Data Processing Agreement
In accordance with Article 28 of the General Data Protection Regulation (GDPR) based on the EU Standard Contractual Clauses
Section I
Clause 1 “Purpose and Scope”
(a) These standard contractual clauses (‘the Clauses’) are intended to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(b) The controllers and processors listed in Annex I have agreed to these clauses in order to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
c) These clauses apply to the processing of personal data as set out in Annex II.
d) Annexes I to IV are an integral part of the clauses.
e) These clauses are without prejudice to the obligations to which the Controller is subject under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
(f) These clauses do not in themselves ensure compliance with the obligations related to international data transfers under Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
Clause 2 “Immutability of the Clauses”
a) The parties undertake not to amend the clauses, except to supplement or update the information set out in the annexes.
(b) This does not prevent the parties from including the standard contractual clauses set out in those clauses in a more extensive contract and from adding further clauses or additional safeguards, provided that they do not directly or indirectly contradict the clauses or restrict the fundamental rights or freedoms of the data subjects.
Clause 3 “Interpretation”
(a) Where those clauses use the terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, those terms shall have the same meanings as in that Regulation.
b) These clauses are to be interpreted in the light of the provisions of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725 respectively.
(c) those clauses shall not be interpreted in a way that is contrary to the rights and obligations provided for in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 or that undermines the fundamental rights or freedoms of data subjects;
Clause 4 “Precedence”
In the event of a conflict between these clauses and the provisions of any related agreements that exist between the parties or are subsequently entered into or concluded, these clauses shall prevail.
Clause 5 “Tying clause”
(a) An entity which is not a party to these Clauses may, with the consent of all parties, accede to these Clauses at any time as a controller or as a processor by completing the Annexes and signing Annex I.
(b) After completing and signing the annexes referred to in point (a), the acceding entity shall be treated as a party to these clauses and shall have the rights and obligations of a controller or a processor as designated in Annex I.
(c) The acceding entity shall not have any rights or obligations arising from these clauses for the period prior to its accession as a party.
Section II
Clause 6 “Description of Processing”
The details of the processing operations, in particular the categories of personal data and the purposes for which the personal data are processed on behalf of the controller, are set out in Annex II.
Clause 7 “Obligations of the Parties”
7.1. Instructions
a) The processor will only process personal data on documented instructions from the controller, unless it is required to process under Union law or under the law of a Member State to which it is subject. In such a case, the processor shall communicate these legal requirements to the controller prior to processing, unless the relevant law prohibits this on the grounds of an important public interest. The Controller may issue further instructions throughout the period of personal data processing. These instructions must always be documented.
(b) The processor shall inform the controller without undue delay if it considers that instructions given by the controller are in breach of Regulation (EU) 2016/679, Regulation (EU) 2018/1725 or applicable Union or Member State data protection legislation.
7.2. Earmarking
The Processor will only process the Personal Data for the specific purpose(s) set out in Annex II, unless it receives further instructions from the Controller.
7.3. Duration of personal data processing
The data will be processed by the Processor only for the period specified in Annex II.
7.4. Security of processing
a)
b)
7.5. Sensitive data
If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, or containing genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning a person’s health, sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter “Sensitive Data”), the Processor applies specific limitations and/or additional safeguards.
7.6. Documentation and compliance with clauses
a) The parties must be able to prove compliance with these clauses.
b) The Processor shall promptly and appropriately respond to requests from the Controller regarding the processing of data in accordance with these Clauses.
c)
d)
e) The parties shall provide the competent supervisory authority(ies) with the information referred to in this clause, including the results of audits, upon request.
7.7. Use of subcontractors
a)
(b)
c)
d)
(e) The Processor shall enter into a third-party beneficiary clause with the Sub-Processor, according to which, in the event that the Processor ceases to exist in fact or in law or is insolvent, the Controller shall have the right to terminate the Sub-Contracting Agreement and to instruct the Sub-Processor to delete or return the Personal Data.
7.8. International data transfers
(a) Any transfer of data by the processor to a third country or an international organisation shall be made solely on the basis of documented instructions from the controller or in order to comply with a specific provision under Union law or the law of a Member State to which the processor is subject, and shall comply with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
b) The Controller agrees that in cases where the Processor uses a Sub-Processor in accordance with Clause 7.7 for the performance of certain Processing Activities (on behalf of the Controller) and such Processing Activities involve a transfer of Personal Data within the meaning of Chapter V of Regulation (EU) 2016/679, the Processor and the Sub-Processor shall ensure compliance with Chapter V of the Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the application of those standard contractual clauses are met.
