1.1. The subject matter of this agreement is set forth in the agreement on the licensing of software and IT services, maintenance and support concluded between Quanos Service Solutions GmbH (“Quanos”) and the customer (“Main Agreement”). This Agreement on Data Processing (“Data Processing Agreement”) specifies the parties’ duties under data protection law and applies to all services that relate to the commissioned data processing and in the course of which Quanos or its personnel may come into contact with personal data provided to Quanos by the customer.
1.2. The type of data processed, the categories of data subjects, and the nature and purpose of the processing of personal data by Quanos on behalf of the customer are defined in Appendix 1.
1.3. Unless provided otherwise in this Data Processing Agreement, any data processing owed under this Data Processing Agreement shall take place in Germany, in another member state of the European Union (EU) or in another member state of the European Economic Area (EEA). Any processing in a third country is subject to the specific requirements set forth in Art. 44 et seqq. GDPR.
2.1. Quanos shall establish measures in accordance with Article 28 (3) c, and Article 32 GDPR in particular in conjunction with Article 5 GDPR. The measures to be taken are measures of data security and measures that guarantee an appropriate data protection level taking account of risks for confidentiality, integrity, availability and resilience of systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk for the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR must be taken into account. The measures taken by Quanos are specified in Appendix 2.
2.2. The technical and organizational measures are subject to technical progress and further development. In this respect, Quanos may implement alternative adequate measures. However, the security level of the defined measures shall not be reduced. Substantial changes must be documented.
2.3. Quanos shall regularly review its internal processes as well as the technical and organizational measures in order to ensure that the data processing within its responsibility is carried out in accordance with the applicable data protection laws and that the rights of the data subjects are protected.
3.1. Quanos may not on its own authority modify or delete the data that is being processed on behalf of the customer, or restrict the processing of such data, but only on documented instructions from the customer. In the event that a data subject contacts Quanos directly concerning a modification or deletion of data, or restriction of processing, Quanos shall immediately forward the data subject’s request to the customer.
3.2. To the extent included in the scope of services, the data deletion policy, ‘right to be forgotten’, rectification, data portability and access shall be ensured by Quanos in accordance with documented instructions from the customer. Quanos may request payment of fees for assistance which is not owed under the Main Agreement.
4.1. Quanos shall entrust the data processing described in this Data Processing Agreement only to employees who have been bound to confidentiality. Unless required by law to process the data, Quanos shall process the data only on instructions from the customer, which include the processing permitted under this Data Processing Agreement and the Main Agreement. The customer shall immediately confirm oral instructions (at a minimum in text form). Quanos shall inform the customer immediately if Quanos considers that an instruction violates data protection law. Quanos shall then be entitled to suspend the execution of the relevant instruction until the customer confirms or changes it.
4.2. Quanos shall assist the customer in complying with the obligations concerning the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as stipulated in Articles 32 through 36 GDPR. These include:
4.2.1. The obligation to report a personal data breach immediately to the customer;
4.2.2. The obligation to assist the customer with regard to the customer’s obligation to provide information to the data subject, and to immediately provide the customer with all relevant information in this regard;
4.2.3. Supporting the customer with its data protection impact assessment;
4.2.4. Supporting the customer regarding prior consultation with the supervisory authority.
4.3. Quanos may charge a fee for support which is not included in the description of services in the Main Agreement or which is caused by the customer’s misconduct.
5.1. Subcontracting for the purpose of this Data Processing Agreement is to be understood as services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. Quanos shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the customer's data, even in the case of outsourced ancillary services.
5.2. The customer herewith agrees that Quanos may engage sub-processors within the territory of the EU and/or EEA, provided that Quanos and the sub-processor conclude an agreement according to Article 28 (4) GDPR.
5.3. Subject to the condition set forth in Section 5.2, the customer herewith agrees that Quanos engages the companies listed in Appendix 3 as sub-contractors for the collection, processing and/or use of data.
5.4. Quanos shall notify the customer of any intended change with respect to the addition or replacement of sub-processors. The customer may object to such a change for good cause by giving notice within 14 days of receipt of the notification of change. If the customer does not object within that period, the change shall be deemed approved. The customer may not object without a legitimate interest of its own that prevails over the interests of Quanos.
6.1. The customer has the right, after consultation with Quanos, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. The customer has the right to satisfy itself, at Quanos’ business premises, of Quanos’ compliance with this Data Processing Agreement by means of spot checks, which as a rule are to be announced in good time.
6.2. Quanos shall ensure that the customer is able to verify compliance with the obligations of Quanos in accordance with Article 28 GDPR. Quanos undertakes to give the customer the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
6.3. Evidence of such measures may be provided by
6.3.1 Compliance with approved codes of conduct pursuant to Article 40 GDPR;
6.3.2 Certification according to an approved certification procedure in accordance with Article 42 GDPR;
6.3.3 Current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data privacy auditor, quality auditor);
6.3.4 A suitable certification by IT security or data protection auditing (e.g. according to BSI IT-Grundschutz (the IT baseline protection certification developed by the German Federal Office for Information Security (BSI)) or ISO/IEC 27001).
6.4. Quanos may claim remuneration for enabling customer inspections.
7.1. Copies or duplicates of the data shall not be created without the knowledge of the customer, with the exception of (i) backup copies as far as they are necessary to ensure appropriate data processing, and (ii) retention of data required to meet statutory data retention laws.
7.2. After completion of the services owed by Quanos under the Main Agreement, or earlier upon request by the customer, Quanos shall hand over to the customer or, subject to prior consent, destroy in a data-protection-compliant manner all documents, processing and utilization results, and data sets related to the Main Agreement that have come into its possession. The log of the destruction or deletion shall be provided on request. Quanos’ obligations under this Section 7.2 do not apply to the extent that Union or EU Member State law requires storage of the personal data.
7.3. Documentation which is used to demonstrate data processing in accordance with this Data Processing Agreement shall be stored beyond the contract duration by Quanos in accordance with the respective retention periods. Quanos may hand such documentation over to the customer at the end of the contract duration to relieve Quanos of this contractual obligation.
8. The duration of this Data Processing Agreement corresponds to the term of the Main Agreement and includes the period after termination of the Main Agreement until the full return or deletion of the personal data that the customer has provided to Quanos in connection with the performance of the Main Agreement. This does not affect the right to terminate this Data Processing Agreement for good cause.
9.1. This Data Processing Agreement shall be governed by and construed in accordance with German law, with the exception of its conflict of laws rules. Place of performance and jurisdiction is Starnberg, Germany.
9.2. Any amendments or additions to this Data Processing Agreement, including this Section 9.2, require written form.
9.3. Should certain provisions of this Data Processing Agreement be or become invalid, this shall not affect the validity of the remaining provisions. The invalid provision shall be deemed to be replaced by a provision that comes as close as possible to fulfilling the economic intent and purpose of the invalid provision. The same applies to any gaps in the Data Processing Agreement.
Appendix 1: Nature and Purpose of Processing, Subject Matter of Processing, Type of Data, Categories of Data Subjects
Appendix 2: Technical and Organizational Measures
Appendix 3: Subcontractors
Appendix 1: Nature and Purpose of Processing, Subject Matter of Processing, Type of Data, Categories of Data Subjects

