Contract for the Processing of Personal Data on Behalf (Order Processing Contract)
regarding
Contract for the Provision of the kroot Application, Posting of Job Advertisements, and Processing of Responses from Job Seekers Based on the Terms and Conditions of the Contractor.
concluded on the basis of the General Terms and Conditions,
– hereinafter referred to as "Main Contract" –
agreed between
kroot GmbH, Hochfeldstrasse 9, 86159 Augsburg, Germany
– hereinafter referred to as "Processor" –
and the
Customer of the Main Contract.
– hereinafter referred to as "Controller" –
– both hereinafter referred to as "the Contracting Parties" –
Preamble and Scope
The processor processes personal data on behalf of the controller. The order processing contract specifies the order processing with regard to its subject matter and the claims and obligations arising from the order processing relationship between the contracting parties.
1. Terminology and Definitions
- "Order Processing" - "Order processing" within the meaning of Article 4(8) GDPR means processing of personal data by a processor on behalf of the controller in accordance with the subject matter of this order processing contract, regardless of the number of intermediate processors involved.
- "Main Contract" - The term Main Contract encompasses all types of ongoing business relationships between the controller and the processor, within the framework of which the processor processes personal data on behalf of and in accordance with the instructions of the controller in line with the specifications of the subject matter of order processing in this order processing contract. If the applicability of this order processing contract has been otherwise limited (i.e., within this agreement or outside, in other contracts or regulations) to specific types, kinds, or specific business relationships, contracts, etc., these are understood to be the Main Contract. The term Main Contract also includes ongoing individual orders from the controller to the processor, which are issued by the controller within the framework of the Main Contract (e.g., in the case of framework contracts).
- "Controller" - A controller is a person or entity that alone or jointly with others determines the purposes and means of the processing (Article 4(7) GDPR).
- "Personal Data" - "Personal data" (hereinafter also briefly referred to as "data") are, pursuant to Article 4(1) GDPR, all information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- "Data Subjects" (Affected Persons) - Pursuant to Art. 4 No. 1 GDPR, persons who are identified or at least identifiable by means of personal data are referred to as data subjects (also "affected persons"). The data subjects affected by this processing on behalf are determined by the subject matter of the processing on behalf.
- "Third Parties" - According to Art. 4 No. 10 GDPR, "third parties" are natural or legal persons, public authorities, agencies or other bodies other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the personal data.
- "Sub-processing" - If a processor is not directly commissioned by the controller, but by a processor of the controller, "sub-processing" exists and the processors following the first processor are referred to as "sub-processors".
- "Electronic Format" - Declarations are considered to be made in "electronic format" according to Art. 28 Para. 9 GDPR if the declaring person is recognizable and the electronic declaration format is suitable for proving the declaration. "Electronic format" includes, in particular, text form, an agreement stored on durable media (e.g., email), digital signing procedures, or the use of dedicated online functions (e.g., in user accounts).
2. Subject of Processing on Behalf
- The processing on behalf is carried out within the framework of the following legal relationship (main contract): Contract for the provision of the kroot application, posting of job advertisements and processing of responses from job applicants based on the terms and conditions of the contractor.
- Details of the subject of processing on behalf, the personal data processed, the persons affected by the processing, as well as the type, scope, and purpose of the processing, are determined by the provisions of the annex "Subject of Processing on Behalf".
3. Type of Processing on Behalf
Insofar as the controller acts as the controller of the processing on behalf within the meaning of Art. 4(7) GDPR, it is responsible, within the framework of this data processing agreement, for compliance with the provisions of data protection law, in particular for the lawfulness of the data processing and the lawfulness of commissioning the processor. Insofar as the customer of the main contract itself acts as a processor for another controller, it commissions the processor as a sub-processor; the controller of that processing may directly invoke against the sub-processor the rights to which the customer is entitled under this data processing agreement.
4. Authority to Issue Instructions
- The processor may process personal data only within the framework of the main contract and the instructions of the controller, and only insofar as the processing is required within the framework of the main contract.
- The instructions are initially established by the main contract or this data processing agreement and may subsequently be amended, supplemented or replaced by the controller through individual instructions in written form or in electronic format (text form, e.g., email) addressed to the processor or to the entity designated by the processor.
