Data Processing Agreement

This Data Processing Agreement is an appendix to the Terms of Service regarding the delivery of uHost’s services and products. This page can be found on (hereinafter referred to as: the Main Agreement) between the Customer (hereinafter referred to as: Controller) and uHost (hereinafter referred to as: Processor).

This Data Processing Agreement was last modified on 18-05-2018.

Article 1. Purposes of Processing

1.1. Processor may only process personal data in accordance with the instructions of Controller within the conditions of this agreement.
Processing will only take place within the framework of the Main Agreement, namely for the storage of data from Controller in the 'cloud' and associated online services, hosting of websites and servers, plus the purposes that are reasonably related thereto or that are determined with further consent.

1.2. The personal data processed by Processor in the context of the activities referred to in the previous paragraph and the categories of the data subjects from whom they originate are included in Appendix 1. Processor will not process the personal data for any purpose other than as described by Controller. Controller will inform Processor of the processing objectives if these have not already been mentioned in this Data Processing Agreement.

1.3. The personal data processed on behalf of Controller remain the property of Controller and/or the relevant parties involved.

Article 2. Obligations of Processor

2.1. With regard to the processing operations referred to in Article 1, Processor will ensure compliance with applicable laws and regulations, containing rules on the protection of personal data such as the Personal Data Protection Act.

2.2. Processor will inform Controller, upon Controller's first request, of the measures taken in regard to its obligations under this Data Processor Agreement.

2.3. The obligations of Processor arising from this Data Processing Agreement also apply to those processing the personal data on the authority of the Processor, including but not limited to employees, in the broadest sense of the word.

2.4. Processor will immediately inform Controller if, in its opinion, an instruction of the Controller is in conflict with the legislation referred to in paragraph 1.
Processor will, if possible, provide reasonable assistance to Controller for performing data protection impact assessments (PIAs).

Article 3. Transfer of Personal Data

3.1. Processor can process personal data in countries within the European Union. Transfers to countries outside of the European Union are not permitted, unless the Controller gives permission to do otherwise.

3.2. Processor will report to Controller which country or countries it may concern.

Article 4. Division of Responsibility

4.1. The authorised processing operations will be performed by employees of Processor within an automated environment.

4.2. Processor is merely responsible for the processing of the personal data included in this Processing Agreement, in accordance with the instructions of Controller and under the express (final) responsibility of Controller. Processor is expressly not responsible for other processing of personal data, including, but not limited to, the collection of personal data by Controller, processing for purposes not reported to Processor by Controller, processing by third parties and/or for other purposes.

4.3. Controller guarantees that content, use and instructions for processing of the personal data as referred to in this Data Processing Agreement are not illegal and do not infringe any right of third parties.

Article 5. Engaging Third Parties or Subcontractors

5.1. Processor may use third parties in the context of this Data Processing Agreement and will supply a list of third parties (sub-processors) to Controller upon request. Processor may object if the use of a specific reported third party is unacceptable.

5.2. Processor will, in any case, ensure that these third parties take on, in writing, at least the same obligations as agreed upon between Controller and Processor.

5.3. Processor guarantees correct compliance with the obligations in this Processing Agreement by third parties and is responsible for all damages caused by these third parties as if it had caused the damage(s) itself.

Article 6. Security

6.1. Processor will endeavour to undertake sufficient technical and organisational measures with regard to the processing of personal data against loss or any form of unlawful processing (such as unauthorised access, impairment, alteration or provision of the personal data).

6.2. Processor does not guarantee that the security is effective under all circumstances. If an explicitly defined security measure is not included in the Processing Agreement, Processor will endeavour to provide security of a level that is, given the state of the technology, the sensitivity of the personal data and the cost of the security, not unreasonable.

6.3. Controller will only make personal data available to Processor for processing, if it has ensured that the required security measures have been taken. Controller is responsible for compliance with the measures agreed upon by Parties.

Article 7. Report

7.1. Controller is responsible for reporting a security and/or data leak (meaning: a breach in the security of personal data that leads to a chance for negative consequences, or has negative consequences for the protection of personal data) to the supervisor and/or parties involved at all times. To enable Controller to comply with this statutory obligation, Processor will inform Controller of the security and/or data leak within 48 hours of finding out about the leak.

7.2. Every incident must be reported, but only if the event actually occurred.

7.3. The reporting obligation includes the notification of leaks. It also includes:

  • The nature of the breach in relation to personal data, where possible with reference to the categories of the affected parties and personal data registers in question and, by approximation, the number of affected parties and personal data registers in question;
  • The name and contact details of the data protection officer or another contact point where more information can be obtained;
  • The likely impact of the breach in relation to personal data;
  • The measures that Processor proposed or took to handle the breach in relation to personal data, including, where appropriate, the measures to mitigate any adverse effects.

