No, this is not necessary for the following reasons:
AZUM system PLC (AZUM) is to be classified as a data controller ("controller" pursuant to Art. 4 No. 7 GDPR) and not as a data processor ("processor" pursuant to Art. 4 No. 8 GDPR). Therefore, the contractual relationship between AZUM and the end customers is to be governed by General Terms and Conditions (GTC) and a data protection declaration, and not by a data processing agreement (DPA).
– According to the definition of the GDPR, the controller is the person who decides on the purposes and means of the processing of personal data. The processor processes data on behalf of a controller. It is therefore a question of who factually makes the decision as to whether and how the processing of the data takes place.
– As the operator of the application and website, AZUM decides whether and how the customers’ data is processed. AZUM defines in its GTC what its service is. The customer cannot determine how AZUM processes the data (they can only decide whether they want to be a customer or not).
– Facebook, Instagram etc. are all clearly classified as data controllers. In contrast, cloud providers, server infrastructure providers etc. are typically classified as processors.
– AZUM is therefore classified as a data controller and not as a processor. Accordingly, AZUM concludes GTC with all users, and a DPA is neither necessary nor the legally correct instrument. Furthermore, AZUM must explain to its customers in a data protection statement which data is processed, how and for what purpose, etc.