Order Processing Agreement According to Art. 28 GDPR

1. Subject and Duration of the Contract


(1) Subject

The subject matter of the order is derived from the Software Agreement to which reference is made here (hereinafter referred to as the "Performance Agreement").

(2) Duration

The duration of this contract (term) is the duration of the service level agreement.

2. Specification of the Content of the Order


(1) Nature and purpose of the intended processing of data

The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the client and may only take place if the special conditions of Article 44 et seq. of Regulation (EU) 2016/679, the General Data Protection Regulation (DS-GVO), are fulfilled (in particular an adequate level of protection in the third country).

(2) Type of data

In particular, the following data types/categories are processed:

• Personal master data
• Communication data (e.g., telephone, e-mail)
• Contract master data (contractual relationship, product or contract interest)
• Customer history
• Contract settlement and payment data
• Planning and control data


(3) Categories of data subjects

The categories of data subjects include in particular:

• Customer
• Employees
• Suppliers
• Contact Person
• Owner

3. Correction, Restriction and Deletion of Data


(1) The contractor may not correct, delete or restrict the data processed under the order on his own authority, but only after a documented instruction (in writing or in text form, for example by e-mail) by the client. Insofar as a data subject addresses the contractor directly in this regard, the contractor will immediately forward this request to the client.

(2) Insofar as included in the scope of service, the deletion concept, the right to be forgotten, rectification, data portability and information are to be ensured by the contractor according to documented instructions (in writing or in text form, for example by e-mail) of the client.

4. Quality Assurance and Other Obligations of the Contractor


In addition to compliance with the provisions of this order, the contractor has statutory obligations under Art. 28 to 33 DS-GVO; in particular, it ensures compliance with the following requirements:

(1) The written appointment of a data protection officer who carries out his activity in accordance with Art. 38 and 39 DS-GVO.

(2) The contractor's data protection officer is Dr. med. Wilfried Röder, Institute for Applied Computer Science e. V. (InfAI) | InfAI Management GmbH, Goerdelerring 9, 04109 Leipzig, Phone: +49 341 229037 0, E-Mail: datenschutz@infai.org. A change of the data protection officer is to be communicated to the client immediately.

(3) The preservation of confidentiality under Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 DS-GVO. The contractor will use only employees who are committed to confidentiality and who have been previously familiarized with the data protection regulations that are relevant to them. The contractor and any person subordinated to the contractor who has access to personal data may process such data only in accordance with the instructions of the client, including the powers granted in this agreement unless they are required by law to process them.

(4) The implementation of and compliance with all technical and organizational measures required for this contract in accordance with Art. 28 para. 3 sentence 2 lit. c, 32 DS-GVO.

(5) The client and the contractor cooperate with the supervisory authority upon request in the performance of their duties.

(6) Immediate information to the client about control actions and measures of the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates, in the framework of an administrative offense or criminal procedure, the processing of personal data by the contractor during the processing of the contract.

(7) Insofar as the client himself is subject to an inspection by the supervisory authority, an administrative offense or criminal proceedings, a liability claim of a data subject or a third party, or any other claim in connection with order processing by the contractor, the contractor shall support him to the best of his ability.

(8) The contractor shall regularly review the internal processes and the technical and organizational measures to ensure that the processing in his area of responsibility complies with the requirements of applicable data protection law and that the protection of the data subject's rights is ensured.

(9) Verifiability of the technical and organizational measures with respect to the client within the scope of his control powers according to Section 6 of this agreement.

5. Subcontracting


(1) For the purposes of this regulation, subcontracting means such services which directly relate to the provision of the main service. This does not include ancillary services provided by the contractor, e.g. telecommunications services, postal / transport services, maintenance and user support, or the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing facilities. However, the contractor is obliged to conclude appropriate and legally compliant contractual agreements and to take control measures in order to ensure data protection and data security of the client's data, even for outsourced ancillary services.

(2) The contractor may commission subcontractors (other processors) only after prior express written consent (in writing or in text form, for example by e-mail) from the client. The prerequisite is always that subcontracting is based on a contractual agreement in accordance with Art. 28 para. 2-4 DS-GVO.

