
Contract for the processing of personal data on behalf of the controller (order processing contract)

to the

Contract for the provision of the kroot application, placement of job advertisements and processing of reactions from job applicants, concluded on the basis of the contractor's General Terms and Conditions (https://www.kroot.de/agb),

- hereinafter referred to as "Main Contract" –

 

agreed between the

 

kroot GmbH, Hochfeldstrasse 9, 86159 Augsburg, Germany

– hereinafter referred to as "Processor"

 

and the

 

customer of the main contract,

– hereinafter referred to as "Client"

 

– both hereinafter referred to as the "contracting parties" –


Preamble and scope

The processor processes personal data on behalf of the client. This order processing contract specifies the object of the order processing and the rights and obligations of the contracting parties arising from the order processing relationship.

 

1. Terms and Definitions

  1. "Order processing" - "Order processing" means, in accordance with Art. 4 No. 8 GDPR, the processing of personal data by a processor on behalf of the controller, irrespective of the number of intermediary processors, within the subject matter of this order processing contract (Section 2).

  2. "Main contract" - The term main contract covers all types of ongoing business relationships between the client and the processor in the context of which the processor processes personal data on behalf of and on the instructions of the client in accordance with the information on the object of the order processing in this order processing contract. Insofar as the validity of this order processing contract is otherwise limited (i.e. within this contract or outside it, in other contracts or regulations) to certain types or specific business relationships, contracts, etc., these are to be understood as the main contract in each case. The term main contract also includes ongoing individual orders that the client places with the processor as part of the main contract (e.g. in the case of framework agreements).

  3. "Controller" - "Controller" (the "person responsible") is whoever, alone or jointly with others, determines the purposes and means of the processing of personal data (Art. 4 No. 7 GDPR).

  4. "Personal data" - "Personal data" (hereinafter also referred to as "data" for short) is, in accordance with Art. 4 No. 1 GDPR, any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

  5. "Data subjects" - According to Art. 4 No. 1 GDPR, data subjects ("affected persons") are natural persons who are identified or at least identifiable by means of personal data. The data subjects of this order processing result from the object of the order processing.

  6. "Third party" - According to Art. 4 No. 10 GDPR, a "third party" is a natural or legal person, public authority, agency or other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorized to process the personal data.

  7. "Sub-processing" - If a processor has not been commissioned directly by the controller, but by a processor of the controller, there is "sub-processing" and the processors following the first processor are referred to as "sub-processors".

  8. "Electronic format" - Declarations are deemed to have been made in "electronic format" in accordance with Art. 28 (9) GDPR if the person making the declaration is identifiable and the electronic declaration format is suitable as proof of the declaration. "Electronic format" means in particular the text form, an agreement stored on durable data carriers (e.g. e-mail), digital signing processes or the use of dedicated online functions (e.g. in user accounts).

 

2. Object of the order processing

  1. The order processing takes place within the framework of the following legal relationship (main contract): contract for the provision of the kroot application, placing job advertisements and processing the reactions of job applicants on the basis of the general terms and conditions of the contractor: https://www.kroot.de/agb.

  2. Detailed information on the object of the processing carried out under the order, the personal data processed, the persons affected by the processing and the type, scope and purpose of the processing is set out in the annex "Object of the order processing".

 

3. Type of order processing

Insofar as the client acts as the controller of the order processing, it is responsible within the framework of this order processing contract for compliance with the provisions of data protection law, in particular for the lawfulness of the data processing and for the lawfulness of commissioning the processor. If the client itself acts as a processor, it commissions the processor as a sub-processor. In that case the controller may, on the basis of this order processing contract, directly assert the rights to which the client is entitled vis-à-vis the sub-processor.

 

4. Authority to issue instructions

  1. The processor may only process personal data within the framework of the main contract and the instructions of the client and only insofar as the processing is necessary within the framework of the main contract.

  2. The instructions are initially set out in the main contract or in this order processing contract and can subsequently be amended, supplemented or replaced by individual instructions that the client issues in writing or in electronic format (text form, e.g. e-mail) to the processor or to the body designated by the processor.

  3. Oral instructions can be given if they are necessary due to the circumstances (e.g. urgency) and must be confirmed immediately in writing or in electronic form.

