Agreement on commissioned processing pursuant to Art. 28 (3) of the General Data Protection Regulation (GDPR)

1 Subject matter, duration and specification of the commissioned processing

The subject matter of the order as well as the type and purpose of the processing are set out in Annex 1. The duration is based on the provisions of the main contract.

2 Scope of application and responsibility

2.1 The Contractor shall process personal data on behalf of the Client. This includes activities that are specified in the contract and in the service description. Within the scope of this contract, the Customer shall be solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the transfer of data to the Contractor as well as for the lawfulness of the data processing (“Responsible Party” within the meaning of Art. 4 No. 7 GDPR).

2.2 The instructions shall be stipulated by the main contract and may thereafter be amended, supplemented or replaced by the Customer by means of individual instructions issued in writing or in text form (e.g. e-mail) to the office designated by the Contractor. Instructions not provided for in the contract shall be treated as a request for a change in performance. Verbal instructions shall be confirmed immediately by the Client in writing or in text form.

3 Obligations of the Contractor

3.1 The Contractor may only process personal data that are the subject of the order within the scope of the order and the Client’s instructions unless an exceptional case within the meaning of Article 28 (3) a) of the GDPR exists and its requirements are met.

3.2 The Contractor shall inform the Client immediately if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Customer.

3.3 The Contractor shall take technical and organizational measures for the adequate protection of the Client’s data that meet the requirements of the General Data Protection Regulation (Art. 32 GDPR). In particular, the Contractor shall take technical and organizational measures, measured against the risk to the rights and freedoms of the data subjects, which ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the Processing on a permanent basis. The Contractor shall document the required technical and organizational measures prior to the start of the Processing and provide them to the Customer for review. The details of these technical and organizational measures are set out in Annex 2. The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor shall be permitted to implement alternative adequate measures. These shall be documented accordingly by the Contractor. In doing so, the security level of the measures specified in Annex 2 must not be undercut.

3.4 The Contractor shall adequately support the Client in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR and in complying with the obligations set out in Articles 33 to 36 of the GDPR.

3.5 The Contractor shall ensure that the employees involved in the processing of the Client’s data and other persons working for the Contractor are prohibited from processing the data outside of the instruction. Furthermore, the Contractor warrants that the persons responsible for processing the personal data have committed themselves to confidentiality and that this confidentiality obligation shall continue to apply even after termination of the order.

3.6 The Contractor shall inform the Client without undue delay if it becomes aware of any breaches of the protection of the Client’s personal data. A notification of a data protection violation must contain at least:

  • a description of the incident, including, to the extent possible, the nature of the personal data breach, the categories and approximate number of individuals affected, and the categories and approximate number of personal data records affected
  • the name and contact details of the data protection officer or other point of contact for further information
  • a description of the likely consequences of the reported incident, a description of the measures taken to remedy it and, if applicable, measures taken to mitigate its possible adverse effects

3.7 The Contractor shall name to the Customer the contact person for data protection issues arising under the contract.

3.8 The Contractor warrants that it will implement a procedure for the regular review of the effectiveness of the technical and organizational measures to ensure the security of the Processing (Art. 32 (1) lit. d GDPR).

3.9 During the term of the contract, the Contractor shall correct or delete the data subject to the contract at the Client’s instruction. If it is not possible to delete this data in accordance with data protection requirements, the Contractor shall ensure that the data carriers and documents containing the contractual data are destroyed in accordance with data protection requirements. Data carriers and processed data handed over to the Contractor by the Customer, including copies made. The Contractor shall correct or delete the data that are the subject matter of the Contract if the Customer instructs it to do so and this is covered by the scope of the instructions. If deletion in conformity with data protection or a corresponding restriction of data processing is not possible, the Contractor shall undertake the destruction of data carriers and other materials in conformity with data protection on the basis of an individual order by the Customer or shall return these data carriers to the Customer, unless already agreed in the contract. In special cases to be determined by the Customer, storage or transfer, remuneration and protective measures shall be carried out by the Contractor.

3.10 After the end of the order, data, data carriers and all documents shall either be surrendered at the request (in writing or in text form) of the Customer, provided they are the property of the Customer, or deleted. If additional costs are incurred due to deviating specifications for the return or deletion of the data, these shall be borne by the Client.

4 Duties of the Customer

4.1 The Principal shall inform the Contractor immediately and in full if it discovers errors or irregularities in the results of the order.

4.2 In the event of a claim against the Contractor by a data subject with regard to any claims for damages pursuant to Art. 82 of the GDPR, §3 (4) shall apply accordingly.

5 Requests from data subjects

If a data subject approaches the Contractor with requests pursuant to Articles 15 to 21 of the GDPR, the Contractor shall immediately refer the data subject to the Client and shall forward the request to the Client. The Contractor shall support the Client in fulfilling these requests of the Data Subjects to the extent necessary.

6 Means of proof

6.1 The Contractor shall prove to the Customer compliance with the obligations set forth in this Agreement by appropriate means. The Contractor undertakes to make the documented controls and necessary information available to the Customer upon request. In particular, the implementation of the technical and organizational measures pursuant to Art. 32 GDPR shall be proven.

6.2 Evidence of compliance with the obligations set forth in this Agreement may be provided by means of

  • current attestations, reports or report extracts from independent bodies (e.g. auditors, auditing, data protection officers, IT security department, data protection auditors, quality auditors)
  • self-audits
  • suitable certification by IT security or data protection audit (e.g., in accordance with BSI-Grundschutz, ISO 27001, ISO 27018, ISO 27701)
  • compliance with approved rules of conduct in accordance with Art. 40 GDPR
  • certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR

6.3 Inspection rights

6.3.1 The Contractor undertakes to support the Customer in its audits pursuant to Art. 28 (3) sentence 2 lit. h GDPR regarding compliance with the regulations on data protection as well as the contractual agreements to the appropriate and necessary extent.