Clause 8 “Support of the controller”
a)
b) Taking into account the nature of the processing, the processor assists the controller in fulfilling its obligation to respond to data subjects’ requests to exercise their rights. In fulfilling its obligations under points (a) and (b), the processor shall comply with the instructions of the controller.
c) In addition to the Processor’s obligation to assist the Controller in accordance with Clause 8(b), the Processor shall also assist the Controller in complying with the following obligations, taking into account the nature of the data processing and the information available to it:
-
the obligation to carry out an assessment of the impact of the envisaged processing operations on the protection of personal data (hereinafter referred to as the “Data Protection Impact Assessment”) if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;
-
Obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment shows that the processing would result in a high risk, unless the controller takes measures to mitigate the risk;
-
the obligation to ensure that the personal data is accurate and up-to-date, by informing the controller without undue delay if it discovers that the personal data it processes is inaccurate or out of date;
-
obligations under Article 32 of Regulation (EU) 2016/679.
(d) The parties shall set out in Annex III the appropriate technical and organisational measures to assist the controller by the processor in the application of this clause, as well as the scope and scope of the assistance required.
Clause 9 “Notification of personal data breaches”
In the event of a personal data breach, the Processor shall cooperate with and provide appropriate assistance to the Controller in order to enable the Controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or, where applicable, Articles 34 and 35 of Regulation (EU) 2018/1725, taking into account the nature of the processing and the information available to it.
9.1. Breach of the protection of data processed by the controller
In the event of a personal data breach related to the data processed by the Controller, the Processor shall assist the Controller as follows:
a) when notifying the personal data breach to the competent supervisory authority(ies) without undue delay after the controller becomes aware of the breach, if relevant (unless the personal data breach is not likely to result in a risk to the personal rights and freedoms of natural persons);
(b) when obtaining the following information to be provided in the controller’s notification in accordance with Article 33(3) of Regulation (EU) 2016/679, which information shall include at least:
-
the type of personal data, where possible, with an indication of the categories and the approximate number of data subjects, as well as the categories and approximate number of personal data sets;
-
the likely consequences of the personal data breach;
-
the measures taken or proposed by the Controller to remedy the personal data breach and, where applicable, measures to mitigate their possible adverse effects.
If and to the extent that not all such information can be provided at the same time, the original notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay;
(c) when complying with the obligation under Article 34 of Regulation (EU) 2016/679 to notify the data subject without undue delay of the personal data breach, where such breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2. Breach of the protection of data processed by the processor
In the event of a personal data breach related to the data processed by the Processor, the Processor shall report it to the Controller without undue delay after becoming aware of the breach. This notification must contain at least the following information:
(a) a description of the nature of the breach (indicating, if possible, the categories and the approximate number of persons concerned and the approximate number of data sets concerned);
b) contact details of a contact point from which further information about the personal data breach can be obtained;
c) the likely consequences and the measures taken or proposed to remedy the personal data breach, including measures to mitigate their possible adverse effects.
If and to the extent that all such information cannot be provided at the same time, the original notification will contain the information available at that time and further information will be provided thereafter without undue delay as it becomes available.
The Parties shall specify in Annex III any other information that the processor is required to provide in order to assist the controller in fulfilling its obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
Section III
Clause 10 “Breach of the Clauses and Termination of the Agreement”
a)
b) The Controller shall be entitled to terminate the Agreement insofar as it concerns the processing of personal data pursuant to these Clauses if:
- the controller has suspended the processing of personal data by the processor in accordance with point (a) and compliance with these clauses has not been restored within a reasonable period of time, and in any event within one month of the suspension;
- the processor is in material or persistent breach of these Clauses or fails to comply with its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
- the processor fails to comply with a binding decision of a competent court or supervisory authority(ies) concerning its obligations under these Clauses, Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
c) The Processor shall be entitled to terminate the Agreement to the extent that it concerns the processing of personal data pursuant to these Clauses, if the Controller insists on complying with its instructions after being informed by the Processor that its instructions violate applicable legal requirements pursuant to Clause 7.1(b).
