Contract on order processing (AVV)
The following Data Processing Agreement (DPA) within the meaning of Art. 28 (3) GDPR is part of the General Terms of Use (hereinafter: Main Agreement) and governs the data protection obligations and rights between the Partner (hereinafter: Controller) and the Processor (pursuant to Art. 4 No. 8 GDPR), Wilderness International Foundation, Grundstraße 1, 01326 Dresden, Germany (hereinafter: Processor). The data protection rights and obligations arising from this contract come into force upon conclusion of the main contract.
The content corresponds to the standard contractual clauses of the Commission within the meaning of Art. 28 para. 6, 7 GDPR of 04.06.2021, C(2021) 3701 final.
SECTION I
Clause 1: Purpose and scope
These Standard Contractual Clauses (hereinafter "Clauses") are intended to ensure compliance with Article 29(3) and (4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of October 23, 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.
The controllers and processors listed in Annex I have agreed to these clauses to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 and/or Article 29(3) and (4) of Regulation (EU) 2018/1725.
These clauses apply to the processing of personal data in accordance with Annex II.
Annexes I to IV form an integral part of the clauses.
These clauses are without prejudice to the obligations to which the controller is subject under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
These clauses do not in themselves ensure compliance with the obligations relating to international data transfers under Chapter V of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
Clause 2: Immutability of the clauses
The parties undertake not to amend the clauses, except to supplement or update the information provided in the appendices.
This does not prevent the parties from including the standard contractual clauses set out in these clauses in a more comprehensive contract and adding further clauses or additional safeguards, provided that these do not directly or indirectly contradict the clauses or restrict the fundamental rights or freedoms of the data subjects.
Clause 3: Interpretation
Where terms defined in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 are used in these clauses, those terms shall have the same meaning as in that Regulation.
These clauses must be interpreted in light of the provisions of Regulation (EU) 2016/679 and Regulation (EU) 2018/1725.
These clauses may not be interpreted in a way that is contrary to the rights and obligations provided for in Regulation (EU) 2016/679 or Regulation (EU) 2018/1725 or that restricts the fundamental rights or freedoms of the data subjects.
Clause 4: Precedence
In the event of any conflict between these clauses and the provisions of any related agreements existing between the parties or subsequently entered into or concluded, these clauses shall prevail.
SECTION II - OBLIGATIONS OF THE PARTIES
Clause 6: Description of the processing
The details of the processing operations, in particular the categories of personal data and the purposes for which the personal data are processed on behalf of the controller, are set out in Annex II.
Clause 7: Obligations of the Parties
7.1 Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, unless the Processor is required to do so by Union or Member State law to which the Processor is subject. In such a case, the processor shall inform the controller of these legal requirements prior to processing, unless the law in question prohibits this due to an important public interest. The controller may issue further instructions for the entire duration of the processing of personal data. These instructions must always be documented.
The processor shall inform the controller without undue delay if it considers that instructions issued by the controller are in breach of Regulation (EU) 2016/679, Regulation (EU) 2018/1725 or applicable Union or Member State data protection provisions.
7.2 Purpose limitation
The processor shall process the personal data only for the specific purpose(s) set out in Annex II, unless it receives further instructions from the controller.
7.3 Duration of the processing of personal data
The data shall only be processed by the Processor for the duration specified in Annex II.
7.4 Security of processing
The Processor shall take at least the technical and organizational measures listed in Annex III to ensure the security of the Personal Data. This shall include the protection of data against a breach of security leading, whether accidental or unlawful, to the destruction, loss, alteration, unauthorized disclosure of, or access to, the data (hereinafter "Personal Data Breach"). When assessing the appropriate level of protection, the parties shall take due account of the state of the art, the implementation costs, the nature, scope, circumstances and purposes of the processing and the risks involved for the data subjects.
The Processor shall grant its personnel access to the personal data subject to processing only to the extent strictly necessary for the performance, management and monitoring of the Contract. The Processor shall ensure that the persons authorized to process the personal data received have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
7.5 Documentation and compliance with the clauses
The parties must be able to demonstrate compliance with these clauses.
