General Terms and Conditions for Subscription Billing from

Agreement on the processing of data on be-half of a Controller


nexnet GmbH
Schöneberger Str. 21 A
10963 Berlin


Savska cesta 129
Zagreb, 10000-HR

1. General remarks

(1) The Processor will process personal data on behalf of the Controller in the meaning of Article 4 (8) and Article 28 of Regulation (EU) 2016/679. This Agreement governs the rights and obligations of the parties in connection with the processing of personal data.
(2) Insofar as the term “data processing” or “processing” (of data) is used in this Agreement, it is taken as that defined in Article 4 (2) GDPR.

2. Subject matter of the Agreement

The subject matter, nature and purpose of the processing, the nature of personal data and the categories of data subjects are set out in Annex 1 to this Agreement.

3. Rights and duties of the Controller

(1) The Controller is the responsible body within the meaning of Article 4 (7) GDPR for the processing of data on behalf of the Controller. Pursuant to section 4 (5) of this Agreement, the Processor has the right to inform the Controller if the Processor is of the opinion that the data processing is in breach of applicable statutory data protection law in this Agreement and/or an instruction.
(2) The Controller shall be the person responsible for safeguarding the data subject’s rights. The Processor shall promptly inform the Controller if data subjects claim their data subject’s rights against the Processor.
(3) The Controller shall be entitled to issue supplementary instructions concerning the nature, scope and procedure of data processing to the Processor at any time. Instructions must be given in text form (e.g. email).
(4) Regulations concerning a possible remuneration of additional expenses incurred through supplementary instructions by the Controller for the Processor remain unaffected.
(5) The Controller may designate authorized persons. Insofar that persons entitled to issue instructions are to be named, they are named in Annex 1. In the event that there is a change of persons authorized by the Controller, the Controller will notify the Processor thereof in text form.
(6) The Controller shall promptly inform the Processor if he finds errors or irregularities in connection with the processing of personal data by the Processor.
(7) In the event of the obligation to provide information to Third Parties pursuant to Articles 33, 34 GDPR or any other statutory reporting obligation applicable to the Controller, the Controller shall be responsible for the fulfillment of those obligations.

4. General obligations of the Processor

(1) The Processor shall process personal data only within the framework of this Agreement and/or in compliance with possible additional instructions given by the Controller. Excluded from this are legal provisions, which potentially oblige the Processor to a different processing of data. In such a case, the Processor shall inform the Controller of these legal requirements before the processing, unless the law in question prohibits such notification on account of an important public interest. Purpose, nature and scope of data processing shall be governed exclusively by this Agreement and/or the instructions of the Controller. Data processing deviating from this Agreement shall be forbidden, unless the Controller has given its written consent.
(2) The Processor shall undertake to perform the data processing on behalf of a Controller only within the Member States of the European Union (EU) or the European Economic Area (EEA). Processing of personal data in a third country requires the prior consent of the client, which must be given at least in text form (e.g. e-mail). The consent of the client can only be considered if it is ensured that the legal provisions to be complied with in accordance with Art. 44 – 49 of the GDPR are observed in order to guarantee an adequate level of protection for the personal data.
(3) The Processor assures in regard with the commissioned data processing of personal data the contractual execution of all agreed measures of this agreement.
(4) The Processor shall be responsible to structure the Processor’s internal organization in a manner that the data processed on behalf of the Controller is adequately protected against unauthorized or unlawful processing. Changes in how the commissioned data processing is organized that are relevant to the security of the data will be discussed and agreed on between the Controller and the Processor in advance.
(5) The Processor shall inform the Controller if the Processor is of the opinion that a Controller’s instruction is in breach of statutory data protection laws. The Processor shall be entitled to suspend the implementation of the relevant instruction until it has been confirmed or amended by the Controller. Insofar as the Processor can demonstrate that processing according to the instructions of the Controller can lead to liability of the Processor according to Article 82 GDPR, the Processor is free to suspend further processing in this respect until the liability between the parties has been clarified.
(6) The Processor shall process the data which he processes on behalf of the Controller separately from other data. A physical separation is not mandatory.
(7) The Processor can designate the person(s) authorized to receiving instructions by the Controller. If persons entitled to receive instructions are to be named, they shall be named in Annex 1. In the event that there is a change of persons authorized to receive instructions for, the Professor will notify the Controller thereof in text form.