- Oral instructions may be given where the circumstances require it (e.g., urgency); they must be confirmed in writing or in electronic format without delay.
- If the processor objectively believes that an instruction from the controller violates applicable data protection law, the processor shall inform the controller without delay and substantiate its view. In this case, the processor is entitled to suspend the execution of the instruction until the instruction is expressly confirmed by the controller and to reject instructions that are obviously unlawful.
- The processor may be subject to Union or Member State law, or to orders of authorities or courts, that oblige it to carry out processing or to provide information. In such a case, the processor shall inform the controller of this legal requirement before processing, unless the relevant law or order prohibits such notification on important grounds of public interest; in the event of such a prohibition, the processor shall take all possible and reasonable measures to prevent or restrict the mandatory processing.
- The processor shall document the instructions given to it and their implementation.
- The processor shall designate the contact persons authorized to receive instructions and shall notify the controller without delay of any changes in these contact persons or their contact details, as well as of deputies in the event of a permanent absence or incapacity.
5. Technical and Organizational Measures (Security and Protection Concept)
- The processor shall organize its internal operations within its area of responsibility in accordance with legal requirements and shall, in particular, implement technical and organizational measures (hereinafter 'TOMs') to adequately protect the controller's data, in particular its confidentiality, integrity and availability. These measures shall take into account the state of the art, the costs of implementation and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of data subjects. The processor shall ensure that these measures are maintained, in particular through regular, at least annual, evaluation. With regard to the protection of personal data, TOMs include in particular physical access control, system access control, data access control, transfer control, input control, order control, integrity and availability control, separation control and the safeguarding of data subjects' rights.
- The TOMs communicated by the processor at the time of contract conclusion define the minimum security level owed by the processor. The TOMs may be further developed in line with technical and legal developments and replaced by equivalent protective measures, provided that the security level of the defined measures is not fallen below and material changes are communicated to the controller. The description of the measures must be detailed enough for an informed third party to recognize without doubt that neither the legally required level of data protection nor the defined minimum security level is fallen below.
- The processor ensures that employees, agents, and other persons working for the processor who are involved in the processing of the data are prohibited from processing the personal data outside of the instructions. The processor also ensures that persons authorized to process the controller's data are trained in the legal and contractual data protection provisions and are committed to confidentiality and secrecy, or are subject to a corresponding and appropriate legal duty of secrecy. The processor ensures that persons involved in processing are continuously and appropriately instructed and monitored regarding the fulfillment of data protection requirements.
- The processor ensures that the personnel it employs for the processing take part, at appropriate intervals, in recurring training and awareness measures regarding the protection of personal data and compliance with statutory data protection regulations.
- The processing of personal data outside the processor's business premises (e.g., in home or mobile offices or via remote access) is permissible provided that the necessary technical and organizational measures are taken and documented, reflecting the specifics of these processing situations and in particular enabling sufficient control of the data processing (e.g., by concluding an agreement with employees on data protection in the home and mobile office). Upon request, the processor shall provide the controller with documentation of the technical and organizational measures implemented for such home, mobile or other remote processing.
- The processing of personal data on private devices of the processor's employees and agents is permissible only with the controller's consent.
- Where legally required, the processor appoints a data protection officer who meets the statutory requirements. The processor shall provide the controller with the contact details of the data protection officer and inform it of any subsequent changes.
- The processing operations carried out for the controller are documented separately by the processor, to a reasonable extent, in a record of processing activities and made available to the controller upon request.
- The data and data carriers provided under this data processing agreement, as well as all copies made of them, remain the property or in the possession of the controller and are subject to its control; they must be stored carefully by the processor, protected from access by unauthorized third parties, and may be destroyed only with the controller's consent. Destruction must be carried out in compliance with data protection regulations and in such a way that restoration, even of residual information, is no longer possible or is not to be expected with reasonable effort. Copies of data may be made only where necessary for the fulfillment of the processor's primary and ancillary obligations towards the controller (e.g., backups) and provided that the contractual and statutory level of data protection is maintained.
- The processor is obliged to ensure that the prompt return or deletion of data and data carriers required under this data processing agreement is also carried out by its sub-processors without delay.
