Conditions for data processing pursuant to Art. 28 GDPR

Version: May 2018

Agreement

between

LexCom Informationssysteme GmbH, Rüdesheimer Str. 23, 80686 Munich, Germany

- hereinafter referred to as the “Contractor” or the “data processing company” -

and the customers of agroparts

- hereinafter referred to as the “Client” –

 

Note

This document contains the Contractor’s conditions for the data processing agreement between the Client and the Contractor pursuant to Art. 28 para. 3 of the General Data Protection Regulation (GDPR). The Client agrees to be bound by these conditions by concluding a user contract for agroparts (the “Service Agreement”) or – if a Service Agreement is already in place – through a subsequent declaration when using agroparts.

1. Object and duration of the order

(1) Object

The object of the order for data processing results from the Service Agreement.

(2) Duration

The duration of this order (term) corresponds to the term of the Service Agreement.

2. Specification of the content of the order

(1) Nature and purpose of the intended processing of data
This comprises the following processing operations relating to the use of agroparts:

(2) Location where data processing takes place

The contractually agreed processing of data will be performed exclusively in a member state of the European Union or in another contracting state to the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the Client and may only take place if the special conditions of Articles 44 et seqq. GDPR are met.

(3) Type of data

The following data types/categories (list/description of the data categories) make up the object of the processing of personal data

(4) Categories of data subjects

The categories of data subjects to which the processing relates include:

3. Technical and organisational measures

(1) The Contractor documents the implementation of the required technical and organisational measures set out prior to the award of the contract, in particular with regard to the specific execution of the order, and makes this documentation available to the Client together with this declaration. Upon acceptance by the Client, the documented measures become the basis of the order. Otherwise, the parties will not conclude a Service Agreement.

(2) The Contractor will ensure the level of security pursuant to Articles 28 para. 3 lit. c, 32 GDPR in particular in connection with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk in terms of the confidentiality, integrity, availability and resilience of the systems. In doing so, the Contractor shall take into account the state of the art, the implementation costs and the nature, scope and purpose of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR [details in Appendix].

(3) The technical and organisational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, it will not fall short of the security level of the specified measures. It must document any major changes.

4. Correction, restriction and deletion of data

(1) The Contractor will not correct, delete or restrict the processing of the data to be processed on behalf of the Client on its own authority. It will only correct, delete or restrict the processing of the data in accordance with the documented instructions of the Client. Insofar as a data subject contacts the Contractor directly in this regard, the Contractor will immediately forward this request to the Client.

(2) Insofar as included in the scope of services, the Contractor will immediately ensure a deletion concept, the right to be forgotten, correction, data portability and information in accordance with the Client’s documented instructions. Individual instructions that deviate from the Service Agreement or that present additional requirements, require the prior consent of the Contractor. It must be taken into account that the online services provided by the Contractor are standard products, the adaptation of which to the Client’s data protection requirements can result in high costs. These costs are to be paid in full by the Client in accordance with a corresponding individual agreement.

5. Quality assurance and other duties of the Contractor

In addition to complying with the regulations of this order, the Contractor also has legal duties in accordance with Articles 28 to 33 GDPR; in particular, it must ensure compliance with the following requirements:

  1. Written appointment of a Data Protection Officer, who carries out his duties pursuant to Articles 38 and 39 GDPR. His contact details are communicated to the Client for the purpose of direct contact. A change of Data Protection Officer will be communicated to the Client immediately.
  2. Safeguarding of confidentiality in accordance with Articles 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When carrying out the work, the Contractor will use only employees who have been obliged to maintain confidentiality and who have previously been familiarised with the data protection regulations relevant to them. The Contractor and any person reporting to the Contractor who has access to personal data, must process such data only in accordance with the instructions of the Client, including the powers granted in this Contract, unless they are legally obliged to process the data.
  3. Implementation and compliance with all technical and organisational measures necessary for this order in accordance with Articles 28 para. 3 sentence 2 lit. c, 32 GDPR [details in Appendix].
  4. The Client and the Contractor will work together with the supervisory authority on request to fulfil the relevant tasks.
  5. Immediate informing of the Client regarding audit activities and measures by the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates the Contractor due to an administrative offence or criminal proceedings with regard to the processing of personal data for the commissioned data processing.
  6. Insofar as the Client is subject to an inspection by the supervisory authority, an administrative offence or criminal proceedings, the liability claim of a data subject or a third party or any other claim in connection with the data processing by the Contractor, the Contractor will support the Client to the best of its ability.
  7. The Contractor will regularly review the internal processes and technical and organisational measures to ensure that the processing within its area of responsibility complies with the requirements of applicable data protection law and ensures the protection of the data subject’s rights.
  8. Verifiability vis-à-vis the Client of the technical and organisational measures taken within its supervisory powers in accordance with Section 7 of this Contract.

6. Subcontractual relations

(1) For the purposes of this regulation, subcontractual relationships are those services that relate directly to the provision of the main service. This does not include ancillary services provided by the Contractor e.g. telecommunication services, postal/transport services, maintenance and user services or the disposal of data storage devices as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software for data processing systems. However, even in the case of outsourced ancillary services, the Contractor is obliged to take appropriate and legally compliant contractual agreements and control measures to ensure the protection and security of the Client’s data.

