Data processing agreement (AV Agreement)
1. Subject matter of the order, categories of data, data subjects, nature, scope and purpose of the processing (Art. 28 (3), 30 (2) GDPR)
- The subject matter of this AV Agreement, the personal data processed within the scope of the order (Art. 4 No. 1 GDPR; hereinafter "Data"), the persons affected by the processing (hereinafter "Data Subjects") and the nature, scope and purposes of the processing are determined by the following legal relationship(s) between the Contracting Parties (hereinafter the "Main Agreement"):
The Contracting Parties cooperate on the basis of individual orders placed by the Client with the Contractor or within the framework of individual contracts concluded between the Client and the Contractor.
The provisions of this AV Agreement take precedence over the Main Agreement.
- Types of data:
- Inventory data (e.g. names, addresses)
- Contact data (e.g. e-mail addresses, telephone numbers)
- Content data (e.g. text entries, photographs, videos)
- Image and/or video recordings
- Contract data (e.g. subject matter of the contract, term)
- Payment and billing data (e.g. bank details, payment history, receivables)
- Creditworthiness data
- Usage data (e.g. functions used, web pages visited, purchasing behaviour, interests)
- Location data (geographical positions or movements)
- Data of competition participants (e.g. names, addresses, competition entries)
- Log data (e.g. log files on logins, data retrievals or access times)
- Meta and connection data (e.g. connection or retrieval partner, duration, type)
- Telemetry data (system or software measurement data)
- Employee master and contact data (e.g. names, addresses, e-mail addresses)
- Data on contracts with employees (content, salary, tax characteristics, conditions)
- Data on performance and conduct (e.g. evaluations, references, grades)
- Applicant data (e.g. names, contact data, application documents)
- Data on contracts with business partners (content, fees, conditions, payment transactions)
- Member data (names, membership status, contribution payments)
- Categories of Data Subjects:
- Website visitors
- Software users and operators
- Recipients of marketing measures (e.g. advertising target groups, newsletter recipients)
- Prospective customers interested in the services offered
- Consumers / private end customers
- Business customers
- Business partners
- Employees
- Pupils / students
- Purposes of processing:
- Consulting services
- Support and management of websites, online shops, social media, etc.
- Creation and processing of personal profiles (e.g. user profiles)
- Bookkeeping, payroll and/or wage accounting
- E-mail marketing
- Setup, maintenance and support of IT equipment and systems
- Installation, maintenance and support of telecommunication equipment and systems
- Disposal of files or data carriers
- Provision of IT security services
- Acquisition and processing of contact information, addresses and leads
- Debt collection and enforcement
- Customer management and/or customer support
- Planning, implementation and/or supervision of events and functions
- Software-as-a-Service (SaaS) services
- Telecommunications services
- Software development and/or maintenance services
- Corporate communications (internal / external)
- Administrative and/or management services
- Video surveillance and/or premises security
- Web and cloud hosting
- Advertising and marketing (consulting, conception, implementation and execution)
- Analysis and evaluation of visitors to websites / online shops
2. Responsibility and right to issue instructions
- The Client is the controller within the meaning of Art. 4 No. 7 GDPR and is responsible for compliance with data protection requirements, in particular for the selection of the Contractor, the Data transferred to the Contractor and the instructions issued (Art. 28 (3) lit. a, 29 and 32 (4) GDPR).
- The Contractor may process Data only within the scope of the Main Agreement and the Client's instructions (which applies in particular to their rectification, erasure or restriction of processing) and only insofar as the processing is necessary for this purpose, unless the Contractor is required to process by Union or Member State law to which the Contractor is subject; in such a case, the Contractor shall notify the Client of those legal requirements before processing, unless that law prohibits such notification on important grounds of public interest (Art. 28 (3) sentence 2 lit. a GDPR).
- The Client may issue supplementary instructions at any time with regard to the processing of the Data and the security measures.
- If the Contractor is of the opinion that an instruction of the Client infringes applicable data protection law, it shall notify the Client thereof without undue delay. In this case, the Contractor is entitled to suspend execution of the instruction until the Client confirms it, and to refuse execution of obviously unlawful instructions.
- If the Client's supplementary instructions go beyond the Contractor's obligation to perform under the Main Agreement and are not attributable to any misconduct on the part of the Contractor, the Client shall compensate the Contractor separately for the additional expenses incurred as a result.
- The Contracting Parties may designate persons authorised to give and receive instructions (in particular where these do not already follow from the Main Agreement) and shall notify each other of any change in these persons without undue delay.