- The processor must document the proper destruction or deletion of data and files under this data processing agreement and make this evidence available to the controller upon request.
- The assertion of a right of retention with regard to the data processed on behalf of the controller and the associated data carriers is excluded.
- The processor regularly provides, to a reasonable extent, evidence of the fulfillment of its obligations, in particular of the complete implementation of the agreed technical and organizational measures and their effectiveness (e.g., through regular checks, audits, etc.). This evidence must be provided to the controller upon request. Evidence may also be provided by adherence to approved codes of conduct or an approved certification procedure.
- If the security measures taken do not or no longer meet the requirements of this data processing agreement or the statutory requirements, the processor shall inform the controller immediately.
- The subcontracting relationships existing at the time this data processing agreement is concluded are listed by the processor in the 'Subcontracting Relationships' appendix (see section 9) and are accepted by the controller.
6. Duties of Information and Cooperation of the Data Processor
- The processor may disclose information to third parties or to the data subject only with the prior consent of the controller, or where a mandatory legal obligation, a court order or a statutory duty to provide information requires it. If a data subject approaches the processor and asserts data subject rights (in particular the rights to information, rectification or erasure of personal data), the processor will refer the data subject to the controller, provided the request can be attributed to the controller on the basis of the data subject's information. The processor will forward the data subject's request to the controller immediately and support the controller to a reasonable extent. The processor is not liable if the controller fails to answer the data subject's request, answers it incorrectly or answers it late, provided the processor is not responsible for this.
- The processor must inform the controller immediately and fully if it identifies errors or irregularities in the processing of personal data with regard to compliance with the provisions of this data processing agreement and/or the relevant data protection regulations. The processor will take the measures necessary to secure the personal data and to mitigate possible adverse effects on data subjects, and will coordinate with the controller without delay.
- The processor will promptly inform the controller if a supervisory authority takes action against the processor that may affect the data processed for the controller. The processor will support the controller in fulfilling its duties (especially regarding information and tolerating inspections) to supervisory authorities.
- If the security of the controller's personal data is threatened by measures of third parties (e.g., creditors, authorities, courts), such as seizure, confiscation or insolvency proceedings, the processor will promptly inform those third parties that sovereignty over and ownership of the data lie exclusively with the controller and, where necessary, take appropriate protective measures in consultation with the controller (e.g., file objections or applications).
- The processor will provide the controller with information concerning the processing of data under this data processing agreement that is necessary to fulfil the controller's legal obligations (which may especially include requests from data subjects or authorities and compliance with accountability obligations of a data protection impact assessment).
- The processor's duty to inform extends in the first instance to information available to the processor, its employees and its agents. The processor is not required to obtain information from third-party sources if the controller can reasonably obtain it itself and nothing else has been agreed.
- The processor must be able to demonstrate compliance with the contractual and legal obligations arising from data processing at any time by appropriate means.
7. Measures in Case of Threat or Violation of Data Protection
- In the event that the processor identifies facts that suggest a possible violation of the protection of personal data processed for the controller within the meaning of Art. 4 No. 12 GDPR, the processor must inform the controller immediately and fully, take necessary protective measures immediately, and support the controller in fulfilling its obligations, especially in connection with notifications to competent authorities or affected individuals.
- Information about a (possible) violation of the protection of personal data must be provided immediately, generally within 24 hours of becoming aware of it.
- The notification of the processor must include at least the following information in accordance with Art. 33 Para. 3 GDPR:
• Description of the nature of the personal data breach, where possible, indicating the categories of data affected and the approximate number of data subjects concerned and the approximate number of personal data records concerned;
• the name and contact details of the data protection officer or other contact point for further information;
• a description of the likely consequences of the personal data breach (e.g., providing further details: identity theft, financial loss, etc.);
• a description of the measures taken or proposed by the processor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
- Significant disruptions in the processing on behalf, as well as breaches of data protection regulations or of the stipulations of this data processing agreement by the processor or by persons employed or commissioned by it, must also be reported without delay.
8. Audits and Inspections
- The controller has the right, itself or through third parties, to monitor compliance with the statutory requirements and the provisions of this data processing agreement, in particular the TOMs, at the processor at any time and to the necessary extent, and to carry out the necessary audits, including on-site inspections.
