Data Processing Agreement


Fitness Nation GmbH
Bergstr. 18
59394 Nordkirchen, GERMANY

– hereinafter referred to as “Processor”–


the contracting party of the Master Agreement

– hereinafter referred to as “Controller” –

Processor and Controller may hereinafter also be referred to individually as a “Party” or together as the “Parties”.

§ 1 Subject of the Agreement

(1) This Data Processing Agreement (“DPA”) is entered between the Parties concerning the processing of personal data under the Master Agreement (hereinafter “Master Agreement”). Providing Controller with the services under the Master Agreement (“Services”) requires processing of data. If and inasmuch as such data consists of or contains personal data within the meaning of data protection laws, Processor will act as a processor regarding such data, whereas Controller remains the controller regarding such data within the meaning of Art. 28 of the General Data Protection Regulation (hereinafter “GDPR”).

(2) The Services are provided by Processor in such a way that Controller brings its own data, controls the transfer of such data to Processor, and, where the Services are rendered in a Software as a Service model, handles directly the use of such data that has been uploaded onto the Services. Controller agrees and understands that Processor will not monitor Controller’s data or Controller’s use of any such data, unless Controller submits an explicit written request to Processor to access Controller’s data. It is, therefore, the sole responsibility and liability of Controller to ensure that Controller’s data is collected and transmitted to Processor in compliance with applicable data protection laws and, in particular, to have a legal basis for its processing and to properly inform data subjects of the collection and processing of their personal data.

(3) Acting as a processor, Processor will process personal data on Controller’s behalf only in accordance with the provisions of the present DPA and the documented instructions received from Controller. If Processor is required to process personal data otherwise than as instructed by you under Union or Member State law to which it is subject, it shall inform Controller before such processing occurs, unless the law requiring such processing prohibits Processor from informing Controller on an important ground of public interest, in which case Processor shall notify Controller as soon as that law permits it to do so. Processor shall ensure and regularly check that, in its area of responsibility, which includes any sub-processors employed in accordance with the present DPA, the processing of personal data is carried out in accordance with the provisions of the present DPA, with applicable data protection laws, and especially with the GDPR.

§ 2 Details of the Processing

(1) The details of the processing are laid out in the following sections. in addition to the Master Agreement In consideration of Controller’s responsibilities as a controller, also the responsibility to request any further specification of the stipulations of the Master Agreement remains with Controller.

(2) Processor will process personal data to provide the Services as further specified in the Master Agreement.

(3) Processor will generally process personal data for the duration of the Master Agreement and the present DPA, unless otherwise agreed upon in writing.

§ 3 Place of the Processing; Transfer to Third Countries

(1) Controller’s personal data will be processed by Processor at its own or its authorized sub-contractor’s premises. Usually, any processing activities will, therefore, be carried out in the member states of the European Union or in another state that is party to the Agreement on the European Economic Area.

(2) Any processing of personal data outside the EU/EEA shall be permitted only upon prior agreement of the Parties, and only if the conditions of Art 44 et seq. of the GDPR are met.

§ 4 Controller’s Instructions

(1) The Parties agree, and Controller understands that the provisions of the present DPA comprise Controller’s general instructions concerning the processing of personal data under the Master Agreement.

(2) Individual instructions which deviate from the provisions of the present DPA or which impose additional requirements require Processor’s prior consent and are made in accordance with the change procedure agreed in the Master Agreement, if any.

(3) Controller shall ensure that Controller’s specific instructions with relation to personal data comply with data protection laws, and that the processing of personal data in accordance with Controller’s instructions will not cause Processor to be in breach of data protection laws and, in particular, of the GDPR. If Processor is of the opinion that a permissible specific instruction infringes applicable data protection laws, it shall inform Controller thereof as soon as possible. Furthermore, Processor is entitled to suspend the execution of the instruction until Controller confirms the instruction.

