Order processing contract CCM19
Agreement between the
Papoo Software & Media GmbH
on the processing of personal data. Definitions in the GTC or the service description shall also apply in this order processing agreement.
1. Subject Matter and Duration of the Order
1.1 Subject Matter of the Order
The subject matter of the Order Processing Agreement is the performance of the following tasks by the Contractor in accordance with the service description in the offer: collection, administration, documentation and transfer of the consent of the Client's users as well as other services, if applicable.
In doing so, the Contractor processes personal data for the Client within the meaning of Art. 4 No. 2 and Art. 28 DSGVO on the basis of the GTC.
1.2 Duration of the Order
The duration of this order (term) corresponds to the term of the contract.
2. Content of the order
2.1 Scope, type and purpose
The scope, type and purpose of the collection, processing and / or use of personal data by the Contractor for the Client are specifically described in the service description in the offer and / or under section 2.2.
2.2 Type of data
Subject of the collection, processing and / or use of personal data are the following data:
- Customer data: Settings and login data
- User data:
- Consent data (Consent ID, time of consent, opt-in or opt-out, banner language, customer settings in the banner - Consent data, template)
- Device data (HTTP Agent, HTTP Referrer, HTTP Page)
- Anonymised IP data, IP address in 24h rollover in log files
- When using advanced statistics or other statistical plugins: Browser data (version)
2.3 Who is affected
The following persons are affected:
1. Website visitors or app users,
2. Customers / Registered Users
3. Client's authority to issue instructions / place of data processing
3.1 The specified data will only be handled within the framework of the agreements made and in accordance with documented instructions from the Client (cf. Art. 28 Para. 3 lit. a DSGVO). Within the scope of the order description made in this agreement, the Client reserves a comprehensive right to issue instructions regarding the type, scope and procedure of the data processing, which it may specify by means of individual instructions. Changes to the object of processing and changes to procedures must be agreed and documented. Any additional expenses incurred shall be reimbursed by the Customer. The Contractor may only provide information to third parties or the person concerned with the prior written consent of the Customer.
3.2 Verbal instructions of the Client are to be confirmed immediately in writing or by e-mail (in text form). The Contractor shall not use the data for any other purposes and shall in particular not be entitled to pass them on to third parties. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data that is necessary with regard to compliance with legal obligations under Union law or the law of an EU member state, as well as to comply with retention obligations.
3.3 The Contractor shall inform the Client without undue delay in accordance with Art. 28 (3) subpara. 2 DSGVO if it is of the opinion that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Responsible Party at the Client.
3.4 The processing of the Customer's data by the Contractor shall take place within the EU. The Contractor shall be obliged to notify the Client prior to commencement of the processing of any legal obligation of the Contractor to carry out the processing of the Client Data at another location, unless such notification is prohibited by law. Processing and / or transfer to a third country outside the territory of the EU or to an international organization requires the prior written consent of the Client. In such case, the Contractor shall additionally be obliged, in accordance with the legally applicable requirements as well as judicial and official interpretations thereof, to ensure an adequate level of data protection at the place of data processing or - at the Customer's option - to grant the Customer the option to ensure an adequate level of data protection, inter alia by concluding or acceding to EU standard contractual clauses.
The Contractor warrants that employees involved in the processing of personal data and other persons working for the Contractor are prohibited from processing the personal data outside the scope of the instruction. Furthermore, the Contractor warrants that the persons authorized to process the Personal Data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality. The confidentiality / secrecy obligation shall continue to exist after termination of the order.
5. Technical and organizational measures
5.1 The Contractor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall ensure appropriate technical and organizational measures for the protection of the Customer's personal data that meet the requirements of Art. 32 DSGVO. In particular, the technical and organizational measures shall be such that the confidentiality, integrity, availability and resilience of the systems and services related to the data processing are ensured on a permanent basis. These technical and organizational measures are described in Annex 1 to this Agreement. The Customer is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed.
5.2 The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor shall be permitted to implement alternative adequate measures. In doing so, the security level of the specified measures may not be undercut. Significant changes shall be documented.
6.1 The involvement and/or modification of subcontractors by the Contractor shall in principle only be permitted with the consent of the Customer. The Customer agrees to the use of subcontractors as follows:
6.1.1 The Customer agrees to the use of the subcontractors listed in Annex 2 to this Agreement already now.
6.1.2 The Customer agrees to the change or addition of further subcontractors if the Contractor notifies the respective Customer in writing (e-mail is sufficient) of the use or change one month (30 days) before the start of the data processing. The Customer may object to the use of a new / changed subcontractor. If no objection is made within the time limit, the consent to the use or change shall be deemed given. The Customer acknowledges that in certain cases the service can no longer be provided without the use of a specific subcontractor. In such cases, either party shall be entitled to terminate without notice.
