There are some some contradictions between the Data Processing Agreement (DPA) and the Global Data Privacy Addendum (GDPA).
It seems, like I cannot get a sufficient answer from the support team, so I am trying it here.
So there are contradictions in regards to the processing of Sensitive Personal Data. The GDPA states: “Sensitive Personal Data and applied restrictions: None” (so processing of those data should not be carried out). Whereas the DPA says: “As the Controller, Customer may choose to collect and process Special Categories of Data, as described in GDPR Article 9, 10. Customer will list such additional or specified categories herein or inform Tivian separately in writing.” (so it can be done but has to be marked as such and/or announced to TIVIAN)
second example: regarding “Sub-processors” the GDPA states customers can object within 15 days, whereas the DPA speaks about 30 days.
So in general, I am confused what the binding contract is. And in general: what is the rule, because I have to justify these contradictions to our data protection team before I can carry out a study with Unipark.
Best regards
