[Please be advised that the English version is a preliminary translation]
Data Processing Agreement
According to Art. 28 (3) General Data Protection Regulation (GDPR)
NAME ANSCHRIFT · PLZ ORT · E-Mail E-MAIL
– Data Controller (hereinafter referred to as “principal”) –
Platform „votesUP!“, represented by Tim Schrock
Postbox 18 01 03 · DE-10205 Berlin · E-Mail firstname.lastname@example.org
– Data Processor (hereinafter referred to as “contractor”) –
– together hereinafter referred to as “Parties” –
the following agreement is concluded:
1. Subject matter and duration of the agreement
1.1 The subject of the contract is data processing within the scope of the platform « votesUP! (votesup.eu) » operated by the contractor. The agreement refers specifically to the event with the ID « EVENT-ID », created on ERSTELLDATUM.
1.2 The contract is concluded for an indefinite period.
1.3 It ends by
- a manual deletion of the event, initiated by the principal; or
- the automatic deletion of the event and its contents after 90 days of inactivity; or
- a cancellation by one of the parties with a notice period of one week; in such case, the contractor is obliged to delete all processed data immediately at the termination date.
2. Nature, scope and purpose of data processing
2.1 Purpose of data processing
The principal uses the services offered by votesup.eu in order to organise an event with the title »TITEL DER VERANSTALTUNG« and the before-mentioned event id, especially to
- conduct open or secret votes on an ad hoc basis
- keep lists of speakers
Within this context the contractor processes personal data also to secure account access (authentication, user verification, password reset).
2.2 The following personal data shall be processed
Nature of the personal data
- Reference and traffic data (email addresses, names, IP addresses)
- Communication data (notifications, chat messages)
- Contents of votings
- Speakers' lists and event programme
Categories of affected persons
- Staff or organizational team of the principal
- Participants in the event conducted by the principal
2.3 The personal data to be processed fall predominantly into the risk levels “minor” to “manageable” according to the definition of protection levels by federal and state data protection authorities in Germany (DSK Briefing note Nr. 18): affected persons could be impaired in their social position (“reputation”). Technically, however, the votesUP system is always oriented towards the highest confidentiality requirements; the principal may adjust the concrete level of confidentiality required by configuring an event accordingly.
2.4 The technical implementation ensures that individual votes in ballots conducted as “secret” cannot be attributed to specific voters. This is true to both the principal and the contractor (as system operator). The prerequisite for this is at least two ballots cast in a vote.
2.5 The contractor processes personal data for the principal pursuant art. 4 (2) GDPR (processing with the aid of automated procedures) und Art. 28 GDPR (as data processor) within the framework of this agreement.
2.6 The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union.
3. Ensuring the technical and organisational measures
3.1 A level of security of the data processing appropriate to the risk to the rights and freedoms of the natural persons affected by the processing shall be ensured for the specific processing operation.To this end, on the one hand, at least the protection objectives of article 32 (1) of the GDPR, such as confidentiality, availability and integrity of the systems and services as well as their resilience in relation to the type, scope, circumstances and purpose of the processing operations, are taken into account in such a way that the risk is permanently contained by means of appropriate technical and organisational remedial measures (art. 28 (3) lit. C GDPR).
3.2 The technical and organisational measures are subject to technical progress and further development. This allows the contractor to implement alternative adequate measures. In doing so, the safety level of the defined measures must not be undercut. Significant changes shall be documented. On the other hand, the wording “measures […] including inter alia as appropriate” in art. 32 (1) GDPR makes it clear that the list made there is not exhaustive.
3.3 Prior to the transfer of personal data of the data subjects, the principal has verified that the technical and organisational measures (TOMs) established by the contractor ensure an adequate level of protection. Upon acceptance of the described TOMs, this annex shall become part of the agreement.
4. Rights and responsibilities as well as powers of instruction of the Data Controller (principal)
4.1 The Data Controller alone is responsible for assessing the permissibility of the processing in accordance with art. 6 (1) of the GDPR and for safeguarding the rights of the data subjects in accordance with articles 12 to 22 of the GDPR.