3. Security concept and related obligations
- The Contractor shall organise its internal organisation within its area of responsibility in accordance with the legal requirements and shall in particular implement technical and organisational measures (hereinafter "TOMs") that adequately safeguard the confidentiality, integrity and availability of the Client's Data, taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of Data Subjects, and shall maintain these measures (Art. 28 (3) and 32 to 39 in conjunction with Art. 5 GDPR). TOMs include in particular physical access control, system access control, data access control, transfer control, input control, order control, availability control, separation control and the safeguarding of Data Subject rights.
- The TOMs underlying this AV Agreement are set out in Annex 1 "Security Concept". They may be further developed in line with technical progress and replaced by adequate protective measures, provided that the security level of the specified measures is not undercut and the Client is notified of any significant changes.
- The Contractor shall ensure that the persons authorised to process the Client's Data are bound to confidentiality and secrecy (Art. 28 (3) sentence 2 lit. b, 29 and 32 (4) GDPR) and have been instructed in the protective provisions of the GDPR, or are subject to an appropriate statutory duty of confidentiality.
- The Data provided within the scope of this AV Agreement, as well as data carriers and all copies made of them, remain the property of the Client, shall be stored carefully by the Contractor, shall be protected against access by unauthorised third parties and may be destroyed only with the Client's consent and then only in accordance with data protection law. Copies of Data may be made only if they are necessary for the fulfilment of the Contractor's main and ancillary obligations towards the Client (e.g. backups).
- Where required by the GDPR or by supplementary, in particular national, regulations, the Contractor shall appoint a data protection officer in accordance with the statutory requirements and inform the Client accordingly (Art. 37 to 39 GDPR).
4. Duties to provide information and to cooperate
- The rights of Data Subjects shall be exercised vis-à-vis the Client; the Contractor shall support the Client in this respect pursuant to Art. 28 (3) sentence 2 lit. e GDPR and shall in particular inform the Client of requests it receives from Data Subjects.
- The Contractor shall inform the Client without undue delay and in full if, in the course of processing the Data, it discovers errors or irregularities with regard to compliance with the provisions of this AV Agreement or the relevant data protection regulations.
- If the Contractor discovers facts giving reason to believe that the protection of the Data processed for the Client has been breached, the Contractor shall inform the Client without undue delay and in full, shall immediately take any necessary protective measures and shall support the Client in fulfilling its obligations under Art. 33 and 34 GDPR.
- If the security of the Client's Data is endangered by measures of third parties (e.g. creditors, authorities, courts) such as attachment, seizure or insolvency proceedings, the Contractor shall immediately inform those third parties that sovereignty over and ownership of the Data lie exclusively with the Client and, after consultation with the Client, take appropriate protective measures where necessary (e.g. filing objections or applications).
- The Contractor shall inform the Client without undue delay if a supervisory authority takes action against the Contractor and that action may affect the Data processed for the Client. The Contractor shall support the Client in performing its obligations towards supervisory authorities (in particular to provide information and to tolerate inspections) (Art. 31 GDPR).
- The Contractor shall provide the Client with the information on the processing of Data within the scope of this AV Agreement that the Client needs to fulfil its legal obligations (which may include in particular requests from Data Subjects or authorities, compliance with its accountability obligations under Art. 5 (2) GDPR and the performance of a data protection impact assessment under Art. 35 GDPR), unless the Client is able to obtain such information itself. The information must be available to the Contractor and need not be obtained from third parties; employees, agents and sub-processors of the Contractor are not considered third parties.
- If the provision of the necessary information and the cooperation go beyond the Contractor's obligation to perform under the Main Agreement and are not attributable to any misconduct on the part of the Contractor, the Client shall compensate the Contractor separately for the additional expenses incurred as a result.
5. Rights of inspection
- The Client has the right to monitor the Contractor's compliance with the statutory requirements and the provisions of this AV Agreement, in particular the TOMs, to the extent necessary and at any time (Art. 28 (3) lit. h GDPR).
- On-site inspections shall take place during normal business hours, shall be announced by the Client with reasonable notice (at least 14 days, except in emergencies) and shall be supported by the Contractor (e.g. by providing personnel).
- Inspections are limited to the necessary scope and must take into account the Contractor's trade and business secrets as well as the protection of personal data of third parties (e.g. other customers or employees of the Contractor). Only competent persons who can identify themselves and who are bound to secrecy with regard to the Contractor's trade and business secrets, processes and personal data of third parties may carry out the inspection.
