Dear ProofText User,
We are pleased that you are using ProofText from EyeC GmbH.
We take the protection of your privacy when you use the EyeC GmbH software very seriously.
For this reason, we comply with the applicable legal regulations on the protection of personal information and data security.
The following agreement is valid for ProofText:
Agreement on Commissioned Processing of Personal Data according to Art. 28 GDPR
Preamble
In the context of services and their provision, it is possible that the Contractor will have access to personal data of the Client or its employees. This applies in particular if 1. the documents processed by the Client contain personal data or 2. the Client uses personalized access data. The completed and signed Commissioned Data Processing Agreement can be returned to the following email address [email protected].
- General
- The Contractor shall process personal data on behalf of the Client within the meaning of Art. 4(8) and Art. 28 of (EU) 2016/679 – General Data Protection Regulation (GDPR). This Agreement regulates the rights and obligations of the parties in connection with processing of personal data.
- Insofar as the term “data processing” or “processing” (of data) is used in this Agreement, the definition of “processing” within the meaning of Art. 4(2) GDPR shall apply.
- The Client has carefully selected the Contractor and, in particular, ensured that the Contractor provides sufficient guarantees that appropriate technical and organizational measures are implemented in such a way that the processing of personal data by the Contractor is carried out in accordance with the data protection requirements applicable to it and it ensures protection of the rights of the data subjects affected by the processing.
- Subject matter of the order
- The subject matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are specified in Annex 1 to this Agreement.
- Rights and obligations of the Client
- The Client is the data controller within the meaning of Art. 4(7) GDPR on behalf of whom the data are processed by the Contractor. Pursuant to Section 4(5), the Contractor shall have the right to notify the Client if data processing which it considers to be unlawful is the subject of the Agreement and/or of an instruction.
- As the data controller, the Client is responsible for safeguarding the rights of the data subjects. The Contractor shall inform the Client without delay if data subjects assert their data subject rights against the Contractor.
- The Client has the right to issue supplementary instructions to the Contractor at any time regarding the type, scope and procedure of data processing. Instructions must be given in text form (e.g. email).
- The Client may appoint persons authorized to issue instructions. If persons authorized to give instructions are to be appointed, they are named in Annex 1. If the persons authorized to give instructions on behalf of the Client change, the Client shall notify the Contractor of this in text form.
- The Client shall inform the Contractor without undue delay if it discovers errors or irregularities in connection with the processing of personal data by the Contractor.
- In the event that there is an obligation to inform third parties pursuant to Art. 33, 34 GDPR or any other statutory notification obligation applicable to the Client, the Client shall be responsible for compliance with it.
- General obligations of the Contractor
- The Contractor shall process personal data exclusively within the scope of the agreements made and/or in compliance with any supplementary instructions issued by the Client. This does not apply to legal regulations that may require the Contractor to process the data in a different way. In such a case, the Contractor shall notify the Client of such legal requirements prior to processing, unless the relevant law prohibits such notification for reasons of important public interest. The purpose, type and scope of data processing shall otherwise be governed exclusively by this Agreement and/or the Client’s instructions. The Contractor is prohibited from processing data in any other way, unless the Client has agreed to this in writing.
- The Contractor undertakes to carry out the commissioned data processing within the European Union or the European Economic Area.
- In processing personal data, the Contractor shall ensure that all agreed measures are carried out in accordance with the Agreement.
- The Contractor is obliged to organize its company and its operating procedures in such a way that the data which it processes on behalf of the Client are secured to the extent necessary in each case and protected against unauthorized disclosure to third parties.
- The technical and organizational measures taken by the Contractor are subject to technical progress and further development. In view of this, the Contractor is permitted to use new technologies or technical tools that can improve the protection of the personal data it processes. In any case, the security level of the measures defined within the framework of this Agreement must be maintained.
- The Contractor shall document material changes and submit them to the Customer in this context in an appropriately adapted annex, without being requested to do so.
- The Contractor shall inform the Customer without delay if, in its opinion, an instruction issued by the Customer violates statutory regulations. The Contractor is entitled to suspend implementation of the relevant instruction until it is confirmed or amended by the Client. If the Contractor can demonstrate that processing in accordance with the Client’s instructions may lead to liability on the part of the Contractor pursuant to Art. 82 GDPR, the Contractor shall be free to suspend further processing in this respect until liability has been clarified between the parties.
