Addendum on commissioned data processing
These provisions on commissioned data processing supplement the General Terms and Conditions of Jungherz GmbH as operator of the AppConfector brand (hereinafter referred to as the "Contractor"). As an integral part of those terms, you as a customer (hereinafter referred to as the "Client") agree to this addendum automatically within the scope of a business relationship. In the event of a conflict between these provisions and the General Terms and Conditions, these provisions take precedence with regard to commissioned data processing.
The Contractor (hereinafter also referred to as the "processor") and the Client are hereinafter jointly referred to as "the Parties".
The Parties agree that, upon entry into force of this Agreement on commissioned processing, the existing Agreement on commissioned data processing between the Parties pursuant to Section 11 of the former German Federal Data Protection Act (BDSG, in the version applicable before 25 May 2018) and any other agreements on commissioned data processing shall be terminated by mutual consent and replaced by this new Agreement on commissioned processing.
(1) The processor processes personal data on behalf of the Client within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR; German abbreviation DSGVO, used hereinafter). This contract governs the rights and obligations of the parties in connection with the processing of personal data.
(2) Insofar as the term "data processing" or "processing" (of data) is used in this contract, the definition of "processing" within the meaning of Art. 4 No. 2 DSGVO shall apply.
(3) All references in this Agreement to the DSGVO (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)) refer to the DSGVO in its current version.
2. Subject of the order
The subject matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are specified in Annex 1 to this contract.
3. Rights and obligations of the client
(1) The client is the controller within the meaning of Art. 4 No. 7 DSGVO for the data processed by the processor on its behalf. In accordance with Section 4 (5) of this Agreement, the processor is entitled to inform the client if, in its opinion, data processing that is legally impermissible is the subject of the order and/or of an instruction.
(2) The client is responsible for safeguarding the rights of data subjects. The processor shall inform the client without delay if data subjects assert their rights against the processor.
(3) The client has the right to issue additional instructions to the processor at any time regarding the nature, scope and procedure of the data processing. Instructions may be given in text form (e.g. by e-mail).
(4) Provisions on any remuneration of additional expenses incurred by the processor as a result of supplementary instructions issued by the client remain unaffected.
(5) The client shall inform the processor without delay if it detects errors or irregularities in connection with the processing of personal data by the processor.
(6) Where the client is subject to an obligation to notify third parties pursuant to Art. 33, 34 DSGVO or to any other statutory notification obligation, the client is responsible for complying with that obligation.
4. General obligations of the processor
(1) The processor processes personal data exclusively within the scope of the agreements made and/or in compliance with any supplementary instructions issued by the client. Excepted from this are statutory provisions that may oblige the processor to process the data in another way. In such a case, the processor shall notify the client of these legal requirements prior to processing, unless the law in question prohibits such notification on grounds of an important public interest. The purpose, nature and scope of the data processing are otherwise governed solely by this Agreement and/or the client's instructions. Any processing of data deviating from this is prohibited for the processor unless the client has consented to it in writing.
(2) The processor undertakes to carry out the data processing only in member states of the European Union (EU) or the European Economic Area (EEA).
(3) Within the scope of the commissioned processing of personal data, the processor guarantees the contractual execution of all agreed measures.
(4) The processor is obliged to organise its company and its operating procedures in such a way that the data it processes on behalf of the client are secured to the extent necessary in each case and protected against unauthorised access by third parties. The processor shall agree in advance with the client any changes to the organisation of the commissioned data processing that are significant for the security of the data.
(5) The processor shall inform the client without delay if, in its opinion, an instruction issued by the client violates statutory provisions. The processor is entitled to suspend execution of the instruction in question until it is confirmed or amended by the client. If the processor can demonstrate that processing in accordance with the client's instructions may give rise to liability of the processor pursuant to Art. 82 DSGVO, the processor is entitled to suspend further processing in this respect until the question of liability between the parties has been clarified.
(6) Processing of data on behalf of the client outside the business premises of the processor or of a subcontractor is permitted only with the client's consent in written or text form. Processing of the client's data in private homes is permitted only with the client's consent in written or text form in the individual case.
