This data processing agreement (AV agreement) specifies the data protection obligations of the contracting parties that arise from the services presented in the subject matter of the order.
All obligations described in this contract apply to all activities related to the performance of the contract and in which employees of the contractor or third parties commissioned by the contractor come or may come into contact with the client’s personal data.
Part of the contract implementation is the processing of personal data. In particular, Art. 28 GDPR sets out certain requirements for such data processing. To meet these requirements, the parties conclude the following agreement.
The subject of this contract is exclusively data protection regulations for order processing. Criminal law provisions such as Section 203 of the German Criminal Code cannot be the subject of the contract.
1 Definitions
For terms used in this agreement for which Art. 4 GDPR, Section 2 UWG and Section 2 TMG as well as the State Data Protection Act/State Hospital Act provide a definition, this legal definition in the version valid at the time the contract is concluded also applies to this contract.
2 Information about the competent data protection supervisory authority
(1) The competent data protection supervisory authority for the Contractor is the State Commissioner for Data Protection of Lower Saxony.
(2) The Client and the Contractor and, where applicable, their representatives shall, upon request, cooperate with the data protection supervisory authority in the performance of their duties.
3 Subject of the contract
(1) The contractor provides services for the client on the basis of the main contract. In certain cases (e.g. maintenance work or support services), the contractor and its employees or persons appointed by the contractor are granted access to personal data and process this data on behalf of and in accordance with the instructions of the client. The scope and purpose of the data processing by the contractor are set out in the main contract (and, if available, in the associated service description) and in Annex 1 – Description of the persons/groups of persons affected and the data/data categories requiring particular protection to this contract.
(2) The Client is responsible for assessing the admissibility of the data processing and the extent of the data processing.
(3) The parties conclude this agreement to specify their mutual data protection rights and obligations. In case of doubt, the provisions of this contract take precedence over the provisions of the main contract.
(4) The term of this contract shall be based on the term of the main contract, provided that the following provisions do not result in obligations that extend beyond the term of the main contract. Termination rights arising from this contract remain unaffected by the above provision.
(5) This Agreement shall remain valid beyond the end of the Main Contract as long as the Contractor retains personal data that was provided to him by the Client or that he has collected for him.
4 Responsibility
(1) Within the framework of this contract, the client is responsible for compliance with the statutory provisions, in particular for the legality of data processing (“controller” within the meaning of Art. 4 No. 7 GDPR).
(2) The contents of this AV Agreement shall apply accordingly if the testing or maintenance of automated procedures or data processing systems is carried out on behalf of the customer and access to personal data cannot be excluded.
(3) The Client and the Contractor must each ensure that the persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. To this end, all persons who can access the client's personal data in accordance with the contract must be obliged to maintain data secrecy and be informed of their data protection obligations. Each party is responsible for obliging its own staff. Furthermore, the persons employed must be informed that data secrecy continues to apply even after the activity has ended.
(4) The Client and the Contractor are responsible for compliance with the data protection laws applicable to them with regard to the data to be processed.
5 Place of performance
(1) The Contractor shall provide the contractual services in Germany, and any subcontractors shall provide the services at the service locations agreed with the Client in Annex 3 – Approved Subcontractors in the European Union (EU) or the European Economic Area (EEA).
(2) The Client agrees to a relocation of a place of performance within the country of performance for which consent has been given if it can be demonstrated that the same level of security exists there and no legal provisions applicable to the Client speak against this relocation. The burden of proof for this lies with the Contractor.
(3) If the place of service provision is relocated to countries that are members of the EU/EEA and have a verified level of data protection that satisfies this contract, the Client will be informed in writing.
(4) If, within four weeks of receipt of the notification of the relocation pursuant to paragraph 3, the Client does not inform the Contractor of reasons which do not permit the relocation, the Client shall be deemed to have given its consent to this relocation.
(5) If the Contractor wishes to provide the services owed in whole or in part from a location outside the EU/EEA in a so-called safe “third country” or plans to relocate the provision of services there, the Contractor will first obtain the written consent of the Client.
(6) If the relocation of services to another country is possible according to the above provisions, this shall apply accordingly to any access or viewing of the data by the Contractor, e.g. within the framework of internal controls or for the purposes of development, conducting tests, administration or maintenance.
