Data Processing Agreement (DPA) – TRACE.Parser

§1 Subject Matter and Duration of Processing

1. This Agreement governs the processing of personal data by the Processor on behalf of the Controller in the context of using the service TRACE.Parser (parser.trace-electricity.com; analysis of electricity production profiles as described in the Terms of Use (ToU-Parser)).
2. Processing shall take place for the duration of the existing contractual relationship. Upon termination, the provisions of §10 of this Agreement shall apply.
3. This Agreement supersedes all prior agreements between the parties regarding the processing of data on behalf of the Controller in connection with TRACE.Parser.
4. The description of processing activities is set out in Annex A to this Agreement, which forms an integral part thereof.
5. This DPA is available at trace-electricity.com/en/dpa-parser/.

This DPA applies exclusively to processing carried out in connection with TRACE.Parser. Separate agreements apply to TRACE.App and TRACE.Configurator/Studio.

§2 Nature and Purpose of Processing

The processing of personal data takes place exclusively for the purpose of providing the contractually agreed services, in particular:

• Analysis and evaluation of uploaded electricity production profiles (CSV/Excel files)
• Provision of visualisations, key metrics and reports based on the uploaded data
• Storage and management of files and results in the Controller's user account
• Technical operation of the platform, error logging and security monitoring
• User communication in the context of support operations

Processing for the Processor's own purposes does not take place. Anonymised usage statistics that cannot be attributed to individual persons (e.g. number of uploads, average file sizes) are exempt from this restriction.

AI training data: AI service providers (OpenAI, Anthropic, AWS AI services) are not permitted to use the Controller's personal data to train their foundation models. TRACE Electricity is prohibited from using the Controller's personal data to train its own AI models.

TRACE Electricity reserves the right to use fully anonymised aggregates from production profiles (not personal data within the meaning of Art. 4 No. 1 GDPR) to improve the analytical quality of TRACE.Parser. The anonymisation methods (k-anonymity, differential privacy) are documented in the Technical and Organizational Measures (TOM-Parser). The Controller will be informed of material changes to training data usage and may object to the use of their (including anonymised) data at any time by contacting privacy@trace-electricity.com.

Specification: Purpose: provision of the TRACE.Parser service (analysis of electricity consumption profiles, generation of evaluation reports). Categories of data subjects: managing directors, employees, and contact persons of the Controller. Categories of personal data: name, email address, company data, energy consumption data.

Note: The website analytics tools used on the TRACE.Parser landing page at trace-electricity.com (Google Analytics 4, Hotjar, LinkedIn Insight Tag) are not subject to this Data Processing Agreement; in this respect, TRACE Electricity GmbH acts as an independent Controller pursuant to Art. 4 No. 7 GDPR. Further details are governed by the Privacy Notice – TRACE.Parser.

§3 Types of Personal Data and Categories of Data Subjects

Categories of Data Subjects

• Users of TRACE.Parser (employees, agents or representatives of the Controller)
• Natural persons potentially included in production profiles (to the extent that the uploaded data contains personal references)

Categories of Personal Data

• Usage data: Email address, password hash, session data, IP address (anonymised prior to permanent storage; full IP addresses are not persisted)
• Uploaded files and their contents: Production profiles and the data contained therein (personal data to the extent filled in by the Controller accordingly)
• Analysis results: Reports and visualisations generated on the basis of the uploaded files
• Upload metadata: Timestamps, file name, file size, processing status
• Technical log data: Error reports, access times (system logs: max. 30 days, then automatically deleted; security audit logs: 12 months pursuant to Art. 6(1)(c) GDPR in conjunction with §§ 147 AO, 257 HGB)

The Controller is solely responsible for ensuring that it has an appropriate legal basis pursuant to Art. 6 GDPR for transmitting personal data contained in the uploaded production profiles to the Processor for processing.

Special categories of personal data pursuant to Art. 9 GDPR are not covered by the subject matter of this Agreement and must not be uploaded to the platform by the Controller.

The Controller shall ensure that an appropriate legal basis exists for the transfer of team user data to TRACE (e.g. § 26 BDSG for employees).