(7) The processor shall process the data it processes on behalf of the client separately from other data. Physical separation is not mandatory.
5. Data protection officer of the processor
(1) The processor confirms that it has appointed a data protection officer in accordance with Art. 37 DSGVO. The processor shall ensure that the data protection officer has the necessary qualifications and expertise. The processor shall inform the client separately in text form of the name and contact details of its data protection officer.
(2) The obligation to appoint a data protection officer pursuant to paragraph 1 may be waived at the client's discretion if the processor can prove that it is not legally obliged to appoint a data protection officer and that operational arrangements exist which ensure that personal data are processed in compliance with the statutory provisions, the provisions of this agreement and any further instructions of the client.
6. Reporting obligations of the processor
(1) The processor is obliged to notify the client without delay of any violation of data protection provisions or of the contractual agreements made and/or the instructions issued by the client that has occurred in the course of the processing of data by the processor or by other persons involved in the processing. The same applies to any breach of the security of personal data processed by the processor on behalf of the client.
(2) Furthermore, the processor shall inform the client without delay if a supervisory authority takes action against the processor pursuant to Art. 58 DSGVO and this may also concern an inspection of the processing that the processor performs on behalf of the client.
(3) The processor is aware that the client may be subject to a notification obligation pursuant to Art. 33, 34 DSGVO, which provides for notification of the supervisory authority within 72 hours of becoming aware of a breach. The processor shall support the client in fulfilling these notification obligations. In particular, the processor shall notify the client of any unauthorised access to personal data processed on behalf of the client without delay, and at the latest within 48 hours of becoming aware of such access. The processor's notification to the client must in particular contain the following information:
- a description of the nature of the personal data breach, where possible including the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- a description of the measures taken or proposed by the processor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
7. Cooperation obligations of the processor
(1) The processor shall support the client in fulfilling its obligation to respond to requests for the exercise of data subject rights pursuant to Art. 12-23 DSGVO. The provisions of Section 11 of this Agreement apply.
(2) The processor shall assist the client in drawing up the records of processing activities. The processor shall provide the client with the necessary information in a suitable manner.
(3) Taking into account the nature of the processing and the information available to it, the processor shall assist the client in complying with the obligations set out in Art. 32-36 DSGVO.
(4) The processor is entitled to demand reasonable, expense-based remuneration from the client for these services.
8. Control rights
(1) The client has the right, at any time and to the extent necessary, to verify that the processor complies with the statutory data protection provisions, with the contractual provisions agreed between the parties and with the client's instructions.
Proof of compliance with the obligations incumbent on a processor under the DSGVO should primarily be provided by independent audit reports and certifications.
If the client, on the basis of factual evidence, has reasonable doubts that the audit reports or certifications are insufficient or incorrect, or if specific incidents within the meaning of Art. 33 para. 1 DSGVO in connection with the performance of the commissioned processing for the client justify it, the client may carry out inspections in accordance with Section 8 (2).
(2) In order to enable the client to inspect the commissioned processing and in particular to verify the technical and organisational measures implemented by the processor before the start of and regularly during the data processing, the processor shall permit inspection by a neutral third party (sworn auditor) commissioned by the client. The processor is entitled to schedule inspection dates in line with its operational possibilities. The inspection shall be made possible within a reasonable period after the request. Alternatively, the processor may satisfy the client's right of inspection by providing an inspection report prepared on the processor's behalf by an independent, sworn auditor. The exercise of the right of inspection shall not unduly disturb the processor's business operations or be abusive.
(3) The processor is entitled to demand reasonable remuneration from the client for inspections within the meaning of Section 8 (2).
9. Subcontracting relationships
(1) The engagement of subcontractors by the processor is permitted only with the client's consent in text form. The processor shall list all subcontracting relationships existing at the time of conclusion of the contract in Annex 2 to this contract.
(2) The processor shall select the subcontractor carefully and verify, before placing the order, that the subcontractor is able to comply with the agreements made between the client and the processor. In particular, the processor shall verify in advance and regularly during the term of the contract that the subcontractor has implemented the technical and organisational measures required under Art. 32 DSGVO for the protection of personal data. The processor shall document the result of this verification and make it available to the client upon request.
