Order processing contract in accordance with Art. 28 GDPR
The present order processing contract (“AVV”) applies to the processing of personal data by Dibooq GmbH, Heinrich-Mann-Allee 3b, 14473 Potsdam, Germany (also referred to as “we” or “contractor”) that is carried out for customers (hereinafter “client”) in fulfillment of the main contract (= AGB DiBooq desktop app and, if applicable, AGB DiBooq mobile app).
Preamble
The contractor provides services for the client in accordance with the main contract concluded between them (hereinafter “main contract”). Part of the implementation of the main contract is the processing of personal data within the meaning of the General Data Protection Regulation (“GDPR”). In order to meet the requirements of the GDPR for such constellations, the parties conclude the following order processing contract (also “contract”), which comes into effect when the main contract is signed or becomes effective.
§ 1 Subject / scope of the assignment
- As part of the cooperation between the parties in accordance with the main contract, the contractor has access to the client’s personal data (hereinafter “client data”). The contractor processes this client data on behalf of and according to the instructions of the client within the meaning of Art. 4 No. 8 and Art. 28 GDPR.
- The contractor processes the client data in the manner, in the scope and for the purpose specified in Appendix 1. The group of persons affected by the data processing is also set out there. The duration of the processing corresponds to the duration of the main contract.
- Whether the contractor’s services are suitable for the processing of special categories of personal data according to Art. 9 Para. 1 GDPR requires a risk assessment by the client.
- The contractor is prohibited from processing client data that deviates from the processing specified in Appendix 1.
- The processing of the client data takes place, as a rule, in the territory of the Federal Republic of Germany, in a member state of the European Union or in another signatory state to the Agreement on the European Economic Area. Any relocation of order processing to a third country requires the prior consent of the client and only takes place if the special requirements of Art. 44 to 49 GDPR are met. With the conclusion of this order processing contract, the client already consents to the processing of personal data by the subcontractors named in Appendix 1.
- The provisions of this contract apply to all activities related to the main contract. The same applies to all activities in which the contractor and his employees or agents commissioned by the contractor come into contact with client data.
§ 2 Authority of the client to issue instructions
- The contractor processes the client data as part of the commissioning and on behalf of and according to the instructions of the client within the meaning of Art. 28 GDPR (order processing). The client has the sole right to issue instructions on the type, scope and method of the processing activities (hereinafter also referred to as “right to issue instructions”). If the contractor is obliged to carry out further processing by the law of the European Union or the member states to which he is subject, he shall notify the client of these legal requirements prior to processing.
- Instructions are generally given by the client in writing or in electronic form (e-mail is sufficient); verbally issued instructions must be confirmed electronically by the contractor.
- If the contractor is of the opinion that an instruction from the client violates data protection regulations, he must inform the client accordingly. The contractor is entitled to suspend the implementation of the relevant instruction until it is confirmed or changed by the client.
§ 3 Protective measures of the contractor
- The contractor is obliged to observe the statutory provisions on data protection and not to pass on the information obtained from the client’s domain to third parties or otherwise expose it to their access. Documents and data must be secured against unauthorized access, taking into account the state of the art.
- Furthermore, the contractor will oblige all persons entrusted by him with the processing and fulfillment of this contract (hereinafter referred to as “employees”) to confidentiality (obligation of confidentiality, Art. 28 Para. 3 lit. b GDPR). At the request of the client, the contractor will provide the client with evidence of the employee’s obligation in writing or in electronic form.
- The contractor will design his internal organization in such a way that it meets the special requirements of data protection. He undertakes to take all suitable technical and organizational measures to adequately protect the client’s data in accordance with Art. 32 GDPR, in particular to take the measures listed in Appendix 2 to this contract and to maintain them for the duration of the processing of the client’s data.
- The contractor reserves the right to change the technical and organizational measures taken, whereby he ensures that the contractually agreed level of protection is not undershot.
- At the request of the client, the contractor will demonstrate compliance with the technical and organizational measures to the client.
