Data Processing Agreement DeepL

according to Art. 28 of the EU GDPR and UK GDPR

DeepL SE, Maarweg 165, 50825 Cologne, Germany (hereinafter referred to as “Processor”) and
CHAMELAION GmbH, Berger Str. 342, 60385 Frankfurt am Main (hereinafter referred to as “Controller”)
(jointly hereinafter referred to as the “Parties”) hereby conclude an agreement in accordance with the following provisions.
Date: 10.02.2025

General provisions

§ 1  Subject matter and definitions of the agreement

Controller has concluded a contract with the Processor in order to subscribe to DeepL’s Services ("Main Contract"). Processor grants the Controller access to the services specified in the Main Contract, e.g., its AI-based translation service DeepL Translator Pro (hereinafter referred to as "DeepL Services").
In the context of the use of the DeepL Services, the Controller may transfer Personal Data (as defined in the GDPR) to the Processor for processing (e.g., translation) by the DeepL Services in connection with the Main Contract (the "Personal Data"). This data processing agreement ("Agreement") regulates the rights and obligations of the Parties with regard to such processing of the Personal Data. The Controller and Processor each acknowledge and agree that the Controller is a 'controller', and the Processor a 'processor', of the Personal Data, as each term is defined under the GDPR.
For the purpose of this Agreement, "GDPR" means, as applicable to the Personal Data: (i) the General Data Protection Regulation (EU) 2016/679 (the "EU GDPR") or, (ii) the EU GDPR as it forms part of the domestic law of the United Kingdom by virtue of the European Union (Withdrawal) Act 2018 and the Data Protection Act 2018 (the "UK GDPR").
Where other terms defined in the GDPR are used in this Agreement, they shall have the same meaning as set out in the GDPR.

§ 2  Scope, nature and location of data processing

1. Scope, duration and purpose of data processing
The Personal Data shall be processed for the duration of the Main Contract for the purpose and to the scope agreed therein, i.e., the provision of the service within the scope of the DeepL Services.
2. Types of Personal Data processed
All types of Personal Data provided by the Controller to the Processor in connection with the use of the DeepL Services under the Main Contract shall be processed. The Controller acknowledges that the Processor has no influence on the type of Personal Data transmitted, and therefore Personal Data of various types may be processed, and this will be determined by the Controller. In addition to general Personal Data, this may also include special categories of Personal Data if inputted by the Controller.
3. Group of data subjects
The Controller acknowledges that the group of data subjects is determined by the Content submitted by the Controller to the DeepL Services. This may include, for example, Personal Data of Controller’s customers, business partners, employees or applicants.
4. Location of data processing
At present, the contractually agreed DeepL Services are provided in one of the member states of the European Union (EU) or in a member state of the Agreement on the European Economic Area (EEA), unless agreed otherwise (and the Controller acknowledges this). A complete or partial relocation of the service to a third country as well as the use of a Sub-Processor in a third country will only take place if: (i) the specific requirements of Articles 44 to 49 of the GDPR are met (e.g. to a country that is subject to an adequacy decision of the European Commission or under the UK GDPR, as applicable, or appropriate safeguards are in place such as approved standard contractual clauses or approved binding corporate rules); and (ii) a corresponding instruction of the Controller, which can also be given in the account settings, is provided. In the event that the Controller and Processor need to put further measures in place between them to address the international transfer restrictions under the GDPR, the Parties shall in good faith discuss and agree any amendments to this Agreement.

§ 3  Interpretation and amendments
In the event of any contradictions or conflict between this Agreement and the Main Contract, the provisions of this Agreement shall take precedence over the provisions of the Main Contract.
Should individual parts of this Agreement be ineffective, this shall not affect the effectiveness of the rest of the Agreement.
Any amendment to this Agreement, including its termination and this clause, must be made in writing between authorised representatives of the Parties (and the Parties agree and acknowledge that electronic form is sufficient).

