TattooMate

Data Processing Agreement (DPA)

Agreement for the processing of personal data pursuant to Art. 28 GDPR.

This DPA only applies when using TattooMate as a hosted SaaS solution.

1. Subject matter and duration

This Data Processing Agreement governs the processing of personal data by the processor on behalf of the controller in the context of using TattooMate as a SaaS solution. The duration of processing is governed by the term of the underlying contract.

2. Nature and purpose of processing

Processing takes place for the purpose of providing and using the TattooMate software. This includes in particular the storage, organisation, display and processing of client data, consents, health details, signatures, images and documents captured by the studio.

3. Categories of data subjects

Data subjects are in particular:

- Clients of the studio
- Parents/guardians (in U18 processes)
- Staff and artists of the studio

4. Types of personal data

The following are processed in particular:

- Master data (e.g. name, date of birth)
- Contact data
- Health details
- Consents and signatures
- Image and document data (e.g. IDs, tattoo/touch-up images)

5. Responsibility

The controller is responsible for the lawfulness of data collection and processing. The processor processes data exclusively on documented instructions from the controller.

6. Obligations of the processor

The processor undertakes to:

- treat personal data confidentially
- implement appropriate technical and organisational measures (TOMs)
- only involve authorised personnel in processing
- support the controller with data protection enquiries

7. Technical and organisational measures

Measures include in particular:

- Access restrictions and role/permission systems
- Encrypted connections (TLS)
- Separate instances per studio
- Protection against unauthorised access

A detailed overview of the TOMs can be provided on request.

8. Sub-processors

Sub-processors (e.g. hosting or infrastructure service providers) are only used if they are contractually obliged to comply with the GDPR. The controller will be informed of significant changes.

9. Rights of data subjects

The processor supports the controller in upholding the rights of data subjects (e.g. access, deletion, rectification) where technically possible.

10. Termination of processing

After termination of the contract, personal data will be deleted or made available for handover at the controller's choice, provided there is no legal retention obligation.

11. Liability

The liability provisions of the main contract apply. Liability is governed by the statutory provisions of the GDPR.

12. Final provisions

The law of the Federal Republic of Germany applies. Should individual provisions of this DPA be invalid, the validity of the remaining provisions shall remain unaffected.