pursuant to Art. 28 GDPR
As of: 2026-04-24
This is an English translation of the German "Auftragsverarbeitungsvertrag (AVV)" provided for informational purposes. The German version is legally binding; in case of discrepancies between the language versions, the German version prevails (see §11 (5) below).
This Data Processing Agreement (hereinafter the "Agreement") is concluded between:
the Exhibitor — i.e. the company registered under its Exhibitor account on the FAER platform, identified by the master data (company name, registered address, contact email) provided at registration as they are held in the Exhibitor account at the time of acceptance of this Agreement (hereinafter the "Controller")
and
Melvin Ciurletti, operating as a sole proprietor under the name FAER
Stäudach 154
72074 Tübingen
Germany
Email: hello@faer.app
(hereinafter the "Processor")
(each individually a "Party" and collectively the "Parties").
The master data of the Controller held in its Exhibitor account at the time of acceptance is binding for this Agreement and is shown in the Controller's dashboard as well as in booking and invoice documents.
The Controller has concluded an agreement with the Processor regarding the use of the FAER platform (hereinafter the "Main Agreement"). In the course of providing the services, the Processor processes personal data of trade-fair visitors on behalf of the Controller. This Agreement specifies the data protection obligations of the Parties pursuant to Art. 28 GDPR.
(1) The subject matter of this Agreement is the processing of personal data by the Processor on behalf of and on documented instructions of the Controller.
(2) The details of the processing — in particular the nature, purpose, duration and subject matter of the processing, the types of personal data and the categories of data subjects — are set out in Annex I to this Agreement.
(3) This Agreement applies exclusively to the processing of lead data described in Annex I within the meaning of the Processor's Privacy Policy (§§ 14 and 15 of the Privacy Policy, available at https://www.faer.app/en/privacy).
(4) The processing of data that serves exclusively the performance of the contract between the Controller and the Processor — in particular account, billing and log data of the Controller itself — is carried out under the sole responsibility of the Processor and is not subject matter of this Agreement.
(1) In the event of conflicts between this Agreement and the provisions of the Main Agreement, this Agreement prevails insofar as data protection matters are concerned.
(2) In the event of conflicts between this Agreement and the provisions of the GDPR or other applicable data protection laws, the data protection provisions prevail.
(3) Terms used in this Agreement shall be interpreted in accordance with the GDPR. To the extent the GDPR does not contain definitions, the definitions of § 46 BDSG (German Federal Data Protection Act) apply.
(1) The Processor processes personal data exclusively on documented instructions of the Controller, including with regard to the transfer of personal data to a third country or international organisation (Art. 28 (3) lit. a GDPR).
(2) In particular, the following constitute documented instructions:
(3) The Processor informs the Controller without undue delay if it considers that an instruction infringes the GDPR or other applicable data protection laws.
(4) The Processor processes the personal data exclusively for the purposes set out in Annex I. The Processor does not process the data for its own purposes — in particular not for its own marketing, not for cross-Exhibitor profiling and not for training models on personal data.
(5) The Processor implements the technical and organisational measures required under Art. 32 GDPR to ensure the security of processing. The specific measures implemented are described in Annex II.
(6) The Processor reviews the technical and organisational measures regularly and adapts them to the state of the art and to the risks for the rights and freedoms of data subjects. Material changes are documented; the respective current version of Annex II will be made available to the Controller on request.
(7) The Processor commits the persons authorised to carry out the processing to confidentiality, insofar as they are not already subject to an appropriate statutory duty of secrecy (Art. 28 (3) lit. b GDPR). At the time of conclusion of this Agreement, the Processor is a sole-proprietor business without further employees; any additional employees or engaged third parties will be committed to confidentiality in writing prior to commencing their activity.
(8) The Processor maintains records of processing activities pursuant to Art. 30 (2) GDPR and makes available to the Controller on request all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.
(9) The Processor enables reviews — including inspections — conducted by the Controller or by an auditor mandated by the Controller and committed to confidentiality, and contributes to such reviews. Reviews must be announced at least 30 days in advance, must not unreasonably disrupt ongoing business operations, and are limited to one review per calendar year. In the event of specific indications of a data protection breach, an extraordinary review outside this framework is permissible.
