Contract on the processing of personal data on behalf of the client

pursuant to Art. 28 General Data Protection Regulation

between the client and

INGENIOUS TECHNOLOGIES AG
Französische Str. 48
10117 Berlin
Germany

- hereinafter referred to as the processor -

1. Subject matter of the contract

(1) As part of the use of Ingenious technology, it is necessary for the processor to store and process data collected by the client in the course of using Ingenious technology. It cannot be ruled out that this data is personal data within the meaning of Art. 4 No. 1 GDPR. This Data Processing Agreement applies exclusively to this data (hereinafter referred to as "Client Data").

(2) This contract specifies the rights and obligations of the parties under data protection law in connection with the processor's handling of the client data in fulfillment of the main contract.

 

2. Type, scope, purpose and duration of the order processing

(1) The Processor shall process the Client Data on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 GDPR (commissioned processing). The Client shall remain the controller within the meaning of data protection law pursuant to Art. 4 No. 7 GDPR.

(2) The processing of the Client Data within the scope of commissioned data processing shall be carried out in accordance with the provisions on the type, scope and purpose of data processing contained in Annex 1 to this Agreement. It relates to the type of client data specified in Annex 1, the purpose of the data processing and the group of data subjects specified therein.

(3) The processing of the client data shall take place in the territory of the Federal Republic of Germany, in another member state of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.

(4) The term and termination of this contract are governed by the provisions on the term and termination of the main contract. Termination of the main contract shall automatically result in termination of this contract. Isolated termination of this contract is excluded.

 

3. Authority of the client to issue instructions

(1) The processor shall handle the client data exclusively within the framework of the agreements made and in accordance with the documented instructions of the client pursuant to Art. 28 para. 3 sentence 2 lit. a GDPR, unless the processor is obliged to process the data under Union law or the law of the Member States to which it is subject. In such a case, the processor shall notify the controller of these legal requirements prior to processing, unless the law in question prohibits such notification on grounds of important public interest.

(2) The client reserves the right to issue comprehensive instructions regarding the type, scope, means and purposes of data processing within the scope of the order description set out in this agreement, which it may specify in individual instructions. If the client issues individual instructions regarding the handling of client data that go beyond the contractually agreed scope of services, the resulting costs shall be borne by the client.

(3) Changes to the object of processing and procedural changes must be jointly agreed and documented. The Processor may only provide information to third parties or the data subject with the prior written consent of the Client. The Processor shall not be entitled to disclose the Client Data to third parties and shall not use the data for any other purposes, in particular not for its own purposes.

(4) The Processor is under no obligation to review the Client's instructions in terms of (data protection) law. The Processor shall inform the Controller immediately in accordance with Art. 28 para. 3 sentence 3 GDPR if, in its opinion, an instruction issued by the Controller violates statutory provisions. The Processor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the person responsible at the Client.

 

4. Obligations of the client

(1) The client is solely responsible for the lawfulness of the data processing by the processor and for safeguarding the rights of the data subjects and is therefore the "controller" within the meaning of Art. 4 No. 7 GDPR.

(2) The client is the owner of all possible rights relating to the client data.

(3) The Client shall inform the Processor immediately if it discovers errors or irregularities in connection with the processing of Client Data by the Processor.

(4) Should third parties assert claims against the Processor due to the processing of Client Data, the Client shall indemnify the Processor against all such claims upon first request.

 

5. Obligations of the processor

(1) The Processor shall ensure and regularly monitor that the processing of the Client Data within the scope of the provision of services under the Main Agreement in its area of responsibility, which includes the subcontractors pursuant to Section 9 of this Agreement, is carried out in accordance with the provisions of this Agreement.

(2) Walter Meng, Ingenious Technologies AG, Französische Strasse 48, 10117 Berlin, Germany, has been appointed as the data protection officer of the processor. The Client must be informed immediately of any change of data protection officer.

(3) Pursuant to Art. 28 para. 3 sentence 2 lit. b GDPR, the processor must oblige all persons who may access personal data of the client in accordance with the order to maintain data secrecy in writing and inform them of the special data protection obligations arising from this order and of the existing instruction or purpose limitation.

(4) The Processor may not make any copies or duplicates of the Client Data without the prior consent of the Client within the scope of the commissioned processing. However, this does not apply to copies that are necessary to ensure proper data processing and the proper provision of services in accordance with the main contract (including data backup), as well as copies that are necessary to comply with statutory retention obligations.

(5) The processor shall be obliged to support the controller in the fulfillment of its obligations under Articles 12 to 22 and 32 to 36 GDPR to the extent reasonable and necessary and against reimbursement of the expenses and costs incurred thereby. The support shall be provided taking into account the nature of the processing and the information available to the processor and, as far as possible, appropriate technical and organizational measures, in particular in responding to requests to exercise the rights of the data subject referred to in Articles 12 to 22 GDPR.

(6) The Processor is obliged to provide the Client with all necessary information, including certifications as well as review and inspection results, which serve as proof of compliance with the obligations set out in this Agreement.

 

6. Technical and organizational measures

(1) The Processor shall implement the technical and organizational measures listed in Annex 2 of this Agreement prior to the commencement of the processing of the Client Data and maintain them during the term of the Agreement.

(2) Since the technical and organizational measures are subject to technical progress and technological development, the Processor is permitted to implement alternative and adequate measures, provided that the security level of the measures set out in Annex 2 is not undercut. The Processor shall document such changes. Significant changes to the measures shall require the prior consent of the Client and shall be documented by the Processor and made available to the Client upon request.