(3) The processor is obliged to obtain confirmation from the subcontractor that the latter has appointed a company data protection officer in accordance with Art. 37 DSGVO. If the subcontractor has not appointed a data protection officer, the processor shall inform the client of this and provide information showing that the subcontractor is not legally obliged to appoint one.
(4) The processor shall ensure that the provisions agreed in this contract and any supplementary instructions of the client also apply to the subcontractor.
(5) The processor shall conclude a contract with the subcontractor that complies with the requirements of Art. 28 DSGVO. In addition, the processor shall impose on the subcontractor the same obligations for the protection of personal data as those established between the client and the processor.
(6) In particular, the processor is obliged to ensure by contractual provisions that the control rights of the client and of the supervisory authorities (Section 8 of this contract) also apply to the subcontractor, and that corresponding control rights are agreed in favour of the client and the supervisory authorities. Furthermore, it shall be contractually agreed that the subcontractor shall tolerate these control measures and any on-site inspections.
(7) Subcontracting relationships within the meaning of paragraphs 1 to 6 do not include services that the processor obtains from third parties as purely ancillary services in order to carry out its business activity. Such services include, for example, cleaning services, pure telecommunications services without any specific reference to the services that the processor provides for the client, postal and courier services, transport services and security services. The processor is nevertheless obliged to ensure, also in the case of ancillary services provided by third parties, that appropriate precautions and technical and organisational measures have been taken to ensure the protection of personal data. The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship and commissioned processing within the meaning of Art. 28 DSGVO requiring approval if the maintenance and servicing concerns IT systems that are also used in connection with the provision of services for the client and if personal data processed on behalf of the client can be accessed during maintenance.
10. Confidentiality obligation
(1) When processing data on behalf of the client, the processor is obliged to maintain the confidentiality of data that it receives or becomes aware of in connection with the order. The processor undertakes to observe the same rules on the protection of secrets as those incumbent on the client. The client is obliged to inform the processor of any special rules on the protection of secrets.
(2) The processor warrants that it is aware of the applicable data protection provisions and is familiar with their application. The processor further warrants that it has familiarised its employees with the data protection provisions applicable to them and has bound them to confidentiality. The processor further warrants that it has in particular bound the employees involved in the performance of the work to confidentiality and has informed them of the client's instructions.
(3) The commitment of the employees pursuant to paragraph 2 shall be proven to the client on request.
11. Protection of data subject rights
(1) The client is solely responsible for safeguarding the rights of data subjects. The processor is obliged to support the client in fulfilling its obligation to handle requests from data subjects pursuant to Art. 12-23 DSGVO. In particular, the processor shall ensure that the information required for this purpose is provided to the client without delay, so that the client can fulfil its obligations under Art. 12 para. 3 DSGVO.
(2) Insofar as the processor's cooperation is necessary for the client to safeguard data subject rights, in particular the rights to information, rectification, blocking or erasure, the processor shall take the measures necessary in each case in accordance with the client's instructions. Where possible, the processor shall support the client with suitable technical and organisational measures in meeting its obligation to respond to requests for the exercise of data subject rights. The processor is entitled to demand reasonable remuneration from the client for these services.
(3) This is without prejudice to any provisions on the remuneration of additional expenses incurred by the processor as a result of cooperation services in connection with the assertion of data subject rights against the client.
12. Secrecy obligations
(1) Both parties undertake to treat all information received in connection with the execution of this contract as confidential for an unlimited period of time and to use it only for the execution of the contract. Neither party shall be entitled to use this information in whole or in part for purposes other than those just mentioned or to make this information available to third parties.
(2) The above obligation shall not apply to information which one of the parties has demonstrably received from third parties without being obliged to maintain secrecy or which is publicly known.
13. Remuneration
The processor shall not receive separate remuneration for this contract.
