AV Vertrag Englisch

CONTRACT FOR SUBCONTRACTING PROCESSING WITHIN THE MEANING OF ART. 28 ABS. 3 GDPR

The contracting parties

 

                                                - hereinafter: Client -

and

PHI – Peter Heck
Peter Heck
Alter Schulhof 1
65375 Oestrich-Winkel

                                                - hereinafter: Processor –

 

conclude the following contract:

 

1. General provisions and subject matter of the contract

1.1 The subject of this contract is the processing of personal data on behalf of the Processor (Art. 28 GDPR). The content of the order, categories of data subjects and types of data as well as the purpose of the processing can be found in Annex 1.

1.2 The client is the responsible party in the sense of Art. 4 No. 7 GDPR. He alone is responsible for assessing the permissibility of the data processing operations in accordance with Art. 6 GDPR and for safeguarding the rights of the data subjects.

1.3 The processing of the data by the processor takes place exclusively on the territory of the Federal Republic of Germany, a member state of the European Union or a contracting state of the EEA Agreement. Processing outside of these states shall only take place under the conditions of Chapter 5 of the GDPR (Art. 44 et seq.) and with the prior consent of the client.

1.4    The remuneration shall be agreed upon outside of this contract.

2. Contract term and termination

The present contract is concluded for an indefinite period and may be terminated by either contracting party with three months' notice. The right to extraordinary termination for good cause remains unaffected.

3. Instructions of the client

3.1 The Client has a comprehensive right to issue instructions to the Processor regarding the type, scope and modalities of data processing. In this role, he may in particular demand the immediate deletion, correction, blocking or surrender of the contractual data. The Processor is obliged to comply with the Client's instructions, provided that there are no justified contractual or legal interests to the contrary.

3.2  The Processor shall inform the Client without undue delay if it is of the opinion that an instruction of the Client violates statutory provisions. If an instruction is issued whose legality the Processor substantially doubts, the Processor shall be entitled to temporarily suspend its execution until the Client expressly confirms or amends it again.

3.3 Instructions must always be given in writing or in an electronic format (e.g. by e-mail). Verbal instructions shall be confirmed in writing or in an electronic format by the Client at the request of the Processor. The Processor shall record the person, date and time of the verbal instruction in an appropriate form.

3.4 The Client shall name one or more persons authorized to issue instructions at the request of the Processor. The Processor shall be Processor without undue delay.

4. Control powers of the client

4.1 The Client shall be entitled to check compliance with the statutory and contractual provisions on data protection and data security prior to the start of data processing and during the term of the contract on a regular basis to the extent required or to have such checks carried out by third parties. The Processor shall tolerate these checks and support them to the extent necessary. In particular, the Processor shall provide the Client with complete and truthful information relevant for the inspections, allow the Client to inspect the stored data and data processing programs/systems and enable on-site inspections. If the Client has consented to the processing of data outside the business premises (e.g. private home), the Processor shall ensure that the Client may also enter these premises for inspection purposes.

4.2 The Client shall ensure that the control measures are proportionate and do not impair the Processor's operations more than necessary. In particular, on-site inspections shall generally be carried out during normal business hours and by appointment with a reasonable lead time, provided that the purpose of the inspection does not contradict prior notice.

4.3    The results of the checks and instructions shall be recorded by both parties to the contract in an appropriate manner.

5. General obligations of the processor

5.1 The processing of the contractual data by the processor shall be carried out exclusively on the basis of the contractual agreements in conjunction with any instructions issued by the Client. Any processing deviating from this is only permitted on the basis of mandatory European or member state legal provisions (e.g. in the case of investigations by law enforcement or state protection authorities). If processing is required due to compelling law, the Processor shall notify the Client thereof prior to the processing, unless the relevant law prohibits such notification due to an important public interest.

5.2 The Processor shall comply with all statutory provisions when performing the contract. In particular, it shall implement the technical and organizational measures required under Article 32 of the GDPR and keep the register of processing activities required under Article 30 (2) of the GDPR, insofar as this is required by law.

5.3 If the Processor is obliged to appoint a data protection officer in accordance with the GDPR or other statutory provisions, it shall confirm that it has selected such an officer in accordance with the statutory provisions and shall assure the Client that it will appoint such an officer and provide its contact details (e.g. by e-mail). The Client shall be informed immediately of any changes to the person and/or contact details of the data protection officer.

5.4 Data processing outside the premises of the processor or subcontractors and / or in private residences (e.g. remote access or home office of the processor) is only permitted with the express consent of the client.