(3) The transfer of the client's personal data to the subcontractor, and the subcontractor's commencement of work, shall only be permitted once all conditions for subcontracting have been met.

(4) If the subcontractor provides the agreed service outside the EU / EEA, the contractor shall ensure that data protection law is complied with by taking appropriate measures. The same applies if service providers within the meaning of para. 1 sentence 2 are to be used.

(5) Further outsourcing by the subcontractor requires the express written consent (in writing or in text form, for example by e-mail) of the client. The contractor shall ensure that all contractual provisions in the contract chain are also imposed on the additional subcontractor and, if so requested, prove this to the client.

6. Control Rights of the Client


(1) The client has the right to carry out inspections in consultation with the contractor or to have them carried out by examiners to be named in individual cases. He shall have the right to satisfy himself of the contractor's compliance with this agreement in the contractor's business premises by means of spot checks, which must as a rule be announced in advance.

(2) The contractor shall ensure that the client can satisfy himself of the compliance with the obligations of the contractor in accordance with Art. 28 DS-GVO. The contractor undertakes to provide the client with the necessary information upon request and, in particular, to prove the implementation of the technical and organizational measures.

(3) The proof of such measures, which do not concern only the concrete order, can be carried out by:

• Compliance with approved codes of conduct pursuant to Art. 40 DS-GVO;
• The certification according to an approved certification procedure according to Art. 42 DS-GVO;
• Up-to-date certificates, reports or extracts from independent bodies (e.g. financial auditors, internal auditors, data protection officers, IT security departments, privacy auditors, quality auditors);
• Appropriate certification through an IT security or data protection audit (e.g. BSI-Grundschutz).

(4) The contracting parties may agree in writing on a compensation claim of the contractor for the provision of controls by the client.

7. Notification in Case of Violations of the Contractor


(1) The contractor shall assist the client in complying with the obligations on the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as referred to in Articles 32 to 36 of the GDPR. These include, among others:

• a) ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing, as well as the predicted likelihood and severity of a possible breach of security due to security vulnerabilities, and that enable the immediate detection of relevant breach events;
• b) the obligation to report personal data breaches to the client immediately;
• c) the obligation to assist the client in providing information to the data subject, and to provide the client with all relevant information immediately;
• d) supporting the client in its data protection impact assessment;
• e) assisting the client in the context of prior consultations with the supervisory authority.

(2) The contracting parties may agree in writing on a compensation claim of the contractor for support services which are not included in the service description or which are not attributable to a wrongdoing of the contractor.

8. Authorization of the Client


(1) Verbal instructions shall be confirmed immediately by the client in a documented manner (in writing or in text form, for example by e-mail).

(2) The contractor must inform the client immediately if he believes that an instruction violates data protection regulations. The contractor is entitled to suspend the execution of the corresponding instruction until it has been confirmed or changed by the client.

9. Deletion and Return of Personal Data


(1) Copies or duplicates of the data are not created without the knowledge of the client. This does not include backup copies, to the extent necessary to ensure proper data processing, and data required to comply with statutory retention requirements.

(2) After the conclusion of the contractually agreed work, or sooner upon request by the client, and at the latest upon termination of the service agreement, the contractor shall hand over to the client all documents, processing results and utilization results as well as data sets which are related to the contractual relationship, or shall destroy them, with the client's prior consent, in a manner compliant with data protection. The same applies to test and scrap material. The log of the deletion must be submitted on request.

(3) Documentation serving as proof of orderly and proper data processing shall be kept by the contractor according to the respective retention periods beyond the end of the contractual relationship. He may hand it over to the client at the end of the contractual relationship to discharge his obligations.

10. Liability and Right to Compensation


(1) The client and the contractor are liable to the persons concerned and to each other in accordance with the provisions of Art. 82 DS-GVO.

(2) If a data subject asserts claims against the client under Art. 82 DS-GVO, the contractor undertakes to assist the client in defending the claims to the best of his ability. The contracting parties may agree in writing on a compensation claim of the contractor for this support.