14. Technical and organizational measures for data security
(1) The processor undertakes to the client to comply with the technical and organisational measures required under the applicable data protection provisions. This includes in particular the requirements of Art. 32 DSGVO.
(2) The status of the technical and organisational measures existing at the time of conclusion of the contract is attached to this contract as Annex 3. The parties agree that changes to the technical and organisational measures may become necessary in order to adapt to technical and legal conditions. Significant changes that may affect the integrity, confidentiality or availability of personal data shall be agreed in advance by the processor with the client. Measures involving only minor technical or organisational changes that do not adversely affect the integrity, confidentiality or availability of the personal data may be implemented by the processor without consulting the client. The client may request an up-to-date version of the technical and organisational measures implemented by the processor at any time.
(3) The processor shall check the effectiveness of the technical and organisational measures it has implemented on a regular basis and as required. If there is a need for optimisation and/or modification, the processor shall inform the client.
15. Duration of the contract
(1) The contract commences upon commissioning and is concluded for an indefinite period.
(2) The contract ends upon termination of the main contract (an app package or any other service) without the need for separate termination.
Any deletion and return obligations after termination of this Agreement are governed by Section 16.
(3) The client may terminate the contract at any time without notice if there is a serious breach of the data protection provisions applicable to the processor or of obligations under this contract, if the processor is unable or unwilling to carry out an instruction issued by the client, or if the processor refuses access to the client or the competent supervisory authority in breach of the contract.
16. Return and deletion of data
(1) After termination of the contract, the processor shall, at the client's option, return to the client or delete all documents, data and processing or usage results created that have come into its possession in connection with the contractual relationship. The deletion shall be documented in a suitable manner. Any statutory retention obligations or other obligations to store the data remain unaffected. Data carriers must be destroyed where the client requests deletion, whereby at least security level 3 of DIN 66399 must be complied with; the processor must provide the client with evidence of the destruction, stating the security level in accordance with DIN 66399.
(2) The client has the right to verify the complete and contractually compliant return and deletion of the data at the processor. This may also be done by inspecting the data processing equipment at the processor's premises. The client shall announce the on-site inspection with reasonable notice.
17. Right of retention
The parties agree that the assertion of a right of retention by the processor pursuant to § 273 BGB (German Civil Code) with regard to the processed data and the associated data carriers is excluded.
18. Final provisions
(1) If the client's property at the processor's premises is endangered by measures of third parties (such as seizure or confiscation), by insolvency proceedings or by other events, the processor shall inform the client without delay. The processor shall inform the creditors without delay that the data are being processed on behalf of the client under a commissioned processing relationship.
(2) Ancillary agreements must be made in writing.
(3) Should individual provisions of this contract be invalid, this shall not affect the validity of the remaining provisions.
Annex 1 - Subject of the order
1. Subject and purpose of the processing
The client's order to the processor comprises the following work and/or services: provision of mobile applications (described in more detail in the applicable service description) as well as web pages with similar content. This includes the collection, processing and forwarding of the data recorded.
2. Type(s) of personal data
The following types of data are regularly processed: traffic data, content data, contact data, personal master data and communication data (name, address, telephone number, fax number, e-mail address).
3. Categories of data subjects
Persons affected by the data processing: users of the client's account, calling and called parties or senders/recipients of SMS/fax messages, employees, customers, business partners, interested parties and service providers of the client.
If the client is a partner of the processor: contact, personal master and communication data (name, address, telephone number, fax number, e-mail address) of the contractors/companies referred by the partner that has placed the order.
The client is obliged to inform the users of the account and, where necessary, the works council or comparable employee representatives about the processing of the data listed under item 2.
4. Place of data processing
All data are processed on servers in Germany.
Annex 2 - Subcontractors
For the processing of data on behalf of the client, the processor uses the services of third parties that process data on its behalf ("subcontractors").
The processor uses various subcontractors to provide its services.
These subcontractors are, initially, the following companies engaged by the processor, which provide preliminary work for the realisation of the processor's services. The necessary contractual agreements for the processing of these data are in place between the companies.
