Skip to content


Data Processing Agreement


The CUSTOMER, as indicated in the ORDER FORM (hereinafter the "CUSTOMER" or the "Controller")


Finmatics GmbH
Lindengasse 41/10, 1070 Wien
(hereinafter referred to as "FINMATICS" or the "Processor“)


    1. The CUSTOMER is a Controller within the meaning of Article 4 (7) of the General Data Protection Regulation (Regulation [EU] 2016/679 - "GDPR") with regard to any information relating to an identified or identifiable natural person within the meaning of Article 4 (1) GDPR ("personal data"), that is transferred to the Processor within the scope of the activities to be performed under Section 2.

    2. FINMATICS acts as a Processor within the meaning of Article 4 (8) GDPR for the CUSTOMER.


    FINMATICS processes the personal data described in Section 4 by scanning and extracting this data from receipts and other accounting-related documents using the FINMATICS-SOFTWARE. This processing is carried out for the purpose of creating the financial accounting of the CUSTOMER or of business partners of the CUSTOMER.


    The data is processed by FINMATICS for as long as there is a contractual relationship between FINMATICS and the CUSTOMER.


    First and last name, address, UID number, date of birth, telephone number, e-mail address, customer number.


    1. Natural persons who have a business relationship with the CUSTOMER.
    2. Natural persons who are listed as document creators, document recipients, vicarious agents, business partners or similar on the processed documents or data records.


    1. FINMATICS processes personal data exclusively within the scope of this AGREEMENT or upon separate instruction from the CUSTOMER, unless FINMATICS is obligated by law to carry out a specific processing. FINMATICS shall refrain from any actions that contradict its role as a Processor. FINMATICS shall diligently comply with obligations arising from applicable laws, in particular the GDPR and the Austrian Data Protection Act (“DSG”) as amended. Uploading information into the software of FINMATICS by the CUSTOMER shall be deemed as an instruction within the meaning of this provision. The instruction pertains to processing the information according to the terms and conditions specified in the attached data processing agreement. In the absence of contrary instructions from the CUSTOMER, FINMATICS is not authorized or obliged to delete information uploaded by the CUSTOMER into the Software of FINMATICS.

    2. FINMATICS therefore undertakes to use personal data exclusively within the framework of the documented instructions of the CUSTOMER and to return such data exclusively to the CUSTOMER or to transmit it to third parties only in accordance with the CUSTOMER's instructions.

    3. FINMATICS processes personal data according to the principle of data minimization as defined in Article 5 (1) (c) GDPR, and therefore, only to the extent that this is necessary for provision of services mentioned under Section 2. In addition, FINMATICS undertakes to maintain a register of processing activities as required by Article 30 (2) GDPR. FINMATICS shall ensure that personal data and other own data of FINMATICS or its customers are processed separately.

    4. FINMATICS declares in a legally binding manner that it has obligated all persons engaged in data processing or potentially authorized to access data to maintain data secrecy within the meaning of Article 28 (3) (b) GDPR and Section 6 DSG before commencing their activities. In particular, the confidentiality obligation of the persons engaged in data processing shall remain in force even after the termination of their activities and their departure from FINMATICS.

    5. FINMATICS ensures the technical and organizational requirements so that the CUSTOMER can exercise the rights of the data subjects, in particular the provisions of Articles 13 and 14 GDPR (obligation to provide inform), Article 15 GDPR (right of access), Articles 16 and 17 GDPR (right to rectification and deletion), Article 18 GDPR (right to restriction of processing), Article 20 GDPR (right to data portability) and Article 21 GDPR (right to object), within the statutory deadlines. FINMATICS provides the CUSTOMER with all necessary information for this purpose.

    6. FINMATICS declares in a legally binding manner that it has appointed a data protection officer if required to do so under Article 37 GDPR. In such case, the contact details of the data protection officer will be communicated to the CUSTOMER. FINMATICS shall also promptly notify the CUSTOMER of any changes regarding the data protection officer.

