
Data Processing Agreement (DPA)

Between

Genz IT Solutions GmbH
Brückengasse 1b
78462 Konstanz
Germany

- hereinafter referred to as the "Processor" -


and

Name and address of the contract partner

- hereinafter referred to as the "Customer" -

- both hereinafter referred to as "the Parties" -

All terms are gender-neutral.

the following DPA is concluded:

Preamble and Scope of Application

The Processor is commissioned by the Customer to process personal data on behalf of the Customer. The DPA specifies this processing with regard to its object and the rights and obligations between the Contracting Parties arising from the Processing.

1. Terms and Definitions

  1. "Processing" - Pursuant to Article 4 (8) GDPR, "Processing" is understood to mean the processing of personal data as defined in Article 4 (2) GDPR carried out on behalf of the Controller, irrespective of the number of intermediary processors, by the Processor in accordance with the subject-matter of this DPA.
  2. "Principal Agreement" - The term "Principal Agreement" covers all types of ongoing business relations between the Customer and the Processor, under which the Processor processes personal data at the instruction of the Customer in accordance with the definition of the subject of the Processing in this DPA. Insofar as the validity of this DPA is otherwise limited (i.e. within this agreement or outside it, in other agreements or regulations) to certain types, categories or specific business relationships, contracts, etc., these are each to be understood as the Principal Agreement. The definition of the Principal Agreement also includes ongoing individual assignments by the Customer to the Processor, which are issued by the Customer within the scope of the Principal Agreement (e.g. in the case of framework contracts).
  3. "Controller" - "Controller" is anyone who alone or jointly with others determines the purposes and means of processing (Article 4 (7) GDPR).
  4. "Personal Data" - In accordance with Article 4 (1) GDPR, "personal data" (hereinafter also referred to briefly as "data") is all information relating to an identified or identifiable natural person ("data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
  5. "Data subjects" - In accordance with Article 4 (1) GDPR, "data subjects" are defined as persons who are at least identifiable by means of personal data. The data subjects concerned by this Processing are determined by the subject-matter of the Processing.
  6. "Third party" - "Third party" means according to Article 4 (10) GDPR a natural or legal person, public authority, agency or body other than the data subject, controller, processor and persons who, under the direct authority of the controller or processor, are authorised to process personal data.
  7. "Sub-processing" - When a processor is not directly appointed by the Controller but by a processor who is the first processor appointed by the Controller, a "sub-processing" is present and the processors following the first processor are referred to as "sub-processors".
  8. "Electronic format" - Declarations are deemed to have been made in "electronic format" in accordance with Article 28 (9) GDPR if the declaring person is identifiable and the electronic declaration format is suitable as proof of the declaration. "Electronic format" means in particular text form, an agreement stored on permanent data carriers (e.g. e-mail), digital signing procedures or the use of dedicated online functions (e.g. in user accounts).

2. Subject-Matter of the Processing

The detailed information on the subject-matter of the Processing, the Data processed, the data subjects and the nature, scope and purposes of the Processing is governed by the provisions of the Annex "Subject-Matter of the Processing".

3. Type of Processing

Insofar as the Customer acts as the Controller of the Processing, it shall be responsible within the scope of this DPA for compliance with the provisions of the data protection laws, in particular for the legality of the Data Processing as well as for the legality of the assignment of the Processor. Insofar as the Customer itself acts as a processor, the Customer shall commission the Processor as a sub-processor. The controller of the processing may, on the basis of this DPA, directly invoke the rights to which the Customer is entitled against the sub-processor.

