Attachment to the order processing

  1. Subject of the contract

In the course of providing the Services pursuant to the Main Agreement, the Contractor shall process personal data provided by the Client for the purpose of providing the Services and with respect to which the Client acts as the controller in the sense of data protection law (hereinafter "Client Data"). The object of the data processing on behalf of the Client is therefore the offer provided by the Contractor for the implementation of online training courses on the subject of corporate strategies. This Annex specifies the data protection obligations and rights of the parties in connection with the processing of the Client Data for the provision of the services under the Main Agreement, specifically the provision of corresponding access to an e-learning portal.

  2. Scope of the assignment

2.1 The Contractor shall process the Client Data on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 DSGVO (commissioned processing). The Client shall remain the responsible party in the sense of data protection law.

2.2 The processing of Client Data by the Contractor shall be carried out in the manner, to the extent and for the purpose as set forth in Annex 1 to this Agreement; the processing concerns the types of personal data and categories of data subjects designated therein. The duration of the processing is not limited in time.

2.3 The processing of Client Data by the Contractor shall generally take place within the European Union or in another contracting state of the Agreement on the European Economic Area (EEA). The Contractor is nevertheless permitted to process Client Data outside the EEA in compliance with the provisions of this Agreement if the Contractor informs the Client in advance of the location of the data processing and the requirements of Art. 44-48 of the GDPR are met or an exception pursuant to Art. 49 of the GDPR applies.

  3. Client's right to issue instructions

3.1 The Contractor may only process data within the scope of the main contract and in accordance with the Client's instructions. If the Contractor is required by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall notify the Client of these legal requirements prior to the processing, provided that it is legally permitted to do so.

3.2 The Client's instructions shall initially be determined by this Agreement and may thereafter be amended, supplemented or replaced by the Client in writing or in text form by means of individual instructions. The Client shall be entitled to issue such instructions at any time. This also includes instructions regarding the correction and deletion of data as well as the restriction of processing.

3.3 All instructions issued shall be documented by both the Client and the Contractor. Instructions that go beyond the performance agreed in the main contract shall be treated as a request for a change in performance. Regulations regarding any remuneration for additional expenses incurred as a result of supplementary instructions issued by the Client to the Contractor shall remain unaffected.

3.4 If the Contractor is of the opinion that an instruction of the Customer violates data protection provisions, it shall notify the Customer thereof without undue delay. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Customer. The Contractor may refuse to carry out an obviously illegal instruction.

  4. Responsibility of the Client

4.1 The Customer shall be solely responsible for the lawfulness of the processing of the Customer Data as well as for the protection of the rights of the data subjects in the relationship between the parties. Should third parties assert claims against the Contractor based on the processing of Client Data in accordance with this Agreement, the Client shall indemnify the Contractor against all such claims.

4.2 The Client shall be responsible for the quality of the Client Data. The Client shall inform the Contractor immediately and in full if it discovers errors or irregularities with regard to data protection regulations or its instructions when checking the Contractor's order results.

4.3 Upon request, the Customer shall provide the Contractor with the information referred to in Article 30 (2) of the GDPR, unless the Contractor has such information itself.

4.4 If the Contractor is obliged to provide information about the processing of Client Data to a government agency or person or to otherwise cooperate with such agencies, the Client shall be obliged to support the Contractor in providing such information or in fulfilling other obligations to cooperate.

  5. Personnel requirements

The Contractor shall oblige all persons who process Client Data to maintain confidentiality with regard to the processing of Client Data.

  6. Security of processing

6.1 The Contractor shall, in accordance with Article 32 of the GDPR, take the necessary and appropriate technical and organizational measures, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing of the Client Data, as well as the varying likelihood and severity of the risk to the rights and freedoms of the data subjects, to ensure a level of protection for the Client Data appropriate to the risk. This shall include, at a minimum, the measures set forth in Annex 3.

6.2 The Contractor shall be permitted to modify or adapt technical and organizational measures during the term of the Agreement as long as they continue to meet the statutory requirements.

  7. Use of other processors

7.1 The Client hereby grants the Contractor general permission to involve further processors with regard to the processing of Client Data. The further processors engaged at the time of conclusion of the contract are listed in Annex 2. In general, contractual relationships with service providers whose activities do not involve commissioned processing are not subject to approval, even if access to Client Data cannot be ruled out, as long as the Contractor makes appropriate arrangements to protect the confidentiality of the Client Data.