§ 4 Information and support obligations of the contractor
- In the event of disruptions, suspected data protection violations or breaches of contractual obligations by the contractor, suspected security-related incidents or other irregularities in the processing of the client’s data by the contractor, by persons employed by him in the context of the order or by third parties, the contractor will inform the client immediately, in writing or electronically, and at the latest within 48 hours. The same applies to reviews of the contractor by the data protection supervisory authority. These reports should contain at least the information specified in Art. 33 Para. 3 GDPR.
- In the above-mentioned case, the contractor will support the client in fulfilling his related clarification, remedial and information measures within the framework of what is reasonable.
- The contractor undertakes to provide the client with all information and evidence required to carry out an inspection within a reasonable period of time at the client’s request.
§ 5 Other obligations of the contractor
- If the requirements of Art. 30 GDPR apply, the contractor is obliged to keep a record of all categories of processing activities carried out on behalf of the client in accordance with Art. 30 Para. 2 GDPR. The record is to be made available to the client on request.
- The contractor is obliged to support the client in preparing a data protection impact assessment in accordance with Art. 35 GDPR and any prior consultation of the supervisory authority in accordance with Art. 36 GDPR.
- The contractor confirms that – insofar as there is a legal obligation to do so – he has appointed a data protection officer.
- If the client’s data is endangered at the contractor through seizure or confiscation, insolvency or settlement proceedings or other events or measures by third parties, the contractor must inform the client immediately, unless this is prohibited by a court or official order. In this context, the contractor will immediately inform all responsible bodies that the decision-making authority over the data lies exclusively with the client as the “controller” within the meaning of the GDPR.
§ 6 Subcontractor Relationships
- The contractor may have the processing of personal data carried out in whole or in part by further contract processors (hereinafter referred to as “subcontractors”). The contractor will inform the client in writing in advance about the commissioning of subcontractors or changes in the subcontracting. If there are objective reasons, the client can object to subcontracting in writing within four weeks of becoming aware of it.
- A subcontractor relationship within the meaning of these provisions does not exist if the contractor engages third parties with services that are to be regarded as purely ancillary services. These include, for example, mail, transport and shipping services, cleaning services, security services, telecommunications services without specific reference to services that the contractor provides for the client, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. The contractor’s obligation to ensure compliance with data protection and data security in these cases also remains unaffected.
- The contractor will agree with the subcontractor on provisions with the same content as those made in this AVV. In particular, the technical and organizational measures (TOMs) to be agreed with the subcontractor must provide an equivalent level of protection.
- The contractor has established subcontracting relationships with the companies named in Appendix 1, to which the client agrees with the conclusion of this order processing contract.
- The contractor has concluded order processing contracts with these subcontractors that meet the requirements of § 6 Para. 3. When this AVV takes effect, the client approves the aforementioned subcontractors.
- It is part of the order processing contracts with the subcontractors in particular that the subcontractors ensure that they have taken appropriate and suitable technical and organizational measures in accordance with Art. 32 GDPR with regard to the processing of personal data they carry out on the contractor’s behalf.
§ 7 Control Rights
- The client is entitled to satisfy himself on a regular basis that the provisions of this contract are being observed. For this purpose, he can, for example, obtain information from the contractor, have existing attestations by experts, certifications or internal audit reports presented, or have the contractor’s technical and organizational measures checked personally or by a knowledgeable third party during normal business hours, provided that this third party is not in a competitive relationship with the contractor.
- The client will only carry out controls to the extent necessary and will take appropriate account of the contractor’s operational processes. The parties will reach an understanding in good time about the time and type of audit.
- The client documents the control result and communicates it to the contractor. In the event of errors or irregularities that the client discovers, especially when checking the results of the order, he must inform the contractor immediately. If circumstances are found during the control, the future avoidance of which requires changes to the ordered process flow, the client shall notify the contractor of the necessary process changes without delay.
§ 8 Rights of data subjects
- As far as possible, the contractor supports the client with suitable technical and organizational measures in fulfilling his obligations under Art. 12 to 22 and Art. 32 to 36 GDPR. He will give the client the requested information about client data immediately, and no later than within 14 working days, unless the client himself has the relevant information.
