
Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR

Between:

[[Company Name]], [[Street and Number]], [[ZIP City]] – represented by: [[Representative]]

– hereinafter referred to as "Controller" –

and:

IT-Hilbert GmbH, Mühlenberg 15, 24217 Schönberg, Germany

– hereinafter referred to as "Processor" –

§ 1 Subject Matter and Duration of Processing

The Processor provides the Controller with services in the area of consent management, website scanning, and automated generation of privacy-related legal texts (SaaS service "ConsentLaw") for the domain . The duration corresponds to the term of the main agreement (subscription) and terminates automatically upon cancellation.

§ 2 Nature and Purpose of Processing

The nature and purpose of processing are described in Annex 1. Data processing takes place exclusively within the EU/EEA.

§ 3 Categories of Personal Data and Data Subjects

The categories of personal data and data subjects are specified in Annex 1.

§ 4 Client's Right to Issue Instructions

The Processor processes personal data solely on the documented instructions of the Controller (Art. 28 (3)(a) GDPR). Configuring the system via the customer dashboard constitutes documented instructions. Instructions must be issued in writing; verbal instructions must be confirmed in writing without delay.

§ 5 Confidentiality

The Processor ensures that all persons authorized to process personal data have committed themselves to confidentiality or are subject to a statutory obligation of secrecy (Art. 28 (3)(b) GDPR).

§ 6 Technical and Organizational Measures (Art. 32 GDPR)

The Processor implements the measures described in Annex 2. These may be adapted by mutual agreement, provided that the level of protection is not reduced.

§ 7 Engagement of Sub-processors

The Controller grants general authorization to engage the sub-processors listed in Annex 3 (Art. 28 (2) GDPR). The Processor shall inform the Controller at least 30 days in advance of any planned changes.

§ 8 Assistance with Data Subject Rights

The Processor shall assist the Controller in fulfilling requests from data subjects exercising their rights under Art. 15–22 GDPR (Art. 28 (3)(e) GDPR).

§ 9 Assistance with GDPR Obligations (Art. 32–36 GDPR)

The Processor shall assist the Controller in particular with:

  • Security of processing (Art. 32 GDPR)
  • Notification of personal data breaches (Art. 33/34 GDPR), in particular within 48 hours
  • Data protection impact assessment (Art. 35 GDPR)
  • Prior consultation with the supervisory authority (Art. 36 GDPR)

§ 10 Erasure and Return of Data

Upon termination of the main agreement, the Processor shall delete or return all personal data, unless a statutory retention obligation exists (Art. 28 (3)(g) GDPR). The Controller may request return of data in writing within 30 days after termination.

§ 11 Audit Rights

The Controller has the right to carry out audits and inspections at the Processor's premises, or to have them carried out by an authorized third party (Art. 28 (3)(h) GDPR).

§ 12 International Data Transfers

Processing outside the EEA only takes place where an adequacy decision by the European Commission exists or where appropriate safeguards (Standard Contractual Clauses) have been put in place (Art. 46 GDPR). Approved third-country transfers are listed in Annex 3.

Annex 1: Description of Processing

  • Subject matter: Consent management, logging of consents, website scanning for third-party services, generation of legal texts for the domain .
  • Nature of processing: Collection, storage, retrieval, modification (deletion after expiry), transmission.
  • Categories of personal data: Consent log entries (opt-in/opt-out), truncated IP addresses, timestamps, User Agent, Consent IDs.
  • Categories of data subjects: Website visitors of the domain .

Annex 2: Technical and Organizational Measures (TOM)

The Processor and its engaged sub-processors guarantee a level of security appropriate to the risk (Art. 32 GDPR).

2.1 Internal Measures of the Processor

The following measures are implemented and continuously monitored directly by the Processor (ConsentLaw):

System Access Control

  • Two-factor authentication (2FA) for all admins

2.2 Measures of Infrastructure Providers (Hosting)

Physical security and fundamental infrastructure security are ensured by certified hosting providers:

Physical Access Control

  • Key/chip-protected access to the data center
  • Video surveillance of the server room
  • Hosting in ISO 27001 certified data center

Encryption

  • TLS 1.2/1.3 encryption across all connections

Availability Control

  • Daily automated backups
  • Redundant server infrastructure
  • Active DDoS protection

Note on other sub-processors (e.g., AI services, email providers): These contractually guarantee an equivalent level of security through EU Standard Contractual Clauses or adequacy decisions (Data Privacy Framework) as well as their own ISO certifications.

Annex 3: List of Approved Sub-processors

  • Mollie B.V. (Amsterdam, Netherlands (EU)) – Service: Payment Processing
  • Mistral AI SAS (Paris, France (EU)) – Service: AI Text Generation & Optimization (DPA/Privacy)

Date: 19.03.2026

This document was automatically generated by ConsentLaw on 19.03.2026.
