Agreement on Data Processing

in Accordance with Article 28 GDPR of Quanos Service Solutions GmbH

1. Subject matter of data processing agreement

1.1. The subject matter of this agreement is set forth in the agreement on the licensing of software and IT services, maintenance and support as concluded between Quanos Service Solutions GmbH (“Quanos”) and the customer (“Main Agreement”). This Agreement on Data Processing (“Data Processing Agreement”) specifies the parties’ duties regarding data protection laws and applies to all services which relate to the commissioned data processing and where Quanos or its personnel may come into contact with personal data provided to Quanos by the customer.

1.2. The type of processed data, the categories of data subjects, and the nature and purpose of the processing of personal data by Quanos on behalf of the customer are defined in Appendix 1.

1.3. Unless provided otherwise in this Data Processing Agreement any data processing owed under this Data Processing Agreement shall take place in Germany or in a member state of the European Union (EU) or another member state of the European Economic Area (EEA). Any processing in a third country is subject to the specific requirement set forth in Art. 44 et seqq. GDPR.

2. Technical and organizational measures

2.1. Quanos shall establish measures in accordance with Article 28 (3) c, and Article 32 GDPR in particular in conjunction with Article 5 GDPR. The measures to be taken are measures of data security and measures that guarantee an appropriate data protection level taking account of risks for confidentiality, integrity, availability and resilience of systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk for the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR must be taken into account. The measures taken by Quanos are specified in Appendix 2.

2.2. The technical and organizational measures are subject to technical progress and further development. In this respect, Quanos may implement alternative adequate measures. However, the security level of the defined measures shall not be reduced. Substantial changes must be documented.

2.3. Quanos regularly controls the internal processes as well as the technical and organizational measures in order to ensure that the data processing which lies within its responsibility is carried out in accordance with the applicable data protection laws and to ensure the protection of the rights of the data subjects.

3. Rectification, restriction and erasure of data; rights of data subjects

3.1. Quanos may not on its own authority modify or delete the data that is being processed on behalf of the customer, or restrict the processing of such data, but only on documented instructions from the customer. In the event that a data subject contacts Quanos directly concerning a modification or deletion of data, or restriction of processing, Quanos shall immediately forward the data subject’s request to the customer.

3.2. To the extent included in the scope of services, the data deletion policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by Quanos in accordance with documented instructions from the customer. Quanos may request payment of fees for assistance which is not owed under the Main Agreement.

4. Quality assurance and other duties of Quanos

4.1. Quanos entrusts only such employees with the data processing outlined in this Data Processing Agreement who have been bound to confidentiality. Unless required by law to process the data, Quanos shall not process the data except on instructions from the customer, which includes the processing allowed under this Data Processing Agreement and the Main Agreement. The customer shall immediately confirm oral instructions (at the minimum in text form). Quanos shall inform the customer immediately if Quanos considers that an instruction violates data protection laws. Quanos shall then be entitled to suspend the execution of the relevant instructions until the customer confirms or changes them.

4.2. Quanos shall assist the customer in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as stipulated in Articles 32 through 36 GDPR. These include:

4.2.1. The obligation to report a personal data breach immediately to the customer,

4.2.2. The obligation to assist the customer with regard to the customer’s obligation to provide information to the data subject and to immediately provide the customer with all relevant information in this regard.

4.2.3. Supporting the customer with its data protection impact assessment.

4.2.4. Supporting the customer regarding prior consultation with the supervisory authority.

4.3. Quanos may charge a fee for support which is not included in the description of services in the Main Agreement or which is caused by misconduct of the customer.

5. Subcontracting

5.1. Subcontracting for the purpose of this Data Processing Agreement is to be understood as services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. Quanos shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the customer's data, even in the case of outsourced ancillary services.

5.2. The customer herewith agrees that Quanos may engage sub-processors within the territory of the EU and/or EEA, provided that Quanos and the sub-processor conclude an agreement according to Article 28 (4) GDPR.

5.3. Subject to the condition set forth in Section 5.2 the customer herewith agrees that Quanos engages the companies listed in Appendix 3 as a sub-contractor for the collection, processing and/or use of data.

5.4. Quanos shall notify the customer of any intended change with respect to the addition of, or replacement by, any other processors. The customer may object to such change for good cause by giving notice within 14 days of receipt of the notification of change. If the customer does not oppose within such term, the change shall be deemed approved. The customer may not oppose without having a legitimate interest of its own which prevails over the interests of Quanos.