  4. If, based on objective circumstances, the processor is of the opinion that an instruction of the client violates applicable data protection law, the processor will inform the client immediately and justify the view objectively. In this case, the processor is entitled to suspend the execution of the instruction until the client has expressly confirmed the instruction and to reject obviously unlawful instructions.

  5. The processor may be obliged to carry out processing or to provide information by Union or Member State law or by administrative or judicial measures to which the processor is subject. In such a case, the processor shall notify the client of that legal requirement before processing, unless the relevant law prohibits such notification on important grounds of public interest; if notification is prohibited, the processor shall take all possible and reasonable measures to prevent or restrict the processing required by law.

  6. The processor must document the instructions given to him and their implementation.

  7. The processor shall designate the contact person authorized to receive instructions and is obliged to notify without delay any changes to the contact person or their contact details, as well as the deputies appointed in the event of a prolonged absence or incapacity.

 

5. Technical and organizational measures (security and protection concept)

  1. The processor will organize its internal organization within its area of responsibility in accordance with the legal requirements and will in particular take technical and organizational measures (hereinafter referred to as "TOMs") to adequately secure, in particular, the confidentiality, integrity and availability of the client's data, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of data subjects, and will ensure that these measures are maintained, in particular through regular, at least annual, evaluation. With regard to the protection of personal data, the TOMs include in particular physical access control, system access control, data access control, transfer control, input control, order control, integrity and availability control, separation control and safeguarding the rights of data subjects.

  2. The TOMs communicated by the processor when the contract was concluded define the minimum security level owed by the processor. The TOMs may be further developed in accordance with technical and legal progress and replaced by adequate protective measures, provided they do not fall below the security level of the specified measures and the client is informed of significant changes. The description of the measures must be so detailed that, based on the description alone, a knowledgeable third party can unequivocally recognize at any time that the required statutory data protection level and the defined minimum security level are not undercut.

  3. The processor guarantees that the employees, agents and other persons working for the processor who process the data are prohibited from processing the personal data outside of the instructions. The processor also ensures that the persons authorized to process the data of the client have been instructed in the legal data protection regulations and those resulting from this order processing contract and have been obligated to confidentiality and secrecy or are subject to a corresponding and appropriate statutory obligation of confidentiality. The processor ensures that persons employed for order processing are continuously instructed and monitored with regard to the fulfillment of the data protection requirements.

  4. The processor shall ensure that the persons employed by him for processing take part in recurring training and awareness-raising measures with a reasonable frequency with regard to the protection of personal data and compliance with statutory data protection regulations.

  5. The processing of personal data outside of the business premises of the processor (e.g. in the home or mobile office or in the case of remote access) is permitted provided that the necessary technical and organizational measures are taken and documented that take the special features of these processing situations into account in an appropriate manner and in particular, also enable sufficient control of data processing (e.g. conclusion of an agreement on data protection in the home and mobile office with employees). The processor shall provide the client with documentation of the implemented technical and organizational measures for such home, mobile or other remote processing upon request.

  6. The processing of personal data on the private devices of the employees of the processor and agents is only permitted with the consent of the client.

  7. If stipulated by legal requirements, the processor appoints a data protection officer who meets the legal requirements. The processor will inform the client of the contact information of the data protection officer and subsequent changes.

  8. The processing operations carried out for the client are documented separately by the processor to an appropriate extent in a list of processing activities and made available to the client on request.

  9. The data and data carriers provided under this order processing contract and all copies made of them remain the property and in the possession of the client, are subject to the client's control, must be carefully stored by the processor and protected against access by unauthorized third parties, and may only be destroyed with the consent of the client. Destruction must be carried out in accordance with data protection regulations and in such a way that restoring even residual information is no longer possible with reasonable effort and is not to be expected. Copies of data may only be made if they are necessary to fulfil the processor's main and ancillary performance obligations towards the client (e.g. backups) and the contractual and statutory level of data protection is guaranteed.

  10. The processor is obliged to ensure that any return or deletion of data and data carriers required under this order processing contract is also carried out without delay by its sub-processors.

  11. The processor must provide evidence of the proper destruction or deletion of data and files within the scope of this order processing contract and make this available to the client upon request.

  12. The assertion of a right of retention is excluded with regard to the data processed under the order and the associated data carriers.

