Agreement on order processing
according to § 28 GDPR
Rohit Mathur & Martin Blume
- hereinafter referred to as the processor -
the person responsible for processing (licensee)
- hereinafter referred to as the person responsible or the client -
§ 1 Subject matter and duration of the order
The subject matter of the order results from the general terms and conditions to which reference is made here (hereinafter service agreement).
The processor collects / processes / uses personal data on behalf of the person responsible.
The subject of the order is the collection, transfer, processing, storage and presentation of the data of the person responsible within the framework of the OptiOffice software.
The scope, type and purpose of data collection, transmission, processing and use result from the current functional scope of the OptiOffice software.
The type of data includes both personal data of the person responsible and his employees, as well as personal data of his contacts. This data includes personal information such as contact details including place of residence, birthday, email address and working hours, as well as information on the state of health.
The group of those affected consists of the person responsible and his employees who use the OptiOffice software, as well as the employees of the processor and his vicarious agents.
The duration of this order (duration) corresponds to the duration of the service agreement.
§ 2 Specification of the order content
(1) Type and purpose of the intended processing of data
The type and purpose of the processing of personal data by the contractor for the client are specifically described in the general terms and conditions.
The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 ff. GDPR are met. The appropriate level of protection is established through binding internal data protection rules (Art. 46 para. 2 lit. b in conjunction with Art. 47 GDPR).
(2) Type of data
The subject of the processing of personal data is the following data types / categories (list / description of the data categories):
Personal master data
Communication data (e.g. telephone, email)
Contract master data (contractual relationship, product or contract interest)
Contract billing and payment data
Planning and control data
(3) Categories of data subjects
The categories of persons affected by the processing include:
§ 3 Technical and organizational measures
(1) The contractor must document the implementation of the technical and organizational measures specified before the contract was awarded and hand this documentation over to the client for review before the start of processing, in particular with regard to the specific execution of the contract. If accepted by the client, the documented measures become the basis of the order. If the client's review / audit reveals a need for adjustment, this must be implemented by mutual agreement.
(2) The contractor must provide security in accordance with Art. 28 para. 3 lit. c and Art. 32 GDPR, in particular in conjunction with Art. 5 para. 1 and para. 2 GDPR. Overall, the measures to be taken are data security measures that ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR, must be taken into account.
(3) The technical and organizational measures are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative, adequate measures. The security level of the specified measures must not be undercut. Significant changes are to be documented.
§ 4 Correction, restriction and deletion of data
(1) The contractor may not correct, delete or restrict the processing of the data processed in the order without authorization, but only in accordance with documented instructions from the client. If a data subject contacts the contractor directly in this regard, the contractor will immediately forward this request to the client.
(2) Insofar as they are included in the scope of services, the contractor must directly ensure the deletion concept, the right to be forgotten, correction, data portability and the provision of information, in accordance with documented instructions from the client.
§ 5 Quality assurance and other obligations of the contractor
In addition to complying with the provisions of this order, the contractor has legal obligations in accordance with Art. 28 to 33 GDPR; in this respect, he particularly guarantees compliance with the following requirements:
Maintaining confidentiality in accordance with Art. 28 Paragraph 3 Sentence 2 Letter b, 29, 32 Paragraph 4 GDPR. When carrying out the work, the contractor will only use employees who are bound to confidentiality and who have previously been familiarized with the data protection provisions that are relevant to them. The contractor and every person subordinate to the contractor who has access to personal data may only process this data in accordance with the instructions of the client, including the powers granted in this contract, unless they are legally obliged to process them.
The implementation of and compliance with all technical and organizational measures required for this order in accordance with Article 28 Paragraph 3 Sentence 2 Letter c, 32 GDPR.
The client and the contractor cooperate with the supervisory authority, on request, in the performance of its tasks.
Immediate notification of the client of any control actions and measures of the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates the processing of personal data carried out at the contractor's under this order in the context of administrative-offense or criminal proceedings.