6. Supervisory rights of the customer

6.1. The customer has the right, after consultation with Quanos, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The customer has the right to satisfy itself at Quanos’ business premises of Quanos’ compliance with this Data Processing Agreement by means of random checks, which are, as a rule, to be announced in good time.

6.2. Quanos shall ensure that the customer is able to verify compliance with the obligations of Quanos in accordance with Article 28 GDPR. Quanos undertakes to give the customer the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.

6.3. Evidence of such measures may be provided by

6.3.1 Compliance with approved codes of conduct pursuant to Article 40 GDPR;

6.3.2 Certification according to an approved certification procedure in accordance with Article 42 GDPR;

6.3.3 Current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data privacy auditor, quality auditor);

6.3.4 A suitable certification by IT security or data protection auditing (e.g. according to BSI-Grundschutz (IT baseline protection certification developed by the German Federal Office for Security in Information Technology (BSI)) or ISO/IEC 27001).

6.4. Quanos may claim remuneration for enabling customer inspections.

7. Deletion and return of personal data

7.1. Copies or duplicates of the data shall not be created without the knowledge of the customer, with the exception of (i) backup copies as far as they are necessary to ensure appropriate data processing, and (ii) retention of data required to meet statutory data retention laws.

7.2. After having completed the services owed by the Distributor under the Main Agreement, or earlier upon request by the customer, Quanos shall hand over to the customer or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the Main Agreement that have come into its possession, in a data-protection compliant manner. The log of the destruction or deletion shall be provided on request. Quanos’s obligations under this Section 7.2 do not apply to the extent that Union or EU Member State law requires storage of the personal data.

7.3. Documentation which is used to demonstrate data processing in accordance with this Data Processing Agreement shall be stored beyond the contract duration by Quanos in accordance with the respective retention periods. Quanos may hand such documentation over to the customer at the end of the contract duration to relieve Quanos of this contractual obligation.

8. Terms of processing; termination

The duration of this Data Processing Agreement corresponds to the term of the Main Agreement and includes the term after termination of the Main Agreement until full return or deletion of the personal data which have been provided by the customer to Quanos in connection with the performance of the Main Agreement. This does not affect the right to terminate this Data Processing Agreement with good cause.

9. General provisions

9.1. This Data Processing Agreement shall be governed by and construed in accordance with German law, with the exception of its conflict of laws rules. Place of performance and jurisdiction is Starnberg, Germany.

9.2. Any amendments or additions to this Data Processing Agreement, including this Section 9.2, require written form.

9.3. Should certain provisions of this Data Processing Agreement be or become invalid, this shall not affect the validity of the remaining provisions. The invalid provision shall be deemed to be replaced by a provision that comes as close as possible to fulfilling the economic intent and purpose of the invalid provision. The same applies to any loopholes in the Data Processing Agreement.


Appendix 1: Nature and Purpose of Processing, Subject Matter of Processing, Type of Data, Categories of Data Subjects

Appendix 2: Technical and Organizational Measures

Appendix 3: Subcontractors



Appendix 1: Nature and Purpose of Processing, Subject Matter of Processing, Type of Data, Categories of Data Subjects

Categories of data subjects

In particular:

  • Users of the software (in particular employees of customer)
  • Employees of customer’s business partners

Type of data

  • Contact Data
  • Data on the use of the software (protocol data)


Quanos and sub-processors

Nature and purpose of processing

Rendering IT services, including support services

Appendix 2: Technical and Organizational Measures

If personal data is processed or used automatically, the internal company organisation must be designed such that it meets the specific data protection requirements. This includes implementing measures that are suitable based on the type of personal data or data categories requiring protection. Quanos Service Solutions GmbH ensures that the following measures are implemented:


1 Confidentiality (Article 32(1)(b) GDPR)

1.1 Entry control

Measures that prevent unauthorised access to data processing equipment

  • Key management for employees; controlled entry to offices
  • Defined entry authorisations for the server room
  • Rules for visitors and maintenance personnel

1.2 Access control

Measures that prevent unauthorised persons from being able to use data processing equipment

  • Control of access to data processing systems by means of a user and authorisation concept ("principle of least privilege")
  • Assignment of personalised user accounts with appropriate password guidelines (minimum password length ten characters, complexity requirements, regularly changed)
  • Access blocked after ten unsuccessful log-in attempts
  • Workstations are locked when employees leave the workplace (automatic after 15 minutes or manual lock with reactivation password)
  • Administrator accesses are documented and stored securely
  • Login and logout processes are logged
  • Implementation of a firewall (including an intrusion prevention system), spam filter and anti-virus software
  • Encryption of mobile data carriers/smartphones

