entered into by and between
(referred to hereinafter as “Service Provider”)
(referred to hereinafter as “Principal“)
1.1 This Agreement for data processing on behalf (referred to hereinafter as “DPA”) sets out the rights and duties of the parties under data protection law. These rights and obligations arise from the contracts concluded between the parties, in particular the agreements on the use of the Provider's services and the General Terms and Conditions of Use for Business Customers, also referred to as ANB-B (hereinafter referred to collectively as the "Main Contract"), insofar as this involves processing of personal data by the Provider for the Customer pursuant to Art. 28 GDPR
1.2 In the case of discrepancies, the provisions of this DPA including all its components have priority over the provisions of the appropriate main contract.
1.3 The duration of the order is specified in the main contract.
1.4 Personal data from the Principal’s sphere of control is processed comprehensively - in particular collected, stored, altered, read out, retrieved, used, disclosed, adjusted, interconnected and deleted - by the Service Provider in accordance with Art. 4 no. 2 GDPR exclusively for the purpose of fulfilling the obligations of the Service Provider under the main contract in connection with the provision of the cloud services and, if applicable, the migration of existing data.
1.5 The following categories of data may be included in and concerned by the processing:
· Master data (addresses)
· Health data
· Personnel and identification numbers
· Credit card data
· Trip booking and travel expense accounting data
· Working hours
· Customer conduct
· Data relating to telecommunication costs accounting
· Audio data
· Wages and salary data
· Data relating to telecommunication connections
· Bank data including payment transactions
· Employees’ evaluation
· Telephone numbers
· Applicants’ data
· Employees (qualifications)
· Contract data
· Image data
· Video data
· User names
· Payment data
· Access data
1.6 The following categories of data subjects may be included in and concerned by the processing:
· Trainees, apprentices and interns
· former employees
· Shareholders, officers/ executive bodies (“Organe”) of the company
· Employees’ relatives
· Potential customers
· Suppliers and service providers
· Tenants/ lessees
· Business partners
· External consultants
· Representatives of the press
1.7 The activity of the Service Provider serves the following agreed purposes:
· Assistance with the implementation of contracts or orders
· Distribution or dispatch of goods or provision of services
· Support of customers and business partners
· Customer surveys within the scope of market and opinion research
· Guarantee of proper and legally compliant accounting
· invoicing for goods or services
· Maintenance and administration of employee data
· Employee Development Planning
· Documentation of working hours
· Payment of salaries and wages
· Planning and administration of further education and training measures
· Employee assessment or performance evaluation
· Management of employees' skills and qualifications
· Administration of applications / Onboarding
· Documentation and definition of compensation and benefits for employees
· Monitoring of operational facilities
· Guarantee of access protection
· Enabling the prosecution of offences
· Exercise of domiciliary rights
· Guarantee of the proper destruction of files and data carriers
· Communication via electronic media
· Enabling the contacting of employees
· Documentation of appointments of employees
· Access management with regard to technology (including telecommunications, network)
· Administration of authorizations
· Management of licenses / software asset management
· Telecommunications expense account
· Maintenance and improvement of communication processes
· Travel booking and travel expense accounting
· Quality assurance
2.1 The Principal is solely responsible under this DPA for compliance with the applicable statutory provisions including but not limited to the lawfulness of the disclosures made to the Service Provider and the lawfulness of data processing (“controller” in terms of Art. 4 no. 7 GDPR).
2.2 The Service Provider, for the purposes of data processing, acts solely on the instructions given by the Principal except in the case of an exemption according to Art. 28 subs. 3 a) GDPR (statutory processing obligation). Oral instructions, if any, must be confirmed in “text form” (“Textform” according to § 126b BGB – German Civil Code) without undue delay (“unverzüglich”). If the Principal acts as a data processor on behalf of a third party, the Principal’s obligations under the data processing contract with the third party are deemed to constitute direct instructions by the Principal which are also applicable in the relationship with the Service Provider if these obligations are stricter than those agreed in this DPA. The Principal will inform the Service Provider of any such third-party requirements regarding data processing on behalf in writing.