- If a data subject asserts his rights under Art. 16 to 18 GDPR, the contractor is obliged to correct, delete or restrict the client data on the instructions of the client immediately, and at the latest within 7 working days. Upon request, the contractor will provide the client with written evidence of the deletion, correction or restriction of the data.
- If a data subject asserts rights, for example to information, correction or deletion with regard to his data, directly against the contractor, the contractor will forward this request to the client and await his instructions. Without a corresponding individual instruction, the contractor will not contact the data subject.
§ 9 Term and Termination
The duration of this contract corresponds to the duration of the main contract. It ends automatically with the termination of the main contract. If the main contract can be properly terminated, the regulations for ordinary termination apply accordingly to this contract. If the contractor no longer processes client data before the main contract expires, this contract also ends automatically.
§ 10 Deletion and return after the end of the contract
- After termination of the main contract or at any time upon request, the contractor will return all documents, data and data carriers to the client or, at the request of the client, if there is no statutory retention period, delete them completely and irrevocably. This also applies to copies of the client’s data held by the contractor, such as data backups, but not to documentation that serves to prove that the client’s data has been properly processed in accordance with the order. Such documentation must be kept by the contractor for a period of 6 months and returned to the client on request. Personal data shared by the client with other DiBooq desktop app or DiBooq mobile app users are not covered by an obligation to delete or surrender.
- The contractor will electronically confirm the deletion to the client. The client has the right to check the complete and contractual return or deletion of the data at the contractor in a suitable manner.
- The contractor is obliged to treat the data that has become known to him in connection with the main contract confidentially, even after the end of the main contract.
§ 11 Liability
- The liability of the parties is based on Art. 82 GDPR. Liability of the contractor towards the client due to breach of obligations under this contract or the main contract remains unaffected.
- The parties exempt themselves from liability if one party can prove that it is in no way responsible for the circumstance that caused the damage to a person concerned. This applies accordingly in the case of a fine imposed on one party, with the exemption being granted to the extent that the other party shares responsibility for the violation sanctioned by the fine.
§ 12 Confidentiality and data secrecy
- The contractor undertakes to observe the same rules for secrecy protection as are incumbent on the client.
- The employees of the contractor and third parties commissioned by him are subject to an obligation of confidentiality. The contractor must oblige the persons employed in the processing of client data to confidentiality in writing in accordance with Art. 28 Para. 3 lit. b GDPR. This is not necessary if the employed persons are already subject to an appropriate statutory obligation of confidentiality. The contractor will document the obligation set out in this section in writing and present it to the client at the request of the client.
- The contractor confirms that he is aware of the relevant data protection regulations. The contractor guarantees that he will familiarize the employees involved in the execution of the work with the relevant data protection provisions and that he will oblige them to comply with the applicable data protection regulations. He monitors compliance with data protection regulations.
- The confidentiality obligations regulated in this section continue to exist even after the termination of the contractual relationship.
- In addition to the applicable statutory provisions (in particular § 88 TKG, § 203 StGB, §§ 4, 23 GeschGehG and, if applicable, special professional confidentiality obligations), the contractor is also obliged to keep secret, and not to pass on to third parties, all information and data that comes to his knowledge in the context of the contractually agreed services (confidential information). Confidential information is in particular business and trade secrets, the conclusion of contracts, technical or commercial information of any kind or other information that is designated as confidential or is to be regarded as confidential by its nature. This applies in particular to:
  names and addresses as well as the personal, legal and economic circumstances of all customers of the client, and the personal, legal and economic circumstances of the client and of all other persons working for the client.
  Information is not to be regarded as confidential if it was already publicly known at the time the contractor became aware of it. Information that has become publicly known at a later time, or has been made known with the consent of the client, is also to be regarded as non-confidential.
- The contractor undertakes to bind to confidentiality all employees who gain knowledge of the aforementioned confidential information from the client while working for the client.
- If the contractor engages third parties, he must ensure that the requirements of paragraphs 1 to 6 are implemented accordingly.
§ 13 Final provisions
- The parties agree that the contractor’s right of retention within the meaning of Section 273 of the German Civil Code (BGB) with regard to the data to be processed and the associated data carriers is excluded.
- Changes and additions to this agreement must be made electronically.
- In case of doubt, the provisions of this contract take precedence over the provisions of the main contract. Should individual provisions of this agreement prove to be ineffective or unenforceable in whole or in part or become ineffective or unenforceable as a result of changes in legislation after the conclusion of the contract, this shall not affect the validity of the remaining provisions. The ineffective or unenforceable provision should be replaced by the effective and enforceable provision that comes as close as possible to the meaning and purpose of the invalid provision.
- This agreement is subject to German law. The exclusive place of jurisdiction is the seat of the contractor.
Appendices
Appendix 1 Specifications for the contract
Appendix 2 Technical and organizational measures of the contractor (Art. 32 GDPR)
Appendix 1 – Specifications for the contract
Subject and duration of the order: overview of requirements and specifications

Main contract | Terms and conditions for licensing the Dibooq software
Subject of the order | The client uses the Dibooq software. The Dibooq software offers holiday home rental agencies (“agencies”) the possibility of managing occupancy calendars for holiday properties and sharing availabilities in real time (“booking calendars”). Booking conditions can be defined under which it is possible to enter bookings in the calendar (“Direct Booking”) or to make booking inquiries that can be confirmed or rejected within the system (“Booking inquiry”).
Purpose of data collection, data processing or data use | In order to fulfill the contractor’s obligations under the main contract, personal data from the client’s area of control will be processed by the contractor within the full meaning of Art. 4 No. 2 GDPR, in particular collected, stored, changed, read out, queried, used, disclosed, compared where necessary, linked and deleted. The purpose of the processing therefore depends on the order described in the main contract.
Type of data | The categories of personal data affected by the processing depend on the client’s use of the contractor’s services. The following categories of data may be the subject of processing: master data (e.g. names, addresses, dates of birth); contact details (e.g. e-mail addresses, telephone numbers); content data (e.g. photographs, videos, content of documents); contract data (e.g. subject of the contract, terms, customers); payment data (e.g. bank details, payment service provider); usage data (e.g. history of web services, access times); connection data (e.g. device ID, IP addresses, URL referrer); and location data (e.g. GPS data, IP geolocation).
Circle of those affected | The categories of data subjects affected by the processing depend on the client’s use of the contractor’s services. The following categories of data subjects come into consideration: employees.
Subcontractors
No. | Subcontractor name, address / country | Subject of the order | Type and scope of the data
1 | e-pixler NEW MEDIA GmbH, Leuchtenfabrik Aufgang E, Edisonstraße 63, 12459 Berlin, Germany | Server administration | Hosting the software and databases
2 | united-domains AG, Gautinger Strasse 10, 82319 Starnberg, Germany | Hosting domains and website | Website with contact form
3 | Microsoft Ireland Operations Ltd, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland | Microsoft 365 Business, cloud storage, e-mail provider, Teams | E-mails and document filing
Appendix 2 – Technical and organizational measures
Under Art. 32 GDPR, those responsible for data processing are obliged to take technical and organizational measures to guarantee the security of the processing of personal data. Measures must be chosen in such a way that they ensure an appropriate level of protection overall. Against this background, this overview explains which specific measures have been taken by the contractor with regard to the processing of personal data in the specific case.
Notes on the technical and organizational measures
1. Organization of information security
Policies, processes and responsibilities are to be defined with which information security can be implemented and controlled.
Measures:
☒ Information security policy.
☐ Definition of roles and responsibilities for the operation of applications and systems, data protection and information security.
☐ Employees’ obligation to maintain secrecy and data secrecy.
2. Privacy by design
Privacy by design includes the idea that systems should be designed and constructed in such a way that the amount of personal data processed is minimized. Essential elements of data minimization are the separation of personal identifiers and content data, the use of pseudonyms and anonymization. In addition, personal data must be deleted in accordance with a configurable retention period.
Measures:
☒ No more personal data is collected than is necessary for the respective purpose.
☒ The processing and systems are designed in such a way that they enable and ensure GDPR-compliant deletion of the processed personal data.
3. Privacy by default
Privacy by default refers to privacy-friendly default settings. Example: when visiting a website, the visitor can expect that all programs that collect personal data are initially deactivated.
Measures:
☒ Tracking functions that monitor the data subject are deactivated by default.
☒ All pre-assignments of selection options meet the requirements of the GDPR with regard to data protection-friendly default settings (e.g. no pre-selected opt-ins).
4. System access control and data access control
Measures that ensure that those authorized to use the data processing procedures can only access the personal data, or the information and data requiring protection, covered by their access authorization (description of system-inherent security mechanisms and state-of-the-art encryption procedures; in the case of online access, it must be clarified which side is responsible for issuing and managing access security codes). The contractor guarantees that users authorized to use the IT infrastructure can only access content for which they are authorized and that personal data cannot be copied, changed or deleted without authorization during processing and after storage.
Measures:
☒ Documentation of authorization concepts.
☒ Access to data is restricted and only possible for authorized persons.
☒ Blocking of the user account after unsuccessful login attempts or inactivity.
☐ Blocking of the end device when leaving the workplace or after inactivity.
☒ Number of administrators reduced to the bare minimum.
☒ Logging of access to applications, especially when entering, changing and deleting data.
5. Cryptography and / or pseudonymization
Use of encryption procedures to ensure the proper and effective protection of the confidentiality, authenticity or integrity of personal data or information in need of protection. Measures that are suitable for making it more difficult to identify the data subject.
Measures:
☒ Encryption of network access and connections.
Further implemented measures for cryptography: see the AVV including TOMs between the contractor and e-pixler NEW MEDIA GmbH, Leuchtenfabrik Aufgang E, Edisonstraße 63, 12459 Berlin, Germany, which can be made available if required.
6. Protection of buildings
Prevention of unauthorized physical access to the organization’s information and information processing facilities, as well as their damage and impairment. The contractor takes measures to prevent unauthorized persons from gaining physical access to data processing systems with which personal data is processed.
Further implemented measures to protect buildings: see the AVV including TOMs between the contractor and e-pixler NEW MEDIA GmbH, Leuchtenfabrik Aufgang E, Edisonstraße 63, 12459 Berlin, Germany, which can be made available if required.
7. Protection of operating resources / information assets
Prevention of loss, damage, theft or impairment of assets and of interruptions to the organization’s operations.
Measures:
☒ Secure placement of the systems so that protection against theft is guaranteed.
☒ Protection of equipment from fire, water or overvoltage.
☒ Accommodation of the server and network components in secure rooms, cabinets, etc.
☒ Regular maintenance of the equipment.
☒ Secure deletion, destruction and disposal of operating resources.
Further implemented measures to protect equipment: see the AVV including TOMs between the contractor and e-pixler NEW MEDIA GmbH, Leuchtenfabrik Aufgang E, Edisonstraße 63, 12459 Berlin, Germany, which can be made available if required.
8. Operating procedures and responsibilities
Ensuring the proper and secure operation of systems and procedures for processing information.
Measures:
☒ Documented system configurations and operating procedures, operational management manuals.
☒ Clear allocation of responsibilities for system and application support.
☐ Separation of the processing of data of the individual clients.
☒ Separation of development, test and production systems.
☒ Monitoring of system operation and facilities.
☐ Maintenance contracts with a suitable response time.
9. Data backups
Measures to ensure that personal data or sensitive information and data are protected against accidental destruction or loss.
Measures:
☒ Data backup concept with regular backups.
☒ Storage of backups in other fire zones.
☒ Storage of backups in other buildings.
Further implemented measures for data backup: see the AVV including TOMs between the contractor and e-pixler NEW MEDIA GmbH, Leuchtenfabrik Aufgang E, Edisonstraße 63, 12459 Berlin, Germany, which can be made available if required.
10. Protection against malware and patch management
Prevention of the exploitation of technical vulnerabilities through the use of up-to-date anti-virus software and the implementation of patch management.
Measures:
☒ Regular monitoring of the status of security updates and system vulnerabilities.
☒ Use of anti-malware software.
☒ Regular installation of security patches and updates.
11. Logging and monitoring
Measures that ensure that it can be subsequently checked and determined whether and by whom personal data has been entered, changed or removed in IT systems. (All system activities are logged; the logs are kept by the contractor for at least 3 years.)
Measures:
☒ Logging of accesses.
☒ Evaluation of log files.
12. Network security management
Adequate protection must be implemented for the network so that the information and the infrastructure components are protected.
Measures:
☒ Use of network management software.
☒ Use of firewall systems.
☒ Use of intrusion detection / intrusion prevention systems.
☒ User authentication and encryption of external access.
13. Transfer of information
Measures that ensure that personal data or sensitive information and data cannot be read, copied, changed or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it can be checked and determined to which recipients a transfer of personal data or sensitive information and data by data transmission facilities is intended. (Description of the facilities and transmission protocols used, e.g. identification and authentication, state-of-the-art encryption, automatic callback, etc.)
Measures:
☒ Transfer of data to third parties only after checking the legal basis.
☒ Legality and written specification of the transfer of data to third countries.
☒ Secure data transfer between client and server.
☒ Use of encrypted external access.
☒ Secure transport and dispatch of data carriers, data and documents.
14. Acquisition, development and maintenance of systems
Measures that ensure that information security is an integral part of the life cycle of information systems.
Measures:
☒ Guidelines for secure system development.
☒ Protection of test data.
15. Supplier relationships
Measures relating to information security to reduce the risks associated with suppliers’ access to the company’s assets should be agreed and documented with sub-suppliers / subcontractors.
Measures:
☒ Selection of the contractor with due care (especially with regard to data security).
☒ Written instructions to the contractor (e.g. through an order processing contract) within the meaning of the GDPR; the contractor has appointed a data protection officer.
☒ Effective control rights vis-à-vis the contractor agreed.
☒ Prior examination and documentation of the security measures taken by the contractor.
☒ Obligation of the contractor’s employees to maintain data secrecy.
☒ Ensuring the destruction of data after completion of the order.
☒ Ongoing review of the contractor and his activities.
16. Management of information security incidents
Consistent and effective measures for the management of information security incidents (theft, system failure, etc.) must be implemented.
Measures:
☒ Documented procedure for dealing with security incidents.
☒ Immediate notification of the client in the event of data protection incidents.
17. Information security aspects of business continuity management / emergency management
Maintaining system availability in difficult situations such as crises or damage events. Emergency management must ensure this. Information security requirements should be specified in business continuity and disaster recovery planning.
Measures:
☒ Informing the client at an early stage in the event of an emergency.
Further implemented measures for business continuity management and emergency management: see the AVV including TOMs between the contractor and e-pixler NEW MEDIA GmbH, Leuchtenfabrik Aufgang E, Edisonstraße 63, 12459 Berlin, Germany, which can be made available if required.
18. Compliance with legal and contractual requirements
Implementation of measures to avoid violations of legal, official or contractual obligations as well as of any security requirements.
Measures:
☒ Ensuring compliance with legal obligations in the context of the cooperation.
☒ Return of all data, resources and information assets to the client at the end of the contract.
☒ Establishment of license management.
☒ Confidentiality obligations with employees as well as sub-suppliers and service providers.
19. Data protection requirements and data protection management
Privacy and the protection of personal data should be ensured in accordance with the requirements of the relevant legal regulations, other provisions and contractual provisions.
Measures:
☐ Establishment of a data protection organization.
☐ Record of processing activities.
☐ Implementation of data protection training.
☐ Establishment of a data protection management system.
☐ Documented data protection concept.
☐ Implemented guidelines on data protection.
20. Information security reviews
It must be checked regularly whether information processing is carried out in accordance with the defined security measures. For this purpose, the contractor will carry out regular checks. The contractor grants the client the right to carry out regular audits / reviews of him.
Measures:
☒ Regular internal audits on the subjects of data protection and information security.
☒ Carrying out penetration tests.