1.3 Data access control

Measures that prevent unauthorised reading, copying, modification or deletion within the system

  • Assignment of access rights according to user group
  • Authorisation concepts and needs-based access rights ("principle of least privilege")
  • Annual review of access controls
  • Destruction of written documents no longer required, in accordance with DIN 66399 security level P3 (paper)
  • Irreversible erasure/destruction of electronic data carriers once out of service

1.4 Separation control

Measures to separate processing of data that has been collected for different purposes

  • IT systems with multi-client capability
  • Separation of development environment and production environment
  • Access authorisations in accordance with functional responsibility

1.5 Pseudonymisation (Article 32(1)(a) GDPR; Article 25(1) GDPR)

The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without referring to additional information, provided that this additional information is stored separately and is subject to adequate technical and organisational measures

  • Not relevant to the contract


2 Integrity (Article 32(1)(b) GDPR)

2.1 Transfer control

Measures that prevent unauthorised reading, copying, modification or deletion during electronic transfer or transport

  • Transfer of data by electronic means in accordance with the capabilities of the Customer
  • Remote maintenance concept
  • Logging of data transmission or data transport
  • Encrypted data connections (VPN, SFTP, HTTPS)

2.2 Data entry control

Determination of whether personal data has been entered, modified or deleted in the data processing systems, and by whom

  • Control of organisational responsibilities
  • System-based logging
  • Control of access authorisations to log data


3 Availability and resilience (Article 32(1)(b) GDPR)

3.1 Availability control

Measures to protect against accidental or malicious loss or destruction

  • Redundant data storage (e.g. RAID)
  • Backup Internet connection
  • Uninterruptible power supply (UPS)
  • Fire extinguishers/fire alarms
  • Backup strategy
  • Secure storage of backup media (e.g. fire-proof/anti-theft safe)
  • Regular installation of security updates
  • Temperature-controlled server room
  • Reporting channels and disaster recovery plans
  • Rapid recoverability (Article 32(1)(c) GDPR)
  • Cloud services


4 Process for regular testing, assessment and evaluation (Article 32(1)(d) GDPR; Article 25(1) GDPR)

4.1 Data protection management

Measures that ensure a structure is in place that satisfies the fundamental legal data protection requirements

  • Guidelines/instructions to ensure the implementation of technical and organisational data security measures
  • Appointment of a data protection officer
  • Obligating employees to maintain confidentiality (data secrecy)
  • Providing adequate training on data protection matters to employees
  • Maintaining an overview of processing activities (Article 30 GDPR)
  • Performing data protection impact assessments where required (Article 35 GDPR)
  • Periodic review by data protection officer

4.2 Incident response management

Measures that ensure a reporting process is triggered in the event of data protection breaches

  • Reporting process for breaches of contract and data protection with respect to the Customer in accordance with Article 28(3)(3), Article 33 and Article 34 GDPR
  • Reporting process for data protection breaches in accordance with Article 4(12) GDPR with respect to the supervisory authorities
  • Support for the Customer during the reporting process for data protection breaches in accordance with Article 4(12) GDPR with respect to the supervisory authorities (Article 33 GDPR)

4.3 Default privacy settings

Measures that ensure that as a default the minimum possible data is collected, saved and shared

  • Privacy by design
  • Privacy by default

4.4 Contract control

Measures that ensure personal data is only processed in accordance with the Customer's instructions

  • Sub-contractors with written data protection agreements in accordance with Article 28 GDPR
  • Agreement on Commissioned Processing with provisions on the rights and obligations of the Contractor and Customer
  • Appointment of contact persons and/or responsible employees
  • Obligating employees to maintain data secrecy
  • Formal contract management system
  • Standardised contract management system to control service providers

Appendix 3: Subcontractors

Subcontractor incl. address: Specification of services

  • PlusServer GmbH, Hohenzollernring 72, 50672 Köln: Server hosting
  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen: Server hosting
  • TeamViewer AG, Bahnhofsplatz 2, 73033 Göppingen: Software for remote maintenance
  • Host Europe GmbH, Hansestraße 111, 51149 Köln: Hosting prototype catalogues, hosting Partner Portal, hosting FTP server, E-Mail service for spare parts catalogues