Data Processing Agreement

pursuant to Art. 28 Par. 3 General Data Protection Regulation

 

Preamble

This agreement sets out the data protection obligations of the contracting parties that arise from the commissioned processing described in detail below. It applies to all actions related to this contract and to all actions in which employees of the contractor, or persons commissioned by the contractor, process personal data (“data”) of the client.

 

1. Object and Period of Commission

(1) The object of the commission for data processing is the performance of the following tasks by the contractor: Services in connection with the implementation and utilization of the Product Information Management (PIM) software developed by EGGHEADS, in accordance with the regulations of the main contract.

(2) The duration of this commission (period) is equal to the period of the service agreement.

 

2. Specification of Commission Processing

Type and Purpose of the Planned Processing of Data
More specific description of the object of the commission regarding the type and purpose of the contractor's tasks:
Services in connection with the implementation and use of the Product Information Management (PIM) software developed by EGGHEADS, maintenance and support of the software, as well as training sessions and workshops.

Types of Data
The processing of personal data covers the following data types or categories (enumeration or description of data categories):
a. Personal master data
b. Communication data (e.g. phone, e-mail)
c. Credentials for Jira, EGGHEADS Help Center, website downloads
d. Credentials and editing/change history of users

Categories of Data Subjects
Categories of persons whose data is processed:
a. Customers
b. Employees
c. Contact persons

 

3. Technical Organizational Measures

(1) Before processing begins, the contractor shall document the implementation of the technical and organizational measures agreed upon prior to the commission, in particular with regard to the concrete performance of the commission, and hand the documentation over to the client for examination. Upon approval by the client, the documented measures shall form the basis of the commission. If the client's examination or audit reveals a need for amendment, it shall be implemented upon mutual agreement.

(2) The contractor shall ensure the security of processing pursuant to Art. 28 Par. 3 Lit. c and Art. 32 GDPR, in particular in relation to Art. 5 Par. 1 and Par. 2 GDPR. Overall, the measures to be implemented concern data security and the guarantee of a level of security appropriate to the risks involved, in particular with regard to confidentiality, integrity, availability, and system resilience. To this end, the state of the art, the implementation costs, the type, scope, and purpose of the processing, and the estimated probability and severity of the individual risks to the rights and freedoms of natural persons shall be taken into account pursuant to Art. 32 Par. 1 GDPR. [Details provided in the appendix of TOM below.]

(3) The technical and organizational measures are subject to technological progress and development. To this extent, the contractor may implement alternative measures equivalent to the agreed-upon measures. Such alternative measures shall not fall short of the security level of the defined measures. Essential amendments shall be documented.

 

4. Authorization, Restrictions, and Deletion of Data

(1) The contractor shall correct, delete, or restrict the processing of data processed as part of the commission only on the basis of documented instructions by the client, and not on their own authority. If a data subject communicates a request directly to the contractor, the contractor shall forward this request to the client immediately.

(2) To the extent that it is included in the scope of services, the contractor shall immediately ensure the deletion concept, the right to be forgotten, rectification, data portability, and the right to information on the basis of documented instructions by the client.

 