5.5 The Processor shall ensure that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality (Art. 28 (3) (b) GDPR).
Before being subject to the confidentiality obligation, the persons concerned may not have access to the personal data provided by the client.

5.6 The Processor shall regularly and independently monitor the fulfillment of its obligations and document it in an appropriate manner.

 

6. Technical and organizational measures

6.1 The Processor has defined suitable technical and organizational measures to ensure an appropriate level of protection and recorded them in Annex 2 to this Agreement. The measures described there were selected in compliance with the requirements of Art. 32 of the GDPR and coordinated with the Client.

6.2 The Processor shall review and adapt the technical and organizational measures as required and / or on an ad hoc basis. Necessary adjustments shall be documented by the Processor and made available to the Client upon request. Significant changes that could reduce the level of protection must be coordinated with the client in advance.

 

7. Support obligations of the processor

7.1 The Processor shall support the Client pursuant to Art. 28 (3) e of the GDPR in its obligations to protect the rights of data subjects under Chapter III, Art. 12 - 22 of the GDPR. This applies in particular to the provision of information and the deletion, correction or restriction of personal data. The scope of the obligation to provide support shall be determined on a case-by-case basis, taking into account the type of processing.

7.2 Furthermore, the Processor shall support the Client pursuant to Article 28 (3) (f) of the GDPR in its obligations under Articles 32 - 36 of the GDPR (in particular notification obligations). The scope of this support obligation shall be determined on a case-by-case basis, taking into account the type of processing and the information available to the Processor.

 

8. Use of subcontracted processors (subcontractors)

8.1 The Processor shall only be entitled to use subcontractors with the consent of the Client. All subcontractor relationships of the Processor already existing at the time of the conclusion of the Agreement and expressly confirmed by the Client are conclusively attached to this Agreement in Annex 3. For the subcontractors listed in Annex 3, consent shall be deemed to have been granted upon signing of this Agreement. If the Processor intends to use further subcontractors, it shall notify the Client thereof in writing or electronically so that the Client can check their use. If the Client does not give its consent, the subcontractors concerned may not be used

8.2 Subcontractors shall be selected by the Processor in compliance with the legal and contractual requirements. Ancillary services used by the Processor to perform its business activities do not constitute subcontracting relationships. Ancillary services in this sense are in particular telecommunication services without concrete reference to the main service, postal and transport services, maintenance and user service as well as other measures which are intended to ensure the confidentiality integrity of the hardware and software and have no concrete reference to the main service. However, the Processor shall also ensure compliance with the statutory data protection standards for these third-party services.

8.3 All contracts between the Processor and the Subprocessor (subcontracts) shall comply with the requirements of this Agreement and the statutory provisions on the processing of personal data on behalf; this concerns in particular the implementation of appropriate technical and organizational measures pursuant to Art. 32 GDPR in the Subcontractor's business. The subcontractor agreements shall furthermore ensure that the control and instruction powers agreed in this Agreement can also be exercised by the Principal in the same manner and in full vis-à-vis the subprocessor.

8.4 The contract with the subcontractor must specify which responsibilities the subcontractor has so that the client can check them accordingly. Furthermore, the contract with the subcontractor must ensure that the client is entitled to exercise the same control rights vis-à-vis the subcontractor as vis-à-vis the processor. The Processor must ensure that the instructions issued by the Client are also followed and recorded by the subcontractors. Compliance with these obligations shall be checked and documented by the Processor before the conclusion of the contract with the subcontractor and regularly thereafter.

8.5 The forwarding of data to the sub-processor is only permitted after the sub-contractor has fulfilled its obligations pursuant to Art. 32 (4) and Art. 29 GDPR vis-à-vis the persons subordinated to it.

8.6 The Processor shall be responsible for compliance with the data protection provisions by the sub-processors used by it. He shall be liable vis-à-vis the Client for compliance with the statutory and contractual data protection obligations.

8.7 The Processor shall obtain confirmation from its sub-processors that they have appointed a data protection officer - to the extent required by law.

8.8 The commissioning of subcontractors in third countries is only permitted if the legal requirements of Art. 44 et seq. GDPR are met and the client has given its consent.

9. Notification obligations of the processor

9.1 The Client shall be notified without undue delay of any breaches of this Agreement, of the Client's instructions or of any other provisions of data protection law; the same shall apply in the event of a corresponding justified suspicion. This obligation shall apply regardless of whether the breach was committed by the Processor itself, a person employed by it, a sub-processor or any other person it has used to fulfill its contractual obligations.