7.2 The Contractor shall inform the Customer of any intended changes with regard to the involvement or replacement of further Processors. The Customer shall have the right to object to the commissioning of a potential additional Processor. If the Customer does not object within 14 days after receipt of the notification, its right to object with regard to the corresponding commissioning shall expire. If the Client raises an objection, the Contractor shall be entitled to terminate the Main Agreement and this Agreement.

7.3 The contract between the Contractor and the additional Processor shall impose the same obligations on the latter as are imposed on the Contractor by virtue of this Contract. The parties agree that this requirement is met if the contract has a level of protection corresponding to this contract or if the obligations set out in Article 28 (3) of the GDPR are imposed on the additional processor.

7.4 Subject to compliance with the requirements of Section 2.4 of this Agreement, the provisions in this Section 7 shall also apply if another Processor in a third country is involved. The Customer declares its willingness to cooperate to the necessary extent in the fulfillment of the requirements pursuant to Art. 49 DSGVO.

  8. Rights of the data subjects

8.1 The Contractor shall support the Client with technical and organizational measures in fulfilling its obligation to respond to requests to exercise the rights of data subjects to which they are entitled.

8.2 Insofar as a data subject asserts a request to exercise the rights to which it is entitled directly against the Contractor, the Contractor shall promptly forward this request to the Client.

8.3 The Contractor shall provide the Customer with information about the stored Customer Data, the recipients of Customer Data to whom the Contractor passes it on in accordance with the order, and the purpose of the storage, unless the Customer has this information itself or can obtain it itself.

8.4 The Contractor shall enable the Client to correct, delete or restrict the further processing of Client Data or, at the request of the Client, to carry out the correction, blocking or restriction of further processing itself if and to the extent that this is impossible for the Client itself.

8.5 Insofar as a data subject has a right to data portability with respect to the Client Data pursuant to Art. 20 GDPR, the Contractor shall support the Client, within the scope of what is reasonable and necessary, in providing the Client Data in a common and machine-readable format, against reimbursement of the proven expenses and costs incurred by the Contractor as a result, if the Client cannot procure the data otherwise.

  9. Notification and support obligations of the Contractor

9.1 Insofar as the Customer is subject to a statutory obligation to report or notify due to a breach of the protection of Customer Data (in particular pursuant to Art. 33, 34 DSGVO), the Contractor shall inform the Customer without undue delay of any reportable events in its area of responsibility. The Contractor shall support the Client in fulfilling the reporting and notification obligations.

9.2 The Contractor shall support the Client in any data protection impact assessments to be carried out by the Client and any subsequent consultations with the supervisory authorities pursuant to Art. 35, 36 DSGVO.

9.3 The Contractor shall support the Client in fulfilling its obligation under Art. 32 GDPR to take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk.

  10. Data deletion

10.1 The Contractor shall delete the Client Data after termination of this Agreement, unless the Contractor is under a legal obligation to continue storing the Client Data.

10.2 Documentation which serves as evidence of the proper processing of Client Data in accordance with the order may be retained by the Contractor even after the end of the contract.

  11. Verification and audits

11.1 The Contractor shall provide the Customer at the latter's request with all information required and available at the Contractor to prove compliance with its obligations under this Agreement.

11.2 The Client shall be entitled to verify the Contractor's compliance with the provisions of this Agreement, in particular the implementation of the technical and organizational measures, including by means of on-site inspections.

11.3 In order to carry out inspections in accordance with Section 11.2, the Customer shall be entitled to enter the Contractor's business premises where Customer Data are processed during normal business hours in accordance with Section 11.5 at its own expense and subject to strict confidentiality of the Contractor's trade and business secrets. Inspections shall generally be announced in due time, unless an inspection without prior notification appears necessary because otherwise the purpose of the inspection would be jeopardized.

11.4 The Contractor shall be entitled, at its own discretion, taking into account the Customer's legal obligations, not to disclose information if the Contractor would violate legal or other contractual regulations by disclosing it. The Customer shall not be entitled to have access to data or information on customers of the Contractor, to information regarding costs, to quality review and contract management reports as well as to all other confidential data of the Contractor which are not directly relevant for the agreed review purposes.

11.5 The Customer shall inform the Contractor in due time (as a rule at least two weeks in advance) about all circumstances related to the performance of the review. Reviews shall be carried out after consultation with the Contractor.

11.6 If the Customer commissions a third party to carry out the inspection, the Customer shall obligate the third party in writing in the same way as the Customer is obligated to the Contractor on the basis of this Section 11 of this Agreement. In addition, the Customer shall oblige the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional confidentiality obligation. Upon request of the Contractor, the Customer shall immediately submit to the Contractor the obligation agreements with the third party. The Customer may not commission any competitor of the Contractor with the inspection.