  13. The processor shall provide regular evidence, to an appropriate extent, of the fulfilment of its obligations, in particular of the complete implementation of the agreed technical and organizational measures and their effectiveness (e.g. through regular controls, tests, etc.). Evidence is to be provided to the client upon request. Evidence may also be provided through approved codes of conduct or an approved certification procedure.

  14. If the security measures taken do not or no longer meet the requirements of the processor or the legal requirements, the processor will inform the client immediately.

  15. The technical and organizational measures existing at the time this order processing contract is concluded are listed by the processor in the annex "Technical and organizational measures" and accepted by the client.

 

6. Information obligations and cooperation obligations of the processor

  1. The processor may only provide information to third parties or data subjects with the prior consent of the client or where required by mandatory statutory obligations or by judicial or administrative order. If a data subject contacts the processor and asserts their rights (in particular the rights to information, rectification or erasure of personal data), the processor will refer the data subject to the client, provided the request can be attributed to the client on the basis of the information given by the data subject. The processor forwards the data subject's request to the client without delay and supports the client to the extent reasonable and possible. The processor is not liable if the client fails to respond to the data subject's request, or does not respond correctly or in time, unless the processor is responsible for this.

  2. The processor must inform the client immediately and in full if the processor discovers errors or irregularities in compliance with the provisions of this order processing contract and/or relevant data protection regulations with regard to the processing of the personal data. The processor takes the necessary measures to secure the personal data and to reduce possible adverse consequences for the data subjects and coordinates this with the client without delay.

  3. The processor will inform the client without delay if a supervisory authority takes action against the processor and its activities may affect the data processed for the client. The processor supports the client in fulfilling its obligations (in particular to provide information and to tolerate controls) towards supervisory authorities.

  4. Should the security of the client's personal data be endangered by measures taken by third parties (e.g. creditors, authorities, courts, etc.), such as seizure, confiscation or insolvency proceedings, the processor will inform the third party without delay that control over and ownership of the data lie exclusively with the client and, after consultation with the client, will take appropriate protective measures where necessary (e.g. objections, applications, etc.).

  5. The processor provides the client with the information regarding the processing of data within the scope of this order processing contract that the client needs to fulfil its legal obligations (which may include, in particular, inquiries from data subjects or authorities and compliance with its accountability obligations in connection with a data protection impact assessment).

  6. The information obligations of the processor initially extend to information that is available to the processor, its employees and agents. Information does not have to be obtained from third parties if the client could reasonably obtain it itself and no other agreement has been made.

  7. The processor must be able to demonstrate compliance with its contractual and legal obligations arising from the order processing at any time by suitable means.

 

7. Measures in the event of a threat or violation of data protection

  1. If the processor becomes aware of facts that justify the assumption that a personal data breach within the meaning of Art. 4 No. 12 GDPR affecting the personal data processed for the client may have occurred, the processor must inform the client immediately and in full, take the necessary protective measures without delay and support the client in fulfilling its obligations, in particular in connection with notifying the competent supervisory authority or the data subjects.

  2. Information about a (possible) violation of the protection of personal data must be given immediately, in principle within 24 hours of becoming aware of it.

  3. According to Art. 33 Para. 3 GDPR, the notification of the processor must contain at least the following information:

    1. a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;

    2. the name and contact details of the data protection officer or another point of contact for further information;

    3. a description of the likely consequences of the personal data breach (e.g. giving further details: identity theft, financial loss, etc.);

    4. a description of the measures taken or proposed to be taken by the processor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

  4. Significant disruptions in the execution of the order, as well as violations of data protection regulations or of the stipulations of this order processing contract by the processor, the persons employed by it or its agents, must also be reported without delay.

 

8. Reviews and Inspections

  1. The client has the right to check compliance with the legal requirements and the regulations of this order processing contract, in particular the TOMs at the processor, at any time to the required extent itself or through third parties and to carry out the necessary checks, including inspections.

  2. The processor must support the client with the controls and inspections to the extent necessary (e.g. by providing personnel and granting access rights).

  3. On-site inspections are carried out within normal business hours and must be announced by the client with reasonable notice (at least 14 days). In emergencies, i.e. if waiting would jeopardize the rights of the data subjects and/or the client to an unreasonable extent, an appropriately shorter period may be chosen. Conversely, a longer period may be required (e.g. if extensive preparations have to be made or during holiday periods). Deviations from the notice period must be justified by the contracting party relying on them.

