Last update: 17.05.2024
see information about the customer
product kitchen GmbH
Rehsteige 12
D-73035 Göppingen
The Controller would like to task the Processor with the services outlined in § 3 of this Agreement. Contract implementation also includes the processing of personal data. The General Data Protection Regulation (GDPR), particularly Article 28, places certain requirements on processing of personal data carried out on behalf of a controller. To comply with these requirements, the Parties hereby enter into the following agreement. The implementation of the Agreement shall not be compensated separately, unless explicitly stated otherwise.
Terms used in this Agreement which are defined by Article 4, 9 and 10 GDPR shall have the same meaning as those established by the relevant GDPR provision.
As representative under Article 27 (1) GDPR, the Processor has appointed
Claudius Eisele
(1) On behalf of the Controller and based on the rental contract (“Principal Agreement”), the Processor shall carry out services in the area of a digital whistleblowing system. In doing so, the Processor shall gain access to personal data and shall process said data exclusively on behalf of and according to the instructions given by the Controller, unless otherwise required by EU law or a legal provision of one of the Member States applicable to the Processor. The scope and purpose of the Processor’s data processing are as concluded in the Principal Agreement (and, if applicable, the corresponding service description), as well as described in Annex 2 to this Agreement. The Controller shall be the sole judge of the lawfulness of the processing under Article 6 (1) GDPR.
(2) The Parties have agreed to the following in order to specify their mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall supersede the provisions of the Principal Agreement.
(3) The provisions laid out by this Agreement shall be applicable to all activities which are performed in connection with the Principal Agreement and by the Processor, their employees or agents when encountering personal data originating from, collected for or otherwise processed on behalf of the Controller.
(4) The duration of this Agreement shall be the same as the duration of the Principal Agreement, unless the following provisions stipulate further obligations or rights of termination.
(5) Any agreed-upon data processing shall take place solely in a Member State of the European Union or in the state of another Contracting Party to the Agreement about the European Economic Area or in a state for which the European Commission has taken an adequacy decision. Any relocation of partial services or the entire service to a third country for which there is no adequacy decision requires the prior consent of the Controller in writing or documented electronic format and may only take place if the special requirements of Art. 44 et seq. GDPR are met.
In applying the Principal Agreement, the Processor shall receive access to the personal data specified in Annex 2, belonging to the group(s) of data subjects also specified in Annex 2. This data includes as specified in Annex 2 and marked as such.
(1) The Processor may only collect, use or otherwise process data within the scope of the Principal Agreement and according to the Controller’s instructions; this is particularly applicable with regard to transfer of personal data to a Third country or to an international organization. If the Processor must carry out further processing due to EU law or the law in an EU Member State applicable to the Processor, the Processor shall notify the Controller of these legal requirements before any such processing takes place.
(2) The Controller’s instructions shall be initially determined by this Agreement, though it may be changed, amended or replaced by individual instructions in written or documented electronic format (“Individual Instruction”). The Controller shall have the right to issue such instructions at any time. Changes may include instructions regarding the rectification, erasure and blocking of data. Persons authorized to give, or respectively receive, instructions are specified in Annex 5. In case of a change or longer-term hindrance of the designated persons, the successor or substitute shall be made known to the other Contracting Party without undue delay. Text form notification as mandated by Sect. 126b German Civil Code shall be sufficient.
(3) The Controller and Processor shall document all instructions given and keep such documentation for the duration of their validity, and for three full calendar years thereafter. Instructions going beyond the service as agreed-upon by the Principal Agreement shall be deemed a Change Request. Arrangements regarding possible compensation of additional expenses resulting from supplementary instructions given to the Processor by the Controller shall remain unaffected.
(4) Should the Processor suspect that an instruction given by the Controller goes against data protection requirements; the Processor shall notify the Controller accordingly without undue delay. The Processor is entitled to suspend execution of the instruction in question until confirmation or change by the Controller is received. The Processor is entitled to refuse execution of an evidently unlawful instruction.
(1) The Processor shall comply with legal data protection requirements and shall not transfer or make accessible to third parties information originating in the Controller’s sphere. Taking into account the state of the art, documents and data shall be appropriately secured against accessibility by unauthorised persons.
