Agreement on data protection for commissioned processing in accordance with Art. 28 GDPR (Parlabox DPA)
Preamble
Whether a party is a controller within the meaning of Art. 4 No. 7 GDPR, and whether commissioned processing of personal data exists, is determined on the basis of objective criteria. In concluding this agreement, the contracting parties are aware that, where the internal reporting office is outsourced, parts of the activities may constitute commissioned processing, unless the Contractor also processes personal data in connection with its independence pursuant to Section 15 (1) HinSchG. Insofar as the Contractor processes personal data on behalf of the Client, the following provisions on commissioned processing shall apply as an "agreement on commissioned processing" concluded between the contracting parties.
This DPA is concluded between you (“Customer” or “Client”) and Cookiebox GmbH (“Service Provider” or “Contractor”) and is an integral part of the GTC.
The Contractor processes personal data for which the Client is responsible under data protection law, within the meaning of Art. 28 of the General Data Protection Regulation (GDPR), within the scope of contracts concluded or to be concluded. The personal data provided to the Contractor by the Client is subject to the provisions of the GDPR and other data protection regulations (e.g. the BDSG).
This agreement sets out the framework conditions for ensuring compliance with data protection regulations.
1. Object and duration of the order
(1) The subject matter of the order as well as the type and purpose of the processing shall generally result from the main contract.
(2) The duration of this agreement corresponds to that of the main contract for the provision of the services of the internal reporting office in accordance with the Whistleblower Protection Act (Hinweisgeberschutzgesetz, HinSchG).
2. Specification of the order content
Nature and purpose of the intended processing of data
- Provision of the Parlabox – Reporting Office software to implement the requirements of the EU Whistleblower Directive
The contractually agreed data processing generally takes place in a member state of the European Union or in another state party to the Agreement on the European Economic Area.
Type of data
- Identity and contact details of whistleblowers, unless the report is made anonymously
- Details of persons accused or otherwise involved (e.g. surname, first name, position, contact details, employment context)
- Reports within the meaning of Section 3 (4) HinSchG
- Data generated in connection with the examination and processing of reports and follow-up measures (Section 18 HinSchG)
- Planning and control data
- IP addresses, log files, browser types
Categories of affected persons
The categories of data subjects affected by the processing include:
- Persons providing information (whistleblowers)
- Persons who are the subject of a report
- Other persons involved
- Employees of the Client
- Temporary agency workers who are or were employed by the Client
- Debtors and creditors of the Client, if applicable
- Third parties, if applicable
3. Technical and organizational measures
The Contractor shall ensure security in accordance with Art. 28 para. 3 lit. c and Art. 32 GDPR, in particular in conjunction with Art. 5 para. 1 and para. 2 GDPR. The Contractor shall take appropriate technical and organizational measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR, must be taken into account [details in Annex 1].
The technical and organizational measures are subject to technical progress and further development. Accordingly, the Contractor is permitted to implement alternative adequate measures, provided that the level of security of the specified measures is not undercut. Significant changes are to be
4. Rectification, restriction and erasure of data
The Contractor may not rectify, erase or restrict the processing of data processed on behalf of the Client without authorization, but only in accordance with documented instructions from the Client. If a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Client without delay.
5. Quality assurance and other obligations of the Contractor
In addition to complying with the provisions of this contract, the Contractor has statutory obligations pursuant to Art. 28 to 33 GDPR; in this respect, the Contractor guarantees compliance with the following requirements in particular:
- The Contractor is not obliged to appoint a data protection officer. Mr Jörg ter Beek is designated as the contact person at the Contractor; for contact details see the Privacy Policy.
- Maintaining confidentiality in accordance with Art. 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When carrying out the work, the Contractor shall only use employees who have been obliged to maintain confidentiality and who have previously been familiarized with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the powers granted in this contract, unless they are legally obliged to process it.
- The implementation of and compliance with all technical and organizational measures required for this order in accordance with Art. 28 para. 3 sentence 2 lit. c, 32 GDPR [details in Annex 1].
- The Client and the Contractor shall cooperate with the supervisory authority in the performance of their tasks upon request.
- Informing the Client without delay of inspections and measures by the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates the processing of personal data by the Contractor in the context of administrative offence or criminal proceedings.
