Agreement for Data Processing (“DPA”) according to GDPR

Table of Content

1. Subject Matter of the contract
2. Scope, nature and purpose of data processing, and the types of data
3. Technical and organizational measures for data security
4. Correction, deletion and blocking of data, data subject rights
5. Duties of the Contractor and Controls to be Performed
6. Subcontracting Relationships
7. Control Rights of the Customer and Cooperation Obligations of the Contractor
8. Violations of the Contractor to be reported
9. Obligations of the Client
10. Deletion of data after termination of the contract
11. Remuneration
Annex 1
Annex 2
Annex 3

between

Client

and

Labforward GmbH, Elsenstr 106, 12435 Berlin, Germany

Contractor

 

Preamble

The Contractor processes personal data on behalf of the Client within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR). This contract regulates the rights and obligations of the parties in connection with the processing of personal data.

Insofar as the term “data processing” or “processing” (of data) is used in this contract, the definition of “processing” within the meaning of Art. 4 No. 2 GDPR shall apply.

__________________________________________________________________________________________________________________________________________

1. Subject Matter of the contract

1.1 The subject matter of the contract is the execution of the contract concluded between the parties on the use of the Labforward On-Premises Software Products by the Customer (the “Main Contract”).

1.2 The contract is concluded for an indefinite period of time. It shall end with the Main Contract without the need for termination.

1.3 The right to terminate for cause shall remain unaffected.

1.4 This Agreement shall not apply to the extent that personal data is processed within the scope of a free or trial version of Labforward Software Products in accordance with the provisions of the main contract.

1.5 Furthermore, the Parties agree that previous contracts for commissioned data processing shall be terminated by mutual consent upon the entry into force of this Agreement.

__________________________________________________________________________________________________________________________________________

2. Scope, nature and purpose of data processing, and the types of data

2.1 The Contractor is obliged to process the personal data provided to it exclusively for the purpose of providing the contractually agreed service.

2.2 The Contractor shall be permitted to create intermediate, temporary or duplicate files required for procedural and security reasons for the processing or use of the Personal Data in accordance with the performance, provided that this does not result in a transformation of the content. The Contractor is not permitted to make unauthorized copies of the Personal Data.

2.3 The types of personal data are listed under letter B. of Annex 1.

2.4 The group of data subjects is listed under letter C. of Annex 1.

2.5 Further details on the scope, nature and purpose of the collection, processing or use of the data are set out in the main contract referred to under § 1 and the data protection declaration referred to under § 1.

__________________________________________________________________________________________________________________________________________

3. Technical and organizational measures for data security

3.1 The Contractor is obligated to implement technical and organizational measures in an appropriate proportion to the intended protective purpose. In doing so, a level of protection appropriate to the risk shall be ensured, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons. This includes in particular the requirements of Art. 32 GDPR.

3.2 The status of the technical and organizational measures existing at the time of the conclusion of the contract is attached as Annex 2 to this contract. The parties agree that changes to the technical and organizational measures may become necessary in order to adapt to technical and legal circumstances.

3.3 Changes which may affect the integrity, confidentiality or availability of the personal data or which may entail a negative change in the risks to the rights and freedoms of the data subjects affected by the processing shall be coordinated by the Contractor with the Client in advance. Measures that only entail minor technical or organizational changes and do not negatively affect the integrity, confidentiality and availability of the personal data may be implemented by the Contractor without coordination with the Client.

__________________________________________________________________________________________________________________________________________

4. Correction, deletion and blocking of data, data subject rights

4.1 The Contractor shall correct, delete or block the data processed on behalf of the Customer in accordance with the Customer’s instructions.

4.2 If a data subject should contact the Contractor directly in order to exercise the rights to which he is entitled under Chapter 3 of the GDPR, the Contractor shall refer him to the Customer, insofar as this assignment is possible for him. If it is not possible for the Contractor to assign the data subject and the Contractor is also not obligated as a controller vis-à-vis the data subject under Chapter 3 of the GDPR, the Contractor shall inform the data subject that it is acting as a processor for third parties and that it cannot identify the third party with regard to the data subject. To the extent that the Contractor is itself obligated to the Data Subject as a Controller under Chapter 3 of the GDPR, the Contractor alone shall be responsible for fulfilling the corresponding obligations as a Controller.

