Contract for the processing of personal data on behalf of a controller (commissioned processing) in accordance with the EU General Data Protection Regulation (AV contract)
Contract for the processing of personal data on behalf of a controller between
[see the form entries made]
(hereinafter referred to as the "client")
and
[see the information in the imprint]
(hereinafter referred to as the "contractor")
1 Introduction, scope, definitions
1.1 This contract governs the rights and obligations of the client and the contractor (hereinafter referred to as the "parties") in the context of the processing of personal data on behalf of the client (commissioned processing).
1.2 This contract applies to all activities in which employees of the contractor, or subcontractors commissioned by him ("subcontractors"), process personal data of the client.
1.3 Terms used in this contract are to be understood in accordance with their definition in the EU General Data Protection Regulation. Insofar as declarations in the following have to be made "in writing", the written form according to § 126 BGB is meant. Apart from that, declarations can also be made in other forms, as long as appropriate verifiability is guaranteed.
2 Subject and duration of processing
The contractor undertakes the following processing:
• See the form entries made
The processing is based on the service contract existing between the parties (hereinafter "main contract").
Processing begins on 01.12.2023 and continues for an indefinite period until this agreement or the main contract is terminated by either party.
3 Type and purpose of data collection, processing or use:
3.1 Type and purpose of processing
The processing is of the following type: Collection, recording and storage
The processing serves the following purpose: Contacting the contractor
3.2 Type of data
The following data is processed:
• see form entries made
3.3 Categories of data subjects
The processing concerns the following data subjects:
• see form entries made
4 Obligations of the contractor
4.1 The contractor processes personal data exclusively as contractually agreed or as instructed by the client, unless the contractor is legally obliged to carry out specific processing. If such an obligation exists, the contractor shall notify the client of it prior to the processing, unless he is prohibited by law from doing so. Beyond that, the contractor shall not use the data provided for processing for any other purposes, in particular not for his own purposes.
4.2 The contractor confirms that he is aware of the relevant, general data protection regulations. He observes the principles of proper data processing.
4.3 The contractor undertakes to strictly maintain confidentiality during processing.
4.4 Persons who may gain knowledge of the data processed on behalf of the client must undertake in writing to maintain confidentiality, unless they are already subject to a relevant confidentiality obligation by law.
4.5 The contractor assures that the persons he employs for the processing have been familiarized with the relevant data protection provisions and with this contract before the start of the processing. Appropriate training and awareness-raising measures must be repeated at suitable regular intervals. The contractor shall ensure that the persons employed for the commissioned processing are adequately instructed and monitored on an ongoing basis with regard to compliance with data protection requirements.
4.6 In connection with the commissioned processing, the contractor must support the client in creating and updating the record of processing activities and in carrying out data protection impact assessments. All necessary information and documentation must be kept and forwarded to the client immediately upon request.
4.7 If the client is subject to an inspection by supervisory authorities or other bodies, or if data subjects assert rights against him, the contractor undertakes to support the client to the extent necessary, insofar as the commissioned processing is affected.
4.8 The contractor may only provide information to third parties or to data subjects with the prior consent of the client. Inquiries addressed directly to the contractor will be forwarded to the client without delay.
4.9 To the extent required by law, the contractor appoints a competent and reliable person as data protection officer. It must be ensured that the officer is not subject to any conflict of interest. In cases of doubt, the client may contact the data protection officer directly. The contractor shall immediately inform the client of the contact details of the data protection officer or justify why no officer has been appointed. The contractor shall inform the client immediately of any change in the person or in the internal duties of the data protection officer.
4.10 As a rule, the commissioned processing takes place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the client, under the conditions laid down in Chapter V of the General Data Protection Regulation and in compliance with the provisions of this contract.
4.11 If the contractor is not established in the European Union, he shall designate a representative in the European Union in accordance with Article 27 of the General Data Protection Regulation. The contact details of the representative, as well as any change in the person of the representative, are to be communicated to the client immediately.