  4. Controls are limited to the necessary extent and must take into account the processor's trade and business secrets as well as the protection of personal data of third parties (e.g. other customers or employees of the processor). Avoidable operational disruptions are to be avoided. Where the reason for and purpose of the review allow it, a control should be limited to spot checks.

  5. Only competent persons who can identify themselves and who are obligated to confidentiality and secrecy with regard to the company and business secrets as well as internal processes of the processor and personal data are permitted to carry out the control. The processor may request proof of a corresponding obligation. If the auditor commissioned by the client is in a competitive relationship with the processor or if there is any other justified reason for his refusal, the processor has the right to object to this.

  6. Instead of inspections and on-site controls, the processor may refer the client to an equivalent review by independent third parties (e.g. neutral data protection auditors), to compliance with approved codes of conduct (Art. 40 GDPR) or to suitable data protection or IT security certifications in accordance with Art. 42 GDPR. This only applies if the referral is reasonable for the client and the type and scope of the review and references correspond to the type and scope of the client's legitimate control interest. The processor undertakes to inform the client without delay of the exclusion from approved codes of conduct in accordance with Art. 41 (4) GDPR, the withdrawal of a certification in accordance with Art. 42 (7) GDPR and any other form of cancellation or significant change of the aforementioned evidence.

  7. In principle, the client does not exercise his right to control more frequently than every 12 months, unless a specific reason (in particular a breach of data protection, a security incident or the result of an audit) necessitates controls before the end of this period.

 

9. Subcontracting relationships

  1. Notwithstanding any restrictions in the main contract, the client expressly agrees that the processor may use sub-processors as part of the order processing. The processor informs the client of new sub-processors with reasonable advance notice, as a rule 14 working days, and gives the client the opportunity to review the sub-processors within a reasonable framework before they are used and, if there is a legitimate interest, to object to their use. If the client does not raise an objection within the notice period, the sub-processor may be used. The client will exercise its right to object only in accordance with the principles of good faith, reasonableness and equity.

  2. If the processor uses the services of a sub-processor (e.g. a subcontractor) to carry out certain processing activities on behalf of the client, it must, by means of a contract or other legal instrument permitted by law, impose on the sub-processor the same data protection obligations that the processor has assumed under this order processing contract (in particular with regard to following instructions, complying with the TOMs, providing information and tolerating controls).

  3. The processor carefully selects the sub-processor, paying particular attention to suitability and reliability to comply with the obligations arising from this order processing contract and the suitability of the TOMs made by the sub-processor.

  4. The transfer of personal data processed on behalf of the client to a sub-processor is only permitted after the processor has satisfied itself that the sub-processor has fully fulfilled its obligations. This review must be documented and the documentation submitted to the client upon request.

  5. The processor must regularly, at least every 12 months, review to an appropriate extent whether the sub-processors comply with their obligations, in particular the TOMs. The review and its result must be documented in such a way that they can be understood by a competent third party. The documentation must be presented to the client upon request. Instead of conducting its own review, the processor may refer to a review by independent third parties (e.g. neutral data protection auditors), to compliance with approved codes of conduct (Art. 40 GDPR) or to suitable data protection or IT security certifications in accordance with Art. 42 GDPR. The processor undertakes to inform the client without delay of the exclusion from approved codes of conduct in accordance with Art. 41 (4) GDPR, the withdrawal of a certification in accordance with Art. 42 (7) GDPR and any other form of cancellation or significant change of the aforementioned evidence at the sub-processor.

  6. The responsibilities for fulfilling the obligations arising from this order processing contract and from the law must be clearly regulated and differentiated between the processor and the sub-processor.

  7. The client's rights must also be capable of being exercised effectively vis-à-vis the sub-processors. In particular, the client must be entitled to carry out checks on sub-processors, or have them carried out by third parties, at any time within the scope specified in this order processing contract.

  8. If the sub-processor does not comply with its data protection obligations, the processor is liable to the client for this.

  9. Processing of personal data that is not directly related to the provision of the main service under the main contract, and in which the processor uses the services of third parties as a purely ancillary service in the course of its business activities (e.g. cleaning, security, maintenance, telecommunications or transport services), does not constitute sub-processing within the meaning of the above provisions of this order processing contract. Nevertheless, the processor must ensure, e.g. through contractual agreements or notices and instructions, that the security of the data is not endangered and that the stipulations of this order processing contract and the data protection regulations are observed.