5. Data protection officer of the Processor

(1) The Processor confirms that he has designated a data protection officer pursuant to Article 37 GDPR. The Processor shall ensure that the data protection officer has the necessary qualifications and expertise. The Processor shall communicate the name and contact details of his data protection officer to the Controller separately in text form.
(2) The duty of naming a data protection officer pursuant to section 1, may, at the Controller’s discretion, cease to apply if the Processor can account for that he is not obliged by law to appoint a data protection officer and that company provisions exist which ensure that personal data are processed in compliance with the provisions of law, the provisions of this Agreement, and any such further instructions as the Client may give.

6. Notification obligations of the Processor

(1) The Processor shall inform the Controller immediately of each breach of statutory data protection laws or contractual agreements and/or the Controller’s instructions which has occurred during the processing of the data by him or other persons involved in processing the data. The same shall apply to any violation of the protection of personal data which the Processor processes on behalf of the Controller.
(2) Furthermore, the Processor shall inform the Controller immediately if a regulatory authority pursuant to Art. 58 GDPR is operating against the Processor and this operation may also affect controlling of the processing which the Processor makes on behalf of the Controller.
(3) The Processor is aware that the Controller may be subject to a notification obligation pursuant to Articles 33 – 34 GDPR and _/ or § 169 Telecommunication Code, which provides that notification must be made to the supervisory authority within 72 hours or 24 hours after detection. The Processor shall assist the Controller in implementing the notification obligations. The Processor shall notify the Controller, in particular, of any unauthorized access to personal data processed on behalf of the Controller, without delay, but at the latest within 48 hours of knowledge of such access. In particular, the notification of the Processor to the Controller shall include the following information:
  • a description of the nature of the breach of the protection of personal data, indicating, as far as possible, the categories and approximate number of data subjects concerned, the categories concerned and the approximate number of personal data sets concerned;
  • a description of the measures taken or proposed by the Processor to remedy the breach of the protection of personal data and, where appropriate, to mitigate its potential adverse effects.

7. Processor’s obligation of cooperation

(1) The Processor shall assist the Controller in fulfilling his duty to respond to requests for the exercise of rights of the data subjects in accordance with Art. 12-23 GDPR. The provisions of section 12 of this Agreement shall apply.
(2) The Processor assists the Controller in compiling the lists of processing activities. The Processor must provide the Controller with the required particulars by suitable means.
(3) Taking into account the type of processing and the information available to him, the Processor shall assist the Controller in complying with the obligations set out in Articles 32-36 GDPR.

8. Home Office

(1) The Contractor may allow its employees who are commissioned to process personal data for the Customer to process personal data in private residences (“home office”).
(2) The Contractor shall ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed in the “home office” of the Contractor’s employees. Deviations from individual contractually agreed technical and organizational measures shall be agreed in advance with the Customer and approved by the latter in text form.
(3) The Contractor shall in particular ensure that, in the event of processing of personal data in the “home office”, the storage locations are configured in such a way that local storage of data on IT systems / mobile devices used in the “home office” is excluded. If this is not possible, the Contractor shall ensure that local storage is exclusively encrypted and that other persons in the household do not have access to this data.
(4) The Contractor shall be obliged to ensure that effective control of the processing of personal data on behalf of the Customer in the “home office” is possible. In this context, the personal rights of the employees as well as of the other persons living in the respective household shall be adequately taken into account.
(5) If employees are also to be deployed in the “home office” at subcontractors, the provisions of Paragraphs 1 to 4 shall apply accordingly.

9. Supervisory powers

(1) The Controller has the right to monitor compliance with statutory laws regarding data protection and/or compliance of the regulations agreed between the Parties and/or compliance with the instructions of the Controller by the Processor at any time to the extent necessary.
(2) The Processor shall be obliged to provide the Controller with information to the extent necessary to carry out an inspection in the meaning of paragraph 1.
(3) The Controller may demand to inspect the data that are processed by the Processor for the Controller along with the inspection of data processing systems or programs that are used.
(4) Pursuant to paragraph 1, the Controller shall be permitted to control the premises of the Processor, upon prior timely notification, during regular business hours. The Controller shall thereby ensure that the inspections are carried out only to the extent necessary in order to not interfere with the Processor’s business operations.
(5) The Processor shall be obliged to provide necessary information to the Controller in case of measures of a supervisory body against the Controller according to Art. 58 GDPR, especially regarding obligations of information and monitoring and to grant the competent supervisory body on-site inspections. The Processor shall inform the Controller about such relevant intended measures.
(6) The Parties agree that the control measures for the processing of personal data in the “home office” to protect the personal rights of employees of the Contractor and any other persons in the respective household shall primarily be carried out by controlling the assurance of the measures to be taken by the Contractor in accordance with Clause 8 (2) and (3). If necessary, the Customer shall also allow the Contractor to carry out checks in the “home office” of employees.