4. Authority to issue instructions

  1. The Processor may process Data only within the scope of the Principal Agreement and of the Customer's instructions and only insofar as Processing within the scope of the Principal Agreement is necessary.
  2. The instructions are initially set out in the Principal Agreement or this DPA and may subsequently be amended, supplemented or replaced by the Customer by issuing further instructions in writing or in an electronic format (text form, e.g. e-mail) to the Processor or to the entity designated by the Processor.
  3. Oral instructions may be given if they are required by the circumstances (e.g. urgency) and must be confirmed immediately in writing or in electronic form.
  4. If, on the basis of objective circumstances, the Processor considers that an instruction of the Customer is contrary to relevant data protection law, the Processor shall without delay inform the Customer thereof and provide objective reasons for his/her opinion. In this case, the Processor shall be entitled to suspend the execution of the instruction until the Customer expressly confirms the instruction and to refuse to execute the instruction in the case of obviously illegal instructions.
  5. The Processor may be obliged to carry out processing operations or to communicate information by Union or Member State law and by administrative and judicial measures to which the Customer is subject. In such a case, the Processor shall communicate the legal requirements of the overriding legal obligation to the Customer prior to the processing, unless the law or order in question prohibits such communication on the grounds of an important public interest; in the event of a prohibition on communication, the Processor shall take possible and reasonable measures to prevent or restrict the legally overriding Processing.

5. Technical and Organisational Measures (Safety and Security Concept)

  1. The Processor shall structure the internal organisation in his area of responsibility in accordance with the legal requirements and shall in particular implement technical and organisational measures (hereinafter referred to as "TOMs") for appropriate security, in particular the confidentiality, integrity and availability of the Customer's Data, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the Processing as well as the varying probability of occurrence and severity of the risk to the rights and freedoms of the persons concerned, and shall ensure that these measures are maintained, in particular by means of regular evaluation, at least once a year. With regard to the protection of the Data, the TOMs include in particular physical and logical access control, transfer control, input control, order control, integrity and availability control, separation control and the safeguarding of the rights of the Data Subjects.
  2. The TOMs declared by the Processor upon conclusion of the contract define the minimum security level guaranteed by the Processor. The TOMs may and should be further developed in accordance with technical and legal progress and replaced by adequate protective measures, provided that they do not fall below the safety level of the defined measures and that any substantial changes are notified to the Customer. The description of the measures must be so detailed that a competent third party can at all times see beyond doubt that the required legal data protection level and the defined minimum security level are not undercut.
  3. The Processor shall ensure that the employees, agents and other persons acting on behalf of the Processor are prohibited from processing the Data outside the scope of the instructions. The Processor shall further ensure that the persons authorised to process the Customer's Data have been instructed in the data protection provisions of law and of this DPA and have been bound to confidentiality and secrecy or are subject to a corresponding and appropriate legal obligation of secrecy. The Processor shall ensure that the persons employed for the Processing are appropriately instructed and supervised on an ongoing basis with regard to the fulfilment of the data protection requirements.
  4. The processing of the Data outside of the premises of the Processor (e.g. in the home or mobile office or in case of remote access) is permitted, provided that the necessary technical and organisational measures are taken and documented, which take into account the specifics of these processing situations in an appropriate manner and in particular also allow sufficient control of the Data processing (e.g. conclusion of a data protection agreement with employees in the home and mobile office). The Processor shall provide the Customer with documentation of the implemented technical and organisational measures for such home, mobile or other remote processing upon request.
  5. If required by law, the processor shall appoint a data protection officer in accordance with the legal requirements. The Processor shall inform the Customer of the contact details of the data protection officer and of any subsequent changes.
  6. The Data and data carriers and all copies made thereof, which are provided within the scope of the DPA, remain the property or ownership of the Customer, are subject to the Customer's control, must be carefully safeguarded by the Processor, protected from access by unauthorized third parties and may only be deleted, erased or disposed with the Customer's consent. Destruction must be carried out in accordance with data protection regulations and in such a way that a recovery of even residual information is no longer possible and cannot be expected with reasonable effort. Copies of data may only be made if they are necessary for the fulfilment of the principal and secondary obligations of the Processor towards the Customer (e.g. backups) and the contractual and statutory data protection level is guaranteed.
  7. The Processor shall be obliged to ensure the immediate return or deletion of the Data and data carriers, including those held by sub-processors, in accordance with this DPA.
  8. The Processor shall keep evidence of the destruction or deletion of Data and files properly performed within the scope of this DPA and shall make it available to the Customer upon request.
  9. The right of retention is excluded with regard to the Data processed and the associated data carriers.
  10. The Processor shall provide regular proof, to an appropriate extent, of the fulfilment of his/her obligations, in particular the full implementation of the agreed technical and organisational measures and their effectiveness (e.g. by regular checks, inspections, etc.). The proof is to be provided to the Customer upon request. The proof can be provided by approved rules of conduct or an approved certification procedure.
  11. If the security measures taken do not or no longer meet the requirements of the Customer or the statutory requirements, the Processor shall notify the Customer immediately.
  12. The technical and organizational measures already existing at the conclusion of this DPA are listed by the Processor in the Annex "Technical and Organizational Measures" and accepted by the Customer.