  10. Subcontracting relationships that were communicated to the client upon conclusion of this order processing contract shall be deemed to have been approved to the extent communicated, subject to the provisions of this order processing contract on subcontracting relationships.

  11. The subcontracting relationships that already exist at the time of the conclusion of this order processing contract are listed by the processor in the appendix "Subcontracting relationships" and updated by the processor.

 

10. Spatial area of order processing

  1. Personal data is processed as part of order processing in a member state of the European Union (EU) or in another contracting state of the Agreement on the European Economic Area (EEA).

  2. Processing may take place in third countries if the special requirements of Art. 44 et seq. GDPR are met, i.e. in particular a) the EU Commission has determined that an adequate level of data protection exists; b) on the basis of effective standard contractual clauses (SCC); or c) on the basis of recognized binding corporate rules.

  3. The approval of subcontracting relationships by the client within the framework of this order processing contract also extends to the spatial area of order processing.

  4. Order processing in a country other than those mentioned above, also by sub-processors, requires the prior approval of the client.

 

11. Obligations of the client

  1. The client must inform the processor immediately and in full if it discovers errors or irregularities in the order results, instructions or processing operations with regard to data protection regulations.

  2. The client names the contact persons who are authorized to receive instructions and is obliged to immediately notify changes to the contact persons or their contact information as well as representatives in the event of a non-temporary absence or impediment.

  3. In the event of claims being asserted against the processor by data subjects, third-party companies, bodies or authorities in connection with the processing of personal data within the framework of this order processing contract, the client undertakes to support the processor in its defence to the extent possible and taking into account the respective degree of fault of the contracting parties.

 

12. Liability

The statutory liability rules apply, in particular Art. 82 GDPR and, in the case of the use of a sub-processor, Art. 28 (4) sentence 2 GDPR.

 

13. Duration, continued validity after the end of the contract and data deletion

  1. This order processing contract becomes effective when it is signed or concluded in an electronic format.

  2. The term and end of this order processing contract are based on the term and end of the main contract.

  3. The contracting parties reserve the right to extraordinary termination, in particular in the event of a serious violation of the obligations and requirements of this order processing contract or of the applicable data protection law. A serious violation occurs in particular if the processor has not fulfilled, or has not fulfilled to a considerable extent, the obligations specified in this order processing contract and the agreed technical and organizational measures.

  4. In the case of minor breaches of duty, extraordinary termination must be preceded by a warning of the breaches with a reasonable period of time to remedy them; the warning is not required if it is not to be expected that the breaches complained of will be remedied, or if they are so serious that adherence to the order processing contract is not reasonable for the terminating contracting party.

  5. The termination of this order processing contract, as well as the waiver of this form requirement, must be made at least in electronic format.

  6. After completion of the processing services under this order processing contract, the processor will, at the client's option, either destroy all personal data and copies thereof (as well as all documents, processing and usage results created and databases that have come into its possession in connection with the contractual relationship) or return them, unless there is a legal obligation to store the personal data; in that case, the processor shall inform the client of the obligation and its scope, unless the client can be expected to be aware of the obligation. Destruction or deletion must be carried out in accordance with data protection regulations and in such a way that restoring even residual information is no longer possible with reasonable effort and is not to be expected. The assertion of a right of retention is excluded with regard to the processed data and the associated data carriers. With regard to the deletion or return, the client's rights to information, evidence and control apply in accordance with this order processing contract.

  7. The obligations to protect confidential information arising from the order processing contract continue to apply even after the end of the order processing contract, provided that the processor continues to process the personal data covered by the order processing contract and compliance with the obligations for the processor is reasonable even after the end of the contract.

  8. Documentation that serves as evidence of proper data processing and of the maintenance of the TOMs is to be retained by the processor for at least three years, including after the end of the contract, in accordance with the client's retention and deletion periods known to the processor (or which it ought to know). At the end of the contract the processor may hand the documentation over to the client and is thereby released from this retention obligation.

 

14. Final Provisions

  1. The applicable law is determined by the main contract.

  2. The place of jurisdiction is determined by the main contract.

  3. The present order processing contract represents the complete agreement made between the contracting parties. There are no side agreements.