(7) If the data processing may be carried out outside Germany in accordance with this Agreement and the statutory provisions for the processing of personal data on behalf of or for the transmission of personal data abroad, the Contractor will ensure compliance with and implementation of the statutory requirements to ensure an adequate level of data protection in the event of relocations and cross-border data traffic.
6 Remote access
The following additional rights/obligations of the client/contractor apply to the implementation of remote access for the testing and/or maintenance of automated procedures or data processing systems or for remote access for other services:
(1) Remote access within the scope of testing and/or maintenance work on workstation systems will only be carried out after approval by the respective authorized person/responsible employee of the client.
(2) Remote access within the scope of testing and/or maintenance work on automated procedures or data processing systems shall, unless access to personal data can be safely excluded, be carried out exclusively with the consent of the Client (also verbally by employees of the Client).
(3) The Contractor’s employees shall use appropriate identification and encryption procedures.
(4) Before carrying out remote access, the Client and the Contractor shall agree on any necessary data security measures in their respective areas of responsibility.
(5) Remote access as part of inspection and/or maintenance work is documented and logged. The client is entitled to monitor inspection and maintenance work before, during and after execution. In the case of remote access, the client is entitled - as far as technically possible - to monitor this from a control screen and to cancel it at any time.
(6) The Contractor shall only use the access rights granted to him to automated procedures or data processing systems (in particular IT systems, applications) of the Client to the extent - including in terms of time - as is necessary for the proper execution of the commissioned maintenance and inspection work.
(7) If the provision of services requires activities for error analysis which require knowledge (e.g. also read access) or access to the Client’s effective data (production/real data), the Contractor will obtain the Client’s prior consent.
(8) Error analysis activities that require a data copy of the actual operating data require the prior consent of the client. If the actual operating data is copied, the contractor will delete these copies after the error has been corrected, regardless of the medium used. Actual data may only be used for the purpose of error analysis and only on the equipment provided by the client or on that of the contractor, provided that the client has given prior consent. Actual data may not be copied to mobile storage media (PDAs, USB memory sticks or similar devices) without the client's consent.
(9) Remote access as part of testing and/or maintenance work and all activities required in this context, in particular activities such as deletion, data transfer or error analysis, will be carried out taking into account technical and organizational measures to protect personal data. In this context, the Contractor will take the technical and organizational measures as described in Annex 2 – Technical and organizational measures of the Contractor.
7 Correction, restriction of processing, deletion and return of data carriers
(1) During the ongoing contract, the Contractor shall correct, delete or block the data subject to the contract only on the instructions of the Client.
(2) If destruction is to be carried out during the ongoing contract, the Contractor will only undertake the destruction of data storage media and other materials in a manner that is demonstrably compliant with data protection regulations if the Client has specifically commissioned the destruction. This does not apply if a corresponding provision has already been made in the main contract.
(3) In special cases to be determined by the Client, storage or handover shall take place.
(4) After completion of the contractual work – or earlier upon request by the Client – the Contractor shall hand over to the Client or, at the Client's instruction, delete or destroy in accordance with data protection regulations:
(a) all documents or data media that have come into his possession in the context of the contract,
(b) processing results created,
(c) data sets related to the contractual relationship,
provided that there is no legal obligation to retain the data. The deletion log must be presented on request.
(5) If additional costs arise due to deviating specifications for the release or deletion of data, a prior written agreement on the bearing of costs is required.
(6) If transport of the storage medium before deletion is unavoidable, the Contractor will take appropriate measures to protect it, in particular against theft, unauthorized reading, copying or modification. The measures and the deletion procedures to be used will be agreed in more detail in addition to the service descriptions if necessary.
(7) Documentation that serves as proof of the order and proper data processing must be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods. The Contractor may hand it over to the Client at the end of the contract to relieve him of liability.
(8) The Client may at any time, i.e. both during the term of the contract and after termination, request the rectification, erasure, restriction of processing (blocking) and release of data by the Contractor, as long as the Contractor has the opportunity to comply with this request.
(9) The contractor will correct, delete or block the data that is the subject of the contract if the client instructs this. The contractor will undertake the destruction of data media and other materials in accordance with data protection regulations on the basis of an individual order from the client, unless otherwise agreed in the contract. In special cases to be determined by the client, the data will be stored or handed over. If a data subject should contact the contractor directly to correct or delete his data, the contractor will forward this request to the client immediately.
