Privacy Policy
Annex C: Data Processing Agreement Terms
These Data Processing Agreement Terms ("DPA") form an integral part of the AGREEMENT to the extent PROVIDER processes personal data of the CUSTOMER based on CUSTOMER's instructions under the AGREEMENT. Under this DPA, CUSTOMER acts as the controller of personal data ("CONTROLLER") and PROVIDER acts as the processor ("PROCESSOR") within the meaning of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). Both are collectively referred to as the "PARTIES" and individually as a "PARTY".
Unless otherwise defined herein, the definitions of the AGREEMENT apply to this DPA.
1. General Provisions
1.1 The PROCESSOR shall process PERSONAL DATA only on behalf of and in accordance with the documented INSTRUCTIONS of the CONTROLLER, within the scope and for the purposes of the AGREEMENT and in compliance with the GDPR and any other applicable data protection laws.
1.2 The CONTROLLER has selected the PROCESSOR in accordance with the duty of care under applicable data protection laws. This DPA constitutes the data processing agreement within the meaning of Art. 28 GDPR.
1.3 "PERSONAL DATA" or "DATA" means any information relating to an identified or identifiable natural person ("DATA SUBJECT").
1.4 "PROCESSING" shall be understood in a broad sense and includes any operation carried out with or without automated procedures in connection with PERSONAL DATA, including collection, storage, use, disclosure, restriction, deletion or destruction.
1.5 "INSTRUCTION" means a documented instruction issued by the CONTROLLER to the PROCESSOR regarding PERSONAL DATA.
1.6 The CONTROLLER retains all rights in the DATA. Upon termination of the AGREEMENT, the PROCESSOR shall return or delete the DATA in accordance with this DPA. The PROCESSOR shall not assert any right of retention except where required by applicable law.
2. Scope and Purpose of PROCESSING
2.1 The purpose of this DPA is to define the scope, purpose and subject matter of DATA PROCESSING carried out by the PROCESSOR.
2.2 The PROCESSOR shall process PERSONAL DATA solely to the extent necessary for providing, administering and operating the SOFTWARE under the AGREEMENT.
2.3 Categories of DATA SUBJECTS and types of PERSONAL DATA processed are specified in Appendix 1.
2.4 Special categories of PERSONAL DATA pursuant to Art. 9 GDPR may only be processed where
2.4.1 such DATA has been lawfully collected by the CONTROLLER; and
2.4.2 appropriate INSTRUCTIONS have been provided.
3. CONTROLLER's Rights and Obligations
3.1 The CONTROLLER determines the admissibility of the PROCESSING.
3.2 The CONTROLLER may issue additional or amended INSTRUCTIONS at any time.
3.3 DATA SUBJECT rights shall be exercised towards the CONTROLLER.
3.4 The CONTROLLER may inform the PROCESSOR of any irregularity in the PROCESSING.
4. PROCESSOR's Obligations and Responsibilities
4.1 The PROCESSOR shall process DATA only within the scope of this DPA and the AGREEMENT.
4.2 The PROCESSOR shall not make copies of PERSONAL DATA for its own purposes. Copies may only be made where
4.2.1 necessary to provide the services;
4.2.2 necessary to ensure proper PROCESSING (including backups and redundancy); or
4.2.3 required by legal obligations.
4.3 The PROCESSOR shall support the CONTROLLER in inspections or information requests by supervisory authorities.
4.4 Where required by law, the PROCESSOR shall appoint a data protection officer or designate a contact point.
4.5 The PROCESSOR shall inform the CONTROLLER without undue delay if it considers any INSTRUCTION unlawful.
4.6 The PROCESSOR shall assist the CONTROLLER in fulfilling obligations under Art. 32–36 GDPR.
4.7 The PROCESSOR shall inform the CONTROLLER prior to any legally required disclosure of DATA.
4.8 The PROCESSOR shall correct, delete or block DATA upon reasonable request.
4.9 The PROCESSOR shall implement and maintain procedures ensuring compliance.
4.10 The PROCESSOR shall inform the CONTROLLER without undue delay if DATA becomes endangered due to third-party measures.
