Contract for order processing
Within the meaning of Art. 28 Para. 3 GDPR
Muster GmbH
Musterstr. 1
12345 Musterstadt
hereinafter „client“
and
Maisonpure GmbH
Bismarckstr 55
41747 Viersen
hereinafter „Maisonpure GmbH“
1. General provisions and subject matter of the contract
1.1 The subject of this contract is the processing of personal data on behalf of Maisonpure GmbH (Art. 28 GDPR). The responsible party within the meaning of Article 4 No. 7 GDPR is the client.
1.2 Content of the order, categories of data subjects and types of data as well as the purpose of the agreement can be found in Appendix 1.
1.3 The processing of data by Maisonpure GmbH takes place exclusively in the territory of the Federal Republic of Germany, a member state of the European Union or a contracting state to the EEA Agreement. Processing outside of these countries only takes place under the conditions of Chapter 5 of the GDPR (Art. 44 ff.) and with the prior consent or instructions of the client.
2. Contract term and termination
This contract is concluded for an indefinite period and can be terminated by either party with three months' notice. The right to extraordinary termination for good cause remains unaffected. If and to the extent that the data described in Appendix 1 continues to be processed after termination of this contract, this contract continues to apply to this processing until the processing is terminated.
3. Instructions from the client
3.1 The client has a comprehensive right to give instructions regarding the type, scope and modalities of data processing. Maisonpure GmbH will inform the client immediately if Maisonpure GmbH is of the opinion that an instruction from the client violates legal regulations. If an instruction is issued whose legality Maisonpure GmbH doubts for objectively understandable reasons, Maisonpure GmbH is entitled to temporarily suspend its execution until the client expressly confirms or changes it again. If there is a possibility that Maisonpure GmbH will be exposed to a liability risk by following the instructions or that it will be threatened with other damages, the implementation of the instructions can be suspended until the internal liability has been clarified - or until the client has granted other appropriate security to prevent damages to Maisonpure GmbH.
3.2 Processing that deviates from the instructions or without instructions of the client is only permitted if Maisonpure GmbH is obliged to process data under the law of the European Union or the member states to which the processor is subject. In the event of such processing, Maisonpure GmbH will immediately inform the client about any intended or already initiated processing, unless the relevant law of the European Union or the Member State prohibits such notification due to important public interest; in this case, notification will be made immediately as soon as the legal obstacles no longer exist.
3.3 Instructions must generally be given in writing or in an electronic format (e.g. by email). Oral instructions are permissible in justified individual cases and will be confirmed by the client immediately in writing or in an electronic format. The confirmation must expressly state why instructions could not be given in text form. The client must document the person, date and time of the oral instructions in an appropriate form.
3.4 At the request of Maisonpure GmbH, the client names one or more persons authorized to give instructions. Maisonpure GmbH must be notified of any personnel changes immediately.
4. Control powers of the client
4.1 The client is entitled to check compliance with the legal and contractual regulations on data protection and data security before the start of data processing and regularly, to the extent necessary, during the term of the contract. Maisonpure GmbH must enable and contribute to these checks - including inspections - which are carried out by the client or another inspector commissioned by the client.
4.2 The client must ensure that the control measures are proportionate and do not lead to excessive disruption to business operations. As a rule, an examination should only take place after prior registration, unless prior registration would jeopardize the purpose of the inspection. If the client appoints an inspector, he must not be in direct competition with Maisonpure GmbH.
4.3 The results of the checks must be recorded in an appropriate manner by the client.
4.4 Maisonpure GmbH undertakes to provide the client with all necessary information to prove compliance with the obligations set out in Article 28 GDPR.
5. General obligations of Maisonpure GmbH
5.1 The processing of the contractual data by Maisonpure GmbH is carried out exclusively on the basis of the contractual agreements in conjunction with any instructions given by the client. Processing deviating from this is only permitted if Maisonpure GmbH is obliged to process data under the law of the European Union or the member states. In the event of such processing, Maisonpure GmbH will immediately inform the client of any intended or already initiated processing, unless the relevant European Union or Member State law prohibits such notification due to important public interest; in this case, notification will be made immediately as soon as the legal obstacles no longer exist.
5.2 Maisonpure GmbH must ensure that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal obligation of confidentiality (Art. 28 Para. 3 lit. b GDPR). Before submitting to the obligation of confidentiality, the persons concerned may not have access to the personal data provided by the client.
6. Technical and organizational measures
Maisonpure GmbH has defined suitable technical and organizational measures to ensure an appropriate level of protection and has recorded these in Appendix 2 of this contract. The measures described there were selected taking into account the requirements of Art. 32 GDPR. Maisonpure GmbH will review and adapt the technical and organizational measures regularly and as needed.
7. Maisonpure GmbH’s support obligations
7.1 Maisonpure GmbH undertakes in accordance with Article 28 Paragraph 3 Letter e of the GDPR to support the client, taking into account the nature of the agreement, with appropriate technical and organizational measures, if possible, in fulfilling the client's obligation to respond to requests to exercise the rights of the data subjects listed in Chapter III, Articles 12 - 22 of the GDPR. This applies in particular to the provision of information and the deletion, correction or restriction of personal data.
7.2 Maisonpure GmbH will also support the client in accordance with Article 28 Paragraph 3 Letter f of the GDPR with its obligations under Articles 32-36 of the GDPR (in particular reporting obligations). The scope of these support obligations is determined in each individual case, taking into account the type of processing and the information available to Maisonpure GmbH.
