Data Processing Agreement for Linkando Cloud Services
1. Introduction, scope, definitions
- This document („Data Processing Agreement for Linkando Cloud Services“) is incorporated into the agreement between Linkando GmbH, Ostbahnstr. 17, 76829 Landau, Germany (“Linkando” or „Contractor“) and the customer („Customer“) and is part of the Terms of Use for the Linkando Portal (also agreed in electronic form between Linkando and the Customer, hereinafter referred to as the Main Agreement. This data processing agreement governs the rights and obligations of the Contractor and the Customer (hereinafter referred to as the „Parties“) in the context of a processing of personal data on behalf of Contractor by Linkando and its sub-service providers in connection with the provision of Cloud Services.
- Appendices 1 and 2 form an integral part of this data processing agreement. They specify the technical and organizational measures to be applied as well as the approved sub-service providers.
- This agreement governs the rights and obligations of the parties in the context of the processing of personal data on behalf of Client. This agreement shall apply to all activities in which employees of Contractor or sub-service providers commissioned by Contractor process personal data on behalf of the Client.
- Terms used in this agreement are to be understood as defined in the EU General Data Protection Regulation. In this sense, the Client is the „responsible person“, the Contractor is the „Processor“. Insofar as declarations are to be made „in writing“ below, the written form is meant in accordance with Section 126 of the German Civil Code (BGB). Furthermore, declarations may also be made in other forms, provided that adequate verifiability is guaranteed.
2. The subject-matter and duration of the processing
2.1. Subject
The Contractor undertakes the following processing:
- E-mail communication
- Customer management
- Website operation
- Contact Forms
- Chat Tool
- Video Conferences
- Cloud rooms
The processing is based on the existing Main Agreement between the parties.
2.2. Duration
Processing begins together with the Main Agreement and is effected for an indefinite period until the termination of this agreement or the Main Agreement by any party.
3. Nature, purpose and subjects of data processing:
3.1. Type of processing
Processing includes the following: collection, organization, ordering, storage, adaptation or modification, reading, querying, use, disclosure by transmission, dissemination or any other form of provision, matching or linking, restriction, erasure or destruction of data.
3.2. Purpose of processing
The purpose of the processing is to:
Provide the Linkando Cloud Platform to the Customer and the associated commercial processing and provision of end-user support.
3.3. Type of data
The following data is processed:
- Title
- First and last name
- Email address
- Address
- Communication data
- Usage data (IP addresses, login time, login name)
3.4. Categories of data subjects
Affected by Processing are:
- Clients of the customer
- Interested parties of the Customer
- Employees of the Customer
4. Contractor’s obligations
- The Contractor processes personal data exclusively as contractually agreed or as instructed by the Customer unless Contractor is legally obliged to perform a specific processing. If such obligations exist for him, the Contractor shall inform the Customer of these obligations before processing, unless the notification is prohibited by law. In addition, the Contractor shall not use the data provided for processing for any other purpose, in particular for its own purposes.
- The Contractor confirms that he is aware of the relevant general data protection regulations. It shall respect the principles of proper data processing.
- The Contractor undertakes to strictly respect confidentiality during processing.
- Persons who may become aware of or have access to the data processed on behalf of the Customer must undertake in writing to maintain confidentiality, unless they are already subject to a relevant obligation of confidentiality by law.
- The Contractor warrants that the persons employed by him for processing have been familiarized with the relevant provisions of data protection and this agreement prior to the commencement of the processing. Appropriate regular training and awareness-raising activities shall be regularly repeated. The Contractor shall ensure that persons employed in order processing are constantly adequately guided and monitored in order to comply with data protection requirements.
- In connection with the commissioned processing, Contractor shall assist the Customer, where necessary, in the fulfilment of its data protection obligations, in particular in the preparation and updating of the list of processing activities, in carrying out the data protection impact assessment and in a necessary consultation of the supervisory authority. The required information and documentation must be kept and forwarded to the Customer without delay upon request.
- If the Customer is subject to a check by supervisory authorities or other bodies or data subjects assert rights against him, Contractor undertakes to support the Customer to the extent necessary, insofar as the processing is affected according to the order.
- The Contractor may only provide information to third parties or the parties concerned with the prior consent of the Customer. He will immediately forward any enquiries addressed directly to him to the Client.