- Instead of inspections, in particular on-site inspections, the Contractor may refer the Client to an equivalent inspection by independent third parties (e.g. neutral data protection auditors), to compliance with approved codes of conduct (Art. 40 GDPR) or to suitable data protection or IT security certifications pursuant to Art. 42 GDPR. This applies in particular if the Contractor's trade and business secrets or personal data of third parties would be endangered by the inspections.
- If tolerating and cooperating in the Client's inspections or adequate alternative measures goes beyond the Contractor's obligation to perform under the Main Agreement and is not attributable to any misconduct on the part of the Contractor, the Client shall compensate the Contractor separately for the additional expenses incurred as a result.
6. Sub-processing relationships
- If the Contractor engages a sub-processor (i.e. a subcontractor or sub-subcontractor) to carry out specific processing activities on behalf of the Client, the Contractor shall impose on the sub-processor, by way of a contract or other legal instrument permitted under the GDPR, the same data protection obligations the Contractor has assumed under this AV Agreement (in particular with regard to compliance with instructions, compliance with the TOMs, provision of information and toleration of inspections). Furthermore, the Contractor shall carefully select the sub-processor, verify its reliability and monitor it and its compliance with the contractual and legal requirements (Art. 28 (2) and (4) GDPR).
- Without prejudice to any restrictions under the Main Agreement, the Client expressly agrees that the Contractor may engage sub-processors within the scope of the commissioned processing.
- The sub-processing relationships existing at the time this AV Agreement is concluded are listed by the Contractor in Annex 2 "Sub-processing Relationships" and are deemed approved by the Client.
- The Contractor shall inform the Client of changes to the sub-processors that are relevant to the commissioned processing. The Client shall exercise its right to object to such changes or to new sub-processors only in accordance with the principles of good faith, reasonableness and fairness.
- Contractual relationships in which the Contractor uses the services of third parties purely as an ancillary service in order to carry out its business activities (e.g. cleaning, security or transport services) do not constitute sub-processing within the meaning of the above provisions of this AV Agreement. Nevertheless, the Contractor shall ensure, e.g. by means of contractual agreements or notices and instructions, that the security of the Data is not jeopardised and that the requirements of this AV Agreement and the data protection regulations are complied with.
7. Processing in third countries
- The contractually agreed data processing shall take place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area (EEA).
- Commissioned processing in a third country, including by sub-processors, requires the Client's prior consent and may be carried out only if the specific requirements of Art. 44 et seq. GDPR are met, unless the Contractor is required to process in the third country by Union or Member State law to which the Contractor is subject; in such a case, the Contractor shall notify the Client of those legal requirements before processing, unless that law prohibits such notification on important grounds of public interest (Art. 28 (3) sentence 2 lit. a GDPR).
- The Client's consent to processing in a third country is deemed to have been given with regard to the processing operations listed in Annex 2 "Sub-processing Relationships".
8. Duration of the order, termination of the contract and deletion of data
- This AV Agreement enters into force upon its conclusion, is concluded for an indefinite period and ends no later than upon expiry of the Main Agreement.
- The Contracting Parties reserve the right of extraordinary termination, in particular in the event of a serious breach of the provisions of this AV Agreement or of applicable data protection law. Extraordinary termination shall generally be preceded by a warning of the breaches with a reasonable period for remedy; such a warning is not required if the breaches complained of cannot be expected to be remedied or are so serious that the terminating party cannot reasonably be expected to continue the AV Agreement.
- Upon completion of the processing services under this AV Agreement, the Contractor shall, at the Client's option, either delete or return all personal data and copies thereof (as well as all documents, processing and usage results created and data files that have come into its possession in connection with the contractual relationship), unless Union or Member State law requires storage of the personal data (Art. 28 (3) sentence 2 lit. g GDPR). Any right of retention with regard to the processed Data and the associated data carriers is excluded. With regard to deletion or return, the Client's rights to information, proof and inspection under this AV Agreement apply.
- In all other respects, the obligations under this AV Agreement with regard to the Data processed on behalf of the Client continue to apply after termination of the AV Agreement.
- If the deletion or return of the Data goes beyond the Contractor's obligation to perform under the Main Agreement and is not attributable to any misconduct on the part of the Contractor, the Client shall compensate the Contractor separately for the additional expense incurred as a result.
9. Remuneration
- The remuneration agreed under this AV Agreement also covers an expense allowance for the working time of the personnel deployed by the Contractor as well as necessary expenses (e.g. travel or material costs). Where possible, foreseeable and reasonable, the Contractor shall inform the Client of the expected amount of remuneration by way of a proper estimate.
