1. Object of the Contract
(1) Within the scope of the use of the Ingenious technology pursuant to the General Terms and Conditions of Business of Ingenious (hereinafter the “Main Contract”) it is necessary for the Processor to store and process data which is collected by the Controller in the course of the use of the Ingenious technology. It cannot be ruled out that this data represents personal data within the meaning of Art. 4, no. 1, GDPR. This Commissioned Data Processing Agreement applies exclusively for this data (hereinafter “Controller Data”).
(2) This Contract sets out in concrete terms the rights and duties of the parties in relation to data protection in connection with the handling of the Controller Data by the Processor in the performance of the Main Contract.
2. Nature, scope, purpose and term of the commissioned processing
(1) The Processor will process the Controller Data on behalf of and in accordance with the instructions of the Controller within the meaning of Art. 28 GDPR (Commissioned Processing). The Controller remains the responsible body within the meaning of the data protection provisions in accordance with Art. 4, no. 7, GDPR.
(2) The processing of the Controller Data within the scope of the Commissioned Processing will be carried out in accordance with the stipulations concerning the nature, scope and purpose of the data processing contained in Annex 1 to this Contract. This relates to the nature of the Controller Data in Annex 1, the purpose of the data processing and the circle of data subjects specified there.
(3) The Controller Data will be processed in the territory of the Federal Republic of Germany, in any other member state of the European Union or in any other contracting state to the Agreement on the European Economic Area. Any transfer to a third country shall require the prior consent of the Controller and may only take place if the special conditions of Art. 44 et seq. GDPR are fulfilled.
(4) The term and termination of this Contract shall be governed by the provisions concerning the term and termination of the Main Contract. Any termination of the Main Contract automatically has the effect of terminating this Contract. A termination of this Contract in isolation is precluded.
3. Powers of the Controller to issue instructions
(1) The Controller Data will be handled by the Processor exclusively within the scope of the agreements made and in accordance with documented instructions of the Controller pursuant to Art. 28, para. 3, sentence 2 (a) GDPR unless the Processor is obliged to process the same in accordance with Union or Member State law to which it is subject. In such a case, the Processor will inform the responsible officer of these legal requirements before carrying out the processing, unless that law prohibits the provision of such information on important grounds of public interest.
(2) Within the scope of the commission description set out in this Agreement, the Controller reserves the right to issue instructions relating to the nature, scope, means and purposes of the data processing, which it may specify in more detail through individual instructions. Should the Controller issue individual instructions in relation to the handling of Controller Data which go above and beyond the contractually agreed scope of performance, the costs thereby incurred are to be borne by the Controller.
(3) Any changes to the subject-matter of the processing or any changes in processes are to be jointly agreed and documented. The Processor may only provide information to third parties or to the data subject following the prior written consent of the Controller. The Processor is not entitled to pass on Controller Data to third parties and shall use the data for no other purposes, in particular not for its own purposes.
(4) The Processor is under no obligation to check the legitimacy of the instructions of the Controller under legal (data protection) provisions. The Processor shall immediately inform the Controller pursuant to Art. 28, para. 3, sentence 3, GDPR if, in its opinion, an instruction issued by the Controller infringes legal provisions. The Processor shall be entitled to suspend the implementation of the corresponding instruction until it has been confirmed or amended by the responsible officer at the Controller.
4. Duties of the Controller
(1) The Controller alone is responsible for the lawfulness of the data processing by the Processor and also for safeguarding the rights of the data subjects, and is thus the “controller” within the meaning of Art. 4, no. 7, GDPR.
(2) The Controller is the proprietor of all and any rights relating to the Controller Data.
(3) The Controller shall immediately inform the Processor if it discovers any errors or irregularities in connection with the processing of Controller Data by the Processor.
(4) Should any third parties assert claims against the Processor on account of the processing of Controller Data, the Controller shall indemnify the Processor from all such claims upon first demand.
5. Duties of the Processor
(1) The Processor shall ensure and regularly check that the processing of the Controller Data within the scope of the provision of services under the Main Contract in its area of responsibility, which includes the sub-contractors under Clause 9 of this Contract, is carried out in compliance with the provisions of this Contract.
(2) The Processor has appointed the data protection officer
Walter Meng, Ingenious Technologies AG, Französische Strasse 48, 10117 Berlin, Germany.