(2) In regards to its area of responsibility, the Processor shall shape its internal organisation in a manner that is compliant with the special requirements of data protection. The Processor shall also ensure that it has implemented all necessary technical and organisational measures under Article 32 GDPR; particularly in regards to the measures specified in Annex 2. Insofar as the processing includes special categories of personal data, the Processor shall additionally implement the adequate and specific measures laid down by para. 22 sect. 2 of the German Federal Data Protection Act (Bundesdatenschutzgesetz, BDSG). Upon the Controller’s request, the Processor shall disclose the particulars of how these measures are determined and implemented. The Processor reserves the right to change the implemented security measures, provided that it ensures that these do not fall short of the contractually agreed upon level of protection.
(3) As Advisor for data protection (if the Processor is not obligated to appoint a Data Protection Officer under Article 37 (1) GDPR) the Processor has appointed:
Claudius Eisele, privacy@hintcatcher.com
(4) The persons tasked with data processing and employed by the Processor are prohibited from collecting, using or otherwise processing personal data without authorisation. The Processor shall ensure that all persons (hereafter referred to as “personnel”) tasked with processing and fulfilling this Agreement have committed themselves according to the obligation of confidentiality under Article 28 (3) lit. b GDPR). The Processor has a duty to instruct personnel about the special data protection obligations arising from this Agreement, as well as the existing purpose limitation and binding commitment to instructions. The Processor shall take due care to ensure compliance with the abovementioned obligation. Obligations shall be composed to remain in force beyond the termination of this Agreement or of the employment relationship between the employee and the contractor. Upon the Controller’s request, the Processor shall provide proof of these obligations in an adequate manner.
(1) In case of disturbances, suspected data breaches, breaches of contractual obligations on the part of the Processor, suspected security incidents or other irregularities with regards to the processing of personal data by the Processor, by persons tasked within the framework of the Agreement or by third persons, the Processor shall inform the Controller accordingly in writing or in a documented electronic format without undue delay. The same applies to audits of the Processor carried out by the Data Protection Authority. To the extent possible, notification about a personal data breach shall contain the following information:
a) a description of the nature of the personal data breach including, where possible, the categories and number of data subjects potentially affected, and the categories and number of personal data records concerned;
b) a description of the likely consequences of the personal data breach, and
c) a description of the measures taken or proposed by the Processor to address the personal data breach, including, where appropriate, measures to mitigate any possible adverse effects.
(2) The Processor shall take all necessary measures to secure the data and mitigate possible adverse effects on the data subject(s) without undue delay. The Processor shall also inform the Controller of these measures and request further instructions.
(3) Additionally, insofar as the Controller’s data is concerned by a breach outlined in § 7 (1) of this Agreement, the Processor shall provide details to the Controller at any time.
(4) The Processor shall, in an adequate manner, assist the Controller in ensuring compliance with the Controller’s obligations under Articles 33 and 34 GDPR (Article 28 (3) sent. 2 lit. f GDPR). The Processor shall only execute notifications under Articles 33 or 34 GDPR on behalf of the Controller upon the Controller’s prior instruction as outlined in § 5 of this Agreement.
(5) In case the Controller’s data is put at risk due to seizure or confiscation taking place at the Processor’s, because of insolvency or composition proceedings or because of other events or measures taken by third parties, the Processor shall inform the Controller accordingly and without undue delay, unless prohibited from doing so by court or administrative order. In this context, the Processor shall, without undue delay, inform all competent entities that, as “Controller” under the GDPR, the Controller bears sole decision- making authority with regard to the data.
(6) In case of substantial changes to the security measures under § 6 (2) of this Agreement, the Processor shall notify the Controller accordingly, without undue delay.
(7) In case of a change of the person fulfilling the role of the Advisor for data protection the Processor shall, without undue delay, notify the Controller accordingly.
(8) The Processor, and if applicable, his representative, shall maintain a record of all processing activities carried out on behalf of the Controller, containing all specifications required under Article 30 (2) GDPR. The record shall be made available to the Controller upon request.
(9) The Processor shall, to adequate extent, also contribute to the record the Controller establishes regarding the processing activities. The Processor shall also contribute to any data protection impact assessment the Controller establishes under Article 35 GDPR, and if applicable, when a prior consultation of supervisory authorities under Article 36 GDPR takes place. The Processor shall in each case convey the necessary specifications to the Controller in an appropriate manner.
