Data Processing Agreement (DPA)

This DPA specifies the data-protection obligations of the parties in connection with the processing on behalf pursuant to Art. 28 GDPR that arise from the Main Agreement. It applies uniformly to all customers who conclude the Main Agreement with the processor.

The processor processes personal data on behalf and on the instructions of the controller within the scope of providing the software “KITALE”.

The duration of the processing corresponds to the term of the Main Agreement. Upon termination of the Main Agreement, this DPA also ends, without prejudice to the obligations to return and erase pursuant to § 10 of this DPA.

Personal data is processed exclusively for the purpose of providing and operating the software “KITALE” for the controller, in particular:

• Administration of child master data and group structures
• Parent and educator communication
• Absence reports and attendance documentation
• Meal ordering, billing and catering management
• Administration of education-and-participation benefits (BuT)
• AI-assisted assistant (chatbot, automation) to support facility administration
• Automatic translation of content (e.g. parent communication)
• Email dispatch (transactional emails, notifications)
• Technical operation, maintenance and support of the software
• Data backup (backups) pursuant to § 5 of the Main Agreement

The following categories of personal data are processed:

The processing concerns:

• Children cared for in the controller's facilities
• Parents or guardians of the children cared for
• Educators, pedagogical specialists and other staff of the controller
• Where applicable, further persons authorised by the facility (e.g. persons authorised for pick-up)

The controller is solely responsible for compliance with data-protection provisions, in particular for the lawfulness of the data processing and for safeguarding the rights of data subjects.

The controller issues all orders, sub-orders and instructions generally in text form (email is sufficient). Verbal instructions must be confirmed in text form without undue delay.

The controller informs the processor without undue delay if it identifies errors or irregularities in the processing of personal data.

The controller is obliged to obtain the necessary consents of the data subjects (in particular parents/guardians) insofar as consent is the legal basis for the processing. This applies in particular to the processing of special categories of personal data pursuant to Art. 9 GDPR.

The controller names a contact person for the processor for data-protection-related matters.

The processor processes personal data exclusively on documented instructions from the controller (“bound by instructions”), unless it is required to process by Union or Member State law to which it is subject. In this case, the processor informs the controller of this legal requirement before processing, unless that law prohibits such notification on important grounds of public interest (Art. 28(3)(a) GDPR).

The processor ensures that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).

The processor takes all technical and organisational measures (TOMs) required pursuant to Art. 32 GDPR to protect personal data. The current TOMs are documented in Annex A to this DPA.

The processor supports the controller in fulfilling its obligations pursuant to Art. 32–36 GDPR (security of processing, notification of personal data breaches, data protection impact assessments, prior consultation).

The processor informs the controller without undue delay if it considers that an instruction from the controller infringes data-protection provisions. The processor is entitled to suspend the execution of the relevant instruction until confirmation or amendment by the controller.

The controller grants the processor a general authorisation to engage sub-processors pursuant to Art. 28(2) GDPR.

The sub-processors currently engaged are listed in Annex B to this DPA. Annex B is maintained centrally by the processor and published in its respective valid version at https://kitale.de/auftragsverarbeitungsvertrag. Upon conclusion of the Main Agreement, the controller consents to the use of the sub-processors listed in Annex B at the respective time.

The processor informs the controller at least 30 days in advance in text form (e.g. by email) of the intended use of new sub-processors or the change of existing ones and updates Annex B accordingly. The controller may object to the use in writing within 14 days of notification on legitimate data-protection grounds. The provisions of § 8.6 of the Main Agreement apply accordingly.

The processor contractually ensures that the sub-processors comply with the same data-protection obligations as set out in this DPA, in particular with regard to the technical and organisational measures and being bound by instructions.

The processor is liable to the controller for compliance with data-protection obligations by its sub-processors.

The processor engages Degeler Consulting e.U. as a narrowly limited sub-processor to provide support in connection with KITALE. Access by Degeler Consulting e.U. takes place exclusively insofar as this is necessary for product management, project coordination, customer communication, contract handling and data-protection process consulting. Access may in particular cover contract documents, software and administration interfaces, customer and communication data, support data as well as technical operating information such as logs or infrastructure information, in each case only to the extent necessary and exclusively on the instructions of the processor. Processing for its own purposes by Degeler Consulting e.U. is excluded.

The processor supports the controller, where possible, with appropriate technical and organisational measures in fulfilling requests from data subjects pursuant to Chapter III of the GDPR (in particular access, rectification, erasure, restriction, data portability, objection).