  4. With the conclusion of this order processing contract, any previous contracts that have been concluded between the contracting parties to this contract and which regulate the processing of personal data on behalf of the client are annulled if and to the extent that they relate to the same object of the order processing, unless the contracting parties have expressly agreed otherwise in writing.

  5. Changes and additions to this order processing contract, as well as the waiver of this formal requirement, must be made at least in electronic form.

  6. In the event of any contradictions, the provisions of this order processing contract on data protection take precedence over the provisions of the main contract.

  7. Should one or more provisions of this order processing contract be ineffective or unenforceable, this shall not affect the validity of the remaining provisions. Rather, the ineffective provisions shall be replaced by way of supplementary interpretation by a provision that comes as close as possible to the economic purpose clearly pursued by the contracting parties with the ineffective provision(s). If the aforementioned supplementary interpretation is not possible due to mandatory statutory provisions, the contracting parties will agree on a corresponding regulation.

  8. This order processing contract is part of the main contract and becomes effective upon its conclusion.

15. Annex: Object of the order processing

 

Purposes of order processing

Personal data of the client are processed on the basis of this order processing contract for the following purposes:

  • Collection of feedback from job applicants, their storage and forwarding to the client.

Note: kroot GmbH does not process the client's personal data communicated in the context of the placement of job advertisements (e.g. the name of the company owner or the contact person and their contact information) as a processor, but as the controller (person responsible) within the meaning of Art. 4 No. 7 DSGVO.

 

Types and categories of data

The types and categories of personal data processed on the basis of this order processing contract include:

  • First and last names of job applicants

  • E-mail addresses of job applicants

  • Telephone numbers of job applicants

  • Other information entered or voluntarily provided by job applicants (e.g. accompanying notes).

  • Assignment to the corresponding job advertisements.

  • Timestamps of the data records.

 

Categories of data subjects

The groups of people affected by the processing of personal data on the basis of this order processing contract include:

  • Prospective job applicants

 

Sources of processed data

The data processed on the basis of this order processing contract is collected or otherwise received from the sources mentioned below or as part of the procedures mentioned:

  1. Collection from the data subjects themselves.

  2. Collection as part of advertising and marketing campaigns.

 

Appendix: Technical-Organizational Measures (TOMs)

A level of protection appropriate to the risk for the rights and freedoms of the natural persons affected by the processing is guaranteed for the specific order processing and the personal data processed within the scope of this. For this purpose, the protection goals of confidentiality, integrity and availability of the systems and services as well as their resilience in relation to the type, scope, circumstances and purpose of the processing are taken into account in such a way that the risk is contained in the long term through suitable technical and organizational remedial measures.

 

Organizational measures

Organizational measures have been taken to ensure an appropriate level of data protection and its maintenance.

  1. The processor has implemented an appropriate data protection management system or a data protection concept and ensures its implementation.

  2. A suitable organizational structure for data security and data protection is in place, and information security is integrated into company-wide processes and procedures.

  3. Internal safety guidelines are defined, which are communicated to employees as binding rules within the company.

  4. If necessary, but at least annually, the processor carries out a review, assessment and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the processing. The procedure follows the PDCA cycle: continuous observation of the technical and organizational measures, determination of the current status and of the target status to be achieved, followed by an implementation phase and a subsequent review phase, and finally evaluation of the implementation and derivation of lessons learned for future optimizations and procedures with regard to security standards.

  5. The technical and organizational measures are checked and adjusted regularly, at least annually, according to the PDCA cycle (Plan-Do-Check-Act). 

  6. The development of the state of the art, as well as new developments, threats and security measures, is continuously observed, and the resulting conclusions are incorporated into the processor's own security concept in a suitable manner.

  7. There is a concept that ensures that the client can protect the rights of data subjects (in particular with regard to information, correction, deletion or restriction of processing, data transfer, revocation and objections). The concept includes informing the employees about the information obligations towards the client, setting up implementation procedures, naming responsible persons, and regular control and evaluation of the measures taken.

  8. There is a concept that ensures an immediate response to threats and violations of the protection of personal data in accordance with legal requirements. The concept includes informing the employees about the information obligations towards the client, setting up implementation procedures and naming responsible persons as well as regular control and evaluation of the measures taken.

  9. Consultation and involvement of the data protection officer on security issues and in security procedures that affect the protection of personal data.

  10. Sufficient professional qualifications of the data protection officer for security-related issues and opportunities for further training in this specialist area.

