Contract for the processing of data on behalf of Q.wiki Now! (V1.24)

1. General

(1) The Contractor processes personal data on behalf of the Client within the meaning of Article 4 No. 8 and Article 28 of Regulation (EU) 2016/679 - General Data Protection Regulation (DSGVO). This contract regulates the rights and obligations of the parties in connection with the processing of personal data.

(2) Insofar as the term "data processing" or "processing" (of data) is used in this Agreement, the definition of "processing" within the meaning of Art. 4 No. 2 DSGVO shall apply.

2. Subject of the contract

(1) The object of the processing, the nature and purpose of the processing, the categories of personal data and the categories of data subjects are specified in Annex 1 to this contract.

(2) The subject of this contract is not the Contractor's own (original) use or processing of personal data. However, access to personal data cannot be excluded in the course of the Contractor's performance of the services pursuant to Annex 1 to this contract.

3. Rights and obligations of the Customer

(1) The Client is the controller (responsible party) within the meaning of Article 4 No. 7 DSGVO for the data processing carried out on its behalf by the Contractor. In accordance with Art. 4 Para. 5, the Contractor is entitled to inform the Client if, in its opinion, legally impermissible data processing is the subject of the order and/or an instruction.

(2) As the controller, the Client is responsible for safeguarding the rights of the data subjects. The Contractor shall inform the Client without delay if data subjects assert their data subject rights against the Contractor.

(3) The customer has the right to issue additional instructions to the contractor at any time regarding the type, scope and procedure of data processing. Instructions can be given in text form (e.g. e-mail).

(4) Regulations concerning a possible remuneration of additional expenses incurred by the Contractor as a result of supplementary instructions from the Customer remain unaffected.

(5) The Customer shall inform the Contractor without delay if it discovers errors or irregularities in connection with the processing of personal data by the Contractor.

(6) In the event that there is an obligation to inform third parties in accordance with Art. 33, 34 DSGVO or any other legal obligation to notify applicable to the Customer, the Customer shall be responsible for compliance therewith.

4. General obligations of the Contractor

(1) The contractor processes personal data exclusively within the scope of the agreements made and/or in compliance with any supplementary instructions issued by the customer. Excluded from this are legal regulations which may oblige the contractor to process the data in another way. In such a case, the Contractor shall notify the Customer of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest. The purpose, type and scope of data processing shall otherwise be governed exclusively by this Agreement and/or the instructions of the Customer. The Contractor is prohibited from processing data in a manner deviating from this, unless the Customer has given its written consent.

(2) Personal data are processed both in computer centres within the European Union and in third countries. The data will only be transferred to countries outside the European Union if the special requirements of Art. 44-49 DSGVO are fulfilled. In such a case, the Contractor shall ensure admissibility under data protection law by taking appropriate measures.

(3) In the area of processing of personal data in accordance with the contract, the Contractor guarantees the contractual execution of all agreed measures.

(4) The Contractor is obliged to design his company and his operating procedures in such a way that the data which he processes on behalf of the Customer are secured to the extent necessary in each case and protected from unauthorised access by third parties. The Contractor shall agree with the Customer in advance any changes in the organisation of data processing on behalf of the Customer that are relevant to the security of the data.

(5) The Contractor shall inform the Customer immediately if, in his opinion, an instruction issued by the Customer violates statutory regulations. The contractor is entitled to suspend the execution of the instruction in question until it is confirmed or amended by the customer. If the Contractor is able to demonstrate that processing in accordance with the Client's instructions may lead to liability on the part of the Contractor pursuant to Art. 82 DSGVO, the Contractor shall be entitled to suspend further processing in this respect until clarification of the liability between the parties.

(6) The contractor shall process the data which he processes on behalf of the client separately from other data. A physical separation is not mandatory.

(7) The Contractor may designate to the Client the person(s) entitled to receive instructions from the Client. If persons authorized to receive instructions are to be named, they shall be named in Annex 1. In the event that the persons authorised to receive instructions change at the Contractor, the Contractor shall notify the Customer in text form.

5. Data protection officer of the Contractor

(1) The contractor confirms that he has appointed a data protection officer in accordance with Art. 37 DSGVO. The contractor shall ensure that the data protection officer has the necessary qualifications and expertise. The Contractor shall inform the Customer separately in text form of the name and contact details of its data protection officer.