6. Information and cooperation obligations of the processor

  1. The Processor may only provide information to third parties or the data subjects with the prior approval of the Customer. If a data subject contacts the Processor and asserts his or her rights as data subject (in particular rights of access or rectification or deletion of personal data), the Processor shall refer the data subject to the Customer, provided that, according to the data subject, an attribution to the Customer is possible. The Processor shall immediately forward the request of the data subject to the Customer and shall support the Customer within the scope of reasonableness and possibility. The Processor shall not be liable if the request of the data subject is not answered, not answered correctly or not answered in time by the Customer, unless the Processor is responsible for this shortcoming.
  2. The Processor shall immediately and fully inform the Customer if, with regard to the Processing, the Processor discovers errors or irregularities in the compliance with the requirements of this DPA and/or relevant data protection provisions. The Processor shall take the necessary measures to secure the Data and to mitigate any adverse consequences for the data subjects and shall consult with the Customer without delay.
  3. The Processor shall inform the Customer without delay if a supervisory authority takes action against the Processor and its activities may affect the Data processed for the Customer. The Processor shall support the Customer in the fulfilment of his/her obligations (in particular to provide information and allow inspections) with regard to supervisory authorities.
  4. Should the security of the Data be endangered (seizure, confiscation, insolvency proceedings, etc.) by measures taken by third parties (e.g. creditors, authorities, courts, etc.), the Processor shall inform the third parties without delay that the sovereignty and ownership of the Data lies exclusively with the Customer and, after consultation with the Customer, shall take appropriate protective measures (e.g. lodge objections, applications, etc.) if necessary.
  5. The Processor shall provide the Customer with information relating to the Processing which is necessary for the fulfilment of the Customer's legal obligations (which may include, in particular, requests from data subjects or authorities and compliance with the Customer's accountability obligations of a data protection impact assessment) and shall assist the Customer in complying with the obligations set out in Articles 32-36 GDPR.
  6. The obligations of the Processor to provide certain information shall initially extend to information available to the Processor, his/her employees and agents. The information need not be obtained from third sources if the procurement by the Customer could be carried out within reasonable limits and no other agreement has been made.

7. Measures in the Event of a threat to Data Protection or Data Breach

  1. In the event that the Processor becomes aware of facts which give rise to the assumption that the protection of the processed Data may have been breached within the meaning of Article 4 (12) GDPR, the Processor shall inform the Customer without delay and in full, take the necessary protective measures without delay, and assist the Customer in the performance of the Customer's obligations, in particular in relation to the notification of competent authorities or data subjects.
  2. Information about a (possible) violation of the protection of the Data must be provided without undue delay, in general within 24 hours from the time of obtaining knowledge.
  3. The notification from the Processor must, in accordance with Article 33 (3) GDPR, contain at least the following information:
    • a description of the nature of the data breach or threat, specifying, where possible, the categories of data concerned and the approximate number of persons and personal data records concerned;
    • the name and contact details of the data protection officer or any other known contact point for further information;
    • a description of the likely consequences of the data breach or threat (e.g. with further details: identity theft, financial loss, etc.);
    • a description of the measures taken or proposed by the Processor to remedy the data breach and, where appropriate, measures to mitigate its possible adverse effects.
  4. Also to be reported immediately are significant disruptions, failures or troubles in the Processing as well as violations of data protection regulations or of this DPA by the Processor or the Processor's employees or agents.

