Saal Digital Fotoservice GmbH

Zeppelinstraße 36, 91187 Röttenbach

1 Contract Data
2 Review & Submit

Data Processing Agreement


Controller Contact Details
Please select
Austria
Belgium
Bulgaria
Croatia
Cyprus
Czech Republic
Denmark
Estonia
Finland
France
Germany
Greece
Hungary
Iceland
Ireland
Italy
Lativa
Liechtenstein
Lithuania
Luxembourg
Malta
Netherland
Norway
Poland
Portugal
Romania
Slovakia
Slovenia
Spain
Sweden
Switzerland
Contract Text

Agreement on commissioned data processing within the meaning of Art. 28 para. 3 General Data Protection Regulation (GDPR).



Between the data controller:
[[Firma]]
[[Name]]
[[Strasse]] [[Strasse2]]
[[PLZ]] [[Ort]]
– Client –

and the data processor:
Saal Digital Fotoservice GmbH
Weidenauer Straße 160
57076 Siegen
Germany
– Contractor –

Preamble


This agreement specifies the data protection obligations of the contracting parties resulting from the order processing described in Annex A. It applies to all activities in connection with the service in which employees of the contractor or third parties commissioned by the contractor may come into contact with the client's personal data.
Individual agreements in this data protection agreement take precedence over the general terms and conditions (GTC) of the contractor.

§ 1 Definitions


(1) Personal Data
According to Art. 4 para. 1 GDPR, personal data is all information relating to an identified or identifiable natural person (hereinafter “data subject”); identifiable is a natural person who can be identified directly or indirectly, in particular by assignment to an identification such as a name, an identification number, location data, an online identification or to one or more special features that express the physical, physiological, genetic, psychological, economic, cultural or social identity of this natural person.

(2) Data Processor
According to Art. 4 para. 8 GDPR, a processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the data controller.

(3) Instruction
The instruction is usually the written instruction of the client directed at a certain data protection handling (for example storage, pseudonymization, deletion, publication) of the contractor with personal data. The instructions are issued by the client and can be amended, supplemented or replaced by individual instructions (individual instructions). The instructions of the client must be given in writing or by e-mail.

§ 2 Subject matter, duration and specification of order processing
The subject and duration of the order as well as the type and purpose of the processing result from this agreement. In particular, the information on the data in annex A is part of the data processing.

This agreement is valid until revoked. The revocation must be in writing.

§ 3 Scope and responsibility
The contractor processes personal data on behalf of the client. This includes activities that are specified in this agreement. Within the framework of this agreement, the client is solely responsible for compliance with the legal provisions of the data protection laws, in particular for the legality of data transfer to the contractor and for the legality of data processing (“Data Controller” within the meaning of Art. 4 No. 7 GDPR).

§ 4 Duties of the contractor
(1) The contractor may only process data of data subjects within the scope of the order and the instructions of the contracting authority unless there is an exceptional case within the meaning of Article 28 para. 3 a) GDPR. The contractor shall inform the customer without delay if he is of the opinion that an instruction violates applicable laws. The contractor may suspend the implementation of the directive until it has been confirmed or amended by the customer.

(2) The contractor shall design the internal organisation within his area of responsibility in such a way that it meets the special requirements of data protection. He will take technical and organisational measures to adequately protect the data of the contracting authority which meet the requirements of the General Data Protection Regulation (Art. 32 GDPR). The contractor shall take technical and organisational measures to ensure the long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processing. The client is aware of these technical and organisational measures and is responsible for ensuring that they offer an appropriate level of protection for the risks of the data to be processed.
The contractor reserves the right to change the security measures taken, but it must be ensured that they do not fall below the level of protection agreed here.

(3) To the extent agreed, the contractor shall assist the principal, within the scope of his possibilities, in fulfilling the requests and claims of the persons concerned pursuant to Chapter III of the GDPR and in complying with the obligations specified in Articles 33 to 36 GDPR.

(4) The contractor guarantees that the employees involved in the processing of the data of the principal and other persons working for the contractor are prohibited from processing the data outside the instructions. Furthermore, the contractor guarantees that the persons authorised to process the personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality/non-disclosure obligation shall continue to apply even after termination of the order.