4.3 In addition, the Contractor shall support the Customer as far as possible with suitable technical and organizational measures in fulfilling the obligations incumbent upon it under Chapter 3 of the GDPR, if and to the extent that the Contractor’s cooperation is required for this purpose. For this purpose, the Customer shall inform the Contractor in text form which support actions it requires and provide the Contractor with the data required to fulfill the request (in particular, data on the identification of the data subject and which support actions are desired). Insofar as the Contractor requires further information from the Customer in order to be able to fulfill the Customer’s request, the Contractor shall immediately inform the Customer thereof in text form. Otherwise, the Contractor shall provide the services to be provided by it within a reasonable period of time.

4.4 The Contractor shall be entitled to an appropriate fee for the services to be rendered, based on the time required. The Contractor may not make the performance of the services owed by it dependent on the Client acknowledging and/or paying a certain remuneration in advance.

__________________________________________________________________________________________________________________________________________

5. Duties of the Contractor and Controls to be Performed

5.1 The Contractor shall only use employees or other vicarious agents for the performance of the contract who have committed themselves to confidentiality and have been familiarized in an appropriate manner with the requirements of data protection.

5.2 The Contractor shall take steps to ensure that natural persons subordinate to it who have access to the personal data process them only on the instructions of the Client, unless they are obliged to process them under Union or Member State law.

5.3 Likewise, taking into account the nature of the processing and the information available to it, the Contractor shall, upon request, assist the Client in complying with the Client’s obligations under Articles 32 to 36 GDPR, in particular with regard to the security of personal data (security of processing, notification of personal data breaches to the supervisory authority, notification of the person affected by a personal data breach) and any required data protection impact assessment and prior consultations.

5.4 Furthermore, the Contractor shall comply with the relevant regulations on the appointment of the data protection officer. The Contractor shall ensure by means of suitable controls that the data to be processed under the order are processed only in accordance with the instructions of the Customer, that the transferred data processing is carried out separately from other commissioned data processing on an order-related basis and that the processed data are strictly separated from other data files. The Supplier shall submit to any control measures of the legally competent data protection supervisory authority and shall inform the Customer without undue delay about such control measures and their results, insofar as personal data of the Customer are affected thereby.

__________________________________________________________________________________________________________________________________________

6. Subcontracting Relationships

6.1 The Contractor shall be entitled to use the subcontractors specified in Annex 3 to this Agreement for the processing of data on behalf of the Contractor. The change of subcontractors or the commissioning of further subcontractors is permitted under the conditions specified in paragraph 2.

6.2 The Contractor shall carefully select subcontractors and, before commissioning them, check that they are able to comply with the agreements made between the Client and the Contractor. In particular, the Contractor shall check in advance and regularly during the term of the contract that subcontractors have taken the technical and organizational measures required to protect personal data in accordance with the requirements of this Agreement and Article 32 GDPR.

6.3 The Contractor shall be obliged to obtain confirmation from the subcontractor that the latter has appointed a company data protection officer in accordance with Art. 37 of the GDPR, insofar as the subcontractor is legally obliged to appoint a data protection officer.

6.4 Services which the Contractor uses from third parties as a purely ancillary service in order to carry out the business activity are not to be regarded as subcontracting relationships within the meaning of paragraphs 1 to 3. The Contractor shall nevertheless be obliged, also in the case of ancillary services provided by third parties, to ensure that appropriate precautions and technical and organizational measures have been taken to guarantee the protection of personal data.

6.5 The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship requiring consent and commissioned processing within the meaning of Art. 28 GDPR if the maintenance and testing concerns such IT systems that are also used in connection with the provision of services for the Client and personal data processed on behalf of the Client can be accessed during the maintenance.