8. Audits and Inspections

  1. The Customer has the right to verify compliance with the legal requirements and the provisions of this DPA, in particular the TOMs, at the Processor's premises at any time to the necessary extent, either itself or through third parties, and to carry out the necessary audits, including inspections.
  2. The Processor shall support the Customer in the audits and inspections to the extent necessary (e.g. by providing personnel and granting access and access rights).
  3. On-site inspections shall be carried out within normal business hours and shall be announced by the Customer within a reasonable period of time (at least 14 days). In emergencies, i.e. if waiting would endanger the rights of data subjects and/or the Customer to an unreasonable extent, an appropriately shorter period may be chosen. In the opposite case, a longer period may be necessary (e.g. if extensive preparations have to be made or during holiday periods). Deviations from the notice period must be justified by the Contracting Party requesting them.
  4. The audits are limited to the necessary scope and must take into account the business and trade secrets of the Processor and the protection of personal data of third parties (e.g. other customers or employees of the Processor). Any interruptions to operations that are preventable must be avoided. Insofar as sufficient for the reason and purpose of the audit, an audit shall be limited to spot checks.
  5. Only qualified personnel who are able to prove their identity and who are obliged to maintain confidentiality and secrecy with regard to the company and business secrets, other personal data and internal processes of the Processor are permitted to carry out the audit. The Processor may request proof of an appropriate commitment of the auditors. If the auditor appointed by the Customer is in a competitive relationship with the Processor or if there is any other justified reason for his/her refusal, the Processor shall have the right to object to the appointment of the auditor.
  6. Instead of audits and on-site inspections, the Processor may refer the Customer to an equivalent audit by independent third parties (e.g. neutral data protection auditors), compliance with approved rules of conduct (Article 40 GDPR) or appropriate data protection or IT security certifications pursuant to Article 42 GDPR. This shall only apply if the reference is reasonable for the Customer and the nature and scope of the audit and references correspond to the nature and scope of the Customer's legitimate audit and inspection intentions. The Processor shall immediately notify the Customer of the exclusion from approved rules of conduct pursuant to Article 41 (4) GDPR, the revocation of a certification pursuant to Article 42 (7) GDPR and any other form of revocation or substantial modification of the above-mentioned proofs.
  7. As a rule, the Customer does not exercise his/her right of audit more frequently than every 12 months, unless a specific reason (in particular a violation of data protection, a security incident or the result of another audit) makes it necessary to carry out audits before the end of this period.

