Data Processing Agreement
Last edited : May 25th, 2024
Annex to the terms and conditions: Data Processing Agreement according to Art. 28 GDPR
Art. 28 GDPR places specific requirements on data processing through a processor. In order to comply with these special requirements, the contracting parties conclude this contract in addition to the terms and conditions. It applies to all activities that are related to the main contract concluded and in which employees of the Contractor or persons authorised by the Contractor process personal data (hereinafter “Data”) of the Client. The definitions of the GDPR apply.
1. Subject matter of the contract and the client's right to issue instructions
- The subject of this contract is the services provided by the Contractor for the Client. In addition, reference is made to Annex 1 of this contract as well as the terms and conditions. In the event of changes to the commissioned service, this contract for commissioned processing must be amended and supplemented accordingly in Annex 1.
- As the controller, the client is solely responsible for assessing the permissibility of data processing in accordance with the GDPR.
- When providing the service, the Contractor shall have access to personal data and shall process it exclusively on behalf of and in accordance with the instructions of the Client, unless the Contractor is obliged to process it differently under the law of the Union or the Member States to which it is subject.
- The Client’s instructions are set out in this Agreement and may be amended, supplemented or replaced by the Client in at least documented electronic format by means of individual instructions (individual instructions). If the Contractor is obliged by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall inform the Client of these legal requirements prior to processing. (Art. 28 para. 3 lit. a) GDPR).
- If the Contractor is of the opinion that an instruction from the Client violates data protection regulations, it must inform the Client of this immediately. The Contractor shall be entitled to suspend the implementation of the instruction in question until it is confirmed or amended by the Client. The Contractor may refuse to carry out an obviously unlawful instruction without incurring any negative consequences. The client is responsible for issuing legally valid instructions. (Art. 28 para. 3 sentence 3 GDPR).
- The term of this contract is based on the term of the main contract, unless the following provisions provide for additional obligations or cancellation rights.
2. Technical and organisational measures
- The Contractor shall comply with the statutory provisions on data protection. The Client’s information shall not be passed on or disclosed to third parties without the Client’s express instructions. Documents and data shall be secured against unauthorised access, taking into account the state of the art.
- The Contractor shall design the internal organisation in its area of responsibility in such a way that it meets the special requirements of data protection and ensures that it has taken all necessary technical and organisational measures to protect the Client’s data in accordance with Art. 32 GDPR. Reference is made to Annex 2.
- The Client shall review the Contractor’s technical and organisational measures before commencing data processing and then regularly thereafter. Changes may be made to the agreed security measures, provided that these do not fall below the contractually agreed level of protection.
3. Confidentiality
The Contractor and its employees are prohibited from processing personal data without authorisation. The Contractor shall oblige all persons entrusted by it with the processing and fulfilment of this contract to maintain confidentiality. The confidentiality obligations shall also apply after termination of this contract or the employment relationship between the employee and the contractor.
4. Information obligations of the contractor
- In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Contractor, suspected security incidents or other irregularities in the processing of personal data by the Contractor, persons employed by the Contractor within the scope of the order or by third parties, the Contractor shall inform the Client immediately in writing or documented electronic format, insofar as they relate to this contract. The same applies to audits of the Contractor by the data protection supervisory authority, insofar as they relate to this contract.
- The notification of a personal data breach to the client shall contain the following information, where possible:
a) a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned, the categories concerned and the number of personal data records concerned;
b) a description of the likely consequences of the injury and
c) a description of the measures taken or proposed to be taken by the Contractor to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects. - The Contractor shall immediately take the necessary measures to secure the data and minimise possible adverse consequences for the data subjects, inform the Client and request further instructions from the Client.
- Should the Client’s data be jeopardised by seizure or confiscation, by insolvency or composition proceedings or by other events or measures by third parties, the Contractor shall inform the Client of this immediately, unless it is prohibited from doing so by court or official order. In this context, the Contractor shall immediately inform all competent authorities that the decision-making authority over the data lies exclusively with the Client as the “controller” within the meaning of the GDPR.
- Where possible, the Contractor shall support the Client with suitable technical and organisational measures in fulfilling its obligations under Art. 12 to 22 (Art. 28 para. 3 lit. e) GDPR) and Art. 32 to 36 GDPR (Art. 28 para. 3 lit. f) GDPR).