  11. Sufficient technical qualification of the IT security officer for security-related issues and opportunities for further training in this specialist area.

  12. Service providers who are used to fulfill ancillary tasks (maintenance, security, transport and cleaning services, freelancers, etc.) are carefully selected and it is ensured that they observe the protection of personal data. If the service providers receive access to the customer's personal data as part of their work or there is otherwise a risk of access to the personal data, they are specifically obliged to maintain secrecy and confidentiality.

  13. The protection of personal data is already taken into account during the development or selection of hardware, software and processes, in accordance with the principles of data protection by design and data protection by default.

  14. The software and hardware used is always kept up to date and software updates are carried out without delay within a period that is reasonable in view of the level of risk and any need for testing. No software or hardware is used that is no longer updated by the providers in terms of data protection and data security (e.g. outdated operating systems).

  15. Standard software and corresponding updates are only obtained from trustworthy sources.

  16. A "paperless office" is maintained, i.e. documents are stored digitally and only in exceptional cases in paper form.

  17. Documents in paper format are only kept if there is no adequate digital copy with regard to the order processing, its purpose and the interests of the persons affected by the contents of the documents or if storage has been agreed with the client or is required by law.

  18. There is a deletion and disposal concept that corresponds to the data protection requirements of the order processing and the state of the art. The physical destruction of documents and data carriers is carried out in accordance with data protection regulations and in accordance with legal requirements, industry standards and state-of-the-art industrial standards (e.g. DIN 66399). Employees have been informed about legal requirements, deletion deadlines and, where relevant, about specifications for the destruction of data or devices by service providers.


Employee-level data protection

Measures have been taken to ensure that the employees who process personal data have the necessary expertise and reliability under data protection law.

  1. Employees are committed to confidentiality and secrecy (data protection secrecy).

  2. Employees are sensitized and instructed with regard to data protection according to the requirements of their function. The training and awareness-raising will be repeated at appropriate intervals or as circumstances require.

  3. Relevant guidelines, e.g. on e-mail/Internet use, dealing with malicious code reports and the use of encryption techniques, are kept up to date and are easy to find (e.g. on the intranet).

  4. If employees work outside of the company's internal premises (home and mobile office), employees are informed about the special security requirements and protective obligations in these constellations, and are obliged to comply with them, subject to control and access rights.

  5. If employees use private devices for operational activities, employees are informed about the special security requirements and protection obligations in these constellations and are obliged to comply with them, subject to control and access rights.

  6. The keys, access cards or codes issued to employees, as well as authorizations granted with regard to the processing of personal data, will be confiscated or revoked after they leave the services of the processor or change responsibilities.

  7. Employees are obliged to leave their working environment tidy and in particular to prevent access to documents or data carriers with personal data (Clean Desk Policy).

 

Physical access control

Physical access control measures have been taken to prevent unauthorized persons from physically approaching the systems, data processing equipment or procedures with which personal data are processed.

  1. Except for the workstation computers and mobile devices, no data processing systems are maintained on the company's own business premises. The customer's data is stored with external server providers in compliance with the specifications for order processing.

  2. Visitors are not allowed to move freely, but only when accompanied by employees.

  3. Access is secured by a manual locking system.

  4. Employees are required to lock or specially secure devices when they leave their work environment or the devices.

  5. Documents (files, records, etc.) are secured, e.g. in filing cabinets or other appropriately secured containers, and appropriately protected against access by unauthorized persons.

  6. Data carriers are stored securely and adequately secured against access by unauthorized persons.

 

System access control

Electronic access control measures have been taken to ensure that unauthorized persons are prevented from accessing systems, data processing equipment or processes (i.e. even the possibility of using or monitoring them).

  1. A password concept stipulates that passwords must have a minimum length and complexity corresponding to the state of the art and the security requirements.

  2. All data processing systems are password-protected.

  3. Passwords are generally not stored in plain text and are only transmitted hashed or encrypted.

  4. Password management software is used.

  5. Access data will be deleted or deactivated if their users have left the processor's company or organization.

  6. Up-to-date anti-virus software is used.

  7. Use of software firewall(s).

  8. Backups are stored encrypted.

 

Internal access control and input control (authorizations for user rights to access and change data)

Access control measures have been taken to ensure that those authorized to use a data processing system can only access the data subject to their access authorization and that personal data cannot be read, copied, changed or removed without authorization during processing. Furthermore, input control measures have been taken to ensure that it can be subsequently checked and determined whether and by whom personal data has been entered, changed, removed or otherwise processed in data processing systems.