9. Sub-Processing

  1. Without prejudice to any restrictions imposed by the Principal Agreement, the Customer expressly agrees that the Processor may use sub-processors in the context of the Processing. The Processor shall inform the Customer of any new sub-processors within a reasonable period of time, which shall normally be 14 working days, and shall give the Customer the opportunity to reasonably inspect the sub-processors before using them and to object to the use of sub-processors if the Customer has a legitimate interest. If the Customer does not raise an objection within the aforementioned period, the authorisation shall be deemed to have been granted. The Customer shall exercise the right to object to the changes only in accordance with the principles of good faith and of reasonableness and fairness.
  2. If the Processor uses the services of a sub-processor (e.g. a subcontractor) in order to carry out certain Processing activities on behalf of the Customer, it must impose on the sub-processor, by means of a contract or any other legal instrument permitted by law, the same data protection obligations as those to which the Processor has committed him/herself in this DPA (in particular as regards following instructions, complying with the TOMs, providing information and allowing audits).
  3. The sub-processor shall be carefully selected by the Processor, having particular regard to the suitability and reliability of the sub-processor to comply with the obligations under this DPA for Processing and the adequacy of the TOMs implemented by the sub-processor.
  4. The Processor shall be required to document the verification of the reliability of sub-processors and the legality of their assignment and to submit it to the Customer on request.
  5. The Processor shall audit compliance with the obligations of the sub-processors, in particular the TOMs, on a regular basis and at least every 12 months, to an appropriate extent. The audit and its results shall be documented in a manner that is comprehensible to a competent third party. The documentation shall be presented to the Customer on request. Instead of his/her own audit, the Processor may refer to an audit by independent third parties (e.g. neutral data protection auditors), compliance with approved rules of conduct (Article 40 GDPR) or suitable data protection or IT security certifications in accordance with Article 42 GDPR. The Processor shall immediately notify the Customer of the exclusion from approved rules of conduct pursuant to Article 41 (4) GDPR, the revocation of a certification pursuant to Article 42 (7) GDPR and any other form of revocation or substantial modification of the above-mentioned proofs.
  6. The responsibilities for performing the obligations under this DPA and under the law must be clearly defined and allocated between the processor and the sub-processor.
  7. The Customer must be able to exercise effectively his/her rights towards the Processor, also towards the sub-processor. In particular, the Customer must be entitled to carry out audits on sub-processors at any time to the extent laid down in this DPA.
  8. The Processor shall be liable to the Customer in the event that the sub-processor fails to comply with his/her data protection duties.
  9. Processing of personal data which is not directly related to the provision of the main contractual obligation and where the Processor uses the assistance of third parties as a mere ancillary service in order to carry out its business activity (e.g. cleaning, security, maintenance, telecommunications or transport services) does not constitute sub-processing within the meaning of the above provisions of this DPA. Nevertheless, the Processor shall ensure, e.g. by contractual agreements or notices and instructions, that the security of the Data is not endangered and that the provisions of this DPA and the data protection regulations are observed.
  10. Sub-processing relationships of which the Customer was notified at the time of the conclusion of this DPA shall be deemed approved to the extent of the notification and subject to the provisions of this DPA on sub-processing.
  11. The sub-processing relationships already in existence at the time of the conclusion of this DPA are listed by the Processor in the Annex "Sub-Processors" and updated by the Processor.
  12. The current list of sub-processors is available at the following web address: https://capawesome.io/subprocessors/

10. Spatial Area of the Processing

  1. Processing may take place in third countries provided that the special conditions laid down in Article 44 et seq. GDPR are fulfilled, i.e. in particular a) the EU Commission has established an adequate level of data protection; or b) on the basis of so-called Standard Contractual Clauses (SCC); or c) on the basis of binding corporate rules.
  2. The authorisation of sub-processing relationships by the Customer within the scope of this DPA shall also extend to the spatial area of the Processing.
  3. Processing in a country other than those referred to in the preceding paragraphs, including by sub-processors, shall be subject to the prior consent of the Customer.

11. Obligations of the Customer

  1. The Customer must inform the Processor without delay and in full if he/she discovers errors or irregularities in the Processing results, instructions or processing procedures with regard to data protection regulations.
  2. In the event of a claim against the Processor by data subjects, third parties, bodies or authorities with regard to possible entitlements arising from the processing of the Data within the scope of this DPA, the Customer undertakes to support the Processor in the defence of the claim within the scope of its possibilities and taking into account the degree of fault of the Contracting Parties.

12. Liability

The statutory liability provisions apply, in particular Article 82 GDPR and, in the case of the use of a sub-processor, Article 28 (4) sentence 2 GDPR.