4.2 The Data Controller shall issue all orders, partial orders and instructions in writing or in a documented electronic format. Verbal instructions shall be confirmed immediately in writing or in a documented electronic format.
4.3 The Controller shall be entitled to satisfy themselves in a reasonable manner before the start of the processing and periodically thereafter of compliance with the technical and organisational measures taken at the contractor and the obligations set out in this agreement.
4.4 The principal shall inform the contractor without delay if errors or irregularities have been detected during an audit of the data processing.
4.5 The principal is obliged to keep all knowledge of business secrets and data security measures of the contractor, obtained within the framework of this contractual relationship, confidential. This obligation shall remain in force even after termination of this agreement.
5. Duties of the Data Processor (contractor)
5.1 The contractor processes personal data exclusively within the framework of this agreement and according to the instructions of the principal, unless otherwise obliged by the law of the European Union or of the Member States to which the contractor is subject to (e.g. investigations by law enforcement or state protection authorities); in such a case, the contractor shall notify the principal of the legal requirements prior to the additional processing, unless the law in question prohibits such notification due to an important public interest (Art. 28(3) sentence 2 lit. a GDPR).
5.2 The contractor shall not use the personal data provided for processing for any other purposes, in particular not for their own purposes. Copies or duplicates of the personal data will not be made without the knowledge of the Data Controller.
5.3. The contractor shall ensure that all agreed measures in the area of the processing of personal data are carried out in accordance with this agreement. Compliance with the measures shall be ensured by regular inspections. The result of the checks shall be documented.
5.4 The contractor shall cooperate to the necessary extent in the fulfilment of the rights of the data subjects pursuant to art. 12 to 22 of the GDPR by the Controller, in the creation of directories of processing activities as well as in necessary data protection impact assessments of the Controller and support the Controller appropriately as far as possible (art. 28 (3) sentence 2 lit. e and f of the GDPR).
5.5. If the Data Processor thinks that an instruction issued by the Data Controller violates legal regulations (art. 28 (3) sentence 3 GDPR), the contractor shall immediately draw the attention of the principial to such fact. The contractor is entitled to suspend the implementation of the corresponding instruction until it is confirmed or changed after review..
5.6 The contractor shall correct, delete or restrict the processing of personal data from the contractual relationship if the Controller requests this by means of an instruction, as long as the legitimate interests of the Processor do not conflict with this. Irrespective of this, the contractor shall correct, delete or restrict the processing of personal data from the contractual relationship if the instruction of the principal is based on a legitimate claim of a data subject under articles 16, 17 and 18 of the GDPR.
5.7 The contractor undertakes to maintain confidentiality when processing the personal data of the data controller in accordance with the contract. This obligation shall continue to exist even after termination of the agreement. The contractor may only provide information about personal data from the contractual relationship to third parties or the data subject after prior instruction or consent by the data controller.
5.8 The contractor warrants that the team members involved have been familiarised with the provisions of applicable data protection regulations before commencing their work. All team members are obliged to maintain confidentiality in an appropriate manner both during and after the end of their involvement (Art. 28 Abs. 3 Satz 2 lit. b und Art. 29 GDPR).
5.9 The contractor has mandated Tim Schrock as data protection officer, contact email@example.com as well by regular mail to the above-mentioned postal address.
5.10 The contractor agrees that the Data Controller is generally entitled, with prior appointment, to monitor compliance with the provisions on data protection and data security as well as the contractual agreements to a reasonable and necessary extent themselves or through third parties commissioned by the Controller (art. 28 (3) sentence 2 lit. h GDPR). The contractor assures to assist in these controls as far as necessary.
5.11 The contractor shall notify the principal, without undue delay, of any disruptions or breaches in the data processing as well as in the event of breaches of data protection regulations or the stipulations made in the commission as well as any suspected data protection breaches or irregularities in the processing of personal data. This also applies in particular with regard to any reporting and notification obligations of the controller pursuant to art. 33 and art. 34 of the GDPR. Notifications on behalf of the Controller may only be carried out by the contractor after prior instruction.
