Data Processing Addendum (DPA)
This Data Processing Addendum ("DPA") is an addendum to the Subscriber Agreement between controlex GmbH as the brand owner of GroupLotse (hereinafter "GroupLotse") and the Customer and is subject to its terms, except as otherwise agreed herein. It is only valid in connection with the subscription contract between GroupLotse and the customer. The Subscriber Agreement and all of its Schedules (including this DPA) are collectively referred to as the "Agreement."
I. DPA Definitions
The definitions in the Services Agreement apply to this DPA. In addition, for purposes of this DPA, the following definitions apply:
- Personal data is any information relating to an identified or identifiable natural person (the data subject), whether such identification is, or can be, direct or indirect.
- Customer Personal Data is personal data of the Customer, or personal data otherwise related to the Customer's business, that GroupLotse processes on behalf of the Customer under the Agreement.
- Processing means any operation or set of operations performed on personal data, such as collection, recording, organisation, storage, adaptation or alteration, retrieval or use.
- The data controller is the entity that alone or jointly with others determines the purposes and means of the processing of personal data.
- The data subject is the natural person whose personal data is being processed.
- The data processor is the entity that processes personal data on behalf of and under the instructions of the controller.
- Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed.
- Applicable law is the law and practice resulting from the General Data Protection Regulation (GDPR), national legislation implementing or supplementing the GDPR, the regulations and statements of the supervisory authorities (including the European Data Protection Board), and the relevant decisions of the European Commission.
- Subcontractor is a company that processes personal data on behalf of and under the instructions of the processor, i.e. a sub-processor of the processor.
GroupLotse provides the Customer with the services specified in the Subscriber Agreement. As part of the provision of services to the Customer under the Service Agreement, GroupLotse may process Personal Data on behalf of the Customer. The purpose of this DPA is to set out the terms of the processing of Customer Personal Data in connection with the Services.
III. Customer Obligations
A. Data Controller
Customer is the data controller with respect to Customer Personal Data processed under this DPA and the Services Agreement and is responsible for the lawful collection, processing, use and accuracy of Customer Personal Data and for compliance with all other legal obligations of a data controller. Customer is responsible for notifying Data Subjects of any disclosure of their Personal Data and, where required, for obtaining their consent to such disclosure.
Customer acknowledges that Processor cannot control, and has no obligation to verify, Customer Personal Data disclosed or transferred to it for processing on Customer's behalf when Customer uses the Services. Customer warrants and represents that it has the appropriate legal basis to transmit and disclose the Customer Personal Data to the Processor in order for the Processor to lawfully process the Customer Personal Data as agreed between the parties.
Customer acknowledges that Customer's instructions for the processing of Customer Personal Data ("Instructions") are fully contained in the Agreement. If the Customer subsequently wishes to change its Instructions, it will primarily use the functions offered by the Services. If these functions are not sufficient to implement the new Instructions, the Customer must contact the Processor in writing. If the scope of the new Instructions goes beyond the Services, the Processor is entitled to charge the Customer for any additional costs incurred in executing them. Instructions must be commercially reasonable, comply with applicable laws and be consistent with the Agreement.
IV. Obligations of GroupLotse
A. Data Processor
GroupLotse is the processor of the Customer Personal Data processed under the Agreement. GroupLotse is committed to complying with applicable laws and Customer instructions for all processing of Customer Personal Data. The Processor shall not copy or reproduce the Customer Personal Data or otherwise process it for purposes other than those agreed in the Agreement.
Processor shall notify Customer if it reasonably believes that new Instructions from Customer violate applicable laws. Processor may suspend implementation of such an Instruction until it is modified or confirmed by Customer. The Customer remains responsible at all times for ensuring that its Instructions comply with applicable laws. The Processor is obliged to notify the Customer only where it detects that an Instruction would violate applicable laws; it is otherwise not obliged to check or verify that the Instructions comply with applicable laws.
GroupLotse undertakes to adequately assist Customer in fulfilling its obligations as data controller of the Customer Personal Data processed by GroupLotse. These obligations may include assisting the Customer in responding to requests or inquiries from the relevant supervisory authorities, in conducting data protection impact assessments and requesting prior consultation with the supervisory authorities, and in complying with requests from data subjects exercising their rights under applicable laws.
In terms of assisting in responding to requests from a Data Subject exercising their rights under Applicable Laws (such as the right of access and the right to rectification or erasure), Customer must first use the relevant features of the Service. If and to the extent that the customer is unable to respond to such a request using the functions of the service, GroupLotse will provide the customer with other commercially reasonable support. GroupLotse is entitled to charge the reasonable additional costs arising from this support and the customer is obliged to pay the additional costs charged by GroupLotse.
If a data subject, another person or a supervisory authority contacts GroupLotse directly with a request concerning Customer Personal Data (e.g. a request for access, rectification or erasure, for the provision of information or for other measures), GroupLotse will inform the Customer as soon as possible, within the limits of applicable law.
C. Disclosure of Personal Information
GroupLotse mainly processes Customer Personal Data within the European Economic Area ("EEA"). However, in order to provide the Services, GroupLotse may from time to time need to disclose or transfer Customer Personal Data outside the EEA, for example where GroupLotse's subcontractors or their systems are located outside the EEA. In such cases, GroupLotse will put in place the legal safeguards required by applicable laws to ensure the security and confidentiality of Customer Personal Data. Customer acknowledges and accepts such disclosures and transfers in connection with the Services. At the Customer's request, GroupLotse will provide further information about such transfers and the legal safeguards applied.
GroupLotse's right to use subcontractors is described below in Section VI.