(10) If the Client is unable to take back the data, he will inform the Contractor in writing in good time. The Contractor is then entitled to delete personal data on behalf of the Client.
8 Right to give instructions
(1) The contractor may only process data within the scope of the services that are the subject of the main contract and in accordance with the written instructions of the client. If the contractor is required to carry out further processing by the law of the European Union or the Member States to which it is subject, it shall inform the client of these legal requirements before processing, provided that it is legally permitted to do so.
(2) The client's instructions are initially specified in this contract and can then be changed, supplemented or replaced by the client in written or text form through individual instructions (individual instructions). The client is entitled to issue appropriate instructions at any time. This includes instructions regarding the correction and deletion of data as well as the restriction of processing. The persons authorized to give instructions are listed in Annex 4 – Persons authorized to give instructions. In the event of a change or a long-term inability of the named persons, the contractual partner must be informed immediately in text form of the successor or representative.
(3) All instructions given (including verbal ones) must be documented by both the client and the contractor. Instructions that go beyond the service agreed in the main contract will be treated as a request for a change in service. Regulations regarding any compensation for additional expenses that arise from additional instructions from the client to the contractor remain unaffected.
(4) If the Contractor is of the opinion that an instruction from the Client violates data protection regulations, he must inform the Client of this immediately. The Contractor is entitled to suspend the implementation of the instruction in question until it is confirmed or changed by the Client. The Contractor may refuse to implement an obviously unlawful instruction.
9 Contractor’s protective measures
(1) The Contractor is obliged to observe the statutory provisions on data protection and, without appropriate instructions, neither to pass on information obtained from the Client's area to third parties nor to expose it to their access. Paper documents and data must be protected against access by unauthorized persons, taking into account the state of the art.
(2) The contractor will design the internal organization within his area of responsibility in such a way that it meets the special requirements of data protection. The contractor guarantees that he has taken all necessary technical and organizational measures to adequately protect the client's data in accordance with Art. 32 GDPR, in particular at least the measures listed in Annex 2 – Technical and organizational measures of the contractor. If special categories of personal data are also processed, the contractor will also take the appropriate and specific measures resulting from Section 22 Para. 2 BDSG, which are specified in more detail in Annex 2. At the client's request, the contractor will disclose how it determined which measures to take and how those measures are implemented.
The Contractor reserves the right to improve the security measures taken, while ensuring that the contractually agreed level of protection is not undercut and that the Client is informed immediately of any significant changes.
(3) The contact person for data protection at the contractor is INSECCO – a brand of Alsterbyte IT Solutions GmbH, Friedrich-Penseler-Straße 15, 21337 Lüneburg. Any change of contact person for data protection must be communicated to the client immediately.
(4) The persons employed by the contractor in data processing are prohibited from processing personal data without authorization. The contractor will impose an appropriate obligation on all persons entrusted by him with the processing and fulfillment of this contract (hereinafter referred to as employees) (obligation to maintain confidentiality, Art. 28 Para. 3 Subpara. 1 Sentence 2 Letter b GDPR) about the special data protection obligations arising from this contract as well as the existing instructions and purpose binding and will ensure compliance with the aforementioned obligation with the necessary care. These obligations must be formulated in such a way that they remain in force even after termination of this contract or the employment relationship between the employee and the contractor. The obligations of the employees must be proven to the client in an appropriate manner upon request.
10 Contractor’s obligations and information duties
(1) In the event of disruptions in the processing activities, suspicion of data protection violations or violations of the contractor's contractual obligations or suspicion of other security-related incidents at the contractor, at persons employed by him within the scope of the contract or by third parties, the contractor will inform the client immediately in writing or text form. The same applies to audits of the contractor by the data protection supervisory authority that concern processing or facts relevant to the client. The notification of a breach of the protection of personal data contains, as far as possible, the following information:
(a) a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned, the categories and number of personal data records concerned
(b) a description of the likely consequences of the breach
(c) a description of the measures taken or proposed by the Contractor to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects
(2) The Contractor shall immediately take the necessary measures to secure the data concerned and to mitigate possible adverse consequences for the person(s) concerned, inform the Client thereof, request further instructions and provide the Client with further information at any time if the Client’s data is affected by a breach pursuant to paragraph 1.
