Contract for order processing for hosting and remote maintenance

 

Between

ColorGATE Digital Output Solutions GmbH, Große Düwelstraße 1, 30171 Hannover

- hereinafter referred to as "contractor" -

And

the end customer

- hereinafter referred to as "client" -

 

Preamble

The client would like to entrust the contractor with the services described in more detail within the scope of the contract. Part of the execution of the contract is the processing of personal data. In particular, Article 28 GDPR imposes certain requirements on such order processing. In order to comply with these requirements, the parties conclude the following agreement:

 

  1. Definitions
    1. In accordance with Article 4(7) of the GDPR, the controller is the body which decides, alone or jointly with other controllers, on the purposes and means of processing personal data.
    2. In accordance with Article 4(8) GDPR, the processor is a natural or legal person, authority, agency or other body that processes personal data on behalf of the controller.
    3. Personal data are, in accordance with Article 4(1) GDPR, any information relating to an identified or identifiable natural person (hereinafter referred to as the data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by association with an identifier such as a name, identification number, location data, online identifier or one or more specific characteristics that are an expression of the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.
    4. Particularly sensitive personal data are personal data in accordance with Article 9 GDPR which reveal the racial and ethnic origin, political opinions, religious or ideological beliefs or trade union membership of data subjects, personal data in accordance with Art. 10 GDPR about criminal convictions and criminal offences or related safeguards, as well as genetic data in accordance with Art. 4(13) GDPR, biometric data in accordance with Art. 4(14) GDPR, health data in accordance with Art. 4(15) GDPR and data on the sex life or sexual orientation of a natural person.
    5. In accordance with Article 4(2) GDPR, processing is any operation or series of operations carried out with or without the aid of automated procedures in connection with personal data, such as the collection, recording, organisation, ordering, storage, adaptation or modification, reading, querying, use, disclosure by transmission, dissemination or any other form of provision, comparison or linking, restriction, deletion or destruction.
    6. Pursuant to Article 4(21) GDPR, the supervisory authority is an independent public body established by a Member State in accordance with Article 51 GDPR.
  2. Indication of the competent data protection supervisory authority
    1. The competent supervisory authorities for the contractor and the client are the respective national representatives for data protection.
    2. The client and the contractor shall cooperate with the supervisory authority on request in the performance of their tasks.
  3. Scope of the contract
    1. The Client has instructed the Contractor to provide the software licensed by the Contractor to the Client under a Software License Agreement via its server ("Hosting").
    2. The Contractor shall carry out only the activities necessary for the performance of the commissioned services. It shall carry them out exclusively within the framework of the agreements made and in accordance with the instructions of the client. Changes in the field of activity and procedural changes must be agreed in writing. The Contractor stores or processes personal data exclusively on behalf of and under the direction of the Client.
    3. Processing shall only take place insofar as it has been agreed between the parties. This also includes activities where data migrates from one system to another.
  4. Right of instruction
    1. The Contractor may only collect, process or use data within the scope of the agreement with the Client; this applies in particular to the transfer of personal data to a third country or to an international organisation. If the Contractor is required to carry out further processing by the law of the European Union or the Member States to which it is subject, it shall notify the contracting entity of these legal requirements before processing.
    2. The instructions of the client are determined by this agreement and may be amended, supplemented or replaced by the client in written form or in text form at any time by individual instructions. The client is entitled to issue appropriate instructions at any time. This includes instructions regarding the correction, deletion and blocking of data.
    3. If the Contractor considers that an instruction from the Client violates data protection regulations, he must inform the Client immediately. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client. The contractor may refuse to carry out a manifestly unlawful instruction.
  5. Type of data processed and the circle of data subjects
    1. As part of the implementation of the main contract, the Contractor shall have access to the following personal data:

- full name

- country

- company name

- email address

    2. The following categories of persons are affected by the processing:

- Employees of the contracting authority

 

  6. Protection measures of the contractor
    1. The Contractor is obliged to comply with the statutory provisions on data protection and not to pass on the information obtained from the customer's area to third parties or to suspend their access. Documents and data must be secured against disclosure to unauthorized persons, taking into account the state of the art.
    2. The contractor will design the internal organisation within his area of responsibility in such a way that it meets the special requirements of data protection. He shall take all necessary technical and organisational measures to adequately protect the data of the contractor in accordance with Article 32 GDPR, in particular at least the following measures:

a) entry control

b) physical access control

c) access control

d) communication control

e) input control / plausibility check

f) order supervision

g) availability check

h) data separation control

The Contractor reserves the right to change the security measures taken, ensuring that the contractually agreed level of protection is not exceeded.