- To the extent required by law, the Contractor shall appoint an expert and reliable person as a data protection officer. It is necessary to ensure that there are no conflicts of interest for the Trustee. In case of doubt, the Customer may contact the data protection officer directly. The Contractor shall immediately inform the Customer of the contact details of the data protection officer or explain why no agent has been appointed. Changes in the person or the internal tasks of the agent shall be communicated by the Contractor to the Customer without delay.
- Order processing takes place exclusively within the EU or the EEA.
- If the Contractor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Article 27 of the General Data Protection Regulation. The contact details of the contact person as well as any changes in the person of the contact person must be communicated to the Customer without delay.
5. Safety of processing
- The data security measures described in Annex 1 shall be defined as binding and define the minimum due by the Contractor. The description of the measures must be made in such detail that it is clear to a competent third party at all times, on the basis of the description alone, what the minimum due should be. A reference to information that cannot be directly extracted from this Agreement or its annexes is not permitted.
- The data security measures can be adapted according to the technical and organizational development, as long as the level agreed here is not undercut. Changes necessary to maintain information security shall be implemented without delay by the Contractor. The Customer must be notified of the changes without delay. Substantial changes must be agreed between the parties.
- Insofar as the security measures taken do not or no longer meet the requirements of the Customer, the Contractor shall immediately notify the Client.
- The Contractor warrants that the data processed on the order will be strictly separated from other data.
- Copies or duplicates will not be made without the knowledge of the Customer. Technically necessary temporary reproductions are excluded, insofar as an impairment of the data protection level agreed here is excluded.
- The processing of data in private homes is permitted. Insofar as such processing takes place, the Contractor shall ensure that a level of data protection and data security corresponding to this agreement is maintained and that the control rights of the Customer specified in this agreement can be exercised without restriction in the private dwellings concerned. The processing of data on private devices is not permitted under any circumstances.
- Dedicated data carriers that originate from the Customer or are used for the Customer are specially marked and are subject to ongoing management. They must be kept appropriately at all times and may not be accessible to unauthorized persons. Inputs and outputs are documented.
- The Contractor shall provide regular proof of the fulfilment of his obligations, in particular the full implementation of the agreed technical and organisational measures and their effectiveness.
6. Rules for the correction, deletion and blocking of data
- Data processed within the scope of the order will only be corrected, deleted or blocked by the Contractor in accordance with the contractual agreement made or under the instructions of the Customer.
- The Contractor will comply with the corresponding instructions of the Customer at any time and beyond the termination of this agreement.
7. Sub-service provider Agreements
- Sub-service providers shall be used at the discretion of Contractor, provided that Contractor informs the Customer in advance (by email or by posting on the support portal) of any planned additions or replacements within the list of Sub-service providers and that Customer may object to such changes in accordance with the following provisions. The Contractor shall carefully select the sub-service provider with particular regard to the suitability of the technical and organizational measures taken by the sub-service provider.
- If the Customer has a justified reason under data protection law to object to the processing of personal data by the new sub-service provider, it may terminate the Agreement by written notice to the Contractor with effect from a date specified by the Customer, but no later than thirty days after the date of the Contractor’s notification to the Customer of the new sub-service provider. If the Customer does not terminate the agreement within this period of thirty days, the new sub-service provider shall be deemed approved by the Customer.
- Within the thirty-day period from the date of the Contractor’s notice to the Customer informing the Customer of the new sub-service provider, the Customer may request that the parties meet in good faith to discuss a resolution of the conflict. Such discussions shall not extend the notice period and shall not affect Contractor’s right to take the new sub-service providers into service after the expiration of the thirty-day period. Any termination under this section shall be deemed by both parties to be without fault and subject to the terms of the Agreement.
- The assignment of sub-service providers who do not carry out processing in the territory of the EU or the EEA is only possible if the conditions set out in Chapters 4 (10) and (11) of this agreement are observed. In particular, it is only permitted to the extent and as long as the sub-service provider provides adequate data protection guarantees. The Contractor shall inform the Customer of the specific data protection guarantees offered by the sub-service provider and how to obtain proof of this. Insofar as currently valid standard contractual clauses are used as reasonable guarantees on the basis of a decision of the EU Commission (e.g. in accordance with Commission Decision 2010/87/EU) or standard data protection clauses in accordance with Art. 46 GDPR, the Customer authorises the Contractor, exempt from the prohibition of double representation in accordance with Section 181 of the German Civil Code (BGB), to take all necessary actions and to make and receive declarations of intent to the sub-service provider. Furthermore, the Contractor is entitled to exercise the rights and powers of the Customer under this Agreement vis-a-vis the sub-service provider.