(5) The contractor shall inform the principal immediately if he becomes aware of any violation of the protection of personal data of the principal.

The contractor shall take the necessary measures to secure the data and to mitigate possible adverse consequences of the persons concerned and shall consult with the customer without delay.

(6) The contractor shall name the contact person for any data protection issues arising within the scope of this agreement.

(7) The contractor shall ensure that he fulfills his obligations under Art. 32 para. 1 point d) GDPR to establish a procedure for the regular review of the effectiveness of technical and organisational measures to ensure the security of processing.

(8) The contractor corrects or deletes the data subject to the agreement, if the client instructs this and this is included in the instruction framework. If deletion in conformity with data protection or a corresponding restriction of data processing is not possible, the contractor shall undertake the destruction of data carriers and other materials in conformity with data protection on the basis of an individual order by the customer or shall return these data carriers to the customer, unless already agreed.
In special cases to be determined by the customer, the goods shall be stored or handed over, remuneration and protective measures shall be agreed separately.

(9) Data, data carriers and all other materials shall either be surrendered or deleted at the request of the customer at the end of the order.

(10) In the event of a claim against the principal by a person concerned with regard to any claims under Art. 82 GDPR, the contractor undertakes to support the principal in defending the claim within the scope of his possibilities.

§ 5 Obligations of the contracting authority
(1) The customer shall immediately and completely inform the contractor if he detects errors or irregularities with regard to data protection regulations in the order results.

(2) In the event of a claim against the principal by a person concerned with regard to any claims pursuant to Art. 82 GDPR, §4 para. 10 shall apply accordingly.

(3) The customer shall name the contact person for data protection issues arising within the scope of the agreement to the contractor.

§ 6 Requests from data subjects
If a data subject addresses the contractor with claims for correction, deletion or information, the contractor will refer the data subject to the principal, provided that an assignment to the principal is possible according to the data of the data subject. The contractor shall immediately forward the application of the person concerned to the contracting authority. The Contractor shall support the Customer within the scope of his possibilities and upon instruction, to the extent agreed. The contractor shall not be liable if the client does not respond to the request of the person concerned, does not respond correctly or does not respond in due time.

§ 7 Detection possibilities
(1) The contractor shall prove to the principal that he has complied with the obligations laid down in this agreement by suitable means.

(2) If inspections by the client or an auditor commissioned by the client are required in individual cases, they shall be carried out during normal business hours without disrupting operations after notification, taking into account an appropriate lead time. The contractor may make them subject to prior notification with a reasonable lead time and to the signing of a confidentiality agreement with regard to the data of other customers and the technical and organisational measures set up. If the inspector commissioned by the customer is in a competitive relationship with the contractor, the contractor has a right of objection against the contractor.
The contractor may charge a fee for assistance in carrying out an inspection. The cost of an inspection is generally limited to one day per calendar year for the contractor.

(3) If an inspection is carried out by a data protection supervisory authority or another sovereign supervisory authority of the contracting authority, paragraph 2 shall apply mutatis mutandis. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or legal secrecy, in which a violation is punishable under the Criminal Code.

§ 8 Subcontractors (other contractors)
(1) The use of subcontractors as additional contract processors is only permitted if the customer has given his prior consent.

(2) A subcontractor relationship requiring approval exists if the contractor commissions further contractors to perform all or part of the service agreed in the agreement. The Contractor shall enter into agreements with such third parties to the extent necessary to ensure appropriate data protection and information security measures.
The agreed services or the partial services described below are carried out with the involvement of the following subcontractors:

Name and address of subcontractor
Amazon Web Services Germany GmbH
Krausenstr. 38
10117 Berlin
Data Center in the AWS Region Frankfurt, Germany (Data Center)

Description of partial services
-image enhancement
-prepress processing
-data memory

Before calling in further subcontractors or replacing the subcontractors listed, the Contractor shall obtain the Client's consent, which may not be refused without good reason under data protection law.

