Data Processing Agreement according to Art. 28 General Data Protection Regulation

This Data Processing Agreement ("DPA") applies to the processing activities of personal data by Gentlent GmbH (also referred to as "we" or "Contractor"), which are provided to Controller (hereinafter referred to as "Client" or "You") in performance of the Main Contract.

Preambel

The Contractor shall provide services to the Client in accordance with the Main Contract concluded between them on the Services of the IT Service Agreement (hereinafter: “Main Contract”). Part of the performance of the Main Contract is the processing of personal data within the meaning of the General Data Protection Regulation (“GDPR”). In order to comply with the requirements of the GDPR for such constellations, the Parties conclude the following Data Processing Agreement (also “DPA” or “Agreement”), which comes into effect upon signing or entry into force of the Main Contract.

1. Object of DPA

1. Within the scope of the cooperation of the Parties in accordance with the Main Contract, the Contractor shall have access to personal data of the Client (hereinafter "Client Data"). The Contractor shall process this Client Data on behalf of and in accordance with the instructions of the Client within the meaning of Art. 4 No. 8 and Art. 28 GDPR.
2. The Client Data shall be processed by the Contractor in the manner described in the Annexes and to the extent and for the purpose specified therein. The group of persons affected by the data processing is shown. The duration of the processing shall correspond to the term of the Main Contract.
3. Whether the Contractor's services are suitable for the processing of special categories of personal data pursuant to Article 9 (1) of the GDPR requires a risk assessment by the Client.
4. The Contractor is prohibited from processing Client Data in a manner deviating from the processing specified in the Annexes.
5. The processing of the Client Data shall generally take place in the territory of the Federal Republic of Germany, in a member state of the European Union or in another state Party to the Agreement on the European Economic Area. Should there be a relocation of the commissioned processing to a third country, this shall require the prior consent of the Client and shall only take place if the special requirements of Art. 44 to 49 GDPR are met. The Client already consents to the processing of personal data by the subcontractors named in the Annexes upon conclusion of this Order Processing Agreement.
6. The provisions of this DPA shall apply to all activities related to the Main Contract. The same shall apply to all activities in which the Contractor and its employees or persons commissioned by the Contractor come into contact with Client Data.

2. Client’s power of instruction

1. The Contractor shall process the Client Data within the scope of the commission and on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 GDPR (commissioned processing). The Client shall have the sole right to issue instructions on the type, scope and method of the processing activities (hereinafter also referred to as "right to issue instructions"). If the Contractor is required by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall notify the Client of these legal requirements prior to the processing.
2. Instructions shall generally be issued by the Client in writing or in electronic form (email is sufficient); instructions issued verbally shall be confirmed by the Contractor in electronic form.
3. If the Contractor is of the opinion that an instruction of the Client violates data protection provisions, it shall notify the Client thereof. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client.

3. Protective measures of the Contractor

1. The Contractor shall be obligated to observe the statutory provisions on data protection and not to disclose information obtained from the Client’s domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.
2. Furthermore, the Contractor shall oblige all persons entrusted by it with the processing and fulfillment of this DPA (hereinafter referred to as “employees”) to maintain confidentiality (obligation to maintain confidentiality, Art. 28 Para. 3 lit. b GDPR). Upon request of the Client, the Contractor shall provide the Client with evidence of the obligation of the employees in writing or in electronic form.
3. The Contractor shall design its internal organization in such a way that it meets the special requirements of data protection. It undertakes to take all appropriate technical and organizational measures for the adequate protection of the Client Data pursuant to Art. 32 GDPR, in particular the measures listed in Annex 2 to this Agreement, and to maintain them for the duration of the processing of the Client Data.
4. The Contractor reserves the right to change the technical and organizational measures taken, while ensuring that the contractually agreed level of protection is not undercut.
5. At the request of the Client, the Contractor shall provide the Client with evidence of compliance with the technical and organizational measures.
6. The Contractor and the employees working for or on behalf of the Contractor shall be entitled to have the services to be rendered in accordance with the Main Contract and thus also the processing of personal data rendered from its head office, its business premises, branch offices or from the home and mobile office, provided that it is ensured that the protective measures defined in this DPA are complied with in this context.

4. Information and support obligations of the Contractor

1. In the event of disruptions, suspicion of data protection violations or violations of contractual obligations of the Contractor, suspicion of security-relevant incidents or other irregularities in the processing of the Client Data by the Contractor, persons employed by it within the scope of the DPA or by third parties, the Contractor shall inform the Client in writing or electronically without undue delay, but no later than within 48 hours. The same shall apply to audits of the Contractor by the data protection supervisory authority. These notifications should in each case contain at least the information specified in Art. 33(3) GDPR.
2. In the aforementioned case, the Contractor shall support the Client in the fulfillment of its educational, remedial and informational measures in this regard to the extent reasonable.
3. The Contractor undertakes to provide the Client, at the latter's request and within a reasonable period of time, with all information and evidence required to carry out an inspection.