- The Contractor shall adequately verify compliance with the sub-service provider’s obligations on a regular basis, at the latest every 12 months. The examination and its results must be documented in such a meaningful way that they are comprehensible to a competent third party. The documentation must be submitted to the Customer without request. The Contractor shall keep the documentation of the tests carried out at least until the end of the third calendar year following the end of the order processing and shall submit it to the Customer at any time upon request.
- If the sub-service provider fails to fulfil its data protection obligations, the Contractor shall be liable to the Customer for this.
- At present, the sub-service providers referred to in Appendix 2 with their name, address and content of the agreement are engaged in the processing of personal data to the extent specified therein and approved by the contracting authority. The other obligations of the Contractor towards sub-service providers as set out here remain unaffected.
- Subcontracting relationships within the meaning of this agreement are only those services which have a direct connection with the provision of the main service. Ancillary services such as transport, maintenance and cleaning as well as the use of telecommunications services or user services are not covered. The obligation of the Contractor to ensure compliance with data protection and data security in these cases remains unaffected.
8. Rights and obligations of the Client
- The Customer is solely responsible for assessing the admissibility of the commissioned processing and for safeguarding the rights of data subjects.
- The Customer shall issue all orders, partial orders or instructions in documented form. In urgent cases, instructions may be issued verbally. The Customer shall confirm such instructions immediately in a documented manner.
- The Customer shall inform the Contractor immediately if he finds errors or irregularities in the examination of the results of the order.
- The Customer is entitled to check compliance with the provisions on data protection and contractual agreements with the Contractor to an appropriate extent itself or by third parties, in particular by obtaining information and inspecting the stored data and the data processing programs as well as other on-site checks. The persons entrusted with the control must be provided by the Contractor with access and insight as far as necessary. The Contractor is obliged to provide the necessary information, to demonstrate procedures and to provide evidence necessary to carry out a check. The Contractor is entitled to refuse checks by third parties insofar as they are in a competitive relationship with him or if there are similarly important reasons.
- Checks must be carried out on the Contractor without any avoidable disruption to his business operations. Unless otherwise indicated by the Customer for urgent reasons to be documented, checks shall be carried out after reasonable prior notice and during the Contractor’s business hours, and no more frequently than every 12 months. Insofar as the Contractor provides proof of the correct implementation of the agreed data protection obligations as provided for in Chapter 5 (8) of this agreement, a check shall be limited to samples.
9. Notification obligations
- The Contractor shall immediately notify the Customer of breaches of the protection of processed personal data on behalf of the Contractor. Well-founded cases of suspicion must also be reported. The notification must be made to an address designated by the Customer no later than 24 hours from the knowledge of the Contractor of the relevant event. It must contain at least the following information:
- a description of the nature of the breach of the protection of personal data, where possible, indicating the categories and the approximate number of data subjects, the categories concerned and the approximate number of personal data sets concerned;
- the name and contact details of the Data Protection Supervisor or any other point of contact for further information;
- a description of the likely consequences of the breach of the protection of personal data;
- a description of the measures taken or proposed by the Contractor to remedy the breach of the protection of personal data and, where appropriate, measures to mitigate their potential adverse effects.
- Also without delay, significant disturbances in the execution of the order as well as violations of data protection regulations or the provisions of this agreement by the Contractor or the persons employed by him must be notified without delay.
- The Contractor shall inform the Customer without delay of checks or measures taken by supervisory authorities or other third parties insofar as they have references to the processing of the order.
- The Contractor undertakes to assist the Customer in its obligations under Articles 33 and 34 of the General Data Protection Regulation to the extent necessary.
10. Instructions
- The Customer reserves a comprehensive right of instruction with regard to the processing according to the order.
- The contracting authority and the Contractor shall designate the persons authorised to issue and accept instruction. Unless persons authorised to give instructions are named, only the persons authorised to represent the respective party shall be authorised to give instructions.
- In the event of a change or a longer-term prevention of the designated persons, the other party shall be informed immediately of its successor or representative.