(1) The Controller hereby grants the Processor general written authorisation to engage further processors (sub-processors) pursuant to Art. 28 (2) sentence 2 GDPR. The current list of engaged sub-processors is maintained on an ongoing basis by the Processor and is publicly accessible at https://www.faer.app/en/subprocessors (hereinafter the "Sub-processor List"). The Sub-processor List is an integral part of this Agreement.
(2) The Processor notifies the Controller in text form at least 30 days before engaging a new sub-processor or replacing an existing one. Notification is given either by email to the contact address on file in the Exhibitor account or by updating the Sub-processor List; in the event of an update to the list, the Controller will additionally be notified by email.
(3) The Controller may object to the change within 30 days of receipt of the notification on objectively justified data protection grounds. If the Controller objects, the Processor may, at its option, either continue the services without involving the sub-processor in question or extraordinarily terminate the Main Agreement with a notice period of 30 days to the end of the month. In the event of termination by the Processor, fees already paid for service periods not yet used will be refunded pro rata.
(4) The Processor obliges sub-processors by written contract to data protection obligations that substantively correspond to those of this Agreement, in particular to sufficient guarantees with regard to appropriate technical and organisational measures within the meaning of Art. 28 (1) GDPR. If a sub-processor fails to comply with its data protection obligations, the Processor is liable to the Controller for the performance of the sub-processor's obligations.
(1) Transfers of personal data to third countries outside the European Economic Area are only carried out where an adequacy decision of the European Commission exists (Art. 45 GDPR) or where appropriate safeguards pursuant to Art. 46 GDPR are in place.
(2) The Processor transfers personal data exclusively to the sub-processors listed in the Sub-processor List (§4 (1)). To the extent sub-processors are located in the United States of America, the transfer is based on the EU Standard Contractual Clauses pursuant to Commission Implementing Decision (EU) 2021/914 and — to the extent the relevant sub-processor is certified under the EU-US Data Privacy Framework — on the adequacy decision of the European Commission of 10 July 2023 (Commission Implementing Decision (EU) 2023/1795).
(1) Data subject rights: The Processor assists the Controller by appropriate technical and organisational measures in fulfilling its obligations to respond to requests by data subjects exercising their rights pursuant to Articles 15 to 21 GDPR (Art. 28 (3) lit. e GDPR). The standard functions required to fulfil these obligations — in particular inspection, export and deletion of individual lead records — are made available by the Processor directly as self-service functions in the Exhibitor dashboard. Individual support requests going beyond these self-service functions are to be directed to hello@faer.app; they will be processed within a reasonable period on business days (Monday to Friday, excluding public holidays in Baden-Württemberg).
(2) If a data subject approaches the Processor directly with a matter that falls within the Controller's area of responsibility, the Processor forwards the matter to the Controller without undue delay.
(3) Data Protection Impact Assessment and Consultation: The Processor assists the Controller in complying with the obligations laid down in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to it (Art. 28 (3) lit. f GDPR).
(4) No separate remuneration is charged for assistance under paragraphs 1 to 3, except for manifestly unfounded or excessive requests, provided the effort remains within a reasonable scope. For extraordinary effort — in particular for forensic investigations, individual audit requests or extensive data exports outside the standard dashboard interfaces — the Processor may demand reasonable remuneration of EUR 180.00 net per commenced hour. The Controller will be informed in text form about the anticipated costs before chargeable services are rendered.
(1) The Processor notifies the Controller of any personal data breach affecting the data processed under this Agreement without undue delay upon becoming aware thereof, and no later than within 48 hours.
(2) The notification contains at least:
(3) To the extent that not all information is available at the time of notification, it will be provided subsequently without undue further delay.
(4) The Processor assists the Controller in meeting its notification obligations under Articles 33 and 34 GDPR vis-à-vis the competent supervisory authority and the affected data subjects.
(1) Upon termination of the Main Agreement, the Processor deletes all personal data processed under this Agreement or, at the Controller's option, returns it (Art. 28 (3) lit. g GDPR).
(2) Deletion takes place no later than 30 days after termination of the Main Agreement, unless Union or Member State law requires longer storage.