__________________________________________________________________________________________________________________________________________

7. Control Rights of the Customer and Cooperation Obligations of the Contractor

7.1 The Customer shall have the right to monitor the Contractor’s compliance with the statutory provisions on data protection and/or compliance with the contractual provisions agreed between the Parties and/or compliance with the Customer’s instructions to the extent required.

7.2 The Contractor shall be obliged to provide the Customer with information to the extent that this is necessary to carry out the control within the meaning of paragraph 1.

7.3 The Contractor shall inform the Customer of the basis of a cost calculation before the control is carried out.

7.4 If the Customer has justified doubts, an on-site inspection can be carried out by the Customer. The Customer is aware that an on-site inspection is only possible in justified exceptional cases.

7.5 The Contractor is obligated to provide the necessary information to the Customer in the event of measures by the supervisory authority vis-à-vis the Customer within the meaning of Art. 58 of the GDPR, in particular with regard to information and control obligations, and to enable the respective competent supervisory authority to carry out an on-site control.

__________________________________________________________________________________________________________________________________________

8. Violations of the Contractor to be reported

8.1 The Contractor is obliged to notify the Customer immediately of any breach of data protection regulations, of the agreements made and/or of the instructions issued. The corresponding notification shall contain at least the following information:

a) a description of the nature of the breach, including, to the extent possible, the type and amount of data involved and categories of data subjects;
b) the name and contact information of the Data Protection Officer or other point of contact for further information;
c) a description of the likely consequences of the personal data breach;
d) a description of the measures taken or proposed by the data controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

8.2 Any notification to a supervisory authority or information of data subjects that may be required shall be the sole responsibility of the Client. The Contractor shall cooperate in this to the extent necessary.

__________________________________________________________________________________________________________________________________________

9. Obligations of the Client

9.1 The Client shall be solely responsible for the lawfulness of the data transfer to the Contractor and compliance with the statutory provisions on data protection, in particular for the lawfulness of the data processing by the Contractor, and shall thus be the “responsible party” within the meaning of Art. 4 No. 7 GDPR.

9.2 In the event of a claim against the Client by a data subject with regard to any claims pursuant to Art. 82 GDPR, the Contractor undertakes to support the Client in defending the claim within the scope of its possibilities. In this case, the Customer undertakes to indemnify the Contractor against all claims of data subjects.

9.3 The Customer shall inform the Contractor of the contact person for data protection issues arising within the scope of the contract.

__________________________________________________________________________________________________________________________________________

10. Deletion of data after termination of the contract

10.1 The Contractor is obligated to delete the personal data completely in accordance with data protection upon termination of the contract or on the basis of instructions from the Client (including any copies required for procedural or security reasons) or to return them to the Client.

__________________________________________________________________________________________________________________________________________

11. Remuneration

11.1 There shall be no additional remuneration for commissioned data processing, unless otherwise agreed above. This is covered by the fees for the use of Labforward Software Products.

__________________________________________________________________________________________________________________________________________

Annex 1

A Nature and purpose of the processing
(according to the definition of Art. 4 No. 2 GDPR):

Hosting of Cloud Services (SaaS)
Support services

B Re § 2 Type of personal data
(according to the definition of Art. 4 No.1,13,14 and 15 GDPR)

Name
Email
IP address
Usage data
User accounts
Other categories of personal data:

C Re § 2 Group of data subjects
(according to the definition of Art. 4 No. 1 GDPR):

Employees
Freelancers
Customers
Business partners

__________________________________________________________________________________________________________________________________________

Annex 2

Data security measures according to Art. 32 GDPR

This document serves to fulfill legal requirements and is intended to provide a general description that makes it possible to preliminarily assess whether the data security measures taken are adequate with regard to the aspects addressed below. The document shall be an integral part of the contract and shall be submitted to the Customer in the event of any material changes.

If you have any questions regarding the information security of Labforward and its services, please contact the data protection officer:

Labforward GmbH
Data Protection Officer
Elsenstr. 106
12435 Berlin
dataprotection@labforward.io

Data protection measures

The data protection measures implemented at Labforward aim to ensure the availability of data, confidentiality, integrity and transparency of all auditability measures.

