Status: 28.11.2020
between the service provider (hereinafter also called “client” or “customer”) and
top.legal GmbH
Trogerstr. 19a
81675 Munich
as processor (hereinafter called “contractor”),
together called the “parties”.
1.
The client commissions the contractor to provide the services specified in § 3. Part of the execution of the contract is the processing of personal data. In particular, Article 28 GDPR places certain requirements on such order processing. In order to meet these requirements, the parties conclude the following agreement, the fulfilment of which is not paid separately unless this is expressly agreed.
2.
In accordance with Article 4 (7) GDPR, the person responsible is the body that alone or jointly with other controllers decides on the purposes and means of processing personal data.
In accordance with Article 4 (8) GDPR, the processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the person responsible.
According to Article 4 (1) GDPR, personal data is all information relating to an identified or identifiable natural person (hereinafter “data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Personal data in particular need of protection are personal data in accordance with Article 9 GDPR, which reveal the racial and ethnic origin, political opinions, religious or ideological beliefs or trade union membership of data subjects, personal data in accordance with Article 10 GDPR on criminal convictions and criminal offences or related security measures, as well as genetic data in accordance with Article 4 (13) GDPR, biometric data in accordance with Article 4 (14) GDPR, health data in accordance with Article 4 (15) GDPR and data on the sex life or sexual orientation of a natural person.
According to Article 4 (2) GDPR, processing is any operation carried out with or without the aid of automated procedures, or any such series of operations, in connection with personal data, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or any other form of making available, alignment or combination, restriction, erasure or destruction.
According to Article 4 (21) GDPR, the supervisory authority is an independent public body set up by a Member State in accordance with Article 51 GDPR.
3.
The competent supervisory authority for the contractor is the Bavarian State Office for Data Protection Supervision (BayLDA), Promenade 18, 91522 Ansbach.
Upon request, the client and the contractor and, where applicable, their representatives shall cooperate with the supervisory authority in carrying out their duties.
By registering, the user expressly assures that he is not a consumer within the meaning of Section 13 of the German Civil Code. (A consumer is a natural person who concludes a legal transaction for purposes that can primarily be attributed neither to their commercial nor to their independent professional activity).
4.
This contract for order processing (hereinafter “order processing” or “AVV”) specifies the data protection rights and obligations of the parties for all processing operations, which result from the contracts already existing or to be concluded between the parties (hereinafter “main contract”), under which personal data is processed by the contractor for the client.
To specify the mutual data protection rights and obligations, the parties conclude the present agreement. In case of doubt, the provisions of this agreement take precedence over the provisions of the main contract.
5.
Processing is carried out for an unlimited period of time, unless otherwise agreed in the service descriptions and the respective contractual agreements. The notice periods stipulated in the respective contractual agreements remain unaffected.
6.
The contractor may only collect, process or use data within the framework of the main contract in the service description and in accordance with the instructions of the client; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If the contractor is required to carry out further processing under the law of the European Union or the Member States to which he is subject, he shall notify the client of these legal requirements before processing.
The client's instructions are initially defined by this contract and can then be amended, supplemented or replaced by the client in writing or in text form with individual instructions (individual instruction). Verbal instructions must be confirmed by the customer immediately in writing or in an electronic format offered by the contractor for this purpose.
The client is entitled to issue appropriate instructions at any time. This includes instructions with regard to the correction, deletion and blocking of data. The persons authorized to issue instructions are the managing directors, authorized signatories, or partners of the client.
If the client's instructions are not covered by the contractually agreed scope of services, these will be treated as a request for a change of service. In the event of proposed changes, the contractor shall inform the client of the effects on the agreed services, in particular the possibility of providing services, deadlines and remuneration. If it is not reasonable for the contractor to implement the instruction, the contractor is entitled to stop processing. In addition, the service descriptions and respective contractual agreements apply.
If the contractor is of the opinion that an instruction from the client violates data protection regulations, he must immediately notify the client of this. The contractor is entitled to suspend implementation of the relevant instruction until it is confirmed or amended by the client. The contractor may refuse to implement a manifestly illegal instruction.
