Status: 28.11.2020
between the service provider - hereinafter also referred to as "Client" or "Customer"
top.legal GmbH
Trogerstr. 19a
81675 Munich
as processor (hereinafter referred to as "Contractor")
- collectively referred to as "Parties".
1.
The Client shall commission the Contractor with the services specified in § 3. Part of the performance of the contract is the processing of personal data. In particular, Art. 28 DS-GVO imposes certain requirements on such commissioned processing. In order to comply with these requirements, the Parties enter into the following agreement, the performance of which shall not be remunerated separately unless this is expressly agreed.
2.
Pursuant to Art. 4 (7) DS-GVO, the controller is the body which alone or jointly with other controllers determines the purposes and means of the processing of personal data.
According to Article 4 (8) of the GDPR, a processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller.
Pursuant to Article 4(1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data requiring special protection are personal data pursuant to Art. 9 GDPR revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and offences or related security measures, as well as genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4 (14) GDPR, health data pursuant to Art. 4 (15) GDPR and data concerning the sex life or sexual orientation of a natural person.
According to Article 4 (2) of the GDPR, processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
Pursuant to Article 4 (21) of the GDPR, the supervisory authority is an independent state body established by a member state pursuant to Article 51 of the GDPR.
3.
The competent supervisory authority for the Contractor is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach.
The Client and the Contractor and, where applicable, their representatives shall cooperate with the supervisory authority in the performance of its duties upon request.
By registering, the user expressly affirms that he/she is not a consumer within the meaning of § 13 BGB. (A consumer is a natural person who concludes a legal transaction for purposes that can predominantly be attributed neither to his/her commercial nor to his/her independent professional activity).
4.
This contract on commissioned processing (hereinafter referred to as "commissioned processing" or "GCP") sets out in concrete terms the rights and obligations of the parties under data protection law for all processing operations which result from the contracts (hereinafter referred to as "main contract") already existing between the parties or to be concluded in the future under which personal data are processed by the contractor for the client.
The Parties conclude the present Agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this agreement shall take precedence over the provisions of the main contract.
5.
Processing shall be carried out for an unlimited period of time, unless otherwise agreed in the service descriptions and the respective contractual agreements. The notice periods regulated in the respective contractual agreements remain unaffected.
6.
The Contractor may only collect, process or use data within the scope of the main contract or the service description and in accordance with the Client's instructions; this applies in particular with regard to the transfer of personal data to a third country or to an international organisation. If the Contractor is required to carry out further processing by the law of the European Union or of the Member States to which it is subject, it shall notify the Client of these legal requirements prior to the processing.
The Client's instructions shall initially be determined by this contract and may thereafter be amended, supplemented or replaced by the Client in writing or in text form by individual instructions. Verbal instructions shall be confirmed by the Client immediately in writing or in an electronic format offered by the Contractor for this purpose.
The Client is entitled to issue corresponding instructions at any time. This includes instructions with regard to the correction, deletion and blocking of data. The persons authorised to issue instructions are the managing directors, authorised signatories or partners of the Client.
If the Client's instructions are not included in the contractually agreed scope of services, they shall be treated as a request for a change in services. In the case of proposed changes, the Contractor shall inform the Client of the effects on the agreed services, in particular the possibility of providing the service, deadlines and remuneration. If the Contractor cannot reasonably be expected to implement the instruction, the Contractor shall be entitled to terminate the processing. In all other respects, the service descriptions and respective contractual agreements shall apply.
If the Contractor is of the opinion that an instruction of the Client violates data protection provisions, it shall notify the Client thereof without delay. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client. The Contractor may refuse to carry out an instruction that is obviously unlawful.
7.
Type of personal data means all types of personal data processed by the Contractor on behalf of the Client. This also includes special categories of personal data.
With regard to the processing of personal data concerning criminal convictions and criminal offences within the meaning of Art. 10 DS-GVO, the Client shall be obliged to ensure on its own responsibility that the legal requirements applicable in this respect are complied with.
