The General Data Protection Regulation (GDPR), particularly Article 28, places certain requirements on processing of personal data carried out on behalf of a controller. To comply with these requirements, the Parties hereby enter into the following agreement.
In the course of the fulfilment of the contract between Lateral GmbH, Köthener Str. 38, 10963 Berlin (the "Processor") and the Controller (the "Controller", together with the Processor the "Parties") regarding the provision of the Processor's software to the Controller (the "Principal Agreement"), it may be necessary for the Processor to process personal data within the meaning of Art. 4 no. 1 GDPR. This Agreement specifies the data protection obligations and rights of the Parties in connection with the Processor's use of the Controller's data to render the services under the Principal Agreement.
Terms used in this Agreement which are defined in Articles 4, 9 and 10 GDPR shall have the same meaning as established by the relevant GDPR provision.
(1) On behalf of the Controller and based on the Principal Agreement, the Processor shall carry out services for the Controller:
In doing so, the Processor shall gain access to personal data and shall process said data exclusively on behalf of and according to the instructions given by the Controller, unless otherwise required by EU law or a legal provision of one of the Member States applicable to the Processor. The scope and purpose of the Processor’s data processing are as concluded in the Principal Agreement (and, if applicable, the corresponding service description), as well as described in Annex 1 to this Agreement. The Controller shall be the sole judge of the lawfulness of the processing under Article 6 (1) GDPR.
(2) The Parties have agreed to the following in order to specify their mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall supersede the provisions of the Principal Agreement.
(3) The provisions laid out in this Agreement shall apply to all activities performed in connection with the Principal Agreement by the Processor, its employees or agents in which they encounter personal data originating from, collected for or otherwise processed on behalf of the Controller.
(4) The duration of this Agreement shall be the same as the duration of the Principal Agreement, unless the following provisions stipulate further obligations or rights of termination.
(1) The Processor may only collect, use or otherwise process data within the scope of the Principal Agreement and according to the Controller’s instructions; this applies in particular to the transfer of personal data to a third country or to an international organisation. If the Processor is required to carry out further processing under EU law or the law of an EU Member State applicable to the Processor, the Processor shall notify the Controller of these legal requirements before any such processing takes place.
(2) The Controller’s instructions shall initially be determined by this Agreement; they may subsequently be changed, amended or replaced by individual instructions in written or documented electronic form (“Individual Instruction”). The Controller shall have the right to issue such instructions at any time. Instructions may in particular concern the rectification, erasure and blocking of data.
(3) Should the Processor suspect that an instruction given by the Controller infringes data protection requirements, the Processor shall notify the Controller accordingly without undue delay. The Processor is entitled to suspend execution of the instruction in question until the Controller confirms or changes it. The Processor is entitled to refuse execution of an evidently unlawful instruction.
(1) The Processor shall comply with legal data protection requirements and shall not transfer or make accessible to third parties information originating in the Controller’s sphere. Taking into account the state of the art, documents and data shall be appropriately secured against accessibility by unauthorised persons.
(2) Within its area of responsibility, the Processor shall organise its internal operations in a manner that meets the specific requirements of data protection. The Processor shall also ensure that it has implemented all necessary technical and organisational measures under Article 32 GDPR, in particular the measures specified in Annex 2. Insofar as the processing includes special categories of personal data, the Processor shall additionally implement the adequate and specific measures laid down in Section 22 (2) of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). Upon the Controller’s request, the Processor shall disclose how these measures are determined and implemented.
The Processor reserves the right to change the implemented security measures, provided that it ensures that these do not fall short of the contractually agreed upon level of protection.
(3) The Processor's Data Protection Officer is Bitkom Servicegesellschaft mbH, Albrechtstraße 10, 10117 Berlin.
(4) The persons employed by the Processor and tasked with data processing are prohibited from collecting, using or otherwise processing personal data without authorisation. The Processor shall ensure that all persons (hereafter referred to as “personnel”) tasked with processing and fulfilling this Agreement have committed themselves to confidentiality in accordance with Article 28 (3) lit. b GDPR. The Processor has a duty to instruct personnel about the special data protection obligations arising from this Agreement, as well as the applicable purpose limitation and the binding commitment to instructions. The Processor shall take due care to ensure compliance with the abovementioned obligations. The obligations shall be drafted so as to remain in force beyond the termination of this Agreement or of the employment relationship between the employee and the Processor. Upon the Controller’s request, the Processor shall provide adequate proof of these obligations.
(1) In case of disruptions, suspected data breaches, breaches of contractual obligations on the part of the Processor, suspected security incidents or other irregularities with regard to the processing of personal data by the Processor, by persons tasked within the framework of this Agreement or by third persons, the Processor shall inform the Controller accordingly in writing or in a documented electronic format without undue delay.
(2) The Processor shall take all necessary measures to secure the data and mitigate possible adverse effects on the data subject(s) without undue delay. The Processor shall also inform the Controller of these measures and request further instructions.
(3) Additionally, insofar as the Controller’s data is affected by an incident outlined in § 7 (1) of this Agreement, the Processor shall provide the Controller with details thereof at any time upon request.