If there is an important reason under data protection law for the objection and if a mutually agreeable solution has not been found between the parties, the Customer shall be granted a special right of termination. The Customer shall declare its intention to terminate in writing to the Contractor within one week after the failure to negotiate a mutually agreeable solution. The Contractor may remedy the objection within two weeks after receipt of the declaration of intent. If the objection is not remedied, the Customer may declare the special termination, which shall become effective upon receipt.
6.2 The Contractor shall draft the contractual agreements with the subcontractor(s) in such a way that they contain the same data protection obligations as agreed in this order, taking into account the type and scope of the data processing under the subcontract. The commitment of the subcontracted processor(s) must be in writing or in electronic format.
6.3 Subcontracting relationships within the meaning of this provision shall not include services which the Contractor uses from third parties as an ancillary service to support the performance of the order. These include, for example, telecommunication services, maintenance and user service, cleaning staff, auditors or the disposal of data carriers. However, the Contractor is obligated to make appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the Customer's data, even in the case of ancillary services contracted out to third parties.
7. Data subject rights
7.1 The Contractor shall support the Customer within the scope of its possibilities in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR.
7.2 The Contractor shall only provide information about the data processed on behalf of the Customer, correct or delete such data or restrict data processing accordingly in accordance with the Customer's instructions. Insofar as a data subject should contact the Contractor directly for the purpose of information, correction or deletion of his/her data as well as with regard to the restriction of data processing, the Contractor shall forward this request to the Customer without delay.
8. Duties of the Contractor to cooperate
8.1 The Contractor shall support the Client in complying with the obligations regarding the security of personal data, notification obligations in the event of data breaches, data protection impact assessments and prior consultations set out in Articles 32 to 36 of the GDPR.
8.2 With regard to any reporting and notification obligations of the Principal pursuant to Art. 33 and Art. 34 GDPR, the following shall apply: The Contractor is obliged (i) to notify the Client without undue delay of the personal data breach and (ii) in the event of such a breach, to provide appropriate assistance, if necessary, with the Client's obligations under Art. 33 and 34 DSGVO (Art. 28 (3) sentence 2 lit. f DSGVO). Notifications pursuant to Art. 33 or 34 of the GDPR (notifications and notices in the event of a personal data breach) for the Customer may only be carried out by the Contractor after prior instruction pursuant to Section 3 of this Agreement.
8.3 Insofar as the Customer has reporting or notification obligations in the event of a security incident, the Contractor undertakes to support the Customer.
9. Other Duties of the Contractor
9.1 To the extent required by law, the Contractor shall appoint a data protection officer who can perform his duties in accordance with Art. 38 and 39 DSGVO, §§ 38, 6 BDSG (new version). The contact details of the data protection officer shall be provided to the Client for the purpose of direct contact upon request. Currently CCM19 is not legally obliged to appoint a data protection officer; nevertheless the function is currently filled by Dr. Carsten Euwens, email@example.com.
9.2 The Contractor will inform the Client without delay about control actions and measures of the supervisory authority according to Art. 58 DSGVO. This shall also apply insofar as a competent authority investigates the Contractor pursuant to Art. 83 DSGVO.
9.3 The Contractor shall ensure the implementation of the order control by means of regular audits by the Contractor with regard to the execution or fulfillment of the contract, in particular compliance with and, if necessary, adjustment of regulations and measures for the implementation of the order.
10. Principal's right to information and review
10.1 The Principal shall have the right to request the information required pursuant to Art. 28 (3) lit. h GDPR to prove the Contractor's compliance with the agreed obligations and to carry out reviews in agreement with the Contractor or to have them carried out by auditors to be named in the individual case.
10.2 The Parties agree that the Contractor shall be entitled to submit meaningful documentation to the Customer to prove compliance with its obligations and implementation of the technical and organizational measures. Meaningful documentation may be provided by the submission of a current audit certificate, reports or report extracts from independent bodies (e.g. auditors, auditing bodies, data protection officers), suitable certification by IT security or data protection audit (e.g. in accordance with ISO 27001) or certification approved by the relevant supervisory authorities.
10.3 The right of the Client to carry out on-site inspections shall not be affected by this. However, the Customer shall consider whether an on-site inspection is still necessary after submission of meaningful documentation, in particular taking into account the maintenance of the proper operation of the Contractor.
10.4 The Customer shall have the right to satisfy itself of the Contractor's compliance with this Agreement in the Contractor's business operations by means of spot checks, which as a rule shall be notified in due time. The Contractor undertakes to provide the Customer, upon request, with the information required to comply with its obligation to monitor the order and to make the relevant evidence available.
11. Deletion of data and return of data carriers
After completion of the contractual work, the Contractor shall hand over to the Customer or destroy in accordance with data protection requirements all data, documents and processing or utilization results created in connection with the contractual relationship that have come into its possession or into that of its subcontractors. Proof of this shall be handed over to the Client on request.
