- General provisions and subject matter of the contract
The subject of this contract is the processing of personal data by the processor on behalf of the client (Art. 28 GDPR). The content of the order, categories of data subjects and types of data as well as the purpose of the agreement can be found in Annex 1.
The Client is the responsible party within the meaning of Art. 4 No. 7 GDPR. He alone is responsible for assessing the permissibility of the data processing operations in accordance with Art. 6 GDPR and for safeguarding the rights of the data subjects.
The processing of the data by the processor takes place exclusively on the territory of the Federal Republic of Germany, a member state of the European Union or a contracting state of the EEA Agreement. Processing outside these states shall only take place under the conditions of Chapter 5 of the GDPR (Art. 44 et seq.) and with the prior consent of the client.
The remuneration shall be agreed upon outside of this contract.
- Contract term and termination
The present contract is concluded for an indefinite period of time and may be terminated by either contracting party with three months’ ordinary notice. The right to extraordinary termination for good cause remains unaffected.
- Instructions of the client
The client has a comprehensive right to issue instructions to the processor regarding the type, scope and modalities of data processing. In this role, he may, in particular, demand the immediate deletion, correction, blocking or surrender of the data that is the subject of the contract. The Processor is obligated to comply with the Client’s instructions, provided that there are no legitimate contractual or legal interests to the contrary.
The Processor shall inform the Customer without undue delay if it is of the opinion that an instruction of the Customer violates statutory provisions. If an instruction is issued, the legality of which the Processor substantially doubts, the Processor shall be entitled to temporarily suspend its execution until the Customer again expressly confirms or amends it.
Instructions must always be given in writing or in an electronic format (e.g. by e-mail). Verbal instructions shall be confirmed in writing or in an electronic format by the Customer at the request of the Processor. The Processor shall record the person, date and time of the verbal instruction in an appropriate form.
At the request of the Processor, the Customer shall designate one or more persons authorized to issue instructions. The Processor must be notified of any changes without delay.
- Control powers of the client
The Customer shall be entitled to check compliance with the statutory and contractual provisions on data protection and data security prior to the commencement of data processing and during the term of the contract on a regular basis to the extent required or to have this checked by third parties. The Processor shall tolerate these controls and support them to the extent necessary. In particular, it shall provide the Customer with complete and truthful information relevant to the inspections, grant it access to the stored data and data processing programs/systems, and enable on-site inspections. If the Customer has consented to the processing of data outside the business premises (e.g. private home), the Processor shall ensure that the Customer may also enter these premises for inspection purposes.
The Customer shall ensure that the control measures are proportionate and do not affect the Processor’s operations more than necessary. In particular, on-site inspections shall generally be carried out during normal business hours and by appointment with reasonable advance notice, provided that the purpose of the inspection does not conflict with prior notice.
The results of the checks and instructions shall be recorded in an appropriate manner by both contracting parties.
- General obligations of the processor
The processing of the contractual data by the Processor shall be carried out exclusively on the basis of the contractual agreements in connection with any instructions issued by the Customer. Any processing that deviates from this is only permitted on the basis of mandatory European or member state legal provisions (e.g. in the case of investigations by law enforcement or state protection authorities). If processing is required by mandatory law, the Processor shall notify the Client thereof prior to the processing, unless the relevant law prohibits such notification due to an important public interest.
The processor shall comply with all statutory provisions when performing the contract. In particular, it shall implement the technical and organizational measures required under Art. 32 GDPR and shall comply with the obligation under Art. 30 para. 2 GDPR to keep a register of processing activities.
If the Processor is required to appoint a data protection officer in accordance with the GDPR or other statutory provisions, it confirms that it has selected such an officer in accordance with the statutory provisions and assures the Customer that it will appoint such an officer, providing its contact details (e.g. by e-mail). The Client shall be informed immediately of any changes to the person and/or contact details of the data protection officer.
Data processing outside the premises of the processor or subcontractors and / or in private residences (e.g. remote access or home office of the processor) is only permitted with the express consent of the client.
The Processor shall ensure that the persons authorized to process the Personal Data have committed themselves to confidentiality or are subject to an appropriate legal duty of confidentiality (Art. 28(3)(b) GDPR). Before submitting to the obligation of confidentiality, the persons concerned may not have access to the personal data provided by the Client.
