Order pursuant to Art. 28 GDPR
Agreement
between
faktoora GmbH
Amselweg 1
89231 Neu-Ulm
- Contractor -
and
- Client -
1. General information
(1) The Contractor processes personal data on behalf of the Client within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR). This contract governs the rights and obligations of the parties in connection with the processing of personal data.
(2) Insofar as the term “data processing” or “processing” (of data) is used in this contract, the definition of “processing” within the meaning of Art. 4 No. 2 GDPR shall apply.
2. Object and duration of the order
The subject matter and duration of the order are determined in full by the information provided in the respective contractual relationship. The contractor processes personal data for the client within the meaning of Art. 4 No. 2 and Art. 28 GDPR on the basis of this contract.
3. Scope, type and purpose of the collection, processing or use of data
The scope, nature and purpose of any collection, processing or use of personal data, the type of data and the group of data subjects are set out in Annex 1, insofar as this does not result from the contractual content of the contractual relationships described in section 1.
The provision of the contractually agreed data processing shall take place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.
4. Technical and organisational measures in accordance with Art. 32 GDPR (Art. 28 para. 3 sentence 2 lit. c GDPR)
(1) The Contractor shall document the implementation of the technical and organisational measures set out and required prior to the award of the contract before the start of processing, in particular with regard to the specific execution of the contract, and submit them to the Client for review (see Annex 2). If accepted by the client, the documented measures shall form the basis of the contract.
(2) The Contractor shall establish security in accordance with Art. 28 para. 3 sentence 2 lit. c, 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR must be taken into account.
(3) The technical and organisational measures are subject to technical progress and further development. In this respect, the Contractor shall be permitted to implement alternative adequate measures. In doing so, the security level of the specified measures may not be undercut. Significant changes must be documented.
5. Correction, blocking and deletion of data
(1) The Contractor may not delete or restrict the processing of data processed on behalf of the Client without authorisation. If a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Client without delay.
(2) If included in the scope of services, the erasure concept, right to be forgotten, rectification, data portability and information shall be ensured directly by the Contractor in accordance with the documented instructions of the Client.
6. Quality assurance and other obligations of the contractor
In addition to complying with the provisions of this contract, the Contractor has legal obligations pursuant to Art. 28 to 33 GDPR; in this respect, the Contractor guarantees compliance with the following requirements in particular:
• Mr Dominik Fünkner has been appointed data protection officer at the contractor. Contact details:
PROLIANCE GmbH
Leopoldstr. 21
80802 Munich
dsb@datenschutzexperte.de
Phone: +49 89 2500 392 20
• The client must be informed immediately of any change of data protection officer. The data protection officer’s current contact details are easily accessible on the contractor’s website.
• Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When carrying out the work, the Contractor shall only use employees who have been obliged to maintain confidentiality and who have previously been familiarised with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the authorisations granted in this contract, unless they are legally obliged to process it.
• The implementation of and compliance with all technical and organisational measures necessary for this order comply with Art. 28 para. 3 sentence 2 lit. c, 32 GDPR and Annex 2.
• The Client and the Contractor shall cooperate with the supervisory authority in the fulfilment of their tasks upon request.
• The client shall be informed immediately of control actions and measures of the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates the processing of personal data in the context of administrative offence or criminal proceedings relating to the processing of personal data by the contractor.
• If the Client is subject to an inspection by the supervisory authority, misdemeanour or criminal proceedings, a liability claim by a data subject or a third party or any other claim in connection with the commissioned processing at the Contractor, the Contractor shall support the Client to the best of its ability.
• The Contractor shall regularly monitor the internal processes and the technical and organisational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.
7. Subcontracting relationships
Subcontracting relationships within the meaning of this provision are those services that are directly related to the provision of the main service. This does not include ancillary services which the Contractor utilises, e.g. telecommunications services, postal/transport services, maintenance and user services, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor is obliged to conclude appropriate and legally compliant contractual agreements and to take control measures to ensure the data protection and data security of the Client’s data, even in the case of outsourced ancillary services.
A list of subcontractors is attached as Annex 3.
8. Control rights of the client
(1) The Client shall have the right to carry out inspections in consultation with the Contractor or to have them carried out by inspectors to be named in individual cases after prior notification.