  1. A rights and role concept (authorization concept) ensures that access to personal data is only possible for a group of people selected according to the standards of necessity and only to the required extent.

  2. The rights and roles concept (authorization concept) is evaluated regularly, within a reasonable time interval and when required (e.g. violations of access restrictions), and updated if necessary.

  3. Registrations in the data processing systems or processing systems are logged.

  4. The activities of the administrators are appropriately monitored and logged within the scope of legally permissible possibilities and within the scope of technically justifiable effort.

 

Disclosure (transfer) control

Measures have been taken to control transfers to ensure that personal data cannot be read, copied, altered or removed without authorization during electronic transmission or during transport or storage on data carriers, and that it can be checked and determined to which bodies a transmission of personal data by means of data transmission facilities is provided.

  1. Encrypted transmission technologies (e.g. VPN) are used when accessing in-house systems from outside (e.g. for remote maintenance).

  2. Mobile data carriers are encrypted.

  3. The transmission and processing of the customer's personal data via online offers (websites, apps, etc.) is protected by means of TLS/SSL or an equally secure encryption.

Order control, purpose limitation and separation control

Order control measures have been taken to ensure that personal data processed on behalf of the client is only processed in accordance with the client's instructions. The measures ensure that the client's personal data collected for different purposes is processed separately and that there is no mixing, merging or other joint processing of this data that contradicts the order.

  1. The processing operations carried out for the client are documented separately to an appropriate extent in a list of processing activities.

  2. Careful selection of sub-processors and other service providers.

  3. Employees and agents are informed clearly and understandably about the client's instructions and the permissible processing framework and instructed accordingly. Separate information and instructions are not required if compliance with the permissible framework can reliably be expected anyway, e.g. due to other agreements or operational practice.

  4. Compliance with the client's instructions and the permissible framework for the processing of personal data by employees and agents is checked at appropriate intervals.

  5. The deletion periods applicable to the processing of the client's personal data are documented separately within the processor's deletion concept, if necessary.

  6. Necessary evaluations and analyses of the processing of the client's personal data are, as far as possible and reasonable, carried out anonymously (i.e. without any personal reference) or at least pseudonymously in accordance with Art. 4 No. 5 DSGVO (i.e. in such a way that the personal data can no longer be attributed to a specific data subject without the use of additional information, whereby this additional information is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person).

  7. The personal data of the client are processed logically separately from data from other processing methods of the processor and protected against unauthorized access or connection or overlapping with other data (e.g. in different databases or by appropriate attributes).

 

Ensuring the integrity and availability of data and the resilience of processing systems

Measures have been taken to ensure that personal data is protected against accidental destruction or loss and can be quickly restored in the event of an emergency.

  1. The availability of the data processing systems is permanently monitored and controlled, in particular for availability, errors and security incidents.

  2. The personal data is stored with external hosting providers. The hosting providers are carefully selected and meet the state-of-the-art requirements with regard to protection against damage caused by fire, moisture, power failures, catastrophes, unauthorized access, data backup and patch management, as well as building security.

  3. The processing of personal data takes place on data processing systems that are subject to regular and documented patch management, i.e. in particular are regularly updated.

  4. The server systems used for processing have protection against Denial of Service (DoS) attacks.

  5. Server systems and services are used that provide a backup system at other locations on which the current data is stored and thus provide an operable system even in the event of a disaster.

  6. The client's data records are protected by the system against accidental changes or deletion (e.g. through access restrictions, security queries and backups).

  7. Server systems and services are used that have an appropriate, reliable and controlled backup and recovery concept. 

  8. Restoration tests are carried out regularly at appropriate intervals to check that the data backups can actually be restored (data integrity of the backups).

Appendix: Sub-processors

The processor uses the following sub-processors to process data for the client:

  • STRATO: Services in the field of providing information technology infrastructure and related services (e.g. storage space and/or computing capacity); Service provider: STRATO AG, Pascalstraße 10, 10587 Berlin, Germany; Website: https://www.strato.de; Data protection declaration: https://www.strato.de/datenschutz; Order processing contract: concluded with the provider.
