Data Processing Agreement (DPA)
pursuant to Art. 28 GDPR
IMPORTANT NOTE: The German version of this document will govern our relationship – this translated version is provided for convenience only and will not be interpreted to modify the German version. For the German version, please see: https://www.teamecho.com/dpa
Effective as of: February 17, 2025
1. Preamble and Scope
1.1 This Data Processing Agreement (“DPA”) governs the processing of personal data by TeamEcho GmbH (hereinafter “teamecho” or “Processor”) under the software and services (hereinafter collectively referred to as “Services”) utilized by the Service Recipient (hereinafter also “Controller”, “Responsible Party” or “Customer”), regardless of whether these are used for a fee or free of charge.
1.2 This DPA takes effect as soon as the Service Recipient agrees to the General Terms and Conditions (hereinafter “GTC”) of teamecho or uses teamecho’s Services. By agreeing to the GTC, the Service Recipient also accepts this Data Processing Agreement.
1.3 Insofar as terms such as “processing,” “personal data,” or “data subject” are used in this DPA, they have the meaning as defined in the General Data Protection Regulation (GDPR).
2. Subject Matter and Duration of Processing
2.1 Subject Matter of the Processing
teamecho provides the Customer with a digital feedback and organizational development platform as well as supplementary service and consulting offerings. The specific scope of services is determined by the main contract and the GTC of teamecho.
2.2 Duration
This DPA becomes effective upon acceptance of the GTC and remains in force for the duration of the main contractual relationship between teamecho and the Customer. No separate termination of this DPA is required; it automatically ends when the main contractual relationship ends.
3. Nature and Purpose of the Personal Data
3.1 Types of Data
- Basic data (e.g., email address, assignment to an organizational unit)
- Activity data (e.g., inputs made in the software)
- Correspondence data (e.g., support requests)
- User settings (e.g., email notification preferences, preferred language)
3.2 Categories of Data Subjects
- Users (e.g., employees who are set up in the system)
- Customer contact persons (e.g., admin users and other contact persons on the customer’s side)
3.3 Purpose of Processing
teamecho processes personal data solely to fulfill the services agreed upon in the main contract (e.g., conducting surveys, evaluating results) and in accordance with the instructions of the Customer.
4. Duties and Rights of the Controller
4.1 Responsibility for the Data
In accordance with Art. 4(7) GDPR, the Customer is responsible for the lawfulness of the collection, processing, and use of personal data as well as for safeguarding the rights of the data subjects. teamecho is not obliged to verify the lawfulness of the data collection or the existence of a sufficient legal basis for the processing; it relies on the instructions of the Customer. teamecho merely provides the platform and the agreed-upon services and assumes no responsibility for the content or legal bases of the data collection.
4.2 Right to Issue Instructions
The Customer instructs teamecho to process the data specified in this DPA solely for the performance of the agreed services. If the Customer changes or supplements its instructions, it shall notify teamecho in written form (e.g., email).
4.3 Rights of Inspection
The Customer has the right, at any time, to inspect and review the data processing facilities used by teamecho concerning the processing of data provided by the Customer, including via third parties commissioned by the Customer. The Processor undertakes to make available to the Customer all information required to verify compliance with the obligations laid down in this Agreement.
4.4 Liability and Indemnification
Unless otherwise stipulated in this DPA, the liability provisions of teamecho’s GTC apply. The Customer shall indemnify teamecho against all third-party claims arising from an unlawful or erroneous instruction from the Customer or any other breach of data protection obligations by the Customer. This applies in particular if the Customer collects or processes personal data without an adequate legal basis.
5. Duties of the Processor
5.1 Processing Only on Instructions
teamecho processes personal data solely on the basis of this DPA and in accordance with documented instructions from the Customer. If teamecho receives an official order to disclose data, teamecho will inform the Customer without delay, provided that this is legally permissible.
5.2 Confidentiality
teamecho ensures that all persons engaged in the processing are legally or contractually bound to confidentiality and that this obligation continues even after they have ceased to work in that capacity.