In the course of the performance of the service description, the Contractor shall have access to the personal data specified in more detail in Appendix 1 "Description of the personal data processed".
These data include the special categories of personal data listed and identified as such in Appendix 1 "Description of personal data processed".
The group of data subjects is shown in Appendix 2 "Description of data subjects/groups of data subjects".
8.
The Contractor is obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Client's domain to third parties or expose it to their access. Documents and data shall be secured against access by unauthorised persons, taking into account the state of the art.
The Contractor shall organise the internal organisation in its area of responsibility in such a way that it meets the special requirements of data protection. It shall take all necessary technical and organisational measures to adequately protect the Client's data in accordance with Art. 32 of the GDPR, in particular at least the measures listed in Appendix 3 "Technical and organisational measures of the Contractor".
a) Physical access control (Zutrittskontrolle)
b) System access control (Zugangskontrolle)
c) Data access control (Zugriffskontrolle)
d) Transfer control
e) Input control
f) Order control
g) Availability control
h) Separation control
The Contractor reserves the right to change the security measures taken, while ensuring that the contractually agreed level of protection is not undercut.
The Contractor has appointed as data protection officer:
PROLIANCE GmbH
www.datenschutzexperte.de
Leopoldstr. 21
80802 Munich
datenschutzbeauftragter@datenschutzexperte.de
When contacting the data protection officer, please state the company to which your enquiry relates. Please refrain from enclosing sensitive information such as a copy of an identity card with your request.
The persons employed in data processing by the Contractor are prohibited from collecting, processing or using personal data without authorisation. The Contractor shall oblige all persons entrusted by it with the processing and performance of this contract (hereinafter referred to as employees) accordingly (obligation of confidentiality, Art. 28 para. 3 lit. b DS-GVO) and ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force even after the termination of this contract or of the employment relationship between the employee and the Contractor. Evidence of the obligations shall be provided to the Client in an appropriate manner upon request.
The Client can view the currently applicable technical and organisational measures on the following website: https://www.top.legal/toms. The Client shall inform itself about these technical and organisational measures before concluding the agreement on commissioned processing and at regular intervals thereafter. The Client shall be responsible for ensuring that the currently applicable, contractually agreed technical and organisational measures provide an appropriate level of protection for the risks of the data to be processed.
9.
In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Contractor, suspected security-related incidents or other irregularities in the processing of personal data by the Contractor, by persons employed by the Contractor within the scope of the contract or by third parties, the Contractor shall inform the Client immediately in writing or text form. The same shall apply to audits of the Contractor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
a) a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned and the categories and number of personal data records concerned;
b) a description of the measures taken or proposed by the Contractor to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects.
The Contractor shall immediately take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects, inform the Client thereof and request further instructions.
Furthermore, the Contractor shall be obliged to provide the Client with information at any time insofar as the Client's data is affected by a breach pursuant to paragraph 1.
Should the Client's data at the Contractor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Client thereof without delay, unless it is prohibited from doing so by court or official order. In this context, the Contractor shall immediately inform all competent bodies that the decision-making sovereignty over the data lies exclusively with the Client as the "responsible party" within the meaning of the GDPR.
The Contractor shall inform the Client without delay of any significant changes to the safety measures pursuant to § 6 para. 2.
A change in the person of the contact person for data protection shall be notified to the Client without delay.
The Contractor and, if applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of the Client, which shall contain all information pursuant to Art. 30 (2) GDPR. The register shall be made available to the Client upon request.
The Contractor shall cooperate to a reasonable extent in the preparation of the register of processing activities by the Client. The Contractor shall provide the Client with the required information in an appropriate manner.
10.