2.3 The Service Provider rectifies or deletes the data to be processed under the contract or restricts the processing of such data (referred to hereinafter as “blocking”) if the Principal so instructs the Service Provider and this is within the agreed limits of the authority to give instructions.
2.4 The Service Provider informs the Principal without undue delay (“unverzüglich”) if it considers an instruction to be contrary to the applicable data protection regulations or this DPA. The Service Provider is entitled to suspend the implementation of the instruction until it is confirmed or adjusted by the Principal by notice in text form (“Textform” according to § 126b BGB – German Civil Code). The Service Provider is entitled to refuse the implementation of instructions which obivously are contrary to data protection law.
2.5 The parties designate to each other by notice in text form (“Textform” according to § 126b BGB – German Civil Code) one or several mutual contact persons to be addressed for data protection issues, including their appointed data protection officers. If the contact persons or their contact data change, the parties are obliged to mutually inform each other by notice in text form.
2.6 The Service Provider ensures that the persons who are authorised to process the data (a) are familiar with the instructions given by the Principal and comply with them and (b) have been committed to secrecy or are subject to an appropriate statutory obligation of secrecy. The obligation of secrecy and confidentiality continues in effect even after the termination of the data processing.
2.7 If the Principal acts as a data processor on behalf of a third party, the obligations imposed on the the Service Provider by this DPA are deemed to apply and to be immediately binding also in the relationship between the third party and the Service Provider. This applies to all services which the Service Provider renders to the third party on the Principal’s behalf. The third party is in particular entitled to assert the right to control and information according to § 8 directly against the Service Provider.
3.1 The parties agree TOM according to Art. 32 GDPR to ensure adequate protection of the data (referred to hereinafter as “Annex TOM”).
3.2 The right to make changes to the Annex TOM is reserved to the Service Provider; it must however be ensured that the changes do not cause the overall protection level to fall below the contractually agreed protection level. The Service Provider is obliged to notify the Principal of any essential changes by notice in text form (“Textform” according to § 126b BGB – German Civil Code) and such essential changes are subject to prior consent to be given by the Principal by notice in text form.
4.1 The Service Provider is obliged to notify the Principal without undue delay (“unverzüglich”) if it becomes aware of any breach of the data entrusted to it by the Principal which has occurred within its sphere of organisation, as described in Art. 4 no. 12 GDPR, or if there is any specific reason to suspect that a data breach has occurred with the Service Provider.
4.2 The Principal is obliged to inform the Service Provider without undue delay (“unverzüglich”) if it becomes aware of any processing errors.
4.3 The Service Provider is to take, without undue delay (“unverzüglich”), all measures which are required to eliminate the data breach described in § 4.1 or the errors described in § 4.2 and mitigate any possible detrimental consequences or impact, in particular with regard to the data subjects concerned. For such purpose, the Service Provider consults with the Principal. Oral information about any incidents according to § 4.1 or § 4.2 must be documented and confirmed by notice in text form (“Textform” according to § 126b BGB – German Civil Code) without undue delay (“unverzüglich”).
The transfer of data to a recipient in a third country outside the EU and the EEA is permissible if the requirements fixed in Articles 44 et seqq. GDPR are complied with.
6.1 The Service Provider may have the processing of personal data wholly or partly performed by other processors (hereinafter referred to as "subcontractors"). The Service Provider shall inform the Principal in text form in good time in advance about the assignment of subcontractors or changes in subcontracting. The Principal may object to the subcontracting in text form within four weeks of becoming aware of it, if there are objective reasons for doing so. The Service Provider shall agree with the subcontractor on the content of the provisions of these DPA in the same way. In particular, the TOMs to be agreed with the subcontractor must provide an equivalent level of protection.
6.2 The Service Provider shall agree with the Subcontractor on the content of the provisions of these DPA. In particular, the TOMs to be agreed with the subcontractor must provide an equivalent level of protection. No subcontracting in the sense of this regulation are services which the Service Provider uses as a mere ancillary service to support his business activities outside the processing of the order. The Service Provider is, however, obliged to take appropriate precautions to ensure the protection of the data also for such ancillary services.
