1.1 The contractor processes personal data on behalf of the client within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 — General Data Protection Regulation (GDPR). This contract regulates the rights and obligations of the parties in connection with the processing of personal data.
1.2 If the term “data processing” or “processing” (of data) is used in this contract, the definition of “processing” within the meaning of Art. 4 No. 2 GDPR is used as a basis.
2.1 The subject matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are set out in Appendix 1 to this contract.
2.2 The subject of the contract is not the original use or processing of personal data by the contractor. However, access to personal data cannot be ruled out as part of the contractor's provision of services in accordance with Appendix 1 to this contract.
3.1 The client is responsible within the meaning of Art. 4 No. 7 GDPR for the processing of data on behalf of the contractor. According to Section 4 (5), the contractor has the right to inform the client if, in his opinion, legally inadmissible data processing is the subject of the order and/or an instruction.
3.2 As the person responsible, the client is responsible for upholding the rights of data subjects. The contractor will immediately inform the client if data subjects assert their data subject rights against the contractor.
3.3 The client has the right to issue additional instructions to the contractor on the type, scope and procedure of data processing at any time. Instructions can be made in text form (e.g. e-mail).
3.4 Rules on any remuneration of additional expenses arising from supplementary instructions from the client to the contractor remain unaffected.
3.5 The client shall immediately inform the contractor if it discovers errors or irregularities in connection with the processing of personal data by the contractor.
3.6 In the event that there is an obligation to provide information to third parties in accordance with Articles 33, 34 GDPR or any other legal reporting obligation applicable to the client, the client is responsible for compliance with this obligation.
4.1 The contractor processes personal data exclusively within the framework of the agreements made and/or in compliance with any additional instructions given by the client. This does not apply to legal regulations which may oblige the contractor to process otherwise. In such a case, the contractor shall inform the client of these legal requirements before processing, unless the relevant law prohibits such notification due to an important public interest. The purpose, nature and scope of data processing are otherwise governed exclusively by this contract and/or the instructions of the client. The contractor is prohibited from processing data in any other way, unless the client has agreed to this in writing.
4.2 Personal data is processed both in data centers within the European Union and in third countries. Data will only be transferred to countries outside the European Union if the special requirements of Articles 44 to 49 GDPR are met. In such a case, the contractor ensures data protection admissibility by taking appropriate measures.
4.3 In the area of processing personal data in accordance with the order, the contractor guarantees the contractual implementation of all agreed measures.
4.4 The contractor is obliged to design its company and operating processes in such a way that the data that it processes on behalf of the client is secured to the extent necessary and protected against unauthorised access by third parties. The contractor will coordinate with the client in advance any changes in the organization of the commissioned data processing that are significant for the security of the data.
4.5 The contractor will immediately inform the client if, in its opinion, an instruction issued by the client violates legal regulations. The contractor is entitled to suspend execution of the relevant instruction until it is confirmed or amended by the client. If the contractor can demonstrate that processing in accordance with the client's instructions may result in liability on the part of the contractor in accordance with Article 82 GDPR, the contractor is free to suspend further processing in this respect until liability between the parties has been clarified.
4.6 The contractor will process the data that it processes on behalf of the client separately from other data. Physical separation is not absolutely necessary.
4.7 The contractor may name to the client the person(s) who are entitled to receive instructions from the client. If persons authorized to receive instructions are to be named, they are named in Appendix 1. In the event that the contractor's persons authorized to receive instructions change, the contractor will inform the client of this in writing.
5.1 The contractor confirms that he has appointed a data protection officer in accordance with Article 37 GDPR. The contractor shall ensure that the data protection officer has the necessary qualifications and expertise. The contractor will provide the client with the name and contact details of its data protection officer separately in text form.
5.2 The obligation to appoint a data protection officer in accordance with paragraph 1 may be waived at the client's discretion if the contractor can prove that he is not legally obliged to appoint a data protection officer and the contractor can prove that there are operational regulations which ensure the processing of personal data in compliance with the legal provisions, the provisions of this contract and any further instructions from the client.
6.1 The contractor is obliged to immediately notify the client of any violation of data protection regulations, of the contractual agreements made and/or of the instructions given by the client that occurs in the course of the processing of data by the contractor or by other persons involved in the processing. The same applies to any breach of the protection of personal data that the contractor processes on behalf of the client.
6.2 Furthermore, the contractor will immediately inform the client if a supervisory authority acts vis-à-vis the contractor in accordance with Article 58 GDPR and this may also include monitoring of the processing carried out by the contractor on behalf of the client.
6.3 The contractor is aware that the client may be subject to a reporting obligation under Articles 33, 34 GDPR, which provides for a notification to the supervisory authority within 72 hours of becoming aware. The contractor will support the client in implementing the reporting requirements. In particular, the contractor will notify the client of any unauthorised access to personal data processed on behalf of the client immediately, but at the latest within 48 hours of becoming aware of the access. The contractor's report to the client must include in particular the following information:
7.1 The contractor supports the client in its obligation to answer requests for the exercise of data subject rights in accordance with Articles 12-23 GDPR. The provisions of Section 11 of this contract apply.