The statutory provisions pursuant to Art. 82 of the GDPR shall apply to liability within the framework of the GTC.
Appendix 1 - Technical-organizational measures/security concept of Papoo Software & Media GmbH
The following technical and organizational measures have been implemented by the contractor and agreed with the client.
Measures to implement the requirement of confidentiality include measures for physical access control, system access control and data access control. The technical and organizational measures taken in this context are intended to ensure appropriate security of personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage.
Measures implemented by Papoo Software & Media GmbH that prevent access by unauthorized persons to data processing systems:
- Personal and individual user login when logging into the system
- Password procedure (specification of password parameters in terms of complexity and update interval)
- Additional system login for certain applications
- Automatic locking of clients after a certain period of time without user activity (also password-protected screen saver or automatic pause)
- Electronic documentation of all passwords and encryption of this documentation to protect against unauthorized access
- Two-factor authentication if technically possible
- Regular software updates
- Regular vulnerability scans
The servers are hosted by OVH GmbH in Frankfurt, Germany. This hoster ensures fail-safety and protection against unauthorized access to the physical infrastructure. Measures implemented by the subcontractor OVH can be viewed here:
Measures to protect against unauthorized or unlawful processing, destruction or accidental damage.
2.1 Transfer control
Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or while being transported or stored on data media, and that it is possible to verify and establish to which entities personal data are intended to be transmitted by data transmission equipment:
- Encryption of e-mail if possible
- Encryption of CD/DVD-ROM, external hard disks and/ or laptops (~ directory)
- Secured WLAN
- SSL/TLS encryption
- Data protection-compliant destruction of data, data carriers and printouts
- Logging of data transfer
2.2 Input control
Measures to ensure that it is possible to check and establish retrospectively whether, at what time and by whom personal data has been entered into, modified or removed from data processing systems:
- Legally compliant drafting of contracts for the processing of personal data with subcontractors with corresponding regulation of control mechanisms
- Obtaining self-disclosure from service providers regarding their measures for implementing data protection requirements
- Written confirmation of verbal instructions
- Recording and storing as required of corresponding actions performed on systems (e.g. log files)
- Use of logging and log evaluation systems
- Determination of authorized persons for the creation of data carriers and the processing of data
3. Measures for pseudonymization of personal data
Pseudonymization is the replacement of the name and other identifying characteristics by a mark for the purpose of excluding or making it significantly more difficult to determine the data subject. Measures in connection with the pseudonymization of personal data are:
- All IDs of a user (consentID, processorID, consentID) are pseudonymized with a SHA-256 cryptographic hash
- A pseudonymization concept is available in program form (including definition of the data to be replaced; pseudonymization rules, description of procedure, etc.)
Measures to ensure that personal data is protected against accidental destruction or loss:
- Use of centrally tested and approved standard software from secure sources
- Regular data backups or use of mirroring procedures
- Decommissioning of hardware (in particular servers) is carried out after a check of the data carriers used therein and, if applicable, after the relevant data records have been backed up
- Uninterruptible power supply (UPS) in the server room
- Separate storage of data sets collected for different purposes
- Multi-layered virus protection and firewall architecture
- Emergency planning (emergency plan for security and data protection breaches with concrete instructions for action)
- Fire/water and temperature early warning system in the server rooms
- Fire protection doors
5. Procedures for restoring the availability of personal data after a physical or technical incident
Ensuring recoverability requires not only sufficient backups but also action plans that can restore ongoing operations in disaster scenarios.
To this end, the following measures are taken, in part by subcontractor OVH GmbH:
- Daily backup of the entire server
- Service Level Agreements (SLAs) with service providers
- Backup procedures
- Redundancy (e.g., mirroring of hard disks)
- Firewall, IDS/IPS
- Fire protection and extinguishing water protection
- Monitoring of alarms
- Plans for failure, emergency and recovery
6. Procedures for regular review, assessment and evaluation of the effectiveness of technical and organizational measures
Regular review, assessment and evaluation of the effectiveness of technical and organizational measures to ensure the security of processing shall be carried out as part of the implementation of:
- regular revisions of the security concept
- information on emerging vulnerabilities and other risk factors, revision of risk analysis and assessment if necessary
- audits by the data protection officer and the information security officer, process controls by quality management
Appendix 2 to the Order Processing Agreement - Subcontractors
- St. Johanner Str. 41-43; server in Germany: hoster of website, service and databases
- ALL-INKL.COM - Neue Medien Münnich, Owner: René Münnich, Hauptstraße 68 | D-02742 Friedersdorf: e-mail and other server services
- Telekom Deutschland GmbH: telephone / internet access
- NetCologne Gesellschaft für Telekommunikation mbH, Am Coloneum 9: telephone / internet access
- Hetzner Online GmbH