10. Subcontracting

(1) The Processor shall not assign any subcontractors without approval of the Controller in text form. The Processor shall name all existing subcontractual relations in “Annex 2” of this Agreement.
(2) By contrast, third parties that the contractor uses as an ancillary service to support the performance of the order, third parties that provide services that are permissible on the basis of a statutory provision or third parties that provide services directly to the client and therefore have a direct contractual relationship with the client (e.g. banks including acquirers, i.e. the merchant’s banks that settle payments from customers by credit card, credit agencies, telecommunications service providers, postal service providers, transport service providers or cleaning staff) shall not be considered subcontractors. However, the However, the Contractor shall also enter into appropriate contractual arrangements with these third parties to ensure data protection and data security and shall take control measures if this is required by law (in particular if the corresponding ancillary services constitute commissioned processing in the relationship between the Contractor and the commissioned company).
(3) The Processor shall diligently select any subcontractor and assure in advance that they may comply with the Agreement between Controller and Processor. The Processor must, in particular, verify in advance, and regularly during the term of this Agreement, that the subcontractors have undertaken the technical and organizational measures that are required according Art. 32 GDPR for the protection of personal data. The result of the verification must be documented by the Processor and communicated to the Controller on request.
(4) The Processor is obliged to have the subcontractor confirm that he has appointed a company data protection officer within the meaning of Art. 37 GDPR. In the event that no data protection officer has been appointed by the sub-contractor, the Processor must point this out to the Controller and provide information that indicates that the subcontractor is not legally obliged to appoint a data protection officer.
(5) The Processor must ensure that the regulations and, where appropriate, supplementary instructions of this Agreement also apply to a reasonable extent to the subcontractor.
(6) The Processor shall conclude a commissioned data processing contract with the subcontractor, which meets the requirements of Art. 28 GDPR. In addition, the Processor shall impose the same data protection obligations with regard to the protection of personal data on the subcontractor as those laid down between the Controller and the Processor. The technical and organisational measures to be agreed do not have to be identical, but they must also comply with the requirements of Art. 32 GDPR. On request, the Processor shall provide the Controller with a copy of the written agreement on commissioned data processing.
(7) The Processor shall in particular be obliged to ensure through contractual regulations that the Controller’s powers of control (Section 9 of this Agreement) and of supervisory bodies also apply to subcontractors and that corresponding monitoring by the Controller and supervisory bodies have been agreed upon. It shall also be specified by contractual regulations that subcontractors have to tolerate these monitoring measures and any on-site inspections.
(8) Not considered as subcontracting relationships within the meaning of sections 1 – 6 are services which the Processor uses for Third Parties as a mere ancillary service in order to carry out the business activity. These include for example cleaning services, telecommunication services without specific reference to services that the Processor performs on behalf of the Controller, postal and courier services, transportation services or security services. The Processor shall nevertheless be required to ensure that appropriate technical and organizational measures have been undertaken to protect personal data, even with ancillary services that are provided by Third Parties. The maintenance and care of IT systems or applications constitutes a subcontracting relationship subject to approval and commissioned data processing within the meaning of Art. 28 GDPR if the maintenance and monitoring concerns IT systems that are also used in connection with the provision of services for the Controller and can be accessed during maintenance of personal data that are processed on behalf of the Controller.

11. Obligation of confidentiality

(1) When processing data on behalf of the Controller, the Processor shall be obliged to maintain confidentiality of data which he receives or obtains in connection with the data processing order. The Processor shall undertake to comply with the same confidentiality regulations as those incumbent for the Controller. The Controller is obliged to inform the Processor of any specific confidentiality regulations.
(2) The Processor warrants that applicable data protection regulations are known to him and that the Processor is familiar with their application. The Processor also warrants that the employees working on the data have been made known to applicable regulations of data protection and that they are bound to maintain data confidentiality. Furthermore, the Processor warrants that he has undertaken to maintain confidentiality, in particular with regard to the employees involved in carrying out the work and has informed them of the instructions of the Controller.
(3) Proof for such an obligation for the employees pursuant to paragraph 2 must be presented to the Controller on request.