Article 8. Handling Requests from Data Subjects

8.1. In case a data subject submits a request to exercise his/her legal rights to Processor, Processor will forward the request to Controller, who will handle the request from there. Processor may inform the data subject of this.

Article 9. Confidentiality and Privacy

9.1. All personal data that Processor receives from Controller and/or collects in the framework of this Processing Agreement is subject to a confidentiality obligation towards third parties. Processor will not use this information for any purpose other than that for which it was obtained, even if it is in such form that it cannot be traced back to the parties involved.

9.2. This confidentiality obligation is not applicable if the Controller has given express permission to provide the information to third parties, if the provision of the information to third parties is logically necessary considering the given assignment and the execution of this Processing Agreement, or if there is a legal obligation to provide the information to a third party.

Article 10. Audit

10.1. Processor hereby gives Controller the right to have an independent third party who is bound to confidentiality perform an audit in order to check compliance with the provisions in this Data Processing Agreement or Processor shall provide Controller with a third party account notification that proves that Processor is acting in compliance with the provisions in this Data Processing Agreement.

10.2. This audit may be performed in case of a concrete suspicion of abuse of personal data.

10.3. Processor will cooperate with the audit and will make all reasonably relevant information, including supporting data such as system logs, and employees available as quickly as possible.

10.4. The findings resulting from the performed audit will be assessed by Processor and may be implemented by Processor, at the discretion of Processor and in the manner that Processor sees most fit.

10.5. The cost of an audit will always be for Controller.

Article 11. Liability

11.1. The liability of Processor for damage as a result of an attributable shortcoming in the fulfilment of the Processing Agreement, in tort or otherwise, is limited per event (a series of consecutive incidents will be considered one event) to the compensation of direct damages, up to the amount of payment received by Processor from Controller for activities under the Processing Agreement in the month prior to the event that caused the damage. The liability of the Parties for direct damage will in total never exceed € 5,000.00.

11.2. Direct damage is exclusively understood to mean all damages consisting of:

  • Damage caused directly to property (“property damage”);
  • Reasonable and demonstrable costs to urge Processor to properly comply with the Data Processing Agreement;
  • Reasonable costs to determine the cause and extent of the damage insofar that it relates to the direct damage as referred to here;
  • Reasonable and demonstrable costs that Controller made to prevent or limit the direct damage as referred to in this article.

11.3. The liability of Processor for indirect damage is excluded. Indirect damage is understood to mean all damage that is not direct damage, including, but not limited to, consequential losses, lost profit, missed savings, reduced goodwill, loss due to business stagnation, damage due to non-determination of marketing objectives, damage related to the use of data or data files prescribed by Controller, or loss, mutilation or destruction of data or data files.

11.4. The exclusions and limitation referred to in this article will be cancelled if and in so far as the loss sustained is the result of intent or deliberate recklessness on the part of the management of Processor.

11.5. Unless compliance by Processor becomes permanently impossible, the liability of Processor due to an imputable shortcoming in the fulfilment of the Agreement arises only if Controller immediately informs the Processor in writing of the shortcoming, where a reasonable period for the rectification of the shortcoming is determined, and Processor remains in attributable default in the fulfilment of its obligations after the set period. The notice of default must contain a complete and detailed description, insofar as that is possible, of the shortcoming, so that Processor is given the opportunity to respond adequately.

11.6. Any claim for compensation by Controller against Processor that has not been specified and explicitly reported shall expire twelve (12) months after the claim arose.

Article 12. Duration and Termination

12.1. The Processor Agreement is an attachment to uHost's Terms of Service. This Processor Agreement becomes effective when the customer agrees to the General Terms of Service during the ordering process. In addition, this Data Processing Agreement is concluded by the signing of both Parties and starts on the date of the last signature.

12.2. This Data Processing Agreement has been entered into for the duration as determined in the main agreement between Parties and, in the absence thereof, at least for the duration of the cooperation.

12.3. As soon as the Processing Agreement has been terminated, for whatever reason and in whatever way, Processor will – by choice of Controller – return all original personal data and its copies to Controller, and/or delete and/or destroy all this personal data and possible copies.

12.4. This Data Processor Agreement may be modified in the same way as the Main Agreement.

Appendix 1: Specification of personal data and data subjects

Personal data

In the context of the Agreement, Processor will process the following (special) personal data on behalf of Controller:

  • Personal details
  • Phone number
  • Email address
  • Visitor Behaviour
  • IP address
  • Financial details

Categories of data subjects

  • Customers
  • Website visitors

Controller guarantees that the personal data, categories of data subjects and processing purposes described in this Appendix 1 are complete and correct and indemnifies Processor for any defects and claims that result from an incorrect representation by Controller.