- If the Client is subject to an inspection by the supervisory authority, to administrative offence or criminal proceedings, to a liability claim by a data subject or a third party, or to any other claim in connection with the commissioned processing by the Contractor, the Contractor shall support the Client to the best of its ability.
- The Contractor shall regularly monitor its internal processes and the technical and organizational measures to ensure that the processing in its area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of data subjects is guaranteed.
- The Contractor is obliged to design its operating procedures in such a way that the data it processes in connection with its contractual services is protected against unauthorized access by third parties.
6. Subcontracting relationships
Subcontracting relationships within the meaning of this provision are those services that are directly related to the provision of the main service. They do not include ancillary services which the Contractor uses, such as telecommunications services, postal/transport services, maintenance and user support, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor is obliged to put in place appropriate and legally compliant contractual agreements and control measures to ensure the protection and security of the Client's data even where ancillary services are outsourced.
The list of current sub-service providers can be found in Annex 2. Approval of these sub-service providers is deemed to have been granted when the service is booked.
The transfer of the Client's personal data to a subcontractor, and the subcontractor's commencement of activities, are only permitted once all requirements for subcontracting have been met.
If a subcontractor provides the agreed service outside the EU/EEA, the Contractor shall ensure admissibility under data protection law by taking appropriate measures. The same applies if ancillary service providers within the meaning of para. 1 sentence 2 are to be used.
Further outsourcing by the subcontractor is generally permitted; all contractual provisions in the contractual chain must also be imposed on the additional subcontractor.
In the event of a planned change of subcontractor or the planned commissioning of a new subcontractor, the Contractor shall inform the Client in text form in good time, but no later than 4 weeks before the change or new commissioning ("Information"). The Client shall have the right to object to the change or new commissioning of the subcontractor in text form within three weeks of receipt of the Information, stating its reasons. The Client may withdraw the objection in text form at any time. In the event of an objection, the Contractor may terminate the contractual relationship with the Client with a notice period of at least 14 days to the end of a calendar month; in setting the notice period, the Contractor shall give reasonable consideration to the interests of the Client. If the Client does not object to the use of a subcontractor within three weeks of receipt of the Information, this shall be deemed to constitute the Client's consent to the change or new commissioning of the subcontractor concerned.
7. Control rights of the Client
The Client shall have the right to monitor compliance with the statutory provisions on data protection and/or compliance with the contractual provisions agreed between the contracting parties and/or compliance with the Client’s instructions by the Contractor at any time to the extent necessary, insofar as this concerns the processing of data by the Contractor on behalf of the Client.
The Contractor is obliged to provide the Client with information insofar as this is necessary to carry out the inspection within the meaning of paragraph 1.
The Client may carry out the inspection within the meaning of paragraph 1 at the Contractor’s premises during normal business hours after prior notification with a reasonable period of notice. The Client shall ensure that the inspections are only carried out to the extent necessary if the Contractor’s operations could be disrupted by the inspections.
In the event of measures taken by the supervisory authority against the Client within the meaning of Art. 58 GDPR in conjunction with Section 40 BDSG, in particular with regard to information and control obligations, the Contractor shall be obliged to provide the Client with the necessary information.
The Contractor may claim remuneration for enabling the Client to carry out inspections.
8. Prevention of and obligations in the event of breaches by the Contractor
The Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 GDPR regarding the security of personal data, data breach notifications, data protection impact assessments and prior consultations. This includes, among other things:
- ensuring an adequate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the predicted likelihood and severity of a potential breach through security vulnerabilities, and that enable the prompt detection of relevant breach events;
- the obligation to report personal data breaches to the Client without delay;
- the obligation to support the Client in fulfilling its duty to inform data subjects and to provide it with all relevant information in this context without delay;
- supporting the Client with its data protection impact assessments; and
- supporting the Client in the context of prior consultations with the supervisory authority.
The Contractor shall be obliged to notify the Client immediately of any breach of data protection regulations or of the contractual agreements made and/or the instructions issued by the Client which has occurred in the course of the processing of data by the Contractor or other persons involved in the processing.
The Contractor is aware that, in the event of a personal data breach, the Client may be subject to a notification obligation pursuant to Art. 33 and 34 GDPR, which requires notification to the supervisory authority within 72 hours of becoming aware of the breach. The Contractor shall support the Client in fulfilling these notification obligations. In particular, the Contractor shall inform the Client without delay of any unauthorized access to personal data processed on behalf of the Client.