(d)
Annex I
“List of parties”
Controller(s):
The controller is the customer within the meaning of the General Terms and Conditions (GTC) of Perseus Technologies GmbH, who has commissioned Perseus Technologies GmbH with the service(s) (i.e. “booked” such within the meaning of the GTC) that (if applicable) also includes order processing. The name, address and contact details of the customer and thus of the person responsible(s) are part of his booking and thus of the contract that is concluded between the customer and Perseus Technologies GmbH for the services in question as a result of the booking.
If, in addition to the customer itself, other users within the meaning of the general terms and conditions of Perseus Technologies GmbH are also allowed to obtain services that include order processing, these clauses shall also apply to these users if they are specifically named as entitled recipients in the customer’s booking in question, whereby the customer (within the meaning of clause 5 – coupling clause) declares his consent to their accession to these clauses as controllers.
Processors:
Name: Perseus Technologies GmbH
Address: Hagelberger Straße 53-54, 10965 Berlin
Annex II
Description of the processing
The description of the data processing is only applicable to the contractual relationship to the extent that the said service has also been commissioned and is used.
Personal data is processed for the duration of the services booked in each case, in accordance with the Terms and Conditions; once this period has ended, the data will be deleted or returned in accordance with statutory retention obligations and the contractual agreements.
I. Perseus Cyber Security Services (PCSS) incl. sending of simulated phishing emails
A) DATA SUBJECTS
–> Data subjects are employees of the client.
B) CATEGORIES OF PERSONAL DATA
–> The following system and application data (partly personal) is processed:
- Name
- E-mail address
- Company
- Participation status and results of the online trainings
- Course progress and learning behavior of the online trainings
- Results of phishing checks
- File information
- Network information
- Account Information
- Device Identity
C) PURPOSE OF DATA PROCESSING
–> The data will be processed for the following purposes:
- Establishing, maintaining and improving cybersecurity and data protection compliance with customers and beneficiaries
- Technical and organisational data protection (data security) and cyber security (information security) to maintain confidentiality, availability and integrity of information and personal data
- Implementation and evaluation of online training courses
- Analysis of employee sensitivity
- Raising awareness among employees
II. Incident Response Management (IRM)
A) DATA SUBJECTS
–> Data subjects may regularly be employees of the customers and authorized recipients, the employees of their customers and suppliers and other natural persons whose personal data are processed by the customers and authorized recipients and who are processed in the context of the provision of services by PERSEUS or to whom PERSEUS has access on occasion of the provision of the service (e.g. customers of the customer or their employees, suppliers of the client or their employees, other natural persons).
B) CATEGORIES OF PERSONAL DATA
–> In the case of incident management, there is potential access to all (personal) data contained in the Client’s data records that must be accessed by the Contractor and its subcontractors as part of incident management. These can be:
- all personal connection and content data (master and transaction data) that are processed in the compromised systems of the customer or authorized recipient exist potential access
- All personal data that is transferred to PERSEUS systems for analysis or forensic preservation of evidence
C) PURPOSE OF DATA PROCESSING
–> There is no targeted access to this data, but access may occasionally take place in the context of the provision of services.
The data will be processed for the following purposes:
- Establishing, maintaining and improving cybersecurity and data protection compliance with customers and beneficiaries
- Technical and organizational data protection (data security) and cybersecurity (information security) to maintain confidentiality, availability and integrity of information and personal data
- Analysis and reconstruction of security incidents
- Issuing recommendations for action
- Restore systems, applications, information, and data
- Documentation of security incidents
- Forensic preservation of evidence
- Continuous improvement (“PDCA cycle”)Detection of malware in emails and related attacks and threats
III. Perseus individual phishing campaigns:
A) DATA SUBJECTS
–> Data subjects are employees of the client.
B) CATEGORIES OF PERSONAL DATA
–> The following system and application data (partly personal) is processed:
- Name
- E-mail address
- Company
- Results of phishing checks
C) PURPOSE OF DATA PROCESSING
–> The data will be processed for the following purposes:
- Establishing, maintaining and improving cybersecurity and data protection compliance with customers and beneficiaries
- Analysis of employee sensitivity
- Raising awareness among employees
Annex III
The annex “Technical and organisational measures, including to ensure the security of data” is available here .
As of: June 2026
Annex IV
The annex “List of sub-processors” is available here .