a way that they comply with the requirements of the applicable data protection laws and this DPA.
3.4.2. Engagement of additional or different Subprocessors
Eliteair shall oblige the Subprocessors not to commission additional or different Subprocessors with the processing of personal data without observing the provisions of section 3.2 towards Eliteair.
3.4.3. Subprocessor guarantees
Eliteair shall contractually impose obligations on the Subprocessors providing sufficient guarantees that the appropriate technical and organizational measures will be implemented in such a way that the processing is carried out in accordance with the requirements of the GDPR and this DPA.
4. Changes to this DPA
Eliteair is generally entitled to amend the provisions of this DPA. Eliteair will inform the Customer about the planned change and the content of the new DPA at least twenty-eight (28) days before such changes become effective. The change is considered approved if the Customer does not object to Eliteair within fifteen (15) days after receipt of this information. If the Customer objects to the change, the DPA continues under the existing conditions.
5. Liability
Reference is made to Art. 82 of the GDPR.
For the rest, it is agreed that the regulations on limitation of liability from the corresponding license agreement shall apply.
Contact Information
EliteAir
32 avenue Philippe Rochat, 06600, Antibes, France
administration@eliteair.fr
+37 7 37 70 21 51
Data Protection Officer: Mr. Saissi (h.saissi@eliteair.fr)