5. Control rights of the client
- The Contractor undertakes to provide the Client with all information and evidence required to carry out a check of the Contractor’s technical and organisational measures within a reasonable period of time at the Client’s verbal, written or electronic request.
- Inspections by the Client or its authorised inspectors, who may not be in a competitive relationship with the Contractor, may be carried out during normal business hours and with a lead time of 14 days’ notice. The Client shall only carry out inspections to the extent necessary and shall only disrupt the Contractor’s operating processes in a proportionate manner. The Contractor may demand remuneration for assistance in carrying out an inspection. The remuneration shall be agreed in individual contracts.
6. Use of subcontractors
- The contractually agreed services or the partial services described below shall be performed with the involvement of the subcontractors (sub-processors) listed in Annex 3. All other processors already involved and approved by the client at the time of conclusion of the contract are listed in Annex 3. The client grants general authorisation to involve other processors with regard to the processing of client data (subcontractors). We are obliged to inform our clients of the involvement of or changes to other processors, whereby written information in text form is sufficient. We shall inform our clients in writing at least 14 days in advance of any intended changes to this list by adding or replacing sub-processors and thus give the controller sufficient time to object to these changes before commissioning the sub-processor(s) concerned (right of objection pursuant to Art. 28 para. 2 sentence 2 GDPR). The right to object expires if you have not objected in writing within 14 days of receipt of the notification of the change or involvement. In the event of an objection, both parties have the right to terminate the main contract and this contract for commissioned processing with a notice period of 3 months.
- A subcontractor relationship within the meaning of these provisions does not exist if the Contractor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and dispatch services, cleaning services, telecommunications services with no specific connection to services provided by the contractor for the client and security services. Maintenance and testing services constitute subcontractor relationships requiring approval if they are provided for IT systems that are also used in connection with the provision of services for the client.
7. Liability
The client and contractor are liable to data subjects in accordance with the provisions of Art. 82 GDPR.
8. Termination of the main contract
- The Contractor shall return to the Client all documents, data and data carriers provided to it after termination of the main contract or at any time at the Client’s request or – at the Client’s request, unless there is a legal obligation to store the personal data – delete them. This also applies to any data backups at the Contractor. The Contractor shall provide documented proof of the proper deletion of any data still in existence.
- The Contractor shall be obliged to treat the data it has become aware of in connection with the main contract confidentially even after the end of the main contract. This agreement shall remain valid beyond the end of the main contract for as long as the Contractor has personal data that was forwarded to it by the Client or that it has collected for the Client.
9. Final provisions
- The parties agree that the defence of the right of retention by the Contractor with regard to the data to be processed and the associated data carriers is excluded.
- Amendments and supplements to this agreement must be made in writing or in a documented electronic format.
- Should individual provisions of this agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions and the statutory provisions of Art. 28 GDPR shall apply.
- This agreement is subject to German law.
Attachments:
Annex 1 – Description of data subjects/groups of data subjects and particularly sensitive data/categories of data
Annex 2 – Technical and organisational measures of the contractor
Annex 3 -Subcontractor
Annex 1 - Description of data subjects/groups of data subjects and particularly sensitive data/categories of data
Object of the processing Type and Purpose of the processing | Provision of the EINO application in accordance with the terms and conditions The Contractor is obliged to use the personal data provided to it exclusively for the contractually agreed service. The Contractor shall be permitted to create interim, temporary or duplicate files required for procedural and security reasons in order to collect, process and/or use the personal data in accordance with the service, provided that this does not lead to a reorganisation of the content. The contractor is not permitted to make unauthorised copies of the personal data |
Type of personal data | The client determines the categories of data per EINO used. The personal data transmitted can generally be assigned to one of the following data categories: Name, telephone number, email address, address, audio files, video data, transcripts, system access/usage/authorisation, company name, contract data, invoice data and application-specific data collected from the client’s Authorised Users. |
Categories of affected persons |
|
Annex 2 - Technical and organisational measures of the Contractor
Information on the technical and organisational measures taken | |
Version | 1.0 |
date | 24.05.2024 |
Subsequent measures for confidentiality, integrity, availability and resilience as well as proceduresfor regular review, assessment and evaluation have been implemented.
