Data Processing Agreement

Data processing agreement pursuant to Art 28 et seq General Data Protection Regulation ("GDPR") concluded between:
the organisation that has accepted these General Terms and Conditions ("Controller")
and
Interactive Paper GmbH, Argentinierstraße 71/13, 1040 Vienna, Austria ("Processor")
(collectively the "Parties")

Subject matter of the processing

The Processor processes the personal data of the data subjects as referred to in Section 2 of Annex 1 on behalf of the Controller in the course of its activities pursuant to Section 1 of Annex 1 to this agreement.

Conditions for the processing of personal data

The Processor shall process the personal data on behalf of the Controller for as long as: (i) the processing is necessary for the performance of the activities set out in Section 1 of Annex 1, (ii) this agreement has not been terminated in accordance with Sections 5.2-5.4, or (iii) such order or part thereof has not been withdrawn by the Controller. Further conditions of processing, in particular the purpose, the type of personal data and categories of Data Subjects, are defined in Annex 1.

Rights and obligations of the Controller

The Controller is the controller within the meaning of Art 4(7) GDPR. The Controller has the right and obligation to decide on the purposes and means of the processing. The Controller is responsible for ensuring a sufficient legal basis for the processing of personal data which the Processor is instructed to perform.

Rights and obligations of the Processor

4.1 General - The Processor is a processor within the meaning of Art 4(8) GDPR and shall diligently comply with its obligations under applicable law, in particular the GDPR and the Austrian Data Protection Act (DSG). The Processor undertakes to maintain a register of processing activities as required by Art 30(2) GDPR.
4.2 Instructions - The Processor shall process personal data exclusively within the framework of the Controller's documented instructions. Subsequent instructions may be issued by the Controller throughout the duration of processing and shall be documented in writing (including electronically). Any transfer to a third country shall only occur on the basis of Controller instructions or applicable law, in compliance with the GDPR. The Processor shall immediately inform the Controller if it believes any instruction violates the GDPR. The Processor shall process personal data in accordance with the principle of data minimisation pursuant to Art 5(1)(c) GDPR and only to the extent necessary for the performance of the activities specified in this agreement; data shall be deleted or returned as soon as it is no longer required for the relevant task.
4.3 Confidentiality - The Processor shall grant access only on a need-to-know basis. All persons entrusted with data processing shall be bound by confidentiality obligations under Art 28(3)(b) GDPR and Section 6 DSG before commencing processing.
4.4 Security of processing - The Processor shall implement appropriate technical and organisational measures within the meaning of Art 32 GDPR, as described in Annex 2.
4.5 Sub-processors - The Controller grants general written authorisation pursuant to Art 28(2) GDPR to engage sub-processors as listed in Annex 3. The Processor shall notify the Controller at least 14 days in advance of any intended addition or replacement of a sub-processor. Sub-processors outside the EEA shall only be engaged where an EU adequacy decision applies or EU Standard Contractual Clauses (Commission Decision 2021/914, Module 2) are in place, along with any necessary supplementary measures.
4.6 Data subjects' rights - The Processor shall maintain measures enabling the Controller to comply with Art 13-21 GDPR within statutory timeframes. The Processor shall forward any data subject request to the Controller without delay and shall not respond independently unless explicitly instructed.
4.7 Data breaches - The Processor shall notify the Controller of any personal data breach without undue delay and within 48 hours of becoming aware. Notification shall include: (i) nature of the breach; (ii) categories and approximate number of data subjects and records affected; (iii) contact details; (iv) likely consequences; (v) measures taken or proposed. The Processor shall assist the Controller in meeting its Art 33 and 34 GDPR obligations. Where the Processor provides such assistance and is not at fault for the breach, it shall be entitled to reasonable remuneration based on agreed hourly rates.
4.8 Erasure and return of data - Upon termination, the Processor shall at the Controller's choice either return all personal data or securely and irreversibly delete it, providing written certification within 30 days.
4.9 Cooperation and assistance - The Processor shall cooperate with supervisory authorities and assist the Controller in relation to data protection impact assessments (Art 35 GDPR) and prior consultations (Art 36 GDPR). The Processor shall also comply with any requests or demands from the Data Protection Authority or other competent authorities directly, and shall adapt its internal processing operations accordingly. Where the Processor provides such assistance and is not at fault, it shall be entitled to reasonable remuneration based on agreed hourly rates.
4.10 Audit and inspection - The Controller may audit the Processor's data processing facilities upon reasonable prior notice. The Processor shall cooperate fully. Results shall be made available to the competent supervisory authority upon request.