- The person authorized to issue instructions for the Client is exclusively the signatory to the Agreement or a person designated by it in writing.
- Data protection officer of the Contractor
- The Contractor confirms that it has appointed a data protection officer in accordance with Art. 37 GDPR. The Contractor shall ensure that the data protection officer has the necessary qualifications and expertise. The name and contact details of the Contractor’s data protection officer are specified in Annex 1.
- The obligation to appoint a data protection officer pursuant to paragraph 1 may be waived at the discretion of the Client if the Contractor is able to demonstrate that it is not required by law to appoint a data protection officer and the Contractor is able to demonstrate that operational regulations are in place which ensure that personal data are processed in compliance with the statutory provisions, the provisions of this Agreement and any further instructions issued by the Customer.
- Reporting obligations of the Contractor
- The Contractor is obliged to notify the Client without undue delay of any violation of data protection regulations or of the contractual agreements made and/or of the Client’s instructions which has occurred in the course of processing of the data by the Contractor or other persons involved in the processing. The same shall apply to any breach of the protection of personal data processed by the Contractor on behalf of the Client.
- Furthermore, the Contractor shall inform the Customer without undue delay if a supervisory authority takes action against the Contractor pursuant to Art. 58 GDPR and this may also concern a check of the processing that the Contractor provides on behalf of the Client.
- The Contractor is aware that the Client may be subject to a notification obligation pursuant to Art. 33, 34 GDPR, which provides for notification of the supervisory authority within 72 hours of becoming aware of the violation. The Contractor shall support the Client in meeting its reporting obligations. In particular, the Contractor shall notify the Client of any unauthorized access to personal data processed on behalf of the Client without undue delay, but no later than within 48 hours of becoming aware of such access. The Contractor’s notification to the Client shall include, in particular, the following information:
- a description of the nature of the personal data protection breach, including, as far as possible, the categories and approximate number of data subjects affected and the categories and approximate number of personal data records affected;
- a description of the measures taken or proposed by the Contractor to address the personal data protection breach and, if applicable, measures to mitigate its potential adverse effects.
- The Contractor is obliged to provide the necessary information to the Client in the event of measures taken by the supervisory authority vis-à-vis the Client within the meaning of Art. 58 GDPR, in particular with regard to information and control obligations, and to enable the competent supervisory authority to conduct an on-site inspection. The Client shall be informed by the Contractor of any planned measures of this sort.
- Cooperation obligations of the Contractor
- The Contractor shall support the Client in its obligation to respond to applications of data subjects to exercise their rights pursuant to Art. 12-23 GDPR. The provisions of Section 11 of this Agreement shall apply.
- The Contractor shall cooperate in the preparation of registers of processing activities by the Client. It shall provide the Client with the information required in this respect in an appropriate way.
- The Contractor shall support the Client in complying with the obligations set out in Art. 32-36 GDPR, taking into account the nature of the processing and the information available to it.
- Powers of inspection
- The Client shall satisfy itself of the technical and organizational measures taken by the Contractor before the commencement of data processing and thereafter on a regular basis. For this purpose, it may, for example, obtain information from the Contractor, have existing test certificates from experts, certifications or internal audits presented to it or, with coordination in advance, inspect the Contractor’s technical and organizational measures in person during normal business hours or have them inspected by a competent third party, provided that the latter is not in a competitive relationship with the Contractor. The Client shall carry out inspections only to the extent necessary and shall not disrupt the Contractor’s operations unduly in the process.
- The Contractor undertakes to provide the Client, at the latter’s verbal or written request and within a reasonable period of time, with all information and evidence required to carry out an inspection of the Contractor’s technical and organizational measures.
- The Client shall document the outcome of the inspection and notify the Contractor of it. In the event of errors or irregularities discovered by the Client, in particular during the inspection of results covered by the Agreement, the Client shall inform the Contractor without delay. If issues are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Client shall notify the Contractor of the necessary procedural changes without delay.
- The Contractor may claim remuneration for facilitating inspections by the Customer.