1. Confidentiality
Confidentiality = personal data must not be made available or disclosed to unauthorised persons or organisations
a) Access control to data processing systems that are used to process personal data
= Measures to prevent unauthorised persons from gaining access to data processing systems
Alarm system; protection of properties, windows, shafts; security locks and key regulations as well as logging of key issue; video surveillance of building entrances; logging of visitors; locked doors during absence.
All certifications, such as the ISO 27.001 certification of our subcontractor OHV GmbH, can be viewed here: https://www.ovhcloud.com/de/enterprise/certification-conformity/
All certifications, such as the ISO 27.001 certification of our subcontractor Zoho Corporation B.V., can be viewed here: https://www.zoho.com/de/trust.html
b) Access control to data processing systems
= Measures to ensure that data processing systems cannot be used by unauthorised persons
Two-factor authentication, where possible, and partial biometric approval (currently under development – release in Q3 2024); login via user name and password; regulations on password complexity; automatic locking of the screen & password entry for renewed access; Use of anti-virus software; active firewall for hardware and software; no use of USB sticks; encryption of smartphones/laptops/tablets; create user authorisations (assignment according to the need-to-know principle); careful selection of service providers; clean desk policy; no-print policy.
c) Access control
Measures that only allow authorised persons to access the data; this applies to processing, use and storage (no unauthorised reading, copying, modification or removal)
Access logging to data processing systems (e.g. logging of entries, changes and deletions); encryption of smartphones; authorisation concept (rules for requesting, approving, implementing and withdrawing authorisations) including rules for accessing data backups; management of rights by system administrators and number of administrators reduced to the bare minimum (need-to-know principle).
d) Pseudonymisation/anonymisation
Locally hosted test data; use of dummy data; separation of allocation data and storage in separate and secure systems; deletion/complete anonymisation of personal data after expiry of the statutory retention period; end-to-end encryption
e) Separation control
=Data from different clients is stored separately
Logical client separation on the software side; logical separation (folder structure, structured file storage);separation of development, test and production environments; no use of personal real data for test purposes; management of separate databases; multi-client capability; authorisation concept; definition of database rights.
2. Integrity
Ensuring the accuracy, integrity and completeness of personal data
a) Transfer control
= No unauthorised reading, copying or modification of data during electronic transmissions (e.g. e-mails) or transport
No sending of sensitive data by email; end-to-end encryption; prohibition of certain transfers (e.g. USB sticks, CDs, tapes); anonymised/pseudonymised transfer; transfer exclusively according to the need-to-know principle, transfer of paper documents in sealed, opaque envelopes; https encryption on the website; careful selection of service providers.
b) Input control
= it is possible to determine whether, when and by whom personal data has been entered, modified or removed from data processing systems
Automatic logging of changes; differentiated user authorisations (read, change, delete); assignment of individual user names; logging of administrative activities.
3. Order control
Order data processing in accordance with the order and instructions is guaranteed. The client’s data is processed exclusively in accordance with the client’s instructions. An order processing contract has been concluded for this purpose. Subcontractors are only engaged by the client in accordance with the contractual provisions.
4. Availability & resilience
Protection against destruction and loss and guaranteeing the use of data Utilisation of redundant systems; backup concept implemented; redundant system landscape.
5. Regular review, assessment & evaluation of the technical and organisational measures taken
Continuous review of TOMs; maintenance of a processing register; appointment of a data protection officer – contact details: Mag.a iur. Elisa Drescher, office@scaleline-ltd.com; employee training; documented processes established for compliance with the GDPR (responding to requests for information in a timely manner, reporting breaches to the supervisory authority); careful selection of service providers; implementation of the purpose limitation principle;
Appendix 3 - Authorised subcontractors
Authorised subcontractors according to 6. of this contract:
Commissioned company | Processing activity | Processing location |
OVH GmbH Christophstrasse 19 50670 Cologne | Cloud storage location for all information in EINO | Germany |
Zoho Corporation B.V. 3527 HT UTRECHT The Netherlands | Subscription data, invoices and communication data (e-mails) | Primary data centre: Amsterdam |
Barycenter Technologies UG | Development and reworking of EINO | Germany |