GDPR Article 28 compliant agreement governing the processing of personal data
Last updated: April 7, 2026
This Data Processing Agreement ("DPA") forms part of and is incorporated into the Terms of Service or other written or electronic agreement (the "Main Agreement") between HELIX TECHNOLOGIES SINGLE MEMBER P.C. (Monoprosopi I.K.E.), a private company incorporated under the laws of Greece, with registered seat at Leoforos Kifisias 265, Kifisia 14561, Athens, Greece, Tax Identification Number (AFM) 803240617, General Electronic Commercial Registry (GEMI) 192841603000 (hereinafter the "Processor" or "Helix"), and the entity or person that has entered into the Main Agreement with Helix (hereinafter the "Controller" or "Client").
This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (the "General Data Protection Regulation" or "GDPR") and sets forth the terms and conditions under which the Processor shall process Personal Data on behalf of the Controller in connection with the Services provided under the Main Agreement.
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined herein shall have the meanings ascribed to them in the GDPR or the Main Agreement.
This DPA applies to the Processing of Personal Data by the Processor on behalf of the Controller in the context of the provision of the Services under the Main Agreement.
The Processor shall process Personal Data solely on the basis of documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
The purpose of the Processing is to enable the Processor to provide the Services as described in the Main Agreement. The Processor shall not process Personal Data for any purpose other than as set forth in the Controller's documented instructions or as otherwise required by applicable law.
The Processor shall not use, share, or permit the use of the Controller's Personal Data or any confidential data for the training, fine-tuning, improvement, or development of any artificial intelligence models, machine learning systems, or algorithmic tools — whether owned by the Processor, third parties, or sub-processors (including but not limited to OpenAI, Anthropic, Google, Meta, or any other AI provider) — without the Controller's prior explicit written consent. This prohibition applies to both identifiable and de-identified data derived from the Controller's information.
Where AI services are provided to the Controller as part of the Services, the Processor shall ensure that all API calls to third-party AI providers are made with data training opt-out settings enabled (where such settings are available), and that no Controller data is retained by such third-party providers beyond the immediate processing request.
The subject matter of the Processing is the provision of technology services by the Processor to the Controller, which may include, without limitation: artificial intelligence and machine learning solutions, web and mobile application development, SaaS platform operation, cloud infrastructure management, e-commerce solutions, API integrations, IT consulting, cybersecurity services, and digital identity management.
The Processing shall continue for the duration of the Main Agreement between the parties, unless earlier terminated in accordance with the terms hereof or the Main Agreement. Upon termination, the provisions of Section 11 (Term and Termination) shall apply.
The nature and purpose of the Processing is as necessary for the Processor to provide the Services to the Controller under the Main Agreement, including but not limited to: hosting and storage of data, data transmission, account management, user authentication, customer support, analytics and reporting, payment processing, email communications, and any other processing activities reasonably required to fulfill the Processor's obligations under the Main Agreement.
The types of Personal Data processed may include, but are not limited to:
The categories of Data Subjects whose Personal Data may be processed under this DPA include:
The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organization, unless required to do so by Union or Member State law. The Processor shall immediately inform the Controller if, in the Processor's opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The Processor shall ensure that access to Personal Data is limited to those personnel who require such access for the performance of the Services.
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR. These measures shall include, at a minimum:
The Processor shall regularly evaluate the effectiveness of these measures and update them as necessary to address evolving threats and changes in the Processing activities.
Taking into account the nature of the Processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising the Data Subject's rights as laid down in Chapter III of the GDPR (Articles 15 through 22), including the rights of access, rectification, erasure, restriction of processing, data portability, and objection.
If the Processor receives a request directly from a Data Subject, the Processor shall promptly forward the request to the Controller without responding to the Data Subject directly, unless explicitly authorized to do so by the Controller.
The Processor shall provide reasonable assistance to the Controller with any Data Protection Impact Assessments and prior consultations with Supervisory Authorities that the Controller is required to carry out under Articles 35 and 36 of the GDPR, taking into account the nature of the Processing and the information available to the Processor.
Upon termination or expiry of the Main Agreement, and at the Controller's written election, the Processor shall either:
If the Controller does not provide instructions within thirty (30) days of the termination or expiry of the Main Agreement, the Processor shall delete all Personal Data. The Processor shall certify the deletion of Personal Data in writing upon the Controller's request.
The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and this DPA. The Processor shall immediately inform the Controller if, in its opinion, any instruction from the Controller infringes the GDPR or other applicable data protection law.
The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to the terms set forth in Section 9 of this DPA.
The Controller hereby grants the Processor general written authorization to engage Sub-processors for the Processing of Personal Data in connection with the Services, subject to the conditions set forth in this Section 5.
A current list of Sub-processors engaged by the Processor is available upon request by contacting [email protected]. The Processor's Sub-processors typically include, but are not limited to, the following categories:
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors by providing the Controller with at least thirty (30) days' prior written notice (including the name, location, and role of the proposed Sub-processor), thereby giving the Controller the opportunity to object to such changes.
If the Controller has a reasonable, legitimate objection to the engagement of a new Sub-processor, the Controller shall notify the Processor in writing within the thirty (30) day notice period, specifying the grounds for the objection. The parties shall discuss the Controller's concerns in good faith. If the parties are unable to reach a mutually acceptable resolution within a further thirty (30) days, the Controller may terminate the affected Services (but not the entire Main Agreement, unless all Services are affected) without penalty by providing written notice.
