The Contractor shall process personal data exclusively within the factual and temporal framework of this order and in accordance with the Client's instructions. The Contractor shall not use the data provided for data processing for any other purposes. Copies or duplicates shall not be made without the Client's knowledge.
The processing of the data, also by subcontractors, shall take place exclusively in the territory of the Federal Republic of Germany. In the latter case, the contractor shall provide evidence of the lawfulness of the corresponding contractual or other legal basis in accordance with the GDPR.
The Contractor shall take technical and organisational measures for the adequate protection of the Client's data that meet the legal requirements. In this context, the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing shall be ensured on a permanent basis. The technical and organisational measures of the Contractor shall be specified separately to this contract and shall be an integral part of the contract.
The contractor shall ensure a procedure for reviewing the technical and organisational measures. He shall be obliged to adapt the technical and organisational measures to the state of the art insofar as this is necessary and economically reasonable. The Client shall be informed in advance of any significant changes. The changes shall be recorded in writing and shall become part of the contract. The contractor shall examine the client's proposals for changes. The Client shall be informed of the result.
If the Contractor commissions a subcontractor to fulfil its contractual obligations, it shall ensure that the necessary technical and organisational measures are taken by the subcontractor and correspond to the state of the art.
The Contractor shall correct, delete or block the data in accordance with the Client's instructions. If a data subject contacts the Contractor directly for the purpose of correcting, blocking or deleting his/her data, the Contractor shall forward this request to the Client without delay. The same shall apply to requests for information.
The contractor is obliged to maintain data secrecy and any professional confidentiality obligations. He shall only use employees for the processing who are appropriately committed and trained. In particular, he shall ensure that all persons entrusted by him with the processing or fulfilment of this contract are carefully selected, observe the statutory data protection provisions and do not disclose the information obtained from the Client to third parties without authorisation or use it in any other way.
The Contractor shall be obliged to keep a record of processing activities pursuant to Art. 30 (2) GDPR. The Contractor shall grant the State Data Protection Commissioner access to the working premises and shall submit to inspection in accordance with the State Data Protection Act in its respective version. The Contractor shall inform the Client without delay about control and investigative actions of the supervisory authority.
The Client shall approve the separately listed subcontracting relationships which the Contractor has established prior to the conclusion of this Agreement. The Contractor shall inform the Client immediately of any changes. The conclusion of new subcontracting relationships requires the prior consent of the Client.
The contractor shall impose the same obligations on the subcontractor as he himself has to fulfil towards the client. The subcontractor shall be selected carefully. The contractor shall be fully liable to the client for data breaches by its subcontractors.
The Client shall have the right to check compliance with the technical and organisational measures taken by the Contractor and the subcontractors before the start of and during data processing or to have them checked by auditors to be appointed. The result shall be documented.
The contractor shall ensure the possibility of control. To this end, he shall provide the Client with evidence of the implementation of the technical and organisational measures pursuant to Art. 32 of the GDPR upon request. Proof can be provided by submitting current audits or reports by independent auditors (e.g. auditors, auditing, data protection officers, data protection auditors, quality auditors).
If the contractor and the subcontractors commissioned by it have subjected themselves to codes of conduct or successfully undergone a certification procedure, they are obliged to prove this to the client. Certificates shall be updated.
The Client shall be entitled to carry out spot checks. These shall be announced. If the announcement would jeopardise the purpose of the inspection or if there is an urgent reason for the inspection, an announcement is not required.
The Contractor shall immediately notify the Client of all breaches of obligations under this contract. This shall apply in particular in the event of serious disruptions of the operational process, suspected other violations of regulations on the protection of personal data or other irregularities in the handling of personal data. In consultation with the Client, the Contractor shall take appropriate measures to secure the data and to mitigate or exclude possible adverse consequences for the data subjects.
The Client shall be entitled to issue instructions to the Contractor at any time, in particular with regard to the type, scope and time of the processing of data. The Client's instructions shall be given in text form.
If the Contractor considers an instruction of the Client to be unlawful, it shall notify the Client thereof without delay. He shall be entitled to suspend the implementation of the instruction until it is confirmed or amended by the Client.
If the Client issues individual instructions regarding the handling of personal data that go beyond the contractually agreed scope of services, e.g. changes to technical and organisational measures, they shall be treated as a request for a change in services.
The Contractor shall hand over to the Client all personal data in its possession, processing results produced as well as data files related to the contractual relationship without undue delay after fulfilment of the contract or upon request by the Client, at the latest upon termination of the cooperation, or destroy them in accordance with data protection law after prior consent of the Client. The record of the deletion shall be submitted upon request. A right of retention is excluded.
Documentation which serves as proof of the orderly and proper data processing shall be retained by the Contractor in accordance with the applicable retention periods beyond the end of the contract.