(2) The Contractor shall ensure that the Client can satisfy itself of the Contractor’s compliance with its obligations under Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request insofar as this is not evident from the existing and accessible documents.
(3) Proof of such measures, which do not only concern the specific order, can be provided either by compliance with approved rules of conduct in accordance with Art. 40 GDPR, certification in accordance with an approved certification procedure in accordance with Art. 42 GDPR, current certificates, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors) and/or suitable certification by IT security or data protection audit (e.g. in accordance with BSI basic protection).
(4) The Contractor may claim remuneration for enabling the Client to carry out inspections.
9. Notification of violations by the contractor
(1) The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 of the GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. This includes, inter alia:
a) ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential breach through security vulnerabilities and enable the immediate detection of relevant breach events
b) the obligation to report personal data breaches to the client without delay
c) the obligation to support the client within the scope of its duty to inform the data subject and to provide it with all relevant information in this context without delay
d) supporting the client with its data protection impact assessment
e) supporting the client in the context of prior consultations with the supervisory authority
(2) The Contractor may claim remuneration for support services that are not included in the service description or are not attributable to misconduct on the part of the Contractor.
10. Authorisation of the client to issue instructions
(1) The client shall confirm verbal instructions without delay (at least in text form).
(2) The Contractor shall inform the Client immediately if it is of the opinion that an instruction violates data protection regulations. The Contractor shall be authorised to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Client.
11. Deletion and return of personal data
(1) Copies or duplicates of the data shall not be created without the client’s knowledge. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data that is required in order to comply with statutory retention obligations.
(2) After completion of the contractually agreed work or earlier at the request of the Client – at the latest upon termination of the service agreement – the Contractor shall hand over to the Client all documents, processing and utilisation results and data pertaining to the contractual relationship that have come into its possession or, with prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material. Upon request, the Contractor shall provide the Client with information on the nature and time of the deletion.
(3) Documentation that serves as proof of proper data processing in accordance with the order shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods. The Contractor may hand them over to the Client at the end of the contract in order to discharge the Client.
12. Other agreements
12.1 Charges
No fee shall be charged for this order. If the Client requires support in accordance with Section 5 to respond to enquiries from data subjects, it shall reimburse the costs incurred as a result. If the Client exercises control rights in accordance with Section 8, the amount of the fee to be agreed in advance shall be based on an hourly rate to be determined for the employee assigned by the Contractor to provide support. If the Client issues instructions to the Contractor in accordance with Section 10, the Client shall reimburse any costs incurred as a result of such instructions.
12.2 Contract duration
This agreement is dependent on the existence of a main contractual relationship in accordance with Section 2. The cancellation or other termination of the main contractual relationship in accordance with Section 2 shall simultaneously terminate this agreement. The right to isolated, extraordinary termination of this agreement and the exercise of statutory rights of cancellation specifically for this agreement remain unaffected.
12.3 Choice of law
The law of the Federal Republic of Germany applies.
12.4 Place of jurisdiction
The parties agree that the place of jurisdiction shall be the court having jurisdiction for Neu-Ulm.
Annex 1 to the order pursuant to Art. 28 GDPR:
List of personal data and purpose of their processing
I. Type of data
The following types of data are regularly processed:
• Company name with names of contact persons and address of the company
• Contact details
• Payment data
• Customer data of the company for invoicing
• Product and service names of the company
II. Group of data subjects
Group of persons affected by the data processing:
• Employees and customers of the client
• Partners and service providers of the client
• Suppliers of the client
Annex 2 to the order pursuant to Art. 28 GDPR:
Technical and organisational measures pursuant to Art. 32 GDPR and Annex
Note: Special measures for working from home are based on the measures recommended by the BSI (https://www.bsi.bund.de/SharedDocs/Downloads/DE/BSI/Cyber-Sicherheit/Themen/empfehlung_home_office.html)
I. Confidentiality (Art. 32 para. 1 lit. b GDPR)
a. Access control (physical access to premises)
Computer centre
Our servers are located in the German data centres of Hetzner Online GmbH.
• Electronic access control system with logging
• High security fence around the entire data centre park
• Guidelines for escorting and labelling guests in the building
• 24/7 staffing of the data centres
• Video surveillance at entrances and exits, security gates and server rooms
• Access to the premises for external persons (e.g. visitors) is restricted as follows: only when accompanied by a Hetzner Online GmbH employee
Administration/home office
• Systems that could be used to access servers and applications must be located in lockable rooms or in a separate lockable room (e.g. in home offices).