(4) If necessary, the Processor shall, in an adequate manner, assist the Controller in ensuring compliance with the Controller’s obligations under Articles 33 and 34 GDPR (Article 28 (3) sent. 2 lit. f GDPR). The Processor shall only execute notifications under Articles 33 or 34 GDPR on behalf of the Controller upon the Controller’s prior instruction as outlined in § 5 of this Agreement.
(5) In case the Controller’s data is put at risk by seizure or confiscation at the Processor’s premises, by insolvency or composition proceedings, or by other events or measures taken by third parties, the Processor shall inform the Controller accordingly and without undue delay, unless prohibited from doing so by court or administrative order. In this context, the Processor shall, without undue delay, inform all competent entities that the Controller, as “Controller” under the GDPR, bears sole decision-making authority with regard to the data.
(6) In case of substantial changes to the security measures under § 6 (2) of this Agreement, the Processor shall notify the Controller accordingly, without undue delay.
(1) Prior to the start of the data processing, and then on a regular basis, the Controller shall satisfy itself of the technical and organisational measures taken by the Processor. To this end, it may, for example, obtain information from the Processor or require to see existing attestations by experts, certifications or internal audit reports. The Controller may, after timely coordination and during normal business hours, also inspect the Processor's technical and organisational measures in person or have them inspected by an expert third party, unless the latter is in a competitive relationship with the Processor. The Controller shall conduct such controls only to the extent necessary so as not to unduly disturb the Processor’s business operations.
(2) Upon the Controller’s verbal, written or electronic request, the Processor shall, in a timely manner, provide the Controller with all information and records necessary for controlling the Processor’s technical and organisational measures.
(3) The Controller shall document the result of the control and notify the Processor accordingly. In case of errors or irregularities detected by the Controller, particularly when reviewing the results of the processing, the Controller shall inform the Processor accordingly without undue delay. If the control reveals issues to be avoided in the future that require changes to the commissioned processing, the Controller shall, without undue delay, notify the Processor of the necessary changes.
(4) Upon request, the Processor shall provide the Controller with a comprehensive and up-to-date data protection and security concept for the data processing and regarding authorised persons for access.
(1) The contractually agreed-upon services, or the parts of the services described hereafter, will be executed by involving the subcontractors named in Annex 3. Within the scope of its contractual obligations, the Processor shall be entitled to establish further subcontracting relationships. The Processor shall, without undue delay, notify the Controller thereof. The Processor shall carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Processor shall ensure their commitment to confidentiality in line with the provisions of this Agreement and ensure that the Controller is able to exercise its rights under this Agreement (particularly the rights of audit and control) directly against the subcontractors. If subcontractors from a third country are involved, the Processor shall ensure that an adequate level of data protection is guaranteed by the subcontractor in question (for example, by concluding an agreement based on the EU standard data protection clauses). Upon request, the Processor shall demonstrate the conclusion of the aforementioned agreements with its subcontractors.
(2) When the Processor engages a third party for a purely ancillary service, this shall not constitute a subcontractor relationship within the meaning of these provisions. Such ancillary services include, but are not limited to, postal, transport and shipping services, cleaning services, security services, and telecommunications services without concrete reference to the services the Processor provides to the Controller. Maintenance and testing services constitute subcontractor relationships requiring approval insofar as they are provided for IT systems that are also used in connection with the Processor’s provision of services on behalf of the Controller.
(1) The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligations as established under Articles 12-22, 32, and 36 GDPR.
(2) If a data subject asserts their rights regarding their data directly against the Processor, the Processor shall not react independently. Rather, the Processor shall refer the data subject to the Controller without undue delay and await the Controller's instructions on how to proceed.
(1) The Controller and the Processor shall be liable to the data subjects in accordance with the provisions of Article 82 GDPR. The Processor shall coordinate with the Controller regarding any possible fulfilment of liability claims.
(2) A Party shall be exempt from liability if and insofar as it proves that it is in no way responsible for the event giving rise to the damage suffered by a data subject. In all other respects, Article 82 (5) GDPR shall apply.
(3) Unless otherwise stipulated above, the liability within the scope of this Agreement shall correspond to that of the Principal Agreement.
The Controller may terminate the Principal Agreement, in whole or in part, without notice if the Processor fails to fulfil its obligations under this Agreement, intentionally or through gross negligence violates the provisions of the GDPR or other applicable data protection provisions, is unable or unwilling to execute an instruction given by the Controller, or opposes the Controller’s rights of control in a manner contrary to the contractual terms. In particular, failure to comply with the obligations agreed in this Agreement and derived from Art. 28 GDPR constitutes a serious infringement.
(1) The Parties agree that the Processor’s right to assert retention under Section 273 of the German Civil Code (Bürgerliches Gesetzbuch, BGB) is excluded with regard to the data to be processed and the corresponding data carriers.
(2) To be valid, any changes and amendments to this Agreement must be made in writing or in a documented electronic format. This also applies to any change of this formal requirement. This shall not affect the precedence of individual contractual agreements.
(3) Should any provision of this Agreement be or become partially or entirely invalid or unenforceable, the remainder of this Agreement shall remain valid and in force.
(4) This agreement shall be governed by and construed in accordance with German Law.