Order processing contract
1. General
(1) The Contractor is nexnet GmbH (Schöneberger Str. 21 A, Berlin, Germany) The Contractor processes personal data on behalf of the Client within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR). This contract regulates the rights and obligations of the parties in connection with the processing of personal data. The client is you as a customer of nexnet Subscription Billing Cloud.
(2) Insofar as the term “data processing” or “processing” (of data) is used in this Agreement, the definition of “processing” within the meaning of Art. 4 No. 2 of the GDPR shall apply.
2. subject of the order
The subject matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are specified in Annex 1 to this Agreement.
3. rights and obligations of the client
(1) The Client is the responsible party within the meaning of Art. 4 No. 7 DSGVO for the processing of data on behalf of the Contractor. Pursuant to Section 4 (3), the Contractor shall have the right to notify the Client if data processing which it considers to be legally inadmissible is the subject of the order and/or an instruction.
(2) As the responsible party, the Customer shall be responsible for safeguarding the rights of data subjects. The Contractor shall inform the Client without delay if data subjects assert their data subject rights against the Contractor.
(3) The Customer shall have the right to issue supplementary instructions to the Contractor at any time regarding the type, scope and procedure of data processing. Instructions must be given in text form (e.g. e-mail).
(4) Regulations on any remuneration of additional expenses incurred by the Contractor due to supplementary instructions of the Customer shall remain unaffected.
(5) The Customer may appoint persons authorized to issue instructions. Insofar as persons authorized to issue instructions are to be named, they shall be named in Annex 1. In the event that the persons authorized to issue instructions change at the Customer, the Customer shall notify the Contractor thereof in text form.
(6) The Customer shall inform the Contractor without undue delay if it discovers errors or irregularities in connection with the processing of personal data by the Contractor.
(7) In the event that there is an obligation to inform third parties pursuant to Art. 33, 34 DSGVO or any other statutory notification obligation applicable to the Client, the Client shall be responsible for compliance therewith.
4. general obligations of the contractor
(1) The Contractor shall process personal data exclusively within the scope of the agreements made and/or in compliance with any supplementary instructions issued by the Client. Exceptions to this are legal regulations which may require the Contractor to process data in a different manner. In such a case, the Contractor shall notify the Client of such legal requirements prior to processing, unless the relevant law prohibits such notification due to an important public interest. The purpose, nature and scope of the data processing shall otherwise be governed exclusively by this Agreement and/or the Client’s instructions. The Contractor is prohibited from processing data in a manner deviating from this unless the Client has consented to this in writing.
(2) The Contractor shall generally carry out data processing on behalf of the Customer in member states of the European Union (EU) or the European Economic Area (EEA). The Contractor shall also be permitted to process data outside the EU or EEA if corresponding subcontractors in the third country comply with the requirements of Sec. 9 and the requirements of Art. 44-48 of the GDPR are met or an exception within the meaning of Art. 49 of the GDPR applies.
(3) The Contractor shall inform the Customer without delay if, in its opinion, an instruction issued by the Customer violates statutory regulations. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client. If the Contractor can demonstrate that processing in accordance with the Client’s instructions may lead to liability on the part of the Contractor pursuant to Art. 82 of the GDPR, the Contractor shall be free to suspend further processing in this respect until the liability between the parties has been clarified.
(4) The Contractor may designate to the Customer the person(s) authorized to receive instructions from the Customer. If persons authorized to receive instructions are to be named, they are named in Appendix 1. In the event that the persons authorized to receive instructions change at the Contractor, the Contractor shall notify the Client thereof in text form.
5. data protection officer of the contractor
The Contractor confirms that it has appointed a data protection officer in accordance with Art. 37 DSGVO. The Contractor shall ensure that the data protection officer has the required qualifications and expertise. You can reach the data protection officer at datenschutz@nexnet.cloud.