13. Term, Continuation after Termination of the DPA and Deletion of Data

  1. This DPA becomes effective upon its signature or conclusion in an electronic format.
  2. The DPA may be terminated by either Contractual Party by giving three months' notice.
  3. The right of extraordinary termination is reserved to the Contractual Parties, in particular in the event of a serious breach of the obligations and specifications of this DPA and the applicable data protection law. A serious breach shall be deemed to have occurred in particular if the Processor fails or has failed to perform to a considerable extent the duties specified in the DPA and the agreed technical and organisational measures.
  4. In the case of non-material breaches of duty, the termination for good cause must be preceded by a warning notice of the breaches with a reasonable period of notice to remedy them, whereby the warning notice is not required if it is not to be expected that the breaches complained of will be remedied or if they are so substantial that the terminating Contractual Party cannot reasonably be expected to adhere to the DPA.
  5. The termination of the Agreement, as well as the termination of this clause must be made at least in electronic format.
  6. Upon completion of the Processing under this DPA, the Processor shall, at the Customer's discretion, either destroy or return all Data and copies thereof (as well as all documents, processing and usage results and data files coming into its possession in connection with the contractual relationship), unless there is a legal obligation to store the Data, in which case the Processor shall inform the Customer of the obligation and its scope, unless the Customer can be expected to be aware of the obligation. The destruction or deletion must be carried out in accordance with data protection regulations and in such a way that a recovery of even residual information is no longer possible or cannot be expected with reasonable effort. The objection of a right of retention is excluded with regard to the processed Data and the associated data carriers. With regard to the deletion or return, the rights of the Customer to information, proof and audit apply in accordance with this DPA.
  7. The obligations to protect confidential information arising from the DPA shall continue to apply after the end of the DPA, provided that the Processor continues to process the Personal Data covered by the DPA and that compliance with the obligations can reasonably be expected of the Processor even after the end of the DPA.

14. Final Provisions

  1. The legal relations between the Customer and the Processor shall be governed exclusively by the laws of the Federal Republic of Germany.
  2. The exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA shall be the residential domicile or the (registered) office of the Processor, insofar as applicable law permits this, if the Customer is a merchant, a legal entity under public law or a special fund under public law, or if the Customer has no place of jurisdiction within the jurisdiction of the applicable law. The Processor reserves the right to assert claims at the statutory place of jurisdiction.
  3. The DPA constitutes the entire agreement concluded between the Contractual Parties. There are no additional agreements.
  4. With the conclusion of this DPA, all previous contracts, if any, concluded between the parties to this contract and which regulate the Processing of the Data on behalf of the Customer are revoked, if and insofar as they relate to the same subject-matter of this DPA and if and insofar as the parties have not expressly agreed otherwise in writing.
  5. Amendments and additions to this DPA, as well as the termination of this clause must be made at least in electronic format.
  6. In the event of a conflict with the Principal Agreement, the DPA shall take precedence.
  7. Should one or more provisions of this DPA be invalid or unenforceable, this shall not affect the validity of the remaining provisions. Rather, the invalid provisions shall be replaced by way of a supplementary interpretation by such a provision which comes as close as possible to the economic purpose visibly pursued by the parties with the invalid provision(s). If the above-mentioned supplementary interpretation is not possible due to legally binding requirements, the Contracting Parties shall agree on a corresponding provision.

The DPA is concluded in electronic format and is effective without the signatures of the parties.

15. Annex: Subject-Matter of the Processing

The following information on the nature and purposes of the Processing, the nature of the Data and the categories of Data Subjects determine the subject matter of the Processing governed by the DPA. Changes to the subject-matter of the Processing and other procedural changes must be jointly agreed between the Contracting Parties and must be documented.

Purposes of Processing

Personal data of the Customer shall be processed on the basis of this Data Processing Agreement for the following purposes:

  1. Software-as-a-Service (SaaS).
  2. Services in the field of software development and / or maintenance.
  3. Web and Cloud Hosting.

Types and Categories of Data

The types and categories of personal data processed on the basis of this DPA include:

  1. Master/inventory data.
  2. Contact information.
  3. Contract details.
  4. Payment data and billing data.
  5. Log data.
  6. Telemetry data.

Categories of Data Subjects

The categories of data subjects affected by the processing of personal data on the basis of this DPA include:

  1. Website visitors.
  2. Software users.
  3. Business customers.
  4. Business partners.

Sources of the Processed Data

The data processed on the basis of this DPA are collected or otherwise received from the sources or within the framework of the procedures mentioned below:

  1. Collection from data subjects.
  2. Inputs or information provided by the Customer.
  3. Collection in the context of the use of software, websites and other online services.
  4. Collection via interfaces to services of other providers.
  5. Reception by means of transmission or other communication by or on behalf of the Customer.

