TattooMate

Data Processing Agreement (DPA)

Agreement on the processing of personal data pursuant to Art. 28 GDPR.

This DPA applies only when TattooMate is used as a hosted SaaS solution.

1. Subject and duration

This Data Processing Agreement governs the processing of personal data by the processor on behalf of the controller in connection with the use of TattooMate as a SaaS solution. The duration of processing corresponds to the term of the underlying contract.

2. Nature and purpose of processing

Processing is carried out for the purpose of providing and operating the TattooMate software. This includes in particular the storage, organization, display and processing of customer data, consents, health information, signatures, images and documents recorded by the studio.

3. Categories of data subjects

Data subjects include in particular:
- Customers of the studio
- Legal guardians (for underage customers)
- Employees and artists of the studio

4. Categories of personal data

The following categories of personal data are processed in particular:
- Master data (e.g. name, date of birth)
- Contact data
- Health-related data
- Consents and signatures
- Image and document data (e.g. IDs, tattoo and touch-up images)

5. Responsibility

The controller is responsible for the lawfulness of data collection and processing. The processor processes personal data exclusively on documented instructions from the controller.

6. Obligations of the processor

The processor undertakes to:
- treat personal data confidentially
- implement appropriate technical and organizational measures (TOMs)
- ensure that only authorized personnel process personal data
- support the controller in responding to data protection requests

7. Technical and organizational measures

Measures include in particular:
- access restrictions and role/permission systems
- encrypted connections (TLS)
- separate instances per studio
- protection against unauthorized access

A detailed overview of the TOMs can be provided upon request.

8. Sub-processors

The use of sub-processors (e.g. hosting or infrastructure providers) takes place only if they are contractually bound to comply with GDPR requirements. The controller will be informed of material changes.

9. Rights of data subjects

The processor supports the controller in fulfilling data subjects’ rights (e.g. access, erasure, rectification), insofar as this is technically feasible.

10. Termination of processing

Upon termination of the contract, personal data will be deleted or made available for return at the controller’s choice, unless statutory retention obligations apply.

11. Liability

The liability provisions of the main contract apply. Liability is governed by the applicable provisions of the GDPR.

12. Final provisions

The law of the Federal Republic of Germany shall apply. If individual provisions of this DPA are or become invalid, the validity of the remaining provisions shall remain unaffected.