6. reporting obligations of the contractor
(1) The Contractor shall be obliged to notify the Customer without undue delay of any infringement of data protection regulations or of the contractual agreements made and/or the instructions issued by the Customer which has occurred in the course of the processing of data by the Contractor or other persons involved in the processing. The same applies to any violation of the protection of personal data processed by the Contractor on behalf of the Client.
(2) Furthermore, the Contractor shall inform the Customer without undue delay if a supervisory authority takes action against the Contractor pursuant to Art. 58 of the GDPR and this may also concern a control of the Processing that the Contractor provides on behalf of the Customer.
(3) The Contractor is aware that the Client may be subject to a notification obligation pursuant to Art. 33, 34 DSGVO, which provides for notification to the supervisory authority within 72 hours of becoming aware of it. The Contractor shall support the Client in the implementation of the reporting obligations. In particular, the Contractor shall notify the Client of any unauthorized access to personal data processed on behalf of the Client immediately upon becoming aware of such access. The Contractor’s notification to the Client shall include, in particular, the following information:
- A description of the nature of the personal data breach, including, to the extent possible, the categories and approximate number of individuals affected, the categories affected, and the approximate number of personal data records affected;
- A description of the measures taken or proposed by the Contractor to address the personal data breach and, if applicable, measures to mitigate its potential adverse effects.
7. cooperation obligations of the contractor
(1) The Contractor shall support the Client in its obligation to respond to requests for the exercise of data subject rights pursuant to Art. 12-23 GDPR. The provisions of sec. 12 of this contract.
(2) The Contractor shall participate in the preparation of the registers of processing activities by the Client. He shall provide the Customer with the information required in this respect in a suitable manner.
(3) The Contractor shall support the Client in complying with the obligations set out in Art. 32-36 GDPR, taking into account the nature of the processing and the information available to it.
8. “Home office” regulation
(1) The Contractor may allow its employees who are tasked with processing personal data for the Client to process personal data in private residences or a mobile workplace (“home office” / “remote work”).
(2) The Contractor shall ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed in the “home office” or “remote work” of the Contractor’s employees. Deviations from individual contractually agreed technical and organizational measures must be agreed in advance with the Customer and approved by the latter in text form.
(3) The Contractor shall in particular ensure that, in the case of processing of personal data in the “home office” or in the case of “remote work”, the storage locations are configured in such a way that local storage of data on IT systems used in the “home office” is excluded. If this is not possible, the Contractor shall ensure that local storage is exclusively encrypted and that other persons in the household do not have access to this data.
(4) The Contractor shall be obliged to ensure that effective control of the processing of personal data on behalf of the Customer in the “home office” or “remote work” is possible. In doing so, the personal rights of the employees and other persons living in the respective household as well as other affected persons, if applicable, must be adequately taken into account.
(5) If employees are also to be deployed in the “home office” or via “remote work” at subcontractors, the provisions of Paragraphs 1 to 4 shall apply accordingly.
9. control powers
(1) The Customer shall have the right to monitor the Contractor’s compliance with the statutory provisions on data protection and/or compliance with the contractual provisions made between the Parties and/or compliance with the Customer’s instructions to the extent necessary.
(2) The Contractor shall be obligated to provide information to the Customer to the extent that this is necessary for the performance of the control within the meaning of Paragraph 1.
(3) The Customer may carry out the inspection within the meaning of Paragraph 1 at the Contractor’s premises during normal business hours after prior notification with a reasonable period of notice. In doing so, the Customer shall ensure that the inspections are only carried out to the extent necessary so as not to disproportionately disrupt the Contractor’s operations as a result of the inspections. The parties assume that inspection is required no more than once a year. Further tests must be justified by the client, stating the reason. In the event of on-site inspections, the Customer shall reimburse the Contractor for the expenses incurred, including the costs of the on-site inspections. of the personnel costs for the supervision and accompaniment of the control persons on site to a reasonable extent. The bases of the cost calculation shall be communicated to the Customer by the Contractor before the control is carried out.