Final provisions

5.1 This Agreement is governed by Austrian law. The courts of Vienna, Austria shall have exclusive jurisdiction.
5.2 This Agreement is effective upon the Controller's acceptance of the General Terms and Conditions of Interactive Paper GmbH (including via digital acceptance mechanisms such as a checkbox or click-through), or upon separate written execution by both Parties, whichever occurs first, and remains in force for the duration of the cooperation.
5.3 Amendments shall be made in writing (including electronically). The Processor may unilaterally update the Annexes due to changes in processing activities, law, or scope; such updates shall be notified to the Controller and deemed accepted unless the Controller objects within 14 days.
5.4 In case of contradiction, the provisions of this Agreement shall prevail with respect to the processing activities in Annex 1.
5.5 If the Processor fails to comply with its obligations under this Agreement, the Controller may instruct the Processor to suspend the processing of personal data until the Processor demonstrates full compliance with the terms of this Agreement. The Processor shall inform the Controller immediately if, for whatever reason, it is unable to comply with its obligations under this Agreement.
5.6 The Processor shall be entitled to terminate this Agreement without notice for cause if the Controller insists on the performance of instructions that the Processor has notified are in breach of applicable legal requirements. In any event, any personal data held by the Processor at the time of termination shall be returned to the Controller or securely deleted in accordance with clause 4.8.
5.7 Where the Parties have entered into a separately negotiated and signed Data Processing Agreement, that separately executed agreement shall take precedence over this click-through version in its entirety. The click-through acceptance of this DPA via the General Terms and Conditions serves as the legally binding minimum agreement and remains in effect unless and until superseded by a separately executed DPA.

Annexes forming an integral part of this Agreement:

Annex 1 - Further conditions of the processing
Annex 2 - Technical and Organisational Measures (TOMs)
Annex 3 - List of Sub-processors


ANNEX 1 - FURTHER CONDITIONS OF THE PROCESSING

Purposes of processing: (a) Creation, hosting and operation of interactive digital marketing campaigns via the letsinteract.com platform; (b) Operation of interactive web tools for campaign interaction and control; (c) Campaign analytics and reporting; (d) Delivery and postal dispatch of physical Interactive Paper materials to end users (where ordered); (e) SaaS platform account management for the Controller's authorised users.
Types of personal data processed:
Relating to end users of Campaigns (scope determined solely by the Controller):
  • Contact data (name, email, phone) where collected via campaign forms
  • Interaction data (clicks, responses, form submissions, scan events)
  • Technical and device data (IP address, browser type, operating system, device type)
  • Location data (country, region, city - derived from IP address)
  • Consent records and timestamps
Relating to the Controller's platform account holders:
  • Name, email address, job title
  • Hashed credentials or OAuth tokens
  • Account activity and audit logs
  • Billing reference data (full payment card data processed by Stripe; not stored by Processor)
Categories of data subjects:
  • End users of interactive campaigns created by the Controller
  • Authorised platform users (employees or contractors) of the Controller
Retention periods:
  • Campaign interaction data: duration of campaign plus 24 months, unless earlier deletion is requested
  • Account holder data: duration of contractual relationship plus applicable statutory retention obligations
  • On contract termination: all personal data deleted or returned within 30 days of written request with written confirmation
Processing location: European Economic Area (EEA) - primary infrastructure: Hetzner (Germany), DigitalOcean Frankfurt. For sub-processors outside the EEA, see Annex 3.


ANNEX 2 - TECHNICAL AND ORGANISATIONAL MEASURES

The Processor's current Technical and Organisational Measures are documented at: Technical and organisational measures
This document is incorporated by reference as Annex 2. The Processor shall notify the Controller of any material changes to the TOMs.


ANNEX 3 - LIST OF SUB-PROCESSORS

The Processor's current sub-processor list is available at: Subprocessors and Data Flow
This document is incorporated by reference as Annex 3. The Processor shall provide at least 14 days' prior notice of any changes to the sub-processor list.