5 Technical and organizational measures
5.1 The data security measures described in Appendix 1 are defined as binding. They define the minimum owed by the contractor. The description of the measures must be made in such detail that, based on the description alone, a knowledgeable third party can unequivocally identify what the minimum owed should be. A reference to information that cannot be taken directly from this agreement or its attachments is not permitted.
5.2 The data security measures may be adapted to technical and organizational developments, provided that they do not fall below the level agreed here. The contractor must implement changes required to maintain information security without delay. Changes are to be communicated to the client immediately. Significant changes are to be agreed between the parties.
5.3 If the security measures taken do not or no longer meet the requirements of the client, the contractor will inform the client immediately.
5.4 The contractor assures that the data processed on behalf of the client will be kept strictly separate from other data.
5.5 Copies or duplicates are not made without the knowledge of the client. Technically necessary, temporary copies are exempt, insofar as any impairment of the level of data protection agreed here is excluded.
5.6 The processing of data in private homes is only permitted with the prior written consent of the client in individual cases. Insofar as such processing takes place, the contractor must ensure that a level of data protection and data security corresponding to this contract is maintained and that the client's control rights specified in this contract can also be exercised without restriction in the private homes concerned. The processing of data on behalf of the client on private devices is not permitted under any circumstances.
5.7 Dedicated data carriers that originate from the client or are used for the client are specially marked and are subject to ongoing management. They must be stored appropriately at all times and must not be accessible to unauthorized persons. Incoming and outgoing data carriers are documented.
5.8 The contractor shall provide regular proof of the fulfillment of his obligations, in particular the full implementation of the agreed technical and organizational measures and their effectiveness. Evidence must be provided to the client at least every 12 months without being asked, and otherwise at any time upon request. Evidence may be provided by means of approved codes of conduct or an approved certification procedure.
6 Provisions on the correction, deletion and blocking (restriction) of data
6.1 The contractor will only correct, delete or block data processed on behalf of the client in accordance with the contractual agreement made or in accordance with the instructions of the client.
6.2 The contractor will follow the corresponding instructions of the client at any time, including beyond the termination of this contract.
7 Subcontracting
7.1 The commissioning of subcontractors is only permitted with the written consent of the client in individual cases.
7.2 Approval is only possible if the subcontractor has been contractually bound to data protection obligations at least comparable to those agreed in this contract. Upon request, the client shall be given access to the relevant contracts between the contractor and the subcontractor.
7.3 The rights of the client must also be able to be effectively exercised against the subcontractor. In particular, the client must be entitled to carry out checks at subcontractors or have them carried out by third parties at any time within the scope specified here.
7.4 The responsibilities of the contractor and the subcontractor must be clearly distinguished from each other.
7.5 Further subcontracting by the subcontractor is not permitted.
7.6 The contractor selects the subcontractor carefully, paying particular attention to the suitability of the technical and organizational measures taken by the subcontractor.
7.7 The forwarding of data processed on behalf of the client to the subcontractor is only permitted once the contractor has satisfied himself, and documented, that the subcontractor has fully fulfilled his obligations. The contractor must submit this documentation to the client without being asked.
7.8 The commissioning of subcontractors who carry out the commissioned processing not exclusively within the territory of the EU or the EEA is only possible if the conditions specified in sections 4.10 and 4.11 of this contract are observed. In particular, it is only permissible if and for as long as the subcontractor offers appropriate data protection guarantees. The contractor shall inform the client which specific data protection guarantees the subcontractor offers and how proof of them can be obtained.
7.9 The contractor must regularly, and at the latest every 12 months, appropriately check compliance with the subcontractor's obligations. The check and its result must be documented in such a meaningful way that they can be understood by a competent third party. The documentation must be presented to the client without being asked.
7.10 If the subcontractor does not meet his data protection obligations, the contractor shall be liable to the client for this.