(4) At the Contractor’s discretion, proof of compliance with the technical and organizational measures may also be provided instead of an on-site inspection by submitting a suitable, current audit certificate, reports or report excerpts from independent bodies (e.g., auditors, auditing department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification, if the audit report reasonably enables the Customer to satisfy itself of compliance with the technical and organizational measures pursuant to Annex 3 to this Agreement. If the Client has reasonable doubts about the suitability of the test document within the meaning of sentence 1, an on-site inspection may be carried out by the Client. The Customer is aware that an on-site inspection in data centers is not possible or only possible in justified exceptional cases.
(5) The Contractor shall be obligated to provide the necessary information to the Customer in the event of measures taken by the supervisory authority vis-à-vis the Customer within the meaning of Article 58 of the GDPR, in particular with regard to information and control obligations, and to enable the respective competent supervisory authority to conduct an on-site inspection. The Client shall be informed by the Contractor of any corresponding planned measures.
(6) The Parties agree that the control measures in the case of a processing of personal data in the “Home Office” or in the case of “Remote Work” for the protection of the personal rights of employees of the Contractor and any other persons in the respective household shall primarily consist of a control of the safeguarding of the personal rights of the Contractor pursuant to sec. 8 para. 2 and 3 to be taken is carried out. If necessary, the customer shall also be enabled by the contractor to carry out checks in the “home office” or at the “remote” workplace of employees.
10. subcontracting relationships
(1) The Contractor shall be entitled to use the subcontractors specified in Annex 2 to this Agreement for the processing of data on behalf of the Contractor. The change of subcontractors or the commissioning of further subcontractors is permissible under the conditions specified in paragraph 2.
(2) The Contractor shall carefully select the subcontractor and check before commissioning that the subcontractor is able to comply with the agreements made between the Client and the Contractor. In particular, the Contractor shall check in advance and regularly during the term of the contract that the subcontractor has taken the technical and organizational measures required under Art. 32 GDPR to protect personal data. In the event of a planned change of a subcontractor or in the event of a planned commissioning of a new subcontractor, the Contractor shall inform the Customer in text form in due time, but no later than 4 weeks before the change or the new commissioning (“Information”). The Customer shall have the right to object to the change or the new assignment of the subcontractor in text form within three weeks after receipt of the “Information”, stating the reasons. The objection can be withdrawn by the client at any time in text form. In case of an objection, the Contractor may terminate the contractual relationship with the Client with a notice period of at least 14 days to the end of a calendar month. The Contractor shall reasonably take into account the interests of the Customer in the notice period. If no objection is raised by the Customer within three weeks of receipt of the “Information”, this shall be deemed to be the Customer’s consent to the change or new commissioning of the subcontractor concerned.
(3) The Contractor shall be obliged to obtain confirmation from the subcontractor that the latter has appointed a data protection officer in accordance with Art. 37 of the GDPR, provided that the subcontractor is legally obliged to appoint a data protection officer.
(4) The Contractor shall ensure that the provisions agreed in this Agreement and, if applicable, any supplementary instructions of the Customer also apply vis-à-vis the subcontractor.
(5) The Contractor shall conclude a contract processing agreement with the subcontractor that complies with the requirements of Art. 28 GDPR. In addition, the Contractor shall impose on the subcontractor the same obligations for the protection of personal data that are established between the Client and the Contractor. The Customer shall be provided with a copy of the order processing agreement upon request.
(6) The Contractor shall in particular be obliged to ensure by contractual provisions that the control powers (Clause 9 of this Agreement) of the Client and of supervisory authorities also apply vis-à-vis the subcontractor and that corresponding control rights of the Client and supervisory authorities are agreed. It must also be contractually stipulated that the subcontractor must tolerate these control measures and any on-site inspections.