(1) Prior to the start of the data processing, and then on a regular basis, the Controller shall convince himself of the technical and organisational measures taken by the Processor. To this end, he can, for example, obtain information from the Processor or require seeing existing attestations by experts, certifications or of internal audits. The Controller may, after timely coordination and during normal business hours, also check the Processor’s technical and organisational measures via remote audit (e.g. via phone) or have them checked by an expert third party, unless the latter is in a competitive relationship with the Processor. The Controller shall conduct controls only to the extent necessary so as to not unduly disturb the Processor’s business operations.
(2) Upon the Controller’s verbal, written or electronic request, the Processor shall, in a timely manner, provide him with all information and records necessary for controlling the Processor’s technical and organisational measures.
(3) The Controller shall document the control result and notify the Processor accordingly. In case of mistakes or irregularities detected by the Controller, particularly when assessing order results, the Controller shall inform the Processor accordingly without undue delay. If the control reveals issues to be avoided in the future that require changes to the ordered process, the Controller shall, without undue delay, notify the Processor of the necessary changes.
(4) Upon request, the Processor shall provide the Controller with a comprehensive and up-to-date data protection and security concept for the data processing and regarding authorised persons for access.
(5) Upon request, the Processor shall provide the Controller with the employee obligation under § 6 (4) of this Agreement.
(6) The Controller shall reimburse the Processor for the expenses incurred in the course of the control.
(1) The contractually agreed-upon services, or the parts of the services described hereafter, will be executed by involving the subcontractors named in Annex 4. Within the scope of his contractual obligations, the Processor shall be entitled to establish further subcontracting relationships. The Processor shall, without undue delay, notify the Controller thereof. The Processor shall carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Processor shall ensure their commitment to confidentiality in line with the provisions of this Agreement. If subcontractors from a third country are involved, the Processor shall ensure that an adequate level of data protection is guaranteed by the subcontractor in question (for example, by establishing an agreement according to the EU standard data protection clauses). Upon request, the Processor shall demonstrate the conclusion of the aforementioned agreements with his subcontractors.
(2) When the Processor charges a third party with a purely ancillary service, this shall not constitute a subcontractor relationship within the meaning of these provisions. Such ancillary services include, but are not limited to, postal, transport and shipping services, cleaning services, security services, and telecommunications services without concrete reference to services provided by the Processor provides to the Controller. Maintenance and testing services constitute subcontractor relationships requiring approval insofar as they are provided for IT systems also used in connection with the Processor’s provision of services on behalf of the Controller.
(1) The Processor shall assist the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligations as established under Articles 12-22, 32, and 36 GDPR.
(2) If a data subject asserts her rights regarding to her data directly against the Processor, the Processor shall not react independently. Rather, the Processor shall refer the data subject to the Controller without undue delay and wait on the Controller for instructions on how to proceed.
(1) The Controller and the Processor shall be liable to the data subjects in accordance with the provisions of Article 82 GDPR. The Processor shall coordinate with the Controller regarding any possible fulfilment of liability claims.
(2) At first request, the Processor shall exempt the Controller from all claims data subjects assert against the Controller due to the breach of an obligation imposed on the Processor by the GDPR, or due to the Processor’s failure to comply with an instruction outlined in this Agreement or given separately by the Controller.
(3) The Parties shall each release themselves from liability if/insofar as one Party proves that they are in no way responsible for the circumstance through which the damage occurred to a data subject. Apart from that, Article 82 (5) GDPR shall apply.
(4) Unless otherwise stipulated above, the liability within the scope of this Agreement shall correspond to that of the Principal Agreement.
The Controller may terminate the Principal Agreement, in whole or in part, without notice if the Processor fails to fulfil his obligations under this Agreement, intentionally or through gross negligence violates the provisions of the DS-GVO or other applicable data protection provisions, is unable or unwilling to execute an instruction given by the Controller, or opposes the Controller’s rights of control in a manner contrary to the contractual terms. In particular, failure to comply with the obligations agreed in this contract and derived from Art. 28 DS-GVO constitutes a serious infringement.
(1) After termination of the Principal Agreement, or at any time upon the Controller’s request, the Processor shall return to the Controller all documents, data and data carriers made available to him or - unless a return is expressly requested - delete them at the Customer’s request, unless such deletion is prohibited by EU law or the laws of the Federal Republic of Germany. This also applies to any data backups made by the Processor. The Processor must provide documentation of proper deletion of any data still available.
(2) The Controller has the right to verify that the Processor has completed the contractually correct return or deletion of the data in an appropriate manner. Conversely, the Controller may have such verification done through an expert third party, provided that the third party is not in a competitive relationship with the Processor.