7.2 The contractor is involved in the preparation of records of processing activities by the client. He must provide the client with the required information in an appropriate manner.
7.3 The contractor supports the client in complying with the obligations set out in Articles 32-36 GDPR, taking into account the type of processing and the information available to it.
8.1 The client has the right to check compliance with legal regulations on data protection and/or compliance with the contractual regulations made between the parties and/or compliance with the client's instructions by the contractor at any time to the extent necessary.
8.2 The contractor is obliged to provide the client with information insofar as this is necessary to carry out the inspection within the meaning of paragraph 1.
8.3 The client may request access to the data processed by the contractor for the client and to the data processing systems and programs used.
8.4 After prior notification, the client may, within a reasonable period of time, carry out the inspection within the meaning of paragraph 1 at the contractor's premises during normal business hours. The client will ensure that the checks are carried out only to the extent necessary so as not to disproportionately disrupt the contractor's operations as a result of the checks.
8.5 In the event of measures taken by the supervisory authority vis-à-vis the client within the meaning of Article 58 GDPR, in particular with regard to information and control obligations, the contractor is obliged to provide the client with the necessary information and to enable the respective competent supervisory authority to carry out an on-site inspection. The contractor must inform the client of any such planned measures.
9.1 The client gives the contractor general permission to use further subcontractors within the meaning of Art. 28 GDPR to perform its contractually agreed services. The contractor will specify all subcontracting relationships that already existed at the time of conclusion of the contract in Appendix 2 to this contract. The client must be informed in advance of any intended addition or replacement of subcontractors.
The client may object in writing or in text form to the addition or replacement of subcontractors within a period of 2 (two) weeks after receipt of information about the change. In the event of an objection, the contractor may, at its own discretion, provide the service without the intended change or, if the provision of the service is not possible without the intended change, terminate the services affected by the change vis-à-vis the client for good cause.
9.2 The contractor must carefully select the subcontractor and check before commissioning that the subcontractor is able to comply with the agreements made between client and contractor. In particular, the contractor must check in advance and regularly during the term of the contract that the subcontractor has taken the technical and organizational measures required in accordance with Article 32 GDPR to protect personal data. The results of the inspection must be documented by the contractor and transmitted to the client upon request.
9.3 The contractor is obliged to have the subcontractor confirm that the subcontractor has appointed a company data protection officer in accordance with Article 37 GDPR. In the event that no data protection officer has been appointed by the subcontractor, the contractor must inform the client of this and provide information that shows that the subcontractor is not legally obliged to appoint a data protection officer.
9.4 The contractor must ensure that the regulations agreed in this contract and any additional instructions from the client also apply to the subcontractor.
9.5 The contractor must conclude an order processing contract with the subcontractor that meets the requirements of Article 28 GDPR. In addition, the contractor must impose on the subcontractor the same personal data protection obligations as defined between client and contractor. A copy of the order processing contract must be sent to the client upon request.
9.6 In particular, the contractor is obliged to ensure through contractual regulations that the supervisory powers (Section 8 of this contract) of the client and supervisory authorities also apply vis-à-vis the subcontractor and that corresponding control rights of the client and supervisory authorities are agreed. It must also be contractually agreed that the subcontractor must tolerate these control measures and any on-site checks.
9.7 Services that the contractor uses from third parties as purely ancillary services in order to carry out the business activity are not regarded as subcontracting relationships within the meaning of paragraphs 1 to 6. These include, for example, cleaning services, pure telecommunications services without specific reference to services provided by the contractor for the client, postal and courier services, transport services and security services. However, even in the case of ancillary services provided by third parties, the contractor is obliged to ensure that appropriate precautions and technical and organizational measures have been taken to ensure the protection of personal data. The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship and order processing subject to consent within the meaning of Art. 28 GDPR if the maintenance and testing concerns IT systems which are also used in connection with the provision of services to the client and personal data processed on behalf of the client can be accessed during maintenance.
10.1 When processing data for the client, the contractor is obliged to maintain confidentiality about data that he receives or becomes aware of in connection with the order. The contractor undertakes to comply with the same rules of secrecy as are incumbent on the client. The client is obliged to inform the contractor of any special confidentiality rules.
10.2 The contractor assures that he is aware of the applicable data protection regulations and that he is familiar with the application of them. The contractor also assures that he familiarizes his employees with the data protection provisions that apply to them and has committed them to confidentiality. The contractor also assures that he has committed, in particular, the employees involved in carrying out the work to confidentiality and has informed them of the client's instructions.
10.3 The obligation of employees in accordance with paragraph 2 must be proven to the client upon request.
11.1 The client is solely responsible for upholding the rights of data subjects. The contractor is obliged to assist the client in its obligation to process applications from data subjects in accordance with Art. 12-23 GDPR. In particular, the contractor must ensure that the necessary information is immediately provided to the client so that the client can fulfill his obligations under Article 12 (3) GDPR in particular.