7.
The type of personal data covered is all types of personal data that the contractor processes on behalf of the client. This also includes special categories of personal data.
With regard to the processing of personal data relating to criminal convictions and offences within the meaning of Article 10 GDPR, the client is obliged to ensure, on his own responsibility, that the applicable legal requirements are met.
As part of carrying out the service description, the contractor has access to the personal data specified in more detail in Appendix 1 “Description of processed personal data”.
This data includes the special categories of personal data listed in Appendix 1 “Description of processed personal data” and identified as such.
The group of people affected by data processing is shown in Appendix 2 “Description of data subjects/groups of data subjects”.
8.
The contractor is obliged to comply with the legal provisions on data protection and neither to pass on the information obtained from the client's area to third parties nor to expose it to their access. Documents and data must be secured against access by unauthorised persons, taking into account the state of the art.
Within his area of responsibility, the contractor will design the internal organization in such a way that it meets the special requirements of data protection. He takes all necessary technical and organizational measures to adequately protect the client's data in accordance with Article 32 GDPR, in particular at least the measures listed in Appendix 3 “Technical and Organizational Measures of the Contractor” for
a) physical access control (Zutrittskontrolle)
b) system access control (Zugangskontrolle)
c) data access control (Zugriffskontrolle)
d) transfer control
e) input control
f) order control
g) availability control
h) separation control
The contractor reserves the right to change the security measures taken, ensuring that the level of protection does not fall below the contractually agreed level.
The contractor has appointed as data protection officer:
PROLIANCE GmbH
www.datenschutzexperte.de
Leopoldstraße 21
80802 Munich
datenschutzbeauftragter@datenschutzexperte.de
When contacting the data protection officer, please name the company to which your request relates. Please refrain from including sensitive information, such as a copy of your ID, with your request.
Persons engaged in data processing by the contractor are prohibited from collecting, processing or using personal data without authorization. The contractor will oblige all persons who are entrusted by him with the processing and fulfilment of this contract (hereinafter referred to as employees) accordingly (obligation to confidentiality, Art. 28 para. 3 lit. b GDPR) and ensure compliance with this obligation with due care. These obligations must be drafted in such a way that they remain in force even after the termination of this contract or the employment relationship between the employee and the contractor. The obligations must be proven to the client in an appropriate manner upon request.
The client can view the currently applicable technical and organizational measures via the following website: https://www.top.legal/toms. The client informs himself about these technical and organizational measures before concluding the order processing agreement and then at regular intervals. The client is responsible for ensuring that the currently applicable, contractually agreed technical and organizational measures provide an appropriate level of protection for the risks of the data to be processed.
9.
In the event of disruptions, suspicion of data breaches or breaches of contractual obligations by the contractor, suspicion of security-related incidents or other irregularities in the processing of personal data by the contractor, persons employed by him within the scope of the contract or by third parties, the contractor will immediately inform the client in writing or text form. The same applies to inspections of the contractor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
a)
a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned and the categories and number of personal data records concerned;
b)
a description of the measures taken or proposed by the contractor to remedy the breach and, where appropriate, measures to mitigate its potential adverse effects.
The contractor immediately takes the necessary measures to secure the data and to reduce possible adverse consequences for those affected, informs the client of this and requests further instructions.
The contractor is also obliged to provide the client with information at any time insofar as his data is affected by an infringement in accordance with paragraph 1.
Should the client's data at the contractor be endangered as a result of attachment or seizure, insolvency or settlement proceedings, or by other events or measures taken by third parties, the contractor must immediately inform the client of this, unless he is prohibited from doing so by court or official order. In this context, the contractor will immediately inform all competent authorities that decision-making authority over the data lies exclusively with the client as the “controller” within the meaning of the GDPR.
The contractor must immediately inform the client of any significant changes to the safety measures in accordance with Section 6 Paragraph 2.
The client must be notified immediately of a change of the contact person for data protection.