5. Other obligations of the Contractor

1. If the requirements of Art. 30 GDPR apply to the Contractor, the Contractor shall be obliged to keep a register of all categories of processing activities carried out on behalf of the Client pursuant to Art. 30 (2) GDPR. The directory shall be made available to the Client upon request.
2. The Contractor shall be obliged to support the Client in the preparation of a data protection impact assessment pursuant to Art. 35 GDPR and any prior consultation with the supervisory authority pursuant to Art. 36 GDPR.
3. The Contractor confirms that – insofar as there is a legal obligation to do so – it has appointed a data protection officer.
4. Should the Client Data at the Contractor be endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Client thereof without undue delay, unless it is prohibited from doing so by court or administrative order. In this context, the Contractor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Client as the “Responsible Party” within the meaning of the GDPR.

6. Subcontractor relationships

1. The Contractor may have the Processing of Personal Data performed in whole or in part by additional Processors (hereinafter "Subcontractors"). The Contractor shall inform the Client in text form in good time in advance about the commissioning of subcontractors or changes in the subcontracting. The Client may object to the subcontracting in text form within four weeks of becoming aware of it if there are objective reasons for doing so.
2. A subcontractor relationship within the meaning of these provisions shall not exist if the Contractor commissions third parties with services which are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, guarding services, telecommunication services without any specific reference to services provided by the Contractor to the Client as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. The obligation of the Contractor to ensure compliance with data protection and data security also in these cases shall remain unaffected.
3. The Contractor shall agree with the subcontractor on the content of the provisions made in this DPA. In particular, the TOM to be agreed with the subcontractor must provide an equivalent level of protection.
4. The Contractor has established subcontractor relationships with the companies listed in Annex 1, to which the Client agrees upon conclusion of this data processing agreement. The companies listed in Annex 1 may be amended by the Contractor, either by addition or removal. If the Contractor intends to add an additional subcontractor, they shall include the subcontractor in Annex 1 and inform the Client no later than four weeks before the intended use of the subcontractor. If the Client does not agree to the addition of the new subcontractor, they may object to the addition within four weeks after being notified. If the Client objects to the addition of the new subcontractor, the Contractor has the right to terminate the main agreement, including all annexes, within two weeks, provided that no alternative solution for continued cooperation can be found and the addition of the subcontractor is of particular importance to the Contractor's business.
5. The Contractor has concluded order processing agreements with the subcontractors in accordance with the requirements of Section 6 (3). The Client shall approve the aforementioned subcontractors upon this DPA becoming effective.
6. Part of the order processing agreements with the subcontractors is in particular that the subcontractors ensure that they have taken appropriate and suitable technical and organizational measures in accordance with Art. 32 GDPR for the processing of personal data carried out by them on behalf.

7. Control rights

1. The Client shall be entitled to regularly assure itself of compliance with the provisions of this DPA. For this purpose, it may, for example, obtain information from the Contractor, have existing test certificates from experts, certifications or internal audits presented to it or have the Contractor’s technical and organizational measures inspected personally or by a competent third party during normal business hours, provided the third party is not in a competitive relationship with the Contractor.
2. The Client shall carry out inspections only to the extent necessary and take reasonable account of the Contractor’s operating procedures. The Parties shall agree on the time and type of inspection in good time.
3. The Client shall document the results of the inspection and notify the Contractor thereof. In the event of errors or irregularities discovered by the Client, in particular during the inspection of order results, the Client shall inform the Contractor without delay. If facts are discovered during the inspection, the future avoidance of which requires changes to the ordered procedure, the Client shall inform the Contractor of the necessary procedural changes without delay.

8. Rights of Data Subjects

1. The Contractor shall support the Client as far as possible with suitable technical and organizational measures in fulfilling its obligations pursuant to Articles 12 to 22 and Articles 32 to 36 of the GDPR. The Contractor shall provide the Client with the requested information on Client Data without undue delay, but within 14 working days at the latest, unless the Client has the relevant information itself.
2. If the Data Subject asserts its rights pursuant to Articles 16 to 18 of the GDPR, the Contractor shall be obligated to correct, delete or restrict the Client Data without undue delay, at the latest within a period of 7 working days, upon instruction of the Client. The Contractor shall provide the Client with written evidence of the deletion, correction or restriction of the data upon request.
3. If a Data Subject asserts rights directly against the Contractor, such as the right to information, correction or deletion of his/her data, the Contractor shall forward this request to the Client and await the Client’s instructions. The Contractor shall not contact the Data Subject without corresponding individual instructions.

9. Term

The term of this DPA corresponds to the term of the Main Contract. It thus ends automatically upon termination of the Main Contract. If the Main Contract can be terminated with due notice, the provisions on due notice of termination shall apply accordingly to this DPA. If the Contractor no longer processes any Client Data before the Main Contract expires, this DPA shall also end automatically.