    7. FINMATICS is obliged to comply with any inquiries or requests from the data protection authority ("DPA") or other competent authorities and to adjust the internal processing operations accordingly. This obligation applies regardless of whether such inquiries or requests are issued directly by the authority or are brought to FINMATICS via the CUSTOMER.

    8. In connection with the services referred to in this AGREEMENT, FINMATICS shall cooperate to the fullest extent possible with the relevant authorities and the CUSTOMER, in particular in the preparation of the register of processing activities (Article 30 GDPR), data protection impact assessments (Article 35 GDPR) and prior consultations with the supervisory authority (Article 36 GDPR).

    9. The CUSTOMER shall have the right to inspect and control the data processing equipment at any with regard to the processing of the data provided. FINMATICS undertakes to provide the CUSTOMER, in accordance with Article 28 (3) (h) GDPR with the information necessary to monitor compliance with the obligations set forth in this AGREEMENT.


    1. The CUSTOMER hereby grants FINMATICS the general written consent pursuant to Article 28 (2) GDPR, to engage other companies/persons as sub-processors for the data processing activities. The sub-processors can be viewed on the following website: If a new sub-processor is engaged, FINMATICS shall update this website accordingly in advance and notify the CUSTOMER by e-mail in due time, allowing the CUSTOMER to raise any objections in accordance with Article 28 (2) GDPR. If the CUSTOMER does not raise any objections within two weeks of receiving this e-mail, the engagement of the new sub-processor shall be deemed approved.

    2. In the event of an objection to the engagement of a new sub-processor, FINMATICS shall have the right to terminate the AGREEMENT in accordance with Section 13.5 of the GTC.

    3. FINMATICS may engage sub-processors outside the EEA if (i) they are established in a third country which has an adequate level of data protection accepted by the EU Commission by way of a decision (Adequacy Decision) or (ii) appropriate safeguards, such as the EU standard contractual clauses or equivalent contract templates issued by the EU Commission have been agreed upon with them in accordance with Article 46 (2) (c) and (d) GDPR.

    4. In any case, FINMATICS remains fully responsible to the CUSTOMER for the performance of services by the sub-processor, its obligations, and the fulfillment of the assigned tasks. In addition, a contract must be concluded between FINMATICS and the sub-processor in accordance with Article 28 (4) GDPR, ensuring that the sub-processor undertakes the same obligations as FINMATICS under this AGREEMENT. In addition, FINMATICS ensures that the CUSTOMER can also directly provide instructions to the sub-processor if required from a data protection perspective.

    5. If the sub-processor fails to comply with the obligations under the GDPR, FINMATICS shall be liable to the CUSTOMER for such non-compliance.


    The CUSTOMER undertakes to promptly inform FINMATICS of any changes to the GDPR and the DSG and supplementary provisions applicable to the data processing in question. The CUSTOMER grants FINMATICS a reasonable period of time to adjust its organizational, administrative and technical measures to comply with the amended data protection regulations and new requirements.


    1. FINMATICS hereby declares, as a legally binding commitment, to promptly inform the CUSTOMER if FINMATICS becomes aware of a personal data breach or if data from a data application provided to FINMATICS has been systematically and seriously used in an unlawful manner, posing a risk of harm to data subjects.

    2. FINMATICS takes appropriate technical and organizational measures to ensure that the CUSTOMER can comply with the provisions of Articles 33 and 34 GDPR ("Data Breach Notification") within the statutory time limit. In this context, FINMATICS is obliged to provide the CUSTOMER with all necessary information without undue delay, which is required for reporting breaches of the protection of personal data to the supervisory authority and/or to the data subject.


    1. FINMATICS warrants that it has implemented appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of the processing, as well as the varying likelihood and severity of the risks to the rights and freedoms of data subjects. FINMATICS will follow up with adequate measures, if necessary changes arise in this regard during the collaboration.

    2. FINMATICS warrants that the processing is carried out in accordance with customary industry standards and the statutory provisions, in particular the data protection regulatory requirements.

