Agreement on data processing in accordance with Art. 28 GDPR

between

the Customer (hereinafter “Controller”)

and

Wizlabs GmbH
Rietgrabenstrasse 10
8152 Opfikon
Switzerland
(hereinafter “Processor”)

1. Subject and Duration

1.1 This agreement governs the processing of personal data by Wizlabs GmbH in the context of providing the cloud software Scanwiz (scanwiz.com) for smart inventory management, stock control, inventory counting, and variant management.

1.2 The Processor processes personal data exclusively on behalf of and according to the documented instructions of the Controller pursuant to Art. 28 (3)(a) GDPR.

1.3 The term of this agreement corresponds to the duration of the Scanwiz usage contract. Termination of the usage contract automatically terminates this agreement. The usage contract is concluded by booking an offer directly through the scanwiz.com platform.

2. Nature and Purpose of Processing

2.1 Nature and Purpose: Provision of the Scanwiz software as a SaaS solution for digital inventory management, including storage, retrieval, administration, and maintenance of the data entered by the Controller.

2.2 Categories of Data Processed:

  • User data: names, email addresses, phone numbers
  • Contract data: contractual relationship, billing and payment data
  • Application data: inventory items, stock levels, inventory data, and other information stored by the customer in Scanwiz

2.3 Data Subjects: Customers, employees of the Controller, suppliers, and points of contact.

2.4 Location of Processing: Exclusively in data centers within Germany or the EU/EEA. Processing in third countries requires prior written consent of the Controller in accordance with Art. 44 et seq. GDPR.

3. Binding to Instructions

3.1 The Processor processes personal data solely based on the documented instructions of the Controller, unless legal obligations require otherwise. In such cases, the Processor will inform the Controller immediately, if legally permitted.

3.2 Instructions must be issued in written or electronically documented form. Oral instructions must be confirmed in writing without delay.

3.3 The Processor will promptly inform the Controller if an instruction violates data protection regulations. Execution will be suspended until clarification.

4. Obligations of the Processor

4.1 Confidentiality: The Processor obligates all employees involved in processing to confidentiality and provides regular training on data protection requirements.

4.2 Data Security: The Processor implements appropriate technical and organizational measures in accordance with Art. 32 GDPR, including in particular:

  • Encryption and pseudonymization
  • Ensuring confidentiality, integrity, and availability
  • Regular backups
  • Access and entry control
  • Protection against malware and unauthorized access

4.3 Support Obligations: The Processor appropriately supports the Controller with:

  • Fulfilling data subject rights (Art. 12–22 GDPR)
  • Reporting personal data breaches
  • Data protection impact assessments, where required

4.4 Notification of Data Breaches: Personal data breaches must be reported to the Controller without delay and no later than 24 hours after becoming known.

4.5 No Change of Purpose: Personal data may not be used for the Processor’s own purposes or disclosed to third parties without consent. Backup copies and legally required retention are permitted.

5. Sub-Processors

5.1 The Processor is permitted to engage sub-processors (e.g., cloud hosting providers). An up-to-date list of sub-processors will be provided to the Controller upon request.

5.2 The engagement of new or different sub-processors must be communicated to the Controller at least 10 business days in advance in written form. The Controller may object within this period for data protection reasons.

5.3 The Processor contractually binds sub-processors to the same data protection obligations set out in this agreement.

6. Rights of the Controller

6.1 Inspection Rights: The Controller has the right, upon prior notice, to verify the Processor’s compliance with data protection obligations. This may be conducted through random checks or authorized auditors.

6.3 Information: The Processor shall promptly provide the Controller with all necessary information regarding processing and support in responding to authorities or data subjects.

7. Return and Deletion of Data

7.1 Upon termination of the service agreement or upon instruction of the Controller, all personal data must either be returned or deleted in compliance with data protection requirements, at the Controller’s discretion.

7.2 Deletion must occur no later than 30 days after contract termination. A deletion protocol must be provided upon request. Statutory retention obligations remain unaffected.

8. Liability and Indemnification

8.1 The Processor is liable for damages resulting from breaches of data protection obligations in accordance with the statutory provisions of Art. 82 GDPR.

8.2 The Controller indemnifies the Processor against claims by third parties resulting from unlawful instructions by the Controller, provided the Processor has informed the Controller thereof.

9. Final Provisions

9.1 Amendments and additions to this agreement must be made in writing.

9.2 Should individual provisions be invalid, the validity of the remaining provisions shall remain unaffected. The parties agree to replace any invalid provision with a valid one that best reflects the original economic purpose.

9.3 This agreement will be adjusted upon request of either party if required due to changes in data protection regulations.

Status: November 2025
Wizlabs GmbH