(2) The obligation to appoint a data protection officer pursuant to paragraph 1 may be waived at the discretion of the Customer if the Contractor can prove that it is not legally obliged to appoint a data protection officer and the Contractor can prove that operational regulations exist which guarantee that personal data are processed in compliance with the statutory provisions, the provisions of this Agreement and any further instructions of the Customer.

6. Notification obligations of the Contractor

(1) The Contractor is obliged to notify the Client without delay of any violation of data protection regulations or of the contractual agreements made and/or the Client's instructions issued in the course of the processing of data by him or by other persons involved in the processing. The same applies to any violation of the protection of personal data which the Contractor processes on behalf of the Customer.

(2) Furthermore, the Contractor shall inform the Customer without delay if a supervisory authority pursuant to Art. 58 DSGVO takes action against the Contractor and this may also concern a control of the processing which the Contractor performs on behalf of the Customer.

(3) The Contractor is aware that the Customer may be subject to an obligation to notify in accordance with Articles 33, 34 DSGVO, which provides for notification to the supervisory authority within 72 hours of becoming aware of a breach. The Contractor will support the Customer in implementing the notification obligations. In particular, the Contractor shall notify the Customer of any unauthorized access to personal data processed on behalf of the Customer without delay, but at the latest within 48 hours of becoming aware of such access. The notification of the Contractor to the Customer must in particular contain the following information:

  • a description of the nature of the personal data protection breach, specifying, where possible, the categories and approximate number of persons concerned, the categories and approximate number of personal data sets concerned
  • a description of the measures taken or proposed by the contractor to remedy the breach of personal data protection and, where appropriate, measures to mitigate its possible adverse effects

7. Duties of cooperation of the Contractor

(1) The Contractor shall support the Client in its obligation to respond to applications to exercise the rights of the persons concerned in accordance with Articles 12-23 DSGVO. The provisions of section 11 of this Agreement shall apply.

(2) The contractor shall participate in the preparation of the lists of processing activities by the customer. He must provide the customer with the necessary information in a suitable manner.

(3) The Contractor shall support the Customer in complying with the obligations specified in Art. 32-36 DSGVO, taking into account the type of processing and the information available to him.

8. Powers of control

(1) The Customer shall have the right to monitor compliance with the statutory provisions on data protection and/or compliance with the contractual provisions agreed between the parties and/or compliance with the Customer's instructions by the Contractor at any time to the extent necessary.

(2) The Contractor is obliged to provide information to the Customer to the extent necessary to carry out the inspection within the meaning of paragraph 1.

(3) The Customer may demand an inspection of the data processed by the Contractor for the Customer and of the data processing systems and programs used.

(4) The customer may, after prior notification with a reasonable period of notice, carry out the inspection within the meaning of paragraph 1 at the premises of the contractor during normal business hours. In doing so, the customer shall ensure that the checks are only carried out to the extent necessary so that the checks do not disproportionately disturb the contractor's operations.

(5) In the event of measures taken by the supervisory authority vis-à-vis the Customer within the meaning of Article 58 DSGVO, in particular with regard to duties of information and control, the Contractor shall be obliged to provide the Customer with the necessary information and to enable the respective competent supervisory authority to carry out an on-site inspection. The Customer shall be informed by the Contractor of any corresponding planned measures.

9. Subcontracting relationships

(1) The Client shall grant the Contractor general permission to use further subcontractors within the meaning of Art. 28 DSGVO to perform his contractually agreed services. The Contractor shall list all subcontracting relationships already existing at the time of conclusion of the contract in Annex 2 to this Agreement. The Customer shall be informed in advance of any intended involvement or replacement of subcontractors. The Customer may object in writing or in text form to the establishment of further or replacement subcontracting relationships within a period of 2 (two) weeks after receipt of the information about the change. In the event of an objection, the Contractor may, at its own discretion, either provide the service without the intended change or - if the provision of the service is not possible without the intended change by the Contractor - terminate the services affected by the change vis-à-vis the Customer for good cause.

(2) The Contractor shall carefully select the subcontractor and check before the order is placed that the subcontractor is able to comply with the agreements made between the Client and the Contractor. In particular, the Contractor shall check in advance and regularly during the term of the contract that the subcontractor has taken the technical and organisational measures required under Art. 32 DSGVO to protect personal data. The result of the check must be documented by the contractor and sent to the client on request.

