Data Processing Agreement

In accordance with Article 28 of the General Data Protection Regulation (GDPR) based on the EU Standard Contractual Clauses

Section I

Clause 1 "Purpose and Scope"

(a) These standard contractual clauses (‘the Clauses’) are intended to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(b) The controllers and processors listed in Annex I have agreed to these clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.

(c) These clauses apply to the processing of personal data as set out in Annex II.

(d) Annexes I to IV are an integral part of the clauses.

(e) These clauses are without prejudice to the obligations to which the Controller is subject under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

(f) These clauses do not in themselves ensure compliance with the obligations related to international data transfers under Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

Clause 2 "Immutability of the Clauses"

(a) The Parties undertake not to amend the Clauses except to supplement or update the information provided in the Annexes.

(b) This does not prevent the parties from including the standard contractual clauses set out in these Clauses in a more extensive contract and from adding further clauses or additional safeguards, provided that they do not directly or indirectly contradict the Clauses or restrict the fundamental rights or freedoms of the data subjects.

Clause 3 "Interpretation"

(a) Where these clauses use terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, those terms shall have the same meaning as in the respective Regulation.

(b) These clauses are to be interpreted in the light of the provisions of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 respectively.

(c) These clauses shall not be interpreted in a way that is contrary to the rights and obligations provided for in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 or that undermines the fundamental rights or freedoms of data subjects.

Clause 4 "Precedence"

In the event of a conflict between these clauses and the provisions of any related agreements that exist between the parties or are subsequently entered into or concluded, these clauses shall prevail.

Clause 5 "Tying clause"

(a) An entity which is not a party to these Clauses may, with the consent of all parties, accede to these Clauses at any time as a controller or as a processor by completing the Annexes and signing Annex I.

(b) After completing and signing the annexes referred to in point (a), the acceding entity shall be treated as a party to these clauses and shall have the rights and obligations of a controller or a processor as designated in Annex I.

(c) The acceding entity shall not have any rights or obligations arising from these clauses for the period prior to its accession as a party.

Section II

Clause 6 "Description of Processing"

The details of the processing operations, in particular the categories of personal data and the purposes for which the personal data are processed on behalf of the controller, are set out in Annex II.

Clause 7 "Obligations of the Parties"

7.1. Instructions

(a) The processor shall only process personal data on documented instructions from the controller, unless required to do so by Union law or by the law of a Member State to which it is subject. In such a case, the processor shall communicate these legal requirements to the controller prior to processing, unless the relevant law prohibits this on grounds of an important public interest. The Controller may issue further instructions throughout the period of personal data processing. These instructions must always be documented.

(b) The processor shall inform the controller without undue delay if it considers that instructions given by the controller are in breach of Regulation (EU) 2016/679, Regulation (EU) 2018/1725 or applicable Union or Member State data protection legislation.

7.2. Purpose limitation

The Processor will only process the Personal Data for the specific purpose(s) set out in Annex II, unless it receives further instructions from the Controller.

7.3. Duration of personal data processing

The data will be processed by the Processor only for the period specified in Annex II.

7.4. Security of processing

(a) The processor shall take at least the technical and organisational measures listed in Annex III to ensure the security of the personal data. This includes protecting the data from a security breach that leads to the accidental or unlawful destruction, loss, alteration or unauthorised disclosure of, or access to, the data (hereinafter “Personal Data Breach”). In assessing the adequate level of protection, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, circumstances and purposes of the processing, as well as the risks for the data subjects.

(b) The Processor shall grant its staff access to the personal data that are the subject of the processing only to the extent strictly necessary for the performance, management and monitoring of the Agreement. The Processor guarantees that the persons authorised to process the personal data received have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality.

7.5. Sensitive data

If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or containing genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “Sensitive Data”), the Processor applies specific limitations and/or additional safeguards.

7.6. Documentation and compliance with clauses

(a) The parties must be able to demonstrate compliance with these clauses.