- Subcontracting relationships
- The Contractor shall specify all subcontracting relationships already existing at the time of conclusion of the Agreement in Annex 2 to this Agreement. The Contractor shall inform the Client in good time in advance in writing or in text form before involving further subcontractors or replacing existing ones.
- The Client may object to the change – within a reasonable period of time, but no longer than 2 weeks – for good reason under data protection law by notifying the office designated by the Contractor. If no objection is made within the time limit, the change is deemed to have been approved. In the event of an unjustified objection, there may be corresponding delays in the provision of the service under the main Agreement. The Contractor shall not be responsible for any restriction of the contractual services resulting from an unjustified objection.
- If the Client has made a legitimate objection to a subcontractor for good reason under data protection law and if a mutually agreeable solution cannot be found between the parties by other means for good reason under data protection law, the Contractor shall have a special right of termination.
- In exceptional cases, a retrospective agreement between the parties is also possible. In this case, the Contractor shall immediately inform the Client about the use of a subcontracted processor.
- The Contractor shall select the subcontractor carefully and check that the subcontractor is able to comply with the agreements made between the Client and the Contractor prior to commissioning. In particular, the Contractor shall check in advance and regularly during the term of the contract that the subcontractor has taken the technical and organizational measures required under Art. 32 GDPR to protect personal data. The outcome of the inspection shall be documented by the Contractor and submitted to the Client on request.
- In the case of data subject to professional secrecy pursuant to Section 203 of the German Criminal Code (StGB), the resulting restrictions, e.g. in territorial terms, must be observed: the Contractor must have its registered office in the territory governed by German criminal law.
- The Contractor shall ensure that the provisions of this Agreement and, if applicable, any supplementary instructions of the Client also apply to the subcontractor. The Contractor shall conclude a commissioned data processing agreement with the subcontractor that complies with the requirements of Art. 28 GDPR. In addition, the Contractor shall impose on the subcontractor the same obligations for the protection of personal data that are established between the Client and the Contractor. A copy of the Commissioned Data Processing Agreement shall be provided to the Client on request.
- In particular, the Contractor is obliged to ensure by contractual provisions that the powers of the Client and of supervisory authorities to carry out inspections (Section 8 of this Agreement) also apply vis-à-vis the subcontractor and that corresponding inspection rights of the Client and supervisory authorities have been agreed. It shall also be stipulated by contract that the subcontractor shall acquiesce to these control measures and any on-site inspections.
- Any further outsourcing by the sub-processor shall require the express consent of the main Contractor (at least in text form); all contractual provisions regarding data protection obligations in the contractual chain shall also be imposed on the further sub-processor.
- Services which the Contractor uses from third parties purely as ancillary services in order to carry out its business activities shall not be regarded as subcontracting relationships within the meaning of paragraphs 1 to 6. These include, for example, cleaning services, pure telecommunications services without any specific reference to services provided by the Contractor to the Client, postal and courier services, transport services, security services. The Contractor shall nevertheless also be obliged in the case of ancillary services provided by third parties to ensure that appropriate precautions and technical and organizational measures have been taken to guarantee the protection of personal data. The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship requiring consent and commissioned processing within the meaning of Art. 28 GDPR if the maintenance and testing concerns IT systems that are also used in connection with the provision of services for the Client and personal data processed on behalf of the Client can be accessed during the maintenance work.
- The provisions of this section also apply if a subcontractor is engaged in a third country. The Client hereby authorizes EyeC GmbH, acting on behalf of the Client, to enter into an agreement with a subcontractor that processes or uses “Client Data” outside the EEA, incorporating the EU Standard Contractual Clauses for the Transfer of Personal Data to Processors in Non-EU Countries dated 05.02.2010 or, if applicable, any standard data protection clauses subsequently issued by the EU Commission or the competent supervisory authority. The Client declares its willingness to cooperate to the extent necessary in fulfilling the requirements pursuant to Art. 46 GDPR.
- Confidentiality obligation
- The Contractor confirms that it is aware of the applicable provisions of data protection and criminal law and is familiar with their application. The Contractor further confirms that it has familiarized its employees with the provisions of data protection and professional confidentiality applicable to them and has obliged them to maintain confidentiality. The Contractor further confirms that it has obligated the employees engaged in performance of the work in particular to maintain confidentiality and has informed them of the Client’s instructions.