The Client shall satisfy itself of the technical and organisational measures of the Contractor prior to the commencement of data processing and thereafter once a year. For this purpose, it may, for example, obtain information from the Contractor, have existing test certificates from experts, certifications or internal audits presented to it or, after timely coordination, personally inspect the Contractor's technical and organisational measures during normal business hours or have them inspected by a competent third party, provided that this third party is not in a competitive relationship with the Contractor. The Client shall only carry out inspections to the extent necessary and shall not disproportionately disrupt the Contractor's operating processes in the process.
The Contractor undertakes to provide the Client, upon the Client's oral or written request and within a reasonable period of time, with all information and evidence required to carry out a check of the Contractor's technical and organisational measures.
The Client shall document the inspection result and inform the Contractor thereof. In the event of errors or irregularities discovered by the Client, in particular during the inspection of order results, the Client shall inform the Contractor without delay. If facts are discovered during the inspection, the future avoidance of which requires changes to the ordered procedure, the Client shall inform the Contractor of the necessary procedural changes without delay.
At the Client's request, the Contractor shall provide the Client with a comprehensive and up-to-date data protection and security concept for the commissioned processing as well as on persons authorised to access the data.
The Contractor shall provide the Client with evidence of the commitment of the employees in accordance with paragraph 6 of this Agreement "Nature of Personal Data and Categories of Data Subjects" upon request.
11.
The Contractor, and each person subordinate to it, may only process the personal data within the scope of the service description and the respective contractual agreements between the Contractor and the Client and the Client's instructions, unless there is an exceptional case within the meaning of Article 28 (3) sentence 2 lit. a DS-GVO. The Contractor shall accept instructions from the Client in written form as well as via the electronic formats offered by the Contractor for this purpose. Verbal instructions shall be confirmed by the Client without delay in writing or in an electronic format offered by the Contractor for this purpose.
The Contractor shall inform the Client without delay if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client.
If the Client's instructions are not included in the contractually agreed scope of services, they shall be treated as a request for a change in services. In the case of proposed changes, the Contractor shall inform the Client of the effects on the agreed services, in particular the possibility of providing the service, deadlines and remuneration. If the Contractor cannot reasonably be expected to implement the instruction, the Contractor shall be entitled to terminate the processing. In all other respects, the service descriptions and respective contractual agreements shall apply.
12.
The contractually agreed services or the partial services described below shall be performed using the subcontractors named in Appendix 4 "Approved Subcontractors".
Within the scope of its contractual obligations, the Contractor is authorised to establish further subcontracting relationships with subcontractors ("subcontractor relationship"). It shall inform the Client of this without delay. The Contractor is obliged to carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Contractor shall commit them in accordance with the provisions of this Agreement and shall ensure that the Client can also exercise its rights under this Agreement (in particular its inspection and monitoring rights) directly against the subcontractors. If subcontractors in a third country are to be involved, the Contractor shall ensure that an appropriate level of data protection is guaranteed at the respective subcontractor (e.g. by concluding an agreement based on the EU standard data protection clauses). Upon request, the Contractor shall provide the Client with evidence of the conclusion of the aforementioned agreements with its subcontractors.
A subcontractor relationship within the meaning of these provisions does not exist if the Contractor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services provided by the Contractor for the Client, and security services. Maintenance and testing services constitute subcontractor relationships requiring consent insofar as they are provided for IT systems that are also used in connection with the provision of services for the Client.
13.
The Contractor shall support the Client as far as possible with suitable technical and organisational measures in the fulfilment of the Client's obligations pursuant to Articles 12-22 as well as 32 and 36 of the GDPR. The Contractor is entitled to demand reasonable remuneration from the Client for these services.
If a data subject asserts rights, such as the right to information, correction or deletion with regard to his/her data, directly against the Contractor, the Contractor shall not react independently, but shall immediately refer the data subject to the Client and await the Client's instructions.
14.
In the internal relationship with the Contractor, the Client alone shall be responsible to the data subject for compensation for damages suffered by a data subject due to inadmissible or incorrect data processing or use within the scope of commissioned processing in accordance with the data protection laws.