Data processing in accordance with Art. 28 GDPR

§ 4  Processing in accordance with instructions
The Processor shall process Personal Data only on the documented instructions of the Controller, unless required to do so under applicable law to which the Processor is subject, and in such a case, the Processor shall inform the Controller of these legal requirements before processing unless the law in question prohibits such information on important grounds of public interest.
By entering into this Agreement, the Controller instructs the Processor to process the Personal Data to the extent necessary to fulfil the obligations under the Main Contract. The Processor shall inform the Controller without undue delay if it considers that instructions given by the Controller violate the GDPR or other applicable data protection provisions.

§ 5  Obligation of confidentiality / secrecy
The Processor shall ensure that only persons who have been obliged to maintain confidentiality or are under an appropriate statutory obligation of confidentiality shall be authorised to process the Personal Data.

§ 6  Security of processing / technical and organizational measures in accordance with Art. 32 GDPR
The Processor shall implement appropriate technical and organisational measures in accordance with Article 32 GDPR to ensure a level of security of the Personal Data appropriate to the risk. These are specified in Annex 2.
The Controller acknowledges that any technical and organisational measures are subject to technical progress and further development, and that for the duration of this Agreement such measures shall be under the continuous review of the Processor against the requirements of this Agreement and the Processor may amend such measures. Notwithstanding the foregoing, the level of security for the technical and organisational measures must not fall below the level specified in Annex 2. The Processor shall document, in writing or in electronic form, any changes to the technical and organisational measures that are significantly different to Annex 2, as a supplement to Annex 2, and shall inform the Controller thereof.

§ 7  Engagement of Sub-Processors
The Processor currently engages the third-party Sub-Processors mentioned in Annex 1. The Controller hereby explicitly gives its consent to the engagement of the Sub-Processors listed in the Annex and any Affiliates (as defined in the Main Contract) of the Processor engaged as Sub-Processors from time to time.
The Controller also hereby authorises the Processor to engage any other Sub-Processors, provided that the Processor has informed the Controller of the intended change and provided the Controller with the opportunity to object on reasonable grounds to such appointment or changes. The Controller shall raise any objections within two (2) weeks of being notified of any change.
If the Processor engages a Sub-Processor to carry out specific processing activities, the Processor shall ensure that the Sub-Processor is subject to substantially the same data protection obligations as those set out in this Agreement by way of a written contract, and shall in particular provide sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the GDPR. Should any Sub-Processor fail to fulfil its data protection obligations, the Processor shall remain fully liable to the Controller for the performance of the Sub-Processor's obligations.

§ 8  Duty to cooperate / support
Taking into account the nature of the processing, the Processor shall support the Controller by appropriate technical and organisational measures in order to assist the Controller in fulfilling its obligation to respond to data subject requests to exercise their rights as set out in Chapter III of the GDPR in relation to the Personal Data.

§ 9  Support for the fulfilment of the duties of the Controller; personal data breaches
The Processor shall provide reasonable assistance to the Controller in complying with the obligations specified in Articles 32 to 36 GDPR with respect to the Personal Data, with due regard to the nature of the processing and the information available to it (ensuring security of processing, notification of a Personal Data breach to the supervisory authority, communication of a personal data breach to the data subject, data protection impact assessment, and prior consultation).
If the Processor becomes aware of a personal data breach (as defined in the GDPR) affecting the Personal Data that the Controller has transmitted to the DeepL Services for processing (e.g., for translation) under the Main Contract, the Processor shall notify the Controller without undue delay. The Processor shall provide the Controller with sufficient information (to the extent available to it) to help enable the Controller to comply with any notification or information obligations to a relevant supervisory authority and/or data subjects under the GDPR.

§ 10  Deletion and return of Personal Data
The Processor shall process the Personal Data transmitted by the Controller only for as long as necessary for the performance of the services provided under the Main Contract and shall subsequently delete them in accordance with the GDPR when no longer required to perform the services.

