Schedule 2 – Data Processing Agreement

Please note that this Data Processing Agreement (“DPA”) will apply to your use of any Marosa Services on or after December 4, 2025.

This Data Processing Agreement between the Customer and Marosa shall stipulate how Personal Data submitted by the Customer is Processed by Marosa on behalf of the Customer. This Data Processing Agreement establishes the principles for Processing of the Data Subjects’ Personal Data, which is provided to Marosa by the Customer or otherwise becomes available to Marosa in connection with the Customer’s use of the Platform and Services.

Please read this DPA carefully to understand the practices that Marosa applies regarding Processing of Personal Data. This DPA applies to the Customer’s use of any Marosa Services in addition to, and incorporates by reference, the Marosa General Terms and Conditions made available to the Customer by Marosa (the “General Terms”), any applicable Service-Specific Supplementary Terms, and Order Document(s). This DPA constitutes an integral part of the Agreement between the Customer (as Controller of Personal Data) and Marosa (as Processor of Personal Data) within the meaning of Article 28 of GDPR.

Any capitalized terms used and not defined in this DPA shall have the same meaning as assigned to them in the General Terms. Updates to referenced documents will be communicated to the Customer in accordance with the notice provisions set out in the General Terms.

By using the Platform and the Services, the Customer confirms that it has familiarized itself with this DPA, understood it, and agrees to its terms. Upon initial registration of a Customer’s account on the Platform, the Customer (via its Authorized Representative) also declares its acceptance of and consent to the processing of Personal Data as described in this DPA.

Marosa has drafted this DPA in cooperation with its legal advisers in accordance with the requirements of GDPR. Marosa does its best to ensure that the Processing of Personal Data is in full compliance with applicable legal requirements.

Marosa shall be entitled to unilaterally review and amend this DPA from time to time. Therefore, Marosa advises the Customer to periodically review the DPA for any changes to it. If the Customer or any of its users do not agree with any or all terms of this DPA or any possible changes to it, then they should immediately cease using the Platform and the Services. Continued use of the Platform or Services by the Customer shall constitute consent to any such changes.

1. Definitions. Unless otherwise defined in the Agreement, capitalized terms have the following meaning:

1.1. “Data Subject” means any identified or directly or indirectly identifiable natural person. Within the meaning of this DPA, the term “Data Subject” refers to the third-party Data Subjects whose Personal Data is submitted to Marosa by the Customer in connection with the use of the Services. This includes the Customer’s legal and/or authorized representatives, workers, affiliated persons and any other natural persons who are not the Customer’s Authorized Users and whose Personal Data is contained in the Customer Data provided by the Customer and Processed by Marosa in the course of provision of the Service.

1.2. “GDPR” means regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data.

1.3. “Personal Data” means any information relating to an identified or identifiable natural person; an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

1.4. “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.5. “Controller” means a person who alone or jointly with others, determines the purposes and means of the Processing of Personal Data. In this DPA, the Customer is considered as the Controller.

1.6. “Processor” means a person who Processes Personal Data on behalf of the Controller. In this DPA, Marosa is considered as the Processor.

1.7. “Recipient” means a legal person to which the Personal Data is disclosed.

1.8. “Pseudonymization” means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data are not attributed to an identified or identifiable natural person.

1.9. “Personal Data breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed.

1.10. “Supervisory authority” means an independent public authority which is established by a Member State pursuant to Article 51 of the GDPR.

2. Object of the Data Processing Agreement

2.1. The Customer acknowledges that the nature of the Services requires that Marosa access and Process Customer Data provided by the Customer on behalf of the Customer for the purposes of the provision of Services. The Customer Data processed by Marosa under the Agreement may contain Personal Data of Data Subjects, who do not have any legal relationship with Marosa. In cases where the Customer’s use of the Platform and/or the Services under the Terms predisposes or encompasses the Processing of any Personal Data by Marosa on behalf of the Customer, Marosa shall have the right to process Personal Data on behalf of the Customer in accordance with and to the extent laid down in this DPA and the documented instructions of the Customer.

2.2. Marosa can only provide the Services to the Customer and legally process the Personal Data of Data Subjects if the Customer as the data Controller authorizes Marosa as the data Processor, by accepting and adhering to the terms of the DPA. Under this DPA, the Parties shall agree on the Personal Data Processing requirements in order to secure that the Processing complies with applicable data protection legislation and to ensure the protection of Data Subjects’ rights.