(7) Services which the Contractor uses from third parties as a purely ancillary service in order to carry out the business activity shall not be regarded as subcontracting relationships within the meaning of paragraphs 1 to 6. These include, for example, cleaning services, pure telecommunications services without any specific reference to services provided by the Contractor to the Client, postal and courier services, transport services, guarding services. The Contractor shall nevertheless be obliged, also in the case of ancillary services provided by third parties, to ensure that appropriate precautions and technical and organizational measures have been taken to guarantee the protection of personal data. The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship requiring consent and commissioned processing within the meaning of Art. 28 DSGVO if the maintenance and testing concerns such IT systems that are also used in connection with the provision of services for the Client and personal data processed on behalf of the Client can be accessed during the maintenance.
11. confidentiality obligation
(1) When processing data for the Client, the Contractor shall be obliged to maintain confidentiality with regard to data that it receives or becomes aware of in connection with the order.
(2) The Contractor has familiarized its employees with the data protection provisions applicable to them and has obligated them to maintain confidentiality.
(3) The obligation of the employees pursuant to paragraph 2 shall be proven to the Client upon request.
(4) In the event of insolvency, the Client’s personal data governed by this Agreement shall not be released to the insolvency administrator.
12. safeguarding of data subject rights
(1) The Client shall be solely responsible for safeguarding the rights of the data subjects. The Contractor is obliged to support the Client in its duty to process requests from data subjects pursuant to Art. 12-23 GDPR. In this context, the Contractor shall in particular ensure that the information required in this respect is provided to the Client without delay so that the Client can in particular fulfill its obligations under Art. 12 Para. 3 GDPR can comply with.
(2) Insofar as the cooperation of the Contractor is necessary for the protection of data subject rights – in particular for information, correction, blocking or deletion – by the Customer, the Contractor shall take the measures required in each case in accordance with the Customer’s instructions. The Contractor shall support the Client as far as possible with suitable technical and organizational measures in fulfilling its obligation to respond to requests to exercise data subject rights.
(3) This shall be without prejudice to any provisions on the remuneration of additional expenses incurred by the Contractor as a result of cooperation services in connection with the assertion of data subject rights vis-à-vis the Client.
13. confidentiality obligations
(1) Both parties undertake to treat all information received in connection with the performance of this contract as confidential for an unlimited period of time and to use it only for the performance of the contract. Neither party is entitled to use this information in whole or in part for purposes other than those just mentioned or to make this information available to third parties.
(2) The above obligation shall not apply to information which one of the parties has demonstrably received from third parties without being obliged to maintain confidentiality or which is publicly known.
14. remuneration
The remuneration is the subject of the main contract concluded between the parties.
15. technical and organizational data security measures
(1) The Contractor undertakes vis-à-vis the Customer to comply with the technical and organizational measures required to comply with the applicable data protection provisions. This includes in particular the requirements of Art. 32 GDPR.
2) The status of technical and organizational measures existing at the time of the conclusion of the contract is attached as Annex 3 to this contract. The parties agree that changes to the technical and organizational measures may be necessary in order to adapt to technical and legal circumstances. The Contractor shall coordinate any significant changes that may affect the integrity, confidentiality or availability of the personal data with the Client in advance. Measures that involve only minor technical or organizational changes and do not negatively affect the integrity, confidentiality and availability of the personal data may be implemented by the Contractor without coordination with the Client. The Customer may request an up-to-date version of the technical and organizational measures taken by the Contractor once a year or on justified occasions.
16. duration of the order
(1) The Contract shall commence upon signature and shall run for the duration of the main contract existing between the Parties on the use of the Contractor’s services by the Customer.
(2) The Customer may terminate the contract at any time without notice if there is a serious breach by the Contractor of the applicable data protection provisions or of obligations under this contract, if the Contractor is unable or unwilling to carry out an instruction of the Customer or if the Contractor refuses access by the Customer or the competent supervisory authority in breach of the contract.
17. termination
(1) After termination of the contract, the Contractor shall return to the Client or delete, at the Client’s discretion, all documents, data and processing or utilization results created in its possession that are related to the contractual relationship. The deletion must be documented in a suitable manner.