5.3 Technical and Organizational Measures
Taking into account the state of the art, the costs of implementation, as well as the nature, scope, context, and purposes of processing and the varying degrees of risk to the rights and freedoms of natural persons, teamecho implements appropriate technical and organizational measures (“TOM”) pursuant to Art. 32 GDPR to ensure an appropriate level of security for the personal data of the Customer. The current version of the TOM is available at www.teamecho.com/en/tom. teamecho regularly reviews the TOM in light of technological progress and new requirements. Updates or adjustments may only be made provided that they do not reduce the level of protection.
5.4 Assistance Obligations
teamecho assists the Customer in fulfilling the rights of data subjects (Chapter III GDPR) as well as the obligations set out in Art. 32 to 36 GDPR (e.g., notification of data breaches, data protection impact assessments).
5.5 Record of Processing Activities
teamecho maintains a record of all categories of processing activities carried out on behalf of the Customer in accordance with Art. 30(2) GDPR.
5.6 Notification of Breaches
teamecho will promptly inform the Customer if teamecho believes that an instruction violates applicable data protection regulations or if teamecho detects a violation of data protection regulations or contractual agreements.
6. Place of Data Processing and Data Transfers
6.1 EU/EEA Processing
Data is generally processed within the European Union (EU) or the European Economic Area (EEA).
6.2 Processing in Third Countries
Insofar as processing takes place in a third country (e.g., by sub-processors) or personal data is transferred to such a third country, teamecho ensures that the requirements of Chapter V GDPR (e.g., adequacy decision, standard contractual clauses) are met.
7. Sub-Processors
7.1 General Authorization
The Customer hereby grants general authorization pursuant to Art. 28(2) GDPR for teamecho to engage sub-processors.
7.2 Duty to Inform
teamecho will inform the Customer before adding or replacing a sub-processor. The current list of sub-processors is available at https://www.teamecho.com/en/sub-processors. The Customer may object within 30 days of being notified; if no objection is raised within this period, the change is considered approved.
7.3 Contract with Sub-Processors
teamecho will conclude agreements with each sub-processor in accordance with Art. 28(4) GDPR, ensuring that at least the same data protection obligations apply as those set forth in this DPA.
7.4 Ancillary Services
Ancillary services without a direct connection to processing (e.g., telecommunications and postal services) are not considered sub-processing relationships.
8. Rights of Data Subjects
8.1 Rectification, Erasure, and Restriction
teamecho does not make any unilateral changes, deletions, or restrictions to personal data but acts solely on the instructions of the Customer. If a data subject makes a claim directly against teamecho, teamecho will forward the request to the Customer without delay.
8.2 Data Portability
If included in the scope of services, teamecho assists the Customer in implementing requests for data portability (Art. 20 GDPR).
8.3 Data Deletion at the End of the Contract
After termination of the main contract (and thus this DPA), teamecho will delete all personal data of the Customer, unless statutory retention periods or other legal obligations prevent this. The Customer has 30 days to export data beforehand. After this period, the data will be irreversibly deleted.
9. Amendments and Additions
9.1 Form
Amendments and additions to this DPA require notice in text form (e.g., email) and will be announced at least 30 days before taking effect, unless legal requirements necessitate more immediate changes.
9.2 Continued Validity
Should any provision of this DPA be invalid or unenforceable, the validity of the remaining provisions shall remain unaffected.
10. Final Provisions
10.1 Governing Law
Exclusively Austrian law shall apply, to the exclusion of any rules that refer to another jurisdiction.
10.2 Place of Jurisdiction
If permissible, the parties agree that the competent court at the seat of TeamEcho GmbH shall have jurisdiction.
10.3 No Separate Signature
This DPA becomes legally binding through acceptance of the GTC. No separate signature of the parties is required.
Contact
Representative of the Processor
MMag. Markus Koblmüller (Managing Director)
DI David Schellander (Managing Director)
TeamEcho GmbH
4020 Linz, Austria
Phone: +43 732 997898
Email: legal@teamecho.com
The Customer may contact the above representatives at any time with questions regarding data protection or this Agreement.