(4) Specific instructions from Controller shall in principle be issued in writing or at least in text form by the persons of Controller authorized to do so in accordance with the present DPA. Oral instructions must be confirmed immediately in writing or in text form by Controller in order to be effective.

§ 5 Processor’s Representations

(1) Processor's employees (a) who have access to personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality; (b) shall process personal data only as instructed to by Processor, unless otherwise required to do so by data protection laws; and (c) shall be provided training as necessary from time to time, but no less than once a year, with respect to Processor’s obligations under this DPA, under data protection laws and, in particular, under the GDPR.

(2) Processor shall not make any copies or duplicates of personal data without Controller’s prior consent. However, copies are excluded from this, insofar as they are required to ensure proper data processing and to properly provide the Services (including data backups), as well as insofar as copies are required to comply with statutory retention obligations.

(3) Processor shall appoint a competent and reliable data protection officer if and as long as the legal requirements for an appointment obligation are met. The contact details of such data protection officer will be provided to Controller.

§ 6 Technical and Organizational Measures

(1) Prior to the commencement of the processing, Processor shall implement the technical and organizational measures listed under and maintain them during the term of the present DPA. These are data security measures to ensure a level of protection appropriate to the risk regarding the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purposes of processing as well as the varying likelihood and severity for the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account.

(2) Since the technical and organizational measures are subject to technical progress and technological development, Processor is permitted to implement alternative and adequate measures, provided that the safety level of the measures specified under is not compromised.

§ 7 Appointment of Sub-Processors

(1) Processor may not subcontract processing operations under the Master Agreement without Controller’s prior written consent. Controller hereby grants authorization to Processor to subcontract processing operations to the sub-processors listed under (2) Processor shall impose privacy, confidentiality and data security obligations on any sub-processor that are at least as stringent as those set forth in the present DPA. Where a sub-processor fails to fulfil its data protection obligations with respect to the processing of personal data, Processor shall remain fully liable to Controller for the performance of that sub-processor’s obligations.

(3) Processor shall give Controller written notice of the appointment of any new sub-processor. If, within thirty (30) days of receipt of that notice, Controller notifies Processor in writing of any reasonable objection to the proposed appointment, the Parties shall negotiate in good faith a mutually acceptable alternative. If no such alternative is agreed within two (2) months of the objection, Controller will have the right to terminate the Master Agreement to the extent it relates to Services which require use of the proposed sub-processor.

(4) The Parties agree that ancillary service providers are no processors within the meaning of data protection laws; this includes in particular transport services of postal or courier companies, cash transport services, telecommunication services, security services and cleaning services. However, Processor shall enter into customary confidentiality agreements with such service providers.

(5) The provisions in this § 7 shall also apply if Processor appoints a sub-processor in a third country. Conditional upon Controller’s consent with the appointment of such sub-processor, Controller hereby authorizes Processor to enter into an agreement on behalf of Controller, including the EU standard contract clauses for the transfer of personal data to processors in third countries dated February 5, 2010 or, if applicable, standard data protection clauses issued later by the EU Commission or the competent supervisory authority, with such sub-processor located in a third country.

§ 8 Assistance of Controller

(1) Upon Controller’s written request, Processor will assist Controller in the event of an investigation by or request from a supervisory authority, if and to the extent that such investigation or request relates to the Services. Processor will take steps reasonably requested by Controller to assist Controller in complying with any obligations in connection with such an investigation or request. If an investigation by or a request from a supervisory authority affects Processor itself, it shall inform Controller hereof without undue delay if so permitted and shall co-operate within the course of such investigation or request.

(2) Processor shall inform Controller without delay if it discovers a violation of the protection of personal data in connection with the processing under the present DPA. If Controller is obliged by law to provide information due to a risk to the rights and freedoms of natural persons as a result of such an (in particular but not limited to the information duties according to Art. 33, 34 of the GDPR), Processor shall assist Controller in fulfilling its duties to provide information to the extent reasonable and necessary at the latter's request; inasmuch as Processor is not at fault for the incident, support shall be provided against a remuneration to be calculated in accordance with the Master Agreement.