12. Protection of Data Subjects’ rights

(1) The Controller is solely responsible for safeguarding data subjects’ rights. The Processor is obliged to support the Controller in his duty to process requests from data subjects in accordance with Articles 12-23 GDPR. The Processor shall in particular ensure that the information required in this respect is provided to the Controller without delay so that the Controller is able to fulfil his obligations under section 12 (3) GDPR in particular
. (2) As far as a participation of the Processor for the protection of data subjects’ rights by the Controller is necessary – especially regarding access, rectification, blocking or deleting –, the Processor will undertake the necessary measures on instruction by the Controller. Where possible, the Processor shall assist the Controller with appropriate technical and organizational measures to fulfil his obligation to respond to requests for the exercise of the data subjects’ rights.
(3) Provisions concerning remuneration of additional expenses incurred through participation of the Processor in connection with assertion of data subjects’ rights against the Controller remain unaffected.
(4) In the event that a data subject asserts his rights under Art. 12-23 GDPR with the Contractor, although this obviously concerns a processing of personal data for which the Client is responsible, the Contractor shall be entitled to inform the data subject that the Client is the data controller. In this context, the Contractor may inform the Data Subject of the contact details of the Controller.

13. Confidentiality obligations

(1) Both Parties hereby undertake to treat all information received in connection with the processing of this Agreement indefinitely confidential and to use the information only for carrying out the Agreement. No Party has the right to use the information in part or as a whole for other than those mentioned purposes or to make this information available to Third Parties.
(2) The foregoing obligation shall not apply for information that one Party received demonstrably from Third Parties, without being bound by secrecy or which are publicly known.

14. Remuneration

  • The Processor’s remuneration is provided for by way of a separate agreement.
  • The Contractor may charge the Client for the costs incurred, in particular for audits and further longer reviews, unless these are unreasonable or disproportionate. The costs shall be based on the prices of the main contract for special services and shall be agreed in advance.

15. Technical and organizational measures for data security

(1) The Processor shall pledge against the Controller to comply with all technical and organizational measures that are required for compliance with applicable data protection regulations. This includes, in particular the dispositions in Art. 32 GDPR.
(2) The technical and organizational measures as of the time at which this Agreement is made are attached as Annex 3 to this contract. The Parties agree that changes to technical and organizational measures may be required to adapt to technical and legal requirements. The Processor will inform the Controller in advance and within a reasonable period of any material changes affecting the integrity, confidentiality or availability of personal data. The Processor may implement without consulting with the Controller measures that entail only slight technical or organizational changes and that do not negatively affect the integrity, confidentiality or availability of the personal data. The Controller may at any time request an up-to-date version of the technical and organizational measures taken by the Processor.
(3) The Processor will regularly, and as the occasion may warrant, monitor the effectiveness of the technical and organizational measures it takes The Processor will inform the Controller in the event that there is a need for optimization and/or change.

16. Term of the Agreement

(1) The Agreement begins with the signing of the Agreement and shall be concluded for an indefinite period of time.
(2) It may be ordinarily terminated at the end of a quarter, giving three months’ notice.
(3) The Controller may terminate the Agreement at any time without notice if the Processor has committed a serious violation of the applicable data protection provisions or a breach of duties under this Agreement; the Processor is unable or unwilling to carry out an instruction of the Controller or denies access to the Controller or the competent supervisory authority in breach of the Agreement.

17. Termination

(1) Upon termination of the Agreement, the Processor must hand over or delete all documents, data, and final results of processing or use that are associated with the contractual relationship to the Controller. The erasure must be documented in a suitable manner. Any relevant legal obligations for the storage of data remain unaffected. Data carriers must be destroyed in the event of a destruction request by the Controller and at least security level 3 of the national standard DIN 66399 (Office machines – Destruction of data carriers – Part 1: Principles and definitions) must be observed. The destruction must be verified to the Controller with reference to the security level in accordance with DIN 66399.
(2) The Controller has the right to monitor the complete and contractual return or erasure of the data by the Processor. This may be done also by visual inspection of the data processing systems on the Processor’s business premises. The on-site monitoring is to be announced by the Controller with reasonable notice.
(3) The Contractor may store personal data processed in connection with the order beyond the termination of the contract if and to the extent that the Contractor is subject to a statutory duty of retention. In such cases, the data may only be processed for the purpose of implementing the respective statutory retention obligations. After expiry of the retention obligation, the data must be deleted immediately.
(4) Paragraphs 1 and 2 shall also apply to any third party/client if this is a subcontracting processing agreement and the client here no longer exists factually or legally or is insolvent.