Annex: Technical and Organisational Measures (TOMs)

An adequate level of protection is ensured for the Processing and the Data processed, which is appropriate to the risks for the interests or fundamental rights and freedoms of data subjects concerned. To this end, especially the protection objectives of confidentiality, integrity and availability of the systems and services and their resilience with respect to the nature, extent, circumstances and purposes of the Processing shall be taken into account in such a way that the risk is mitigated on a lasting basis by appropriate technical and organisational remedial measures.

Organisational Measures

Organisational measures have been taken to ensure an adequate level of data protection and its maintenance.

  1. The Processor has implemented an appropriate data protection management system (also referred to as data protection concept) and ensures its implementation.
  2. A suitable organizational structure for data security and data protection is in place and information security is integrated into company-wide processes and procedures.
  3. System and security tests, such as code scans and penetration tests, are carried out regularly and also without specific cause.
  4. The development of the state of the art as well as new developments, threats and security measures are continuously monitored and incorporated in a suitable manner into the Processor's own security concept.
  5. An adequate procedure is in place to ensure that the rights of data subjects are respected (in particular as regards access, rectification, erasure or restriction of processing, data portability, revocations and objections). The procedure includes informing employees of their duties to inform the Customer, setting up implementation procedures and designating people responsible, as well as regular monitoring and evaluation of the measures taken.
  6. An adequate procedure is in place to ensure an immediate and legally compliant response to threats and violations of data protection. The procedure includes informing employees of their duties to inform the Customer, setting up implementation procedures and designating people responsible, as well as regular monitoring and evaluation of the measures taken.
  7. Security incidents are consistently documented, even if they do not lead to an external notification (e.g. to the supervisory authority or affected persons) (so-called "security reporting").
  8. Service providers who are engaged to perform ancillary tasks (maintenance, security, transport and cleaning services, freelancers, etc.) are carefully selected and it is ensured that they respect the protection of personal data. If the service providers are given access to the Data processed for the Customer in the course of their activities, or if there is any other risk of access to the personal data, they are specifically bound to secrecy and confidentiality.
  9. The protection of personal data shall be taken into account already at the stage of development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by using privacy-friendly default settings, having regard to the state of the art, implementation costs and the nature, scope, context and purposes of the Processing, as well as the varying likelihood and severity of risks for the rights and freedoms of natural persons posed by the Processing.
  10. Software and hardware used shall always be kept up to date, and software updates shall be carried out without delay within a reasonable period of time in consideration of the degree of risk and any need for review. No software or hardware is used which is no longer updated by its providers or makers with regard to data protection and data security issues (e.g. expired operating systems).
  11. Standard software and corresponding updates are only obtained from trusted sources.
  12. An erasure, deletion and disposal concept corresponding to the data protection requirements of the Processing and the state of the art is in place. The physical destruction of documents and data carriers is carried out in compliance with data protection regulations and in accordance with legal requirements, industry standards and state-of-the-art industry norms (e.g. DIN 66399). Employees have been informed about legal requirements, deletion periods and, where applicable, about specifications for data deletion or equipment destruction by appropriate service providers.
  13. The Processing of the Customer's Data that has not been deleted in accordance with the agreements of this DPA (e.g. as a result of statutory archiving obligations) shall be restricted to the extent necessary by restriction flags and/or segregation.

Data Protection at Employee Level

Measures have been taken to ensure that employees involved in the processing of personal data have the necessary expertise and reliability required by data protection law.

  1. Employees are bound to confidentiality and secrecy with regard to data protection.
  2. The keys, access cards or codes issued to employees, as well as authorisations granted with regard to the processing of the Data, shall be collected or revoked after they leave the services of the Processor or after the change of their responsibilities.
  3. Employees are obliged to leave their working environment tidy and thus in particular to prevent access to documents or data carriers containing personal data (Clean Desk Policy).

