1. Introduction, scope, definitions
- This document ("Agreement on Data Processing for Linkando Cloud Services") is incorporated into the agreement between Linkando GmbH, Ostbahnstr. 17, 76829 Landau ("Contractor") and the customer ("Client") and is part of a written (also concluded in electronic form) main contract, the Terms of Use for the Linkando Portal, between Linkando and the customer. This agreement governs the rights and obligations of the client and contractor (hereinafter referred to as the "parties") in the context of the processing of personal data on behalf of Linkando and its sub-processors in connection with the provision of cloud services.
- Annexes 1 and 2 are part of this DPA. They define the technical and organizational measures to be applied and the approved subcontractors.
- This agreement applies to all activities in which employees of the contractor or subcontractors commissioned by the contractor process personal data of the client on the client's behalf.
- Terms used in this agreement are to be understood in accordance with their definition in the EU General Data Protection Regulation. In this sense, the client is the "controller" and the contractor is the "processor". Insofar as declarations are to be made "in writing" in the following, the written form pursuant to Section 126 BGB is meant. Otherwise, declarations may also be made in another form, provided that appropriate verifiability is guaranteed.
2. Object and duration of the processing
2.1 Object
The contractor undertakes the following processing:
- E-mail communication
- Customer management
- Website operation
- Contact forms
- Chat Tool
- Video conferences
- Cloud rooms
The processing is based on the terms of use existing between the parties (hereinafter referred to as the "main contract").
2.2 Duration
The processing begins at the start of the main contract and continues indefinitely until this agreement or the main contract is terminated by one of the parties.
3. Type, purpose and data subjects of the data processing
3.1 Type of processing
The processing is of the following nature: collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
3.2 Purpose of the processing
The processing serves the following purpose:
Provision of the Linkando Cloud platform for the client and the associated commercial processing and provision of end-user support.
3.3 Type of data
The following data is processed:
- Salutation
- First name and surname
- E-mail address
- Address
- Communication data
- Usage data (IP addresses, login time, login name)
3.4 Categories of data subjects
The following data subjects are affected by the processing:
- Customers of the client
- Interested parties of the client
- Employees of the client
4. Obligations of the contractor
- The Contractor shall process personal data exclusively as contractually agreed or as instructed by the Client, unless the Contractor is legally obliged to carry out specific processing. If such obligations exist for the Contractor, the Contractor shall inform the Client of these prior to processing, unless the notification is prohibited by law. Furthermore, the Contractor shall not use the data provided for processing for any other purposes, in particular not for its own purposes.
- The Contractor confirms that it is aware of the relevant general data protection regulations. It observes the principles of proper data processing.
- The Contractor undertakes to maintain strict confidentiality during processing.
- Persons who may gain knowledge of the data processed in the order must undertake in writing to maintain confidentiality, unless they are already subject to a relevant confidentiality obligation by law.
- The Contractor warrants that the persons employed by it for processing have been familiarized with the relevant provisions of data protection and this Agreement prior to the start of processing. Appropriate training and awareness-raising measures shall be repeated at regular intervals. The Contractor shall ensure that persons deployed for commissioned processing are appropriately instructed and monitored on an ongoing basis with regard to compliance with data protection requirements.
- In connection with the commissioned processing, the Contractor shall support the Client to the extent necessary in fulfilling its obligations under data protection law, in particular in drawing up and updating the list of processing activities, in carrying out the data protection impact assessment and in consulting the supervisory authority if necessary. The required information and documentation shall be kept available and forwarded to the Client immediately upon request.
- If the client is subject to inspection by supervisory authorities or other bodies or if data subjects assert rights against the client, the contractor undertakes to support the client to the extent necessary, insofar as the processing in the order is affected.
- The Contractor may only provide information to third parties or the data subject with the prior consent of the Client. The Contractor shall forward any requests addressed directly to it to the Client without delay.
- Where required by law, the contractor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. In cases of doubt, the client may contact the data protection officer directly. The contractor shall inform the client immediately of the contact details of the data protection officer or explain why no officer has been appointed. The contractor shall inform the client immediately of any changes in the person or internal tasks of the officer.
- The order processing takes place exclusively within the EU or the EEA.
- If the Contractor is not established in the European Union, it shall appoint a responsible contact person in the European Union in accordance with Art. 27 of the General Data Protection Regulation. The contact details of the contact person as well as any changes in the person of the contact person must be communicated to the Client without delay.
5. Safety of processing
- The data security measures described in Annex 1 are defined as binding. They define the minimum owed by the Contractor. The description of the measures must be so detailed that a knowledgeable third party can recognize beyond doubt at any time what the minimum owed should be on the basis of the description alone. Reference to information that cannot be taken directly from this agreement or its annexes is not permitted.
- The data security measures can be adapted in line with further technical and organizational developments as long as they do not fall below the level agreed here. The Contractor shall implement any changes required to maintain information security without delay. The Client must be informed of any changes without delay. Significant changes shall be agreed between the parties.
- If the security measures taken do not or no longer meet the Client's requirements, the Contractor shall notify the Client immediately.
