Data processing agreement for the processing of personal data on behalf of a controller
pursuant to Art. 28 GDPR
between the controller:
(hereinafter referred to as the Client)
and the processor:
Käthe Niederkirchner Street 22 10407 Berlin
(hereinafter referred to as the contractor)
This Agreement sets out in concrete terms the obligations of the Parties under data protection law arising from the commissioned processing described in this Agreement and in Annex A “Order Details”. It applies to all activities related to the service in which employees of the Contractor or third parties commissioned by the Contractor may come into contact with personal data of the Customer.
The Parties are aware that the EU General Data Protection Regulation (GDPR, Regulation (EU) 2016/679) applies as of 25.05.2018 and that the requirements for commissioned processing are governed in particular by Article 28 GDPR.
The provisions of this data protection agreement take precedence over the general terms and conditions (GTC) of the Contractor.
§ 1 Definitions
- Personal data
According to Article 4(1) GDPR, personal data is any information relating to an identified or identifiable natural person (hereinafter “data subject”). An identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- Processor
According to Art. 4(8) GDPR, a processor is a natural or legal person, public authority, agency or other body that processes personal data on behalf of the controller.
- Instruction
An instruction is the Client’s direction, usually in writing, for the Contractor to handle personal data in a specific manner in accordance with data protection requirements (e.g. storage, pseudonymization, deletion, disclosure). Instructions are issued by the Client and may be amended, supplemented or replaced by individual instructions. The Client’s instructions shall be issued in writing or by e-mail.
§ 2 Scope of application and responsibility
- The Contractor processes personal data on behalf of the Client, or it cannot be excluded that the Contractor obtains access to or knowledge of personal data in connection with the provision of the service. Pursuant to Art. 28 GDPR, the conclusion of a processing agreement is therefore required.
- The Client has selected the Contractor as a service provider in accordance with the due diligence requirements of Art. 28 GDPR. A prerequisite for the admissibility of commissioned data processing is that the Client gives the Contractor the order in writing or electronically. According to the will of the parties, and in particular of the Client, this contract contains the order for commissioned processing within the meaning of Article 28(3) GDPR and regulates the rights and obligations of the parties with regard to data protection in connection with the provision of the service.
- Ownership of the personal data lies exclusively with the Client as the “controller” within the meaning of the GDPR. Based on this responsibility, the Client may demand the correction, deletion, restriction (blocking) and surrender of personal data during the term of the contract and after its termination.
§ 3 Subject and duration of the order
The subject matter of the order is set out in Annex A “Details of the order”.
This agreement shall enter into force upon signature by both parties and shall normally end upon termination of the underlying main contract. The right to extraordinary termination remains unaffected.
§ 4 Description of processing, data and data subjects
The scope, nature and purpose of the processing as well as the type of data and the group of data subjects are described in Annex A “Details of the order”.
§ 5 Technical and organizational measures for data protection
The Contractor undertakes vis-à-vis the Client to implement and comply with the technical and organizational measures that are appropriate and necessary to comply with the applicable data protection provisions.
- Since the Contractor also performs the services for the Client outside the Client’s business premises, the Contractor shall document the technical and organizational measures it has taken within the meaning of Art. 28(3)(c) and Art. 32 GDPR in conjunction with Art. 5(1) and (2) GDPR in a binding manner for this purpose and hand the documentation over to the Client for inspection.
- The measures serve to ensure data security and to guarantee a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems associated with this order. In this context, the state of the art, the implementation costs and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32(1) GDPR, shall be taken into account.
- The technical and organizational measures in place at the time this agreement is concluded are attached to it as Annex B “Technical and Organizational Measures for Data Protection”. The parties agree that changes to the technical and organizational measures may become necessary in order to adapt to technical and legal circumstances. The Contractor shall agree in advance with the Client on any significant changes that may affect the integrity, confidentiality or availability of the personal data. Measures that involve only minor technical or organizational changes and do not negatively affect the integrity, confidentiality or availability of the personal data may be implemented by the Contractor without coordination with the Client. The Client may at any time request a current assessment of the technical and organizational measures taken by the Contractor.
§ 6 Correction, restriction and deletion of data
- The Contractor may not correct, delete or restrict the processing of the data processed under the order on its own authority, but only in accordance with the documented instructions of the Client. If a data subject contacts the Contractor directly in this regard, the Contractor shall immediately forward this request to the Client for processing by the Client.
- The rights to deletion, correction, data portability and information shall be implemented directly by the Contractor only following documented instructions from the Client.
- Copies or duplicates of the data shall not be made without the knowledge of the Client. This shall not apply to backup copies insofar as they are necessary to ensure proper data storage, nor to data that must be retained under statutory retention obligations or official directives, or processed to comply with legal or regulatory requirements.
- After completion of the contractually agreed work or earlier upon request by the Client, and at the latest upon termination of the service agreement, the Contractor shall give the Client the opportunity to access and secure all documents, processing and utilization results created, and data files in its possession that relate to the contractual relationship. The same shall apply to test and scrap material. The record of the deletion shall be submitted upon request.
- Documentation that serves as proof of data processing in accordance with the contract and the applicable rules shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods. The Contractor may hand it over to the Client at the end of the contract in order to relieve itself of this obligation.
§ 7 Duties of the Contractor
- Processing of personal data that does not relate to the provision of the commissioned service is prohibited unless the Client has agreed to it. The Contractor shall inform the Client of any such processing in writing.
- The Contractor shall confirm that it has appointed a company data protection officer within the meaning of Articles 38, 39 of the GDPR, insofar as it is required to do so by law. The Contractor has not appointed a data protection officer.