  12. Contract duration and termination

12.1 The term of this contract corresponds to the term of the main contract.

12.2 The Customer may terminate the main contract in whole or in part without notice if the Contractor fails to fulfill its obligations under this contract, violates provisions of the GDPR intentionally or with gross negligence, or is unable or unwilling to carry out an instruction of the Customer. In the case of simple - i.e. neither intentional nor grossly negligent - violations, the Customer shall set the Contractor a reasonable deadline within which the Contractor can remedy the violation.

  13. Liability

13.1 The Contractor's liability under this Agreement for ordinary negligence is excluded. Insofar as third parties assert claims against the Contractor which have their cause in a culpable breach by the Client of this Agreement or of one of its obligations as a data protection officer, the Client shall indemnify the Contractor against such claims.

13.2 The Customer undertakes to indemnify the Contractor also against any fines imposed on the Contractor to the extent that the Customer bears a share of the responsibility for the violation sanctioned by the fine.

  14. Final provisions

14.1 If individual provisions of this Agreement are or become invalid or contain a loophole, this shall not affect the remaining provisions. The parties undertake to replace the invalid provision with a legally permissible provision that comes as close as possible to the purpose of the invalid provision and meets the requirements of Article 28 of the GDPR.

14.2 In case of contradictions between this Agreement and other agreements between the Parties, the provisions of this Agreement shall prevail.

...                                        ...
(place, date)                              (place, date)

...                                        ...
(Client's signature)                       (Contractor's signature)


Attachments:

Annex 1: Purpose, nature and scope of data processing, type of data and categories of data subjects

Purpose of data processing

The purpose of the data processing is to provide online training. In addition, the collection of personal data enables reporting to management, improvement of the support given to participants at the workplace, and the establishment of a company-wide standard.

Nature and scope of data processing

Storing and editing user data within the StrategyFrame training portal and providing online training.

Type of data

Login data (username and password), first and last name, language, validity period (from/to), salutation (male/female), group name, date, duration and status of access, comments, notes, likes of content, favorites, learning plan, SSO

Categories of persons concerned

Employees of the Client

Annex 2: Other processors

Company: Know How! AG

Address: Magellanstr. 1, 70771 Leinfelden-Echterdingen

Processing description: Provision of a so-called Workflow Learning Tool, with which the Contractor's offer is realized. The description of the processing activity in Annex 1 also applies to the sub-processor.

Annex 3: Technical and organizational measures

1. Confidentiality

1.1 Physical access control (premises)

  • Key regulation
  • Accompanying guests
  • Security locks

1.2 System access control (logon to systems)

  • Endpoint encryption
  • Blocking of unused accounts
  • Minimum 8 characters length
  • Minimum complexity
  • Regular change periods
  • Single passwords
  • Antivirus software
  • Regular updating of antivirus software
  • Firewall
  • Regular updating of the firewall
  • Automatic screen lock

1.3 Data access control (authorization within systems)

  • Authorization concept
  • Review granting and withdrawal of authorizations
  • Differentiated assignment of rights
  • Definition of user groups
  • Deletion of data carriers
  • Deletion of documents after retention period
  • Privacy container
  • Regular evaluation of the logs
  • Logging of accesses
  • Administrator access limited to the minimum necessary

1.4 Separation control

Measures are in place for the separate processing of data:

  • Separation at client level
  • Separate test and production systems

1.5 Pseudonymization

  • Yes, registration is possible with self-selected account name, which does not have to be related to the real name.

2. Integrity

2.1 Transfer control

  • TLS

2.2 Input control

  • Logging of accesses
  • Logging of inputs
  • Protection of log data against manipulation
  • Protection of log data against unauthorized viewing

3. Confidentiality and resilience

3.1 Availability control

  • Data backup concept
  • Encryption of the data backups
  • Backup strategy
  • Spam filter

4. Procedures for regular review, assessment and evaluation

4.1 Data protection management

  • Employees: Confidentiality obligation
  • Employee training on data protection
  • Data breach notification process
  • Data processing in the EU or EEA
  • Compliance with Art. 44 et seq. GDPR

5. Order control

  • Procedure for the selection of subcontractors
  • Written contracts (AVV, data processing agreements)

6. General requirements

  • Appointment of a data protection officer: Niklas Hanitsch, c/o secjur GmbH, Steinhöft 9, 20459 Hamburg, Germany, phone: +49 40 228 599 520, e-mail: dsb@secjur.com
  • Regular execution of updates
  • Deletion concept
  • Remote maintenance