- The Contractor warrants that the data processed in the order will be strictly separated from other data stocks.
- Copies or duplicates shall not be made without the knowledge of the client. This does not apply to technically necessary, temporary copies, provided that any impairment of the level of data protection agreed here is excluded.
- The processing of data in private residences is permitted. Insofar as such processing takes place, the Contractor shall ensure that a level of data protection and data security corresponding to this Agreement is maintained and that the Client's control rights specified in this Agreement can also be exercised without restriction in the private residences concerned. The processing of data on behalf of the Client using private devices is not permitted under any circumstances.
- Dedicated data carriers that originate from the client or are used for the client shall be specially marked and are subject to ongoing administration. They must be stored appropriately at all times and must not be accessible to unauthorized persons. Inputs and outputs are documented.
- The Contractor shall provide regular evidence of the fulfilment of its obligations, in particular the complete implementation of the agreed technical and organizational measures and their effectiveness.
6. Regulations on the correction, deletion and blocking of data
- The Contractor shall only correct, delete or block data processed within the scope of the order in accordance with the contractual agreement made or in accordance with the Client's instructions.
- The Contractor shall comply with the corresponding instructions of the Client at all times and also beyond the termination of this Agreement.
7. Subcontracting relationships
- The use of sub-processors shall be at the discretion of the Contractor, provided that the Contractor informs the Client in advance (by email or by posting on the support portal) of any planned additions or replacements within the list of sub-processors and the Client may object to such changes in accordance with the following provisions. The Contractor shall carefully select the subcontractor, paying particular attention to the suitability of the technical and organizational measures taken by the subcontractor.
- If the Client has a legitimate reason under data protection law to object to the processing of personal data by the new sub-processors, it may terminate the Agreement by written notice to the Contractor with effect from a date specified by the Client, but no later than thirty days after the date of the Contractor's notification to the Client of the new sub-processor. If the Client does not terminate within this thirty-day period, the new sub-processor shall be deemed to have been approved by the Client.
- Within the thirty-day period from the date of the Contractor's notice to the Client informing the Client of the new Subprocessor, the Client may request that the parties meet in good faith to discuss a resolution of the objection. Such discussions shall not extend the notice period and shall not affect the Contractor's right to engage the new Subprocessor(s) after the thirty day period has expired. Any termination under this section shall be deemed by both parties to be without fault and subject to the terms of the Agreement.
- The commissioning of subcontractors who do not exclusively perform processing on behalf of the EU or the EEA is only possible if the conditions set out in Chapter 4 (10) and (11) of this agreement are observed. In particular, it is only permissible if and as long as the subcontractor offers appropriate data protection guarantees. The Contractor shall inform the Client of the specific data protection guarantees offered by the subcontractor and how proof of this can be obtained. Insofar as currently valid standard contractual clauses based on a decision of the EU Commission (e.g. pursuant to Commission Decision 2010/87/EU) or standard data protection clauses pursuant to Art. 46 GDPR are used as appropriate guarantees, the Client authorizes the Contractor to take all necessary actions and to make and receive declarations of intent vis-à-vis the subcontractor, exempting the Contractor from the prohibition of double representation pursuant to Section 181 BGB. Furthermore, the Contractor is authorized to exercise the rights and powers of the Client under this agreement vis-à-vis the subcontractor.
- The Contractor shall carry out an appropriate review of the subcontractor's compliance with its obligations on a regular basis, at least every 12 months. The inspection and its results must be documented in such a meaningful way that they are comprehensible to a competent third party. The documentation must be submitted to the client without being asked. The Contractor shall retain the documentation on audits carried out at least until the end of the third calendar year after the end of the commissioned processing and shall submit it to the Client at any time upon request.
- If the subcontractor fails to comply with its data protection obligations, the contractor shall be liable to the client for this.
- At present, the subcontractors specified in Annex 2 with name, address and order content are engaged in the processing of personal data to the extent specified therein and approved by the Client. The Contractor's other obligations to subcontractors set out herein shall remain unaffected.
- Subcontracting relationships within the meaning of this agreement are only those services that are directly related to the provision of the main service. Ancillary services such as transportation, maintenance and cleaning as well as the use of telecommunications services or user services are not covered. The Contractor's obligation to ensure compliance with data protection and data security in these cases remains unaffected.
8. Rights and obligations of the client
- The client alone is responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.
- The client shall issue all orders, partial orders or instructions in writing. In urgent cases, instructions may be issued verbally. The client shall confirm such instructions in writing without delay.
- The Client shall inform the Contractor immediately if it discovers errors or irregularities in the inspection of the order results.
- The Client shall be entitled to monitor the Contractor's compliance with the data protection regulations and the contractual agreements to an appropriate extent itself or through third parties, in particular by obtaining information and inspecting the stored data and the data processing programs as well as other on-site checks. The persons entrusted with the inspection shall be granted access and inspection by the Contractor to the extent necessary. The Contractor shall be obliged to provide the necessary information, demonstrate processes and provide the evidence required to carry out an inspection. The Contractor shall be entitled to refuse inspections by third parties if they are in a competitive relationship with the Contractor or if there are similarly important reasons.