- The processor must support the controller to the required extent during audits and inspections (e.g., by providing personnel and granting access and entry rights).
- On-site inspections take place during regular business hours and must be announced by the controller with a reasonable notice period (at least 14 days). In emergencies, i.e., when waiting would endanger the rights of the data subjects and/or the controller to an unreasonable extent, a reasonably shorter notice period may be chosen. Conversely, a longer notice period may be necessary (e.g., if extensive preparations have to be made or during vacation periods). A contracting party deviating from the notice period must justify the deviation.
- Audits are limited to the necessary scope and must respect the operational and business secrets of the processor as well as the protection of personal data of third parties (e.g., other customers or employees of the processor). Disruption of the processor's operations must be kept to a minimum. As far as the reason and purpose of the audit permit, an audit should be limited to spot checks.
- Only qualified persons who can identify themselves and who are bound to confidentiality and discretion with respect to the processor's operational and business secrets, internal processes and personal data may carry out the audit. The processor may request proof of such an obligation. If the auditor commissioned by the controller is a competitor of the processor or there is another justified reason for rejection, the processor has the right to object to that auditor.
- Instead of on-site inspections and controls, the processor may refer the controller to an equivalent control carried out by independent third parties (e.g., neutral data protection auditors), adherence to approved codes of conduct (Art. 40 GDPR), or appropriate data protection or IT security certifications in accordance with Art. 42 GDPR. This applies only if the referral is reasonable for the controller and if the nature and scope of the review and references correspond to the nature and scope of the controller's legitimate control intent. The processor undertakes to inform the controller without delay about the exclusion of approved codes of conduct in accordance with Art. 41(4) GDPR, the revocation of a certification in accordance with Art. 42(7) GDPR, and any other form of suspension or significant changes to the aforementioned evidence.
- The controller generally exercises its inspection right no more than every 12 months, unless a specific occasion (particularly a data protection breach, a security incident, or the result of an audit) necessitates inspections before the end of this period.
9. Subcontracting relationships
- Without prejudice to any restrictions in the main contract, the controller expressly agrees that the processor may engage subcontractors (sub-processors) in the context of the processing on behalf. The processor shall inform the controller of new subcontractors within a reasonable period before their deployment, as a rule 14 business days, giving the controller the opportunity to reasonably review the subcontractors and to object to their use where it has a legitimate interest. If the controller does not object within the notice period, the subcontractor may be used. The controller shall exercise its right to object only in accordance with good faith, fairness and reasonableness.
- If the processor engages a subcontractor to perform certain processing activities on behalf of the controller, the processor must impose on the subcontractor, by way of a contract or another legally permissible instrument, the same data protection obligations to which the processor is subject under this data processing agreement (in particular with regard to compliance with instructions, adherence to the TOMs, provision of information and toleration of inspections).
- The processor shall select the subcontractor with particular regard to its suitability and reliability to fulfill the obligations under this data processing agreement and to the suitability of the TOMs implemented by the subcontractor.
- The forwarding of personal data processed on behalf of the controller to subcontractors is permissible only once the processor has satisfied itself that the subcontractor fully meets its obligations. This review must be documented and the documentation provided to the controller upon request.
- The processor must check, regularly and at least every 12 months, to an appropriate extent, that its sub-processors comply with their obligations, in particular the TOMs. The check and its results must be documented in a way that is comprehensible to a knowledgeable third party, and the documentation must be presented to the controller upon request. Instead of performing its own check, the processor may refer to a check by independent third parties (e.g., neutral data protection auditors), to adherence to approved codes of conduct (Art. 40 GDPR), or to appropriate data protection or IT security certifications under Art. 42 GDPR. The processor undertakes to inform the controller without delay of the exclusion of a sub-processor from an approved code of conduct under Art. 41(4) GDPR, the revocation of a certification under Art. 42(7) GDPR, and any other form of revocation or significant change of the aforementioned evidence at the sub-processor.
- The responsibilities to comply with the obligations of this data processing agreement and the law must be clearly regulated and delineated between the processor and the sub-processor.
- The rights of the controller must also be effectively enforceable against the sub-processors. In particular, the controller must be entitled to carry out checks at sub-processors at any time, or to have such checks carried out by third parties, to the extent provided for in this data processing agreement.