The Processor shall process requests from the Controller regarding the processing of data in accordance with these Clauses promptly and appropriately.
The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set out in these Clauses and arising directly from Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725. At the request of the Controller, the Processor shall also allow and contribute to an audit of the processing activities covered by these Clauses at appropriate intervals or where there are indications of non-compliance. When deciding on an inspection or audit, the controller may take into account relevant certifications of the processor.
The controller may carry out the audit itself or commission an independent auditor. The audits may also include inspections of the processor's premises or physical facilities and shall be carried out with reasonable advance notice where appropriate.
The parties shall make the information referred to in this clause, including the results of audits, available to the competent supervisory authority(ies) upon request.
7.6 Use of sub-processors
The Processor shall have the Controller's general authorization to engage sub-processors included in an agreed list. The Processor shall expressly inform the Controller at least 4 weeks in advance in text form of any intended changes to this list by adding or replacing sub-processors, thereby giving the Controller sufficient time to object to these changes before engaging the sub-processor(s) concerned. The Processor shall provide the Controller with the necessary information to enable the Controller to exercise its right to object.
Where the Processor engages a sub-processor to carry out certain processing activities (on behalf of the Controller), such engagement shall be by way of a contract which imposes on the sub-processor substantially the same data protection obligations as those applicable to the Processor under these Clauses. The Processor shall ensure that the Sub-Processor complies with the obligations to which the Processor is subject under these Clauses and under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
The Processor shall provide the Controller with a copy of any such subcontracting agreement and any subsequent amendments at the Controller's request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the Processor may redact the wording of the agreement before providing a copy.
The Processor shall be fully liable to the Controller for ensuring that the Sub-Processor fulfills its obligations under the contract concluded with the Processor. The Processor shall notify the Controller if the Sub-Processor fails to fulfill its contractual obligations.
The processor agrees a third-party beneficiary clause with the sub-processor, according to which the controller - in the event that the processor no longer exists in fact or in law or is insolvent - has the right to terminate the subcontracting agreement and instruct the sub-processor to delete or return the personal data.
7.7 International data transfers
Any transfer of data by the Processor to a third country or an international organization shall be made solely on the basis of documented instructions from the Controller or to comply with a specific provision under Union law or the law of a Member State to which the Processor is subject and shall comply with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.
The Controller agrees that in cases where the Processor uses a sub-processor pursuant to clause 7.7 for the performance of certain processing activities (on behalf of the controller) and where such processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor may ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission pursuant to Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the application of such standard contractual clauses are met.
Clause 8: Assistance to the controller
The processor shall inform the controller without undue delay of any request received from the data subject. It shall not respond to the request itself unless it has been authorized to do so by the controller.
Taking into account the nature of the processing, the processor shall assist the controller in fulfilling the controller's obligation to respond to requests from data subjects to exercise their rights. In fulfilling its obligations under points (a) and (b), the processor shall follow the instructions of the controller.
In addition to the Processor's obligation to assist the Controller pursuant to Clause 8(b), the Processor shall also assist the Controller in complying with the following obligations, taking into account the nature of the data processing and the information available to the Processor:
- Obligation to carry out an assessment of the impact of the intended processing operations on the protection of personal data (hereinafter "data protection impact assessment") if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- Obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment indicates that the processing would result in a high risk, unless the controller takes measures to mitigate the risk;
- Obligation to ensure that the personal data is accurate and up to date by the processor informing the controller immediately if it discovers that the personal data it is processing is inaccurate or out of date;
- Obligations under Article 32 of Regulation (EU) 2016/679.
The Parties shall specify in Annex III the appropriate technical and organizational measures for the Processor to assist the Controller in the application of this Clause and the scope and extent of the assistance required.
Clause 9: Notification of personal data breaches
In the event of a personal data breach, the Processor shall cooperate with and assist the Controller to enable the Controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 or, where applicable, Articles 34 and 35 of Regulation (EU) 2018/1725, taking into account the nature of the processing and the information available to the Processor.
