
Order processing contract CCM19 / AVV

You can also download the text below as a PDF file here. Simply send the completed document to info@ccm19.de.

Agreement between the
client

and the

Papoo Software & Media GmbH
Manufacturer CCM19
Auguststr. 4
53229 Bonn
(hereinafter "Contractor")

on the processing of personal data. Definitions in the GTC or the service description also apply in this Data Processing Agreement DPA.


1. Subject matter and duration of the order
1.1 Subject matter of the order
The subject matter of the order processing agreement is the performance of the following tasks by the Contractor in accordance with the service description in the offer: collection, administration, documentation and transfer of the consent of the Client's users to the processing of data and, if applicable, other services.
The Contractor processes personal data for the Client within the meaning of Art. 4 No. 2 and Art. 28 GDPR on the basis of the GTC.

1.2 Duration of the order
The duration of this order (term) corresponds to the term of the contract.

2. Content of the order
2.1 Scope, type and purpose
The scope, type and purpose of the collection, processing and/or use of personal data by the contractor for the client are specifically described in the service description in the offer.

2.2 Type of data
The subject of the collection, processing and/or use of personal data is the following data:
- Customer data: Settings and login data
- User data:
- Consent data (Consent ID, time of consent, opt-in, opt-out, banner language, customer settings in the banner, consent data, template)
- Device data (HTTP agent, HTTP referrer, HTTP page)
- anonymized IP data, IP address in 24h rollover in log files
- When using extended statistics or other statistical plugins: browser data (version)
2.3 Who is affected
The following persons are affected:
1. Website visitors or app users,
2. Customers / registered users

3. Authority of the client to issue instructions / place of data processing
3.1 The specified data will only be handled within the framework of the agreements made and in accordance with the documented instructions of the client (cf. Art. 28 para. 3 lit. a GDPR). The client reserves the right to issue comprehensive instructions regarding the type, scope and procedure of data processing within the scope of the order description set out in this agreement, which it may specify in individual instructions. Changes to the object of processing and procedural changes must be agreed and documented. Any additional expenses incurred shall be remunerated by the client. The Contractor may only provide information to third parties or the data subject with the prior written consent of the Client.

3.2 The Contractor shall process personal data exclusively within the scope of the agreements made and in accordance with the Client's instructions. Any further processing is only permitted to the extent that the Contractor is obliged to process the data differently under the law of the European Union or the Member States to which the Contractor is subject. In such a case, the Contractor shall notify the Client of these legal requirements prior to processing, unless the law in question prohibits such notification.

3.3 The Contractor must inform the Client immediately in accordance with Art. 28 para. 3 subpara. 2 GDPR if it is of the opinion that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the controller at the Client.

3.4 The processing of the Client's data by the Contractor takes place within the EU. The processing and/or transfer to a third country outside the territory of the EU or to an international organization requires the prior written consent of the Client. In such a case, the Contractor is additionally obliged to ensure an adequate level of data protection at the place of data processing in accordance with the legally applicable requirements and judicial and official interpretations thereof, or - at the Client's discretion - to give the Client the opportunity to ensure an adequate level of data protection, including by concluding or acceding to EU standard contractual clauses.

3.5 Recipients of instructions at the Contractor are employees of the Company.

4. Confidentiality
The Contractor guarantees that the employees involved in the processing of personal data and other persons working for the Contractor are prohibited from processing the personal data outside the instructions. Furthermore, the Contractor warrants that the persons authorized to process the personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality/secrecy obligation shall continue to apply even after termination of the order.

5. Technical and organizational measures
5.1 The Contractor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall take appropriate technical and organizational measures to protect the Client's personal data that meet the requirements of Art. 32 GDPR. In particular, the technical and organizational measures must be taken in such a way that the confidentiality, integrity, availability and resilience of the systems and services in connection with the data processing are ensured in the long term. These technical and organizational measures are described in Annex 1 of this Agreement. The Contractor is aware of these technical and organizational measures and is responsible for ensuring that they offer an appropriate level of protection for the risks of the data to be processed.

5.2 The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, the security level of the specified measures may not be undercut. Significant changes must be documented.

Dr. Carsten Euwens, 0228 2805668, has been appointed as the Contractor's data protection officer. The client must be informed immediately of any change of data protection officer.

6. Subcontracting
6.1 The involvement and/or modification of subcontractors by the Contractor is only permitted with the consent of the Client. The Client hereby consents to the use of subcontractors as follows:
6.1.1 The Client hereby consents to the use of the subcontractors listed in Annex 2 to this Agreement.

6.1.2 The Client agrees to the change or addition of further subcontractors if the Contractor notifies the respective Client in writing (e-mail is sufficient) of the use or change 1 month / (30) days before the start of data processing. The client may object to the use of a new/changed subcontractor. If no objection is made within the deadline, consent to the use or change shall be deemed to have been given. The client acknowledges that in certain cases the service can no longer be provided without the use of a specific subcontractor. In such cases, either party shall be entitled to terminate the contract without notice.
If there is an important reason under data protection law for the objection and no mutually acceptable solution can be found between the parties, the client shall be granted a special right of termination. The Client must declare its intention to terminate the contract in writing to the Contractor within one week of the failure to negotiate an amicable solution. The Contractor may remedy the objection within two weeks of receipt of the declaration of intent. If the objection is not remedied, the Client may declare special termination, which shall take effect upon receipt.

6.2 The Contractor shall draft the contractual agreements with the subcontractor(s) in such a way that they contain the same data protection obligations as agreed in this order, taking into account the type and scope of data processing within the scope of the subcontract. The sub-processor's obligation must be in writing or in electronic format.

6.3 Services that the Contractor uses from third parties as an ancillary service to support the execution of the order are not to be understood as subcontracting relationships within the meaning of this regulation. These include, for example, telecommunications services, maintenance and user service of "non-IT systems", cleaning staff or inspectors. However, the Contractor is obliged to enter into appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the Client's data, even in the case of externally contracted ancillary services.

7. Rights of data subjects

7.1 The Contractor shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects in accordance with Chapter III of the GDPR.

7.2 The Contractor shall only provide information about the data processed on behalf of the Client, correct or delete this data or restrict data processing accordingly in accordance with the Client's instructions. If a data subject contacts the Contractor directly for information, correction or deletion of his/her data or with regard to the restriction of data processing, the Contractor shall forward this request to the Client without delay.

8. Obligations of the Contractor to cooperate
8.1 The Contractor shall support the Client in complying with the obligations set out in Art. 32 to 36 GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations.

8.2 With regard to any reporting and notification obligations of the Client pursuant to Art. 33 and Art. 34 GDPR, the following applies: The Contractor is obliged (i) to inform the Client without undue delay of any personal data breach and (ii) in the event of such a breach, to provide reasonable assistance with its obligations under Art. 33 and 34 GDPR if necessary (Art. 28 para. 3 sentence 2 lit. f GDPR). Notifications pursuant to Art. 33 or 34 GDPR (notifications and communications in the event of a personal data breach) for the Client may only be carried out by the Contractor after prior instruction in accordance with Section 3 of this Agreement.

8.3 Insofar as the Client has notification or reporting obligations in the event of a security incident at the Client, the Contractor undertakes to support the Client.

9. Other obligations of the Contractor
9.1 To the extent required by law, the Contractor shall appoint a data protection officer who can perform his duties in accordance with Art. 38 and 39 GDPR, §§ 38, 6 BDSG. Currently, none of the legal regulations that require a data protection officer apply. Nevertheless, this activity is currently performed by Dr. Carsten Euwens.

9.2 The Contractor shall inform the Client immediately of any inspection activities and measures taken by the supervisory authority in accordance with Art. 58 GDPR. This shall also apply if a competent authority investigates the Contractor pursuant to Art. 83 GDPR.

9.3 The Contractor shall ensure the implementation of the order control by means of regular audits by the Contractor with regard to the execution or fulfillment of the contract, in particular compliance with and, if necessary, adaptation of regulations and measures for the execution of the order.

10. Information and inspection rights of the client
10.1 The Client has the right to request the information required under Art. 28 para. 3 h) GDPR to prove compliance with the agreed obligations of the Contractor and to carry out inspections in agreement with the Contractor or to have them carried out by auditors to be appointed in individual cases.

10.2 The parties agree that the Contractor is entitled to submit meaningful documentation to the Client as proof of compliance with its obligations and implementation of the technical and organizational measures. Meaningful documentation can be provided by submitting a current audit certificate, or reports or report extracts from independent bodies (e.g. auditor, audit, data protection officer), or a suitable certification through an IT security or data protection audit (e.g. in accordance with ISO 27001) or a certification approved by the responsible supervisory authorities.

10.3 The right of the Client to carry out on-site inspections shall not be affected by this. However, the Client shall consider whether an on-site inspection is still necessary after submission of meaningful documentation, in particular taking into account the maintenance of the Contractor's proper operation.

10.4 The Client shall have the right to satisfy itself of the Contractor's compliance with this Agreement in its business operations by means of spot checks, which must generally be notified in good time. The Contractor undertakes to provide the Client on request with the information required to meet its obligation to monitor the order and to make the corresponding evidence available.

11. Deletion of data and return of data carriers
After completion of the contractual work, the Contractor shall, at its discretion, hand over to the Client or destroy in accordance with data protection regulations all data, documents and processing or usage results created in connection with the contractual relationship that have come into its possession or that of its subcontractors. Proof shall be provided to the Client upon request.

12. Liability
The statutory provisions pursuant to Art. 82 GDPR apply to liability in the external relationship.

Bonn, 02.05.2022
Place, date, signature Client Papoo Software & Media GmbH
Dr. Carsten Euwens, Managing Director

Annex 1 - Technical and organizational measures/security concept of Papoo Software & Media GmbH
The following technical and organizational measures have been implemented by the Contractor and agreed with the Client.

1. Ensuring confidentiality
Measures to implement the requirement of confidentiality include physical access control, system access control and data access control. The technical and organizational measures taken in this context are intended to ensure adequate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.

Measures implemented by Papoo Software & Media GmbH to prevent unauthorized access to data processing systems:

- Access of employees to the office premises only with an individual key
- Access of visitors only with individual accompaniment by appropriately authorized employees and only to approved visitor areas.
- Personal and individual user login when logging into the system
- Password procedure (specification of password parameters with regard to complexity and update interval)
- Additional system login for certain applications
- Automatic blocking of clients after a certain period of time without user activity (also password-protected screen saver or automatic pause)
- Electronic documentation of all passwords and encryption of this documentation to protect against unauthorized access
- Two-factor authentication if technically possible
- Regular software updates
- Regular vulnerability scans

The servers are hosted by OVH GmbH in Frankfurt, Germany or by Hetzner Online GmbH in Gunzenhausen, Germany. Both hosters guarantee reliability and protection against unauthorized access to the physical infrastructure. Measures implemented by the subcontractors can be viewed here:
https://www.ovh.de/support/agb/Auftragsverarbeitungsvertrag.pdf
https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/#auftragsverarbeitung

2. Ensuring integrity
Measures to protect against unauthorized or unlawful processing, destruction or accidental damage.

2.1 Transfer control
Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment:
- Encryption of e-mail if possible
- Encryption of CD/DVD-ROM, external hard disks and/or laptops (~ directory)
- Secure WLAN
- SSL/TLS encryption
- Data protection-compliant destruction of data, data carriers and printouts
- Logging of data transfer if possible
- VPN where necessary or possible

2.2 Input control
Measures that ensure that it is possible to subsequently check and determine whether, at what time and by whom personal data has been entered, changed or removed in data processing systems:
- Legally compliant drafting of contracts for data processing of personal data with subcontractors with corresponding regulation of control mechanisms
- Obtaining self-disclosure from service providers regarding their measures to implement data protection requirements
- Written confirmation of verbal instructions
- Recording and keeping appropriate records of actions carried out on systems (e.g. log files) as required
- Use of logging and log evaluation systems
- Determination of authorized persons for the creation of data carriers and the processing of data

3. Measures for the pseudonymization of personal data
Pseudonymization is the replacement of the name and other identification features with an identifier for the purpose of excluding or significantly complicating the identification of the data subject. Measures in connection with the pseudonymization of personal data are:
- Privacy-by-design
- All IDs of a user (consentID, processorID) are pseudonymized with a SHA-256 cryptographic hash
- A pseudonymization concept is available in program form (including definition of the data to be replaced; pseudonymization rules, description of procedure, etc.)
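As an added example (not the agreement's text or CCM19's own code), the two data-minimization measures the annex and section 2.2 name, SHA-256 pseudonymization of user identifiers and anonymized IP data, applied to a constructed consent-log record; the field names, record layout, IP masks and the keyed HMAC variant are assumptions.

```python
"""Added example, not part of the CCM19 agreement or the vendor's code.

Applies two measures the agreement names to a constructed consent-log
record: SHA-256 pseudonymization of user identifiers (Annex 1, section 3)
and anonymization of the visitor IP address (section 2.2). Field names,
the record layout, the IP masks and the keyed variant are assumptions.
"""
import hashlib
import hmac
import ipaddress
from typing import Dict, Optional

# Identifiers that Annex 1, section 3 says are replaced by a SHA-256 hash.
ID_FIELDS = ("consentID", "processorID")


def pseudonymize_id(value: str) -> str:
    """Replace an identifier with its SHA-256 hex digest (the measure as stated)."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymize_id_keyed(value: str, pepper: bytes) -> str:
    """Assumed stronger variant: HMAC-SHA-256 under a secret pepper. A plain
    hash of a short or sequential identifier can be matched back to that
    identifier by anyone able to guess it; the secret pepper removes this."""
    return hmac.new(pepper, value.encode("utf-8"), hashlib.sha256).hexdigest()


def anonymize_ip(addr: str) -> str:
    """Zero the host part: keep a /24 for IPv4 and a /48 for IPv6 (assumed
    masks; the agreement only says 'anonymized IP data')."""
    ip = ipaddress.ip_address(addr)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def minimize_record(rec: Dict[str, str], pepper: Optional[bytes] = None) -> Dict[str, str]:
    """Return a copy of a consent-log record with IDs pseudonymized and the IP
    anonymized; with a pepper the keyed variant is used for the IDs."""
    out = dict(rec)
    for field in ID_FIELDS:
        if field in out:
            out[field] = (pseudonymize_id_keyed(out[field], pepper) if pepper
                          else pseudonymize_id(out[field]))
    if "ip" in out:
        out["ip"] = anonymize_ip(out["ip"])
    return out


def leaks_raw_id(original: Dict[str, str], minimized: Dict[str, str]) -> bool:
    """Check that no raw identifier survives anywhere in the minimized record."""
    return any(original[f] in minimized.values() for f in ID_FIELDS if f in original)


# Constructed sample record (not real data).
SAMPLE = {
    "consentID": "c-000123",
    "processorID": "p-42",
    "time": "2022-05-02T10:15:00Z",
    "optin": "statistics",
    "ip": "203.0.113.77",
}

if __name__ == "__main__":
    print(minimize_record(SAMPLE))
    print(minimize_record(SAMPLE, pepper=b"example-secret-pepper"))
```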

4. Ensuring availability
Measures to ensure that personal data is protected against accidental destruction or loss:
- Use of centrally tested and approved standard software from secure sources
- Regular data backups or use of mirroring procedures
- Decommissioning of hardware (especially servers) takes place after a check of the data carriers used and, if necessary, after the relevant data records have been backed up
- Uninterruptible power supply (UPS) in the server room
- Separate storage of data sets collected for different purposes
- Multi-layer virus protection and firewall architecture
- Emergency planning (emergency plan for security and data protection breaches with specific instructions for action)
- Fire/water and temperature early warning system in the server rooms
- Fire doors

5. Procedures for restoring the availability of personal data after a physical or technical incident
To ensure recoverability, sufficient backups are required, as well as action plans that can restore ongoing operations in the event of disaster scenarios.
To this end, the following measures are taken, partly by subcontractors OVH GmbH / Hetzner Online GmbH:
- Daily backup of the entire server
- Service Level Agreements (SLAs) with service providers
- Backup procedures
- Redundancy (e.g. mirroring of hard disks)
- Firewall, IDS/IPS
- Fire protection and extinguishing water protection
- Monitoring of alarms
- Plans for failure, emergency and recovery

6. Procedures for regular review, assessment and evaluation of the effectiveness of technical and organizational measures
A regular review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of processing is carried out as part of the implementation of:
- Regular revisions of the security concept
- Information on newly emerging vulnerabilities and other risk factors, revision of the risk analysis and assessment if necessary
- Audits by the data protection officer and the information security officer, process controls by quality management.

7. Ensuring the separation requirement
Multi-client capable systems are used in all areas to isolate all personal data from each other. The data is separated logically and in some cases physically. The CCM19 system itself is also multi-client capable and multi-user capable - which ensures complete separation of the personal data used in each case due to logical division by users and authorization concepts.

Annex 2 to the order processing agreement AVV
Approved subcontractors

OVH GmbH
St. Johanner Str. 41-43
66111 Saarbrücken
Germany
Server in Germany
Hoster Website, service and databases.

ALL-INKL.COM - Neue Medien Münnich
Owner: René Münnich
Hauptstraße 68 | D-02742 Friedersdorf
E-mail and other server services

Telekom Deutschland GmbH
Landgrabenweg 151
53227 Bonn
Telephone / Internet access

NetCologne Gesellschaft für Telekommunikation mbH
Am Coloneum 9,
50829 Köln
Telephone / Internet access

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany
Hoster Website, service and databases.

Disposal of electrical appliances
bonnorange AöR
Lievelingsweg 110
53119 Bonn

Disposal of data storage media
Shred-it GmbH
Klausnerring 3,
85551 Kirchheim bei München