5. Quality Warranty and Other Obligations by the Contractor

In addition to the provisions concerning the commission, the contractor shall fulfil the legal obligations pursuant to Art. 28 to 33 GDPR; in particular, the contractor shall comply with the following:
a. Written appointment of a data protection officer who carries out their activities pursuant to Art. 38 and 39 GDPR. Their contact data shall be provided to the client for the purpose of direct communication. A replacement of the data protection officer shall be communicated to the client immediately.
b. The contractor has appointed Mr. Jürgen Golda, P2Consult, datenschutzbeauftragter@eggheads.de, as data protection officer. A replacement of this data protection officer shall be communicated immediately.
c. Protection of confidentiality pursuant to Art. 28 Par. 3 S. 2 Lit. b, Art. 29, and Art. 32 Par. 4 GDPR. The contractor shall only assign employees to the work who are bound to confidentiality and who have been informed about the data protection regulations relevant to them. The contractor and every person employed by the contractor who is granted access to personal data shall process such data only as instructed by the client, including the permissions granted in this contract, unless they are legally obligated to process such data.
d. The implementation and maintenance of all technical and organizational measures required for this contract pursuant to Art. 28 Par. 3 S. 2 Lit. c GDPR. [Details provided in the appendix of TOM below.]
e. The client and the contractor shall cooperate in fulfilling their tasks upon request by supervisory authorities.
f. Immediate communication to the client of control actions and measures by supervisory authorities, to the extent that they concern this commission. This also applies to administrative offence and criminal proceedings by relevant authorities in relation to personal data that is subject to investigation as part of the commission processing by the contractor.
g. To the extent that the client is subject to control by supervisory authorities, an administrative offence or criminal proceeding, a liability claim by a data subject or third party, or any other claim in relation to the commission processing by the contractor, the contractor shall support the client to the best of their ability.
h. The contractor checks the internal processes as well as the technical and organizational measures at regular intervals in order to ensure that the processing under their responsibility complies with the requirements of applicable data protection law and that the protection of the rights of the data subjects is guaranteed.
i. Proof of the implemented technical and organizational measures to the client within the client's supervisory power pursuant to Section 7 of this contract.

 

6. Subcontractor (Further Commission Processors)

(1) Sub-contractual relations within the meaning of this provision are services which relate directly to the performance of the main service. Not included are supplementary services which the contractor uses, for example telecommunication services, mailing and transport services, maintenance and user support services, the disposal of data storage devices, and other services to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems. However, even when outsourcing supplementary services, the contractor is obligated to ensure the protection and security of the client's data through appropriate contractual agreements and control measures in conformity with the law.

(2) A sub-contractual relationship is established when the contractor commissions further subcontractors with all or part of the services agreed upon in this contract. The contractor shall conclude appropriate agreements with these third parties to the extent required to ensure data protection and information security measures. Where required, the involvement of sub-contractors shall be announced prior to the assignment of activities.

(3) Prior to the involvement of further sub-contractors or the replacement of existing sub-contractors, the contractor shall request the consent of the client; the client shall not refuse consent without a significant reason under data protection law.

(4) If the contractor transfers tasks to sub-contractors, the contractor shall also pass on their data protection obligations under this contract to the sub-contractor.

 

7. Control Rights of the Client

(1) The client has the right, after consultation with the contractor, to carry out examinations or to have them carried out by an examiner designated on an individual basis. The client has the right to carry out spot checks, which shall be announced in advance, in order to satisfy themselves that the contractor complies with this agreement in their business operations.

(2) The contractor shall guarantee that the client can satisfy themselves of the contractor's compliance with the obligations pursuant to Art. 28 GDPR. The contractor is obligated to provide the client with the required information on demand, in particular concerning the implementation of the technical and organizational measures.

(3) Proof of measures which do not concern only the specific commission may be provided in the form of compliance with approved codes of conduct pursuant to Art. 40 GDPR.

(4) For enabling controls by the client, the contractor shall be entitled to claim remuneration.

 

8. Communication of Breaches by the Contractor

(1) The contractor shall support the client in fulfilling the obligations pursuant to Art. 32 to 36 GDPR concerning the security of personal data, the obligation to report personal data breaches, data protection impact assessments, and prior consultation. Among other things, this includes:
a. Guaranteeing an adequate level of security through technical and organizational measures, which take into account the circumstances and purposes of the processing as well as the predicted probability and severity of possible breaches of the law resulting from security vulnerabilities, and which enable the immediate detection of relevant data breach events.
b. The obligation to report a personal data breach to the client immediately.
c. The obligation to support the client in their obligation to inform the data subjects and to provide the client immediately with all relevant information in this context.
d. Support for the client in their data protection impact assessment.
e. Support for the client in prior consultations with the supervisory authorities.

(2) For support services not included in the description of services, or which are not attributable to misconduct by the contractor, the contractor may request remuneration.

 

9. Managerial Authority of the Client

(1) Oral instructions shall be confirmed immediately by the client (at least in written form).