The Processor shall regularly and independently monitor the fulfillment of its obligations and document it in an appropriate manner.
- Technical and organizational measures
The Processor has defined appropriate technical and organizational measures to ensure an adequate level of protection and recorded them in Annex 2 to this Agreement. The measures described there were selected in compliance with the requirements of Art. 32 GDPR and agreed with the client.
The Processor shall review and adapt the technical and organizational measures as required and / or as the occasion arises. Any necessary adjustments shall be documented by the Processor and made available to the Client upon request. Significant changes that could reduce the level of protection must be agreed in advance with the client.
- Support obligations of the processor
The Processor shall assist the Client pursuant to Art. 28 par. 3 lit. e GDPR in its obligations to protect the rights of data subjects under Chapter III, Art. 12 – 22 GDPR. This applies in particular to the provision of information and the deletion, correction or restriction of personal data. The scope of the duty to provide assistance is determined on a case-by-case basis, taking into account the nature of the processing.
The Processor shall further assist the Customer pursuant to Art. 28 par. 3 lit. f GDPR with its obligations according to Art. 32 – 36 GDPR (in particular notification obligations). The scope of this duty to assist shall be determined on a case-by-case basis, taking into account the nature of the processing and the information available to the processor.
- Use of sub-processors (subcontractors)
The Processor shall be entitled to use sub-processors (subcontractors) only with the consent of the Customer. All subcontractor relationships of the Processor already existing at the time of the conclusion of the Agreement and expressly confirmed by the Customer are conclusively attached to this Agreement in Annex 3. For the subcontractors listed in Annex 3, consent shall be deemed to have been granted upon signature of this Agreement. If the Processor intends to use additional subcontractors, it shall notify the Customer thereof in writing or electronically so that the Customer can check their use. If no approval is given by the client, the subcontractors concerned may not be used.
Subcontractors are selected by the Processor in compliance with legal and contractual requirements. Ancillary services used by the Processor for the performance of its business activities do not constitute subcontracting relationships. Ancillary activities in this sense include, in particular, telecommunications services without any specific reference to the main service, postal and transport services, maintenance and user services as well as other measures intended to ensure the confidentiality and integrity of the hardware and software and which have no specific reference to the main service. However, the Processor shall also ensure compliance with the statutory data protection standards for these third-party services.
All contracts between Processor and Subprocessor (subcontracts) must comply with the requirements of this Agreement and the statutory provisions on the processing of personal data on behalf; this concerns in particular the implementation of appropriate technical and organizational measures in accordance with Art. 32 GDPR in the Subcontractor’s business. The subcontractor agreements shall furthermore ensure that the control and instruction powers agreed in the present agreement can also be exercised by the Client in the same manner and to the full extent vis-à-vis the subcontracted processor. In the event of a corresponding request by the Customer, the Processor shall be obliged to provide information on the obligations of the subcontractor relevant under data protection law and, if necessary, to inspect the corresponding contractual documents or control and supervision results as well as corresponding documentation, protocols and directories of the Processor or to request the transmission of copies of these documents.
The contract with the subcontractor shall specify the responsibilities of the subcontractor so that the client can verify them accordingly. Furthermore, the contract with the subcontractor must ensure that the client can exercise the same rights of control vis-à-vis the subcontractor as it is entitled to vis-à-vis the processor. The Processor shall ensure that the instructions issued by the Customer are also followed and recorded by the subcontractors. Compliance with these obligations shall be checked and documented by the Processor prior to the conclusion of the contract with the subcontractor and regularly thereafter.
The forwarding of data to the sub-processor is permitted only after the sub-contractor has fulfilled its obligations under Art. 32 para. 4 and Art. 29 GDPR vis-à-vis the persons subordinated to it.
The Processor shall be responsible for the compliance with the data protection provisions by the sub-processors it uses. He is liable vis-à-vis the client for compliance with the legal and contractual data protection obligations.
The Processor shall obtain confirmation from its sub-processors that they have appointed a data protection officer – to the extent required by law.
The commissioning of subcontractors in third countries is only permitted if the legal requirements of Art. 44 et seq. GDPR are met and the client has given its consent.