• Business-critical documents that allow conclusions to be drawn about customer relationships and/or their customer data (contracts, printed correspondence, etc.) are archived exclusively in secure filing cabinets
• Workplace devices are always locked when leaving the workplace
• Only personnel trained and sensitised to data protection law access personal data for support purposes
• No data processing in the presence of third parties
b. Access control (system access / logon)
Computer centre
• Server passwords are only known to the responsible employees of the contractor for the purpose of maintenance and control of the infrastructure.
Home office
• All passwords for accessing accounts or systems are stored locally exclusively in encrypted password management programmes (e.g. KeePass).
c. Access control (access to data / authorisations)
Infrastructure
• In the case of the infrastructure provider’s internal management systems, regular security updates (in accordance with the current state of the art) ensure that unauthorised access is prevented.
• Audit-proof, binding authorisation allocation procedure for employees of the infrastructure provider
• The responsibility for access control lies with the contractor’s employees.
Applications / internal administration systems:
• are protected against unauthorised access by regular security updates (according to the current state of the art)
• are only accessible via password-protected, personalised accounts
• with access to customer data are additionally reachable only via a VPN or SSH tunnel
• Regular review and adjustment of access authorisations
d. Data carrier check
Computer centre
• Hard drives are overwritten (erased) several times by the infrastructure provider using a defined procedure. After verification, the hard disks are reused.
• Defective hard drives that cannot be securely deleted are destroyed (shredded) directly in the infrastructure provider’s data centre.
General / Home office
• Employees’ data carriers that are no longer required or defective are overwritten (deleted) several times and destroyed.
• Sensitive data is only stored locally in encrypted form on data carriers.
e. Separation control
• Customer data is stored physically or logically separated from other data.
• Customer data is also backed up on logically and/or physically separate systems.
II. Integrity (Art. 32 para. 1 lit. b GDPR)
a. Transfer control
General
• All employees are instructed within the meaning of Art. 32 para. 4 GDPR and are obliged to ensure that personal data is handled in compliance with data protection regulations.
• Data protection-compliant deletion of data after order completion.
• Data is only transmitted in encrypted form (TLS)
Home office
• Employees are instructed to create confidential documents/printouts only in exceptional cases and to destroy them immediately after use. The necessary hardware will be provided (e.g. document shredder).
• Employees are instructed and trained to ensure that data carriers that are no longer required are destroyed appropriately.
III. Availability and resilience (Art. 32 para. 1 lit. b GDPR)
a. Availability control
Server
• Our servers are located in a Hetzner data centre in Germany, which is ISO 27001 certified and meets the highest standards of availability.
• Data is backed up regularly.
• Use of uninterruptible power supply, emergency power system.
• Permanently active DDoS protection.
Home office
• Locally stored data is continuously backed up to a central backup server.
b. Rapid recoverability (Art. 32 para. 1 lit. c GDPR)
Server
• An escalation chain is defined for all systems, which specifies who is to be informed in the event of a fault in order to restore the system as quickly as possible.
Home office
• Employee data can be restored from the central backup server.
IV. Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
a. Order control
Measures that ensure that personal data processed on behalf of the client can only be processed in accordance with the client’s instructions. These include:
• Careful selection of subcontractors/processors, especially with regard to data protection
• Conclusion of necessary agreements with any subcontractors/processors and their review
b. Organisational control
The internal organisation must be designed in such a way that it meets the special requirements of data protection. This includes the following measures:
• Regular training of all persons who come into contact with personal data to ensure compliance with legal regulations
• A review of the effectiveness of the technical protective measures is carried out at least once a year.
• Customer-specific documentation of instructions and activities within the scope of order processing
• Data protection incidents are documented and analysed immediately.
Annex 3 to the order pursuant to Art. 28 GDPR:
Subcontractors
For the processing of data on behalf of the client, the contractor utilises the services of third parties who process data on its behalf (“subcontractors”).
These are the following company(ies):
• storyx AG, Seestrasse 87, CH-6052 Hergiswil – IT service provider
• Product Fruits s.r.o., Rozdelovska 1999/7, 169 00 Praha 6, Czech Republic – Product Guide