(b) The Processor shall promptly and appropriately respond to requests from the Controller regarding the processing of data in accordance with these Clauses.

(c) The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set out in these Clauses and deriving directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the request of the Controller, the Processor shall also allow and contribute to audits of the processing activities covered by these Clauses at appropriate intervals or where there are indications of non-compliance. When deciding on a review or audit, the controller may take into account relevant certifications of the processor.

(d) The controller may carry out the audit itself or commission an independent auditor. The audits may also include inspections at the Processor’s premises or physical facilities and, where appropriate, shall be carried out with reasonable notice.

(e) The parties shall provide the competent supervisory authority(ies) with the information referred to in this clause, including the results of audits, upon request.

7.7. Use of subcontractors

(a) The processor has the general authorisation of the controller to engage sub-processors who are included in an agreed list. The Processor shall expressly notify the Controller in writing at least one month in advance of any intended changes to this list by adding or replacing Sub-Processors, thereby allowing the Controller sufficient time to object to such changes prior to the engagement of the relevant Sub-Processor(s). The processor shall provide the controller with the information necessary to enable the controller to exercise its right of objection.

(b) Where the Processor engages a Sub-Processor to carry out certain processing activities (on behalf of the Controller), such engagement shall be made by means of a contract which imposes on the Sub-Processor substantially the same data protection obligations as those applicable to the Processor under these Clauses. The Processor shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject under these Clauses and under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

(c) The Processor shall provide the Controller with a copy of such subcontracting agreement and any subsequent amendments at the Controller’s request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may redact the wording of the agreement prior to disclosing a copy.

(d) The Processor shall be fully liable to the Controller for the Sub-Processor’s compliance with its obligations under the contract concluded with the Processor. The Processor shall notify the Controller if the Sub-Processor fails to fulfil its contractual obligations.

(e) The Processor shall enter into a third-party beneficiary clause with the Sub-Processor, according to which, in the event that the Processor ceases to exist in fact or in law or is insolvent, the Controller shall have the right to terminate the Sub-Contracting Agreement and to instruct the Sub-Processor to delete or return the Personal Data.

7.8. International data transfers

(a) Any transfer of data by the processor to a third country or an international organisation shall be made solely on the basis of documented instructions from the controller or in order to comply with a specific provision under Union law or the law of a Member State to which the processor is subject, and shall comply with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.

(b) The Controller agrees that in cases where the Processor uses a Sub-Processor in accordance with Clause 7.7 for the performance of certain Processing Activities (on behalf of the Controller) and such Processing Activities involve a transfer of Personal Data within the meaning of Chapter V of Regulation (EU) 2016/679, the Processor and the Sub-Processor shall ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the application of those standard contractual clauses are met.

Clause 8 "Support of the controller"

(a) The processor shall immediately inform the controller of any request it has received from a data subject. It shall not respond to the request itself, unless it has been authorised to do so by the controller.

(b) Taking into account the nature of the processing, the processor shall assist the controller in fulfilling its obligation to respond to data subjects’ requests to exercise their rights. In fulfilling its obligations under points (a) and (b), the processor shall comply with the instructions of the controller.

(c) In addition to the Processor’s obligation to assist the Controller in accordance with Clause 8(b), the Processor shall also assist the Controller in complying with the following obligations, taking into account the nature of the data processing and the information available to it:

  1. the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (hereinafter referred to as the “Data Protection Impact Assessment”) if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;

  2. the obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment shows that the processing would result in a high risk, unless the controller takes measures to mitigate the risk;

  3. the obligation to ensure that the personal data is accurate and up-to-date, by informing the controller without undue delay if it discovers that the personal data it processes is inaccurate or out of date;

  4. obligations under Article 32 of Regulation (EU) 2016/679.

(d) The parties shall set out in Annex III the appropriate technical and organisational measures by which the processor is to assist the controller in the application of this clause, as well as the scope and extent of the assistance required.