10.3 The Supplier shall use the following subcontractors for the processing
· CANCOM Managed Services GmbH, Von-der-Wettern-Straße 27, 51149 Köln
(Purpose: Computer centre services)
· d.velop AG, Schildarpstrasse 6-8, 48712 Gescher
(Purpose: Assistance with the operation, support, etc. of the platform)
An agreement on order processing was concluded with both subcontractors in accordance with the legal requirements of Art. 28 GDPR. This agreement reflects in particular the requirements of Art. 28 para. 2, para. 4 GDPR, which specifically refer to the commissioning of subcontractors. A further component of these agreements is in particular that the subcontractors ensure that they have taken appropriate and suitable technical and organisational measures in accordance with Art. 32 GDPR with regard to the processing of personal data carried out by you.
For the operation of the customer systems, both subcontractors use exclusively German data centers. CANCOM Managed Services GmbH has been certified many times (including DIN ISO/IEC 27001) and both subcontractors guarantee a secure operation of the IT systems provided to the customer by d.velop business Services GmbH.
For legal reasons, it is not possible to integrate further details on the technical and organisational measures of the two subcontractors directly into this data protection concept. Disclosure for examination by the customers of d.velop business services GmbH requires the prior signing of a non-disclosure agreement in favour of the respective subcontractor.
If a data subject asserts claims according to chapter III GDPR against any of the parties, such party is to inform the other party without undue delay (unverzüglich”). The Service Provider supports and assists the Principal within the realms of possibility in handling any such claims and in complying with the duties specified in Art. 33 to 36 GDPR.
8.1 The Service Provider provides the Principal with appropriate evidence to demonstrate compliance with its duties. The Principal checks the appropriateness of the evidence provided.
8.2 As to compliance with and implementation of the agreed protection measures and their proven efficiency, the Service Provider may refer to adequate certifications or other appropriate testing records or certificates. In particular, certifications according to Art. 40 GDPR and other certifications or evidence according to Art. 42 GDPR are deemed to be adequate certifications or evidence. In addition, the following certifications may be appropriate, too: certification according to ISO 27001 or ISO 27017, an ISO 27001 certification based on IT Grundschutz (IT basic protection), certification according to acknowledged and appropriate industry standards or a testing certificate according to SOC / PS 951. The certification and testing procedures must be conducted by an acknowledged independent third party. The Service Provider is obliged to make its certificates or testing certificates available to the Principal. Appropriate additional documents (e.g. activity reports of the data protection officer or extracts from auditors’ reports) can also be made available to the Principal to document compliance with the agreed protection measures. The Principal’s right to inspection according to § 8.3 remains unaffected.
8.3 The Principal is entitled to conduct, during usual business hours and without interfering with the Service Provider’s operations and, as a rule, following an appropriate notification to be given reasonable time before the intended audit, audits/ inspections at the Service Provider’s premises to verify compliance with the applicable data protection regulations. The Service Provider may request as a prerequiste for the audit/ inspection the prior signing of a non-disclosure agreement to ensure confidentiality of the data of other customers and the TOM implemented by the Service Provider.
8.4 If insufficiencies are found in the audit/ inspection, the parties will consult on the measures to be implemented for remedy.
8.5 If a supervisory authority makes use of its powers according to Art. 58 GDPR, the parties are to inform each other without undue delay (“unverzüglich”). They support and assist each other within their respective sphere of control and responsibility in fulfilling the obligations imposed on them by the competent supervisory authority.
If social data within the meaning of § 67 subs. 2 SGB X (German Social Code X – new version) is processed on behalf under this DPA, this DPA applies along with the following prevailing regulations and “data” is then deemed to include personal data within the meaning of Art. 4 no. 1 GDPR and social data as defined by § 67 subs. 2 SGB X (German Social Code X – new version).
