Annex - Data Processing Agreement
This Data Processing Agreement (“DPA”) specifies the data protection obligations and rights of the Parties in connection with the processing of personal data processed by ZeroWork GmbH, Pettenkoferstr. 11, 10247 Berlin (hereinafter “Contractor”) for the Customer (hereinafter “Customer”) under the contract concluded between the Parties on the use of the ZeroWork software (hereinafter “Main Agreement”).
1. Scope of Application
When providing the services in accordance with the Main Agreement, the Contractor shall process personal data which the Customer has provided for the purpose of providing the services and in respect of which the Customer acts as the responsible party in the sense of data protection law (“Customer Data”). In the event of contradictions between this DPA and provisions of other agreements, in particular of the Main Agreement, the regulations of this DPA shall take precedence.
2. Customer Data
2.1. The Contractor will process the Customer Data exclusively on behalf of the Customer and in accordance with the Customer’s instructions, unless the Contractor is legally required to do otherwise under the law of the European Union or a member state. In such a case, the Contractor shall notify Customer of these legal requirements prior to processing, unless the law in question prohibits such information for an important public interest.
2.2. Unless otherwise agreed in the Main Agreement, the processing of Customer Data by the Contractor shall be carried out exclusively in the nature, to the extent and for the purpose specified in Annex 1 to this DPA; the processing shall only concern the types of personal data and categories of data subjects specified therein.
2.3. The duration of the processing corresponds to the duration of the Main Agreement.
2.4. Personal data is generally processed in member states of the European Union or in another state that is a party to the Agreement on the European Economic Area (“EEA”). Subject to compliance with the provisions of this DPA, the Contractor is also permitted to process Customer Data outside the EEA or to have it processed by other contractors in accordance with Clause 5 of this DPA, if the conditions of Articles 44 to 48 GDPR (General Data Protection Regulation) are fulfilled or an exception in accordance with Art. 49 GDPR exists. If the conclusion of standard contractual clauses is required for this purpose, the Customer hereby authorises the Contractor to conclude these clauses on his behalf with any further processor. If this is not possible, the Contractor shall, on the instructions of the Customer, immediately enforce against the further processors all instructions and rights to which the data exporter is entitled under the EU standard contractual clauses and assign them to the Customer upon request.
2.5. The instructions are set out in the Main Agreement. In addition, the Customer is entitled to issue instructions on the nature, scope, purposes and means of processing Customer Data. These instructions must be in written form or text form. Oral instructions will be confirmed by the Customer in written form or by e-mail. All instructions shall be documented by the parties. The persons authorised to give instructions and the recipients of instructions are listed in Annex 1. In the event of a change or a long-term inability of the persons named to carry out the instructions, the successor or representative must be named to the contractual partner in text form without delay.
2.6. If the Contractor is of the opinion that an instruction of the Customer violates this DPA, the GDPR or other data protection regulations of the European Union or the member states, the Contractor shall inform the Customer of this immediately in written form or text form. The Contractor is entitled to suspend the execution of such an instruction until the Customer confirms it in written form or text form. If the Customer insists on the execution of an instruction in spite of the reservations expressed by the Contractor, the Customer shall indemnify the Contractor against all damages and costs incurred by the Contractor in executing the Customer’s instruction. The Contractor will inform the Customer about damages and costs claimed against him, will not acknowledge claims of third parties without the consent of the Customer, and will conduct the defence at the discretion of the Contractor in coordination with the Customer or leave it to the Customer.
3. Requirement for Personnel
3.1. The Contractor shall obligate all personnel under his authority who have access to Customer Data to maintain confidentiality, unless they are subject to appropriate statutory confidentiality obligations.
3.2. The Contractor shall ensure that personnel under his authority who have access to Customer Data only process this data in accordance with this DPA and the Customer’s instructions, unless they are required to do so under the laws of the European Union or the member states.
4. Security of Processing
4.1. Taking into account the state of the art, the costs of implementation and – as far as known to the Contractor – the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of data subjects, the Contractor shall implement appropriate technical and organisational measures to ensure a level of security for the Customer Data appropriate to the risk.
4.2. Prior to the beginning of the processing of the Customer Data, the Contractor shall in particular implement the technical and organisational measures specified in Annex 3 to this DPA and maintain them for the duration of the Main Agreement and ensure that the processing of Customer Data is carried out in accordance with these measures.
4.3. Since the technical and organisational measures are subject to technical progress, Contractor is entitled and obliged to implement alternative, adequate measures in order not to fall below the security level of the measures specified in Annex 3. If the Contractor makes significant changes to the measures specified in Annex 3, he will inform the Customer of such changes in advance.
4.4. It is incumbent on the Customer to check the technical and organisational measures taken by the Contractor, in particular whether these are also sufficient with regard to circumstances of data processing of which the Contractor is not aware.
5. Use of Sub-Processors
5.1. The Contractor uses the sub-processors listed in Annex 2 for the processing of Customer Data. These are deemed to be approved upon conclusion of this DPA.
5.2. The Contractor may use further sub-processors to process Customer Data subject to the following conditions: The Contractor shall inform the Customer at least 15 working days before making use of the further sub-processor in text form or written form. Unless the Customer raises an objection within 5 working days, the commissioning is deemed approved.