5. Data Breach Notification
5.1 In the event of a breach of PERSONAL DATA, the PROCESSOR shall notify the CONTROLLER without undue delay and no later than 48 hours after becoming aware.
5.2 The notification shall include at least:
5.2.1 Description of the breach;
5.2.2 Categories and approximate number of affected DATA SUBJECTS;
5.2.3 Contact details of the data protection officer;
5.2.4 Likely consequences;
5.2.5 Measures taken or proposed.
5.3 The PROCESSOR shall cooperate with the CONTROLLER under Art. 33 and 34 GDPR.
6. DATA SUBJECTS' Rights
6.1 Requests shall be forwarded immediately to the CONTROLLER.
6.2 The PROCESSOR shall support the CONTROLLER in fulfilling DATA SUBJECT claims.
7. Sub-Processors
7.1 The PROCESSOR may engage sub-processors based on general written authorization.
7.2 The CONTROLLER shall be informed of intended changes.
7.3 Sub-processors must provide sufficient guarantees.
7.4 Written contracts shall impose equivalent data protection obligations.
7.5 The PROCESSOR remains fully liable.
7.6 International transfers require appropriate safeguards under Art. 44 GDPR.
7.7 The CONTROLLER may object within fifteen (15) days.
7.8 Current sub-processors are listed in Appendix 2.
8. Audit Rights
8.1 Audits shall primarily be conducted remotely.
8.2 On-site audits only where justified.
8.3 Audits no more than once per year unless required.
8.4 Necessary compliance information shall be provided.
9. Data Secrecy
9.1 The PROCESSOR shall protect data confidentiality.
9.2 Authorized personnel shall be subject to confidentiality obligations and receive adequate training.
10. Technical and Organizational Measures
10.1 The PROCESSOR shall implement appropriate technical and organizational measures pursuant to Art. 32 GDPR.
10.2 Measures may be modified provided the protection level is not reduced.
10.3 Documentation shall be provided upon request.
10.4 Significant changes shall be communicated in advance.
11. Term
11.1 This DPA automatically terminates upon expiration or termination of the AGREEMENT.
12. Destruction, Deletion and Return of Data
12.1 Upon termination, the PROCESSOR shall cease use of DATA.
12.2 PERSONAL DATA shall be irretrievably deleted using industry-standard secure deletion methods.
12.3 The PROCESSOR shall document deletion upon request.
12.4 Statutory retention obligations remain unaffected.
APPENDIX 1
DATA SUBJECTS AND DATA CATEGORIES
Purpose of Processing
1.1 Processing exclusively for performing, administering and operating the SOFTWARE.
Categories of DATA SUBJECTS
2.1 End users;
2.2 Employees or representatives of the CONTROLLER;
2.3 Authorized employees of the PROCESSOR;
2.4 Other individuals whose DATA is submitted via the SOFTWARE.
Categories of PERSONAL DATA
3.1 User master data;
3.2 Content data;
3.3 Usage data;
3.4 Technical data;
3.5 Payment data.
Special Categories
4.1 Only where lawfully collected and instructed.
Duration
5.1 For the duration of the AGREEMENT.
APPENDIX 2
Sub-Processors
Anthropic, PBC
1.1 548 Market St, PMB 90375, San Francisco, CA 94104, USA
1.2 Transfer based on Standard Contractual Clauses (SCC).
Apify Technologies s.r.o.
2.1 Vodickova 704/36, 110 00 Prague 1, Czech Republic
2.2 No third-country transfer.
APPENDIX 3
Technical and Organizational Measures
Access control and user management
Physical and environmental security
Encryption and pseudonymisation
System and network security
Incident response and business continuity
Data protection by design and by default