- The amount of the remuneration is governed by the Main Agreement. If the Main Agreement contains no remuneration provisions or correspondingly applicable rates for services relevant to this AV Agreement, the Contractor's usual rates apply or, if these cannot be determined, the rates customary in the industry.
10. Liability
- For compensation of damage suffered by a Data Subject as a result of inadmissible or incorrect data processing or use within the scope of the commissioned processing under the data protection laws, the Client alone shall be liable vis-à-vis the Data Subject in the internal relationship with the Contractor.
- Each Contracting Party is released from liability if it proves that it is not in any respect responsible for the circumstance that caused the damage to a Data Subject.
11. Final provisions, order of precedence, amendments, form of communication, choice of law, place of jurisdiction
- Amendments, collateral agreements and supplements to this AV Agreement and its annexes require a written agreement and an express indication that it constitutes an amendment or supplement to this AV Agreement. This also applies to any waiver of this formal requirement.
- This AV Agreement obliges the Contractor only to the extent necessary to fulfil the statutory obligations, in particular under Art. 28 et seq. GDPR, and imposes no further obligations on the Contractor.
- Unless written form is required under this AV Agreement or the Main Agreement, communication between the Contractor and the Client within the scope of this AV Agreement (in particular with regard to instructions and the provision of information) shall take place at least in text form (e.g. e-mail). A lesser form (e.g. oral) may be permissible instead of text form where the circumstances require it (e.g. in an emergency), but must be confirmed without undue delay at least in text form. Where written form is required, written form within the meaning of the GDPR is meant.
- The law of the Federal Republic of Germany applies. The exclusive place of jurisdiction for all disputes arising from or in connection with this AV Agreement is the Contractor's registered office, provided that the Client is a merchant, a legal entity under public law or a special fund under public law, or the Client has no place of jurisdiction in the Federal Republic of Germany. The Contractor reserves the right to assert its claims at the statutory place of jurisdiction.
Data processing agreement
Annex 1 – Security concept
Technical and organisational measures pursuant to Art. 32 GDPR
Fundamental measures that serve to safeguard the rights of Data Subjects, to respond immediately in emergencies, to meet the requirements of data protection by design and to protect Data at the employee level:
- An internal data protection management system is in place; compliance with it is monitored and evaluated continuously on an ad hoc basis and at least semi-annually.
- A concept is in place to ensure that the rights of Data Subjects (information, rectification, erasure or restriction of processing, data portability, withdrawals and objections) are safeguarded within the statutory time limits. It includes forms, guidance and established implementation procedures as well as the designation of persons responsible for implementation.
- A concept is in place to ensure an immediate response to personal data breaches (review, documentation, notification) in accordance with the legal requirements. It includes forms, guidance and established implementation procedures as well as the designation of persons responsible for implementation.
- The protection of personal data is taken into account already during the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default (Art. 25 GDPR), taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing.
- The software used is kept up to date at all times, as are virus scanners and firewalls.
- Employees are bound to secrecy with regard to data protection, are instructed and trained, and are made aware of possible liability consequences. Where employees work outside the company's premises or use private devices for company activities, special rules exist to protect Data in these situations and to safeguard the rights of clients of commissioned processing.
- Keys, access cards or codes issued to employees, as well as authorisations granted with regard to the processing of personal data, are withdrawn or revoked when they leave the company or change responsibilities.
- Cleaning staff, security personnel and other service providers used for ancillary tasks are carefully selected, and it is ensured that they observe the protection of personal data.
- Physical access control
- System and data access control
  - Always up-to-date virus protection.
  - Always current software versions.
  - Minimum password lengths and password managers.
- Transfer control
  - Encryption of data carriers and connections.
- Input control
- Order control
  - Selection of contractors on the basis of due diligence.
  - Written specification of instructions.
  - Verification of contractors' compliance.
  - Ensuring the destruction of data after completion of the order.
- Availability control / integrity
  - Continuously monitored backup and recovery concept.
- Purpose limitation / separation requirement
  - Logical client separation (on the software side).
  - Separation of production and test systems.
Annex 2 – Sub-processing relationships
We use various portals to engage our subcontractors. We have direct contact with these persons; however, the assignment is made through the following portals:
- Fiverr International Ltd.
- Upwork Global Inc.
- Freelancer Limited
- freelance.de GmbH
We therefore have no contact details for the individuals themselves to provide here.