Clause 9 "Notification of personal data breaches"

In the event of a personal data breach, the Processor shall cooperate with and provide appropriate assistance to the Controller in order to enable the Controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or, where applicable, Articles 34 and 35 of Regulation (EU) 2018/1725, taking into account the nature of the processing and the information available to it.

9.1. Breach of the protection of data processed by the controller

In the event of a personal data breach related to the data processed by the Controller, the Processor shall assist the Controller as follows:

(a) in notifying the personal data breach to the competent supervisory authority(ies) without undue delay after the controller becomes aware of it, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);

(b) in obtaining the following information to be provided in the controller’s notification in accordance with Article 33(3) of Regulation (EU) 2016/679, which shall include at least:

  1. the nature of the personal data breach, where possible, with an indication of the categories and approximate number of data subjects concerned, as well as the categories and approximate number of personal data records concerned;

  2. the likely consequences of the personal data breach;

  3. the measures taken or proposed by the Controller to remedy the personal data breach and, where applicable, measures to mitigate their possible adverse effects.

If and to the extent that not all such information can be provided at the same time, the original notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay;

(c) in complying with the obligation under Article 34 of Regulation (EU) 2016/679 to notify the data subject without undue delay of the personal data breach, where such breach is likely to result in a high risk to the rights and freedoms of natural persons.

9.2. Breach of the protection of data processed by the processor

In the event of a personal data breach related to the data processed by the Processor, the Processor shall report it to the Controller without undue delay after becoming aware of the breach. This notification must contain at least the following information:

(a) a description of the nature of the breach (indicating, if possible, the categories and the approximate number of persons concerned and the approximate number of data sets concerned);

(b) contact details of a contact point from which further information about the personal data breach can be obtained;

(c) the likely consequences and the measures taken or proposed to remedy the personal data breach, including measures to mitigate their possible adverse effects.

If and to the extent that all such information cannot be provided at the same time, the original notification will contain the information available at that time and further information will be provided thereafter without undue delay as it becomes available.

The Parties shall specify in Annex III any other information that the processor is required to provide in order to assist the controller in fulfilling its obligations under Articles 33 and 34 of Regulation (EU) 2016/679.

Section III

Clause 10 "Breach of the Clauses and Termination of the Agreement"

(a) In the event that the Processor fails to comply with its obligations under these Clauses, the Controller may, without prejudice to the provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, instruct the Processor to suspend the processing of Personal Data until it complies with these Clauses or the Agreement is terminated. The Processor shall inform the Controller without undue delay if, for whatever reason, it is unable to comply with these Clauses.

(b) The Controller shall be entitled to terminate the Agreement insofar as it concerns the processing of personal data pursuant to these Clauses if:

  1. the controller has suspended the processing of personal data by the processor in accordance with point (a) and compliance with these clauses has not been restored within a reasonable period of time, and in any event within one month of the suspension;
  2. the processor is in material or persistent breach of these Clauses or fails to comply with its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
  3. the processor fails to comply with a binding decision of a competent court or supervisory authority(ies) concerning its obligations under these Clauses, Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

(c) The Processor shall be entitled to terminate the Agreement to the extent that it concerns the processing of personal data pursuant to these Clauses if the Controller insists on the Processor complying with its instructions after having been informed by the Processor, pursuant to Clause 7.1(b), that those instructions violate applicable legal requirements.

(d) Upon termination of the Agreement, the Processor shall, at the Controller’s option, erase all personal data processed on behalf of the Controller and certify to the Controller that this has been done, or return all Personal Data to the Controller and delete existing copies, unless there is an obligation to retain the personal data under Union or Member State law. Until the data is deleted or returned, the processor will continue to ensure compliance with these clauses.

Annex I

"List of parties"

Controller(s):

The controller is the customer within the meaning of the General Terms and Conditions (GTC) of Perseus Technologies GmbH who has commissioned Perseus Technologies GmbH with the service(s) (i.e. “booked” them within the meaning of the GTC) that, where applicable, also include processing on behalf of the controller. The name, address and contact details of the customer, and thus of the controller(s), are part of its booking and therefore of the contract concluded between the customer and Perseus Technologies GmbH for the services in question as a result of the booking.

