Data Processing Agreement pursuant to Art 28 GDPR
Template based on the Austrian Chamber of Commerce (WKO) model agreement (June 2025), pre-filled for Bracharz Consulting as processor. This version is provided for information and as a contractual basis — the project-specific, signed version is available on request: rainer@bracharz.com. Version: July 2026. In case of dispute, the German version at bracharz.com/avv/ prevails.
Parties
Controller (client): [company, address — completed per project]
Processor (contractor): Bracharz Consulting, owner: Mag. Rainer Bracharz MSc, Rametzbergsiedlung III/5, 3150 Wilhelmsburg, Austria, VAT ID ATU68683622.
1. Subject Matter
1.1 The subject matter is the processing of personal data in the course of the commissioned consulting, marketing or data protection services; the nature and purpose of the processing follow from the respective main contract (offer/engagement), which this agreement supplements.
1.2 Categories of data processed (depending on the engagement): contact data, contract data, billing data, communication data, customer and prospect data of the controller.
1.3 Categories of data subjects: customers, prospects, suppliers, contact persons and employees of the controller.
2. Duration
This agreement applies for the duration of the main contract and ends upon its termination. The right to extraordinary termination for good cause remains unaffected.
3. Obligations of the Processor
3.1 The processor processes data and processing results exclusively within the scope of the controller's documented instructions. If an authority orders the processor to hand over the controller's data, the processor will — where legally permissible — inform the controller without delay and refer the authority to the controller. Processing for the processor's own purposes requires a written instruction.
3.2 The processor legally warrants that all persons entrusted with the data processing have been bound to confidentiality prior to commencing their activities or are subject to an appropriate statutory duty of confidentiality; this duty survives the end of their activities.
3.3 The processor has taken all measures required to ensure the security of processing pursuant to Art 32 GDPR (Annex 1).
3.4 The processor supports the controller with technical and organisational measures so that the controller can fulfil data subjects' rights under Chapter III GDPR (information, access, rectification, erasure, data portability, objection) within the statutory deadlines, and forwards requests addressed to it in error without delay.
3.5 The processor supports the controller in complying with the obligations of Art 32 to 36 GDPR (data security, notification of personal data breaches, communication to data subjects, data protection impact assessments, prior consultation).
3.6 The processor maintains a record of processing activities pursuant to Art 30 GDPR for this processing.
3.7 The controller has the right to inspect and audit the processing of the data provided — including through commissioned third parties; the processor provides the information necessary for such controls.
3.8 Upon termination, the processor hands over all processing results and documents containing data to the controller or destroys them on the controller's instruction; data in special technical formats are returned in a common format on request.
3.9 The processor informs the controller without delay if it considers an instruction to violate Union or Member State data protection law.
4. Place of Processing
Processing activities are generally carried out in Austria. Where IT service providers process data in third countries, this only occurs subject to an adequacy decision (Art 45 GDPR) or appropriate safeguards (Art 46 GDPR, in particular EU Standard Contractual Clauses).
5. Sub-Processors
5.1 The processor may engage sub-processors for hosting, email/communication, cloud storage and accounting. Current categories: web hosting (easyname GmbH, Vienna), email and collaboration services, cloud storage, appointment scheduling.
5.2 Intended changes will be notified to the controller in good time so that the controller may object. The processor concludes the agreements required under Art 28(4) GDPR and ensures the sub-processor assumes the same obligations. If the sub-processor fails to meet its data protection obligations, the processor is liable to the controller for the sub-processor's compliance.
Annex 1 — Technical and Organisational Measures (Summary)
- Confidentiality: access control via passwords with policy and two-factor authentication; full-disk encryption; automatic locking; need-to-know permissions; privacy-compliant disposal of data media; clear-desk/clear-screen.
- Integrity: encrypted transmission (TLS), encrypted file transfer for sensitive content, logging of material changes via document management.
- Availability: multi-level backup strategy (online/offline), antivirus and firewall, defined reporting paths and contingency plans, rapid recoverability.
- Review: data protection management with regular training (certified data protection manager), incident response process, privacy-friendly defaults, engagement control through clear contract design.
The detailed version of Annex 1 (checklist format per the WKO model) and the signed agreement are provided during onboarding.