Measures for the encryption of personal data are implemented, which ensure an appropriate level of protection according to the current state of the art and the GDPR. All server systems, services and technical measures are designed for permanent load with regard to the associated data processing. In this way, we ensure that the availability of personal data can be restored reliably and quickly after a physical or technical incident. In addition, we use measures and technical procedures of permanent monitoring and evaluation to ensure the security of processing.

Furthermore, Labforward’s business processes are based on the requirements of Art. 32 of the EU Data Protection Regulation (EU-GDPR).

Specification of the individual measures for protection against unauthorized acquisition of personal data

a Physical access control

Measures to prevent unauthorized persons from gaining access to data processing systems with which personal data are processed or used:

Keys / key allocation
Door security (electric door openers, etc.)
Visitor control, escort and briefing

b System access control

Measures to prevent the use of data processing systems by unauthorized persons:

Assignment of user rights
Creation of user profiles
Password procedures
Authentication with username / password
Assignment of user profiles to IT systems
Automatic locking
Individual user accounts for authorized users (not root)
Use of anti-virus software
Encryption of data carriers in laptops / notebooks

c Authorization control

Measures to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be unauthorized, read, copied, modified or removed during processing, use or after storage:

Demand-oriented design of an authorization concept and access rights, as well as their monitoring and logging.
Administration of rights by system administrator
Number of administrators reduced to the bare minimum
Password policy incl. password length, password change
Logging of accesses to applications, especially when entering, changing and deleting data
Encryption of data carriers
Job assignment and logging only in written form via ticket system
Automatic generation of log files, where technically possible and reasonable, as well as evaluation of these logs in case of suspicion.

d Transmission control

Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or while being transported or stored on data media, and that it is possible to verify and determine to which entities personal data is intended to be transmitted by data transmission equipment:

No physical storage or transport of personal data
Logging of logins
Encryption and tunnel connections (SSL, VPN, opt.)

e Input control

Measures to ensure that it is possible to verify retrospectively whether and by whom personal data have been entered, modified or removed in data processing systems:

Logging of commissioned database changes
Proof of commissioning and successful processing in the ticket system
Assignment of rights to enter, change and delete data on the basis of an authorization concept

f Order control

Measures to ensure that personal data processed on behalf of the customer can only be processed in accordance with the customer’s instructions:

Selection of the contractor under due diligence aspects (in particular with regard to data security)
Prior review and documentation of the security measures taken by the contractor
Written instructions to the contractor (e.g. by order processing agreement)
Contractor has appointed data protection officer
Ensuring the return/destruction of data after completion of the order
Obligation of employees to maintain data secrecy in accordance with § 5 BDSG
Control of data security precautions

g Availability control

Measures to ensure that personal data is protected against accidental destruction or loss:

Creation of a backup & recovery concept
Testing of data recovery
Creating a disaster recovery plan
Keeping backup data in a secure, off-site location
Avoiding single point of failure as the fundamental concept of all infrastructure
Monitoring of infrastructure systems and deployments

h Separation requirement

Measures to ensure that data collected for different purposes can be processed separately.

Separate development, test and production data processing
Logical client separation
Definition of database rights
Authorization concept with definition of access rights

__________________________________________________________________________________________________________________________________________

Annex 3

Designation of subcontractors “Approved subcontractors”.

Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy, L-1855 Luxembourg
Hosting Services Labforward Daten, Backups

Billwerk GmbH
Mainzer Landstr. 51, 60329 Frankfurt/Main, DE
Billing System

Google Ireland Limited
Gordon House, Barrow Street, Dublin 4, IE
Hosting Services Labforward Daten, Email Hosting, Backups

Freshworks GmbH
Alte Jakobstraße 85/86, Hof 1, Haus 5,10179 Berlin, Deutschland
CRM System

Intercom R&D Unlimited Company
2nd Floor, Stephen Court, 18-21 Saint Stephen’s Green, Dublin 2
Messaging & notifications solution

Zoho Corporation B.V.
Beneluxlaan 4B, 3527 HT UTRECHT, NL
Billing System