8. Use of sub-processors (subcontractors)
8.1 Maisonpure GmbH is entitled to use sub-processors (subcontractors). All subcontractor relationships of Maisonpure GmbH that already existed at the time the contract was concluded are attached to this contract in Appendix 3. For the subcontractors listed in Appendix 3, consent is deemed to have been given upon conclusion of this contract.
8.2 If Maisonpure GmbH intends to use additional subcontractors, Maisonpure GmbH will notify the client of this in writing or electronic form in good time - but no later than two weeks - before their use. After this notification, the client has two weeks to object to the involvement of the subcontractor(s). If no objection is made within this period, the involvement of the subcontractor(s) is deemed approved. In urgent cases (e.g. if error analyses or defect eliminations are required at short notice), Maisonpure GmbH can shorten the notification and objection period for subcontractors appropriately. If an objection is made in a timely manner, the affected subcontractors may not be used. Objections are only permitted if there is an objective reason, which must be included in the notification of objection.
8.3 Subcontractors are selected by Maisonpure GmbH in compliance with the legal and contractual requirements. All contracts between the processor (Maisonpure GmbH) and sub-processors (subcontractors) must comply with the legal regulations regarding the processing of personal data in the order; this applies in particular to the implementation of suitable technical and organizational measures in accordance with Art. 32 GDPR in the subcontractor's operations. Ancillary services that Maisonpure GmbH uses to carry out business activities do not constitute subcontracting relationships within the meaning of Art. 28 GDPR. Ancillary activities in this sense include, in particular, telecommunications services without a specific connection to the main service, postal and transport services as well as other measures that are intended to ensure the confidentiality and/or integrity of the hardware and software and have no specific connection to the main service. However, Maisonpure GmbH will also ensure compliance with statutory data protection standards for these third-party services (in particular through appropriate confidentiality agreements).
8.4 All contracts between Maisonpure GmbH and the sub-processor (subcontractor contracts) must meet the requirements of this contract and the legal regulations regarding the processing of personal data on behalf of the contract.
8.5 Commissioning subcontractors in third countries is only permitted if the legal requirements of Article 44 ff. GDPR are met and the client has agreed.
9. Notification obligations of Maisonpure GmbH
9.1 Violations of this contract, of the client's instructions or of other data protection regulations must be reported to the client immediately; the same applies if there is reasonable suspicion. This obligation applies regardless of whether the violation was committed by Maisonpure GmbH itself, a person employed by Maisonpure GmbH, a subcontractor or another person employed by Maisonpure GmbH to fulfill contractual obligations.
9.2 If a data subject, an authority or another third party requests Maisonpure GmbH for information, correction, restriction of processing or deletion, Maisonpure GmbH will immediately forward the request to the client and coordinate further action with him.
9.3 Maisonpure GmbH will inform the client immediately if supervisory actions or other measures by an authority are imminent, which could also affect the processing, use or collection of the personal data provided by the client. In addition, Maisonpure GmbH must immediately inform the client of all events or measures taken by third parties that could jeopardize or impair the contractual data.
10. Termination of contract, deletion and return of data
Maisonpure GmbH undertakes, after completion of the provision of the processing services, to either delete or return all contractual personal data at the choice of the client and to delete the existing copies, unless there is an obligation to store the personal data under Union law or the law of the Member States.
11. Data secrecy and confidentiality
Maisonpure GmbH is obliged to treat personal data obtained as part of this contractual relationship confidentially for an unlimited period and beyond the end of this contract. In particular, Maisonpure GmbH must take appropriate measures to ensure that the data provided to it relating to the order is not disclosed to unauthorized third parties; within its company, it must take appropriate measures to ensure that the contractual data is only disclosed to those people who need the data to fulfill their tasks (need-to-know principle). Maisonpure GmbH undertakes to familiarize employees with the relevant data protection regulations and confidentiality rules and to oblige them to maintain confidentiality before they start working at Maisonpure GmbH.
12. Liability
12.1 Maisonpure GmbH is not liable to the client internally if the data processing/measure that triggers liability was carried out as a result of an instruction from the client. The same applies to measures that have been agreed with the client (e.g. TOMs according to Art. 32 GDPR). It also counts as coordination if a regulation was added to this contract at the request of the client.
12.2 The client must ensure that the original collection of the data processed in the order is carried out lawfully. In particular, he must obtain any necessary consent completely and correctly. If a claim is made against Maisonpure GmbH externally due to a breach of this obligation, the client is liable to Maisonpure GmbH internally and will indemnify Maisonpure GmbH from any damage that may arise.
12.3 Otherwise, the statutory liability regulations (in particular Art. 82 GDPR) remain unaffected.
13. Final provisions
13.1 Changes to this contract and additional agreements must be in written or electronic form, which clearly indicates what changes or additions to these conditions are to be made by them.
13.2 If the contracting parties are merchants, legal entities under public law or special funds under public law, the registered office of Maisonpure GmbH is the place of jurisdiction for all disputes arising from this contract; exclusive places of jurisdiction remain unaffected.
13.3 If the GDPR or other referenced legal regulations change during the term of the contract, the references here also apply to the respective successor regulations.
13.4 Should individual parts of this agreement be or become invalid, the validity of the remaining provisions remains unaffected.
13.5 All appendices to this contract are part of the contract.
Place, date Signature (client)
Place, date Signature (Maisonpure GmbH)