If the client is in turn subject to an inspection by the supervisory authority, administrative-offense or criminal proceedings, a liability claim by a data subject or a third party, or any other claim in connection with the order processing at the contractor, the contractor must support the client to the best of his ability.
The contractor regularly checks the internal processes as well as the technical and organizational measures to ensure that the processing in his area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the rights of the data subject are protected.
Verifiability of the technical and organizational measures taken vis-à-vis the client within the scope of his control powers according to section 7 of this contract.
§ 6 Subcontracting relationships
(1) For the purposes of this regulation, subcontracting relationships are to be understood as those services that relate directly to the provision of the main service. This does not include ancillary services that the contractor uses, e.g. telecommunications services, post / transport services, maintenance and user support or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, even in the case of outsourced ancillary services, the contractor is obliged to enter into appropriate and legally compliant contractual agreements and to take control measures in order to ensure the protection and security of the client's data.
(2) The transfer of personal data of the client to the subcontractor and its initial activity are only permitted if all requirements for subcontracting are met.
(3) If the subcontractor provides the agreed service outside of the EU / EEA, the contractor shall ensure admissibility under data protection law by taking appropriate measures. The same applies if service providers within the meaning of Paragraph 1 Clause 2 are to be used.
§ 7 Control rights of the client
(1) The client has the right, in consultation with the contractor, to carry out inspections or to have them carried out by inspectors who are to be named on a case-by-case basis. He has the right to satisfy himself that the contractor is complying with this agreement by means of spot checks in the contractor's business operations, which are usually to be announced in good time.
(2) The contractor ensures that the client can satisfy himself that the contractor is complying with his obligations under Art. 28 GDPR. The contractor undertakes to provide the client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.
(3) Evidence of such measures, insofar as they do not relate only to the specific order, can be provided by:
compliance with approved rules of conduct in accordance with Art. 40 GDPR;
the certification according to an approved certification procedure according to Art. 42 GDPR;
current attestations, reports or report excerpts from independent bodies (e.g. auditors, internal auditors, data protection officers, IT security departments, data protection auditors, quality auditors);
appropriate certification through IT security or data protection audits (e.g. according to BSI IT-Grundschutz).
(4) The contractor can assert a claim for remuneration to enable the client to carry out checks.
§ 8 Notification of violations by the contractor
(1) The contractor supports the client in complying with the obligations specified in Articles 32 to 36 of the GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations. These include, among others:
ensuring an appropriate level of protection through technical and organizational measures
the obligation to report personal data breaches to the client immediately
the obligation to support the client within the scope of his obligation to provide information to the data subject and to provide him with all relevant information immediately in this context
the support of the client for its data protection impact assessment
the support of the client in the context of prior consultations with the supervisory authority
(2) The contractor can claim remuneration for support services that are not included in the service description or that cannot be traced back to misconduct on the part of the contractor.
§ 9 Authority of the client to issue instructions
(1) Verbal instructions are immediately confirmed by the client (at least in text form).
(2) The contractor must inform the client immediately if he is of the opinion that an instruction violates data protection regulations. The contractor is entitled to suspend the implementation of the relevant instruction until it is confirmed or changed by the client.
§ 10 Deletion and return of personal data
(1) Copies or duplicates of the data will not be made without the knowledge of the client. Exceptions to this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data that are necessary with regard to compliance with statutory retention requirements.
(2) After completion of the contractually agreed work, or earlier upon request by the client, and at the latest upon termination of the service agreement, the contractor must hand over to the client all documents, processing and usage results created, and data stocks in connection with the contractual relationship, or, with the client's prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material.
(3) Documentation that serves as evidence of orderly and proper data processing must be kept by the contractor beyond the end of the contract in accordance with the respective retention periods. He may hand it over to the client at the end of the contract in order to discharge this obligation.
As of May 18, 2018