- The obligation of the employees according to paragraph 1 shall be proven to the Client on request.
- Protection of the rights of data subjects
- The Client shall be solely responsible for protecting the rights of data subjects. The Contractor is obliged to support the Client in its obligation to process requests from data subjects pursuant to Art. 12-23 GDPR. The Contractor shall in particular ensure that the information required in this respect is provided to the Client without undue delay so that the Client is able to comply with its obligations under Article 12(3) GDPR.
- Insofar as the cooperation of the Contractor is necessary for protection of the rights of data subjects - in particular for information, rectification, blocking or erasure - by the Client, the Contractor shall take the action required in each case in accordance with the Client’s instructions. The Contractor shall support the Client as far as possible in fulfilling its obligation to respond to requests from data subjects to exercise their rights with suitable technical and organizational measures.
- Non-disclosure obligations
- Both parties undertake to treat all information received in connection with the performance of this contract as confidential for an unlimited period of time and to use it only for the performance of the Agreement. Neither party is entitled to use this information in whole or in part for purposes other than those previously mentioned or to make this information available to third parties.
- If the service concerns processing of data of natural persons, the provisions of the applicable data protection law shall also be observed. This applies in particular to commissioned data processing (Art. 28 GDPR) and related supplementary agreements in the following section, which remain unaffected by the above non-disclosure agreement. If data subject to medical secrecy (incl. genetic data and health data, Art. 4(13), (15) GDPR) are to be processed, the additional requirements resulting from Section 203 of the German Criminal Code (new version 2017) shall be observed.
- The foregoing obligation shall not apply to information that one of the parties has demonstrably received from a third party without a non-disclosure obligation or that is publicly known.
- Technical and organizational data security measures
- The Contractor undertakes vis-à-vis the Client to observe the technical and organizational measures required to comply with the applicable data protection regulations. This includes in particular the requirements of Art. 32 GDPR.
- The status of the technical and organizational measures existing at the time of conclusion of the Agreement is attached as Annex 3 to this contract. The parties agree that changes to the technical and organizational measures may be necessary in order to adapt to technical and legal circumstances. The Contractor shall coordinate any significant changes that may affect the integrity, confidentiality or availability of the personal data with the Client in advance. Measures that involve only minor technical or organizational changes and do not negatively affect the integrity, confidentiality or availability of the personal data may be implemented by the Contractor without coordination with the Client. The Customer may at any time request an up-to-date version of the technical and organizational measures taken by the Contractor.
- The Contractor shall review the effectiveness of the technical and organizational measures it has taken both regularly and on an ad hoc basis.
- Evidence of such measures (technical and organizational data protection measures) which relate not only to the specific order can be provided by
- compliance with approved rules of conduct pursuant to Art. 40 GDPR;
- certification in accordance with an approved certification procedure pursuant to Art. 42 GDPR;
- current attestations, reports or report extracts from independent bodies (e.g. auditors, audits, data protection officers, IT security department, data protection auditors, quality auditors);
- suitable certification by IT security or data protection audit (e.g. according to BSI-Grundschutz or ISO 27001 ff.).
- Duration of the Agreement
- The duration of this Agreement (term) corresponds to the term of the commission or DEMO access.
- The Client may terminate the Agreement at any time without notice if there is a serious breach by the Contractor of the applicable data protection provisions or of obligations under this Agreement, if the Contractor is unable or unwilling to carry out an instruction of the Client or if the Contractor denies access by the Client or the competent supervisory authority in breach of the Agreement.
- Termination
- On termination of the Agreement, the Contractor shall, at the Client's discretion, return to the Client or delete all documents, data and results of processing or utilization in its possession that are related to the Agreement. Deletion must be documented in a suitable way. Any statutory retention obligations or other obligations to store the data remain unaffected. In the case of data carriers, these shall be destroyed if the Client wishes them to be erased, whereby security level 3 of DIN 66399 must be observed as a minimum; proof of destruction shall be provided to the Client with reference to the security level in accordance with DIN 66399.