6.3.2 The audits shall be carried out by the Customer itself or by a third party commissioned by it. If the third party commissioned by the Customer is in a competitive relationship with the Contractor, the Contractor shall have a right of objection against it. Commissioned third parties must be bound to secrecy by the Customer. The Contractor shall be entitled to demand that the commissioned third party submit a separate declaration of confidentiality. This applies in particular to the submission of declarations of professional or legal confidentiality.

7 Further Processors (Subcontractors)

7.1 A subcontractor relationship requiring consent exists if the Contractor commissions further contractors to process personal data as agreed in the contract. The Contractor shall enter into agreements with these third parties to the extent necessary to ensure appropriate data protection and information security measures.

7.2 The use of subcontractors as further processors is only permitted if the Customer has given its prior consent.

7.3 The Customer agrees that the Contractor may involve subcontractors. The Contractor shall inform the Customer before calling in or replacing the subcontractors. The Customer may object to the change vis-à-vis the Contractor within a reasonable period of time for an important reason under data protection law. If no objection is made within the time limit, the consent to the change shall be deemed given. If there is an important reason under data protection law and if a mutually agreeable solution cannot be found between the parties, the Customer shall be granted a special right of termination.

7.4 If the Contractor places orders with subcontractors, it shall be incumbent on the Contractor to assign its data protection obligations under this Agreement to the subcontractor.

7.5 The subcontractors listed in Annex 3 shall be deemed approved.

8 Transfer to Third Countries

There shall be no transmission to third countries outside the EU and the EEA.

9 Liability

The Client and the Contractor shall be liable vis-à-vis data subjects in accordance with the provision set out in Art. 82 GDPR.

10 Duty to inform, written form clause, choice of law

10.1 Should the Customer’s data at the Contractor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Customer thereof without undue delay. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Customer as the “responsible person” within the meaning of the General Data Protection Regulation.

10.2 Amendments and supplements to this Annex and all its components - including any warranties of the Contractor - shall require a written agreement, which may also be in an electronic format (text form), and the express indication that it is an amendment or supplement to these Terms and Conditions. This shall also apply to any waiver of this formal requirement.

10.3 In the event of any contradictions, the provisions of this Annex on data protection shall take precedence over the provisions of the Agreement. Should individual parts of this Annex be invalid, this shall not affect the validity of the rest of the Annex.

10.4 German law shall apply.

Annex 1

Overview of data and processing activities

The Client shall transfer to the Contractor the following types of personal data relating to the following categories of data subjects.

1 Categories of data subjects

  • Internet users
  • Customers
  • Interested parties
  • Other

2 Type of personal data

2.1 Contact and identification data

  • First and last name, e-mail, address

2.2 Financial and insurance data

  • Credit card data

2.3 Other personal data

  • IP address, user agent, URLs

3 Description of the purpose and nature of the processing of personal data

The Contractor provides the Client with software for statistical reach measurement and performance evaluation of web offers such as websites, online stores or apps.

In doing so, the Contractor obtains access to personal data and processes them exclusively on behalf of and according to the instructions of the Customer, unless the Contractor is obligated to process them otherwise by the law of the Union or the member states to which it is subject. The Client shall be solely responsible for assessing the permissibility of the data processing pursuant to Art. 6 (1) GDPR.

Annex 2

Technical and organizational measures of the Contractor

The Contractor shall take the following technical and organizational measures (hereinafter TOMs) for data security within the meaning of Art. 32 GDPR. The aim is to ensure in particular the confidentiality, integrity and availability of the information processed in the order. The TOMs in the data center are ensured by our subcontractor Hetzner Online GmbH and are subject to regular audits.

1 Confidentiality (Art. 32 para. 1 lit. b GDPR)

1.1 Physical access control

  • Key

1.2 System access control

  • Key
  • Passwords
  • Anti-virus software clients
  • Firewall
  • Encrypted transmission
  • Rights management
  • Privacy policies

1.3 Data access control

  • Authorization concepts and needs-based access rights

1.4 Separation control

  • Separation of productive and test environment
  • Physical separation
  • Multi-client capability
  • Control via authorization concept
  • Definition of database rights

2 Integrity (Art. 32 para. 1 lit. b GDPR)

2.1 Transfer control

  • Description of interfaces
  • Secure data transfer between server and client
  • Secure transmission in the backend
  • Secure transmission to external systems

2.2 Input control

  • Logging of input
  • Documentation of input authorizations

3 Availability and resilience

  • Backup
  • Firewall
  • Recovery concept
  • Monitoring
  • Data backup concepts and implementation

4 Data protection organization

  • Definition of responsibilities
  • Implementation and control of suitable processes
  • Reporting and approval process
  • Implementation of training measures
  • Commitment to confidentiality
  • Regulations on the internal allocation of tasks

5 Process for regular review, assessment and evaluation (Art. 32 (1) (d) GDPR; Art. 25 (1) GDPR)

  • Process for evaluating technical and organizational measures
  • Security incident management process (emergency plan)
  • Execution of technical reviews

Annex 3

The Contractor shall use the services of the following subcontractors for the processing of data on behalf of the Customer.

  • Hetzner Online GmbH, Gunzenhausen: The company provides the corresponding servers for hosting the application. A DPA exists with Hetzner Online GmbH.

The document has been machine translated; in case of legal proceedings, the German original shall prevail.


  • Jun 28, 2023: Initial Version