(2) The contractor shall immediately inform the client if they are of the opinion that an instruction breaches data protection law. The contractor is entitled to suspend the performance of the instruction until the client confirms or modifies it.

 

10. Deletion and Return of Personal Data

(1) No copies or duplicates of data shall be created without the prior knowledge of the client. This excludes backup copies to the extent that they are required to ensure proper data processing, as well as data which is subject to a legal obligation to retain records.

(2) After completion of the contractual tasks, or earlier upon request by the client – at the latest upon termination of the service agreement – the contractor shall hand over all documents, processing and usage results created, and data records related to this commission contract, or, upon mutual agreement, delete them in a manner that complies with data protection law. The same applies to test and scrap material. The corresponding deletion log shall be handed over upon request.

(3) Documentation serving as proof of proper data processing in compliance with the commission shall be retained by the contractor beyond the termination of the contract for the respective statutory retention period. The contractor may transfer the documentation to the client to discharge this obligation.

 

11. Information Obligation, Written Form Clause, Choice of Law and Jurisdiction

(1) If the client's data stored by the contractor is threatened by seizure or confiscation, by insolvency or settlement proceedings, or by any other event or measure by third parties, the contractor shall inform the client immediately. In this context, the contractor shall immediately inform all persons involved that the power of disposition and ownership of the data are held by the client as the “controller” pursuant to the GDPR.

(2) Modifications and supplements to this appendix and any of its parts – including all warranties by the contractor – require a written agreement, which may also be provided in electronic form (text form), with an explicit note that it concerns a modification or supplement of these conditions. This also applies to a waiver of this form requirement.

(3) In the event of contradictions, the provisions of this appendix take priority over the provisions of the contract. If individual parts of this appendix are legally void, the remainder of the appendix shall retain its legal effect.

 

Appendix TOM – Technical Organizational Measures

1. Confidentiality (Art. 32 Par. 1 Lit. b GDPR)

(1) Entry Control (physical access):
Servers are operated in a class 3 data centre with IDW PS 951 type 2, ISO 27001 certification, and a TISAX certificate. Access to the servers is only possible when accompanied by the operator.

(2) Access Control (system access):
Prevention of unauthorized system use, e.g. by passwords, firewalls, mobile device management, and encryption of data storage devices.

(3) Action Control (data access):
Prevention of unauthorized reading, copying, modification, or deletion within systems, e.g. by a roles and rights concept, user-based access control, and encryption of data storage devices.

(4) Separation Control:
Separate processing of data collected for different purposes, e.g. multitenancy.

(5) Pseudonymization (Art. 32 Par. 1 Lit. a GDPR; Art. 25 Par. 1 GDPR):
Separation of master data about clients from the related commission data.

 

2. Integrity (Art. 32 Par. 1 Lit. b GDPR)

(1) Transfer Control:
Prevention of unauthorized reading, copying, modification, or deletion during electronic transfer or transport, e.g. by encryption and virtual private networks (VPN).

(2) Input Control:
Measures for documenting whether and by whom personal data is added, edited, modified, or deleted in data processing systems, e.g. logging.

 

3. Availability and Resilience (Art. 32 Par. 1 Lit. b GDPR)

(1) Availability Control:
Protection against accidental or malicious destruction or loss. Backups are carried out according to the 3-2-1 backup rule. Virus protection and a firewall are in use; reporting channels and emergency plans have been established.

(2) Ensuring quick data recovery (Art. 32 Par. 1 Lit. c GDPR).

 

4. Process for Regular Testing, Assessing, and Evaluation (Art. 32 Par. 1 Lit. d GDPR; Art. 25 Par. 1 GDPR)

(1) Carrying out regular internal audits.

(2) Data protection by design and default.

(3) Commission Control. No commissioned processing pursuant to Art. 28 GDPR shall be carried out without corresponding instructions by the client, e.g. clear contract drafting, separate instructions in text form, careful selection of service providers, and follow-up controls.

 

eggheads GmbH – Data Processing Agreement (Status: 01.10.2024)