2.3. Marosa Processes the Personal Data of such Data Subjects upon:

2.3.1. usage of the Platform and the Services by the Customer and its Authorized Users, including when they submit to Marosa Customer Data, which contains Personal Data about Data Subjects;

2.3.2. processing the Customer Data provided by the Customer via the Service;

2.3.3. ongoing monitoring of the Customer’s information retained in the Platform.

2.4. The Personal Data of Data Subjects shall be Processed in accordance with this Data Processing Agreement. The object of this DPA is to define the subject-matter and duration of the Processing of Personal Data, the nature and purpose of the Processing, the types of Personal Data being Processed and the categories of Data Subjects (hereinafter “Details of Processing”) and the Personal Data Processing related rights and obligations of the parties concerning any Personal Data Processing that the Processor performs on behalf of the Controller under the DPA. The DPA shall apply to any Processing of Personal Data carried out by the Processor on behalf of the Controller.

2.5. The types of such Personal Data are not restricted and depend on the decision of the Customer on how it wants to use the Service and generally include the identification data (full name, date of birth or personal identification code, home address) of the Data Subject, but may also include financial information etc.

2.6. Any Personal Data of the Customer and users in the Customer’s organization, including any data of the Customer’s authorized representatives and personnel, which is provided to Marosa by the Data Subject directly via the Platform or Services, will be Processed and used in accordance with the Privacy Policy. For the avoidance of doubt, this DPA does not regulate the Processing of Personal Data of Authorized Users who use the Platform and the Services on behalf of the Customer and provide their Personal Data to Marosa directly.

3. Processing of Personal Data on behalf of the Controller

3.1. Marosa Processes the Personal Data according to documented instructions from the Customer. The Customer gives these instructions by using the Service and by agreeing with the DPA, Privacy Policy and Terms. The instructions of the Customer for Processing of Personal Data must always comply with the applicable laws, and Marosa reserves the right to refuse to fulfill instructions that are, in the opinion of Marosa, unlawful.

3.2. In accordance with Article 4 (7) of GDPR, the Customer is the Controller of the Personal Data submitted to Marosa by the Customer via the Service for the purpose of Processing on behalf and in the interest of the Customer. According to Article 4 (8) of the GDPR, Marosa acts as the Processor on the Customer’s behalf when Processing the Personal Data submitted by the Customer. Therefore, the Customer:

3.2.1. is fully responsible for the Processing of Personal Data that the Customer submits to Marosa;

3.2.2. guarantees to Marosa explicitly that in order to use the Platform and Services, the Customer has all the necessary consents from Data Subjects and/or other legal grounds for lawful processing of Personal Data in accordance with this DPA;

3.2.3. is obliged to inform Marosa immediately of the expiry of legal grounds for the processing, modification, inaccuracy, or change to the Personal Data that Marosa is Processing on behalf of the Customer.

3.3. Marosa and the Customer undertake to comply with all obligations arising from any applicable data protection legislation, including the GDPR. The parties shall refrain from any action which could result in the other party’s failure to comply with its obligations under applicable data protection legislation.

3.4. Taking into account the nature of the Processing, Marosa shall assist the Customer with appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising of Data Subject’s rights laid down in the GDPR, including the right of access to Personal Data by Data Subjects, right to rectification, right to be forgotten, right to restriction of processing, etc. Marosa shall accept instructions for the fulfillment of the rights of Data Subjects only from the Customer. Should the Data Subjects approach Marosa with the requests for the fulfillment of their rights, Marosa shall inform the Customer and act according to instructions from the Customer. The obligation to delete the data of Data Subjects shall always remain with the Customer and Marosa shall not undertake deletion for and on behalf of the Customer, unless otherwise explicitly stipulated in the DPA, Privacy Policy or Terms.

3.5. Marosa shall assist the Customer in ensuring compliance with the obligations of guaranteeing security of the Processing of Personal Data as established by the GDPR while taking into account the nature of Processing and the information available to Marosa. Inter alia Marosa undertakes the obligations detailed in Appendix II.

4. Use of Sub-Processors

4.1. In the course of providing the Service and access to the Platform and Services, Marosa uses different third-party service providers, to whom it may also transfer Personal Data (“Sub-Processors”). Marosa has the Customer’s general authorisation for the engagement of Third Parties from the list of Sub-Processors in Appendix III. Marosa shall inform the Customer in writing of any intended changes of that list through the addition or replacement of Sub-Processors at least one month in advance, thereby giving the Customer sufficient time to be able to object to such changes prior to the engagement of the concerned Sub-Processor(s). Marosa shall provide the Customer with the information necessary to enable the Customer to exercise the right to object.