5.3. If the Customer objects to the use of a further sub-processor, the Contractor shall be entitled, at its option, to continue to provide the services without the corresponding processor or to terminate the Main Agreement and this DPA at the time of the planned use of the processor.
5.4. The Contractor must obligate each further processor by means of a written agreement in the same way as the Contractor is obligated to the Customer under this agreement.
5.5. The Contractor shall be obliged to select and use only those sub-processors who offer sufficient guarantees that the appropriate technical and organisational measures are implemented in such a way that the processing of the Customer Data is carried out in accordance with the requirements of the GDPR and this DPA.
6. Rights of the Data Subjects
6.1. The Contractor shall take all reasonable technical and organisational measures to assist the Customer in fulfilling its obligation to respond to requests from affected persons to exercise their rights.
6.2. The Contractor will in particular:
– immediately inform the Customer if a data subject should contact Contractor directly with a request to exercise his rights in relation to Customer Data;
– immediately provide the Customer with all information in his possession concerning the processing of Customer Data which the Customer requires to answer the request of a data subject and which the Customer does not have at his disposal;
– correct, delete or restrict the processing of Customer Data immediately upon the Customer’s instruction;
– ensure that the Customer can and does receive the Customer Data processed in the area of responsibility of the Contractor in a structured, commonly used and machine-readable format, provided that the data subject has a right of data portability with respect to the Customer with regard to the Customer Data.
7. Other Obligations of the Contractor to assist the Customer
7.1. The Contractor shall notify the Customer immediately after becoming aware of any Customer Data breach, in particular incidents that lead to the destruction, loss, alteration or unauthorised disclosure of or access to Customer Data.
7.2. In the event of any violation of the protection of Customer Data, Contractor shall, without delay, take all necessary and reasonable measures to remedy the violation of the protection of Customer Data and, if necessary, to mitigate its possible adverse effects.
7.3. If the Customer is obliged to provide information to a government authority or a third-party regarding the processing of Customer Data or to cooperate with such entities in any other way, the Contractor is obliged to assist the Customer in providing such information or in fulfilling other obligations to cooperate.
7.4. Taking into account the information available to him, the Contractor will assist the Customer in complying with the obligations set out in Art. 32 GDPR.
7.5. In the event that the Customer is obliged to inform the supervisory authorities and/or data subjects in accordance with Art. 33, 34 GDPR, the Contractor shall, at the request of the Customer, assist the Customer in complying with these obligations. In particular, the Contractor is obliged to document all potential Customer Data breaches, including all related facts, in a manner that enables the Customer to prove compliance with any relevant statutory reporting obligations.
7.6. The Contractor shall support the Customer within the scope of what is reasonable in any data protection impact assessments to be carried out by him and, if necessary, subsequent consultations with the supervisory authorities in accordance with Art. 35, 36 GDPR.
8. Deletion and Return of Customer Data
8.1. Upon the instruction of the Customer, the Contractor shall, upon termination of the Main Agreement, either delete all Customer Data completely or return it to the Customer and delete any existing copies, unless the law of the European Union or a member state requires the Contractor to continue storing Customer Data.
8.2. However, the Contractor shall be entitled to keep backup copies of the Customer Data for a period of 30 days, provided that deletion of the Customer’s data from these backup copies is technically impossible or impossible with regard to Art. 32 GDPR. For this period the rights and obligations of the parties under this DPA with regard to the backup copies shall continue to apply in deviation from Clause 2.3.
8.3. Documentation which serves as proof of the orderly and proper processing of the Customer Data must be kept by the Contractor in accordance with the statutory retention periods beyond the end of the agreement.
9. Evidence & Checks
9.1. The Contractor shall ensure and regularly check that the processing of Customer Data is carried out in accordance with this DPA, including the scope of processing of Customer Data as set out in Annex 1 and the Customer’s instructions.
9.2. The Contractor shall document the implementation of the obligations under this DPA in a suitable manner and shall provide the Customer with all necessary evidence of the Contractor’s compliance with the obligations under the GDPR and this DPA at the Customer’s request.
9.3. The Customer shall be entitled to audit the Contractor prior to the start of the processing of Customer Data and regularly during the term of the Main Agreement with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures in accordance with Annex 3, either himself or through a qualified auditor who is obliged to maintain secrecy; this shall include inspections. The Contractor shall allow such inspections and shall contribute to them by taking all reasonable and appropriate measures, inter alia by granting the necessary access and access rights and by providing all necessary information.
9.4. As far as possible, the checks and inspections should not hinder the Contractor in his normal business operations and should not place an excessive burden on him. In particular, inspections on the Contractor’s premises should not take place more than once per calendar year and only during the Contractor’s normal business hours without any specific reason. The Customer must notify the Contractor of inspections in good time in writing or text form.
9.5. In accordance with the provisions of the GDPR, the Customer and the Contractor are subject to public controls by the competent supervisory authority. At the request of the Customer, the Contractor shall provide the supervisory authority with the desired information and give it the opportunity for verification; this includes inspections at the Contractor’s premises by the supervisory authority or by persons appointed by it. In this context, the Contractor shall grant the competent supervisory authority the necessary rights of access, information and inspection.
The parties shall be liable within the scope of this DPA in accordance with the statutory provisions.