(2) The Client hereby grants the Contractor general permission to call in additional data processing companies for the processing of client data. The additional data processing companies involved at the time of conclusion of the contract are shown in the following overview:

Subcontractor’s company

Address/country

Service

Belenus LOB GmbH

Rüdesheimer Str. 23

80686 Munich

Germany

Provision of all internal and external IT operations

 

(3) The Contractor will inform the Client of any intended changes with regard to the involvement or replacement of additional data processing companies. In individual cases, the Client is entitled to object to the commissioning of a potential additional data processing company. An objection may only be raised by the Client on significant grounds to be demonstrated to the Contractor. If the Client does not object within 14 days of receipt of the notification, his right of objection with respect to the corresponding commissioning expires. If the Client objects, the Contractor is entitled to terminate the Main Contract and this Contract with a notice period of 3 months.

(4) The transfer of the Client’s personal data to the subcontractor and its commencing work are only permitted if all conditions for subcontracting are met.

(5) Any further outsourcing by the subcontractor requires the express consent of the main contractor (in text form as a minimum); all contractual regulations in the contracting chain must also be imposed on the additional subcontractor.

7. Monitoring rights of the Client

(1) In consultation with the Contractor, the Client is entitled to carry out inspections or have them carried out by auditors who are to be named in individual cases. It is entitled to carry out spot checks to verify that the Contractor is in compliance with this Agreement in its business operations. The Client must notify the Contractor in good time that it intends to conduct such a spot check. Such spot checks must be carried out during normal business hours without disturbing the Contractor’s course of operations, while maintaining strict confidentiality with regard to the Contractor’s operating and business secrets.

(2) The Contractor will make sure that the Client can satisfy itself of the compliance with the duties of the Contractor in accordance with Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organisational measures. As a rule, the Client can carry out one inspection per calendar year; additional checks are permitted in the case of specific incidents.

(3) The Contractor is entitled, at its sole discretion and taking into account the statutory obligations of the Client, not to disclose information that is sensitive with regard to the Contractor’s business or if the Contractor would breach any legal or contractual obligations by disclosing such information.

(4) At the Contractor’s discretion, the proof of such measures that relate not only to the specific order can be made by the following means instead of an on-site inspection

  1. Compliance with approved codes of conduct pursuant to Art. 40 GDPR
  2. Certification in accordance with an approved certification mechanism pursuant to Art. 42 GDPR
  3. Current attestations, reports or excerpts of reports from independent entities (e.g. auditors, review, Data Protection Officer, IT security department, data protection auditors, quality auditors)
  4. Appropriate certification from an IT security audit or data protection audit (e.g. in accordance with the baseline security of the German Federal Office for Information Security (BSI)).

A prerequisite for this is that this measure enables the Client to reasonably satisfy itself of the compliance with the technical and organisational measures as specified in the Appendix to this Agreement.

(5) The Contractor may assert a claim for compensation for enabling the Client to perform checks.

8. Notification in case of violations on the part of the Contractor

(1) The Contractor shall assist the Client in complying with the obligations relating to the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as set out in Articles 32 to 36 GDPR. This includes but is not limited to:

  1. Ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing and the predicted likelihood and severity of a possible breach of rights due to security vulnerabilities, and enable the immediate detection of relevant violation events
  2. The duty to report personal data breaches to the Client without delay
  3. The obligation to support the Client in its duty to provide information to the data subject and to provide it with all relevant information in this context without delay
  4. Providing assistance to the Client for its data protection impact assessment
  5. Supporting the Client in the context of prior consultations with the supervisory authorities

(2) The Contractor may claim reasonable compensation for provision of support that is not included in the Service Agreement or is not the result of misconduct by the Contractor.

9. Authority of the Client

(1) The Client shall confirm verbal instructions immediately (in text form as a minimum).

(2) The Contractor will inform the Client immediately if it believes that an instruction violates data protection regulations. The Contractor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Client. The Contractor may assert a claim for compensation against the Client for expenses that it incurs as a result of this.

10. Deletion and return of personal data

(1) Copies or duplicates of the data will not be created without the knowledge of the Client. This does not include backup copies, to the extent that these are necessary to ensure proper data processing, and data that is required for compliance with statutory retention requirements.

(2) Upon completion of the contractually agreed work or earlier at the request of the Client – at the latest upon termination of the Service Agreement – the Contractor must hand over to the Client all documents that have come into its possession, results of processing and utilisation as well as datasets created in connection with the contractual relationship or, with prior consent, destroy them in line with data protection guidelines. The same applies to test material and discarded material. The log documenting the deletion must be submitted on request.

(3) The Contractor will retain documentation that serves to provide evidence of the proper data processing as per the order beyond the end of the Contract in accordance with the respective retention periods. It can hand this documentation over to the Client at the end of the contract term.

 

 

Appendix – Technical and organisational measures

1. Confidentiality (Art. 32 para. 1 lit. b GDPR)

Controlling access to equipment

Controlling access to data

Controlling access to systems

Separation control

2. Integrity (Art. 32 para. 1 lit. b GDPR)

>Disclosure control

Entry control

3. Availability and resilience (Art. 32 para. 1 lit. b GDPR)

Availability control

4. Restoration of availability and access (Art. 32 para. 1 lit. c GDPR)

5. Monitoring, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

Process for regular monitoring, assessment and evaluation

Order control