4.2. Where Marosa subcontracts its obligations under the DPA to a Third Party, then it shall agree on a data processing agreement imposing at least the same obligations on the Third Party as are imposed on Marosa under the DPA. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject pursuant to these Clauses and to Regulation (EU) 2016/679 and/or Regulation (EU) 2018/1725.

4.3. If Marosa wishes to transfer the Personal Data to Third Parties located outside of the European Economic Area (EEA), then Marosa shall ensure the application of the appropriate safeguards by such Third Party, including applying the measures detailed in Appendix II. 

5. Guarantees for Personal Data Processing

5.1. Marosa shall Process the Personal Data provided by the Customer only to the extent and in such a manner as is necessary for the provision of the Services.

5.2. Marosa confirms that it shall not Process the Personal Data for any other purpose which is not necessary for the provision of the Services. To ensure this, Marosa shall:

5.2.1. refrain from any personal use, including commercial use, of the Personal Data processed for the provision of the Services;

5.2.2. comply with this DPA and any applicable data protection legislation and ensure that its own employees or any third party used by it for Personal Data Processing complies with the same;

5.2.3. process the Personal Data only on behalf of the Customer and in compliance with its instructions and the DPA.

5.3. Marosa shall take all appropriate technical and organizational security measures to prevent the destruction, loss or alteration, unauthorized disclosure of Personal Data or unauthorized access to such data, either accidentally or unlawfully.

5.4. If requested by the Customer and within the time frames as reasonably determined by the Customer, Marosa shall supply the Customer with full details of the technical and organizational measures in place to safeguard the security of the Personal Data and compliance with Appendix II “Technical and Organisational Security Measures Applied by Marosa”. Marosa shall enable the Customer to carry out security audits and take all necessary steps to verify the implementation of the technical and organizational security measures. All costs related to the fulfilment of the obligations specified herein, incl. costs related to the organization of an audit, shall be borne by the Customer.

5.5. Marosa shall notify the Customer without undue delay if it becomes aware of any Personal Data Breach. The notification provided to the Customer shall describe the nature of the Personal Data Breach and any relevant details. 

6. International Transfers

6.1. Any transfer of Personal Data to a third country or an international organisation by Marosa shall be done only on the basis of documented instructions from the Customer or in order to fulfil a specific requirement under Union or Member State law to which Marosa is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 or Regulation (EU) 2018/1725.

6.2. Marosa agrees that where Marosa engages a Sub-Processor for carrying out specific processing activities (on behalf of the Customer) and those processing activities involve a transfer of Personal Data within the meaning of Chapter V of Regulation (EU) 2016/679, Marosa and the Sub-Processor can ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission in accordance with Article 46(2) of Regulation (EU) 2016/679, provided the conditions for the use of those standard contractual clauses are met.

7. Liability

7.1. The Customer shall assume liability for damage, administrative fines or any other claims arising with regard to the Customer’s violation of the DPA or requirements of the applicable law.

8. Safety Measures for Protection of Personal Data

8.1. Marosa takes the appropriate legal, organizational, and technical measures to protect Personal Data consistent with applicable privacy and data security laws. Security measures shall be applied to protect Personal Data from involuntary or unauthorized processing, disclosure, or destruction and are detailed in Appendix II.

9. Retention Periods

9.1. Marosa shall preserve the Personal Data as long as it is required for the use of the Platform and Services by the Customer and its Authorized Users, but no longer than applicable law permits preservation.

9.2. The Customer confirms that it agrees with the provided retention periods and guarantees to inform and obtain necessary approvals for application of such retention periods.

10. Contact Information

10.1. Should the Customer have any questions regarding this DPA or the processing of Personal Data, it is welcome to contact Marosa with all such requests, inquiries or any complaints via e-mail: [email].

Appendix I – Description of the Processing

Categories of data subjects whose personal data is processed:

  • Employees, contractors, or agents of the user (business) who interact with the tax technology software, including those who manage the software, input invoice data, or oversee VAT returns, and provide their name, telephone number, and email address.
  • Representatives or contact persons of the Customer, vendors, or business partners whose name, telephone number, and email address may be included in the invoice information processed by the tax technology software.
  • Any other individuals whose personal data may be contained in the invoice information or related records processed by the tax technology software, as required for the preparation and filing of VAT returns.

Sensitive Information:

The tax technology software is designed to process invoice information for the purpose of preparing and filing VAT returns, as well as the names, telephone numbers, and email addresses of users interacting with the Platform. The Platform does not process sensitive data, also known as special categories of personal data under the GDPR, which includes information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation. The Platform is intended solely for processing non-sensitive personal data necessary for its intended purpose, and users are advised not to input or upload any sensitive data while using the Platform.