9.1 Personal data breach of the data processed by the controller
In the event of a personal data breach in connection with the data processed by the controller, the processor shall assist the controller as follows:
- in notifying the personal data breach to the competent supervisory authority(ies) without undue delay after the controller becomes aware of the personal data breach, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
- in obtaining the following information to be included in the controller's notification in accordance with Article 33(3) of Regulation (EU) 2016/679, which must contain at least:
- the nature of the personal data, where possible, indicating the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of a personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
- If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter;
- in complying with the obligation under Article 34 of Regulation (EU) 2016/679 to notify the data subject without undue delay of a personal data breach where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2 Breach of the protection of data processed by the processor
In the event of a personal data breach in connection with the data processed by the processor, the processor shall notify the controller without undue delay after becoming aware of the breach. This notification must contain at least the following information:
- a description of the nature of the breach (if possible, specifying the categories and approximate number of data subjects affected and the approximate number of data records affected);
- contact details of a contact point where further information about the personal data breach can be obtained;
- the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.
If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter.
The parties shall specify in Annex III any other information that the processor must provide to assist the controller in fulfilling its obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III - FINAL PROVISIONS
Clause 10: Breaches of the Clauses and termination of the contract
Without prejudice to the provisions of Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725, if the Processor fails to comply with its obligations under these Clauses, the Controller may instruct the Processor to suspend the processing of personal data until it complies with these Clauses or the contract is terminated. The processor shall inform the controller immediately if, for whatever reason, it is unable to comply with these clauses.
The controller is entitled to terminate the contract insofar as it relates to the processing of personal data in accordance with these clauses if
- the controller has suspended the processing of personal data by the processor in accordance with point (a) and compliance with these clauses has not been restored within a reasonable period and in any event within one month of the suspension;
- the processor materially or persistently breaches these clauses or fails to comply with its obligations under Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725;
- the Processor fails to comply with a binding decision of a competent court or the competent supervisory authority(ies) relating to its obligations under these Clauses, Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.
The Processor shall be entitled to terminate the Contract insofar as it relates to the processing of Personal Data under these Clauses if the Controller insists on the fulfillment of its instructions after being informed by the Processor, pursuant to Clause 7.1 letter b, that its instructions violate applicable legal requirements.
Upon termination of the contract, the processor shall, at the choice of the controller, erase all personal data processed on behalf of the controller and certify to the controller that this has been done, or return all personal data to the controller and erase existing copies, unless there is an obligation to retain the personal data under Union or Member State law. Until the deletion or return of the data, the processor shall continue to ensure compliance with these clauses.
ANNEX I - LIST OF PARTIES
The controller pursuant to Article 4(7) of the EU General Data Protection Regulation (GDPR) is
Wilderness International Foundation
Grundstraße 1
01326 Dresden
Germany
E-mail: contact [at] wilderness-international.org
We are legally represented by Kai Andersch and Ronny Scholz.
Our data protection officer can be contacted at
heyData GmbH
Schützenstraße 5
10117 Berlin
www.heydata.eu
E-mail: datenschutz [at] heydata.eu
ANNEX II - DESCRIPTION OF THE PROCESSING
Categories of data subjects whose personal data is processed
Partners (users)
Categories of personal data that are processed
First name, surname, email address, profile photo, IP address
Type of processing
The type of processing involves the collection and provision of personal data from cooperation partners.
Purpose(s) for which the personal data are processed on behalf of the controller
The respective processor of a partner site confirms the applicable Wilderness International terms of use for partners as part of the creation of a partner site.
The data is stored and processed exclusively for the purposes resulting from the registration, in compliance with the relevant statutory data protection provisions.
Duration of processing
Relevant here is the duration of the underlying main contract. After termination (deletion of the partner site), the data will be deleted within 6 months.
ANNEX III - TECHNICAL AND ORGANIZATIONAL MEASURES, INCLUDING MEASURES TO ENSURE THE SECURITY OF DATA
Confidentiality (Art. 32 para. 1 lit. b GDPR)
Access control (physical access)
No unauthorized physical access to data processing systems: electronic key system with logged issue and return, separate locking groups corresponding to established security zones, electric door openers, alarm system, data protection-compliant perimeter monitoring (video system).