If, in addition to the customer itself, other users within the meaning of the GTC of Perseus Technologies GmbH are also permitted to obtain services that include processing on behalf of the controller, these clauses shall also apply to those users if they are specifically named as entitled recipients in the customer’s booking in question, whereby the customer (within the meaning of Clause 5, the tying clause) declares its consent to their accession to these clauses as controllers. These users are thus also controllers within the meaning of these clauses.

Processors:

Name: Perseus Technologies GmbH

Address: Hagelberger Straße 53-54, 10965 Berlin

Annex II

Description of the processing

The description of the data processing is only applicable to the contractual relationship to the extent that the said service has also been commissioned and is used.

I. Perseus Cyber Security Services (PCSS) incl. sending of simulated phishing emails

A) DATA SUBJECTS

–> Data subjects are employees of the client.

B) CATEGORIES OF PERSONAL DATA

–> The following system and application data (partly personal) is processed:

  • Name
  • E-mail address
  • Company
  • Participation status and results of the online trainings
  • Course progress and learning behavior of the online trainings
  • Results of phishing checks
  • File information
  • Network information
  • Account Information
  • Device Identity

C) PURPOSE OF DATA PROCESSING

–> The data will be processed for the following purposes:

  • Establishing, maintaining and improving cybersecurity and data protection compliance with customers and beneficiaries
  • Technical and organisational data protection (data security) and cyber security (information security) to maintain confidentiality, availability and integrity of information and personal data
  • Implementation and evaluation of online training courses
  • Analysis of employee sensitivity
  • Raising awareness among employees

II. Incident Response Management (IRM)

A) DATA SUBJECTS

–> Data subjects may regularly be employees of the customers and authorized recipients, the employees of their customers and suppliers and other natural persons whose personal data are processed by the customers and authorized recipients and who are processed in the context of the provision of services by PERSEUS or to whom PERSEUS has access on occasion of the provision of the service (e.g. customers of the customer or their employees, suppliers of the client or their employees, other natural persons).

B) CATEGORIES OF PERSONAL DATA

–> In the case of incident management, there is potential access to all (personal) data contained in the Client’s data records that must be accessed by the Contractor and its subcontractors as part of incident management. These can be:

  • all personal connection and content data (master and transaction data) processed in the compromised systems of the customer or authorized recipient, to which potential access exists
  • All personal data that is transferred to PERSEUS systems for analysis or forensic preservation of evidence

C) PURPOSE OF DATA PROCESSING

–> There is no targeted access to this data, but access may occasionally take place in the context of the provision of services.

The data will be processed for the following purposes:

  • Establishing, maintaining and improving cybersecurity and data protection compliance with customers and beneficiaries
  • Technical and organizational data protection (data security) and cybersecurity (information security) to maintain confidentiality, availability and integrity of information and personal data
  • Analysis and reconstruction of security incidents
  • Issuing recommendations for action
  • Restore systems, applications, information, and data
  • Documentation of security incidents
  • Forensic preservation of evidence
  • Continuous improvement (“PDCA cycle”)
  • Detection of malware in emails and related attacks and threats

III. Perseus individual phishing campaigns

A) DATA SUBJECTS

–> Data subjects are employees of the client.

B) CATEGORIES OF PERSONAL DATA

–> The following system and application data (partly personal) is processed:

  • Name
  • E-mail address
  • Company
  • Results of phishing checks

C) PURPOSE OF DATA PROCESSING

–> The data will be processed for the following purposes:

  • Establishing, maintaining and improving cybersecurity and data protection compliance with customers and beneficiaries
  • Analysis of employee sensitivity
  • Raising awareness among employees

Annex III

The annex “Technical and organisational measures, including to ensure the security of data” is available here.

Annex IV

The annex “List of sub-processors” is available here.

As of: June 2026