This Agreement specifies the parties' obligations under Article 28 GDPR when top.legal processes personal data on behalf of the Client
Preamble
The Client engages the Contractor with the services set out in Section 3
Part of the performance of the agreement is the processing of personal data
In particular, Article 28 GDPR imposes certain requirements on such processing on behalf of a controller
To meet these requirements, the parties enter into the following agreement, the performance of which is not remunerated separately unless expressly agreed
Definitions
Controller: pursuant to Article 4(7) GDPR, the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data
Processor: pursuant to Article 4(8) GDPR, a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller
Personal data: pursuant to Article 4(1) GDPR, any information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person
Special categories of personal data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, as well as the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, health data or data concerning a natural person's sex life or sexual orientation (Article 9 GDPR) and personal data relating to criminal convictions and offences (Article 10 GDPR)
Processing: pursuant to Article 4(2) GDPR, any operation or set of operations performed on personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction
Supervisory authority: pursuant to Article 4(21) GDPR, an independent public authority established by a Member State pursuant to Article 51 GDPR
Designation of the Competent Data Protection Supervisory Authority
Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach
The Client and the Contractor and, where applicable, their representatives shall cooperate, on request, with the supervisory authority in the performance of its tasks
By registering, the user expressly confirms that it is not a consumer within the meaning of Section 13 BGB
Subject Matter of the Agreement
This data processing agreement (hereinafter “Processing on Behalf” or “DPA”) specifies, for all processing activities, the data-protection rights and obligations of the parties arising from the agreements already existing or to be concluded in the future between the parties (hereinafter “Main Agreement”), under which the Contractor processes personal data for the Client
To specify the parties' mutual data-protection rights and obligations, the parties enter into this Agreement
In case of doubt, the provisions of this Agreement take precedence over those of the Main Agreement
Duration of Processing
The processing is carried out for an indefinite period, unless otherwise agreed in the Service Descriptions and the respective contractual agreements
The termination periods set out in the respective contractual agreements remain unaffected
Right to Issue Instructions
The Contractor may collect, process or use Data only within the scope of the Main Agreement, the Service Description and in accordance with the instructions of the Client; this applies in particular with regard to the transfer of personal data to a third country or to an international organisation
If the Contractor is required by Union or Member State law to which it is subject to carry out further processing, it shall inform the Client of those legal requirements before processing
The instructions of the Client are initially laid down by this agreement and may thereafter be amended, supplemented or replaced by the Client in Written Form or in Text Form by individual instructions (single instruction)
Oral instructions must be confirmed by the Client without undue delay in Written Form or in an electronic format offered for this purpose by the Contractor
The Client is entitled to issue corresponding instructions at any time
This includes instructions regarding the rectification, erasure and blocking of Data
The persons authorised to issue instructions are the managing directors, authorised signatories, or partners of the Client
Where instructions of the Client are not covered by the contractually agreed scope of services, they shall be treated as a request for a change in services
When proposing changes, the Contractor shall inform the Client of the resulting impact on the agreed services, in particular on the feasibility of performance, deadlines and remuneration
If the implementation of the instruction is not reasonable for the Contractor, the Contractor is entitled to terminate the processing
In all other respects, the Service Descriptions and the respective contractual agreements apply
If the Contractor takes the view that an instruction of the Client infringes data-protection provisions, it shall notify the Client without undue delay
The Contractor is entitled to suspend the implementation of the instruction concerned until it is confirmed or amended by the Client
The Contractor may refuse to implement an instruction that is manifestly unlawful
Type of Personal Data and Categories of Data Subjects
The type of personal data comprises all kinds of personal data which the Contractor processes on behalf of the Client
With regard to the processing of personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR, the Client is obliged to ensure, on its own responsibility, that the applicable statutory requirements are complied with