- If a sub-processor fails to comply with its data protection obligations, the processor is liable to the controller for this.
- Processing of personal data that is not directly related to the provision of the main service from the main contract and for which the processor uses the services of third parties as a mere ancillary service to exercise its business activity (e.g., cleaning, security, maintenance, telecommunications, or transport services) does not constitute subcontracting within the meaning of the above provisions of this data processing agreement. Nevertheless, the processor must ensure, for example through contractual agreements or instructions and guidelines, that the security of the data is not endangered and that the provisions of this data processing agreement and data protection regulations are complied with.
- Subcontracting relationships disclosed to the client at the conclusion of this data processing agreement are considered approved to the extent communicated under the provisions of this data processing agreement on subcontracting relationships.
- Subcontracting relationships already existing at the conclusion of this data processing agreement are listed by the processor in the "Subcontracting Relationships" appendix and updated by the processor.
10. Territorial Scope of Data Processing
- Personal data will be processed as part of the data processing in a member state of the European Union (EU) or in another contracting state of the Agreement on the European Economic Area (EEA).
- Processing may take place in third countries provided that the specific requirements of Art. 44 et seq. GDPR are met, i.e., in particular a) if the EU Commission has determined that the third country ensures an adequate level of data protection; b) on the basis of effective standard data protection clauses (so-called Standard Contractual Clauses, SCC); or c) on the basis of recognized binding corporate rules.
- The controller's approval of subcontracting relationships under this data processing agreement also extends to the territorial scope of the data processing.
- Processing on behalf in a country other than those mentioned above, including by subcontractors, requires the prior approval of the controller.
11. Obligations of the Client
- The controller must promptly and fully inform the processor if it discovers errors or irregularities in the processing results, the instructions or the processing procedures with regard to data protection regulations.
- The controller designates the contact persons authorized to issue instructions and shall notify the processor without delay of any changes in these contact persons or their contact details, as well as of deputies in the event of a permanent absence or incapacity.
- If claims are asserted against the processor by data subjects, third-party companies, bodies or authorities on account of the processing of personal data under this data processing agreement, the controller is obliged to support the processor in defending against the claim to the best of its ability, taking into account the degree of fault of the contracting parties.
12. Liability
The statutory liability regulations apply, in particular Art. 82 GDPR and in the case of the use of a subcontractor Art. 28 Para. 4 S. 2 GDPR.
13. Duration, Continuation after Contract Termination and Data Deletion
- This data processing contract becomes effective upon signing, or conclusion in electronic format.
- The duration and termination of this data processing contract are governed by the duration and termination of the main contract.
- The right to extraordinary termination remains reserved for the contracting parties, particularly in the event of a serious breach of the duties and provisions of this data processing contract and the applicable data protection laws. A serious breach is particularly present if the processor fails to a significant extent to meet the obligations specified in the data processing contract and the agreed technical and organizational measures.
- Extraordinary termination for minor breaches requires a warning of the breaches with an appropriate period for rectification, whereby the warning is not necessary if it is not expected that the criticized breaches will be corrected, or if they are so severe that holding on to the data processing contract is unreasonable for the terminating party.
- Termination of this data processing agreement, as well as any waiver of this form requirement, must be made at least in electronic format.
- Upon completion of the processing services under this data processing agreement, the processor will, at the controller's choice, either destroy or return all personal data and copies thereof (as well as any documents, processing and usage results, and data sets obtained in connection with the contractual relationship), unless there is a legal obligation to retain the personal data. Notwithstanding the above, applicant data will be deleted or pseudonymized no later than 6 months after completion of the respective application process, unless a different statutory retention requirement applies. Deletion will be carried out in a data protection-compliant manner that ensures restoration is no longer possible.
- The obligations under this data processing agreement to protect confidential information continue to apply after the end of the agreement for as long as the processor still processes personal data covered by it and compliance with those obligations remains reasonable for the processor after the end of the contract.
- Documentation that serves to demonstrate proper data processing and the assurance of the TOMs must be retained by the processor in accordance with the retention and deletion periods applicable to the controller that are known to the processor (or ought to be known to it), and for at least three years beyond the end of the contract. The processor may hand over the documentation to the controller at the end of the contract in order to discharge itself of this obligation.