The Processor shall impose on each Sub-processor, by way of a written contract, data protection obligations no less protective than those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations. Where a Sub-processor fails to fulfill its data protection obligations, the Processor shall remain liable to the Controller for the Sub-processor's failure.
Personal Data processed under this DPA is primarily processed within the European Economic Area (EEA). The Processor shall not transfer Personal Data outside the EEA unless the conditions set forth in this Section 6 are met.
Where transfers of Personal Data outside the EEA are necessary for the provision of the Services, the Processor shall ensure that such transfers are protected by appropriate safeguards in accordance with Chapter V of the GDPR, including:
The Controller hereby authorizes transfers of Personal Data to the Sub-processors listed in the current Sub-processor list maintained by the Processor, subject to the safeguards described in this Section 6. The Processor shall ensure that all Sub-processors involved in international data transfers are bound by appropriate transfer mechanisms.
The Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours after becoming aware of a Personal Data Breach affecting Personal Data processed on behalf of the Controller. Where it is not possible to provide all information at the time of the initial notification, the Processor shall provide such information in phases without further undue delay.
The notification to the Controller shall include, at a minimum, the following information:
The Processor shall cooperate with and assist the Controller in fulfilling the Controller's obligations under Articles 33 and 34 of the GDPR, including the Controller's obligation to notify the competent Supervisory Authority and, where applicable, the affected Data Subjects. The Processor shall take all reasonable steps to contain, investigate, and remediate the Personal Data Breach and to prevent a recurrence.
The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including the rights of access (Article 15), rectification (Article 16), erasure (Article 17), restriction of processing (Article 18), data portability (Article 20), objection (Article 21), and rights related to automated decision-making and profiling (Article 22).
The Processor shall not respond to Data Subject requests directly, unless expressly authorized in writing by the Controller. If the Processor receives a request from a Data Subject, the Processor shall promptly redirect or forward the request to the Controller and shall not disclose any Personal Data to the Data Subject without the Controller's prior written instruction.
Where the Controller requests that the Processor provide substantial assistance with Data Subject requests that are manifestly unfounded, excessive, or require disproportionate effort beyond what is reasonably necessary, the Processor may charge a reasonable fee based on administrative costs, having regard to the nature, complexity, and frequency of the requests. The Processor shall inform the Controller of any such charges in advance.
The Controller may audit the Processor's compliance with this DPA once per calendar year, subject to the following conditions:
In lieu of an on-site audit, the Processor may, at its sole discretion, satisfy the Controller's audit requirements by providing:
Where such alternative mechanisms are provided, the Controller shall not be entitled to an on-site audit unless the alternative mechanisms are insufficient to reasonably demonstrate compliance with this DPA.
Any third-party auditor engaged by the Controller must be bound by written confidentiality obligations no less protective than those in the Main Agreement and must not be a competitor of the Processor. The Processor may object to a proposed auditor on reasonable grounds and request that the Controller appoint a different auditor. All audit findings and information obtained during the audit shall be treated as confidential information of the Processor.
The liability of each party under this DPA is subject to the limitations and exclusions of liability set forth in the Main Agreement (Terms of Service), except where such limitation is prohibited by applicable law.
Each party shall be liable for its own infringements of the GDPR. The Controller shall be responsible for ensuring that its instructions to the Processor comply with applicable data protection law. The Processor shall be liable for Processing that does not comply with the GDPR or this DPA, or where it has acted outside of or contrary to the lawful instructions of the Controller.
Without prejudice to any mandatory statutory liability under the GDPR, the Processor's total aggregate liability arising out of or in connection with this DPA shall not exceed the total fees actually paid by the Controller to the Processor under the Main Agreement during the twelve (12) months immediately preceding the event giving rise to the claim.
This DPA shall become effective on the date the Controller enters into the Main Agreement and shall remain in force for the duration of the Main Agreement.
This DPA shall survive termination or expiry of the Main Agreement until all Personal Data processed on behalf of the Controller has been deleted or returned to the Controller in accordance with Section 4.6.
Upon termination or expiry of the Main Agreement, and subject to the Controller's election under Section 4.6, the Processor shall delete all Personal Data within thirty (30) days, unless retention of such Personal Data is required by Union or Member State law. Where retention is required, the Processor shall inform the Controller of the legal requirement and shall continue to protect the Personal Data in accordance with this DPA and the GDPR. The Processor shall certify the deletion in writing upon the Controller's request.
This DPA shall be governed by and construed in accordance with the laws of the Hellenic Republic (Greece) and applicable European Union law, without regard to its conflict of laws principles.
Any dispute, controversy, or claim arising out of or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts of Athens, Greece.
Where Standard Contractual Clauses are incorporated into this DPA, the governing law of the SCCs shall be the law of the EU Member State in which the Controller (data exporter) is established, provided that such law allows for third-party beneficiary rights. Where the Controller is not established in an EU Member State, the governing law shall be the law of the Hellenic Republic (Greece).
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The invalid or unenforceable provision shall be modified to the minimum extent necessary to make it valid, legal, and enforceable while preserving its original intent.
For any questions, concerns, or requests regarding this Data Processing Agreement or data protection matters, please contact: