Order Processing Agreement

Annex 1: Processing in accordance with Article 28 GDPR

Agreement between Customer – the Controller – hereinafter referred to as the Client – and BSI Business Systems Integration Deutschland GmbH – the Processor – hereinafter referred to as the Supplier

1. Subject matter and duration of the Order or Contract

(1) The subject matter of this Order or Contract follows from the agreement under which the software is procured in return for payment (the Principal Contract, hereinafter referred to as the Service Agreement), to which reference is made here.
(2) The duration of this Order or Contract corresponds to the duration of the Service Agreement.

2. Specification of the Order or Contract Details

(1) Nature and purpose of the intended processing of data. The nature and purpose of the processing of personal data by the Supplier on behalf of the Client are defined precisely in the Service Agreement. The contractually agreed processing of data shall be carried out exclusively within a Member State of the European Union (EU) or of the European Economic Area (EEA). Any transfer of data to a state that is not a Member State of the EU or the EEA requires the prior agreement of the Client and may only take place if the specific conditions of Article 44 et seq. GDPR have been fulfilled.
(2) Type of data. The subject matter of the processing of personal data comprises the following data types/categories:
• Personal master data (key personal data)
• Contact data (e.g. phone, e-mail address)
• Key contract data (contractual/legal relationships, contractual or product interest)
• Contract billing and payment data (banking and account data)
• Session connection data (session number, session password if assigned, start date and time, end date and time)
(3) Categories of data subjects. The categories of data subjects comprise:
• Customers
• Potential customers
• Subscribers
• Employees (staff, applicants, trainees)
• Suppliers
• Authorised agents
• Contact persons (at customers, potential customers and suppliers)

3. Technical and Organisational Measures

(1) Before the commencement of processing, the Supplier shall document the implementation of the necessary Technical and Organisational Measures, defined in advance of the awarding of the Order or Contract, specifically with regard to the detailed execution of the contract, and shall present these documented measures to the Client for inspection. Upon acceptance by the Client, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.
(2) The Supplier shall establish security in accordance with Article 28 Paragraph 3 Point c and Article 32 GDPR, in particular in conjunction with Article 5 Paragraphs 1 and 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs, the nature, scope and purposes of processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR, must be taken into account. [Details in Appendix 1]
(3) The Technical and Organisational Measures are subject to technical progress and further development. In this respect, the Supplier may implement alternative adequate measures, provided that the security level of the defined measures is not reduced. Substantial changes must be documented.

4. Rectification, restriction and erasure of data

(1) The Supplier may not rectify, erase or restrict the processing of data that is being processed on behalf of the Client on its own authority, but only on documented instructions from the Client. Insofar as a Data Subject contacts the Supplier directly concerning a rectification, erasure or restriction of processing, the Supplier shall forward the Data Subject's request to the Client without delay.
(2) Insofar as it is included in the scope of services, the erasure policy, the 'right to be forgotten', rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Client without undue delay.

5. Quality assurance and other duties of the Supplier

In addition to complying with the rules set out in this Order or Contract, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:
a) Appointment of a Data Protection Officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR. The Supplier has appointed Mr. Sascha Weller, Lawyer, IDR Weller – Institut für Datenschutzrecht (address: Ziegelbräustraße 7, 85049 Ingolstadt, Germany; phone: +49-89-5880-1133-8; e-mail: dsb@snapview.de) as Data Protection Officer. The Client shall be informed immediately of any change of Data Protection Officer.
b) Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Article 29 and Article 32 Paragraph 4 GDPR. The Supplier entrusts the data processing outlined in this contract only to employees who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data shall not process that data except on instructions from the Client, which include the powers granted in this contract, unless required to do so by law.
c) Implementation of and compliance with all Technical and Organisational Measures necessary for this Order or Contract in accordance with Article 28 Paragraph 3 Sentence 2 Point c and Article 32 GDPR [details in Appendix 1].
d) The Client and the Supplier shall cooperate, on request, with the supervisory authority in the performance of its tasks.
e) The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Order or Contract. This also applies insofar as the Supplier is under investigation or is party to an investigation by a competent authority in connection with infringements of any civil or criminal law, or administrative rule or regulation, regarding the processing of personal data in connection with the processing under this Order or Contract.
f) Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party, or any other claim in connection with the processing of data by the Supplier under this Order or Contract, the Supplier shall make every effort to support the Client.
g) The Supplier shall periodically monitor the internal processes and the Technical and Organisational Measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and protects the rights of the data subject.
h) Verifiability of the Technical and Organisational Measures by the Client as part of the Client's supervisory powers referred to in item 7 of this contract.

6. Subcontracting

(1) Subcontracting for the purpose of this Agreement means services that relate directly to the provision of the principal service. It does not include ancillary services, such as telecommunication services, postal/transport services, maintenance and user support services or the disposal of data carriers, or other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and to take appropriate inspection measures to ensure the data protection and data security of the Client's data, even in the case of outsourced ancillary services.
(2) The Client agrees to the commissioning of the following subcontractors on the condition of a contractual agreement in accordance with Article 28 Paragraphs 2 to 4 GDPR:
Name of subcontractor   City of registration / Country   Services
PlusServer GmbH         Cologne, Germany                 Server hosting
filoo GmbH              Gütersloh, Germany               Server hosting
gridscale GmbH          Cologne, Germany                 Managed service / PaaS and IaaS cloud hosting
(3) The outsourcing to subcontractors or the change of an existing subcontractor is permissible, provided that a contractual agreement in accordance with Article 28 Paragraphs 2 to 4 GDPR is in place between the Supplier and the subcontractor, that the Supplier notifies the Client of such outsourcing in writing or in text form in advance, and that the Client does not object to the planned outsourcing within 14 days in writing or in text form for important reasons. Failure by the Client to lodge an objection within the aforementioned period shall be deemed to constitute consent to the engagement of the new subcontractor. The Client is aware that the non-engagement of a new subcontractor can lead to a delay or non-performance of the services and to increased remuneration. The Supplier shall inform the Client in writing or in text form of any impairment of the services or increase in remuneration resulting from an objection by the Client to the commissioning of the new subcontractor. The Client may then either conclude a written amendment to the contract in order to accommodate the change or terminate the contract in accordance with its provisions. Such termination shall not constitute termination for good cause or for breach of contract.
(4) The transfer of personal data from the Client to the subcontractor and the subcontractor's commencement of the data processing shall only be undertaken after all requirements have been complied with.
(5) If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU data protection regulations by appropriate measures. The same applies if service providers are to be used within the meaning of Paragraph 1 Sentence 2.
(6) Further outsourcing by the subcontractor requires the express consent of the Supplier (at least in text form); all contractual provisions in the contract chain shall be communicated to and agreed with each additional subcontractor.

7. Supervisory powers of the Client

(1) The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to satisfy itself of the Supplier's compliance with this agreement in its business operations by means of random checks, which are ordinarily to be announced in good time.
(2) The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the implementation of the Technical and Organisational Measures.
(3) Evidence of such measures, which concern not only the specific Order or Contract, may be provided by:
• compliance with approved Codes of Conduct pursuant to Article 40 GDPR;
• certification according to an approved certification procedure in accordance with Article 42 GDPR;
• current auditor's certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor); or
• a suitable certification by IT security or data protection auditing (e.g. according to BSI IT-Grundschutz (the IT Baseline Protection certification developed by the German Federal Office for Information Security (BSI)) or ISO/IEC 27001).
(4) The Supplier may claim remuneration for enabling Client inspections.

8. Communication in the case of infringements by the Supplier

(1) The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, the reporting requirements for personal data breaches, data protection impact assessments and prior consultations referred to in Articles 32 to 36 GDPR. These include:
a) Ensuring an appropriate level of protection through Technical and Organisational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities, and that enable the immediate detection of relevant infringement events.
b) The obligation to report a personal data breach to the Client immediately.
c) The duty to assist the Client with regard to the Client's obligation to provide information to the Data Subject concerned, and to provide the Client immediately with all relevant information in this regard.
d) Supporting the Client with its data protection impact assessment.
e) Supporting the Client with regard to prior consultation of the supervisory authority.
(2) The Supplier may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Supplier.

9. Authority of the Client to issue instructions

(1) The Client shall confirm oral instructions immediately (at least in text form).
(2) The Supplier shall inform the Client immediately if it considers that an instruction violates data protection regulations. The Supplier shall then be entitled to suspend the execution of the relevant instruction until the Client confirms or changes it.

10. Deletion and return of personal data

(1) Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies insofar as they are necessary to ensure orderly data processing, and of data required to meet regulatory retention requirements.
(2) After conclusion of the contracted work, or earlier upon request by the Client, and at the latest upon termination of the Service Agreement, the Supplier shall hand over to the Client or, subject to prior consent, destroy in a data-protection-compliant manner all documents, processing and utilisation results, and data sets related to the contract that have come into its possession. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.
(3) Documentation which serves to demonstrate orderly data processing in accordance with the Order or Contract shall be retained by the Supplier beyond the contract duration in accordance with the respective retention periods. The Supplier may hand such documentation over to the Client at the end of the contract duration to relieve itself of this contractual obligation.

Appendix 1 – Technical and Organisational Measures

1. Confidentiality (Article 32 Paragraph 1 Point b GDPR)
• Physical Access Control. No unauthorised access to data processing facilities.
o Offices and data centres are only accessible to authorised persons and to other persons accompanied by them
o Lockable rooms with a manual locking system where only staff and cleaning staff have a key
o Receipt of keys on entry to and exit from the company is acknowledged
o Careful selection of cleaning personnel
• Electronic Access Control. No unauthorised use of the data processing and data storage systems.
o Assignment of user rights
o Password assignment, authentication with user name and password, confidential handling of passwords
o Password creation policy for servers
o Key control
o Use of anti-virus software
o Creation of user profiles, use of VPN technology, use of a software firewall
o Assignment of authorisations and their documentation by the Manager IT Operations in accordance with management instructions
• Internal Access Control (permissions for user rights of access to and amendment of data). No unauthorised reading, copying, changing or deletion of data within the system.
o Authorisation concept
o Number of administrators reduced to the bare minimum
o Physical erasure of data carriers before reuse; use of shredders
o Administration of rights by system administrators
o Proper destruction of data carriers
• Isolation Control. Isolated processing of data that is collected for differing purposes.
o Logically separated storage on separate systems or data carriers
o Creation of an authorisation concept
o Separation of production and test systems
• Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR). The processing of personal data in such a way that the data can no longer be attributed to a specific Data Subject without the use of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures.
o The systems described in the Service Agreement can be used by the parties with pseudonyms ("Privacy by Default").

2. Integrity (Article 32 Paragraph 1 Point b GDPR)
• Data Transfer Control. No unauthorised reading, copying, changing or deletion of data during electronic transfer or transport.
o Installation of VPN tunnels (Virtual Private Networks)
o For physical transport: careful selection of transport personnel and transport vehicles, and confirmation of collection and receipt
o Personal data is only transmitted in encrypted form
• Data Entry Control. Verification of whether and by whom personal data is entered into, changed in or deleted from a data processing system.
o Accesses, especially during the entry, modification and deletion of data, as well as failed login attempts, are logged
o A multi-level authorisation concept ensures that different users have different rights to enter, change and delete data
o Access is via individual user names and passwords

3. Availability and Resilience (Article 32 Paragraph 1 Point b GDPR)
• Availability Control. Prevention of accidental or wilful destruction or loss.
o Regular testing of data recovery
o Storage of data backups in a secure, off-site location
o Creation of a backup and recovery concept
• Rapid Recovery (Article 32 Paragraph 1 Point c GDPR)
o Redundant systems
o Load balancing
o Continuous backups
o Ongoing monitoring of the systems with notification of failures

4. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)
• Data Protection Management
• Incident Response Management
• Data Protection by Design and by Default (Article 25 Paragraphs 1 and 2 GDPR)
• Order or Contract Control. No third-party data processing within the meaning of Article 28 GDPR without corresponding instructions from the Client.
o Careful selection of subcontractors (in particular with regard to data security)
o Instructions in writing to the subcontractor (e.g. by data processing contracts)
o Obligation of the subcontractor's employees to data secrecy
o Assignment of rights to input
o Formalised order management
o Duty of pre-evaluation
o Supervisory follow-up checks

Date: 2022-08-05