gdpr-compliance-kit/NETCUP_DPA_ANNEX3_GUIDE.md

Netcup DPA Annex 3 - Processing Specifications Guide

This guide helps you fill out Annex 3 of the Netcup Data Processing Agreement.

Your Specific Situation

Based on your infrastructure:

  • Hosting Provider: netcup GmbH (Germany)
  • CDN/Security: Cloudflare
  • Newsletter: Listmonk (self-hosted on Netcup)
  • Analytics: Vercel Analytics

Section 1: Subject (Nature & Purpose) of the Processing

Recommended text to enter:

Web hosting and delivery of websites and web applications. This includes:
- Serving static and dynamic web content to visitors
- Processing contact form submissions
- Managing newsletter subscriptions (via self-hosted Listmonk)
- Collecting anonymized website analytics
- Storing user-generated content where applicable

Section 2: Duration of the Processing

This is automatically determined by your contract term with Netcup.


Section 3: Location of the Processing

The location is determined by your Netcup server location. For your RS 8000 G12 Pro:

  • Primary Location: Nuremberg, Germany (EU)
  • Additional Processing: Via Cloudflare's global network (with EU data residency options)

Section 4: Categories of Data Subjects

Check the following boxes:

  • Customers - if you have any e-commerce or client portals
  • Interested parties - potential customers visiting your sites
  • Suppliers - only if you process supplier data
  • Visitors to the website - all website visitors
  • Employees of the Client - only if you have employee data on the sites
  • External employees - only if applicable
  • Data processors, other processors - only if you subcontract
  • Newsletter subscribers - you use Listmonk

Additional data subjects (if any):

Event attendees (if you host events/conferences)
Community members (if you have user accounts)

Section 5: Categories of Personal Data

Check the following boxes:

  • Name data - contact forms, newsletter signups
  • Date of birth - only if you collect this
  • Bank and payment data - only if you handle payments directly
  • Location and geographic information data - only if you track location
  • Education data - only if relevant to your sites
  • Traffic data - only if you log detailed traffic
  • Data relevant to criminal law - NO
  • Contact and address data - contact forms
  • Customer contract data - only if you have customer portals
  • Login and authentication - only if you have user accounts
  • Preference and behavior data - only if you track preferences
  • Motion profile data - NO
  • Photo, video, or audio data - only if you store media

Additional data types:

Email addresses
IP addresses (anonymized for analytics)
Browser/device information (anonymized)
Cookie consent preferences

Special Categories of Data (Art. 9 GDPR)

IMPORTANT: Select the first option unless you specifically process sensitive data.

  • No special categories of personal data ("sensitive data") according to Art 9 GDPR are processed.

If any of your sites deal with health, religion, political opinions, biometric data, etc., you would need to check the second option and specify which categories.


Complete Form Example

Here's how your completed Annex 3 should look:

1. Subject Matter

Web hosting and content delivery for multiple websites and web applications including:
- Static and dynamic website hosting
- Newsletter subscription management (Listmonk)
- Contact form processing
- Anonymized web analytics collection
- Content management systems

4. Data Subjects (check these):

  • Interested parties
  • Visitors to the website
  • Newsletter subscribers
  • Customers (if applicable)

5. Personal Data Categories (check these):

  • Name data
  • Contact and address data

Additional data:

Email addresses
IP addresses (anonymized)
Browser user agent information
Cookie consent preferences
Website usage data (anonymized)

Special Categories:

  • No special categories of personal data are processed

After Submitting

  1. Save a copy of the completed agreement for your records
  2. Date it when you submit
  3. Review annually to ensure it still accurately reflects your processing activities

Tips

  1. Be conservative - only check categories you actually process
  2. When in doubt, exclude - you can always add categories later
  3. Keep it updated - if you add new features that collect data, update the DPA
  4. Document everything - maintain your own Records of Processing Activities (ROPA)