7.11 The subcontractors named in Appendix 2 with their name, address and order content are currently engaged in processing personal data to the extent specified there and approved by the client. The other obligations of the contractor with regard to subcontractors set out here remain unaffected.
7.12 Subcontracting relationships within the meaning of this contract are only those services that relate directly to the provision of the main service. Ancillary services such as transport, maintenance and cleaning, and the use of telecommunications services or user support services, are not included. The obligation of the contractor to ensure compliance with data protection and data security in these cases remains unaffected.
8 Rights and obligations of the client
8.1 The client is solely responsible for assessing the admissibility of the commissioned processing and for safeguarding the rights of data subjects.
8.2 The client places all orders, partial orders or instructions in a documented manner. In urgent cases, instructions can be given verbally. The client will immediately confirm such instructions in a documented manner.
8.3 The client shall inform the contractor immediately if he discovers errors or irregularities when checking the results of the processing.
8.4 The client is entitled, to a reasonable extent, to verify compliance with the data protection provisions and the contractual agreements at the contractor's premises, himself or through third parties, in particular by obtaining information, inspecting the stored data and the data processing programs, and carrying out other on-site checks. Where necessary, the contractor must grant the persons entrusted with the inspection access and insight. The contractor is obliged to provide the necessary information, to demonstrate processes and to furnish the evidence required to carry out an inspection.
8.5 Checks at the contractor's premises must be carried out without avoidable disruption to his business operations. Unless urgent reasons, to be documented by the client, indicate otherwise, checks will take place after reasonable advance notice, during the contractor's business hours, and not more frequently than every 12 months. If the contractor provides evidence of the correct implementation of the agreed data protection obligations as provided for in section 5.8 of this contract, a check should be limited to spot checks.
9 Reporting Requirements
9.1 The contractor shall notify the client immediately of any personal data breach. Justified cases of suspicion must also be reported. The notification must be sent to an address specified by the client within 24 hours of the contractor becoming aware of the relevant event. It must contain at least the following information:
a. a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
b. the name and contact details of the data protection officer or other contact point for further information;
c. a description of the likely consequences of the personal data breach;
d. a description of the measures taken or proposed by the contractor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
9.2 Significant disruptions in the execution of the order, and violations by the contractor or the persons employed by him of data protection provisions or of the stipulations made in this contract, must also be reported immediately.
9.3 The contractor shall inform the client immediately of controls or measures by supervisory authorities or other third parties, insofar as these relate to the commissioned processing.
9.4 The contractor assures to support the client in his obligations according to Art. 33 and 34 General Data Protection Regulation to the required extent.
10 Authority to issue instructions
10.1 The client reserves the right to issue instructions with regard to the processing carried out on his behalf.
10.2 Client and contractor name the persons who are exclusively authorized to issue and accept instructions in Appendix 3.
10.3 In the event of a change or a long-term prevention of the named persons, the other party must be informed immediately of successors or representatives.
10.4 The contractor shall immediately draw the client's attention to it if, in his opinion, an instruction given by the client violates statutory provisions. The contractor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the person responsible at the client.
10.5 The contractor must document the instructions given to him and their implementation.
11 Termination of Order
11.1 Upon termination of the contractual relationship, or at any time at the request of the client, the contractor must either destroy the data processed on behalf of the client or hand it over to the client, at the client's option. All existing copies of the data must also be destroyed. Destruction must be carried out in such a way that even residual information can no longer be restored with reasonable effort. Physical destruction takes place in accordance with DIN 66399.
11.2 The contractor is obliged to bring about the immediate return or deletion of the data at subcontractors as well.
11.3 The contractor must provide evidence of proper destruction and submit it to the client without delay.
11.4 Documentation that serves as proof of proper data processing must be retained by the contractor in accordance with the respective retention periods beyond the end of the contract. He may hand it over to the client at the end of the contract in order to discharge this obligation.