The parties shall each release themselves from liability if a party proves that it is not responsible in any respect for the circumstance which caused the damage to an affected person.
15.
After termination of the main contract, or at any time upon the Client's request, the Contractor shall return to the Client all documents, data and data carriers provided to the Contractor or, at the Client's request, delete them, unless there is an obligation under Union law or the law of the Federal Republic of Germany to store the personal data. This also applies to any data backups at the Contractor's premises. The Contractor shall provide documented proof of the proper deletion of any data still in existence. Documents to be disposed of shall be destroyed using a document shredder in accordance with DIN 32757-1. Data carriers to be disposed of shall be destroyed in accordance with DIN 66399.
The Client shall have the right to control the complete and contractually compliant return or deletion of the data at the Contractor in an appropriate manner.
16.
The Contractor has the right to anonymise the personal data covered by this agreement and to carry out the processing steps required for anonymisation beforehand. While maintaining anonymity, the Contractor may process and use all data thus created for its own purposes, such as the preparation of company or industry comparisons or other purposes of an economic or business information character, statistical evaluations, benchmarking, product improvements, new product developments and other comparable purposes. This also includes anonymised disclosure to users and third parties, in particular to associations, organisations or research institutions, as well as for publications.
17.
The parties agree that the defence of the right of retention by the Contractor within the meaning of Section 273 of the German Civil Code (BGB) is excluded with regard to the data to be processed and the associated data carriers.
Amendments and supplements to this agreement must be made in writing. This also applies to the waiver of this formal requirement. The priority of individual contractual agreements remains unaffected.
Should individual provisions of this agreement be or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions in each case.
This agreement is subject to German law. The exclusive place of jurisdiction is Munich.
Appendix 1 "Description of the personal data processed"
Personal master data: salutation, surname, first name, address, title
Communication data: telephone, e-mail
Profile data: education, professional development, professional qualifications, project experience, academic titles and qualifications, company affiliations
Contract master data: contractual relationship, product or contractual interest
Customer history: login, product usage, products purchased, time data
Technical data: IP address, device, browser, location, MAC address, product version
Appendix 2 "Description of data subjects/groups of data subjects"
Employees of the Client who use the software collaboratively with the Client and whose data are recorded and managed in the software.
Clients and corporate clients of the Client who are recorded and managed in the software by the Client.
Appendix 3 "Technical and organisational measures of the Contractor"
Our TOMs are available via the following link: https://www.top.legal/toms
Appendix 4 "Approved Subcontractors"
The following companies are approved subcontractors within the meaning of paragraph 11 of this agreement:
Amazon Web Services, Inc.
410 Terry Avenue North
Seattle WA 98109
United States
Function: Operation and administration of the app.top.legal software, sending of automated mails relating to the contractual relationship, storage of personal data relating to the contractual relationship.
HubSpot, Inc.
25 First Street, Cambridge, MA 02141
USA
Function: CRM administration tool for the users of the app.top.legal application.
Google LLC
Unter den Linden 14
10117 Berlin
Germany
Function: Storage of files and sending of mails in the context of processing support requests
Functional Software Inc.
Sentry
132 Hawthorne Street
San Francisco, California 94107
USA
Function: Processing of fault reports and support requests
Stripe, Inc.
510 Townsend Street
San Francisco, CA 94103
USA
Function: Accounting of projects within the framework of app.top.legal
Intercom, Inc.
55 2nd Street, 4th Fl.,
San Francisco, CA 94105
USA
Function: Real-time support service for top.legal software customers
Segment.io, Inc.
100 California Street, Suite 700
San Francisco, CA 94111
USA
Mixpanel
92 Av. des Champs-Élysées Paris, 75008,
France
Function: Evaluation of user behaviour for the top.legal software to improve existing functions and develop new functionalities. Personal data is cleansed in the process.