(3) If the contractor places orders with subcontractors, the contractor is responsible for transferring his data protection obligations under this agreement to the subcontractor.

§ 9 Duty to inform, written form clause, choice of law
(1) Should the data of the principal be endangered by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the contractor must inform the principal immediately. The contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the principal as “Data Controller” within the meaning of the General Data Protection Regulation.

(2) Changes and additions to this Annex and all its components - including any warranties of the contractor - require a written agreement, which can also be made in an electronic format (text form), and an express indication that these terms and conditions are to be changed or supplemented. This also applies to the waiver of this formal requirement.

(3) In the event of any contradictions, the provisions of this agreement on data protection take precedence over the provisions of the contract. Should individual parts of this Annex be invalid, this shall not affect the validity of the remainder of the Annex.

(4) German law applies.

§ 10 Liability and damages
Principal and contractor are liable to the persons concerned in accordance with the provisions of Art. 82 GDPR.

§ 11 Severability clause, place of jurisdiction, applicability
(1) Should any provision of this agreement be or become invalid or unenforceable, this shall not affect the remaining provisions of this agreement. The parties agree to replace the invalid or unenforceable provision with a valid and enforceable provision that most closely approximates the economic purpose of the parties. The same applies in the event of a loophole.

(2) Changes and supplements to this agreement and all its components - including any assurances of the contractor - require a written agreement or in text form (electronic format) and the express indication that this agreement is an amendment or addition. This also applies to the waiver of this formal requirement.

(3) This translation is for information purposes only and is not a legally binding document. The original provisions are set out in the original German version.

(4) It is hereby agreed that Siegen shall be the place of jurisdiction. 

2026-07-16, [[Ort]]
signed [[Name]]

2026-07-16, Siegen
signed Reinhard Saal, Robin Saal, Tim Saal, Florian Stellwag (Managing Directors, Saal Digital Fotoservice GmbH)