§ 11  Proof of obligations and support for inspections
At the request of the Controller, the Processor shall provide the Controller with all information reasonably required and available to the Processor to demonstrate compliance with its obligations under this Agreement.
Subject to the remainder of this clause, the Controller is entitled to audit the Processor with regard to compliance with the provisions of this Agreement, in particular the implementation of the technical and organisational measures, including by means of on-site inspections, provided that the Controller may only carry out one such audit per calendar year. Any further audits shall be carried out at the cost of the Controller upon prior agreement with the Processor.
For audits in the form of on-site inspections, the Controller shall only be entitled to enter the Processor’s business premises in which the Personal Data are processed during normal business hours (Mondays to Fridays from 10 a.m. to 6 p.m.) without disrupting the course of operations and under strict confidentiality of Processor’s business and trade secrets. The Controller shall provide reasonable prior notice to the Processor (as a minimum, at least two (2) weeks prior notice) about any such on-site inspection and all circumstances related to the performance of the on-site inspection. With respect to any audit, the Processor is entitled, at its own discretion, to refuse to disclose information that is sensitive or confidential to the Processor’s business or information, the disclosure of which by the Processor would breach any legal or other contractual provision. The Controller is also not entitled to have access to data or information about other customers of the Processor, cost information, quality audit and contract management reports or any other confidential data of the Processor that is not directly relevant to the agreed verification purposes. Only qualified persons who can prove their identity and who are obliged to maintain confidentiality with regard to the Processor's business and trade secrets and processes are permitted to carry out audits (and where required by the Processor, the Controller shall, or procure that their qualified persons shall, enter into confidentiality agreements prior to any such audit).
Notwithstanding the foregoing, at the choice of the Processor, evidence of compliance with the obligations under this Agreement may also, instead of by means of an audit (including on-site inspection), be provided by submission of an appropriate, up-to-date audit certificate or report by an independent body (e.g. auditor, reviewer, data protection officer, IT security department, data protection auditors or quality auditors), or by appropriate IT security or data protection certification (“audit report”), if the audit report adequately enables the Controller to verify compliance with the contractual obligations.

Annex 1: List of engaged third-party Sub-Processors
DeepL Pro Services

  • DeepL Translator Pro
  • DeepL Write Pro
  • DeepL API Pro
    Name of Sub-Processor: None, unless agreed otherwise with Customer.

  • DeepL Voice for Conversations
  • DeepL Voice for Meetings
    Name of Sub-Processor: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, D18 P521 Dublin 18, Ireland
    Service provided by Sub-Processor: Cloud Service
    Types of personal data processed: All Content (e.g., audio data, transcriptions) that is processed while using DeepL Voice for Meetings.
    Location of processing: Sweden

  • DeepL Voice for Meetings
    Name of Sub-Processor: Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L1855 Luxembourg
    Service provided by Sub-Processor: Cloud Service
    Types of personal data processed: All Content (e.g., audio data, transcriptions) that is processed while using DeepL Voice for Meetings.
    Location of processing: Ireland

Annex 2: Technical and organisational measures in accordance with Art. 32 GDPR

Technical and organisational measures to be taken in accordance with Art. 32 GDPR

Taking into account the
- state of technological knowledge,
- implementation costs,
- the nature, scope, context,
- purposes of the processing, and
- the risk of varying likelihood and severity for the rights and freedoms of natural persons
the Processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
In assessing the appropriate level of security, particular account shall be taken of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data transmitted, stored or otherwise processed.
Unless expressly stated otherwise in this Agreement (e.g., in Annex 1 with regard to the engagement of Sub-Processors), the data transmitted to the DeepL Services for processing (e.g., for translation) shall be processed exclusively in countries within the European Economic Area (EEA). The data are encrypted on the transmission paths to the data centre using cryptographic procedures according to the current state of the art. On the systems of DeepL SE the data is only stored for the duration of the processing. During this storage and also during transmission to the user the data is encrypted. As soon as the data processed by the DeepL Services has been transferred to the user, the data on the system is irrevocably deleted.
Located in a state-of-the-art, ISO/IEC 27001 certified data centre (co-location model), the DeepL servers are administered exclusively by employees of DeepL SE, which offers the highest standard of access control and reliability. For DeepL Voice services, Microsoft Azure and AWS cloud infrastructure are used for technical reasons.

The Processor shall take the following measures:

1. Pseudonymisation
Pseudonymisation ensures that Personal Data can only be assigned to a specific person if additional information is called in.
The Processor does not receive any structured data within the framework of contract fulfilment. For the purpose of processing the DeepL Services, the Processor receives texts that must be clear and not pseudonymised. Pseudonymisation is therefore not a suitable measure for the Processor when fulfilling the contract.

