gdpr-compliance-kit/NETCUP_DPA_ANNEX3_GUIDE.md

# Netcup DPA Annex 3 - Processing Specifications Guide
This guide helps you fill out Annex 3 of the Netcup Data Processing Agreement.
## Your Specific Situation
Based on your infrastructure:
- **Hosting Provider**: netcup GmbH (Germany)
- **CDN/Security**: Cloudflare
- **Newsletter**: Listmonk (self-hosted on Netcup)
- **Analytics**: Vercel Analytics
---
## Section 1: Subject (Nature & Purpose) of the Processing
**Recommended text to enter:**
```
Web hosting and delivery of websites and web applications. This includes:
- Serving static and dynamic web content to visitors
- Processing contact form submissions
- Managing newsletter subscriptions (via self-hosted Listmonk)
- Collecting anonymized website analytics
- Storing user-generated content where applicable
```
---
## Section 2: Duration of the Processing
This is automatically determined by your contract term with Netcup.
---
## Section 3: Location of the Processing
The location is determined by your Netcup server location. For your RS 8000 G12 Pro:
- **Primary Location**: Nuremberg, Germany (EU)
- **Additional Processing**: Via Cloudflare's global network (with EU data residency options)
---
## Section 4: Categories of Data Subjects
**Check the following boxes:**
- [x] **Customers** - if you have any e-commerce or client portals
- [x] **Interested parties** - potential customers visiting your sites
- [ ] **Suppliers** - only if you process supplier data
- [x] **Visitors to the website** - all website visitors
- [ ] **Employees of the Client** - only if you have employee data on the sites
- [ ] **External employees** - only if applicable
- [ ] **Data processors, other processors** - only if you subcontract
- [x] **Newsletter subscribers** - you use Listmonk
**Additional data subjects (if any):**
```
Event attendees (if you host events/conferences)
Community members (if you have user accounts)
```
---
## Section 5: Categories of Personal Data
**Check the following boxes:**
- [x] **Name data** - contact forms, newsletter signups
- [ ] **Date of birth** - only if you collect this
- [ ] **Bank and payment data** - only if you handle payments directly
- [ ] **Location and geographic information data** - only if you track location
- [ ] **Education data** - only if relevant to your sites
- [ ] **Traffic data** - only if you log detailed traffic
- [ ] **Data relevant to criminal law** - NO
- [x] **Contact and address data** - contact forms
- [ ] **Customer contract data** - only if you have customer portals
- [ ] **Login and authentication** - only if you have user accounts
- [ ] **Preference and behavior data** - only if you track preferences
- [ ] **Motion profile data** - NO
- [ ] **Photo, video, or audio data** - only if you store media
**Additional data types:**
```
Email addresses
IP addresses (anonymized for analytics)
Browser/device information (anonymized)
Cookie consent preferences
```
---
## Special Categories of Data (Art. 9 GDPR)
**IMPORTANT**: Select the first option unless you specifically process sensitive data.
- [x] **No special categories of personal data ("sensitive data") according to Art 9 GDPR are processed.**
If any of your sites deal with health, religion, political opinions, biometric data, etc., you would need to check the second option and specify which categories.
---
## Complete Form Example
Here's how your completed Annex 3 should look:
### 1. Subject Matter
```
Web hosting and content delivery for multiple websites and web applications including:
- Static and dynamic website hosting
- Newsletter subscription management (Listmonk)
- Contact form processing
- Anonymized web analytics collection
- Content management systems
```
### 4. Data Subjects (check these):
- [x] Interested parties
- [x] Visitors to the website
- [x] Newsletter subscribers
- [x] Customers (if applicable)
### 5. Personal Data Categories (check these):
- [x] Name data
- [x] Contact and address data
**Additional data:**
```
Email addresses
IP addresses (anonymized)
Browser user agent information
Cookie consent preferences
Website usage data (anonymized)
```
### Special Categories:
- [x] No special categories of personal data are processed
---
## After Submitting
1. **Save a copy** of the completed agreement for your records
2. **Date it** when you submit
3. **Review annually** to ensure it still accurately reflects your processing activities
---
## Tips
1. **Be conservative** - only check categories you actually process
2. **When in doubt, exclude** - you can always add categories later
3. **Keep it updated** - if you add new features that collect data, update the DPA
4. **Document everything** - maintain your own Records of Processing Activities (ROPA)