(3) Processor will cooperate and assist Controller with any data protection impact assessments which are referred to in Art. 35 GDPR or with any regulatory consultations that Controller is legally required to make in respect of such data protection impact assessment in accordance with Art. 36 GDPR, taking into account the nature of the processing and the information made available to Processor. Such assistance shall be made subject to a remuneration to be calculated in accordance with the Master Agreement.

(4) Processor shall notify Controller without undue delay about any complaint, communication or request received directly by Processor from a data subject and pertaining to his or her personal data, without responding to that request, unless Processor has been otherwise authorized to do so by Controller. Processor shall provide Controller with reasonable assistance in relation to any complaint, communication or request received from a data subject, subject to a remuneration to be calculated in accordance with the Master Agreement.

§ 9 Return or Deletion of Personal Data

(1) Upon Controller’s written request during the term of the Master Agreement or upon termination or expiration of the Master Agreement, and when Processor is no longer required to retain all or part of personal data in order to provide the Services, Processor shall, upon respective instruction of Controller, return or destroy such personal data. If data protection laws to which Processor is subject prevent Processor from returning or destroying all or part of personal data, Processor warrants that it will guarantee the confidentiality of personal data and will not actively process personal data anymore, and will guarantee the return or destruction of personal data as requested by Controller when the legal obligation to not return or destroy the personal data is no longer in effect.

(2) Processor shall draw up a report on any erasure or destruction of personal data, which shall be submitted to Controller upon request.

§ 10 Audit Rights

(1) During normal business hours (Monday to Friday from 9 a.m. to 5 p.m.), Controller is entitled to enter Processor’s business premises in which personal data are processed on behalf of Controller, at Controller’s own expense, without disrupting operations and with strict confidentiality of Processor’s trade secrets, in order to audit compliance with the present DPA. Controller shall inform Processor in good time (generally at least two weeks in advance) of all circumstances relating to the execution of an audit.

(2) As a rule, Controller may carry out one inspection per calendar year. This does not affect Controller’s right to carry out further audits in the event of special incidents.

(3) If Controller commissions a third party to carry out the audit, Controller must oblige the third party in writing in the same way as Controller is obligated towards Processor on the basis of the present DPA. In addition, Controller must oblige the third party to secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of Processor, Controller shall provide the latter without delay with the confidentiality agreements concluded with the third party. Controller must not appoint a competitor of Processor to carry out the inspection.

(4) Instead of on-premise audits, the demonstration of compliance with the present DPA may also be verified by adherence to an approved code of conduct in accordance with Art. 40 GDPR, a certification in accordance with an approved certification mechanism in accordance with Art. 42 GDPR and the presentation of appropriate, up-to-date certificates, reports or report extracts from independent bodies (e.g. auditor, revision, data protection officer, IT security department, data protection auditors or quality auditors), or by a suitable certification after an IT security or data protection audit – e.g. according to ISO 27001 – (“Audit Report"), if and inasmuch as the Audit Report allows Controller to convince itself in an appropriate way of Processor’s compliance with the present DPA.

(5) If and inasmuch as Processor did not force an audit by fault, support during such audit shall be provided against a remuneration to be calculated in accordance with the Master Agreement.

§ 11 Miscellaneous Provisions

(1) The present DPA will be governed by the same law as the Master Agreement, and the competent courts agreed between the Parties under the Master Agreement shall have the sole jurisdiction concerning all conflicts arising out of or in connection with the present DPA as well.

(2) No modification or amendment of the present DPA shall be effective unless in writing.

(3) If any provision in this DPA is held by the competent court to be invalid or unenforceable, all other provisions shall remain in full force and effect.

(4) This DPA will become effective as of the effective date of the Master Agreement and shall form an integral part thereof. Notwithstanding expiry of the term of the Master Agreement, it will remain in effect until, and will automatically expire upon, deletion of all personal data by Processor and/or any applicable sub-processors.