 

7. Notification of breaches by the processor

(1) The Processor shall inform the Client promptly if it discovers that it or an employee has violated data protection regulations or provisions of this Agreement when processing Client data, provided that there is a risk of a breach of the protection of the Client's personal data within the meaning of Art. 4 No. 12 GDPR.

(2) Insofar as the Client is subject to statutory information obligations due to the unlawful acquisition of Client data (in particular pursuant to Art. 33 and 34 GDPR) as a result of an incident pursuant to paragraph (1), the Processor shall support the Client in fulfilling the information obligations at the Client's request within the scope of what is reasonable and necessary against reimbursement of the expenses and costs incurred by the Processor as a result.

 

8. Control rights of the client

(1) The Client shall satisfy itself at its own expense of the technical and organizational measures of the Processor in accordance with Annex 2 before commencing data processing and then regularly thereafter and document the result. For this purpose, it may obtain information from the Processor itself, obtain a certificate from an expert or, after making an appointment in good time, satisfy itself in person, without disrupting operations and while maintaining strict confidentiality of the Processor's trade and business secrets. The Processor undertakes to support the Client's inspections in an appropriate manner and to tolerate all necessary inspection measures.

(2) The Processor undertakes to provide the Client, upon written request and within a reasonable period of time, with all information required to carry out an inspection.

(3) The Processor shall be entitled, at its own discretion, taking into account the Client's legal obligations, not to disclose information that is sensitive with regard to the Processor's business or if the Processor would be in breach of statutory or other contractual provisions by disclosing it. The Client shall not be entitled to obtain access to data or information about other clients of the Processor, to information regarding costs, to quality audit and contract management reports and to any other confidential data of the Processor that is not directly relevant to the agreed control purposes.

(4) The Client shall inform the Processor in good time (generally at least two weeks in advance) of all circumstances related to the performance of the inspection. As a rule, the Client may carry out one inspection per calendar year. This does not affect the right of the Client to carry out further inspections in the event of special incidents.

(5) If the Client commissions a third party to carry out the inspection, the Client shall obligate the third party in writing in the same way as the Client is obligated to the Processor under this Section 10 of this Agreement. In addition, the Client shall bind the third party to secrecy and confidentiality, unless the third party is subject to a professional obligation of confidentiality. At the request of the Processor, the Client shall immediately submit the obligation agreements with the third party to the Processor. The Client may not commission a competitor of the Processor with the inspection.

(6) At the processor's discretion, proof of compliance with the technical and organizational measures in accordance with Annex 2 may also be provided instead of an on-site inspection by submitting a suitable, current certificate, reports or report extracts from independent bodies (e.g. auditors, data protection officers, IT security department, data protection auditors or quality auditors) or a suitable certification by means of an IT security or data protection audit - e.g. in accordance with BSI basic protection - ("audit report"), if the audit report reasonably enables the Client to satisfy itself of compliance with the technical and organizational measures in accordance with Annex 2 to this Agreement.

 

9. Subcontracting relationships

(1) The Processor may only establish subcontracting relationships with regard to the processing of Client Data with the prior written consent of the Client. Such prior consent may only be refused by the Client for good cause to be proven to the Processor. Upon request, the Processor shall provide the Client with an up-to-date overview of the sub-processors engaged. In the event of written consent, the Processor shall always inform the Client of any intended change with regard to the involvement or replacement of other processors.

(2) The sub-processors named in Annex 3 shall be deemed to have already been approved by the Client.

(3) Where a sub-processor is engaged, the processor shall impose on the sub-processor, by means of a contract or other legal instrument under Union law or the law of the Member State concerned, the same data protection obligations as those laid down in this contract. If a sub-processor does not fulfill the obligations laid down in this contract or violates data protection regulations, the processor shall be liable to the client for compliance with the obligations of the sub-processor.

(4) Services that the Processor uses from third parties as an ancillary service to support the execution of the order are not to be understood as subcontracting relationships within the meaning of this provision and therefore do not require the consent of the Client. These include, in particular, telecommunications services, security services, maintenance and user services, cleaning staff, auditors and the disposal of data carriers. However, the processor is obliged to make appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the client's data, even in the case of outsourced ancillary services.

 

10. Rights of the data subjects

(1) The rights of the persons affected by the data processing shall be asserted against the client.

(2) If a data subject should contact the Processor directly to exercise their rights under Articles 12 to 22 GDPR in relation to the data concerning them, the Processor shall refer the data subject to the Controller.

(3) In the event that a data subject asserts their rights pursuant to Art. 12 to 22 GDPR, the Processor shall support the Controller in fulfilling these claims to an extent that is reasonable and necessary for the Controller, unless the Controller can fulfill the claims without the cooperation of the Processor. The Client shall reimburse the Processor for any additional expenses.

(4) The Processor shall enable the Client to correct, delete or block Client Data or, at the request of the Client, carry out the correction, blocking or deletion itself if and to the extent that this is impossible for the Client itself.

 

11. Return and deletion of client data provided

(1) The Processor shall, at the Client's discretion, return or delete all Client data after the end of the contractual service provision (in particular in the event of termination or other ending of the main contract) and destroy existing copies, unless there is a legal obligation to store the data.

(2) The Processor shall prepare a record of the deletion or destruction of Client Data, which shall be submitted to the Client upon request.

(3) Documentation that serves as proof of proper data processing in accordance with the order or statutory retention periods shall be retained by the processor beyond the end of the contract in accordance with the respective retention periods.

 

12. Relationship to the main contract

Insofar as no special provisions are contained in this contract, the provisions of the main contract shall apply. In the event of contradictions between this contract and provisions from other agreements, in particular from the main contract, the provisions from this contract shall take precedence insofar as the processing of client data is concerned.