The commissioned subprocessor for the core server operation, located in the data centre in Nuremberg, is:
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Deutschland
Tel.: +49 9831 505-0, Fax: +49 9831 505-3, E-Mail: firstname.lastname@example.org
The provider is certified according to ISO 27001 (establishment, implementation, maintenance and continuous improvement of a documented information security management system).
Between votesUP and the provider a data processing agreement is in place. The technical and organisational measures of the provider pursuant to art. 28 GDPR can be retrieved at https://www.hetzner.com/AV/TOM.pdf.
7. Liability and damages
The contracting parties shall be liable in accordance with the relevant statutory provisions or vis-à-vis data subjects pursuant to art. 82 of the GDPR.
The contractor may charge an expense allowance for the cooperation and information duties agreed in this contract. The allowance is € 25.-- per 15 minutes or part thereof.
9. Final provisions
9.1 For ancillary agreements, the written form or a documented electronic format is required.
9.2 If the personal data of the principal to be processed at the contractor are endangered by measures of third parties (such as attachment or seizure), by insolvency or composition proceedings or by other events, the contractor shall notify the data controller without delay.
9.3 Should individual parts of this agreement be invalid, this shall not affect the validity of the rest of the agreement. The invalid provision shall be replaced by a valid provision that comes as close as possible to the intended agreement. This also applies to loopholes.
This agreement was created on 30.11.2022 by the Data Controller »ERSTELLER:IN« by means of the digital votesUP wizard for data processing agreements.
Technical and organisational measures in compliance with GDPR
Technical and organisational measures in compliance with GDPR
Art. 32 GDPR defines various areas of security for which appropriate technical and organisational measures (TOMs) are to be taken. The aim is to ensure an appropriate level of protection, taking into account the state of the art, the necessary effort and assessing risks. [↗ Legal text at EUR-LEX]
The following technical and organisational measures defined for votesUP are only part of the security scheme: the basic server operation is ensured by the provider Hetzner as a subprocessor. The TOMs of the provider can be retrieved from ↗ www.hetzner.com/AV/TOM.pdf
Data protection is an ongoing task. The IT world continues to evolve. Organisational measures depend on the size of an accompanying team and are based on risk assessments. Therefore, we will constantly adapt the TOMs to current developments and also improve them on the basis of empirical values.
- Immediately after the delivery of content, the system shortens IP addresses and only stores them in a reduced manner in the log files.
- As little personal data as possible is requested and processed: votesUP offers the participation via anonymous tokens. Users can change their display name.
- All connections to votesUP are automatically transport-encrypted.
- Domain-validated TLS certificates (formerly known as “SSL certificates”) are used according to the current state of the art, which are renewed every 90 days at the latest. We use certificates from Mozilla's “Let's Encrypt” issuing authority for this purpose.
- Browser connections are only possible based on the newer TLS 1.2/1.3 standards. However, this means that outdated operating systems such as Windows XP, which can no longer be secured, are excluded from votesUP use.
- For a validation check of certificates, we use the improved Online Certificate Status Protocol (OCSP Stapling) so that the requesting browser can check the status of the provided encryption certificate. In addition, votesup.eu is equipped with a DNS resource record for “Certification Authority Authorization“ (CAA), which legitimizes only certain issuers of TLS encryption certificates.
3. Ensuring confidentiality
- Confidentiality is ensured by personal behaviour as well as automatic access restrictions. We rely on automated procedures as far as possible in order not to unnecessarily expand the discretion of users and thus expose them to unnecessary responsibility.
- The scopes of possible data access are defined by the assigned user roles and the restrictions on changing these roles.
- Data access is only possible via password-protected accounts. The password requirements differ according to the user's role of responsibility.
- Passwords are not stored directly, but only as check values (hash + salt).
- Additional access protection is ensured via the optional two-factor authentication.
- The data options for administrative access are tailored for the tasks that need to be supervised.
