Data Processing Agreement
1&1 IONOS Limited
This Agreement specifies the data protection obligations of the contractual parties arising from the defined processing activities in which personal data belonging to Controller is processed by 1&1 in compliance with the General Data Protection Regulations (“GDPR”).
- “Controller” shall have the same meaning as set out in article 4 (7) of the GDPR.
- “Personal data” shall have the same meaning as set out in article 4 (1) of the GDPR.
- “Processing” shall have the same meaning as set out in article 4 (2) of the GDPR.
- “Processor” shall have the same meaning as set out in article 4 (8) of the GDPR.
Dedicated Server, Dedicated Hosting, Cloud Server, Virtual Private Server (VPS), Dynamic Cloud Server, Virtual Server, Managed Cloud, Private Cloud, Cloud Backup
Web Hosting, WordPress Hosting, MyWebsite Now, MyWebsite Creator, MyWebsite Essential, MyWebsite, MyWebsite eCommerce, MyWebsite Now eCommerce, social Buy Button, Shoplement, eShop, Website Design Service
Email Marketing, HiDrive Cloud Storage, Managed Nextcloud, Mail Basic, Mail Business, Hosted Microsoft Exchange, Email Archiving, MyBackup
1. Duration of the Processing on Behalf of the Controller
The term of this Agreement shall continue for the duration of the provision of the services.
2. Area of Application and Responsibility
- 2.1. In the provision of the services, Controller may choose to hold Controller’s customer personal data (“personal data”) at Controller’s own risk, on the platforms and data centres of 1&1. The only processing activities that may be performed by 1&1 are the storage of such personal data and any backups in order to provide continuity of service and disaster recovery. Such backups are merely for the aforementioned purpose and shall not be available to Controller.
- 2.2. Controller shall be solely responsible for compliance with the legal provisions of applicable data protection laws, in relation to such personal data, in particular the lawfulness of the data processing (“Controller” as defined under the GDPR).
3. Obligations of the Provider
- 3.1. To the extent that 1&1 shall be considered a processor of Controller’s customer personal data.
- 3.2. Any additional processing of personal data shall only be in accordance with instruction from Controller, unless an exception applies as defined in the GDPR. 1&1 shall promptly inform Controller if it believes that an instruction of Controller violates applicable laws. In such cases, 1&1 reserves the right to refuse Controller’s instructions.
- 3.3. 1&1 shall implement technical and organisational measures to protect Controller’s customer data and to ensure the confidentiality, integrity, availability and capacity of the systems and services. 1&1 shall be obliged, in accordance with the GDPR, to implement a procedure for regularly reviewing the technical and organisational measures designed to ensure the security of the processing.
- 3.4. 1&1 reserves the right to alter the agreed security measures, provided that any such amendment ensures that the agreed level of protection shall not be materially diminished.
- 3.5. 1&1 agrees to reasonably assist Controller in respect of any requests and claims in accordance with the GDPR.
- 3.6. 1&1 shall ensure that employees, subcontractors and affiliates who may be involved in the processing of Controller’s data shall act in accordance with this Agreement.
- 3.7. 1&1 shall inform Controller promptly if 1&1 becomes aware of any breaches which affect Controller’s personal data.
- 3.8. 1&1 shall, once notified in writing, inform Controller of any request for disclosure of personal data by authorities, unless expressly prohibited under applicable laws.
- 3.9. Controller may contact the Data Protection Officer by sending an email to firstname.lastname@example.org.
- 3.10. At termination of services, all customer data, personal or otherwise, shall be deleted (including the pseudonymisation of data) within an appropriate time, in accordance with applicable laws.
- 3.11. In the event of a claim against Controller regarding any of the rights defined under the GDPR, 1&1 shall provide reasonable assistance to the Controller to avert any such claim.
4. Obligations of Controller
- 4.1. Controller shall inform 1&1 of any issues with respect to data protection laws promptly.
- 4.2. Controller acknowledges that 1&1 shall ensure reasonable security and organisational measures to protect their personal data. Controller shall also agree to undertake similar security measures to ensure the protection of their personal data hosted on the 1&1 platforms and data centres.
- 4.3. In the event of a claim against Controller regarding any of the rights defined under the GDPR, this Agreement shall apply accordingly.
- 4.4. Controller acknowledges and agrees that 1&1 has no knowledge of the retained personal data or how such personal data shall be utilised and therefore, no awareness of how such personal data shall be processed, other than as stated in clause 2.1 above.
- 4.5. It is Controller’s duty to ensure that appropriate backups are retained in relation to the personal data described in this Agreement.
5. Requests from Data Subjects
In the event 1&1 receives a request for correction, deletion or information, 1&1 shall refer such requests to Controller, provided that Controller may be identified. 1&1 shall provide reasonable assistance to Controller. 1&1 shall not be liable in the event the request is not answered at all, is not answered correctly or is not answered promptly by Controller.
6. Subcontractors (Additional Processors)
- 6.1. 1&1 may require subcontractors for maintenance, management of the data centre structure, telecommunication services and for provision of the services.
- 6.2. A list of subcontractor companies currently in use, including place of business, shall be available to Controller in the Control Panel.
- 6.3. In the event 1&1 uses subcontractors, it is 1&1’s responsibility to transfer its data protection obligations from this Agreement to the subcontractor. 1&1 retains full responsibility for the subcontractors in respect of this Agreement.
7. Notification Obligations, Amendments and Jurisdiction
- 7.1. In the event the personal data of Controller is located within the 1&1 data centres and suffers the risk of seizure by insolvency proceedings, law enforcement or any other such event, 1&1 shall notify Controller promptly, if permissible by law. 1&1 shall promptly inform all entities involved in the matter that the ownership and control of the data lies exclusively with Controller, as defined in the GDPR.
- 7.2. Changes or additions to this Agreement may be amended at any time.
- 7.3. Should any conflicts arise, the provisions of this Agreement shall take precedence over the provisions of any other agreement or terms. Should any clause of this Agreement be found invalid, this shall not affect the validity of the rest of this Agreement.
- 7.4. The laws of England and Wales shall apply.
- 7.5. This Agreement supersedes all previous agreements or terms in relation to this subject.
8. Liability and Compensation for Damage
Controller and 1&1 may be liable for claims in accordance with the provisions of the GDPR.
This Agreement shall be in conjunction with 1&1’s General Terms and Conditions.