The Contractor may claim remuneration for support services that are not included in the service description or are not attributable to misconduct on the part of the Contractor.
9. Authority of the Client to issue instructions
The Contractor shall process personal data on behalf of the Client in accordance with the contractual agreements and/or the Client's instructions. The Client has the right to issue supplementary instructions to the Contractor at any time regarding the type, scope and procedure of data processing in connection with the commissioned processing. Instructions may be issued in text form (e.g. e-mail). The Client shall confirm verbal instructions without delay, at least in text form.
The Contractor must inform the Client immediately if it believes that an instruction violates data protection regulations. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client.
10. Safeguarding the rights of data subjects
The Client is solely responsible for safeguarding the rights of data subjects insofar as the personal data in question is processed by the Contractor on behalf of the Client.
To the extent covered by the scope of services, the Contractor shall support the Client with suitable technical and organizational measures to comply with the Client’s obligation to respond to requests from data subjects in accordance with Art. 12-23 GDPR, insofar as the Client is dependent on the Contractor’s support in this respect.
11. Deletion of data and return of data carriers
Copies or duplicates of the data shall not be created without the knowledge of the Client. Excluded from this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data required to comply with statutory retention obligations.
After completion of the contractually agreed work, or earlier at the request of the Client, and at the latest upon termination of the service agreement, the Contractor shall hand over to the Client all documents, processing and usage results and data pertaining to the contractual relationship that have come into its possession or, with the Client's prior consent, destroy them in accordance with data protection regulations. The same applies to test and scrap material. The deletion log shall be provided on request.
Documentation that serves as proof of proper data processing in accordance with the order shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods. The Contractor may hand them over to the Client at the end of the contract in order to discharge the Client.
12. Entry into force and termination
This agreement shall enter into force upon conclusion of the contract and shall remain valid as long as the relevant service relationship continues. The right to extraordinary termination remains unaffected. Any termination must be in writing.
13. Final provisions
The law of the Federal Republic of Germany shall apply.
Should individual parts of this contract be invalid, this shall not affect the validity of the remaining provisions of the contract.
Annex 1:
I. Technical and organizational measures of the contractor
1. Confidentiality (Art. 32 para. 1 lit. b GDPR)
- Physical access control (Zutrittskontrolle): no unauthorized physical access to data processing systems
  - Keys
- System access control (Zugangskontrolle): no unauthorized use of systems
  - (Secure) passwords
  - Automatic locking mechanisms
- Data access control (Zugriffskontrolle): no unauthorized reading, copying, modification or removal within the system
  - Authorization concepts and needs-based access rights
  - Logging of accesses
- Separation control: separate processing of data collected for different purposes
  - Multi-client capability
  - Sandboxing
- Pseudonymization (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR): the processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to appropriate technical and organizational measures
2. Integrity (Art. 32 para. 1 lit. b GDPR)
- Transfer control: no unauthorized reading, copying, modification or removal during electronic transmission or transport
  - Encryption
- Input control: determining whether and by whom personal data has been entered into, modified in or removed from data processing systems
  - Logging
3. Availability and resilience (Art. 32 para. 1 lit. b GDPR)
- Availability control: protection against accidental or wilful destruction or loss
  - Backup strategy (online/offline; on-site/off-site)
  - Virus protection
  - Firewall
- Rapid recoverability (Art. 32 para. 1 lit. c GDPR)
4. Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
- Data protection management
- Incident response management
- Data protection-friendly default settings (Art. 25 para. 2 GDPR)
- Order control: no commissioned data processing within the meaning of Art. 28 GDPR without corresponding instructions from the Client
  - Clear contract design
  - Formalized order management
  - Strict selection of service providers
  - Obligation to verify the service provider's suitability in advance
  - Follow-up checks
Annex 2:
The following sub-service providers are used to provide the services of the outsourced internal reporting office in accordance with the HinSchG:
- Google Cloud EMEA Limited, Velasco, Clanwilliam Place, Dublin 2, Ireland; hosting of the Parlabox software
- Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, USA; hosting, DDoS protection
- Usetiful, Dobbytec OÜ, Sepapaja 6, 15551 Tallinn, Estonia; tutorial / user tour