11.2 Insofar as the cooperation of the contractor is necessary for the protection of data subject rights - in particular to information, correction, blocking or deletion - by the client, the contractor will take the necessary measures in accordance with the client's instructions. Where possible, the contractor will support the client with appropriate technical and organizational measures to comply with its obligation to answer requests for the exercise of data subject rights.
11.3 Rules on any remuneration of additional expenses incurred by the contractor through cooperation in connection with the assertion of data subject rights against the client remain unaffected.
12.1 Both parties agree to keep all information they receive in connection with the execution of this contract confidential for an unlimited period of time and to use it only to execute the contract. Neither party is entitled to use this information in whole or in part for purposes other than those just mentioned or to make this information available to third parties.
12.2 The above obligation does not apply to information that one of the parties has verifiably received from third parties without being bound to secrecy or that is publicly known.
The contractor's remuneration is agreed separately.
14.1 The contractor undertakes vis-à-vis the client to comply with the technical and organizational measures necessary to comply with the applicable data protection regulations. In particular, this includes the requirements of Article 32 GDPR.
14.2 The current state of technical and organizational measures at the time of conclusion of the contract is attached as Appendix 3 to this contract. The parties agree that changes to technical and organizational measures may be necessary to adapt to technical and legal circumstances. The contractor will coordinate significant changes that may affect the integrity, confidentiality or availability of personal data with the client in advance. Measures that involve only minor technical or organizational changes and do not adversely affect the integrity, confidentiality and availability of personal data can be implemented by the contractor without consultation with the client. The client may request an up-to-date version of the technical and organizational measures taken by the contractor at any time.
14.3 The contractor will check the effectiveness of the technical and organizational measures taken by him regularly and as appropriate. In the event that there is a need for optimization and/or change, the contractor will inform the client
15.1 The contract starts with the conclusion of the Q.wiki main contract and is concluded for an indefinite period of time.
15.2 The contract automatically ends upon termination of the Q.wiki main contract.
15.3 The contract can be amended with 14 days' advance notice. Any changes will be notified in advance, at least in text form.
15.4 The client may terminate the contract at any time without notice if the contractor seriously breaches the applicable data protection regulations or obligations under this contract, if the contractor cannot or does not want to carry out instructions from the client, or if the contractor refuses access by the client or the competent supervisory authority in breach of contract.
16.1 After termination of the contract, the contractor must return or delete all documents, data and processing or use results created in connection with the contractual relationship as well as any copies made, at the client's discretion. The deletion must be documented in an appropriate manner. Any legal storage obligations or other obligations to store the data remain unaffected. Data carriers must be destroyed in the event of deletion requested by the client, with at least security level 3 of DIN 66399 being complied with; the destruction must be proven to the client with reference to the security level in accordance with DIN 66399.
16.2 The client has the right to check that the contractor has returned and deleted the data in full and in accordance with the contract. This can also be done by inspecting the data processing systems at the contractor's premises. The on-site inspection should be announced by the client within a reasonable period of time.
The parties agree that the contractor's plea of a right of retention within the meaning of Section 273 BGB with regard to the processed data and the associated data carriers is excluded.
18.1 Should the client's property at the contractor be endangered as a result of measures taken by third parties (such as seizure), insolvency proceedings or other events, the contractor must immediately inform the client. The contractor will immediately inform creditors of the fact that the data is processed on behalf of the contractor.
18.2 Additional agreements must be made in writing.
18.3 Should individual parts of this contract be ineffective, this does not affect the effectiveness of the remaining provisions of the contract.
The client's assignment to the contractor comprises the following work and/or services:
The purpose of data processing is to install and maintain an internal company wiki (interactive management system software Q.wiki) on the client's server and to provide support and consulting services for the client.
All data that the client processes as part of the interactive management system software Q.wiki can be considered as the type of personal data processed on behalf of the client. This usually includes personal master data, communication data, and usage and content data.
The number of persons affected by data processing depends on the group of people to whom the client provides access to the interactive management system software Q.wiki. In particular, this may include employees and customers of the client as well as other third parties (technical service providers/interested parties).
Within the meaning of this agreement, all persons who can represent the client as a legal entity are entitled to issue instructions. In the case of corporations, these are usually the board of directors or management as well as authorized signatories and in the case of partnerships, the shareholders.
Dr. Carsten Behrens, managing director
To process data on behalf of the client, the contractor uses services from third parties who process data on its behalf (“subcontractors”).
These are the following companies:
Company:
Freshworks Inc.
2950 S. Delaware Street
San Mateo, CA 94403, United States
Services:
Ticketing system & knowledge base for Q.wiki support
Company:
Productboard Inc. (from 15.1.2024)
333 Bush Street
San Francisco, CA 94104, United States
Services:
Managing and editing customer feedback
Company:
360 Learning SA (from 15.1.2024)
37 rue des Mathurins
Paris, France
Services:
Administration and implementation of user training
The contractor shall take the following technical and organizational measures for data security within the meaning of Art. 32 GDPR.
The separation of data (multi-client capability or differentiation of production and test systems) must be ensured by the client, as the system is operated by the client.
The transfer control of the data must be ensured by the client, as the system is operated by the client.
The availability and reliability of the data must be guaranteed by the client, as the system is operated by the client.