- votesUP's supporting team members are sensitised and trained on data protection requirements. They sign a confidentiality agreement.
- We make risk-based assessments of data processing with foresight. The severity of the potential damage of votesUP events falls predominantly into the “manageable” category according to the classification of the German federal and state data protection authorities (DSK briefing #18): the social status of the persons concerned could be affected (“reputation”). Despite possibly lower requirements in a certain situation, the votesUP system is always oriented towards the highest confidentiality needs.
- By means of mediated stapling of the OCSP (as mentioned under 2.), the data protection problem with validation requests is averted: the votesUP server submits validation requests, so that the personal IP addresses of the actual users do not have to be passed on to certification authorities.
4. Ensuring integrity
- The processing and especially the storage of data records is carried out via several security layers (availability of the request → authorisation → plausibility).
- For the protection against manipulation, check mechanisms are integrated in certrain areas (especially voting): besides regular access to the database, they involve keys from the programme code as well as from configuration files. That combination reduces dangers in the event of a database attack and manipulation is immediately noticeable. The checksums are created using standardised hashing procedures.
- Session management uses increased standards for key lengths, bit depth, origin of requests and transmission.
- Error logging makes it easier to identify problems. Error logging is in place, which itself is also improved based on further development.
5. Ensuring availability
- votesUP is operated in a data centre of a reputable German provider, who is certified according to ISO 27001 (establishment, implementation, maintenance and continuous improvement of a documented information security management system).
- The constant monitoring and maintenance of our servers (operating system, web server, database server, e-mail server as well as supporting systems such as firewalls or attack detection) is ensured by trained technicians of the provider.
- Both the votesUP platform and the user-generated data (votes, etc.) are continuously stored on redundant storage devices. This ensures uninterrupted operation even if a hard disk fails.
- The systems are fully and automatically backed up once a day. These daily backups are stored for 14 days.
- New features are first evaluated in a test system before they are included in the productive system of votesUP.
- Major maintenance work and upgrades to the votesUP system take place during less frequented periods (0 a.m. - 6 a.m. Berlin time) and are announced in advance on the votesUP homepage if possible.
6. Ensuring the resilience of the systems
- A general resilience test of the system takes place at certain intervals (most recently after server migrations in December 2020 and in February 2021 as well as in September 2021).
- A continuous monitoring is in place for the load average of the server.
- Unusually increased access attempts or sources of misuse are blocked automatically if necessary. In the case of user-specific activity, those affected are informed about the limit being reached.
- Events are limited to a certain number of users by default. The limit is only increased upon request and specification of the time period.
- Organisers are requested to register their specific event periods in advance via the administration interface. The calendar of expected load is checked daily by the votesUP team.
- System settings can be adjusted on an ad hoc basis to reduce the load per user. This applies in particular to the frequency of status requests (chat, session, new votes, requests to speak).
- Resource-intensive database queries can be cached.
7. Procedures for restoring the availability of personal data after a physical or technical incident
- Every night a backup of the entire system is created. The data can be restored for 14 days.
- The creation and management of these backups is automated. We check these mechanisms at different intervals to ensure that they are functioning properly.
- The programme code is versioned, i.e. changes can be reversed in the event of problems.
- For the evaluation of programme code, a second system is permanently available and a third one on an ad hoc basis.
8. Procedures for regular review, assessment and evaluation of the effectiveness of technical and organisational measures
- As part of the ongoing development, the functionality and security of votesUP is constantly reviewed and analysed.
- External tools like the Mozilla Observatory (observatory.mozilla.org/analyze/votesup.eu), the SSLlabs (www.ssllabs.com/ssltest/analyze.html?d=votesup.eu), the Geekflare Content-Security-Policy Test (geekflare.com/tools/csp-test) and the MX-Tools for checking the security of mail servers (mxtoolbox.com/SuperTool.aspx?action=mx%3avotesup.eu) make their test reports publicly available for inspection at any time.
- The publicly available documentation of changes (votesup.eu/news) is supplemented by a more detailed, internal development changelog.
Last TOM update (translation from German language): 21/11/2022