(3) The Processor must retain the confidentiality of any data that has become known to it in connection with the Principal Agreement beyond the end of the Principal Agreement. This Agreement shall remain valid beyond the end of the Principal Agreement for as long as the Processor has personal data supplied by or collected for the Controller at the Processor’s disposal.
(1) The Parties agree that the Processor’s right to assert retention under Section 273 of the German Civil Code (Bürgerliches Gesetzbuch, BGB) is excluded with regard to the data to be processed and the corresponding data carriers.
(2) To be valid, any changes and amendments to this Agreement must be rendered in writing in a documented electronic format. This also applies to a change in this formal requirement. This shall not apply to the priority of individual contract agreements.
(3) Should any provision of this Agreement be invalid or become partially or entirely invalid or unenforceable, the remainder of this Addendum shall remain valid and in force.
(4) This agreement shall be governed by and construed in accordance with German Law. Each Party agrees to submit to the sole jurisdiction of Göppingen, Germany.
Annexes:
Annex 1 - Certifications
Hosting takes currently place in ISO 27001 certified data centers of Google Cloud EMEA Ltd. Further information and a corresponding duplicate of the certification can be viewed here.
Annex 2 - Description of the data subjects/groups of data subjects as well as the data/data categories requiring special protection
Affected data subjects / groups of data subjects:
The following types/categories of data are processed:
Annex 3 - Technical and organizational measures by the Processor
The Processor’s internal organization ensures that the specific requirements of data protection are met through the application of security procedures, regardless of where personal data is processed or used. With the following procedures and measures, the Processor ensures the protection of personal data and other sensitive data categories.
Physical access control
To prevent unauthorized persons access to the data processing systems with which personal data is processed or used, the Processor leverages the following technical and organizational protection mechanisms:
To prevent unauthorized use of data processing systems, the Processor leverages the following technical and organizational protection mechanisms:
Data Transfer Control
To ensure that personal data is not read, copied or altered without authorization during electronic transmission or transport, the Processor leverages the following technical and organizational protection mechanisms:
Separation control
To ensure that data collected for different purposes can be processed separately, the Processor shall use the following technical and organizational protection mechanisms:
Availability check
To ensure that personal data is protected against accidental destruction or loss, the Processor leverages the following technical and organizational protection mechanisms:
Up-to-date control
To ensure that data protection-relevant regulations as well as the technical and organizational measures are regularly reviewed, evaluated, evaluated and, if necessary, updated, the Processor leverages the following technical and organizational protection mechanisms:
Annex 4 - Approved Subcontractors
The following companies are approved subcontractors within the meaning of § 9:
| Company | Activities | Place of data processing | Address | Contact details |
|---|---|---|---|---|
| Google Cloud | Data Center, Cloud Services | Germany, Switzerland, Worldwide | Google Cloud EMEA Ltd. 70 Sir John Rogerson's Quay Dublin 2 Ireland | Phone: +353 1 543 1000 Fax: +353 1 686 5660 support-deutschland@google.com |
| mailjet | Communication Services | Germany, Belgium | Mailjet GmbH Alt-Moabit 2 10557 Berlin Germany | contact@mailjet.com |
| Microsoft | Communication Services | European Union | Microsoft Ireland Operations Ltd. One Microsoft Place South County Business Park Leopardstown Dublin 18 Ireland | Phone: +353 1 706 3117 |
| Stripe | Payment Services | Worldwide | Stripe Payments Europe Limited One Microsoft Place 1 Grand Canal Street Lower, Grand Canal Dock, Dublin D02 H210 Ireland | privacy@stripe.com |
| Roxtra GmbH | Sales, customer support services | Germany | Roxtra GmbH Schillerstraße 21 D-73035 Göppingen Germany | privacy@roxtra.com |
| Zammad | Messaging, Communication services | Germany | Zammad GmbH Marienstraße 18 10117 Berlin Germany | support@zammad.com |
Annex 5 - Persons allowed to issue/receive instructions
The following person(s) shall be allowed to issue instructions for the Controller:
see information about the customer
For the Processor, shall be recipient(s) of instructions:
Claudius Eisele
Communication channels to be used for the instructions:
product kitchen GmbH, Rehsteige 12, 73035 Göppingen, Germany
privacy@hintcatcher.com