The contractor and, where applicable, his representative keep a list of all categories of processing activities carried out on behalf of the client, which contains all information in accordance with Article 30 (2) GDPR. The directory must be made available to the client upon request.
The contractor must participate to an appropriate extent in the preparation of the list of procedures by the client. He must provide the client with the required information in an appropriate manner.
10.
Before starting data processing and then once a year, the client shall satisfy himself of the contractor's technical and organizational measures. For this purpose, he can, for example, obtain information from the contractor, have existing attestations, certifications or internal audit reports submitted, or have the contractor's technical and organizational measures personally checked by an expert third party after timely coordination during normal business hours, provided that this third party is not in a competitive relationship with the contractor. The client will only carry out checks to the extent necessary and will not disproportionately disrupt the contractor's operational processes.
At the client's oral or written request, the contractor undertakes to provide the client with all information and evidence necessary to carry out an inspection of the contractor's technical and organizational measures within a reasonable period of time.
The client documents the inspection results and communicates them to the contractor. In the event of errors or irregularities, which the client discovers, in particular when examining contract results, he must immediately inform the contractor. If, during the inspection, facts are identified whose future prevention requires changes to the ordered procedural sequence, the client shall immediately notify the contractor of the necessary procedural changes.
At the client's request, the contractor provides the client with a comprehensive and up-to-date data protection and security concept for order processing and on the persons with access rights.
The contractor shall notify the client of the employees' obligations under paragraph 6 of this agreement “Type of personal data and categories of data subjects” upon request.
11.
The contractor, and any person subordinate to him, may only process the personal data within the framework of the service description, the respective contractual agreements between the contractor and the client, and the client's instructions, unless there is an exceptional case within the meaning of Article 28 (3) sentence 2 lit. a GDPR. The contractor receives instructions from the client in writing and via the electronic formats offered by the contractor for this purpose. Verbal instructions must be confirmed by the client immediately in writing or in an electronic format offered by the contractor for this purpose.
The contractor shall immediately inform the client if he is of the opinion that an instruction violates applicable laws. The contractor may suspend implementation of the instruction until it has been confirmed or amended by the client.
If the client's instructions are not covered by the contractually agreed scope of services, these will be treated as a request for a change of service. In the event of proposed changes, the contractor shall inform the client of the effects on the agreed services, in particular the possibility of providing services, deadlines and remuneration. If it is not reasonable for the contractor to implement the instruction, the contractor is entitled to stop processing. In addition, the service descriptions and respective contractual agreements apply.
12.
The contractually agreed services, or the partial services described below, are carried out with the involvement of the subcontractors named in Appendix 4 “Approved subcontractors”.
As part of its contractual obligations, the contractor is authorized to establish further subcontracting relationships with subcontractors (“subcontractor relationship”). He shall immediately inform the client of this. The contractor is obliged to carefully select subcontractors based on their suitability and reliability. When involving subcontractors, the contractor must oblige them in accordance with the provisions of this agreement and ensure that the client can also exercise its rights under this agreement (in particular its audit and control rights) directly vis-à-vis the subcontractors. If subcontractors in a third country are to be involved, the contractor must ensure that an appropriate level of data protection is guaranteed by the respective subcontractor (e.g. by concluding an agreement based on the EU standard data protection clauses). On request, the contractor will prove to the client that the aforementioned agreements have been concluded with its subcontractors.
A subcontractor relationship within the meaning of these provisions does not exist if the contractor engages third parties with services that are to be regarded as purely ancillary services. This includes, for example, postal, transport and shipping services, cleaning services, telecommunications services without specific reference to services provided by the contractor for the client and security services. Maintenance and testing services represent subcontractor relationships subject to approval, insofar as they are provided for IT systems that are also used in connection with the provision of services for the client.
13.
Where possible, the contractor supports the client with appropriate technical and organizational measures in the fulfilment of his obligations under Articles 12—22 and 32 and 36 GDPR. The client is entitled to demand appropriate remuneration from the contractor for these services.