(3) The Contractor shall be obliged to obtain confirmation from the subcontractor that the latter has appointed an in-house data protection officer in accordance with Art. 37 DSGVO. In the event that no data protection officer has been appointed by the subcontractor, the Contractor shall draw the attention of the Customer to this fact and provide information on this from which it follows that the subcontractor is not legally obliged to appoint a data protection officer.

(4) The Contractor shall ensure that the provisions agreed in this Agreement and any supplementary instructions of the Customer shall also apply vis-à-vis the subcontractor.

(5) The Contractor shall conclude a contract with the sub-contractor which meets the requirements of Art. 28 DSGVO. In addition, the contractor shall impose the same obligations on the subcontractor with regard to the protection of personal data as those laid down between the principal and the contractor. A copy of the processing contract shall be sent to the principal upon request.

(6) In particular, the Contractor shall be obliged to ensure by contractual provisions that the control powers (Section 8 of this Agreement) of the Customer and supervisory authorities also apply vis-à-vis the subcontractor and that corresponding control rights are agreed by the Customer and supervisory authorities. In addition, it shall be contractually regulated that the subcontractor must tolerate these control measures and any on-site inspections.

(7) Subcontracting relationships within the meaning of paragraphs 1 to 6 shall not include services which the contractor obtains from third parties as a purely incidental service in order to carry out the business activity. These include, for example, cleaning services, pure telecommunications services without any specific reference to services which the contractor provides for the customer, postal and courier services, transport services, security services. The contractor is nevertheless obliged to ensure, also in the case of ancillary services provided by third parties, that appropriate precautions and technical and organisational measures have been taken to guarantee the protection of personal data. The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship and order processing within the meaning of Art. 28 DSGVO requiring approval if the maintenance and testing relates to such IT systems that are also used in connection with the provision of services for the Customer and personal data processed on behalf of the Customer can be accessed during maintenance.

10. Confidentiality obligation

(1) When processing data for the Client, the Contractor shall be obliged to maintain the confidentiality of data which it receives or becomes aware of in connection with the order. The Contractor undertakes to observe the same rules of secrecy protection as those incumbent on the Client. The Customer shall be obliged to inform the Contractor of any special secrecy protection rules.

(2) The Contractor warrants that he is aware of the applicable data protection regulations and is familiar with their application. The Contractor further warrants that he has familiarized his employees with the data protection regulations applicable to them and has obligated them to maintain confidentiality. The Contractor further warrants that he has in particular obligated his employees to confidentiality and has informed them of the Customer's instructions.

(3) The obligation of the employees according to paragraph 2 must be proven to the customer on request.

11. Protection of the rights of the persons concerned

(1) The Client shall be solely responsible for safeguarding the rights of the persons concerned. The Contractor is obliged to support the Client in its obligation to process applications from affected persons in accordance with Art. 12-23 DSGVO. In particular, the Contractor shall ensure that the information required in this respect is provided to the Client without delay, so that the Client can fulfil its obligations under Art. 12 para. 3 DSGVO.

(2) Insofar as the cooperation of the Contractor is necessary for the protection of the rights of the persons concerned - in particular with regard to information, correction, blocking or deletion - by the Customer, the Contractor shall take the respectively necessary measures in accordance with the instructions of the Customer. The Contractor shall, if possible, support the Customer with suitable technical and organizational measures in order to comply with its obligation to respond to requests for the exercise of rights of data subjects.

(3) This shall be without prejudice to any provisions on the remuneration of additional expenses incurred by the Contractor as a result of cooperation services in connection with the assertion of rights of affected persons vis-à-vis the Customer.

12. Secrecy obligations

(1) Both parties undertake to treat all information received in connection with the execution of this contract as confidential for an unlimited period of time and to use it only for the execution of the contract. Neither party shall be entitled to use this information in whole or in part for purposes other than those just mentioned or to make this information available to third parties.

(2) The above obligation shall not apply to information which one of the parties has demonstrably received from third parties without being obliged to maintain secrecy or which is publicly known.

13. Remuneration

The remuneration of the contractor is agreed separately.