In the course of performing the Service Description, the Contractor receives access to the personal data further specified in Appendix 1 “Description of the personal data processed”
These data include the special categories of personal data listed and identified as such in Appendix 1 “Description of the personal data processed”
The group of data subjects affected by the data processing is set out in Appendix 2 “Description of the Data Subjects / Categories of Data Subjects”
Protective Measures of the Contractor
The Contractor is obliged to comply with the statutory provisions on data protection and not to disclose information obtained from the Client's sphere to third parties or expose it to their access
Documents and Data shall be secured against access by unauthorised persons, taking into account the state of the art
The Contractor shall organise its internal arrangements within its area of responsibility in such a way as to meet the specific requirements of data protection; it shall take all necessary technical and organisational measures for the adequate protection of the Client's Data pursuant to Article 32 GDPR, in particular at least the measures listed in Appendix 3 “Technical and Organisational Measures of the Contractor” concerning
- a) Physical access control
- b) System access control
- c) Data access control
- d) Transfer control
- e) Input control
- f) Job control
- g) Availability control
- h) Separation control
The Contractor has appointed as Data Protection Officer: PROLIANCE GmbH, www.datenschutzexperte.de, Leopoldstr. 21, 80802 Munich, datenschutzbeauftragter@datenschutzexperte.de
When contacting the Data Protection Officer, please state the company to which your request relates
Please refrain from including sensitive information such as a copy of an ID document with your request
The Contractor reserves the right to amend the security measures taken, while ensuring that the contractually agreed level of protection is not reduced
Persons employed by the Contractor in the data processing are prohibited from collecting, processing or using personal data without authorisation
The Contractor shall correspondingly oblige all persons entrusted by it with the handling and performance of this agreement (hereinafter “employees”) (obligation of confidentiality, Article 28(3)(b) GDPR) and shall ensure compliance with this obligation with due diligence
These obligations must be drafted in such a way that they continue to exist even after termination of this agreement or of the employment relationship between the employee and the Contractor
Upon request, the Contractor shall provide the Client with appropriate evidence of these obligations
The Client can review the technical and organisational measures currently in force at the following website: https://www.top.legal/toms.
Before entering into the Data Processing Agreement, and at regular intervals thereafter, the Client shall inform itself about these technical and organisational measures
The Client is responsible for ensuring that the contractually agreed technical and organisational measures in force at any given time provide an appropriate level of protection for the risks of the Data to be processed
Information Duties of the Contractor
In the event of disruptions, suspected data-protection breaches or breaches of the Contractor's contractual obligations, suspected security-relevant incidents or other irregularities in the processing of personal data by the Contractor, by persons employed by it in the course of the engagement or by third parties, the Contractor shall inform the Client without undue delay in Written Form or in Text Form
The same applies to inspections of the Contractor by the data-protection supervisory authority
The notification of a personal data breach shall contain at least the following information:
- a) a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- b) a description of the measures taken or proposed by the Contractor to address the breach and, where appropriate, measures to mitigate its possible adverse effects
The Contractor shall take, without undue delay, the necessary measures to secure the Data and to mitigate possible adverse consequences for the Data Subjects, inform the Client of such measures and request further instructions
The Contractor is further obliged to provide the Client at any time with information to the extent that its Data are affected by a breach pursuant to Paragraph 1
If the Client's Data held by the Contractor are jeopardised by seizure or attachment, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Client thereof without undue delay, unless prohibited from doing so by judicial or official order
In this context the Contractor shall, without undue delay, inform all responsible bodies that decision-making authority over the Data lies exclusively with the Client as “controller” within the meaning of the GDPR
The Contractor shall inform the Client without undue delay of material changes to the security measures pursuant to Section 6 Paragraph 2
Any change in the person of the contact for data protection shall be communicated to the Client without undue delay
The Contractor and, where applicable, its representative shall maintain a record of all categories of processing activities carried out on behalf of the Client, containing all information pursuant to Article 30(2) GDPR
The record shall be made available to the Client on request