    3. The persons employed in the processing of data by the contractor are prohibited from collecting, processing or using personal data without authorisation. The Contractor will oblige all persons entrusted by him with the processing and performance of this contract (hereinafter referred to as "Employees") accordingly and shall ensure compliance with this obligation with due care. These obligations must be such that they remain in place even after the termination of this contract or the employment relationship between the employee and the contractor. The contracting authority shall prove the obligations in an appropriate manner on request.
  7. Information obligations of the contractor
    1. In the event of malfunctions, suspicion of data breaches or breaches of contractual obligations of the Contractor, suspicion of security-related incidents or other irregularities in the processing of personal data by the Contractor, persons employed by him within the scope of the contract or by third parties, the Contractor shall inform the Customer immediately in written form or text form. The same applies to audits of the contractor by the data protection supervisory authority. The notification of a breach of personal data protection shall contain at least the following information:

(a) a description of the nature of the breach of the protection of personal data, including, where possible, the categories and number of data subjects, the categories concerned and the number of personal data sets concerned;

(b) a description of the measures taken or proposed by the contractor to remedy the breach and, where appropriate, measures to mitigate its potential adverse effects.

    2. The contractor shall immediately take the necessary measures to secure the data and to reduce possible adverse consequences for the data subjects, inform the customer and request further instructions.
    3. The Contractor is also obliged to provide the Client with information at any time, insofar as his data are affected by a breach in accordance with Section 7.1.
    4. Should the data of the client be endangered by attachment or seizure, by insolvency or settlement proceedings or by other events or measures of third parties, the contractor must inform the customer immediately, unless this is prohibited by court or official order. In this context, the contractor will immediately inform all competent authorities that the decision-making authority over the data rests exclusively with the contracting entity as the "responsible person" within the meaning of the GDPR.
    5. The Contractor must inform the Customer immediately of any material change in the security measures in accordance with Section 6(2).
  8. Control rights of the client
    1. The Contractor undertakes to provide the Client, within a reasonable period of time, with all the information and evidence necessary to carry out a review of the contractor's technical and organizational measures.
    2. The client documents the result of the inspection and informs the contractor.
  9. Use of subcontractors

The contractually agreed services or the partial services described below are carried out with the assistance of the following subcontractor: ColorLogic GmbH, Robberkamp 40, 48432 Rheine. The Contractor is authorised, within the framework of its contractual obligations, to establish further subcontracting relationships with subcontractors. The contractor is obliged to carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement, ensuring that the Client may also exercise its rights under this Agreement, in particular its audit and control rights, directly vis-a-vis the subcontractors. Where subcontractors are to be involved in a third country, the contractor shall ensure that an appropriate level of data protection is guaranteed by the subcontractor concerned.

 

  10. Liability
    1. Contractors and principals shall be jointly and severally liable for the compensation of damages suffered by a person as a result of incorrect or inadmissible data processing in the course of the execution of this agreement.
    2. If the Contractor claims that damage is not the result of a circumstance for which he is responsible, he bears the burden of proof in so far as the relevant data were processed by him in the context of the contractual relationship. The Contractor shall indemnify the Client against all claims made against the Contractor in connection with the Contract, as long as the Contractor has not provided the proof referred to in p. 1, and will reimburse him for all costs incurred in legal defence.
    3. In the internal relationship, the Contractor shall be liable to the Client for such damages which the Contractor or subcontractor commissioned by him culpably causes in the course of the execution of this Agreement.
  11. Duration of the contract and extraordinary right of termination
    1. The term of this Agreement shall be governed by the terms of the Software License Agreement concluded between the parties.
    2. The client may terminate the main contract in whole or in part without notice if the contractor fails to fulfil its obligations under this contract, intentionally or grossly negligently violates the provisions of the GDPR or if the customer cannot or does not want to carry out any instructions from the customer. In the event of simple infringements, i.e. those that are neither intentional nor grossly negligent, the customer shall set the contractor a reasonable period within which the contractor may cease the infringement.
  12. Termination of the contract
    1. After termination of the contract, or at any time at his request, the Contractor will return to the Client all documents, data and data carriers provided to him or, at the request of the Client, delete them, unless there is an obligation under Union or federal law of the Federal Republic of Germany to store the personal data. This also applies to any data backups held by the contractor. Documents to be disposed of must be shredded in accordance with DIN 32757-1. Data carriers to be disposed of must be destroyed in accordance with DIN 66399.
    2. The client has the right to check the complete and contractually appropriate return or deletion of the data at the contractor in an appropriate manner.
    3. The Contractor is obliged to treat confidentially the data known to him in connection with the main contract even after the end of the contract. This agreement shall remain valid beyond the end of the main contract as long as the Contractor has personal data which has been forwarded to him or which he has collected for him.
  13. Final provisions
    1. The parties agree that the objection of the right of retention by the contractor within the meaning of Section 273 of the German Civil Code (BGB) is excluded with regard to the processing data and the associated data carriers.
    2. Amendments and additions to this Agreement must be made in writing. This also applies to the waiver of this formal requirement. This does not affect the primacy of individual contractual agreements.
    3. Should individual provisions of this Agreement be or become wholly or partly legally ineffective or unenforceable, this shall not affect the validity of the remaining provisions.
    4. This Agreement is governed by German law. The exclusive place of jurisdiction is Hanover, Germany.