- The Contractor shall inform the Client without delay if, in its opinion, an instruction issued by the Client violates statutory provisions. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client.
- The Contractor shall inform the Client without delay in the event of serious disruptions to the operational process, suspected data breaches or other irregularities in the processing of the Client’s personal data.
- If the Contractor determines, or facts justify the assumption, that personal data it processes for the Client are affected by a personal data breach within the meaning of Article 33 GDPR, e.g. by unlawful transmission or by processing in a way not permitted by law, the Contractor shall immediately inform the Client thereof. If the data is unlawfully disclosed to third parties, the Contractor shall inform the Client immediately and in full about the time, type and scope of the incident(s) in writing or in text form (fax/e-mail). The notification to the Client shall contain at least the following information:
- a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
- the name and contact details of the data protection officer or other point of contact for further information;
- a description of the likely consequences of the personal data breach;
- a description of the measures taken or proposed to address the personal data breach and, where applicable, to mitigate its possible adverse effects.
- In addition, the Contractor shall notify the Client without delay of the measures it has taken to prevent unlawful transmission or unauthorized disclosure to third parties in the future.
- Upon request, the Contractor shall provide the Client with the information required for the directory of processing activities pursuant to Article 30 (1) of the GDPR and, as a processor, shall itself maintain a directory of processing activities pursuant to Article 30 (2) of the GDPR.
- The Contractor shall ensure that the employees involved in the processing of the Client’s personal data are bound to confidentiality in accordance with Art. 28(3) sentence 2(b), Art. 29 and Art. 32(4) GDPR and have been familiarized in advance with the data protection provisions relevant to them. Persons employed by the Contractor who have access to personal data may process this data exclusively in accordance with the Client’s instructions, including the powers granted in this Agreement, unless they are legally obligated to process it otherwise. This confidentiality obligation shall continue to apply after termination of the activity.
- The fulfillment of the aforementioned obligations shall be monitored by the Contractor and proven in a suitable manner.
- Furthermore, the Contractor undertakes to support the Client in accordance with Art. 28(3)(f) GDPR in complying with the obligations set out in Art. 34 to 36 GDPR:
- within the scope of its duty to inform the data subjects and the Client, by providing all relevant information without delay;
- in carrying out its data protection impact assessment;
- within the framework of prior consultation with the supervisory authority.
- The Client and the Contractor shall, upon request, cooperate with the supervisory authority in the performance of its duties. To the extent that the Client is subject to an inspection by the supervisory authority, administrative or criminal proceedings, liability claims by a data subject or a third party, or other claims in connection with the commissioned processing by the Contractor, the Contractor shall support the Client to the best of its ability.
- The Contractor shall regularly monitor the internal processes as well as the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
§ 8 Rights and Duties of the Client
- The Client shall have the right to issue supplementary instructions to the Contractor at any time regarding the type, scope and procedure of the commissioned processing. Instructions may be given in writing, by fax or by e-mail. The Client shall immediately confirm verbal instructions to the Contractor in text form (e.g. by fax or e-mail).
- The Client shall inform the Contractor immediately and in full if it discovers errors or irregularities with regard to data protection provisions during the review of the order results.
- The Client is responsible for the notification obligations arising from Art. 33(1) GDPR.
- The Client shall determine, by contract or by instruction, the measures for the return of the data carriers provided and/or the deletion of the stored personal data after the end of the order.
- If the Client issues individual instructions that go beyond the contractually agreed scope of services, the costs incurred as a result shall be borne by the Client.
§ 9 Safeguarding of rights of the data subject
- The Client shall be responsible for safeguarding the rights of the data subject.
- Insofar as the Contractor’s cooperation is necessary for the Client to safeguard the rights of the data subject, in particular the rights to information, correction, restriction, data portability or deletion, the Contractor shall take the measures required in each case in accordance with the Client’s instructions.
- If a data subject contacts the Contractor directly for the purpose of correction, deletion, restriction or portability of his or her data, the Contractor shall forward this request to the Client without delay.
- This shall be without prejudice to any provisions on the remuneration of additional expenses incurred by the Contractor as a result of cooperating with the Client in connection with the assertion of data subject rights.
§ 10 Control powers
- The Client shall have the right to monitor the Contractor’s compliance with the statutory provisions on data protection, the contractual provisions agreed between the Parties and the Client’s instructions at any time to the extent required.
- The Contractor shall be obligated to provide the Client with information to the extent necessary to carry out the control within the meaning of para. 1.
- The Client may carry out the inspection within the meaning of para. 1 at the Contractor’s premises during normal business hours after prior notification with a reasonable period of notice. The Client shall ensure that inspections are carried out only to the extent necessary so that the Contractor’s operating processes are not disrupted more than necessary.
- The Contractor shall be obligated to provide the Client with the necessary information in the event of measures taken by the supervisory authority against the Client within the meaning of Article 58 of the GDPR, in particular with regard to information and control obligations.
- The Contractor shall provide evidence of technical and organizational measures that do not only relate to the specific order. This can be done by:
- compliance with approved rules of conduct pursuant to Art. 40 GDPR,
- certification in accordance with a certification procedure pursuant to Art. 42 GDPR,
- current test certificates, reports or report excerpts from independent bodies (e.g. data protection officer, auditor, IT security officer),
- appropriate data protection or information security certification (e.g. ISO 27001).
- The Contractor may charge the Client for the expenses of an inspection at the Contractor’s premises pursuant to paras. 3 and 4.
§ 11 Subcontracting relationships
- The contractor is permitted to work on an as-needed basis.