(3) The records required to be kept by the Processor pursuant to Art. 5 (2), Art. 7 (1) and Art. 30 (2) GDPR — in particular the consent log pursuant to §15 of the Privacy Policy — are excluded from deletion under paragraph 1 and are retained until the expiry of the respective applicable statutory retention and evidence periods, in a form that technically and organisationally precludes use for any other purposes.
(4) Database backups are overwritten in continuous rotation after at most 30 days; a targeted individual deletion from backup sets does not take place. Within the rotation, however, the data is no longer productively accessible.
(1) For the liability of the Parties inter se, the provisions of the Main Agreement apply.
(2) The liability of the Parties vis-à-vis data subjects is governed by Art. 82 GDPR. In their internal relationship, the Parties bear any damage incurred in accordance with their respective share of responsibility within the meaning of Art. 82 (5) GDPR.
(1) This Agreement enters into force upon conclusion of the Main Agreement between the Parties and automatically terminates upon its termination.
(2) Rights and obligations of the Parties that by their nature survive the end of the Agreement — in particular the deletion, documentation and evidence obligations under §8 — remain unaffected by the termination.
(1) Amendments and additions to this Agreement must be made in text form. This also applies to any waiver of this text form requirement.
(2) Should individual provisions of this Agreement be or become invalid, the validity of the remaining provisions shall remain unaffected. The Parties undertake to replace the invalid provision with a valid provision that comes closest to the economic and data protection purpose of the invalid provision.
(3) Applicable law: This Agreement is governed by the law of the Federal Republic of Germany to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG).
(4) Place of jurisdiction: The exclusive place of jurisdiction for all disputes arising from or in connection with this Agreement is, to the extent legally permissible, Tübingen, Germany.
(5) Language versions: This Agreement is provided in a German and an English version. Only the German version is legally binding. The English version is provided for informational purposes only; in the event of discrepancies between the language versions, the German version prevails.
Controller: as identified in the Preamble of this Agreement.
Processor: as identified in the Preamble of this Agreement.
Categories of data subjects
Categories of personal data
No processing of special categories of personal data within the meaning of Art. 9 GDPR takes place.
Nature of the processing: collection, storage, structuring, display in the Controller's Exhibitor dashboard, export by the Controller, deletion upon withdrawal of consent by the data subject, and deletion upon deletion of the Visitor's account.
Purpose of the processing: provision of the lead functionality of the FAER platform to the Controller, including the documentation of consents granted by Visitors for evidentiary purposes pursuant to Art. 7 (1) GDPR.
Duration of the processing:
The supervisory authority competent for the Controller pursuant to Art. 55 GDPR is determined by the Controller's place of establishment.
The supervisory authority competent for the Processor is:
State Commissioner for Data Protection and Freedom of Information, Baden-Württemberg (LfDI BW)
Office address: Heilbronner Straße 35, 70191 Stuttgart
Postal address: Postfach 10 29 32, 70025 Stuttgart
The Processor implements the following technical and organisational measures pursuant to Art. 32 GDPR. The appropriateness of the measures is to be assessed taking into account the state of the art, the cost of implementation, the nature, scope, circumstances and purposes of the processing, and the varying likelihood and severity of the risk for the rights and freedoms of natural persons.
Physical access control — no unauthorised physical access to data-processing facilities:
System access control — no unauthorised use of systems:
HttpOnly, Secure and SameSite=Lax.
Data access control — no unauthorised reading, copying, alteration or removal within the system:
Separation control:
Pseudonymisation and encryption (Art. 32 (1) lit. a GDPR):
Input control:
Disclosure control:
sendDefaultPii: false, replaysSessionSampleRate: 0, replaysOnErrorSampleRate: 0, tracesSampleRate: 0).
Conclusion of Contract: This Agreement is an integral part of the General Terms and Conditions of the FAER platform and is incorporated into them by express reference. It comes into existence upon registration of an Exhibitor account, when the Controller accepts the General Terms and Conditions. The respective valid version of this Agreement is available at https://www.faer.app/en/dpa prior to conclusion of contract. The Processor documents the time of acceptance, the identity of the accepting Exhibitor account and the version of this Agreement in force at the time of acceptance.