Physical Access Control

Physical access control measures have been taken to prevent unauthorised persons from physically approaching the systems, data processing equipment or procedures by which the Data are processed.

  1. With the exception of the workstation computers and mobile devices, no data processing systems are maintained on the Processor's own business premises. The client's data is stored with external server providers in compliance with the requirements for Processing.
  2. Employees are required to lock or specially secure equipment when they leave their work environment or the equipment.
  3. Records (files, documents, etc.) are stored in a secure manner, e.g. in filing cabinets or other adequately secured containers, and are adequately protected against physical access by unauthorised persons.
  4. Data carriers are stored securely and adequately protected against access by unauthorised persons.

Electronic Access Control

Electronic access control measures have been put in place to ensure that access by unauthorised persons to systems, data processing equipment or procedures is prevented; "access" here already includes the mere possibility of exploitation, use or observation.

  1. A password concept specifies that passwords must have a minimum length and complexity in line with the state of the art and security requirements.
  2. All data processing systems are password protected.
  3. Passwords are generally not stored in plain text and are only transmitted hashed or encrypted.
  4. A password management software is used.
  5. A two-factor authentication is used for the access to Data of the Customer.
  6. Access credentials are deleted or deactivated when their users have left the company or organization of the Processor.
  7. Up-to-date anti-virus software is used.
  8. Software firewall(s) are used.
  9. Backups are stored in encrypted form.

Internal Access Control (permissions for user rights of access to and amendment of data)

Internal access control measures have been put in place to ensure that persons authorised to use a data processing system can only access the Data covered by their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during the Processing. Furthermore, input control measures have been taken to ensure that it is possible to subsequently check and establish whether and by whom the Data have been input, modified, removed or otherwise processed in data processing systems.

  1. A rights and roles concept (authorisation concept) ensures that access to personal data is only possible for a group of people selected according to necessity and only to the extent necessary.
  2. The rights and roles concept (authorisation concept) is evaluated regularly, within a reasonable time frequency and when required by an occasion (e.g. violations of access restrictions), and updated as necessary.

Transmission Control

Measures have been taken to control the transmission of the Data to ensure that the Data cannot be read, copied, modified or deleted by unauthorised persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment.

  1. When accessing internal systems from outside (e.g. for remote maintenance), encrypted transmission technologies are used (e.g. VPN).
  2. E-mails are encrypted in transit, which means that they are protected against being read by someone with access to the networks through which they travel on their way from the sender to the destination.
  3. The transmission and processing of the client's personal data via online offers (websites, apps, etc.) is protected by TLS or equivalent secure encryption.

Adherence to Instructions, Purpose Limitation and Separation Control

Measures have been taken to ensure that Data processed on behalf of the Customer are only processed in accordance with the instructions of the Customer. The measures ensure that the Data collected for different purposes are processed separately and that there is no merging, combining or other combined processing of the Data contrary to the instructions.

  1. Careful selection of sub-processors and other service providers.
  2. Production and test data are stored strictly separately from each other in different systems. The production systems are operated separately and independently of the development and test systems.

Ensuring the integrity and availability of data as well as the resilience of processing systems

Measures have been taken to ensure that personal data are protected against accidental destruction or loss and can be quickly restored in an emergency.

  1. Fail-safe server systems and services are used, which are designed as redundant dual or multiple systems.
  2. The Data is stored with external hosting providers. The hosting providers are carefully selected and comply with the state of the art in terms of protection against damage caused by fire, moisture, power failures, disasters, unauthorized access, data backup and patch management as well as facility security.
  3. The server systems used for processing have protection against Denial of Service (DoS) attacks.
  4. Server systems and services are used which have an appropriate, reliable and controlled backup & recovery concept.
  5. Recovery tests are carried out regularly at appropriate intervals to check that the backups can actually be restored (data integrity of the backups).