(3) If the client's data is at risk at the contractor's premises due to seizure or confiscation, insolvency or composition proceedings or other events or measures by third parties, the contractor must inform the client immediately, unless prohibited from doing so by a court or official order. In this context, the contractor will immediately inform all relevant authorities that the decision-making authority over the data lies exclusively with the client.
(4) The Contractor shall inform the Client immediately of any significant changes to the security measures.
(5) The Contractor shall maintain a register of all categories of processing activities carried out on behalf of the Client, which shall contain all information pursuant to Article 30(2) GDPR. The register shall be made available to the Client upon request.
(6) The Contractor must cooperate to an appropriate extent in the preparation of the procedure directory by the Client and in the preparation of a data protection impact assessment in accordance with Art. 35 GDPR and, if necessary, in the prior consultation of the data protection supervisory authorities in accordance with Art. 36 GDPR. The Contractor must provide the Client with the information required in each case in an appropriate manner. Costs incurred by the Contractor as a result of its support activities must be reimbursed to the Contractor to an appropriate extent.
(7) The Contractor may only collect, process or use data within the scope of the order and in accordance with the instructions of the Client.
(8) The contractor must ensure that telecommunications secrecy is maintained in accordance with Section 88 of the Telecommunications Act. To this end, the contractor must require all persons who, in accordance with the contract, can access the client's data using telecommunications means such as telephone or email, to observe telecommunications secrecy and instruct them on the special confidentiality obligations resulting from this.
(9) The Contractor shall not store any personal data on systems that are outside the control of the Client.
11 Obligations of the Client
(1) The client is solely responsible for assessing the admissibility of data processing and for safeguarding the rights of those affected. The client will ensure, within his area of responsibility, that the legally necessary requirements are met (e.g. by obtaining declarations of consent for the processing of data) so that the contractor can provide the agreed services without violating the law.
(2) The Client must inform the Contractor immediately and fully if, when checking the order results, he discovers errors or irregularities with regard to data protection regulations.
(3) The Client is responsible under data protection law with regard to the procedures used by the Contractor and approved by the Client for the automated processing of personal data and – in addition to the Contractor’s own obligation – is also obliged to maintain a register of processing activities.
(4) The Client is responsible for the information obligations resulting from Art. 33 and 34 GDPR towards the supervisory authority or those affected by a breach of the protection of personal data.
(5) The Client shall determine the measures for returning the data media provided and/or deleting the stored data after completion of the order by contract or by instruction.
(6) The Client is obliged to treat all knowledge of the Contractor’s trade secrets and data security measures acquired within the framework of the contractual relationship as confidential.
(7) The Client shall ensure that the requirements resulting from Art. 32 GDPR with regard to the security of processing are complied with. This applies in particular to the Contractor's remote access to the Client's data.
(8) If the client issues individual instructions that go beyond the contractually agreed scope of services, the resulting costs must be borne by the client. If the agreed scope of services is exceeded, a separate written agreement must be made in advance.
12 Client’s rights of inspection
(1) The client shall satisfy himself, before data processing begins and then on a regular basis, that the contractor's technical and organizational measures are in place. To do so, he may, for example, obtain information from the contractor, have existing expert reports, certifications or internal audits presented to him or, if possible, personally inspect the contractor's technical and organizational measures after timely coordination during normal business hours, or have them inspected by a knowledgeable third party, provided that the third party is not in a competitive relationship with the contractor. The client will only carry out checks to the extent necessary and will not disproportionately disrupt the contractor's operations.
(2) The Contractor undertakes to provide the Client, upon oral or written request, within a reasonable period of time with all information and evidence required to carry out an inspection of the Contractor’s technical and organisational measures in accordance with Annex 2 – Technical and organisational measures of the Contractor.
(3) The client shall document the results of the checks it has carried out and inform the contractor of them. If the client discovers any errors or irregularities, particularly when checking the results of the order, the client must inform the contractor immediately. If the check reveals facts that require changes to the ordered procedure in order to avoid them in the future, the client shall inform the contractor of the necessary procedural changes immediately.
(4) The Contractor shall, at the Client’s request, provide the Client with a comprehensive and up-to-date data protection and security concept for the order processing and for persons authorized to access the data.
(5) The Contractor shall, upon request, provide the Client with evidence of the employees’ obligations pursuant to Section 6 (4).
(6) The Client shall reimburse the Contractor for the reasonable expenses incurred in carrying out the inspection.