10. Deletion and return after Termination

1. The Contractor shall return to the Client after termination of the Main Contract or at any time upon the Client’s request all documents, data and data carriers provided to the Contractor or, at the Client’s request, delete them completely and irrevocably, unless there is a statutory retention period. This shall also apply to copies of the Client Data at the Contractor’s premises, such as data backups, but not to documentation that serves as proof of the proper processing of the Client Data in accordance with the order. Such documentation shall be kept by the Contractor for a period of 6 months and shall be returned to the Client upon request.
2. The Contractor shall confirm the deletion to the Client electronically. The Client shall have the right to control the complete and contractually compliant return or deletion of the data at the Contractor in an appropriate manner.
3. The Contractor shall be obligated to treat as confidential any data of which it becomes aware in connection with the Main Contract, even beyond the end of the Main Contract.

11. Liability

1. The liability of the Parties shall be governed by Art. 82 GDPR. Any liability of the Contractor towards the Client due to breach of obligations under this Agreement or the Main Contract shall remain unaffected.
2. The Parties shall each release themselves from liability if a Party proves that it is not responsible in any respect for the circumstance as a result of which the damage occurred to a Data Subject. This shall apply mutatis mutandis in the event of a fine imposed on a Party, whereby the indemnification shall be made to the extent that the respective other Party bears a share of the responsibility for the violation sanctioned by the fine.

12. Confidentiality & Data Secrecy

1. The Contractor undertakes to observe the same rules for the protection of secrets as are incumbent on the Client.
2. There shall be a duty of confidentiality for the Contractor’s employees and third parties commissioned by the Contractor. The Contractor shall impose a written confidentiality obligation on the persons employed in the processing of Client Data pursuant to Art. 28 (3) lit. b GDPR. This is not necessary if the persons employed are already subject to an appropriate statutory duty of confidentiality. The Contractor shall document the obligation set forth in this clause in writing and submit it to the Client upon the Client’s request.
3. The Contractor confirms that it is aware of the relevant data protection regulations. The Contractor warrants that it will familiarize the employees engaged in the performance of the work with the data protection provisions applicable to them and that it will oblige them to comply with the applicable data protection provisions. He shall monitor compliance with the data protection regulations.
4. The confidentiality obligations regulated in this clause shall continue to apply after termination of the contractual relationship.
5. Furthermore, in addition to the applicable statutory provisions (in particular § 3 German Telemedia-Telecommunication-Data Protection Act (TTDSG), § 203 German Criminal Code (StGB), §§ 4, 23 German Trade Secret Act (GeschGehG) and, if applicable, special professional confidentiality obligations), the Contractor shall also be obligated to keep secret and not disclose to third parties all information and data of which it becomes aware within the scope of the contractually agreed services (confidential information). Confidential information is in particular business and trade secrets, contract conclusions, technical or commercial information of any kind or other information which is designated as confidential or which by its nature is to be regarded as confidential. This also applies in particular to:
   • Names, addresses as well as the personal, legal and economic circumstances of all customers of the Client and the personal, legal and economic circumstances of the Client and all other persons working for the Client.
   • Information shall not be considered confidential if it was already publicly known at the time the information came to the knowledge of the Contractor. Likewise, information which has become publicly known or has been made publicly known at a later time with the consent of the Client shall not be regarded as confidential.
6. The Contractor undertakes to oblige all employees who gain knowledge of the aforementioned confidential information of the Client in the course of their work for the Client to do the same as he does himself.
7. If the Contractor commissions third parties, it shall ensure that the requirements of paragraphs 1 to 6 are implemented accordingly.

13. Final Provisions

1. The Parties agree that the defense of the right of retention by the Contractor within the meaning of § 273 of the German Civil Code (BGB) is excluded with respect to the data to be processed and the associated data carriers.
2. Amendments and supplements to this DPA must be made in electronic form.
3. In case of doubt, the provisions of this DPA shall take precedence over the provisions of the Main Contract. Should individual provisions of this DPA prove to be invalid or unenforceable in whole or in part or become invalid or unenforceable as a result of changes in legislation after the conclusion of the DPA, this shall not affect the validity of the remaining provisions. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision which comes as close as possible to the meaning and purpose of the invalid provision.
4. This DPA shall be governed by German law. The exclusive place of jurisdiction shall be the Contractor's registered office.

Annexes

• Annex 1 - Contract Specifications
• Annex 2 - Technical & Organizational Measures (Art. 32 GDPR)

Annex 1 – Contract Specifications

Subcontractors

Annex 2 – Technical & Organsational Measures

Pursuant to Article 32 of the GDPR, data controllers are obliged to take technical and organizational measures to ensure the security of the processing of personal data. Measures must be selected in such a way that, taken together, they ensure an appropriate level of protection. Against this background, this overview explains which concrete measures have been taken by the Contractor with regard to the processing of personal data in the specific case.