12 Remuneration
The remuneration of the contractor is conclusively governed by the main contract. There is no separate payment or reimbursement of costs under this contract.
13 Liability
13.1 Client and contractor are jointly and severally liable for compensation for damage suffered by a person as a result of inadmissible or incorrect data processing within the framework of the contractual relationship.
13.2 The contractor bears the burden of proving that damage is not the result of a circumstance for which he is responsible, insofar as the relevant data was processed by him under this agreement. As long as this proof has not been provided, the contractor shall indemnify the client on first demand against all claims raised against the client in connection with the commissioned processing. Under these conditions, the contractor shall also reimburse the client for all costs incurred for legal defense.
13.3 The contractor shall be liable to the client for damage culpably caused by the contractor, his employees or those commissioned by him with the execution of the contract or the subcontractors employed by him in connection with the provision of the commissioned contractual service.
13.4 Numbers 13.2 and 13.3 do not apply if the damage was caused by the correct implementation of the commissioned service or an instruction given by the client.
14 Contractual penalty
14.1 In the event of a breach of the provisions of this contract, a no-fault contractual penalty of €5,000 per individual case is agreed. The contractual penalty is forfeited in particular in the event of deficiencies in the implementation of the agreed technical and organizational measures. In the case of continuing violations, each calendar month in which the violation occurs in whole or in part is considered an individual case. The defense that repeated breaches constitute a single continuing breach (Fortsetzungszusammenhang) is excluded.
14.2 The contractual penalty does not affect other claims of the client.
15 Special Right of Termination
15.1 The client may terminate the main contract and this agreement at any time without notice ("extraordinary termination") if the contractor has seriously violated data protection provisions or the provisions of this agreement, if the contractor cannot or will not carry out a lawful instruction of the client, or if the contractor refuses the client's control rights contrary to the contract.
15.2 A serious violation exists in particular if the contractor has not fulfilled the obligations specified in this agreement, in particular the agreed technical and organizational measures, or has failed to fulfill them to a considerable extent.
15.3 In the case of minor violations, the client shall set the contractor a reasonable period of time to remedy the situation. If the remedy is not provided in time, the client is entitled to extraordinary termination as described in this section.
15.4 The contractor must reimburse the client for all costs incurred by the premature termination of the main contract or this contract as a result of an extraordinary termination by the client.
16 Final provisions
16.1 Both parties are obliged to treat as confidential all knowledge of business secrets and data security measures of the other party obtained within the framework of the contractual relationship, including after the termination of the contract. If there is doubt as to whether information is subject to the obligation of confidentiality, it must be treated as confidential until the other party has released it in writing.
16.2 Should the property of the client at the contractor be endangered by third-party measures (e.g. seizure or confiscation), through insolvency or composition proceedings or by other events, the contractor must inform the client immediately.
16.3 Subsidiary agreements must be in writing.
16.4 The assertion of a right of retention within the meaning of § 273 BGB is excluded with regard to the data processed on behalf of the client and the associated data carriers.
16.5 Should individual parts of this agreement be ineffective, this does not affect the validity of the rest of the agreement.
Appendix 1 - technical and organizational measures
The technical and organizational measures to ensure data protection and data security are specified below, which the contractor must at least set up and maintain on an ongoing basis. The aim is to guarantee in particular the confidentiality, integrity and availability of the information processed in the order.
Protection class 1 applies to destruction in accordance with DIN 66399.
1. Information security organization
2. Personnel security
3. Asset management
4. Access control
6. Physical and environmental security
7. Operational security
8. Communication security
9. Acquisition, development and maintenance of systems
10. Supplier relationships
11. Handling of information security incidents
12. Information security aspects in business continuity management
Appendix 2 - Approved subcontractors
see information in the imprint
Appendix 3 - Persons authorized to issue instructions
The following persons are authorized to issue and receive instructions:
see information in the imprint
© by activemind.de (free data protection samples & templates) - adapted from kontaktformular.com