[This agreement is valid without signature.]
Appendix A: Job details
1. Types of data
2. Types and purposes of data processing
3. Categories of persons concerned
Appendix B: Technical and Organizational Measures
Measure Protection Goal Beschreibung
Physical access control
Closed Shop-Betrieb (nur berechtigte Personen haben Zutritt) C .
Einsatz eines Zugangskontrollsystems C Schlüsselregelung und aktuelle Schlüsselliste
Einsatz eines Zugangskontrollsystems, Schlüsselregelung und aktuelle Schlüsselliste C
Festlegung der zugangsberechtigten Personen C .
Identifikation durch Ausweise C .
Protokollierung der Zu- und Abgänge C .
Revisionsfähigkeit der Zugangsberechtigungen C .
Richtlinien zur Begleitung und Kennzeichnung von Gästen im Gebäude C .
Zugangsregelungen für betriebsfremde Personen C .
System access control
Festlegung der nutzungsberechtigten Personen und Einschränkung der Benutzerrechte auf Tätigkeitsbereiche C .
geteiltes Passwort mit 4-Augen-Prinzip C Ohne das Beisein bzw. die Eingabe des 2. Teils des Passworts kein Zugriff.
Identifikation und Authentifizierung der Benutzer C .
Passwortrichtlinie C (Angabe von Kennwortparametern hinsichtlich Komplexität und Aktualisierungsintervall)
Passwortrichtlinie (Angabe von Kennwortparametern hinsichtlich Komplexität und Aktualisierungsintervall) C
Regelungen / Voraussetzungen zur Telearbeit C (Zwei-Faktor-Authentifizierung)
Regelungen / Voraussetzungen zur Telearbeit (Zwei-Faktor-Authentifizierung) C
Sicherung der Datenstationen, Netze und Übertragungsleitungen C .
Sperrung der Clients nach gewissem Zeitablauf ohne Useraktivität C (auch passwortgeschützter Bildschirmschoner oder automatische Pausenschaltung)
Sperrung der Clients nach gewissem Zeitablauf ohne Useraktivität (auch passwortgeschützter Bildschirmschoner oder automatische Pausenschaltung) C
Verschlüsselung der zu übertragenden Daten C .
Data access control
Anlegen von revisionsfähigen Benutzerprofilen C .
Benutzerbezogene Protokollierung der (Fehl-)Zugriffe C .
Beschränkung der freien Abfragemöglichkeiten von Datenbanken C (Query-Sprache)
Beschränkung der freien Abfragemöglichkeiten von Datenbanken (Query-Sprache) C
Einführung zugriffsbeschränkender Maßnahmen C (z. B. nur Leseberechtigung)
Einführung zugriffsbeschränkender Maßnahmen (z. B. nur Leseberechtigung) C
Einsatz von Verschlüsselungsverfahren C .
Identifikation und Authentifizierung der Benutzer C .
Maschinelle Überprüfung der Berechtigungen C .
Zentrale Vergabestelle von Benutzerrechten C .
Disclosure / transfer control
Externe Zugriffe auf Daten erfolgt ausschließlich über VPN bzw. verschlüsselten Verbindungen C .
Sichere Übertragung der Daten im Internet durch SSL-Verschlüsselung (https) C .
Input control
Festlegung von Eingabebefugnissen I .
Protokollierung der Eingaben, Veränderungen und Löschungen I .
Speicherung des Veranlassers I .
Commissioned data processing control
Abgrenzung der Kompetenzen und Pflichten zwischen Auftragnehmer und Auftraggeber C, I, A .
Formalisierung der Auftragserteilung C, I, A .
Klare Vereinbarungsgestaltung und -ausführung C, I, A .
Protokollierung und Kontrolle der ordnungsgemäßen Vereinbarungsausführung C, I, A .
Schulungen aller zugriffsberechtigten Mitarbeiter. Regelmäßig stattfindende Nachschulungen. C, I, A .
Sorgfältige Auswahl des Auftragnehmers C, I, A .
Vereinbarung zur Auftragsdatenverarbeitung gem. Art. 28 DS-GVO mit Regelungen zu den Rechten und Pflichten des Auftragnehmers C, I, A .
Verpflichtung auf die Vertraulichkeit Art. 28 Abs. 3 S. 2 lit. b, 29, 32 Abs. 4 DS-GVO C, I, A .
Availability control
Application-/Device-Control A .
Brandmelder A .
Klimatisierung A .
Objektsicherung insb. der Serverräume A .
Permanente Serverüberwachung durch Monitoring-Software A .
USV (Unterbrechungsfreie Stromversorgung) A .
Virenschutz / Firewall A .
Separation control
Für interne Zwecke (z.B. Entwicklung, Test und Backup) werden getrennte Systeme mit eigener Datenstruktur genutzt C .
Mandantentrennung auf Auftragsebene - Logische Trennung der Daten C .
Pseudonymisation
Trennung Stammdaten C Trennung von Kundenstammdaten und Auftragsdaten in der Produktion
Encryption
Speicherung C Verschlüsselte Datenspeicherung (z.B. Dateiverschlüsselung nach AES256 Standard)
Übertragung C Verschlüsselte Datenübertragung (z.B. E-Mailverschlüsselung nach PGP oder S/Mime, VPN, verschlüsselte Internetverbindungen mittels TLS/SSL, Einsatz FTAPI - Datentransfertool)
Recoverability
Backup-Systeme zur Wiederherstellung verlorener Daten A .
Dezentrale Datensicherung A .
Mehrfach redundantes Active-Active-Cluster A .
Testen der Wiederherstellung A .
Management system
Durchführung regelmäßiger interner Audits C, I, A .
Durchführung regelmäßiger IT-Schwachstellenanalysen (z.B. Penetrationstest) C, I, A .
Einsatz softwaregestützter Tools zur Einhaltung der datenschutzrechtlichen Anforderungen C, I, A .
Einsatz von Software mit datenschutzfreundlichen Voreinstellungen gem. (Art. 25 Abs. 2 DS-GVO) C, I, A .
Incident-Response-System zur Nachvollziehbarkeit von Sicherheitsverstößen und Problemen C, I, A .
Managementsystem zum Datenschutz und der Informationssicherheit (in Anlehnung an ISO 27001) C, I, A .
Signatories

Signatories 1

Back