All visitors are accompanied personally.
There is a regulated workflow for the approval, administration and deletion of access authorizations. The management or its representatives periodically (at least annually) check the necessity of access media for employees and initiate the necessary steps.
IT systems for the public provision of online platforms are operated exclusively in secure third-party data centers. In the case of data transfers to (sub-)processors, the specific technical and organizational measures that the (sub-)processor must take to support the controller must also be described.
Access control (system access)
No unauthorized system use: unique user IDs with secure passwords, IP blocking, encryption of data carriers.
Further technical safeguards are provided by firewalls and proxy servers in the contractor's systems.
Access control (data access)
No unauthorized reading, copying, modification or removal within the system: authorization concepts and needs-based access rights, logging of accesses.
Each employee can only access the systems required for his or her work and the required data with the authorization assigned to him or her.
All of the contractor's employees are subject to certain verification routines when they are hired and are bound in writing to data secrecy (GDPR) and confidentiality.
Separation control
Separate processing of data collected for different purposes: separation of test and production systems, functional separation of test and production data, separation of the data sets of different customers.
Pseudonymization and encryption (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR)
The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures.
Integrity (Art. 32 para. 1 lit. b GDPR)
Transmission control
No unauthorized reading, copying, modification or removal during electronic transmission or transport: encryption, virtual private networks (VPN), electronic signature, transport security (transmission protocol): TLS 1.2
The integrity of personal data during storage and transfer within the IT systems and IT applications is ensured by plausibility checks and/or verification procedures. Firewall systems and constantly updated virus software, in addition to Secure Sockets Layer (SSL) encryption and the use of VPN technology, secure communication on the Internet.
Input control
Determining whether and by whom personal data has been entered, changed or removed from data processing systems: Logging, document management.
Thanks to the strict implementation of the role concept, each user only has the rights they need to carry out their work tasks. In addition, administrator access is documented as follows: SSH log and protocol data for administrator access via shell.
Availability and resilience (Art. 32 para. 1 lit. b GDPR)
Availability control
Protection against accidental or willful destruction or loss: backup strategy, patch management; virus protection; firewall.
Maintenance and troubleshooting: regular maintenance of the production facilities ensures high availability of the technical systems. This is ensured by corresponding service contracts.
Data storage: redundant data storage on storage systems using RAID technology; creation of backups; secure storage of backup copies
Organizational measures: Emergency plans; implementation of emergency drills
Emergency power: Essential systems are equipped with uninterruptible power supplies (UPS).
Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
Order control
No commissioned data processing within the meaning of Art. 28 GDPR without corresponding instructions from the client, e.g. clear contract design, formalized order management, strict selection of the service provider, obligation to verify the service provider in advance, follow-up checks.
It is ensured in the IT systems that the data provided is processed in accordance with the statutory provisions only within the framework of the instructions of the respective client and, in particular, is not passed on to unauthorized third parties. The same applies to order-related information; this is only provided to the client or in accordance with the client's instructions.
ANNEX IV - LIST OF SUB-PROCESSORS
The controller has authorized the use of the following sub-processors:
The Constant Company, LLC. (VULTR)
319 Clematis St. Suite 900 FL, 33410 West Palm Beach, USA
https://www.vultr.com/legal/privacy/
Hosting of the website
Pipedrive OÜ
Mustamäe tee 3a, 10615 Tallinn, Estonia
https://www.pipedrive.com/en/privacy
CRM
Weglot
138 rue Pierre Joigneaux, 92270 Bois-Colombes, France
https://weglot.com/de/privacy/
Translation
Stripe Payments Europe Ltd.
Grand Canal Street Lower, Grand Canal Dock, Dublin, Ireland
https://stripe.com/de/privacy#translation
Payment service provider
Help Scout PBC
177 Huntington Ave, Ste 1703, PMB 78505, Boston, MA 02115-3153
https://www.helpscout.com/company/legal/privacy/
Support ticket system
Hotjar Ltd.
Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St Julian's, STJ 3141, Malta
https://www.hotjar.com/legal/policies/privacy/
Website tracking