Nature, purpose and duration of the processing:

  • Purpose: The primary purpose of processing personal data within the tax technology Platform is to facilitate the provision of Services to the Customer, including preparation and filing of VAT returns for users, streamline tax-related processes, and ensure compliance with applicable tax laws and regulations.
  • Collection: Marosa collects users' names, telephone numbers, and email addresses, as well as invoice data required for the preparation and filing of VAT returns.
  • Storage: Personal data is securely stored within the Platform’s databases or data storage systems, in accordance with applicable data protection regulations and industry best practices.
  • Analysis: The Platform processes and analyzes invoice data to calculate VAT amounts, generate VAT returns, and identify potential tax savings or discrepancies.
  • Reporting: The Platform prepares and generates VAT returns and other relevant tax-related reports based on the processed invoice data.
  • Transfer: The Platform may transfer personal data to authorized third parties, such as tax authorities or other relevant entities, as required for the filing of VAT returns or as mandated by applicable laws and regulations.
  • Deletion and Retention: Personal data is retained for the duration necessary to fulfill the purposes for which it was collected, in compliance with applicable data protection regulations and Marosa’s data retention policies.

Appendix II – Technical and Organisational Measures Including Technical and Organisational Measures to Ensure the Security of the Data

Description of the technical and organizational measures implemented to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks to the rights and freedoms of natural persons.

The following technical and organizational measures are adopted and in place by Marosa:

  • Pseudonymization and encryption of personal data: We currently use encryption for personal data at rest and in transit, employing widely-accepted encryption algorithms.
  • Ensuring ongoing confidentiality, integrity, availability, and resilience: Our team performs regular system maintenance, updates, and security patches to maintain the processing systems' and services' reliability and security.
  • Restoring availability and access after a physical or technical incident: We have implemented a data backup process and a disaster recovery plan to restore data and system access in the event of an incident.
  • Testing, assessing, and evaluating security measures: Our team conducts risk assessments and security reviews periodically to evaluate our security measures and identify areas for improvement.
  • User identification and authorization: We use secure user authentication methods, such as unique passwords, and manage access to personal data based on role-specific permissions.
  • Protection of data during transmission: Our software employs secure communication protocols, like HTTPS, to protect data transmitted over networks.
  • Protection of data during storage: Personal data is stored in secure environments with access controls and encryption, where feasible.
  • Physical security of processing locations: We've implemented basic access controls at facilities where personal data is processed to prevent unauthorized access.
  • Events logging: Our system maintains logs of user activities and system events to support incident detection and response when necessary.
  • System configuration and default configuration: We configure our systems securely and disable unnecessary services or features.
  • IT and IT security governance and management: We have established guidelines for managing IT resources and security, including incident response plans and employee training programs.
  • Certification/assurance of processes and products: We continuously evaluate and seek to improve our software's security practices.
  • Data minimization: We only collect and process personal data that is necessary for our software's intended purpose.
  • Data quality: Our team implements validation checks and data cleansing processes to maintain the accuracy of personal data.
  • Limited data retention: We retain personal data only for the duration necessary to fulfill its purpose and follow a data retention policy.
  • Accountability: We have assigned responsibility for data protection and security to specific individuals within our organization.
  • Data portability and erasure: We offer users the ability to export their data in a machine-readable format and delete personal data upon request, in compliance with GDPR requirements.

Appendix III – List of Sub-Processors

Marosa uses the following service providers for the purpose of providing the Service and Processing the Data Subjects’ Personal Data.

1. Marosa Group Sub-Processors:

The following entities are subsidiaries or Affiliates of Marosa (as defined in the Marosa General Service Terms and Conditions available at). Accordingly, they function as sub-processors when they perform activities to provide the Services. Depending on the geographic location of Customer and the Services provided, Marosa may engage one or more of its subsidiaries or affiliates as sub-processors to deliver some or all of the Services provided to Customer. Marosa subsidiaries or affiliates are as follows:

| Entity Name | Country |
| --- | --- |
| MAROSA BELGIUM SRL | Belgium |
| MAROSA FRANCE SASU | France |
| MAROSA ITALY S.R.L. | Italy |
| Marosa Netherlands BV | Netherlands |
| MAROSA POLAND SPÓŁKA Z OGRANICZONĄ ODPOWIEDZIALNOŚCIĄ | Poland |
| MAROSA PORTUGAL, UNIPESSOAL LDA | Portugal |
| MAROSA VAT SL. | Spain |

2. Marosa External Sub-Processors:

Information Collection and Use