14. Technical and organizational measures for data security

(1) The Contractor undertakes vis-à-vis the Customer to comply with the technical and organisational measures required to comply with the applicable data protection regulations. This includes in particular the requirements of Art. 32 DSGVO.

(2) The status of the technical and organisational measures existing at the time of conclusion of the contract is attached as Annex 3 to this contract. The parties agree that changes to the technical and organisational measures may be necessary to adapt to technical and legal conditions. The Contractor shall agree with the Customer in advance on any significant changes that may affect the integrity, confidentiality or availability of the personal data. Measures that involve only minor technical or organizational changes and do not negatively affect the integrity, confidentiality and availability of the personal data can be implemented by the Contractor without coordination with the Customer. The Customer can request an up-to-date version of the technical and organizational measures taken by the Contractor at any time.

(3) The Contractor shall check the technical and organisational measures taken by him regularly and also on an ad hoc basis for their effectiveness. In the event that there is a need for optimisation and/or modification, the Contractor shall inform the Customer.

15. Duration of the order

(1) The contract begins with the conclusion of the Q.wiki main contract and is concluded for an indefinite period.

(2) The Contract ends automatically with the termination of the Q.wiki Main Contract.

(3) The contract can be changed with a notice period of 14 days. Any changes are communicated in advance at least in text form.

(4) The Client may terminate the contract at any time without notice if there is a serious breach by the Contractor of the applicable data protection regulations or obligations under this contract, if the Contractor cannot or does not wish to carry out an instruction from the Client or if the Contractor refuses access to the Client or the competent supervisory authority in breach of the contract.

16. Termination

(1) After termination of the contract, the Contractor shall return to the Client or delete all documents, data and any processing or usage results that have come into its possession and are connected with the contractual relationship, as well as any copies that may have been made, at the Client's discretion. The deletion shall be documented in a suitable manner. Any statutory retention obligations or other obligations to store the data shall remain unaffected. In the case of data carriers, these must be destroyed in the event of deletion requested by the Client, whereby at least security level 3 of DIN 66399 must be complied with; the Client must provide evidence of the destruction with reference to the security level in accordance with DIN 66399.

(2) The Customer has the right to check that the data are returned to the Contractor in full and in accordance with the contract and that they are deleted. This can also be done by inspecting the data processing equipment at the contractor's premises. The on-site inspection shall be announced by the Customer with a reasonable period of notice.

17. Right of retention

The parties agree that the defence of the right of retention by the contractor within the meaning of § 273 BGB (German Civil Code) with regard to the processed data and the associated data carriers is excluded.

18. Final provisions

(1) If the property of the Customer held by the Contractor is endangered by measures of third parties (such as seizure or confiscation), by insolvency proceedings or by other events, the Contractor shall inform the Customer immediately. The Contractor shall inform the creditors without delay of the fact that the data in question are processed on behalf of the Customer under this contract.

(2) Ancillary agreements must be made in writing.

(3) Should individual parts of this contract be invalid, this shall not affect the validity of the remaining provisions of the contract.


Annex 1: Subject of the order

1. Object and purpose of the processing

The customer's order to the contractor includes the following work and/or services:

The purpose of the data processing is the provision and maintenance of an internal company wiki (interactive management system software Q.wiki) on a server hosted by a third-party provider (see Annex 2, Subcontractors) as well as the provision of support and consulting services for the Customer.

2. Type(s) of personal data

The personal data processed under the order comprise all data that the Customer processes within the interactive management system software Q.wiki. Typically these are personal master data, communication data, and usage and content data.

3. Categories of persons concerned

The group of persons affected by the data processing depends on the group of persons to whom the Customer provides access to the interactive management system software Q.wiki. These can be in particular employees and customers of the Customer as well as other third parties (technical service providers/interested parties).

4. Persons of the Client authorized to give instructions

Authorized to give instructions in the sense of this agreement are all persons who can represent the client as a legal entity. In the case of corporations these are usually the board of directors or the management as well as authorized signatories and in the case of partnerships the partners.

5. Persons of the Contractor entitled to receive instructions

Dr. Carsten Behrens, Managing Director


Annex 2: Subcontractor

For the processing of data on behalf of the Principal, the Contractor uses the services of third parties who process data on his behalf ("subcontractors").