14. Final Provisions
- The applicable law is determined according to the main contract.
- The place of jurisdiction is determined according to the main contract.
- The present data processing agreement constitutes the entire agreement between the contracting parties. There are no ancillary agreements.
- Upon the conclusion of this data processing agreement, any previous agreements that were concluded between the contracting parties of this agreement and that regulate the processing of personal data on behalf are terminated, insofar as and to the extent that these pertain to the same subject matter as the data processing and unless otherwise expressly agreed in writing between the contracting parties.
- Amendments and additions to this data processing agreement, as well as any waiver of this form requirement, must be made at least in electronic format.
- In the event of any contradictions, the provisions of this data processing agreement on data protection shall take precedence over the provisions of the main contract.
- Should one or more provisions of this data processing agreement be or become invalid or unenforceable, the validity of the remaining provisions shall not be affected. The invalid provisions shall be replaced by a supplementary interpretation that comes as close as possible to the economic purpose pursued by the contracting parties with the invalid provision(s). If the aforementioned supplementary interpretation is not possible due to mandatory legal requirements, the contracting parties shall agree on a corresponding provision.
- This data processing agreement is part of the main contract and becomes effective upon its conclusion.
15. Appendix: Subject Matter of the Data Processing
Purposes of the Data Processing
Personal data of the client is processed on the basis of this data processing agreement for the following purposes:
- Collection of feedback from job applicants, its storage, and its forwarding to the client.
Note: The personal data of the client disclosed in the context of publishing job advertisements (e.g. names of company owners or contact persons and their contact information) are processed by kroot GmbH not as a data processor, but as a controller within the meaning of Art. 4 No. 7 GDPR.
Types and Categories of Data
The types and categories of personal data processed on the basis of this data processing agreement include:
- First and last names of job applicants
- Email addresses of job applicants
- Phone numbers of job applicants
- Other information entered or voluntarily provided by job applicants (e.g., cover notes).
- Assignment to the relevant job advertisements.
- Timestamps of the data records.
Categories of Data Subjects
The categories of data subjects affected by the processing of personal data based on this data processing agreement include:
- Job applicants
Sources of Processed Data
The data processed on the basis of this order processing contract is collected or otherwise received from the sources mentioned below, or in the context of the procedures mentioned:
- Collection from affected persons.
- Collection as part of advertising and marketing campaigns.
Appendix: Technical and Organizational Measures (TOMs)
A level of protection appropriate to the risk to the rights and freedoms of the natural persons affected by the personal data processed under the specific order processing is ensured. In particular, the protection goals of confidentiality, integrity, and availability of systems and services, as well as their resilience, are taken into account with regard to the nature, scope, circumstances, and purpose of the processing, in such a way that the risk is permanently mitigated by appropriate technical and organizational remedial measures.
Organizational measures
Organizational measures have been taken to ensure an adequate level of data protection and its maintenance.
- The processor has implemented an adequate data protection management system or data protection concept and ensures its implementation.
- An appropriate organizational structure for data security and data protection is in place, and information security is integrated into company-wide processes and procedures.
- Internal security guidelines have been defined and are communicated internally to employees as binding rules.
- The processor reviews, evaluates, and assesses the effectiveness of the technical and organizational measures for ensuring the security of processing as necessary, but at least annually. The process is structured according to the PDCA cycle: it consists of continuous monitoring of the technical and organizational measures and establishing both the actual state and the desired state to be achieved, followed by an implementation phase and a subsequent review and evaluation of the implementation, from which lessons are derived for future optimizations and approaches regarding security standards.
- The technical and organizational measures are regularly, at least annually, reviewed and adjusted according to the PDCA cycle (Plan-Do-Check-Act).
- Developments in the state of the art, new threats, and new security measures are continuously monitored and appropriately incorporated into the processor's own security concept.
- There is a concept to ensure the protection of data subjects' rights by the controller (especially concerning information, correction, deletion or restriction of processing, data transfer, revocations & objections). The concept includes informing employees about the information obligations to the controller, setting up implementation procedures, appointing responsible persons, and regularly monitoring and evaluating the measures taken.