The Processor must inform the Controller immediately in the event of a change of the data protection officer.
(3) Pursuant to Art. 28, para. 3, sentence 2 (b), GDPR, the Processor shall impose an obligation of data secrecy by written agreement on all persons authorised to access personal data of the Controller, and shall advise them of the particular data protection obligations arising from this commission and also of the existing commitment to observe instructions and of the restriction to the specified purpose.
(4) Without the prior consent of the Controller, the Processor may not make any copies or duplicates of Controller Data within the scope of the Commissioned Processing. However, excepted herefrom are copies which are necessary in order to ensure orderly data processing and the orderly provision of services in accordance with the Main Contract (including data back-ups), and also copies which are necessary to comply with statutory obligations of retention.
(5) Within the scope of what is reasonable and necessary, and in return for reimbursement of the expenses and costs thereby incurred by the Processor, the latter shall be obliged to support the Controller in the performance of its statutory obligations. This includes compliance with the technical and organisational measures, the notification of personal data breaches to the supervisory authority and to data subjects, the performance of data protection impact assessments and also prior consultation with the competent supervisory authority.
(6) The Processor shall be obliged to provide the Controller with all necessary information, including certifications and the results of reviews and inspections, which serve as documentary proof of compliance with the duties laid down in this Contract.
6. Technical and organisational measures
(1) Before beginning with the processing of the Controller Data, the Processor shall implement the technical and organisational measures listed in Annex 2 of this Contract and maintain the same in force during the term of the Contract.
(2) Since the technical and organisational measures will be governed by technical progress and further technological development, the Processor is permitted to implement alternative and adequate measures, provided that the level of security does not fall below the measures stipulated in Annex 2. The Processor is to document any such changes. Significant changes to the measures require the prior consent of the Controller and are to be documented by the Processor and provided to the Controller upon request.
7. Reportable breaches by the Processor
(1) The Processor shall inform the Controller promptly if it discovers that it or any employee has contravened data protection provisions or stipulations under this Contract in processing the Controller Data where the risk exists of a breach of the personal data of the Controller within the meaning of Art. 4, no. 12, GDPR.
(2) Where the Controller is under a statutory duty to provide information following an incident under para. (1) on account of an unlawful disclosure of Controller Data (in particular under Arts. 33 and 34 GDPR), the Processor shall, at the request of the Controller, support the latter, within the scope of what is reasonable and necessary, in fulfilling its duties of providing information, subject to reimbursement of the expenses and costs thereby incurred by the Processor.
8. Control rights of the Controller
(1) Prior to the commencement of the data processing and then at regular intervals, the Controller shall, at its own expense, satisfy itself of the technical and organisational measures taken by the Processor in accordance with Annex 2, and shall document the result. For this purpose, it may obtain information from the Processor itself, request the submission of an attestation from an expert or, following the agreement of an appointment upon due notice, satisfy itself personally, without disrupting business operations and subject to observing strict secrecy in relation to industrial and business secrets of the Processor. The Processor undertakes to support the inspections of the Controller in an appropriate manner and to tolerate all necessary control measures.
(2) The Processor undertakes upon the written request of the Controller to give the latter, within a reasonable period, all information necessary for carrying out an inspection.
(3) The Processor shall at its own discretion be entitled, having consideration for the statutory obligations of the Controller, to withhold information which is sensitive in regard to the business of the Processor, or if the Processor would contravene statutory or other contractual provisions through disclosure of such information. The Controller shall not be entitled to be granted access to data or information about other customers of the Processor, to information relating to costs, quality control and contract management reports or to any other confidential data of the Processor which is not directly relevant for the agreed control purposes.
(4) The Controller shall inform the Processor in due time (as a rule, at least two weeks beforehand) of all circumstances relating to the performance of the inspection. As a rule, the Controller may perform one inspection per calendar year. The right of the Controller to carry out further inspections in the case of special incidents remains unaffected hereby.
(5) Should the Controller instruct a third party to perform the inspection, the Controller shall, by written agreement, impose the same obligations on the third party as the Controller itself has towards the Processor under this Clause 8 of this Contract. The Controller shall furthermore impose an obligation of confidentiality and secrecy on the third party unless the third party is bound by a duty of professional secrecy. At the request of the Processor, the Controller shall promptly submit to the Processor the agreements made with the third party containing these commitments. The Controller may not instruct any competitor of the Processor to carry out the inspection.