§4 Legal Status and Obligations of the Controller

1. The Controller is solely responsible for the lawfulness of the data transfer and the processing carried out by the Processor, in particular for ensuring that an appropriate legal basis pursuant to Art. 6 GDPR exists for the processing.
2. Instructions are generally issued in writing (including by email to privacy@trace-electricity.com). Verbal instructions shall be confirmed in writing without delay. The Controller is entitled to issue additional instructions at any time. Instructions should be issued in text form (email is sufficient). TRACE shall document instructions received and their execution.
3. The Controller shall notify the Processor without delay if it identifies errors or irregularities with data protection relevance when reviewing the results of the processing.
4. The Controller shall ensure that all persons involved in processing on its side are informed of the relevant data protection requirements.

§5 Obligations of the Processor

The Processor undertakes, in particular, the following obligations vis-à-vis the Controller:

The Technical and Organizational Measures (TOMs) pursuant to Art. 32 GDPR are described in the TOM documentation, available at: Technical and Organizational Measures TRACE.Parser (TOM). TRACE is entitled to adapt the TOMs provided the level of protection is not reduced.

1. To process personal data solely on documented instructions from the Controller, unless required to do so by Union or Member State law; in such a case, the Processor shall inform the Controller of those legal requirements before processing, unless that law prohibits such information on important grounds of public interest.
2. Suspension Right (right to suspend unlawful instructions): If the Controller issues an instruction that, in the assessment of TRACE Electricity, violates the GDPR or other applicable data protection laws, TRACE Electricity is entitled and obliged to suspend the execution of that instruction without delay and to inform the Controller thereof in writing. TRACE Electricity will only execute the instruction after the Controller has confirmed in writing that the instruction is lawful and that TRACE Electricity is indemnified from any resulting liability.
3. The Processor shall process personal data solely on behalf of and for the purposes of the Controller and not for its own business purposes, unless required by law to do so; in the latter case, it shall inform the Controller without delay to the extent legally permissible.
4. To ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
5. To take all measures required pursuant to Art. 32 GDPR to ensure the security of processing (§7).
6. To assist the Controller, taking into account the nature of the processing, in fulfilling its obligation to respond to requests by data subjects (§9).
7. To assist the Controller in ensuring compliance with the obligations set out in Art. 32 to 36 GDPR, in particular in connection with Data Protection Impact Assessments.
8. To return or delete all personal data to or for the Controller after the end of the provision of processing services, at the Controller's choice (§10).
9. To make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and to allow for and contribute to audits, including inspections (§11).

§6 Confidentiality of Processing

1. The Processor shall ensure that persons engaged in the processing of personal data are bound to confidentiality. Corresponding confidentiality obligations shall be agreed in writing and monitored.
2. The Processor shall ensure that only those persons who require access for the performance of their duties are granted access to the Controller's data (principle of least privilege / need-to-know).
3. This confidentiality obligation shall continue to apply after the termination of this Agreement.
4. The Controller hereby grants general authorisation for sub-processing by the sub-processors listed in §8. TRACE shall inform the Controller of planned changes at least 30 days in advance. The Controller may object to changes.

§7 Technical and Organizational Measures (Art. 32 GDPR)

Prior to commencing processing and on an ongoing basis, the Processor has implemented Technical and Organizational Measures (TOM) to ensure a level of security appropriate to the risk pursuant to Art. 32 GDPR.

The complete TOM documentation (Technical and Organizational Measures TRACE.Parser (TOM)) constitutes Annex B of this DPA. TRACE is entitled to adapt the TOMs provided the level of protection is not reduced. Material changes will be communicated to the Controller.

§8 Engagement of Sub-Processors

1. The Controller grants general authorisation for the engagement of the following sub-processors:

2. The Processor shall inform the Controller of any intended addition of new sub-processors or replacement of existing sub-processors in good time in advance (at least 30 days) by email to the registered contact address.
3. The Controller has the right to object to the change. If the Controller does not object within 30 days of receipt of the notification, the change shall be deemed approved. In the event of a justified objection, the Controller shall be granted a special right of termination. The Processor will in this case examine whether the relevant sub-processor can be replaced by an equivalent provider that meets the Controller's requirements. In the event of termination following a justified objection, the Processor shall ensure that any personal data of the Controller already processed by the new sub-processor is deleted or returned without delay upon the effective date of termination in accordance with the provisions of §10 (Deletion and Return).
4. The Processor shall contractually impose on its sub-processors the same data protection obligations as agreed in this Agreement, in particular with regard to ensuring adequate Technical and Organizational Measures.