- Notification obligations of the processor
Violations of this Agreement, of the Client’s instructions or of other provisions of data protection law shall be reported to the Client without undue delay; the same shall apply in the event of a corresponding justified suspicion. This obligation shall apply regardless of whether the breach was committed by the Processor itself, a person employed by it, a sub-processor or any other person it has used to fulfill its contractual obligations.
The Processor is obligated to support the Client in fulfilling its statutory information obligations pursuant to Art. 33 and 34 of the GDPR. Independent notifications to authorities or data subjects pursuant to Art. 33 and 34 GDPR may only be carried out by the Processor after prior instruction by the Principal.
If a data subject, an authority or another third party requests the Processor to provide information, correction, blocking or deletion, the Processor shall immediately forward the request to the Customer; in no case shall the Processor comply with the data subject’s request without the Customer’s consent.
The Processor shall inform the Customer without undue delay if supervisory actions or other measures of an authority are imminent which could also affect the processing, use or collection of the personal data provided by the Customer. In addition, the Processor shall inform the Customer without undue delay of any events or measures taken by third parties that could jeopardize or impair the data that is the subject of the contract.
- Termination of contract, deletion and return of data
After completion of the contractual data processing or after termination of this Agreement, the Processor shall delete or return all personal data at the discretion of the Customer, provided that there is no longer a legal obligation to store the data in question (e.g. statutory retention periods). The Customer shall be entitled to review the measures taken by the Processor in an appropriate manner. For this purpose, it shall in particular be entitled to inspect the relevant deletion logs and the data processing systems concerned on site.
- Data secrecy and confidentiality
The Processor shall be obligated for an unlimited period of time and beyond the end of this Agreement to treat the personal data obtained within the scope of this contractual relationship as confidential and to comply with relevant secrecy regulations to which the Client is subject (e.g. Section 203 of the German Criminal Code). The Customer shall be obliged to inform the Order Processor of any special rules for the protection of secrets that may exist when the order is placed.
The Processor undertakes to familiarize its employees with the relevant data protection provisions and secrecy rules and to oblige them to maintain confidentiality before they commence their activities with the Processor.
The Processor shall document compliance with the measures specified in this clause in an appropriate manner. The documentation shall be presented to the Client upon request.
- Final provisions
Amendments to this Agreement and ancillary agreements must be made in writing or electronically and must clearly indicate that and which amendment or supplement to these Terms and Conditions they are intended to effect.
Should the GDPR or other legal regulations referred to change during the term of the contract, the references here shall also apply to the respective successor regulations.
Should individual parts of this agreement be or become invalid, this shall not affect the validity of the remaining provisions.
All annexes to this contract are part of the contract.
Annex 1 – Order details
This contract includes (in connection with the main contract, if applicable) the following services:
The client is a business engaged in intermediation of any kind in the tourism sector. It is agreed between the parties that the client arranges city tours, assistance services, travel services and special tours (including geocaching, culinary tours, Christmas hikes) with independent tour guides. Services beyond the brokerage service are not performed by the client and are also not owed. In this respect, the contractor is free in its performance and is not subject to instructions from the client with regard to the type of execution.
The Contractor shall carry out all guided tours in accordance with the order and the additional agreements made on its own responsibility and independently. The tour guide must adhere to the general conditions of the order, but is free in the specific design of the tour, unless otherwise expressly agreed.
In the context of the contractual provision of services, the following types of data are regularly processed:
- First name
- Phone number
- Email address
- Food preferences
- Payment data
The group of persons concerned by the data processing are:
- Customers employees
- Subcontractors of customers
The access to the data concerned happens in the following way:
- App Humanity
- Google Spreadsheets
The Client is subject to the following special secrecy protection rules, which must also be observed by the Processor:
- § 203 StGB
Annex 2 – List of existing technical and organizational measures of the processor according to Art. 32 GDPR
The Processor shall implement the following technical and organizational measures to protect the Personal Data subject to the Contract. The measures were defined in accordance with Art. 32 GDPR and coordinated with the client.