(6) At the option of the Processor, the documentary proof of compliance with the technical and organisational measures in accordance with Annex 2 may also, instead of an on-the-spot inspection, be provided through the submission of a suitable current attestation, of reports or extracts from reports of independent bodies (e.g. of certified public accountants, auditors, data protection officers, an IT security department, data protection auditors or quality auditors) or a suitable certification through an IT security or data protection audit – e.g. under BSI baseline protection [baseline protection issued by the German Federal Office for Information Security] – (“Audit Report”), provided the audit report enables the Controller to satisfy itself in an appropriate manner of compliance with the technical and organisational measures in accordance with Annex 2 to this Contract.
9. Sub-contractor relationships
(1) The Processor may only establish sub-contractor relationships in regard to the processing of Controller Data following the prior written consent of the Controller. Such prior consent may only be refused by the Controller for cogent reasons, of which evidence is to be produced to the Processor. The Processor will, upon request, deliver to the Controller an up-to-date overview of the sub-processors involved. Where written authorisation has been granted, the Processor will always inform the Controller of any intended change in regard to the enlistment or replacement of other processors.
(2) The Sub-Processors named in Annex 3 are deemed as approved by the Controller.
(3) In the event of the enlistment of a sub-processor, the Processor shall, by contract or any other legal instrument under European Union law or the law of the relevant member state, impose the same data protection obligations upon the sub-processor as are stipulated in this Contract. Should a sub-processor fail to fulfil the obligations stipulated in this Contract or contravene any data protection provisions, the Processor shall be liable to the Controller for compliance with the obligations of the sub-processor.
(4) Services of which the Processor avails itself from third parties as an ancillary service for the purpose of support in the performance of the commission are not understood to be sub-contractor relationships within the meaning of this provision and thus do not require the consent of the Controller. These include, in particular, telecommunications services, security services, maintenance and user service, cleaning personnel, auditors and the disposal of data carriers. However, in order to ensure the protection and security of the data of the Controller, the Processor shall, also in the case of outsourced ancillary services, be obliged to enter into contractual agreements in conformity with the law and to implement control measures.
10. Rights of the data subjects
(1) The rights of persons affected by the data processing are to be asserted against the Controller.
(2) Should a data subject apply directly to the Processor to protect his rights pertaining to personal data in accordance with Arts. 12 to 22 GDPR, the Processor will refer the data subject to the Controller.
(3) In the event that a data subject asserts his rights under Arts. 12 to 22 GDPR, the Processor shall support the Controller in satisfying these claims within a reasonable scope and within the scope necessary for the Controller in so far as the Controller is unable to satisfy the claims without the co-operation of the Processor. The Controller shall reimburse the Processor for any additional expenditure.
(4) The Processor shall enable the Controller to rectify, erase or block Controller Data or, at the request of the Controller, shall carry out the rectification, blockage or erasure itself if and in so far as the Controller is unable to do so itself.
(5) Return and erasure of the Controller Data provided
(6) Following the end of the provision of services covered by the Contract (in particular in the case of termination or any other ending of the Main Contract) the Processor shall, at the option of the Controller, return or erase all Controller Data and destroy any existing copies, except where an obligation to store the data exists under a legal provision.
(7) The Processor shall prepare a protocol of the erasure or destruction of the Controller Data and provide the same to the Controller upon request.
(8) Documentation which serves as documentary proof of the orderly data processing in accordance with the terms of the commission or which is to be retained for the statutory retention periods is to be stored by the Processor beyond the end of the Contract in compliance with the respective retention periods.
11. Relationship to the Main Contract
Except where special provisions are contained in this Contract, the provisions of the Main Contract shall apply. In the event of any discrepancies between this Contract and provisions under other agreements, in particular under the Main Contract, the provisions of this Contract shall take precedence in so far as the processing of Controller Data is concerned.
PDF-Download of the data processing agreement:
Contract for the Commissioned Processing of Personal Data pursuant to Art. 28 General Data Protection Regulation (as of February 2018)
APPENDIX 1: Controller Data (as of May 2018)
APPENDIX 2: Technical and Organisational Measures (as of February 2018)
APPENDIX 3: Approved Sub-Processors (as of February 2018)