- The Client has the right to verify complete return and deletion of the data in accordance with the Agreement on the Contractor’s premises. This can also be done by an inspection of the data processing equipment on the Contractor’s premises. Notification of the on-site inspection shall be provided by the Client with reasonable notice.
- The Contractor may store personal data that have been processed in connection with the Agreement beyond the termination of the Agreement if and to the extent that the Contractor has a legal obligation to retain them. In these cases, the data may only be processed for the purpose of implementing the respective statutory retention obligations. On expiry of the retention period, the data shall be deleted immediately.
- Right of retention
The parties agree that the defense of the right of retention by the Contractor within the meaning of Section 273 of the German Civil Code (BGB) is excluded with regard to the processed data and the associated data carriers.
- Liability
For breaches of data protection law, the liability of the parties shall be governed by the liability provisions of Art. 82 GDPR.
- Final provisions
- Should the property of the Client held by the Contractor be at risk as a result of action taken by third parties (for example seizure or attachment), by insolvency proceedings or by other events, the Contractor shall inform the Client immediately. The Contractor shall immediately inform the creditors of the fact that processing of the data has been commissioned.
- Any ancillary agreements shall take written form.
- Should individual parts of this Agreement be invalid, this shall not affect the validity of the remaining provisions of the Agreement.
ANNEX 1: Subject matter of the Agreement
- Subject and purpose of processing
The Client’s commissioning of the Contractor shall include the following work and/or services:
Provision, maintenance and support of ProofText
- Type(s) of personal data
The following types of data are regularly subject to processing:
- Personal master data (name, username, email address, IP address, role in ProofText)
- Traffic data (e.g. time of last login, IP address)
- Audit trail / audit history - traceability of changes arising from an audit
- Any type of data may be present within the raw data. These are not required by the Contractor, but are compared as part of the check and are therefore processed by the Contractor. These data may also include special categories of data within the meaning of Article 9(1) GDPR, for example variable personal data on personalized labels.
- Categories of data subject
Group of persons affected by the data processing:
- Employees of the Client.
- In principle, all categories of persons processed as part of the raw data check.
- Data protection officer of the Client
The current contact details of the Client’s data protection officer are always provided on the Client’s website.
- Persons authorized to receive instructions on behalf of the Contractor
Full name Dirk Lütjens
Phone +49 40 2263555 - 211
Email [email protected]
- Data protection officer of the Contractor
Full name Vladimir Siemens
Phone 05251 877 888-355
Email [email protected]
ANNEX 2 – Subcontractors
For the processing of data on behalf of the Client, the Contractor shall use the services of third parties who process data on its behalf (“subcontractors”).
The following company/companies are involved:
All companies with names, legal form, contact details and full address shall be provided here by the Contractor. The nature of the service shall also be described in brief.
| Name/Company name/Address | Country/countries of processing | Type of service |
| --- | --- | --- |
| Microsoft Ireland | Europe / EEA | Provision of the cloud infrastructure |
| Auth0, Inc. - European HQ, 3rd Floor, Union House, 182-194 Union Street, London, SE1 0KH, UK | Europe / EEA | Identity management |
We do not independently transmit personal data to a third country. For both subcontractors, the server location is within the EU/EEA. However, such a transmission cannot be completely ruled out if Microsoft Ireland or Auth0, as subsidiaries of American parent companies, are requested to do so.
In addition to the standard contractual clauses and an order processing contract, we have also made further regulations on data protection with Microsoft and Auth0; for example, through the use of encryption technologies.
It is also agreed that Microsoft and Auth0 store and process the data exclusively in Germany or the EU. The processing is subject to the GDPR provisions under European Union law.
The protection of your personal data is important to us. Nevertheless, there are possible risks which, despite the existing data protection and data security measures in connection with the processing, cannot currently be completely ruled out. In particular, these are:
- Your personal data could possibly be processed beyond the actual purpose of fulfilling the order and obtained by third parties in the above-mentioned case (that the American parent companies request the submission).
- You may not be able to sustainably enforce your information rights against Microsoft Corporation and Auth0 (Okta, Inc.) in the USA.
ANNEX 3 – Status of technical and organizational measures
Available on request by email to [email protected]
As of: 15.03.2022, Hamburg, Germany