- The Contractor shall immediately draw the Client’s attention to this if he believes that an instruction given by the Customer violates legal regulations. The Contractor is entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the controller at the Client.
- The Contractor shall document instructions given to him and their implementation.
11. Termination of the order
- If, at the end of the agreement, data processed in the order or copies thereof are still in the power of the Contractor, the Contractor must either destroy the data or hand over the data to the Customer at the Client’s discretion. The Customer must make the choice within 2 weeks of the corresponding request by the Contractor. The destruction must be carried out in such a way that it is no longer possible to recover residual information with reasonable effort. Physical destruction takes place in accordance with DIN 66399.
- The Contractor is obliged to bring about the immediate destruction or return also with sub-service providers.
- The Contractor shall provide proof of proper destruction and submit it to the Customer without delay.
- Documentation intended to prove the proper processing of data shall be kept by the Contractor at least until the end of the third calendar year after the end of the agreement. He may hand them over to the Customer for his discharge.
12. Liability
- The Customer and the Contractor shall be jointly and severally liable for compensation for damages suffered by a person as a result of improper or incorrect data processing within the scope of the contractual relationship.
- The Contractor bears the burden of proof that damage is not the result of a circumstance for which he is responsible, insofar as the relevant data were processed by him under this agreement. As long as this proof has not been provided, the Contractor shall, upon first request, hold free the Customer from all claims made against the Customer in connection with the processing of the order. Under these conditions, the Contractor shall also reimburse the Customer for all costs incurred in legal defence.
- The Contractor shall be liable to the Customer for damages that the Contractor, his employees or the agents entrusted by him with the performance of the agreement or the sub-service providers employed by him in connection with the provision of the contracted contractual service culpably cause.
- Numbers (2) and (3) shall not apply if the damage has been caused by the correct implementation of the commissioned service or an instruction given by the Client.
13. Special right of termination
- The Customer may terminate the Main Agreement and this Agreement at any time without notice („Extraordinary Termination“) if there is a serious breach of the Contractor’s data protection rules or the provisions of this Agreement, if the Contractor cannot or will not execute a lawful instruction of the Customer or if the Contractor refuses control rights of the Customer in breach of contract.
- A serious infringement shall be in particular where the Contractor has not fulfilled or has not fulfilled to a significant extent the obligations specified in this agreement, in particular the agreed technical and organisational measures.
- In the event of minor infringements, the Customer shall set a reasonable period of time for the Contractor to remedy the situation. If the remedy is not made in due time, the Customer is entitled to extraordinary termination as described in this section.
- The Contractor shall reimburse the Customer for all costs incurred by the Contractor as a result of the premature termination of the Main Agreement or this agreement as a result of an extraordinary termination by the Contractor.
14. Other
- Both parties are obliged to treat confidentially all knowledge of trade secrets and data security measures acquired within the framework of the contractual relationship, including the termination of the Main Agreement. If there are doubts as to whether information is subject to the obligation of confidentiality, it shall be treated as confidential until written release by the other party.
- Should the property of the Customer be endangered by third-party measures (e.g. seizure), insolvency or settlement proceedings or other events, the Contractor must notify the Customer without delay.
- For ancillary agreements, the written form and the express reference to this Agreement are required.
- The objection of the right of retention in the terms of section 273 of the German Civil Code (BGB) is excluded with regard to the data processed in the order and the associated data carriers.
- Should individual parts of this Agreement be ineffective, this shall not affect the validity of the remainder of the Agreement.
Appendix 1 – Technical and organisational measures
See document: Technical and organisational measures
Appendix 2 – Approved sub-service providers
Company | Address | Services Provided |
---|---|---|
Host Europe | Hansestraße 111 51149 Cologne | data centre space and operation, mainly for staging environments. Datadock Computational Centre (1 Rue du Havre, 67100 Strasbourg, France) |
Microsoft Azure | Microsoft Deutschland GmbH. Walter-Gropius-Straße 5. 80807 Munich | data centre space and operation. Cloud data centre „Germany, West-Mitte“ (based in Frankfurt) |
Vonage / Nexmo | 25 Canada Square Level 37, London, England, E14 5LQ | Video conference technology provider |
Saecon GmbH | Im Ferning 39b, 76275 Ettlingen, Germany | User support, selective (not for all customers) |