
Agreement on order processing

according to § 28 GDPR

between

Optioffice GbR
Mittelweg 149
20148 Hamburg
represented by
Rohit Mathur
Martin Blume
- hereinafter referred to as the processor -

and

the person responsible for processing (licensee)
- hereinafter referred to as the person responsible or the client -

§ 1 Subject matter and duration of the order

(1) Subject

  1. The subject matter of the order results from the general terms and conditions to which reference is made here (hereinafter service agreement).
  2. The processor collects / processes / uses personal data on behalf of the person responsible.
  3. The subject of the order is the collection, transfer, processing, storage and presentation of the data of the person responsible within the framework of the OptiOffice software.
  4. The scope, type and purpose of the data collection, transfer, processing and use result from the current range of functions of the OptiOffice software.
  5. The type of data includes both personal data of the person responsible and his employees and personal data of his contacts. This data includes personal information such as contact details including place of residence, birthday, e-mail address and working hours, as well as information on the state of health.
  6. The group of data subjects consists of the person responsible and his employees who use the OptiOffice software, as well as the employees of the processor and its vicarious agents.

(2) Duration

  1. The duration of this order (duration) corresponds to the duration of the service agreement.

§ 2 Specification of the order content

(1) Type and purpose of the intended processing of data

The type and purpose of the processing of personal data by the contractor for the client are specifically described in the general terms and conditions.

The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 ff. GDPR are met. The appropriate level of protection is established through binding internal data protection regulations (Art. 46 Para. 2 lit. b in conjunction with Art. 47 GDPR).

(2) Type of data

  • The subject of the processing of personal data is the following data types / categories (list / description of the data categories)

    • Personal master data

    • Communication data (e.g. telephone, email)

    • Contract master data (contractual relationship, product or contract interest)

    • Customer history

    • Customer appointments

    • Contract billing and payment data

    • Planning and control data

    • Health data

(3) Categories of data subjects

The categories of persons affected by the processing include:

  • Customers

  • Interested persons

  • Members

  • Employees

§ 3 Technical and organizational actions

(1) The contractor must document the implementation of the technical and organizational actions set out in the run-up to the award of the contract and hand them over to the client for review before the start of processing, in particular with regard to the specific execution of the contract. If accepted by the client, the documented actions become the basis of the order. If the client's test / audit reveals a need for adjustment, this must be implemented by mutual agreement.

(2) The contractor must provide security in accordance with Art. 28 Paragraph 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 Paragraph 1, Paragraph 2 GDPR. Overall, the actions to be taken are data security actions and actions to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purposes of processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR must be taken into account.

(3) The technical and organizational actions are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative, adequate measures. The security level of the specified measures must not be undercut. Significant changes are to be documented.

§ 4 Correction, restriction and deletion of data

(1) The contractor may not correct, delete or restrict the processing of the data processed in the order without authorization, but only in accordance with documented instructions from the client. If a data subject contacts the contractor directly in this regard, the contractor will immediately forward this request to the client.

(2) As far as included in the scope of services, the deletion concept, right to be forgotten, correction, data portability and information must be ensured directly by the contractor in accordance with documented instructions from the client.

§ 5 Quality assurance and other obligations of the contractor

In addition to complying with the provisions of this order, the contractor has statutory obligations under Art. 28 to 33 GDPR; in this respect, he guarantees in particular compliance with the following requirements:

  1. Maintaining confidentiality in accordance with Art. 28 Paragraph 3 Sentence 2 Letter b, 29, 32 Paragraph 4 GDPR. When carrying out the work, the contractor will only use employees who are bound to confidentiality and who have previously been familiarized with the data protection provisions that are relevant to them. The contractor and every person subordinate to the contractor who has access to personal data may only process this data in accordance with the instructions of the client, including the powers granted in this contract, unless they are legally obliged to process them.

  2. The implementation of and compliance with all technical and organizational measures required for this order in accordance with Article 28 Paragraph 3 Sentence 2 Letter c, 32 GDPR.

  3. The client and the contractor work together on request with the supervisory authority in the performance of their tasks.

  4. Immediately informing the client of control actions and measures by the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates the contractor in the context of administrative offence or criminal proceedings relating to the processing of personal data during order processing.