D. Data Protection Officer
GroupLotse has appointed a data protection officer to take care of data protection. If required by applicable law, GroupLotse will provide the relevant contact details to the customer upon request.
GroupLotse familiarises its employees involved in the processing of personal data (including Customer Personal Data) with the data protection provisions of applicable laws, provides them with instructions and training, and ensures that such employees have committed themselves to an appropriate level of confidentiality or are subject to an appropriate statutory obligation of confidentiality. If the Customer has given specific Instructions on the processing of Customer Personal Data, GroupLotse will also inform the employees involved in that processing of the content of those Instructions.
GroupLotse implements and maintains appropriate technical and organisational security measures to protect all personal data (including Customer Personal Data) it processes. GroupLotse chooses such security measures at its own discretion, e.g. based on industry standards, market practice and the specific requirements of applicable laws. GroupLotse may change its security measures from time to time, but will not reduce the overall level of security during the term of this DPA.
GroupLotse ensures at all times the confidentiality, integrity, availability and resilience of the systems it uses to process personal data. GroupLotse regularly checks, examines and evaluates the effectiveness of the technical and organizational security measures implemented by GroupLotse. GroupLotse undertakes to comply with regulatory decisions on appropriate security measures for the processing of personal data.
In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or unauthorised access to, Customer Personal Data processed by GroupLotse ("Security Incident"), GroupLotse shall promptly notify the Customer of such Security Incident.
Such Security Incident notification shall include at least the information required by applicable law:
- a description of the nature and scope of the Security Incident, including, to the extent possible, the categories and approximate number of data subjects affected and the categories and approximate number of Customer Personal Data records affected;
- Name and contact details of GroupLotse's Data Protection Officer (if appointed) or other contact points from which further information may be obtained;
- a description of the likely consequences of the Security Incident; and
- a description of the measures GroupLotse has taken or proposes to take to address the Security Incident, including measures to mitigate its possible adverse effects.
The above information may be provided in phases if it is not all available at the time the Customer is first notified of the Security Incident. GroupLotse documents all Security Incidents that have occurred in accordance with applicable laws.
GroupLotse shall keep appropriate records or otherwise document the processing of Customer Personal Data to the extent required by applicable law. Upon request, GroupLotse shall provide the Customer with a copy of the relevant portions of these records or documents relating to GroupLotse's processing of Customer Personal Data.
Customer, or a third-party auditor appointed by Customer, may verify GroupLotse's compliance with this DPA and applicable laws governing the processing of Customer Personal Data in accordance with the terms of this DPA. Customer must notify GroupLotse of any intended audit at GroupLotse's premises in writing and always at least twenty-one (21) days in advance. GroupLotse sets up a test platform on which the customer can test the services of GroupLotse. Such audits shall be conducted primarily by an independent third party and always during GroupLotse's normal business hours without significantly disrupting GroupLotse's business operations.
GroupLotse will provide a copy of its records of the processing of Customer Personal Data and any other documentation relevant to the audit and, if requested by the Customer, will provide reasonable assistance with the audit. For any additional documentation, support or service requested by the Customer, GroupLotse reserves the right to charge the Customer for the effort and the reasonable costs incurred, including reasonable remuneration for the working hours of GroupLotse employees who support the Customer in its audit. Customer shall bear its own costs (including the costs of any external auditor) in connection with such audits.
GroupLotse also agrees to permit inspections of its processing of Customer Personal Data initiated and carried out by the competent supervisory authorities and undertakes to provide those authorities with the necessary information about its processing activities. If GroupLotse receives notice from a competent supervisory authority of an intended inspection of its processing of Customer Personal Data, GroupLotse will inform the Customer of the intended inspection without delay.
GroupLotse uses subcontractors in connection with its services, some of which are also involved in the processing of customer personal data. Customer provides its general authorization and consent that GroupLotse may engage and use its affiliated companies and other subcontractors for the processing of Customer Personal Data in connection with the provision of the Services, provided that such appointment does not result in non-compliance with applicable laws or GroupLotse's obligations under this DPA.
GroupLotse ensures that the subcontractors involved are suitably qualified, enter into a data processing agreement with GroupLotse and comply with data processing and confidentiality obligations at least as stringent as those agreed in this DPA. GroupLotse regularly monitors the performance of its subcontractors and is liable to the Customer for their work as it is for its own. GroupLotse undertakes to provide the Customer, upon request, with a list of the subcontractors used in connection with the Services.
GroupLotse is free to choose and change its subcontractors in accordance with the terms of this DPA and applicable laws. GroupLotse will nevertheless inform the Customer of any significant changes to its subcontractors. If the Customer reasonably believes that such a change would pose a risk to Customer Personal Data, the Customer has the right to object to the change.
In processing Customer Personal Data in connection with the Agreement, each party shall be liable to the other for any direct loss or damage caused to the non-breaching party by its breach of this DPA or applicable laws (including, but not limited to, administrative fines imposed by the competent supervisory authorities). Neither party shall be liable for any indirect, incidental or consequential damages, including but not limited to lost profits, revenue, reputation or goodwill.
The liability of the parties is based on the maximum liability limit agreed in the contract.
This DPA is effective on the same date as the General Data Protection Regulation and will remain in effect until the termination of the Agreement.
During the thirty (30) day period following termination of the Agreement, GroupLotse will promptly make the Customer Data available to the Customer upon request. Upon termination of the Agreement, GroupLotse shall promptly return to the Customer or destroy all Customer Personal Data (and any copies thereof), unless GroupLotse is required to retain Customer Personal Data under the laws applicable to GroupLotse.