The Contractor shall reasonably assist the Client in preparing the record of processing activities, providing the necessary information to the Client in an appropriate manner
Audit Rights of the Client
Before the start of data processing and once a year thereafter, the Client shall satisfy itself of the Contractor's technical and organisational measures
For this purpose, the Client may, for example, obtain information from the Contractor, have existing attestations by experts, certifications or internal audit reports submitted, or, after timely coordination during normal business hours, audit the Contractor's technical and organisational measures itself in person or have them audited by a competent third party, provided that such third party is not in a competitive relationship with the Contractor
The Client shall carry out audits only to the extent necessary and shall not unreasonably disrupt the Contractor's operations
The Contractor undertakes to provide the Client, upon oral or written request and within a reasonable period, with all information and evidence required to carry out an audit of its technical and organisational measures
The Client documents the audit result and communicates it to the Contractor
In the event of errors or irregularities which the Client identifies, in particular when reviewing the results of the processing, it shall inform the Contractor without undue delay
If, during the audit, facts are identified the future avoidance of which requires changes to the prescribed procedural flow, the Client shall communicate the necessary procedural changes to the Contractor without undue delay
At the Client's request, the Contractor shall make available to the Client a comprehensive and up-to-date data-protection and security concept for the processing on behalf, as well as for the persons authorised to access the Data
Upon request, the Contractor shall provide the Client with evidence of the confidentiality commitment of employees pursuant to the Section “Protective Measures of the Contractor” of this Agreement
Processing on Documented Instructions
The Contractor and any person acting under its authority may process the personal data only within the scope of the Service Description and the respective contractual agreements between the Contractor and the Client and the instructions of the Client, unless an exception within the meaning of Article 28(3) second sentence (a) GDPR applies
The Contractor receives instructions of the Client in Written Form as well as through the electronic formats offered by the Contractor for this purpose
Oral instructions must be confirmed by the Client without undue delay in Written Form or in an electronic format offered for this purpose by the Contractor
The Contractor shall inform the Client without undue delay if it considers that an instruction infringes applicable laws
The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client
Where instructions of the Client are not covered by the contractually agreed scope of services, they shall be treated as a request for a change in services
When proposing changes, the Contractor shall inform the Client of the resulting impact on the agreed services, in particular on the feasibility of performance, deadlines and remuneration
If the implementation of the instruction is not reasonable for the Contractor, the Contractor is entitled to terminate the processing
In all other respects, the Service Descriptions and the respective contractual agreements apply
Engagement of Subcontractors
The contractually agreed services or the subservices described below shall be performed with the involvement of the Subcontractors listed in Appendix 4 “Approved Subcontractors”
The Contractor is entitled, within the scope of its contractual obligations, to enter into further sub-processing relationships with Subcontractors (“Subcontractor Relationship”)
It shall inform the Client thereof without undue delay
The Contractor is obliged to select Subcontractors carefully based on their suitability and reliability
When engaging Subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement and shall ensure that the Client can also exercise its rights under this Agreement (in particular its audit and inspection rights) directly against the Subcontractors
Where Subcontractors are to be engaged in a third country, the Contractor shall ensure that an adequate level of data protection is guaranteed at the respective Subcontractor (for example by entering into an agreement based on the EU standard data protection clauses)
Upon request, the Contractor shall provide the Client with evidence of the conclusion of the aforementioned agreements with its Subcontractors
A Subcontractor Relationship within the meaning of these provisions does not exist where the Contractor engages third parties for services that are to be regarded as mere ancillary services
These include, for example, postal, transport and dispatch services, cleaning services, telecommunications services without specific reference to services that the Contractor provides for the Client, and security services
Maintenance and inspection services constitute Subcontractor Relationships requiring approval insofar as they are provided for IT systems that are also used in connection with the provision of services to the Client
Requests and Rights of Data Subjects