If a data subject addresses requests directly to the processor, the processor forwards the request to the controller without undue delay and awaits the controller's instruction, unless it is already evident from the request that it is intended to be directed to the controller.

The processor provides the controller with export functions via the software that enable the controller to fulfil data-subject rights independently (e.g. data export for access requests, deletion of individual records).

The processor notifies the controller of any breach of the protection of personal data (personal data breach pursuant to Art. 33 GDPR) without undue delay, but no later than within 24 hours of becoming aware of it.

The notification contains at least:

• A description of the nature of the personal data breach, where possible indicating the categories and approximate number of data subjects and records concerned
• The name and contact details of the data protection officer or other point of contact
• A description of the likely consequences of the breach
• A description of the measures taken and proposed to remedy and mitigate the breach

The processor supports the controller in fulfilling its notification obligations towards the supervisory authority (Art. 33 GDPR) and the data subjects (Art. 34 GDPR).

Insofar as the personal data breach was caused by the processor or its sub-processors, the processor takes appropriate measures to contain and remedy the breach without undue delay.

After termination of the Main Agreement, the processor erases all personal data processed on behalf in accordance with the provisions of § 9.4 and § 9.5 of the Main Agreement (30-day transition phase with export option, followed by complete erasure).

The erasure covers all copies of the data, including backups and backup copies, unless a statutory retention obligation exists (e.g. under the German Fiscal Code (AO) or Commercial Code (HGB)). In the case of statutory retention obligations, the relevant data is blocked and erased after expiry of the respective period.

The processor confirms the complete erasure to the controller in writing upon request.

The processor provides the controller with all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

The controller is entitled to conduct audits (inspections) or have them conducted by a commissioned auditor bound to confidentiality. The audits may include:

• Review of the technical and organisational measures
• Inspection of relevant documentation and certifications
• On-site inspections of the data centres (insofar as proportionate and taking into account the confidentiality interests of the processor and other customers)

Audits must be announced at least 14 days in advance in text form and carried out during normal business hours. The processor supports the controller in carrying them out. The costs of the audits are borne by the controller, unless the audit reveals material breaches by the processor.

The processor may also provide proof of compliance with its obligations by submitting suitable, current certifications or audit reports (e.g. ISO 27001, SOC 2). Such proof may replace an on-site audit, provided the controller agrees.

Personal data is processed exclusively within the European Union or the European Economic Area (EU/EEA). Hosting takes place on servers in Germany (cf. § 1.3 of the Main Agreement).

A transfer of personal data to a third country (outside the EU/EEA) or to an international organisation requires the prior written consent of the controller and is only permissible under the conditions of Art. 44–49 GDPR.

Should a sub-processor process personal data in a third country, the processor ensures that appropriate safeguards exist pursuant to Art. 46 GDPR (e.g. EU Commission standard contractual clauses, adequacy decision).

The parties are aware that, in the context of using the software, special categories of personal data pursuant to Art. 9 GDPR may be processed, in particular:

• Health data of children (allergies, intolerances, dietary particularities)
• Social data (BuT notices, funding status)

For these special categories, the processor takes additional protective measures, in particular:

• Encryption of data during transmission (TLS 1.2 or higher) and at rest (AES-256 or comparable)
• Strict access control based on the principle of least privilege
• Logging of all access to special categories of personal data
• Regular awareness-raising and training of staff in handling sensitive data

The processor's data protection officer (or the data-protection point of contact) can be reached at:

• Email: privacy@kitale.de

The controller informs the processor in text form of the contact details of its data protection officer (if appointed) or its data-protection contact person.

This DPA is an integral part of the Main Agreement. In the event of contradictions between this DPA and the Main Agreement, the provisions of this DPA take precedence with regard to the protection of personal data.

The processor is entitled to unilaterally amend this DPA as well as Annexes A and B in the event of changes in the legal situation, regulatory requirements or the use of new sub-processors, provided that the level of data protection is not lowered as a result. The controller is informed of material changes at least 30 days before they take effect in text form (e.g. by email). The respective current version of this DPA is available at https://kitale.de/auftragsverarbeitungsvertrag.

Should individual provisions of this DPA be or become wholly or partially invalid or unenforceable, the validity of the remaining provisions shall not be affected.

This DPA is governed by the law of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods. The place of jurisdiction is – insofar as legally permissible – the registered office of the processor (Hermaringen, Germany).