These are the following companies (company and address, followed by a description of the service):

  • Freshworks Inc., 2950 S. Delaware Street, San Mateo, CA 94403, USA
    Ticketing and knowledge database used for customer support

  • Google EMEA Limited, 70 Sir John Rogerson's Quay, Dublin 2, Ireland
    Infrastructure as a Service (IaaS). Used regions: Germany, Frankfurt (europe-west3); Belgium (europe-west1)

  • Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
    Usage of Google Analytics for optimization of Q.wiki

  • Mailgun Technologies Inc., 112 E. Pecan Street, San Antonio, TX 78205, USA
    Q.wiki mailing (e.g. tasks, password reset)

  • Relaix Networks GmbH, Kackertstraße 10, 52072 Aachen
    Colocation and data center

  • Userlane GmbH, Rosenheimer Straße 143c, 81671 München
    Digital assistant for software-supported user training

  • Hotjar Limited, Dragonara Business Centre, 5th Floor, Dragonara Road, Paceville St. Julian's STJ 3141, Malta
    Analysis and optimization of user behavior in Q.wiki through traffic analysis and user feedback

  • Productboard Inc. (from 15.1.2024), 333 Bush Street, San Francisco, CA 94104, USA
    Management and processing of customer feedback

  • 360 Learning SA (from 15.1.2024), 37 Rue des Mathurins, Paris, France
    Management and implementation of user training


Annex 3: Technical and organisational measures of the contractor

1. Confidentiality

Access control (building)

  • Chip card/transponder locking system controlled by the lessor
  • Video surveillance of parking spaces and building entrances
  • Key issuance is regulated by the landlord
  • Careful selection of cleaning personnel (service provider is external cleaning company)
  • Careful selection of security personnel (service provider is the landlord)

Access control (hardware)

  • Chip card/transponder locking system controlled by the lessor
  • Video surveillance of parking spaces and building entrances
  • Key issuance is regulated by the landlord
  • Careful selection of cleaning personnel (service provider is external cleaning company)
  • Careful selection of security personnel (service provider is the landlord)

Access control (software)

  • Implementation of a regularly audited authorization concept
  • Administration of rights by system administrators/employee operations
  • Number of administrators reduced to the "bare minimum"
  • Password policy including password length, password change
  • Logging of accesses to applications, in particular during the input, modification and deletion of data
  • Internal physical deletion of data carriers before reuse or discarding by means of common software
  • Proper internal destruction of data carriers (DIN 66399)
  • Logging of the destruction (process inventory)

Separation

  • Logical client separation (on the software side)
  • Strict separation of production and test system

Pseudonymisation & Encryption

  • Encrypted access to the Q.wiki via HTTPS
  • Pseudonymisation not required due to system requirements

2. Integrity

Input control

  • Logging of the input, modification and deletion of data
  • Traceability of input, modification and deletion of data through individual user names (not user groups)
  • Retention of forms from which data have been transferred to automated processing
  • Allocation of rights to enter, change and delete data on the basis of an authorisation concept

Passing on control

  • Installation of dedicated lines or VPN tunnels
  • As part of the cancellation and backup process, the customer's Q.wiki instance is permanently deleted together with the customer data within 4 months
  • The deactivation is logged via a service ticket; the subsequent backup and deletion process is automated and traceable

3. Availability and resilience

Availability and resilience are guaranteed by the service providers operating the data centres:

  • Daily backups, which are kept for 14 days
  • Weekly backups, which are kept for 3 months
  • Storage of backups at different locations and service providers
  • A defined and tested recovery process ensures that in case of an emergency the availability is restored in a timely manner

4. Procedures for periodic review, assessment and evaluation

  • The company management has formulated guidelines on data protection and information security and communicated them to all employees
  • The employees are demonstrably trained by the data protection officer with regard to data protection and information security when they are hired and regularly thereafter
  • In the course of the training, the obligations of data confidentiality are renewed
  • The implementation of data protection is regulated by the guidelines and by process instructions. In the event of data protection violations, employees are required to inform the data protection officer. If necessary, the data protection officer will take the necessary steps
  • There is a data protection management system (DSMS) in the sense of an integrated management system. There is therefore a directory of processes in which personal data is processed
  • Since customer data is only entered into the Q.wiki by the customer, Art. 25 DSGVO is not relevant in this context
  • There is a regular data protection risk assessment of the Q.wiki. If necessary, measures are taken to minimise the risk