(Agreement pursuant to Art. 28 GDPR)

This Data Processing Agreement (“Agreement”) is concluded between:

Controller:
Point of Difference e.V.

[Wollgrasstr 1a D-26802 Moormerland Germany]
Vereinsregister-Nr.: VR 201299, Amtsgericht Aurich
(“Controller”)

and

Processor:
[Name of service provider / partner]
[Legal form and address]
(“Processor”)

Together referred to as the “Parties”.


1. Subject Matter and Duration

This Agreement governs the processing of personal data by the Processor on behalf of the Controller in accordance with Art. 28 GDPR.

  • Subject matter: Processing of personal data necessary for the provision of agreed services
  • Duration: For the term of the underlying service agreement, unless otherwise terminated

After termination, obligations under this Agreement continue as required by law.


2. Nature and Purpose of Processing

The Processor processes personal data solely for the following purposes:

  • Provision of agreed services to Point of Difference
  • Administrative, operational, and technical support
  • Hosting, communication, IT, or project-related support (as applicable)

Processing for any other purpose is prohibited.


3. Types of Personal Data

Depending on services, processing may include the following data categories:

  • Identification data (name, address, contact details)
  • Administrative and communication data
  • Program- or project-related data
  • Volunteer, donor, or participant data
  • Technical data (log files, access data)

Special categories of data (Art. 9 GDPR) shall only be processed if explicitly agreed and legally permissible.


4. Categories of Data Subjects

Personal data may relate to:

  • Employees and volunteers
  • Beneficiaries and participants
  • Donors and supporters
  • Partners and service providers
  • Website or platform users

5. Obligations of the Controller

The Controller shall:

  • Ensure lawfulness of data processing
  • Provide documented instructions to the Processor
  • Inform the Processor promptly of changes affecting processing
  • Fulfill obligations towards data subjects under GDPR

6. Obligations of the Processor

The Processor shall:

  • Process data only on documented instructions from the Controller
  • Ensure confidentiality of persons authorized to process data
  • Implement appropriate technical and organizational measures (TOMs) under Art. 32 GDPR
  • Assist the Controller in fulfilling data subject rights
  • Assist with data protection impact assessments where applicable
  • Notify the Controller immediately of any data protection breach

7. Technical and Organizational Measures (TOMs)

The Processor shall implement appropriate measures, including but not limited to:

  • Access controls and authentication
  • Data encryption and secure transmission
  • Backup and recovery procedures
  • Data minimization and separation of systems
  • Regular security testing and staff training

Details may be specified in Annex 1.


8. Sub-Processors

Use of sub-processors requires:

  • Prior written authorization by the Controller (general or specific)
  • Binding sub-processing agreements meeting Art. 28 GDPR requirements

The Processor remains fully liable for the actions of sub-processors.


9. Data Subject Rights

The Processor shall assist the Controller, where feasible, in responding to requests relating to:

  • Access (Art. 15 GDPR)
  • Rectification (Art. 16 GDPR)
  • Erasure (Art. 17 GDPR)
  • Restriction (Art. 18 GDPR)
  • Data portability (Art. 20 GDPR)
  • Objection (Art. 21 GDPR)

The Processor may not respond directly unless authorized.


10. Data Breaches

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach and provide all relevant information required by Art. 33 GDPR.


11. Audits and Inspections

The Controller may verify compliance with this Agreement by:

  • Requesting audits or reports
  • Conducting inspections, with reasonable notice

The Processor shall cooperate reasonably.


12. Data Transfer to Third Countries

Transfer of personal data to third countries or international organizations is permitted only if:

  • Explicitly instructed by the Controller
  • GDPR requirements (Arts. 44–49) are met
  • Appropriate safeguards (e.g. SCCs) are in place

13. Return or Deletion of Data

Upon termination of services, the Processor shall, at the Controller’s choice:

  • Delete all personal data, or
  • Return all personal data and delete remaining copies,

unless statutory retention obligations apply.


14. Liability

Liability between the Parties is governed by:

  • Art. 82 GDPR
  • Applicable German law (BGB)
  • Underlying service or framework agreement

15. Termination

The Controller may terminate this Agreement without notice if the Processor seriously breaches data protection obligations.


16. Final Provisions

  • This Agreement is governed by German law
  • Place of jurisdiction: registered seat of the Controller, insofar as legally permissible
  • Amendments require written form
  • If any provision is invalid, remaining provisions remain unaffected

17. Signatures

For the Controller
Point of Difference
Name:
Title:
Date:
Signature:

For the Processor
Name:
Title:
Date:
Signature:
