Data Processing Agreement (Art. 28 GDPR)

§ 1 Subject Matter of the Agreement

1. This Agreement governs the processing of personal data by the Provider on behalf of the Customer in connection with the Customer’s use of the online platform PxlShare.com. The platform primarily provides photo gallery services.
2. The basis for processing is the usage relationship between the Parties established by registration at https://www.pxlshare.com and acceptance of the Provider’s applicable Terms and Conditions.
3. The Provider supplies technical systems and functionalities and processes personal data solely on the Customer’s documented instructions and for the specified purposes.

§ 2 Scope, Nature, and Purpose of Processing; Data Subjects

1. Types of processing may include in particular:
   • Hosting and storage of images and metadata,
   • Operation of databases containing customer, order, and invoicing data,
   • Processing of payment information (e.g., for invoicing),
   • Technical analysis, logging, support, and troubleshooting.
2. Purposes of processing: Operation, provision, administration, and use of online photo galleries and related services by the Controller for its end customers, as well as system and security administration necessary for operations.
3. Categories of data (depending on use and feature scope):
   • Image files depicting identifiable persons,
   • Master, contact, and delivery data (e.g., name, email, address),
   • Payment and invoicing data,
   • Usage and log data (e.g., IP addresses, user IDs, interactions),
   • Other content provided by the Controller.
4. Categories of data subjects may include in particular:
   • The Controller’s end customers (e.g., purchasers, gallery visitors),
   • The Controller’s employees where internal functions are used.

§ 3 Technical and Organisational Measures (TOMs)

1. The measures implemented at the time of conclusion of this Agreement pursuant to Art. 32 GDPR are listed in the Annex “Technical and Organisational Measures.” The Provider reviews these regularly, adjusts them where required, and will provide appropriate evidence upon request.
2. If the nature, scope, purpose, or categories of data subjects change, the Controller may request adjustments to appropriate TOMs.
3. The Provider may update the Annex at any time where new risks, legal developments, or recognised best practices require it. The agreed security level must not be reduced. The Controller will be informed of relevant changes.

§ 4 Rectification, Restriction, and Erasure

The Controller decides on requests from data subjects for rectification, restriction, and erasure. The Provider receives such requests, does not assess them substantively, and forwards them without undue delay to the Controller for a decision; implementation is carried out in accordance with the Controller’s instructions.

§ 5 Data Protection Duties of the Provider

1. Processing takes place exclusively within systems required for operating PxlShare.com. Access to photo albums and personal data occurs only where strictly necessary for incident resolution or fulfilling contractual obligations.
2. The Provider binds all personnel in writing to confidentiality and documents this.
3. The Provider is currently not required to appoint a Data Protection Officer due to company size and nature of processing. Should this change, the Controller will be informed without delay and contact details will be provided.

§ 6 Subprocessing

1. Engaging sub-processors requires the Controller’s prior general or specific authorisation. The Provider ensures that contracts compliant with Art. 28 GDPR are concluded with sub-processors.
2. At the time of contract conclusion, the following approved sub-processing relationships exist (data processing solely on behalf of the Provider):
   • Ionos SE (platform hosting),
   • AnyAPI (VAT ID validation, if used),
   • Mollie (payment processing),
   • LexOffice (invoicing).
3. Other services—particularly payment services (PayPal) and analytics/tracking tools (e.g., Google Analytics, Meta Pixel)—generally act as independent controllers or on their own legal basis. Details are provided in the privacy policy. The Provider maintains an up-to-date list.

§ 7 Audit and Inspection Rights of the Controller

1. The Controller may, with reasonable prior notice, conduct audits and inspections to the extent necessary, or have them conducted by independent auditors, with due regard to operational processes and other customers’ confidentiality.
2. The Provider will provide all information, evidence, and documentation necessary to verify compliance with Art. 28 GDPR upon request.
3. On-site inspections generally occur by prior appointment and at most once per year unless there is a specific reason. Shorter notice is possible where there is a substantiated suspicion of a data protection incident.

§ 8 Notifications of Data Protection Incidents

1. If the Provider becomes aware of a security incident or concrete indications thereof that could compromise the confidentiality, integrity, or availability of personal data, it will inform the Controller without undue delay. This applies in particular to unlawful disclosure, unauthorised access, or loss.
2. As special categories of personal data within the meaning of Art. 9 GDPR (biometric data) may also be affected, the Provider supports the Controller—within legal limits—in fulfilling notification and communication obligations (Arts. 33, 34 GDPR).
3. The Provider will immediately take appropriate countermeasures, document the incident, causes, immediate and follow-up actions, and propose any necessary TOM adjustments.

§ 9 Controller’s Instructions

1. The Provider processes data solely on the Controller’s documented instructions, insofar as these are lawful and covered by the service scope.
2. The Controller shall designate authorised instruction-givers in text form; changes must be communicated without delay.
3. The Provider will only disclose information to third parties with the Controller’s prior written consent, unless disclosure is required by law. In such a case, the Provider will inform the Controller in advance to the extent legally permissible.
4. The creation and transmission of copies, exports, and compilations are carried out exclusively on instruction. Backups are created by the Provider in accordance with the Annex and statutory requirements.
5. If the Provider makes copies to fulfil its own statutory retention duties, it will inform the Controller of the type, scope, and duration of retention. Taking screenshots during support cases is permitted only in exceptional cases or upon express instruction.

§ 10 Return and Deletion of Data

1. Upon termination of the contract and on the Controller’s instruction, the Provider will erase all personal data processed on behalf of the Controller in a GDPR-compliant manner or, if agreed, return them in a common and secure format. Access credentials will be transmitted separately. Erasure will be documented.
2. Where statutory retention obligations or legitimate interests (e.g., evidence preservation) prevent erasure, the data will be restricted instead. Erasure will follow after the retention period expires.
3. The Provider retains processing and compliance documentation within statutory periods. Access is provided upon request where there is a legitimate interest.

§ 11 Term

1. This Agreement becomes effective once the Controller actively confirms data processing during registration at https://www.pxlshare.com (e.g., via checkbox).
2. Its validity extends for the duration of the Parties’ usage relationship for the PxlShare.com platform.
3. Upon termination of the usage relationship, this Agreement also ends, subject to continuing retention or accountability obligations. § 10 applies.

§ 12 Extraordinary Termination

1. The Controller may terminate this Agreement for cause without notice. Good cause exists in particular in the event of serious or repeated breaches by the Provider of data protection obligations or of this Agreement.
2. Before termination, the Provider shall generally be granted a reasonable cure period, where feasible.
3. If the extraordinary termination is based on intentional or grossly negligent conduct by the Provider, the Controller may claim reimbursement of proven additional costs; statutory claims remain unaffected.
4. After termination, the Provider shall, upon request, hand over all personal data, relevant documentation, and access credentials, and delete remaining data pursuant to § 10 unless statutory duties prevent this.

§ 13 Liability and Responsibility

1. The Provider is liable to the Controller for damages arising from culpable breaches of the obligations set out in this Agreement and in applicable data protection law. The Provider is liable without limitation for intent and gross negligence; in cases of simple negligence, only for breaches of essential contractual duties (cardinal obligations) and limited to the typical, foreseeable damage.
2. As between the Parties, each Party is responsible for data protection violations it causes pursuant to Art. 82 GDPR. If one Party is claimed against by third parties, the other Party shall indemnify it to the extent it is responsible for the breach. The Parties will cooperate to clarify the matter.

§ 14 Final Provisions

1. Should any provision of this Agreement be or become invalid, the validity of the remaining provisions shall not be affected. The Parties undertake to agree on a valid provision that most closely reflects the economic intent and the requirements of Art. 28 GDPR.
2. In the event of any conflict between this Agreement and other arrangements between the Parties (in particular the main contract), the provisions of this Data Processing Agreement shall prevail.