

Addendum to the GDPR

Supplementary agreement for commissioned processing in accordance with the GDPR

This supplementary agreement specifies the data protection obligations of the contracting parties resulting from the conclusion of the contract for commissioned processing pursuant to Art. 28 GDPR.


§ 1 Subject matter of the contract

(1) Within the scope of the contract concluded with the Customer on the processing of ERP, machine control and other data relevant to business processes (hereinafter referred to as the "Main Contract"), the Contractor shall store and process the operational data collected from the Customer and fed into the software exclusively on behalf of and in accordance with the instructions of the Customer.

(2) In doing so, the Contractor shall also process personal data for the Client within the meaning of Art. 4 No. 2 and Art. 28 GDPR on the basis of this contract.

§ 2 Nature and purpose of the processing, type of data, data subjects

(1) The type of data processing carried out by the contractor and its subcontractors is limited to the organization, arrangement, storage, adaptation or modification, reading, querying, use, disclosure by transmission, comparison, restriction and deletion. The collection and initial recording of the data is carried out by the client.

(2) The Contractor shall have access to the data collected by the Client via the Software. This may be personal data as usually collected in the field of manufacturing or automation, such as names and times when booking orders, user IDs or other identifying characteristics.

(3) The group of data subjects includes those persons whose personal data are usually collected in the context of order data collection, production data collection or similar measures. The scope and purpose of the data processing are set out in the main contract.

§ 3 Client's right to issue instructions

(1) The Contractor shall store, process and use the data exclusively in accordance with the Client's instructions, unless an exception within the meaning of paragraph 3 or 4 applies. The instructions shall be given by entering them in the software or by configuring it; they shall be electronically documented by the Contractor in the form of database entries.

(2) The assessment of the permissibility of the data processing in accordance with Art. 6 (1) GDPR and the protection of the rights of the data subjects in accordance with Art. 12 to 22 GDPR shall be the sole responsibility of the Client.

(3) If the Contractor is obliged on the basis of German or European law to carry out processing that deviates from the instructions (e.g. on the basis of a court order), it shall notify the Client of this prior to the processing, unless it is prohibited from notification by the law in question.

(4) If the Contractor is of the opinion that an instruction of the Client violates data protection provisions, it shall notify the Client thereof without undue delay. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client. The Contractor may refuse to carry out an unlawful instruction.

§ 4 Technical and organisational measures

(1) The technical and organisational measures for data protection are described in Annex 1 to the main contract.

(2) The contractor reserves the right to change the security measures taken, while ensuring that the contractually agreed level of protection is not undercut.

(3) The Contractor shall support the Client as far as possible with suitable technical and organisational measures, in particular with information on the homepage, as well as with information in the fulfilment of the Client's obligations in accordance with Art. 12 to 22 and 32 to 36 GDPR.

§ 5 Further protective measures and obligations of the contractor

(1) The Contractor undertakes to appoint a data protection officer. The contact details of the data protection officer are published on the website.

(2) The persons employed in data processing by the contractor are prohibited from collecting, processing or using personal data without authorization. The Contractor shall oblige all persons entrusted by it with the processing and performance of this contract (hereinafter referred to as employees) accordingly (obligation of confidentiality, Art. 28 (3) b) GDPR) and ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force even after the termination of this contract or the employment relationship between the employee and the contractor.

(3) The contractor undertakes to store and process data exclusively on servers within the European Union. If the processing includes the integration or case-related queries of data which originate from servers outside the European Union and if this is done on behalf of the Client, the Contractor shall be released from the provisions of § 5, Paragraph 3 for this processing step. This also applies to the delivery of data, if this is defined as a processing step and is to be carried out on behalf of the Client on servers outside the European Union. For these aforementioned cases, the client is responsible for compliance with all legal provisions.