9.2 The Processor is obligated to support the Client in fulfilling its legal information obligations pursuant to Art. 33 and 34 GDPR. The Processor may only make independent notifications to authorities or data subjects pursuant to Art. 33 and 34 of the GDPR after prior instruction by the Principal.

9.3 If a data subject, an authority or another third party requests the Processor to provide information, correction, blocking or deletion, the Processor shall immediately forward the request to the Client; in no case shall the Processor comply with the data subject's request without the Client's consent.

9.4 The Processor shall inform the Client without undue delay if supervisory actions or other measures of an authority are imminent which could also affect the processing, use or collection of the personal data provided by the Client. In addition, the Processor shall inform the Client without undue delay of any events or measures by third parties that could endanger or impair the data that is the subject of the contract.

10. Termination of contract, deletion and return of data

After completion of the contractual data processing or after termination of this Agreement, the Processor shall delete or return all personal data at the discretion of the Client, provided that there is no longer a legal obligation to store the data in question (e.g. statutory retention periods). The Client shall be entitled to review the measures taken by the Processor in an appropriate manner. For this purpose, it shall in particular be entitled to inspect the relevant deletion logs and the data processing systems concerned on site.


11. Data secrecy and confidentiality

11.1 The Processor shall be obligated for an unlimited period of time and beyond the end of this Agreement to treat the personal data obtained within the scope of this contractual relationship as confidential and to comply with relevant secrecy protection rules to which the Client is subject (e.g. Section 203 of the German Criminal Code). The Client shall be obligated to inform the Processor of any special secrecy protection rules that may exist when placing the order.

11.2 The Processor undertakes to familiarize its employees with the relevant data protection provisions and secrecy rules and to oblige them to maintain confidentiality before they commence their activities with the Processor.

11.3 The Processor shall document compliance with the measures specified in this clause in a suitable manner. The documentation shall be presented to the Client upon request.

12. Final provisions

12.1 Amendments to this Agreement and ancillary agreements must be made in writing or electronically and must clearly indicate that and which amendment or supplement to these Terms and Conditions they are intended to effect.

12.2 Should the GDPR or other legal regulations referred to change during the term of the contract, the references here shall also apply to the respective successor regulations.

12.3 Should individual parts of this agreement be or become invalid, this shall not affect the validity of the remaining provisions.

12.4 All annexes to this contract are part of the contract.

  

Annex 1 - Order details

 

The present contract includes (if applicable in connection with the Main contract) the following services:

 

  • Development and support of Clients websites as well as services in the field of search engine optimization (SEO)
  • Setup and support of Microsoft 365 services
  • General IT consulting

The following types of data are regularly processed as part of the contractual provision of services:

  • Contact details of the client in the accounting department (name, address, e-mail addresses, telephone numbers, bank details)
  • Contact details of the client in the E-Recht24 tool for the creation of the imprint and the data protection agreement (name, address, e-mail addresses, telephone numbers)
  • Visitor data of the website visitors in:
    • The analysis tool Matomo (country of origin / area, operating system, browser data, shortened IP address, referrer, search terms).
    • The Cookie Consent tool Usercentric (Consent data (Consent ID, Consent Number, Time of Consent submission, Opt-in or Opt-out, Banner Language, customer setting, template version, Device data (HTTP agent, HTTP referrer) IP address) 
    • The Anti-Spam Tool Cleantalk (IP Address,  contact form content like E-Mail, Name, Message) 
  • Data of the Clients within the IONOS Partner Portfolio (name, address of the Client's website)

The group of persons concerned by the data processing are:

 

  • Employees of the client
  • Visitors of the client's website

  

Annex 2 - List of existing technical and organizational measures of the processor according to Art. 32 GDPR

The Processor shall implement the following technical and organizational measures to protect the Personal Data that are the subject of the Contract. The measures have been defined in accordance with Art. 32 GDPR and agreed with the Client.

 

I.        Earmarking and separability

The following measures ensure that data collected for different purposes are processed separately:

  • Physically separate storage on separate systems or data carriers
  • Logical client separation (on the software side)
  • Authorization concept
  • Encryption of data records that are processed for the same purpose
  • Providing data records with purpose attributes / data fields / signatures
  • For pseudonymized data: Separation of the assignment file and storage on a separate and secured IT system Separation of productive and test system


II.        Confidentiality and integrity

The following measures ensure the confidentiality and integrity of the Processor's systems:

  1. Encryption

The data or data carriers processed in the order are encrypted in the following manner:
Encryption of the hard disk used on Apple Mac systems by means of Apple's own encryption     

  1. Pseudonymization

"Pseudonymization" means that personal data are processed in a way that excludes identification of the data subject without the addition of further information (e.g., use of fantasy names that cannot be assigned to a specific person without additional information).