13 Use of subcontractors
(1) The contractually agreed services or the partial services described below are carried out with the involvement of the subcontractors named in Annex 3 – Approved Subcontractors. The Contractor is authorized within the scope of its contractual obligations to establish further subcontracting relationships with subcontractors ("subcontractor relationship"), provided that it informs the Client of this in advance and the Client has consented in writing to the appointment of the subcontractor. The Contractor is obliged to select subcontractors carefully according to their suitability and reliability. When engaging subcontractors, the Contractor must oblige them in accordance with the provisions of this agreement and ensure that the Client can exercise its rights under this agreement (in particular its inspection and control rights) directly against the subcontractors if necessary. If subcontractors in a third country are to be involved, the Contractor must ensure that an appropriate level of data protection is guaranteed by the respective subcontractor (e.g. by concluding an agreement based on the EU standard data protection clauses). The Contractor will provide the Client with evidence of the conclusion of the aforementioned agreements with its subcontractors upon request.
(2) A subcontractor relationship within the meaning of these provisions does not exist if the contractor commissions third parties to provide services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services that the contractor provides for the client and security services.
(3) Maintenance and testing services constitute subcontracting relationships within the meaning of paragraph 1 insofar as they are provided for IT systems that are also used in connection with the provision of services for the client.
14 Requests and rights of data subjects
(1) The Contractor shall support the Client with appropriate technical and organizational measures in fulfilling the Client’s obligations under Art. 12–22 and 32 and 36 GDPR.
(2) If a data subject asserts rights, such as the right to information, rectification or erasure of his or her data, directly against the Contractor, the Contractor shall not react independently, but shall immediately refer the data subject to the Client and await the Client's instructions.
15 Liability
(1) The client and the contractor are liable to data subjects in accordance with the provisions of Art. 82 GDPR. The contractor shall coordinate any fulfilment of liability claims with the client.
(2) The Contractor shall indemnify the Client against all claims asserted by data subjects against the Client due to the violation of an obligation imposed on the Contractor by the GDPR or due to the non-compliance with or violation of an obligation set out in this Agreement or of an instruction issued separately by the Client.
(3) The parties shall each release themselves from liability if/to the extent that a party proves that it is in no way responsible for the circumstance that caused the damage to a data subject. In all other respects, Art. 82 Para. 5 GDPR applies.
(4) Unless otherwise provided above, liability under this contract shall correspond to that of the main contract.
16 Extraordinary right of termination
(1) The client may terminate the main contract in whole or in part without notice if the contractor fails to comply with its obligations under this contract, intentionally or grossly negligently violates provisions of the GDPR or is unable or unwilling to carry out an instruction from the client. In the case of simple violations - i.e. violations that are neither intentional nor grossly negligent - the client shall set the contractor a reasonable deadline within which the contractor can remedy the violation.
17 Termination of the main contract
(1) After termination of the main contract or at any time upon request, the Contractor shall return to the Client all documents in paper form, data and data carriers provided to him or - at the Client's request, unless there is an obligation to store personal data under Union law or the law of the Federal Republic of Germany - delete them. The obligation to return or destroy also applies to any data backups held by the Contractor. The Contractor must provide documented evidence of proper deletion.
(2) The Client has the right to check the complete and contractually compliant return or deletion of the data by the Contractor in an appropriate manner or to have this checked by a competent third party, provided that the third party is not in a competitive relationship with the Contractor.
(3) The Contractor is obliged to treat as confidential all information which has become known to him in connection with the Main Contract, even after the end of the Main Contract.
18 Final provisions
(1) The parties agree that the contractor shall have no right of retention with regard to the data to be processed and the associated data carriers.
(2) Changes and additions to this contract, the declaration of termination and the amendment of this clause must be in writing to be effective (Section 126 Paragraphs 1 and 2 of the German Civil Code). The replacement of the written form by electronic form (Sections 126 Paragraph 3 and 126 a of the German Civil Code) or text form (Section 126 b of the German Civil Code) is excluded. The priority of individual contractual agreements remains unaffected by this.
(3) Should individual provisions of this Agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions.
(4) This agreement is subject to German law. The sole place of jurisdiction is that of the client.
Annexes
Annex 1 – Description of the persons/groups of persons affected and the data/data categories requiring particular protection
Annex 2 – Technical and organizational measures of the contractor