(4) The Contractor shall notify the Client without undue delay of any disruptions, infringements by the Contractor or the persons employed by the Contractor against provisions under data protection law or the stipulations made in the order as well as of any suspected data protection infringements or irregularities in the processing of personal data. This shall also apply in particular with regard to any reporting and notification obligations of the Client pursuant to Art. 33 and Art. 34 GDPR. The Contractor assures that it will adequately support the Client, if necessary, in its obligations pursuant to Art. 33 and 34 GDPR (Art. 28 (3) sentence 2 f) GDPR). The Contractor may only carry out notifications pursuant to Art. 33 or 34 GDPR for the Client after prior instruction.

§ 6 Subcontractors

(1) The contractual services of the Contractor or parts thereof may be performed with the involvement of subcontractors.

(2) The contractor is obliged to carefully select subcontractors according to their suitability and reliability.

(3) When engaging subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement and in doing so shall ensure that the Client can also exercise its rights under this Agreement (in particular its inspection and monitoring rights) directly against the subcontractors.

(4) The involvement of subcontractors outside the European Union is excluded.

§ 7 Control rights of the client

(1) The Client shall have the right to satisfy itself of the technical and organisational measures taken by the Contractor prior to the commencement of data processing and thereafter on a regular basis.

(2) The documentation of the Technical and Organisational Measures, Annex 1 to the Main Contract, is available to the Client for this purpose.

(3) The Customer shall also have the right to have any existing certifications and documentation of the organisational measures of the Contractor's subcontractors presented to it or to inspect the Contractor's technical and organisational measures itself personally or have them inspected by a competent third party after timely coordination during normal business hours, provided that the third party is not in a competitive relationship with the Contractor. The Client shall only carry out inspections to the extent necessary and shall not disproportionately disrupt the Contractor's operating processes in the process.

(4) The Contractor undertakes to provide the Client, at the latter's written request and within a reasonable period of time, with all information and evidence required to carry out a check of the Contractor's technical and organisational measures.

(5) The Client shall document the inspection results and notify the Contractor thereof. In the event of errors or irregularities discovered by the Client, in particular during the inspection of order results, the Client shall inform the Contractor without delay. If facts are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Client shall inform the Contractor of the necessary procedural changes without delay.

§ 8 Termination, duration of the agreement

(1) The duration of this agreement is dependent on the duration of the main contract, insofar as no further obligations or rights of termination arise from the following provisions.

(2) The Customer may terminate the main contract in whole or in part without notice if the Contractor fails to comply with its obligations under this contract, violates provisions of the GDPR with intent or gross negligence, or is unable or unwilling to carry out an instruction of the Customer. In the case of simple - i.e. neither intentional nor grossly negligent - violations, the Client shall set the Contractor a reasonable deadline within which the Contractor can remedy the violation.

(3) After termination of the main contract or at any time upon request of the Principal, the Contractor shall reach an agreement with the Principal as to whether the data are to be surrendered to him or a third party upon termination of the main contract or whether surrender of the data is waived. After termination of the main contract or at any time upon request of the Customer, the Contractor shall delete all data provided to it - unless there is a legal obligation to store the personal data - after the data has been surrendered in accordance with sentence 1 or the Customer has waived surrender of the data. This shall also apply to any data backups at the Contractor. The Contractor shall provide documented proof of the proper deletion of any data still in existence. The Client has the right to control the complete and contractual deletion of the data at the Contractor in an appropriate manner.

§ 9 Final provisions

(1) German law shall apply to this contract.

(2) Place of jurisdiction is Bruchsal.

(3) Should individual provisions of this contract be or become invalid in whole or in part, or should there be a loophole in the contract, this shall not affect the validity of the remaining provisions. In place of the invalid provision or to fill the gap, an appropriate provision shall be made which, as far as legally possible, comes as close as possible to what the contracting parties intended or would have intended according to the meaning and purpose of this contract if they had considered the point.


Appendix 1: Technical and organisational measures


According to Art. 28 of the GDPR, commissioned processing must be based on a contract or another legal instrument. If you would prefer to regulate the commissioned processing in a written contract instead of via this supplementary agreement to our GTC, then print out the contract twice and send us both copies signed. We will then send you back one copy signed by us.


inSky GmbH