  • Yes, and here's how:
    • The IP addresses of the website visitors in Matomo are anonymized (shortened).
  1. The following measures have been taken to prevent unauthorized persons from gaining access to the data processing systems with which personal data are processed or used (access control):
  • Manual locking system
  1. The following measures have been taken to prevent unauthorized third parties from using the data systems (access control):
    • Assignment of user rights
    • Creation of user profiles
    • Password assignment
    • Password policies (regular change, minimum length, complexity, etc.)
    • Authentication with biometric methods
    • Authentication with user name / password / 2nd factor (where possible)
    • Assignment of user profiles to IT systems
    • Use of VPN technology for data transfer
    • Encryption of mobile IT systems
    • Encryption of mobile data carriers
    • Encryption of data backup systems
    • Manual locking system
    • Use of anti-virus software
    • Encryption of data carriers in laptops / notebooks
    • Use of a hardware firewall Use of a software firewall

  1. The following measures have been taken to ensure that those authorized to use a data processing system can only access the data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage (access control):
    • Authorization concept
    • Administration of rights by system administrator
    • Regular checking and updating of access rights (especially when employees leave the company or similar)
    • Number of administrators is reduced to the "bare minimum
    • Password policy incl. password length, password change
    • Secure storage of data media
    • Physical deletion of data media before reuse
    • Proper destruction of data media (DIN 66399)
    • Use of document shredders or service providers (if possible with data protection seal of approval)
    • Logging of destruction Encryption of data media

  1. The following measures can be used to subsequently check and determine whether and by whom personal data have been entered into, modified or removed from data processing systems (input control).
    • Logging the entry, modification and deletion of data.
    • Creation of an overview showing which applications can be used to enter, change and delete which data.
    • Traceability of data entry, modification and deletion through individual user names (not user groups).
    • Retention of forms from which data has been transferred to automated processes
    • Assignment of rights to enter, change, and delete data based on an authorization concept

  1. The following measures ensure that personal data processed by subcontractors / sub-subcontractors of the Processor can only be processed in accordance with the instructions of the Client and the Processor (order control).
    • Prior review and documentation of the security measures taken by the subcontractor.
    • Selection of the subcontractor under due diligence aspects (in particular with regard to data security)
    • Written instructions to the subcontractor (e.g. by order processing contract)
    • Obligation of the subcontractor's employees to maintain data secrecy
      Subcontractor has appointed data protection officer
    • Ensuring the destruction of data from the subcontractor's systems after completion of the order
    • Effective control rights over the subcontractor agreed upon
    • Ongoing monitoring of the subcontractor and its activities Contractual penalties in the event of violations

  1. The following measures ensure that personal data cannot be obtained or viewed by unauthorized persons during transfer (physical and/or digital) (transport or transfer control):
    • Use of VPN tunnels
    • Encryption of communication paths (e.g., encryption of e-mail traffic)
    • Encryption of physical data carriers during transport

III.      Availability, recoverability and resilience of the systems

 

The following measures ensure that the data processing systems used function properly at all times and that personal data are protected against accidental destruction or loss

    • Uninterruptible power supply (UPS)
    • Creation of a backup & recovery concept
    • Testing data recovery
    • Keeping backup data in a secure, off-site location

  

IV.      Review, evaluation and adaptation of the present measures

The Processor shall review, evaluate and, if necessary, adapt the technical and organizational measures set forth in this Annex at intervals of 1 year and on an ad hoc basis.

Annex 3 - List of existing subcontractors at the time of the conclusion of the contract.

Haufe Service Center GmbH
Munzinger Straße 9
79111 Freiburg
Contact the data protection officer: dsb@haufe-lexware.com

eRecht24 GmbH & Co. KG
Lietzenburger Str. 94

10719 Berlin
Contact the data protection officer::  datenschutz@legaltrust.de

IONOS SE
Elgendorfer Str. 57
56410 Montabaur Deutschland
Contact the data protection officer:  datenschutz@ionos.de

Usercentrics GmbH
Sendlinger Str. 7
80331 München
Contact the data protection officer: legal@usercentrics.com

CleanTalk Inc.
711 S Carson street, suite 4,
Carson city, NV. 89701