18. Right of retention

The Parties agree that the plea of retention by the Processor in the meaning of section 273 German Civil Code (Bürgerliches Gesetzbuch, BGB) concerning the processed data and associated data storage devices is excluded.

19. Final Provisions

(1) Should the property of the Controller be at risk at the Processor through measures of Third Parties (especially confiscation or seizure of property), by insolvency proceedings or other events, the Processor must inform the Controller immediately. The Processor will inform creditors immediately about the fact that the data are processed on behalf of the Controller.
(2) Written form is compulsory for ancillary agreements.
(3) Should individual parts of this Agreement be invalid, the validity of the Agreement’s other provisions will not be affected thereby. , on , on Place Date Place Date – Controller – – Processor

Annex 1 – Subject matter of the Agreement

1. Subject matter and purpose of the processing

This DPA specifies the obligations of the Parties that arise between Controller and Processor from the Agreement.
The services to be provided by the Processor shall be described as specific as possible here. The purpose of the processing must also be specified, unless this results from the service description.

2. Type(s) of personal data

The following types or categories of personal data are generally collected, processed and used by the Processor:
If possible, the data fields should be specified here. If this is not possible, generalizations are allowed (usage data, inventory data etc.) which shall be specified as detailed as possible.

3. Categories of data subjects

The following data subjects are affected by the handling of their personal data within the framework of this Agreement:
e.g. Clients, Controller, Third Parties etc.

4. Authorized persons of the Controller are:

If necessary, name persons or delete the passage.

5. Processor’s designated person(s) to receive instructions:

Team Key Account Management:

Annex 2 – Subcontractor

For the processing of data on behalf of the Controller, the Processor uses the services of Third Parties who process data on behalf of the Processor (“subcontractors”). These companies are:
  • REISSWOLF Berlin GmbH, Alexander-Meißner-Str. 56, 12526 Berlin, Aktenvernichtung
  • Dtms GmbH, Taunusstraße 57, 55118 Mainz, Rechenzentrum
  • Formware GmbH, Stangenreiterstraße 2, 83131 Nußdorf am Inn
  • AG, Storkower Str. 132, 10407 Berlin, Call Center Service
  • HIB Hanse Inkasso Bureau GmbH & Co. KG, Normannenweg 32, 20537 Hamburg, Inkassounternehmen
  • net group Beteiligungen GmbH & Co. KG, Lise-Meitner-Str. 4, 24941 Flensburg, verbundenes Unternehmen
  • Payconomy GmbH, Am Zirkus 3a, 10117 Berlin; Consulting & Entwicklung
  • Techatvision GmbH, Berliner Allee 65, 64295 Darmstadt, SAP Betreuung
  • vysion consulting gmbh, Kärntner Ring 5-7, A-1010 Wien, Consulting SAP

Annex3 – Technical and organizational measures of the Processor

The Processor shall undertake the following technical and organizational measures for data security in accordance with Art. 32 GDPR. The following provisions shall apply, insofar as applicable, irrespective of the place of work

1. confidentiality

To protect confidentiality, technical and organisational measures are taken that are suitable to protect confidentiality. The following measures protect the confidentiality of personal data:

1.1 Physical access protection
Measures are in place to prevent unauthorised persons from gaining access to data processing equipment with which personal data are processed or used. This is done by:
  • all possible access points are secured against unauthorised entry
  • access to all premises is secured with a locking system and a burglar alarm system
  • areas with a particularly high need for protection are identified
  • Access to security-relevant areas (e.g. data centre) is restricted to a few staff members only
  • all persons have individual access authorisation
  • there are organisational regulations on access authorisations to the company area
  • Defined procedure in case of loss of access means
  • visitors are not allowed to enter the premises unaccompanied
  • A security guard monitors the premises outside of operating hours.

1.2 Organizational access protection
Data processing systems are prevented from being used by unauthorised persons. This is done by:
  • password conventions that are based on the current BSI standards.
  • Authorisations are limited to the necessary minimum
  • user accounts are only set up for persons who need access to the data processing systems
  • Automatic screen lock
  • Disabling/blocking of unneeded services andnetwork ports.
  • Access data is transmitted over the network in encrypted form

1.3 Access protection and authorisation concept
Measures to ensure that those authorised to use a data processing system can only access the data subject to their access authorisation and that personal data are not read, copied, changed or removed without authorisation during processing, use and after storage. This is achieved by:
  • Task and role-based authorisation concept
  • Authorisations are limited to a necessary minimum
  • authorisations can be restricted to individual data sets (need-to-know principle)
  • the release and allocation process is documented
  • Use of standard technologies for encryption of the transmission path
  • Smartphones for official use have an encrypted “Personal Information Manager” with only company information.