Categories of data subjects | In particular: |
Type of data | Contact data; data on the use of the software (log data) |
Recipients | Quanos and sub-processors |
Nature and purpose of processing | Rendering IT services, including support services |
Appendix 2: Technical and Organizational Measures

If personal data is processed or used by automated means, the internal company organisation must be designed so that it meets the specific data protection requirements. This includes implementing measures that are suitable based on the type of personal data or data categories requiring protection. Quanos Service Solutions GmbH ensures that the following measures are implemented:
1 Confidentiality (Article 32(1)(b) GDPR)
1.1 Entry control
Measures that prevent unauthorised access to data processing equipment
1.2 Access control
Measures that prevent unauthorised persons from being able to use data processing equipment
1.3 Data access control
Measures that prevent unauthorised reading, copying, modification or deletion within the system
1.4 Separation control
Measures to separate processing of data that has been collected for different purposes
1.5 Pseudonymisation (Article 32(1)(a) GDPR; Article 25(1) GDPR)
The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without referring to additional information, provided that this additional information is stored separately and is subject to adequate technical and organisational measures
2 Integrity (Article 32(1)(b) GDPR)
2.1 Transfer control
Measures that prevent unauthorised reading, copying, modification or deletion during electronic transfer or transport
2.2 Data entry control
Determination of whether personal data has been entered, modified or deleted in the data processing systems, and by whom
3 Availability and resilience (Article 32(1)(b) GDPR)
3.1 Availability control
Measures to protect against accidental or malicious loss or destruction
4 Process for regular testing, assessment and evaluation (Article 32(1)(d) GDPR; Article 25(1) GDPR)
4.1 Data protection management
Measures that ensure a structure is in place that satisfies the fundamental legal data protection requirements
4.2 Incident response management
Measures that ensure a reporting process is triggered in the event of data protection breaches
4.3 Default privacy settings
Measures that ensure that as a default the minimum possible data is collected, saved and shared
4.4 Contract control
Measures that ensure personal data is only processed in accordance with the Customer's instructions
Appendix 3: Subcontractors

Subcontractor incl. address | Specification of services |
PlusServer GmbH, Hohenzollernring 72, 50672 Köln, Germany | Server hosting |
Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany | Server hosting |
TeamViewer AG, Bahnhofsplatz 2, 73033 Göppingen, Germany | Software for remote maintenance |
Host Europe GmbH, Hansestraße 111, 51149 Köln, Germany | Hosting of prototype catalogues, hosting of the Partner Portal, hosting of the FTP server, e-mail service for spare parts catalogues |