  5. If the client is itself subject to an inspection by the supervisory authority, administrative offence or criminal proceedings, a liability claim by a data subject or a third party, or any other claim in connection with the order processing at the contractor, the contractor must support him to the best of his ability.

  6. The contractor regularly checks the internal processes as well as the technical and organizational measures to ensure that the processing in his area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the rights of the data subject are protected.

  7. Verifiability of the technical and organizational measures taken vis-à-vis the client within the scope of his control powers according to section 7 of this contract.

§ 6 Subcontracting relationships

(1) For the purposes of this regulation, subcontracting relationships are to be understood as those services that relate directly to the provision of the main service. This does not include ancillary services that the contractor uses, e.g. telecommunications services, post / transport services, maintenance and user service or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, even in the case of outsourced ancillary services, the contractor is obliged to make appropriate and legally compliant contractual agreements and to take control measures in order to ensure the data protection and data security of the client's data.

(2) The transfer of personal data of the client to the subcontractor and its initial activity are only permitted if all requirements for subcontracting are met.

(3) If the subcontractor provides the agreed service outside of the EU / EEA, the contractor shall ensure admissibility under data protection law by taking appropriate measures. The same applies if service providers within the meaning of Paragraph 1 Clause 2 are to be used.

§ 7 Control rights of the client

(1) The client has the right to carry out inspections in consultation with the contractor or to have them carried out by inspectors to be named in individual cases. He has the right to satisfy himself of the contractor's compliance with this agreement in the contractor's business operations by means of spot checks, which as a rule must be announced in good time.

(2) The contractor ensures that the client can convince himself of the compliance with the obligations of the contractor according to Art. 28 GDPR. The contractor undertakes to provide the client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.

(3) Evidence of such measures, which do not only relate to the specific order, can be provided by

  • compliance with approved rules of conduct in accordance with Art. 40 GDPR;

  • the certification according to an approved certification procedure according to Art. 42 GDPR;

  • Current attestations, reports or report excerpts from independent bodies (e.g. auditors, auditors, data protection officers, IT security departments, data protection auditors, quality auditors);

  • Appropriate certification through IT security or data protection audits (e.g. according to BSI basic protection).

(4) The contractor can assert a claim for remuneration for enabling the client to carry out checks.

§ 8 Notification of violations by the contractor

(1) The contractor supports the client in complying with the obligations for the security of personal data specified in Articles 32 to 36 of the GDPR, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. These include, among others

  1. ensuring an appropriate level of protection through technical and organizational measures

  2. the obligation to report violations of personal data to the client immediately

  3. the obligation to support the client within the scope of his obligation to provide information to the data subject and to provide him with all relevant information immediately in this context

  4. the support of the client for its data protection impact assessment

  5. the support of the client in the context of prior consultations with the supervisory authority

(2) The contractor can claim remuneration for support services that are not included in the service description or that cannot be traced back to misconduct on the part of the contractor.

§ 9 Authority of the client to issue instructions

(1) Verbal instructions are immediately confirmed by the client (at least in text form).

(2) The contractor must inform the client immediately if he is of the opinion that an instruction violates data protection regulations. The contractor is entitled to suspend the implementation of the relevant instruction until it is confirmed or changed by the client.

§ 10 Deletion and return of personal data

(1) Copies or duplicates of the data are not made without the knowledge of the client. This does not apply to backup copies, insofar as they are necessary to ensure proper data processing, or to data that is required in order to comply with statutory retention obligations.

(2) After completion of the contractually agreed work or earlier upon request by the client - at the latest with the termination of the service agreement - the contractor must hand over to the client all documents, created processing and usage results as well as databases in connection with the contractual relationship or, with prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material.

(3) Documentation that serves as evidence of orderly and proper data processing must be kept by the contractor beyond the end of the contract in accordance with the respective retention periods. He can hand them over to the client for his relief at the end of the contract.

As of May 18, 2018

OptiOffice

Rohit Mathur & Martin Blume

Mittelweg 149
20148 Hamburg

phone: 040 696 327 777

Email: mail@optioffice.de
www.optioffice.de