1.4 Separation control It must be ensured that data collected for different purposes can be processed separately.
  • there is a separate infrastructure for development, testing and production
  • there are separate data areas with access rights for authorised personnel
  • personal data collected for different purposes are processed separately from each other

2. Integrity

The factual and technical accuracy and the completeness of all information and data during the processing of personal data is guaranteed. The following controls ensure the integrity of personal data:
2.1 Transfer control and input control.
It shall be ensured that it is possible to verify and establish retrospectively whether and by whom personal data have been entered into, modified or removed from data processing systems. This shall be achieved by the following measures:
  • a cryptographic concept for encrypted data transmission is established
    • Logging for subsequent verification of the data processing systems of:
    • system logins of users for a period of at least 12 months
    • firewall logging (TCP/IP)
    • administrative activities

2.2 Data media control, secure deletion, disposal and destruction
It must be ensured that adequate protection is provided when disposing of information carriers. The following measures shall be applied to prevent unauthorised persons from accessing sensitive data.
  • regulations are in place for the destruction of data carriers and documents in accordance with data protection requirements
  • the physical destruction of data media is recorded.

2.3 Organisational control
The internal organisation must be designed in such a way that it meets the special requirements of data protection.
  • processes and workflows are defined for the processing of data within the company
  • the implementation of and compliance with the processes is monitored
  • there is a separation between operational and administrative functions

3. availability / availability control

It must be ensured that personal data are protected against the risk of accidental destruction or loss. The following measures have been taken for this purpose:
  • regular checks of the emergency equipment and computer centres
  • redundant hardware is used
  • there is an IT on-call service
  • daily complete backup of all systems
  • data backups are kept in separate fire compartments and separate data centres
  • the server rooms are
    • sufficiently air-conditioned
    • protected against burglary
    • have an Agron gas extinguishing system
    • have fire detectors, smoke aspiration systems, humidity sensors, heat sensors
    • have a UPS and NEA

4. load capacity of the systems / protection against overloading

Continuous operation is ensured by the following technical and organisational measures:
  • Networks are separated by firewall and router (intranet, DMZ, internet).
  • End-point security is permanently activated and cannot be deactivated by the user.
  • the back-end systems are sufficiently hardened

5. restoration of availability / recovery mechanisms

Measures are in place to ensure that personal data is protected against accidental destruction or loss.
  • the recovery of virtual servers can be hardware-independent
  • in the event of a technical incident, the virtual server is fully restored from the backup
  • regular recovery tests are carried out on a random basis
  • There is a contingency plan in which corresponding regulations for recovery are in place.

6. procedures for reviewing, assessing and evaluating the TOMs.

The following points ensure compliance with and implementation of the measures in this document: 6.1 Awareness raising
  • Employees are trained on the principles of data protection and information security, including the TOMs.
  • obligation to maintain confidentiality about company and business secrets, including the client’s operations
  • There are rules on access to data processing systems for external parties, e.g. guests, suppliers.
  • External persons are only granted access if they have been trained and obligated in writing to maintain data secrecy.
  • Regular audits are carried out to check data protection and information security.

6.2 Data protection
  • a data protection management system in the form of a workflow consisting of a notification, file and ticket system is implemented
  • there are guidelines and directives on data protection and data security
  • the guidelines are regularly evaluated and adapted with regard to their effectiveness
  • A data protection and information security (DST) team is in place to plan, implement, evaluate and adjust data protection and data security measures.
  • a data protection officer is appointed
  • it is ensured that data protection incidents are recognised by all employees and reported immediately to the data protection team
  • if data is affected that is processed on behalf of customers, care is taken to ensure that they are informed immediately of the type and scope of the incident
  • when processing data for own purposes, a report to the supervisory authority will be made within 72 hours of becoming aware of the incident if the requirements of Art. 33 of the GDPR are met.

7. order control

The personal data processed on behalf of the client will only be processed in accordance with the client’s instructions:
  • Documentation of the individual work steps required within the scope of the execution of the order.
  • the data is processed exclusively in the Federal Republic of Germany
  • there is a documenöted interface specification
  • it is defined which type of personal data is processed for which purpose (see processing specifications, order processing contract)