Note: GA4, Hotjar and LinkedIn Insight Tag are used by TRACE as an independent Controller for marketing purposes and are not subject to this DPA.

§9 Assistance Obligations of the Processor

The Processor shall assist the Controller in fulfilling its data protection obligations, in particular:

1. Data subject rights (Art. 15–22 GDPR): The Processor shall assist the Controller in handling requests from data subjects regarding access, rectification, erasure, restriction, data portability and objection. Where these rights can be exercised directly through self-service functions in the user account, implementation is the responsibility of the Controller. For assistance beyond this, privacy@trace-electricity.com should be contacted.
2. Data Protection Impact Assessment (Art. 35 GDPR): Upon request of the Controller, the Processor shall assist in carrying out a Data Protection Impact Assessment (DPIA) and prior consultation pursuant to Art. 36 GDPR, in particular by providing technical documentation, risk assessments and information about the processing systems used.
3. Prior consultation (Art. 36 GDPR): Where required, the Processor shall assist the Controller in consulting with the competent supervisory authority.
4. Data security (Art. 32 GDPR): The Processor shall provide the Controller, upon request, with a current overview of the TOM implemented.

Assistance services that exceed the contractual scope of services shall be reasonably remunerated on the basis of actual effort.

§10 Deletion and Return of Data

1. Following final termination or ending of the user relationship, the Processor shall irreversibly delete all personal data of the Controller within 30 calendar days.
2. At the Controller's request, the Processor shall make the processed data available in a machine-readable format (CSV or JSON) prior to deletion (data portability pursuant to Art. 20 GDPR). The Processor shall make the data export available for download within 14 days of the request; the download link shall be valid for 30 days. After this period expires or after the Controller confirms that no export is required, the 30-calendar-day deletion period shall commence.
3. Deletion shall extend to all copies created in the course of commissioned processing, including backups. Statutory retention obligations of the Processor shall remain unaffected; in such cases, the data in question shall be restricted in its processing until the end of the retention period. Billing data shall be retained for up to 10 years pursuant to § 147 AO and § 257 HGB.
4. Upon request, the Processor shall confirm the complete deletion in writing by email.
5. The 30-calendar-day deletion period following contract termination begins at the end of the last billing period. Within the first 14 days, an export option is available. Maximum total duration: 44 days.

§11 Audit Rights of the Controller

1. The Controller has the right to verify compliance with data protection regulations and the obligations set out in this Agreement at the Processor and any sub-processors at any time.
2. Audits may be carried out by:
   • Requesting information and documentation (e.g. current TOM documentation, sub-processor list)
   • Interviewing the responsible data protection officer or designated employees
   • On-site inspections (with reasonable advance notice of at least 14 calendar days, and if necessary subject to a confidentiality agreement)
3. Audits are limited to once per year; TRACE certifications (ISO 27001, SOC 2) are accepted as equivalent.
4. Instead of an on-site inspection, the Processor may provide the Controller with current certifications, audit reports (e.g. ISO 27001, SOC 2), where available, or equivalent evidence (e.g. a self-declaration on the status of the TOMs pursuant to §7 of this Agreement), provided these cover the subject matter of the audit.
5. The costs of on-site inspections shall be borne by the Controller, unless the Processor is responsible for material contractual or data protection breaches.