9.1 If social data is transferred to a recipient in a third country or in an international organisation, § 77 SGB X (German Social Code X – new version) and § 80 subs. 2 SGB X (German Social Code X – new version) must be observed and complied with in addition to § 5.
9.2 The Principal has fulfilled the duty to give prior notice of the intended data processing on behalf according to § 80 subs. 1 sentence 1 SGB X (German Social Code X – new version). If the Service Provider is a public body, the Service Provider has fulfilled the duty to give prior notice of the intended data processing on behalf according to § 80 subs. 1 sentence 1 SGB X (German Social Code X – new version).
9.3 If the Service Provider is a non-public body, the Principal makes sure that the special conditions required for the contract for data processing on behalf according to § 80 subs. 3 SGB X (German Social Code X – new version) are fulfilled if the processing on behalf does not pertain to the audit or maintenance of automated procedures or of data processing equipment where access to social data cannot be ruled out.
9.4 If disturbances of the operations are to be expected or have already occurred in the processing procedures carried out on behalf which pertain to the audit or maintenance of automated procedures or of data processing equipment where access to social data cannot be ruled out, the Principal is obliged to notify the legal or technical supervisory authority (“Rechts- oder Fachaufsicht”) without undue delay (“unverzüglich”) according to § 80 subs. 5 sentence 2 SGB X (German Social Code X – new version).
The Service Provider, when processing data on behalf, is obliged to maintain bank secrecy if and to the extent the Principal is subject to bank secrecy. The Principal will inform the Service Provider accordingly if this cannot be seen from the main contract or if this is not obvious by the Principal’s position. Bank secrecy applies to all personal data and other information regarding the Principal’s customers, potential customers or third parties of which the Principal takes cognizance in the context of its business relationship with them. Bank secrecy also comprises information on whether the Principal has a business relationship with a customer at all.
11.1 If a data subject asserts claims for damages against either of the parties for breach of data protection regulations, the party against which the claims are asserted is obliged to inform the other party without undue delay (“unverzüglich”).
11.2 The Principal and Service Provider are liable to the data subjects according to the regulation contained in Art. 82 GDPR.
11.3 The parties support and assist each other in defending themselves against the claims for damages asserted by data subjects unless this would endanger the legal position of one party in relation to the other party or the supervisory authority or to third parties.
The term of this DPA is linked to the term of the main contract.
13.1 If the Principal’s data should be endangered while under the Service Provider’s custody due to seizure or confiscation, insolvency or composition proceedings or other incidents or measures taken by third parties, the Service Provider is obliged to inform the Principal by notice in text form (“Textform” according to § 126b BGB – German Civil Code) without undue delay (“unverzüglich”). The Service Provider is obliged to inform all responsible parties involved without undue delay (“unverzüglich”) that the responsibility for the data lies exclusively with the Principal.
13.2 There are no oral side agreements. Changes and amendments to the DPA require appropriate agreement in text form (“Textform” according to § 126b BGB – German Civil Code) to be valid as well as explicit reference to this DPA. Any non-compliant oral agreements between the parties are deemed to be invalid This also applies to any changes to the present clause.
13.3 If only one provision of this DPA should be or become invalid or void in whole or in part, this will be without prejudice to the validity of the remaining provisions of this DPA. The statutory provisions will apply in lieu of the invalid or void provision if the gap which has arisen as a result of the invalidity cannot be filled by supplementary contract interpretation (“ergänzende Vertragsauslegung”) according to §§ 133, 157 BGB (German Civil Code). However, in this case, both parties are obliged to enter into negotiations without undue delay (“unverzüglich”) to reach an agreement to replace the invalid or void provision and which corresponds most closely to the legal and economic purpose and intention of the invalid or void provision and which in particular comes up to the nature of the agreement which is an agreement for the performance of a continuing obligation (“Dauerschuldverhältnis”) and which is meant to regulate data protection issues.
13.4 This DPA is governed by German law with the exception of the conflict of laws rules; Art. 3 subs. 3 and subs. 4 of the Rome I Regulation remain unaffected.