Data Processing Agreement in Accordance with Article 28 of the General Data Protection Regulation (GDPR)

Agreement between XXXXX, Street number and name, postal code & city, country, the Controller – hereafter named the “Client” – and Nocodelytics LDT, Kemp House, 124 City Road, London, United Kingdom, EC1V 2NX, the Processor – hereafter named the “Supplier”.

Subject matter and duration of the Agreement or Contract

The subject matter and duration of the Agreement or Contract shall be determined entirely according to the information provided in the respective contractual relationship. The Supplier shall process personal data for the Client in accordance with Art. 4 No. 2 and Art. 28 GDPR on the basis of this Agreement.

Object, nature, and purpose of the collection, processing or use of data

The object, nature and purpose of any possible collection, processing, or use of personal data, the nature of data, and the People Affected shall be described to the Supplier by the Client, insofar as this is not governed by the contractual relationships described in the content of Section 1 of this document. The provision of the contractually agreed upon data processing shall occur exclusively in a member state of the European Union or in another member state party to the Agreement on the European Economic Area. Any transfer to a third country shall require the prior consent of the Client and may only occur if the special conditions defined in Articles 44 et seq. of the GDPR are fulfilled.

Technical and organizational measures in accordance with Art. 32 GDPR (Art. 28 Para. 3 Sent. 2 Clause c of the GDPR)

(1) The Supplier shall ensure the security of the data in accordance with Art. 32 GDPR, taking into account the nature of web analytics services. The measures to be taken are those ensuring confidentiality, integrity, availability and resilience of the systems and services. The state of the technology, the costs of implementation, and the nature and purposes of data processing must be taken into account.

(2) The technical and organizational measures shall be subject to progress and further development. The Supplier may implement alternative adequate measures as long as the level of security is maintained.

Correction, restriction, and deletion of data

(1) The Supplier is not entitled to delete or restrict the processing of data processed on behalf of third parties without authorization. Insofar as an Affected Person contacts the Supplier directly regarding this, the Supplier will forward this request to the Client without delay.

(2) The Supplier must ensure data correction, deletion, portability, and disclosure as per the Client’s instructions.

Quality assurance and other duties of the Supplier

The Supplier shall comply with statutory obligations in accordance with Articles 28 to 33 GDPR and ensure:

• Appointment of a Data Protection Officer with their contact details accessible on the Supplier's website.

• Confidentiality as per Art. 28 Para. 3 Sent. 2 Clause b, Art. 29 and Art. 32 Para. 4 GDPR. Employees involved in data processing must be committed to confidentiality and familiar with data protection provisions.

• Cooperation with the Client and supervisory authority in the performance of their duties.

• Prompt notification to the Client of any supervisory authority inspections or measures concerning this Agreement.

• Support for the Client in case of investigations, liability claims, or other claims related to the Agreement’s processing.

• Regular monitoring of internal processes and measures to ensure compliance with data protection laws and protection of Affected People's rights.


Subcontracting relationships are those services which directly relate to the principal commission. Ancillary services used by the Supplier must have appropriate and legally binding contractual arrangements to ensure data protection and security.

The Client’s inspection rights

(1) The Supplier must provide necessary information and proof of implementation of technical and organizational measures to the Client upon request.

(2) Evidence of such measures may be provided by compliance with approved codes of conduct or certification procedures in accordance with GDPR.

Communication in the case of infringement by the Supplier

The Supplier shall assist the Client in complying with obligations concerning security of personal data, data breach reporting, data protection impact assessments, and prior consultations as per Articles 32 to 36 of the GDPR.

The Client’s authority to issue instructions

(1) Oral instructions from the Client must be confirmed in text form.

(2) The Supplier must inform the Client if an instruction is believed to violate data protection regulations and may suspend execution of such instructions until clarified.

Deletion and return of personal data

(1) No copies or duplicates of data shall be created without the Client's consent, except for necessary backup copies.

(2) Upon conclusion of the contracted work or upon the Client’s request, the Supplier must return or destroy all data related to the contract, unless required to retain it by law.

Other agreements

11.1. Reimbursement

A fee for this contract is not required unless specified for additional services.

11.2. Duration of contract

This Agreement is linked to the existence of a principal contractual relationship. Termination of the principal contract will invalidate this Agreement.

11.3. Choice of law and jurisdiction

The laws of the Federal Republic of Germany shall apply.