§12 Notification Obligations

1. The Processor shall inform the Controller without undue delay, and at the latest within 24 hours of becoming aware, of any personal data breach within the meaning of Art. 4 No. 12 GDPR that occurs within its area of responsibility. The notification must contain all information required pursuant to Art. 33(3) GDPR to the extent known to the Processor at the time of notification; missing information shall be provided without undue delay. Information not available at the time of the initial notification shall be provided without undue delay, and at the latest within 72 hours of the initial notification (Art. 33(2) GDPR). The obligation to notify the competent data protection supervisory authority pursuant to Art. 33(1) GDPR lies exclusively with the Controller.
2. The initial notification must contain at least:
   • A description of the nature of the breach (to the extent known)
   • The approximate number of affected data subjects and records
   • The likely consequences of the breach
   • Measures already taken or proposed to address the breach and minimise risk
3. Enquiries from supervisory authorities relating to processing carried out on behalf of the Controller shall be forwarded by the Processor to the Controller without delay, without the Processor responding to the substance of the matter itself, unless required to do so by applicable law.
4. If the Processor receives requests from data subjects concerning data processed under this Agreement, it shall forward these to the Controller without delay.
5. Material changes to this Agreement, in particular changes to the sub-processor list, shall be communicated to the Controller pursuant to §8(2).

§13 Final Provisions

1. This Agreement is governed by the laws of the Federal Republic of Germany, excluding the UN Convention on Contracts for the International Sale of Goods. The exclusive place of jurisdiction for all disputes arising from or in connection with this Agreement is Hamburg, Germany, unless mandatory legal provisions provide otherwise.
2. Third-country transfers (Art. 46 GDPR): For transfers to third countries, the EU Standard Contractual Clauses (Decision 2021/914) apply. For transfers from the Controller to the Processor, Module 2 (Controller → Processor) applies; for transfers between processors, Module 3 (Processor → Sub-Processor) applies. The legal basis for transmission to sub-processors in third countries is the EU Standard Contractual Clauses pursuant to Decision (EU) 2021/914, Module 3 (Processor as data exporter, sub-processor as data importer).
3. Should individual provisions of this Agreement be or become wholly or partially invalid, this shall not affect the validity of the remaining provisions. The parties undertake to replace the invalid provision with a valid one that comes as close as possible to the commercial purpose of the invalid provision.
4. Amendments and supplements to this Agreement and its annexes require text form (email is sufficient). This also applies to the waiver of this formal requirement.
5. To the extent that provisions of this Agreement are incompatible with the requirements of the GDPR, the requirements of the GDPR shall take precedence.
6. TRACE Electricity GmbH designates the following contact for data protection queries: privacy@trace-electricity.com. Further information can be found in the Privacy Notice – TRACE.Parser and the general Privacy Policy.
7. The Processor maintains, pursuant to Art. 30(2) GDPR, a record of all categories of processing activities carried out on behalf of controllers. The record shall be made available upon request by the Controller or a competent supervisory authority.

DPF Fallback: To the extent that data transfers to the USA are based on the EU-US Data Privacy Framework (DPF, adequacy decision of the European Commission of 10 July 2023) and this decision is declared invalid or suspended, the fallback to the EU Standard Contractual Clauses pursuant to Decision (EU) 2021/914 shall automatically be deemed agreed. The Processor undertakes in such a case to conclude the necessary SCC agreements without delay.

§14 Liability

Each party shall be liable for data protection violations for which it is responsible. To the extent that a data subject claims damages pursuant to Art. 82 GDPR from a party that did not cause or did not solely cause the damage, the other party shall be obliged to indemnify the paying party in the internal relationship proportionally according to the respective degree of fault. The Processor shall be liable in particular where it has acted contrary to the Controller's instructions or contrary to its obligations under Art. 28 GDPR. The Controller shall be liable in particular where the damage results from the unlawfulness of its instructions. The assertion of further statutory claims shall remain unaffected.

§15 Cessation of Operations and Insolvency

(1) In the event of insolvency, liquidation or permanent cessation of operations of the Processor, all personal data of the Controller stored by the Processor shall be returned to the Controller without delay, and at the latest within 30 calendar days, in a machine-readable format (JSON or CSV) or irrevocably deleted in accordance with documented instructions from the Controller.

(2) The Processor shall inform the Controller without delay of an imminent cessation of operations.

(3) This provision applies in addition to the Standard Contractual Clauses (Clause 8.5 of the SCC 2021/914).

Annex A — Description of Processing Activity

This Annex describes, pursuant to Art. 28(3) GDPR, the subject matter of the commissioned processing in the context of TRACE.Parser.