The Contractor shall, as far as possible, assist the Client by appropriate technical and organisational measures in fulfilling its obligations under Articles 12 to 22 as well as 32 and 36 GDPR
The Contractor is entitled to demand reasonable remuneration from the Client for these assistance services
If a Data Subject asserts rights, such as the right to information, rectification or erasure of his or her Data, directly vis-à-vis the Contractor, the Contractor shall not respond independently, but shall refer the Data Subject without undue delay to the Client and await the Client's instructions
Liability
In the internal relationship with the Contractor, the Client alone is responsible vis-à-vis the Data Subject for the compensation of damages suffered by a Data Subject due to processing or use of Data within the scope of the Processing on Behalf that is impermissible or incorrect under data-protection laws
The parties shall indemnify each other from liability if one party demonstrates that it is in no way responsible for the circumstance through which the damage to a Data Subject occurred
Handling of Data after the Provision of Processing Services Ends
After termination of the Main Agreement or at any time upon the Client's request, the Contractor shall return to the Client all documents, Data and Data Carriers entrusted to it or — at the Client's request, unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany — erase them
This also covers any backups held by the Contractor
The Contractor shall provide documented evidence of the proper erasure of any remaining Data
Documents to be disposed of shall be destroyed using a paper shredder in accordance with DIN 32757-1; Data Carriers to be disposed of shall be destroyed in accordance with DIN 66399
The Client has the right to verify, in an appropriate manner, the complete and contractually compliant return or erasure of the Data at the Contractor
Anonymisation Agreement
The Contractor has the right to anonymise the personal data covered by this Agreement and to carry out beforehand the processing steps necessary for anonymisation
While preserving anonymity, the Contractor may process and use all data thus generated for its own purposes such as the creation of operational or industry benchmarks or other purposes of an economic or operational information nature, statistical evaluations, benchmarking, product improvements, new product developments and other comparable purposes
This also includes anonymised disclosure to users and third parties, in particular to associations, organisations or research institutions as well as for publications
Final Provisions
The parties agree that the Contractor's plea of a right of retention within the meaning of Section 273 BGB with regard to the Data to be processed and the associated Data Carriers is excluded
Amendments and additions to this Agreement must be made in Written Form; this also applies to a waiver of this formal requirement
The precedence of individual contractual agreements remains unaffected
Should individual provisions of this Agreement be or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions
This Agreement is governed by German law; the exclusive place of jurisdiction is Munich
Appendix 1 — Description of personal data processed
Salutation, surname, first name, address, title
Telephone, email
Contractual relationship, product or contract interest
Login timestamp, IP address, device, browser, location, MAC address, product version
Appendix 2 — Description of Data Subjects / Categories of Data Subjects
- Employees of the Client who jointly use the software and whose data is recorded and managed in the software
- Clients and corporate customers of the Client who are recorded and managed in the software
Appendix 3 — Technical and Organisational Measures of the Contractor
Our technical and organisational measures are available at the following link: https://www.top.legal/toms
Appendix 4 — Approved Subcontractors
| Company | Address | Purpose |
|---|---|---|
| Amazon Web Services, Inc. | 410 Terry Avenue North, Seattle WA 98109, United States | Operation and administration of the top.legal application, automated email dispatch in connection with the contractual relationship, storage and administration of personal data in connection with the contractual relationship |
| HubSpot, Inc. | 25 First Street, Cambridge, MA 02141, USA | CRM administration tool for users of the top.legal application |
| Google LLC | Unter den Linden 14, 10117 Berlin, Germany | File storage and email dispatch in connection with processing support requests |
| Functional Software Inc. (Sentry) | 132 Hawthorne Street, San Francisco, California 94107, USA | Processing of incident reports and support requests |
| Stripe, Inc. | 510 Townsend Street, San Francisco, CA 94103, USA | Project billing within the top.legal application |
| Intercom, Inc. | 55 2nd Street, 4th Fl., San Francisco, CA 94105, USA | Real-time support service for software customers of top.legal |
| Segment.io, Inc. | 100 California Street Suite 700, San Francisco, CA 94111 USA | — |
| Mixpanel | 92 Av. des Champs-Élysées Paris, 75008, France | Analysis of user behaviour for the top.legal software in order to improve existing features and develop new functionality; personal data is sanitised in the course of this process |