These are the following companies:
Jungherz GmbH, Prinz-Leopold-Platz 1, 46284 Dorsten,
Mailjet GmbH, c/o Mindspace, Friedrichstrasse 68, 10117 Berlin,
Google Cloud Products, Google LLC, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA
netcup GmbH, Daimlerstrasse 25, D-76185 Karlsruhe
Digistore24 GmbH, St.-Godehard-Str. 32, 31139 Hildesheim
CopeCart GmbH, Ufnaustrasse 10, 10553 Berlin
Annex 3 - Technical and organisational measures of the processor
The processor implements the following technical and organisational measures for data security within the meaning of Art. 32 DSGVO.
In order to prevent unauthorised physical access to the data processing systems with which data are processed or used, the processor and its subcontractors, such as netcup and Google Cloud, have implemented extensive formal access control processes.
The locations used house server rooms and a server technology room. For access, electronic keys are issued to selected employees of the subcontractor. A key only authorises the respective employee of the subcontractor to open/close the individual doors approved for that key. All opening and closing operations of a key are logged electronically together with the unique ID of the key. Only employees of the subcontractor directly authorised by the management are responsible for administering the keys.
The server room is locked at all times and can only be entered by selected employees of the subcontractor.
Within the building of the respective location, the access rights of the subcontractor's employees, including those who hold a key, are limited to what is necessary for the specific task to be performed.
During business hours, persons entering the building are checked at the permanently staffed reception desk. Outside business hours, all entrances to the building are locked and alarm-protected. The building is additionally secured by a security service. All alarms from the alarm system are reported directly to a security service.
Standard security measures are applied in all data centres. These correspond to the state of the art and the best practices of the IT industry. They include electronic access control systems with logging, so that only authorised persons can enter the building, alarm systems, video surveillance inside and outside, 24/7 security personnel, perimeter protection with barbed wire, and protection by external security services that are informed automatically via a dedicated alarm line in the event of an alarm.
The keys to the individual rooms and cages in the data centre must always be collected from security personnel.
In order to ensure that persons authorised to use a data processing system can only access the data covered by their access authorisation, and that stored data or data being processed cannot be read, copied, changed or removed by unauthorised persons, the processor uses a central system for managing access authorisations. All accesses are logged locally and on the central log server. Administrative rights can only be exercised via a central administration program.
Access to all data is restricted for all authorised persons to what is necessary to fulfil their specific tasks. The statutory data protection requirements, in particular those of the DSGVO and the TKG (German Telecommunications Act), are observed.
The processor processes the data on server systems that are logically separated on the network by a system of logical and physical access controls.
To ensure that it can subsequently check and determine whether and by whom data have been entered into, changed in or removed from the data processing systems, the processor logs all accesses to the client's stored data locally and on the central log server.
In order to ensure that data cannot be read, copied, changed or removed by unauthorised persons during electronic transmission, transport or storage, and that it is possible to verify to which recipients data are intended to be transferred by data transmission facilities, access to all systems that process client data is subject to effective access controls. These access control mechanisms are already described in more detail above.
3. Availability and resilience
The processor uses a combination of redundant systems and backup solutions in all systems in order to protect the stored data and to be able to restore it if necessary. These systems are operated exclusively in premises secured and equipped in accordance with the current state of the art, which have the necessary air conditioning and fire and smoke alarm systems and for which detailed emergency plans exist.
4. Procedures for regular review, assessment and evaluation
All of the processor's own employees and those of the subcontractor are regularly trained on data protection issues. These trainings are conducted entirely in-house, so that they can be tailored precisely to the questions relevant to the processor. Individual questions are also dealt with in detail during these training sessions.
All employees of the processor who come into contact with the processing of personal data in the course of their work are obliged to treat personal data confidentially. This is done regularly when new employees are hired, by means of a contractual declaration of commitment that each employee must sign.
The processor has appointed a data protection officer. Together with his or her deputies, the data protection officer ensures that inquiries from data subjects are answered in a timely manner.
The processor maintains a record of processing activities within the meaning of Art. 30 para. 1 and 2 DSGVO. This record of processing activities is not public.
(as of March 19, 2020)