    3. FINMATICS undertakes to comply with the technical-organizational measures specified in Schedule ./1 of this Annex 3, to the extent applicable based on the subject matter and circumstances of the processing.

    4. In the event that changes become necessary during the collaboration, FINMATICS will adequately adapt the measures taken. The CUSTOMER is obliged to periodically check whether an adequate level of data protection is ensured by suitable technical and organizational measures of FINMATICS.

    5. In case FINMATICS engages a sub-processor, FINMATICS ensures that equivalent technical and organizational measures are agreed upon with the sub-processor. FINMATICS will regularly verify, through appropriate controls, that these measures are effectively implemented by the sub-processor at all times. If any risks become apparent in this context, which FINMATICS cannot sufficiently mitigate/control, FINMATICS shall inform the CUSTOMER thereof in an appropriate manner.


    1. FINMATICS is obligated to completely delete all processing results and documents containing personal data after having completed the provision of services. Alternatively, the CUSTOMER may, within a reasonable period prior to the termination of the provision of services, demand the return of such data from FINMATICS. FINMATICS is not permitted to further retain personal data, documents or parts thereof. This does not apply to data that FINMATICS is obliged to retain and to the deletion of personal data from backup copies, as in this case advance deletion is not technically feasible. Personal data stored in backup copies will be stored for a maximum period of three years and will then be deleted.

    2. FINMATICS is obligated to ensure the return or deletion of data by sub-processor as well.

Schedule ./1 - Technical and organizational measures according to article 32 GDPR

  1. Confidentiality

    FINMATICS ensures that the confidentiality of personal data is guaranteed at all times. To this end, the following measures are taken in particular:

    1. Physical access control

      1. FINMATICS grants access authorizations and checks them at regular intervals. Unauthorized persons shall be denied access to data processing equipment with which personal data are processed.

      2. FINMATICS shall comply with all physical security requirements resulting from any certifications or industry standards.

    2. Data access control

      1. FINMATICS is responsible for preventing unauthorized persons from using the data processing systems.

      2. In particular, the granting individual access rights must ensure that employees or other authorized persons are only granted access to personal data to the extent necessary for the performance of their tasks.

    3. Authorization control

      1. FINMATICS must ensure that authorized persons can only access data that falls under their access permissions and that personal data is not read, copied, altered, or removed without authorization.

      2. Access must be technically restricted to those authorized persons who require access to the data for the effective performance of the contract.

      3. User lists must be maintained. FINMATICS must also ensure that only users with a valid contractual relationship and the designated roles have access to personal data.

  2. Integrity

    FINMATICS shall ensure the integrity of personal data at all times. To this end, the following measures are implemented:

    1. Transfer control

      FINMATICS ensures to prevent data breaches. To this end, FINMATICS takes measures to prevent unauthorized reading, copying, alteration, or deletion/removal of personal data or data carriers during electronic transmission or transportation. FINMATICS must also ensure that it is possible to determine the destinations to which personal data is transmitted by data transmission equipment.

    2. Input control

      FINMATICS must ensure that it is possible to determine whether and by whom personal data is entered, modified or removed in data processing systems.

  3. Availability and resilience

    FINMATICS ensures that its systems are available and resilient in accordance with the industry standards and the state of the art.

    1. Availability

      1. FINMATICS takes measures to protect personal data from accidental or deliberate destruction or loss.

      2. In the event of significant disruptions with the systems, FINMATICS collaborates with the Controller.

      3. FINMATICS will make regular backups to ensure rapid restoration after technical and/or physical incidents.

    2. Resilience

      FINMATICS is responsible for ensuring that their systems are protected in the event of technical attacks and that capacities are available to enable smooth operation despite unforeseeable loads.

  4. Procedure for regular review, assessment and evaluation

    1. FINMATICS regularly reviews, assesses and evaluates its technical and organizational measures to ensure ongoing security of the processing.

    2. FINMATICS agrees to allow its security measures to be reviewed and assessed by its contractual partners or by an expert appointed by them.


Last Change: 07.07.2023