- There is a concept to ensure an immediate and legally compliant response to threats and breaches of the protection of personal data. The concept includes informing employees about the information obligations to the controller, setting up implementation procedures, appointing responsible persons, and regularly monitoring and evaluating the measures taken.
- Consultation and involvement of the data protection officer in security issues and procedures that affect the protection of personal data.
- Sufficient professional qualification of the data protection officer for security-related issues and opportunities for further training in this area.
- Sufficient professional qualification of the IT security officer for security-related issues and opportunities for further training in this area.
- Service providers engaged to fulfill ancillary tasks (maintenance, security, transport and cleaning services, freelancers, etc.) are carefully selected and it is ensured that they respect the protection of personal data. If the service providers gain access to personal data of the client in the context of their activities or if there is otherwise a risk of access to the personal data, they are specifically obligated to confidentiality and secrecy.
- The protection of personal data is taken into account considering the state of the art, implementation costs, and the nature, scope, circumstances and purposes of the processing as well as the varying likelihood and severity of the risks to the rights and freedoms of natural persons associated with the processing, from the development or selection of hardware, software and procedures, in accordance with the principle of data protection by design and by default.
- Deployed software and hardware are always kept up to date, and software updates are carried out without undue delay, within a period appropriate to the level of risk and to any checks that are necessary. No software or hardware is used that is no longer updated by its provider with regard to data protection and data security concerns (e.g., operating systems that have reached end of life).
- Standard software and corresponding updates are only obtained from trusted sources.
- A “paperless office” is maintained, i.e., documents are generally stored only digitally and only kept in paper form in exceptional cases.
- Documents in paper form are only kept if there is no adequate digital copy available regarding order processing, its purpose, and the interests of the persons affected by the contents of the documents, or if storage has been agreed with the client or is required by law.
- A deletion and disposal concept that meets the data protection requirements of order processing and the state of the art is in place. The physical destruction of documents and data carriers is carried out in compliance with data protection and in accordance with legal requirements, industry standards, and state-of-the-art industrial norms (e.g., according to DIN 66399). Employees have been informed about legal requirements, deletion periods and, where applicable, the requirements for data or device destruction by service providers.
Data Protection at Employee Level
Measures have been taken to ensure that employees involved in the processing of personal data have the necessary expertise and reliability required by data protection laws.
- Employees are obligated to confidentiality and secrecy (data protection confidentiality).
- Employees are sensitized and informed about data protection according to the requirements of their function. Training and sensitization are repeated at appropriate intervals or when circumstances require.
- Relevant policies, e.g., on the use of email/internet, handling of malware reports, use of encryption techniques, are kept up to date and are easily accessible (e.g., on the intranet).
- If employees work outside of company premises (home and mobile office), employees are informed about the specific security requirements and protection obligations in these scenarios, and are obligated to comply with them subject to control and access rights.
- If employees use private devices for business activities, employees are informed about the specific security requirements and protection obligations in these scenarios, and are obligated to comply with them subject to control and access rights.
- Keys, access cards or codes issued to employees, as well as permissions granted regarding the processing of personal data, are revoked after they leave the services of the processor or change their responsibilities.
- Employees are required to leave their work environment tidy and thus especially prevent access to documents or data carriers containing personal data (Clean Desk Policy).
Access Control (Physical)
Measures have been taken for physical access control, which prevent unauthorized persons from physically approaching the systems, data processing equipment or procedures with which personal data is processed.
- Except for workstation computers and mobile devices, no data processing equipment is maintained in the company's own business premises. The client's data is stored at external server providers in compliance with the regulations for order processing.
- Visitors are not allowed to move freely, but only accompanied by employees.
- Access is secured by a manual locking system.
- Employees are required to lock devices or secure them in a special way when they leave their work environment or the devices.
- Documents (files, documents, etc.) are stored securely, e.g. in filing cabinets or other suitably secured containers, and are adequately protected from access by unauthorized persons.
- Data carriers are stored securely and adequately protected from access by unauthorized persons.
Access Control (Electronic)
Measures have been taken for electronic access control to ensure that access (i.e., the mere possibility of use, application or observation) by unauthorized persons to systems, data processing equipment or procedures is prevented.