- Inspections at the Contractor's premises shall be carried out without avoidable disruption to its business operations. Unless otherwise indicated for urgent reasons to be documented by the Client, inspections shall take place after reasonable advance notice and during the Contractor's business hours, and no more frequently than every 12 months. Insofar as the Contractor provides evidence of the correct implementation of the agreed data protection obligations as provided for in Section 5 (8) of this Agreement, checks shall be limited to spot checks.
9. Notification obligations
- The Contractor shall notify the Client immediately of any breaches of the protection of personal data processed on behalf of the Client. Reasonable suspicions of this must also be reported. The notification must be sent to an address specified by the client within 24 hours of the contractor becoming aware of the relevant event. It must contain at least the following information:
  - a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, the categories concerned and the approximate number of personal data records concerned;
  - the name and contact details of the data protection officer or other contact point for further information;
  - a description of the likely consequences of the personal data breach;
  - a description of the measures taken or proposed to be taken by the contractor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
- Significant disruptions in the execution of the order and violations of data protection regulations or the provisions of this agreement by the Contractor or its employees must also be reported immediately.
- The Contractor shall inform the Client immediately of any inspections or measures by supervisory authorities or other third parties insofar as these relate to order processing.
- The Contractor assures that it will support the Client in its obligations under Art. 33 and 34 of the General Data Protection Regulation to the extent necessary.
10. Instructions
- The client reserves the right to issue comprehensive instructions with regard to the processing of the order.
- The Client and Contractor shall designate the persons exclusively authorized to issue and accept instructions. If no persons authorized to issue instructions are named, only the persons authorized to represent the respective party shall be authorized to issue instructions.
- In the event of a change or a longer-term absence of the named persons, the other party must be informed immediately of any successors or representatives.
- The Contractor shall notify the Client immediately if, in its opinion, an instruction issued by the Client violates statutory provisions. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it has been confirmed or amended by the person responsible at the Client.
- The Contractor shall document any instructions issued to it and their implementation.
11. Termination of the order
- If, upon termination of the contractual relationship, data processed in the order or copies thereof are still in the Contractor's power of disposal, the Contractor shall, at the Client's discretion, either destroy the data or hand it over to the Client. The Client must make this choice within 2 weeks of being requested to do so by the Contractor. The destruction must be carried out in such a way that it is no longer possible to restore even residual information with reasonable effort. Physical destruction shall be carried out in accordance with DIN 66399.
- The Contractor is obliged to arrange for the immediate destruction or return of the goods, including by subcontractors.
- The Contractor shall provide proof of proper destruction and submit it to the Client without delay.
- Documentation that serves as proof of proper data processing shall be retained by the Contractor at least until the end of the third calendar year after the end of the contract. The Contractor may hand them over to the Client for the Client's discharge.
12. Liability
- The client and contractor are jointly and severally liable for compensation for damages suffered by a person due to unauthorized or incorrect data processing within the scope of the contractual relationship.
- The Contractor shall bear the burden of proof that damage is not the result of a circumstance for which it is responsible, insofar as the relevant data was processed by it under this Agreement. As long as this proof has not been provided, the Contractor shall indemnify the Client on first demand against all claims asserted against the Client in connection with the commissioned processing. Under these conditions, the Contractor shall also reimburse the Client for all legal defense costs incurred.
- The Contractor shall be liable to the Client for damage culpably caused by the Contractor, its employees or those commissioned by it to perform the contract or the subcontractors used by it in connection with the provision of the commissioned contractual service.
- Points (2) and (3) shall not apply if the damage was caused by the correct implementation of the commissioned service or an instruction issued by the client.
13. Special right of termination
- The Client may terminate the main contract and this Agreement at any time without notice ("extraordinary termination") in the event of a serious breach by the Contractor of data protection regulations or the provisions of this Agreement, if the Contractor is unable or unwilling to carry out a lawful instruction from the Client or if the Contractor refuses to comply with the Client's rights of control in breach of contract.
- A serious breach exists in particular if the Contractor does not or has not fulfilled the obligations specified in this Agreement, in particular the agreed technical and organizational measures, to a significant extent.
- In the event of insignificant violations, the Client shall set the Contractor a reasonable deadline for remedial action. If the remedy is not provided in good time, the client shall be entitled to extraordinary termination as described in this section.
- The Contractor shall reimburse the Client for all costs incurred by the Client due to the premature termination of the main contract or this agreement as a result of extraordinary termination by the Client.
14. Other
- Both parties are obliged to treat as confidential all knowledge of business secrets and data security measures of the other party obtained in the course of the contractual relationship, even after the termination of the main contract. If there is any doubt as to whether information is subject to the confidentiality obligation, it shall be treated as confidential until written release by the other party.
- If the Client's property is jeopardized by third-party measures (such as seizure or confiscation), insolvency or composition proceedings or other events, the Contractor must inform the Client immediately.
- Any ancillary agreements must be in writing and make express reference to this agreement.
- The defense of the right of retention within the meaning of § 273 BGB is excluded with regard to the data processed in the order and the associated data carriers.
- Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.