2. Encryption measures
Encryption protects the data from unauthorized access by third parties. In the process, data is protected by encryption during transport to the user and storage. Specifically, the following measures are in place:
- The transmission of data between the user of the DeepL-Pro service and the computers of DeepL SE on the public Internet is only carried out in encrypted form (secure data transmission via TLS). The permitted encryption procedures are selected according to current technological standards.
- If data is stored on hard disk, it is always encrypted according to the current technological standards.

3. Measures to ensure confidentiality
In addition to encryption, other measures are taken to ensure the confidentiality of Personal Data. A regular distinction is made between measures for physical access, system access and data access control:
a.  Physical access control
Physical access control measures ensure that unauthorised persons cannot gain physical access to buildings or individual rooms in which Personal Data is processed. In particular, the following measures are in place:
- physical access-controlled and fenced area
- centrally authorized access for physical access control
- burglar alarm system
- building-in-building construction
- multiple security zones
- very limited physical access to server halls
- video surveillance system (internal and external)
- security patrols
- direct alarms to the security officer on duty
b.  System access control
The system access control measures ensure that unauthorised use of the systems processing Personal Data is not possible. In particular, the following measures are in place:
- personal and individual user log-in when logging into the system or company network
- authorization process for system access authorizations
- limitation of authorized users
- password procedures (high complexity due to corresponding keys)
- tokens
- two-factor authentication
- logging of system access
- automatic blocking of clients after a certain period of time without user activity
- firewall
- Host IDS/IPS
c.  Data access control
The data access control measures ensure that only authorized persons can process the respective Personal Data within the system. Specifically, employees are only given data access to the Personal Data that they require to carry out their tasks in the Processor's company. In particular, the following measures are in place:
- administration and documentation of differentiated authorizations
- annual re-certifications of the authorisations
- logging of data access
- approval routines
- profiles/roles
- data access groups and scheduled data access

4. Measures to ensure integrity
To protect Personal Data against unlawful or unwanted alteration or deletion, technical and organizational measures are taken to ensure integrity. In particular, the following measures are in place:
- data access rights
- ensuring integrity by encrypting stored data
- system-side logs
- functional responsibilities, organizationally defined responsibilities
- logging of data transmission or data transport

5. Measures to ensure and restore availability
Personal Data is protected from accidental or deliberate destruction, or loss, by measures to ensure and restore availability. The measures are chosen in such a way that potentially damaging events that could result in the loss of data (e.g. viruses, overheating) are averted preventively, and also, in the event of an incident, so as to restore the data as comprehensively as possible. These measures relate to the short period of time in which the data is stored on the servers of DeepL SE. In particular, the following measures are in place:
- security concept for software and IT applications
- redundant structure
- need-based import of security updates
- installation of an uninterruptible power supply (UPS)
- air-conditioned computer centre
- protection against malware
- firewall
- contingency plan

6. Measures to ensure resilience
In order to prevent unauthorised access, or the loss or alteration of Personal Data, data processing systems must be resilient. Specifically, the following measures are in place:
- emergency plan for machine failure
- redundant power supply
- sufficient capacity of IT systems and equipment
- logistically controlled process to prevent performance peaks
- redundant systems/plants

7. Measures to ensure effectiveness control
The effectiveness control measures are used to regularly review the implemented security measures. If measures are no longer up-to-date or, for other reasons, are no longer sufficient, they will be rectified or replaced. In particular, the following measures are in place:
- procedures for regular inspections/audits
- emergency tests (e.g. for system failure)

8. Instruction control / contract control
In principle, the measures of instruction and contract control serve to ensure that the Processor adheres to the instructions of the Controller when rendering the services, as well as to regularly check the activities of the Sub-Contractors involved and to ensure that they only process the Personal Data in accordance with the instructions given. At present, the Processor engages the Sub-Processors (if any) mentioned in Annex 1. The Processor has obligated its own employees to confidentiality.

9. Other
Processor as well as the data centre used by DeepL SE have a certified information security management system in accordance with ISO/IEC 27001.