(2) The Contractor may store personal data that have been processed in connection with the order beyond the termination of the contract if and to the extent that the Contractor has a legal obligation to store such data. In these cases, the data may only be processed for the purpose of implementing the respective statutory retention obligations. After expiry of the retention period, the data must be deleted immediately.
18. right of retention
The Parties agree that the defense of the right of retention by the Contractor within the meaning of Section 273 of the German Civil Code (BGB) is excluded with regard to the processed data and the associated data carriers.
19. final provisions
(1) Should the property of the Customer with the Contractor be endangered by measures of third parties (for example by seizure or attachment), by insolvency proceedings or by other events, the Contractor shall inform the Customer immediately. The Contractor shall immediately inform the creditors of the fact that it is data processed on behalf.
(2) The written form is required for ancillary agreements.
(3) Should individual parts of this contract be invalid, this shall not affect the validity of the remaining provisions of the contract.
Annex 1 – Subject of the order
1. subject and purpose of processing
The Client’s order to the Contractor shall include the following work and/or services:
The nexnet.cloud is a software-as-a-service service that can be used to create invoices and accounting documents in particular under one’s own responsibility.
2. type(s) of personal data
The following types of data are regularly subject to processing:
- Inventory data (e.g. personal master data, names or addresses).
- Contact information (e.g. email, phone numbers).
- Data of the ordered product and/or service.
3. categories of person concerned
Group of persons affected by the data processing:
- Client
- Employees of the client
- End customers of the client
4. persons authorized to give instructions to the client
Authorized signatories of the client.
5. persons authorized to receive instructions from the Contractor
Mario Kaiser, datenschutz@nexnet.cloud
Annex 2 – Subcontractor
For the processing of data on behalf of the Client, the Contractor shall use the services of third parties who process data on its behalf (“subcontractors”).
This involves the following company(ies):
There are currently no subcontractors employed by nexnet.cloud.
Annex 3 – Technical and organizational measures of the contractor
The Contractor shall take technical and organizational measures for data security within the meaning of Art. 32 DSGVO. The following provisions shall apply, insofar as applicable, irrespective of the place of work.
- Confidentiality
To protect confidentiality, technical and organizational measures are taken that are suitable to protect confidentiality. The following measures protect the confidentiality of personal data:
1.1 Access protection
Measures are in place to prevent unauthorized persons from accessing data processing equipment used to process or use personal data. This is done by:
- all possible accesses are secured against unauthorized entry
- access to all premises is secured by a locking system and burglar alarm system
- Areas with a particularly high need for protection are identified
- Access to security-relevant areas (e.g. data center) is only granted to a few employees.
- all persons have individual access authentication
- Organizational regulations exist regarding access authorizations to the company area
- Defined procedure in case of loss of access means
- Visitors are not allowed to be on the premises unaccompanied
- a security guard monitors the premises outside operating hours
1.2 Access protection
It prevents data processing systems from being used by unauthorized persons. This is done by:
- Password conventions that are aligned with the current state of the BSI.
- Permissions are limited to the necessary minimum
- User accounts are created only for persons who need access to the data processing facilities
- automatic screen lock
- Disabling/blocking of unneeded services and
- Access data is transmitted encrypted over the network
1.3 Access protection and authorization concept
Measures that ensure that the persons authorized to use a data processing system can only access the data subject to their access authorization and that personal data are not read, copied, changed or removed without authorization during processing, use and after storage. This is done by:
- Task and role based authorization concept
- Permissions are limited to a necessary minimum
- Authorizations can be restricted to individual data sets (need-to-know principle)
- the release and award process is documented
- Use of standard technologies for encryption of the transmission path
- Smartphones for business use have an encrypted “Personal Information Manager” with exclusively business information
1.4 Separation control
Ensure that data collected for different purposes can be processed separately.