I. Earmarking and separability
The following measures ensure that data collected for different purposes are processed separately:
- Logical client separation (software-side)
- Authorization concept
- Encryption of data sets processed for the same purpose
- Providing the records with purpose attributes / data fields / signatures
- Separation of productive and test system
II. Confidentiality and integrity
The following measures ensure the confidentiality and integrity of the Processor’s systems:
The data or data carriers processed in the order are encrypted in the following manner:
- PGP Email Encryption
- End-to-end encryption of chat messages
The following measures have been taken to prevent unauthorized persons from gaining access to the data processing systems with which personal data are processed or used (access control):
- Alarm system
- Automatic access control system
- Locking system with code lock
- Video surveillance of the entrances
- Security locks
- Key regulation (key issue etc.)
- Logging of visitors
- Careful selection of cleaning personnel
The following measures have been taken to prevent unauthorized third parties from using the data systems (access control):
- Assignment of user rights
- Create user profiles
- Password assignment
- Assignment of user profiles to IT systems
- Encryption of mobile IT systems
- Encryption of mobile data media
- Encryption of the data backup systems
- Security locks
- Key regulation (key issue etc.)
- Logging of visitors
- Careful selection of cleaning personnel
- Obligation to carry authorization cards
- Use of central smartphone administration software (e.g. for external deletion of data)
- Use of anti-virus software
- Encryption of data carriers in laptops / notebooks
- Use of a hardware firewall
- Use of a software firewall
The following measures have been taken to ensure that those authorized to use a data processing system can only access the data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage (access control):
- Authorization concept
- Management of rights by system administrator
- Regular review and updating of access rights (especially when employees leave the company or similar)
- Number of administrators is reduced to the “bare minimum”
- Logging of accesses to applications, especially when entering, changing and deleting data
- Secure storage of data media
- Physical deletion of data carriers before reuse
- Proper destruction of data carriers (DIN 66399)
- Use of document shredders or service providers (if possible with data protection seal of approval)
- Logging of the destruction
- Encryption of data carriers
The following measures can be used to subsequently check and determine whether and by whom personal data have been entered into, modified or removed from data processing systems (input control):
- Logging of the entry, modification and deletion of data
- Create an overview showing which applications can be used to enter, change and delete which data.
- Traceability of input, modification and deletion of data through individual user names (not user groups)
- Retention of forms from which data have been transferred to automated processing operations
- Assignment of rights to enter, change and delete data on the basis of an authorization concept
The following measures ensure that personal data processed on behalf of the customer can only be processed in accordance with the customer’s instructions (order control):
- Selection of the processor under due diligence aspects (in particular with regard to data security)
- Prior verification and documentation of the security measures taken by the processor
- Written instructions to the processor (e.g. by order processing contract)
- Obligation of the employees of the processor to maintain data secrecy
- Ensuring the destruction of data after the completion of the order
- Effective control rights agreed with the processor
- Ongoing review of the processor and its activities
- Contractual penalties for violations
The following measures ensure that personal data cannot be obtained or viewed by unauthorized persons during transfer (physical and/or digital) (transport or transfer control):
- Encryption of communication channels (e.g. encryption of e-mail traffic)
- Sealing of physical data carriers during transport
III. Availability, recoverability and resilience of the systems
The following measures ensure that the data processing systems used function properly at all times and that personal data are protected against accidental destruction or loss:
- Uninterruptible power supply (UPS)
- Air conditioning of the server rooms
- Devices for monitoring temperature and humidity in server rooms
- Protective socket strips in server rooms
- Fire and smoke detection systems in server rooms
- Fire extinguishers in server rooms
- Alarm message in case of unauthorized access to server rooms
- Creation of a backup & recovery concept
- Testing data recovery
- Creation of an emergency plan
- Keeping data backup in a secure, off-site location
- Server rooms not under sanitary facilities
- In flood zones: Server rooms above the water line
- Resilient data backup and recovery concept in place
- Special data protection measures
The following are available in writing:
2. Review, evaluation and adaptation of the present measures.
The Processor shall review, evaluate and, if necessary, adapt the technical and organizational measures set forth in this Annex at 12-month intervals and as required.
Annex 3 – List of existing subcontractors at the time of conclusion of the contract.
- Tax consultant Martina Essl, Hauzenberg
- Olschar Law Office, Passau