- A password policy ensures that passwords must have a minimum length and complexity that corresponds to the state of the art and security requirements.
- All data processing equipment is password protected.
- Passwords are generally not stored in plain text and are only transmitted hashed or encrypted.
- Password management software is used.
- Access data is deleted or deactivated when their users leave the company or organization of the processor.
- Up-to-date anti-virus software is used.
- Use of software firewall(s).
- Backups are stored encrypted.
Internal Access Control and Entry Control (Permissions for user rights to access and modify data)
Measures have been taken for access control to ensure that persons authorized to use a data processing system can only access the data covered by their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing. Furthermore, measures have been taken for entry control to ensure that it can subsequently be checked and determined whether and by whom personal data has been entered, modified, removed or otherwise processed in data processing systems.
- A rights and roles concept (authorization concept) ensures that access to personal data is only possible for a select group of persons according to need-to-know criteria and only to the necessary extent.
- The rights and roles concept (authorization concept) is regularly evaluated and updated within a reasonable period as necessary and whenever circumstances require it (e.g., after breaches of access restrictions).
- Logins to the data processing systems are logged.
- The activities of the administrators are appropriately monitored and logged within the framework of legally permissible possibilities and within the scope of technically acceptable effort.
Transmission Control
Measures have been taken to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission, transport, or storage on data carriers, and that it can be checked and determined to which locations personal data is intended to be transmitted by data transmission facilities.
- When accessing internal systems from outside (e.g., remote maintenance), encrypted transmission technologies are used (e.g., VPN).
- Mobile storage media are encrypted.
- The transmission and processing of the client's personal data via online services (websites, apps, etc.) is protected by using TLS/SSL or an equivalently secure encryption.
Order Control, Purpose Limitation, and Separation Control
Measures have been taken to ensure that personal data processed on behalf of the client are only processed in accordance with the client's instructions. These measures guarantee that personal data collected for different purposes is processed separately and that there is no mixing, blending, or other conflicting joint processing of these data.
- The processing activities carried out for the client are documented separately to an adequate extent in a record of processing activities.
- Careful selection of sub-processors and other service providers.
- Employees and agents are clearly informed and instructed about the client's instructions and the permissible framework for processing. Separate information and instruction are not required if compliance with the permissible framework can be reliably expected anyway, such as due to other agreements or company practice.
- Compliance with the client's instructions and the permissible framework for processing personal data by employees and agents is reviewed at appropriate intervals.
- The retention periods applicable to the processing of the client's personal data are documented within the data processor's deletion concept (separately, where necessary).
- Required evaluations and analyses of the processing of the client's personal data are processed anonymously (i.e., without any personal reference) as far as possible and reasonable, or at least processed pseudonymously in accordance with Art. 4 No. 5 GDPR (i.e., in such a way that the personal data can no longer be attributed to a specific data subject without the addition of further information, whereby this additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not assigned to an identified or identifiable natural person).
- The client's personal data is processed separately from other processing procedures of the data processor and is protected from unauthorized access, connection, or merging with other data (e.g., in different databases or with appropriate attributes).
Ensuring Data Integrity and Availability as well as the Resilience of Processing Systems
Measures have been taken to ensure that personal data is protected against accidental destruction or loss and can be quickly restored in emergencies.
- The data processing systems are continuously monitored, in particular for availability, errors, and security incidents.
- The personal data is stored with external hosting providers. The hosting providers are carefully selected and meet state-of-the-art requirements regarding protection from damage caused by fire, moisture, power failures, disasters and unauthorized access, as well as regarding data security, patch management, and building security.
- The processing of personal data takes place on data processing systems that are subject to regular and documented patch management, i.e., in particular, they are regularly updated.
- The server systems used for processing have protection against denial of service (DoS) attacks.
- Server systems and services are used that maintain a backup system in other locations, on which the current data is kept and thus make a running system available even in the event of a disaster.
- The client’s datasets are protected against accidental modification or deletion by the system (e.g., through access restrictions, security queries, and backups).
- Server systems and services are used that have an appropriate, reliable, and controlled backup and recovery concept.
- Recovery tests are regularly conducted at appropriate intervals to verify that data backups can actually be restored (data integrity of the backups).