- there is a separate infrastructure for development, test and production
- there are separate data areas with access rights for authorized personnel
- Personal data collected for different purposes are processed separately from each other
- Integrity
The factual and professional correctness and the completeness of all information and data during the processing of personal data is guaranteed. The following controls ensure the integrity of personal data:
2.1 Transfer control and input control
It must be ensured that it is possible to check and establish retrospectively whether and by whom personal data have been entered into data processing systems, modified or removed. This is done through the following actions:
- a cryptographic concept for encrypted data transmission is established
- Logging for retrospective review of the data processing systems of:
- System logins of users for a period of min. 12 months
- Firewall logging (TCP/IP)
- administrative activities
2.2 Data carrier control, secure deletion, disposal and destruction
Ensure that adequate protection is provided when disposing of information carriers. The following measures are used to deny unauthorized persons access to sensitive data.
- there are regulations for the destruction of data carriers and documents in compliance with data protection requirements
- there are regulations for the destruction of data carriers and documents in compliance with data protection requirements
2.3 Organizational control
The internal organization must be designed in such a way that it meets the special requirements of data protection.
- processes and workflows are defined for the processing of data in the company
- the implementation of and compliance with the processes is controlled
- there is a separation between operational and administrative functions
- Availability / Availability control
It must be ensured that personal data is protected against the risk of accidental destruction or loss. The following measures have been taken for this purpose:
- Regular inspection of the emergency equipment and data centers
- redundant hardware is used
- there is an IT on-call service
- daily full backup of all systems
- Data backups are stored in separate fire compartments and separate data centers
- are the server rooms:
- Sufficiently air conditioned
- Protected against burglary
- have an Agron gas extinguishing system
- have fire detectors, smoke aspiration systems, humidity sensors, heat sensors
- have a UPS and NEA
- Load capacity of the systems / protection against overload
Ongoing operation is ensured by the following technical and organizational measures:
- Networks are separated by firewall and router (Intranet, DMZ, Internet)
- End-Point-Secruity are permanently activated and cannot be deactivated by the user
- the backend systems are sufficiently hardened
- Availability recovery / recovery mechanisms
Measures to ensure that personal data is protected against accidental destruction or loss.
- virtual server recovery can be hardware independent
- in case of technical incident, the virtual server is fully restored from backup
- regular recovery tests are carried out on a random basis
- There is a contingency plan in place, in which appropriate regulations for recovery are in place
- Procedures for review, assessment, and evaluation of TOMs.
The following points ensure compliance and implementation of the measures in this document:
6.1 Sensitization
- employees are trained on data protection and information security principles, including TOMs
- Obligation to maintain confidentiality about business and trade secrets, including the operations of the client
- There are regulations on access to data processing systems for external parties, e.g. guests, suppliers.
- External persons are only granted access if they are obligated in writing to maintain data secrecy and are trained to do so
- Regular audits are carried out to check data protection and information security
6.2 Data protection
- implement a data protection management system in the form of a workflow consisting of a notification, file and ticket system
- there are guiding principles and guidelines on data protection and data security
- the guidelines are regularly evaluated and adjusted with regard to their effectiveness
- A data protection and information security team (DST) is in place to plan, implement, evaluate and make adjustments to data protection and data security measures
- a data protection officer is appointed
- It is ensured that data protection incidents are recognized by all employees and reported to the data protection team without delay
- Insofar as data processed on behalf of customers are affected, care is taken to ensure that they are informed immediately of the nature and scope of the incident
- when processing data for own purposes, if the conditions of 33 DSGVO are met, a notification to the supervisory authority will be made within 72 hours after becoming aware of the incident
- Order control
The personal data processed in the order, are processed only in accordance with the instructions of the client:
- Documentation of the individual work steps required within the scope of the order execution
- the processing of the data takes place exclusively in the Federal Republic of Germany
- there is a documented interface specification
- it is defined what kind of personal data is processed for what purpose (see processing directories, order processing contract)