If a data subject asserts rights, such as the provision of information, correction or deletion with regard to his data, directly against the contractor, the latter does not react independently, but immediately refers the data subject to the client and awaits instructions.
14.
In the internal relationship with the contractor, the client is solely responsible to the person concerned for compensation for damage suffered by a person concerned due to data processing or use in the context of order processing that is inadmissible or incorrect under data protection laws.
The parties each release themselves from liability if a party proves that it is not responsible in any respect for the circumstances that caused the damage to a person concerned.
15.
After termination of the main contract, or at any time at the client's request, the contractor will return all documents, data and data carriers provided to him or, at the client's request, delete them, unless there is an obligation to store personal data under Union law or the law of the Federal Republic of Germany. This also applies to any data backups by the contractor. The contractor must provide documented proof of the proper deletion of any remaining data. Documents to be disposed of must be destroyed with a paper shredder in accordance with DIN 32757-1. Data carriers to be disposed of must be destroyed in accordance with DIN 66399.
The client has the right to check the complete and contractual return or deletion of the data by the contractor in an appropriate manner.
16.
The contractor has the right to anonymize the personal data covered by this agreement and to carry out the processing steps required for anonymization beforehand. While maintaining anonymity, the contractor can process and use all resulting data for its own purposes, such as the preparation of business or industry comparisons or other purposes involving economic or business information, statistical evaluations, benchmarking, product improvements, new product developments and other comparable purposes. This also includes anonymized transfer to users and third parties, in particular to associations, organizations or research institutions, as well as for publications.
17.
The parties agree that the objection of the right of retention by the contractor within the meaning of Section 273 of the German Civil Code with regard to the data to be processed and the associated data carriers is excluded.
Amendments and additions to this agreement must be made in writing. This also applies to the waiver of this formal requirement. The primacy of individual contractual agreements remains unaffected by this.
Should individual provisions of this agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions.
This agreement is subject to German law. The exclusive place of jurisdiction is Munich.
Appendix 1 “Description of processed personal data”
Personal master data: Title, surname, first name, address, title
Communication data: Phone, email
Profile data: Education, Professional Development, Professional
Contract master data: Contractual relationship, product or contract interest
Technical data: Login, product usage, purchased products, time data
Technical data: IP address, device, browser, location, MAC address, product version
Appendix 2 “Description of data subjects/groups of data subjects”
Client employees who use the software collaboratively with the client and whose data is recorded and managed in the software.
Clients and corporate customers of the client, who are recorded and managed by the client in the software.
Appendix 3 “Technical and Organizational Measures of the Contractor”
Our TOMs are available via the following link: https://www.top.legal/toms
Appendix 4 “Approved subcontractors”
The following companies are approved subcontractors as defined in paragraph 11 of this Agreement:
Amazon Web Services, Inc.
410 Terry Avenue North
Seattle WA 98109
United States
function: Operation and administration of the app.top.legal software, sending automated emails relating to the contractual relationship, storage of administration of personal data relating to the contractual relationship
HubSpot, Inc.
25 First Street, Cambridge, MA 02141
USA
function: CRM administration tool for users of the app.top.legal application
Google LLC
Unter den Linden 14
10117 Berlin
Germany
function: Saving files and sending emails as part of processing support requests
Functional Software Inc.
Sentry
132 Hawthorne Street
San Francisco, California 94107
USA
function: Processing of fault reports and support requests
Stripe, Inc.
510 Townsend Street
San Francisco, CA 94103
USA
function: Billing of projects within the framework of app.top.legal
Intercom, Inc.
55 2nd Street, 4th Fl.
San Francisco, CA 94105
USA
function: Real-time support service for top.legal software customers
Segment.io, Inc.
100 California Street Suite 700, San Francisco, CA 94111 USA
Mixpanel
92 Av. des Champs-Élysées, Paris, 75008
France
function: Evaluation of user behavior for top.legal software to improve existing functions and develop new functionalities. Personal data is cleaned up in the process.