1. SUBJECT OF THE CONTRACT AND CONTENTS OF THE ORDER

1.1.  The subject matter of the contract is derived from the agreement concluded between the parties on the provision of software for access via the Internet (SaaS) and/or the provision of maintenance, support, and/or IT services by Quanos (hereinafter “Contractor”) to the Client (hereinafter “Client”), to which reference is made herein (hereinafter “Main Contract”). This contract for data processing (the “Contract”) shall apply to all activities related to data processing in the provision of services pursuant to the Main Contract and during which the Contractor may come into contact with personal data transmitted or disclosed to the Contractor by the Client.

1.2. The type of data processed, the categories of data subjects and the type and purpose of the collection, processing, and use of personal data by the Contractor for the Client are specified in detail in Annex 1 to this Contract.

1.3. Unless expressly stated otherwise in this Contract, provision of the contractually agreed data processing takes place exclusively in Germany, a European Union (EU) Member State, or another country party to the Agreement on the European Economic Area (EEA). Any transfer to a third country shall only take place if the special requirements of Art. 44 et seq. GDPR are fulfilled.

2. TECHNICAL AND ORGANIZATIONAL MEASURES

2.1. The Contractor shall establish security in accordance with Art. 28 Para. 3, lit. c, 32 GDPR, in particular in connection with Art. 5 Para. 1 and Para. 2 GDPR. As a whole, the measures to be executed are measures for data protection and measures to guarantee a protection level appropriate to the risk in terms of confidentiality, integrity, availability, and capacity of the systems. The state of the art, the implementation costs, and the type, scope, and purpose of the processing, as well as the varying probability of occurrence and severity of the risk for the rights and freedoms of natural persons within the meaning of Art. 32 Para. 1 GDPR must thereby be considered. The Contractor documents the individual measures in a plan of action in Annex 2.

2.2. The technical and organizational measures are subject to technical progress and development. The Contractor is therefore permitted to implement adequate alternative measures. The security level of the specified measures shall thereby not fall below the minimum requirement. Substantial changes must be documented.

2.3. The Contractor shall regularly monitor the internal processes and the technical and organizational measures to ensure that processing within Contractor's area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.

3. RECTIFICATION, RESTRICTION, AND DELETION OF DATA; RIGHTS OF THE DATA SUBJECT

3.1. The Contractor shall not modify or delete data that is processed in the order or restrict its processing on their own authority, and shall only do so after receiving documented instructions from the Client. Should a data subject contact the Contractor directly in this respect, the Contractor will immediately forward this request to the Client.

3.2. The Contractor shall assist the Client with suitable technical and organizational measures to ensure the rights of data subjects with regards to data deletion, rectification, portability, and information. The Contractor may claim compensation for support services that are not owed under the Main Contract.

4. QUALITY ASSURANCE AND OTHER DUTIES OF THE CONTRACTOR

4.1. In performing the work, the Contractor shall only use employees who have been obliged to maintain confidentiality. The Contractor shall only process the data in accordance with the instructions issued by the Client, including the authorizations granted in this Contract and in the Main Contract, unless the Contractor is legally obliged to process the data. The Client shall confirm verbal instructions immediately (in text form as a minimum). The Contractor must inform the Client immediately if the Contractor believes that an instruction violates data protection regulations. The Contractor is entitled to suspend implementation of the corresponding instruction until it is confirmed or modified by the Client.

4.2. The Contractor shall assist the Client in complying with the obligations set out in Art. 32-36 GDPR regarding the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments, and prior consultations. This includes:

4.2.1. The obligation to immediately report breaches of personal data to the Client;

4.2.2. The obligation to support the Client within the scope of their duty to inform data subjects and to make all relevant information available to the data subject in this context without delay;

4.2.3. Supporting the Client in their data protection impact assessment;

4.2.4. Supporting the Client within the framework of prior consultations with the supervisory authority.

4.3. The Contractor may claim compensation for support services that are not included in the service description of the Main Contract, or that cannot be attributed to a failure on the part of the Contractor.

5. SUBCONTRACTING RELATIONSHIPS

5.1. For the purpose of this provision, subcontracting relationships are services that relate directly to the provision of the main service. These do not include secondary services that the Contractor uses, e.g., in the form of telecommunication services, post/transport services, maintenance and user services, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity, and capacity of the hardware and software of data processing systems. However, the Contractor is obliged to use appropriate and lawful contractual agreements and control measures to guarantee the data protection and data privacy of the Client's data, even in the case of outsourced secondary services.

5.2. The Contractor is entitled to engage subcontractors based within the EU or the EEA, provided that the Contractor concludes a contractual agreement with the subcontractor in accordance with Art. 28 Para. 4 GDPR.

5.3. Subject to the condition specified in clause 5.2, the Client hereby permits the Contractor to engage the companies specified in Annex 3 as subcontractors.

5.4. The Contractor shall inform the Client in advance of any intended change in relation to the addition or replacement of subcontractors. The Client can submit an objection to this change to the Contractor within 14 days of receipt of the information by the Client. If no objection is forthcoming within this period, consent to the change is deemed to have been granted. An objection shall not be made unless an interest of the Client outweighs the interests of the Contractor.

6. CONTROL RIGHTS OF THE CLIENT

6.1. The Client has the right, in consultation with the Contractor, to carry out reviews or have reviews carried out by inspectors named on a case-by-case basis. The Client has the right to satisfy themselves of the Contractor's compliance with this Contract within their business operations by means of random checks, whereby notification of such checks shall be provided in a timely manner.

6.2. The Contractor shall ensure that the Client is able to satisfy themselves of the former's compliance with the obligations in accordance with Art. 28 GDPR. The Contractor is obliged to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.

6.3. Evidence of such measures, which do not only relate to the specific order, can be provided by:

6.3.1 Compliance with approved rules of conduct in accordance with Art. 40 GDPR;

6.3.2 Certification per an approved certification process in accordance with Art. 42 GDPR;

6.3.3 Current attestations, reports or report extracts from independent entities (e.g., auditors, audits, data protection officers, IT security departments, data protection auditors, quality auditors);

6.3.4 Suitable certification by means of IT security or data protection audits (e.g., in accordance with BSI Baseline Protection or ISO/IEC 27001).

6.4. The Contractor can assert a claim for compensation for facilitating inspections by the Client.

7. DELETION AND RETURN OF PERSONAL DATA

7.1. Copies or duplicates of data shall not be produced without the knowledge of the Client. Exceptions are backup copies, if these are necessary to guarantee proper data processing, and data that is necessary in terms of compliance with statutory retention obligations.

7.2. Following completion of the contractually agreed work or earlier upon request by the Client (and at the latest upon termination of the Main Contract) the Contractor must hand over all documents, processing and usage results produced, and databases that the Contractor obtains in connection with the contractual relationship with the Client, or destroy these items in accordance with data protection law after obtaining prior permission. The deletion log must be presented on request. The obligations of the Contractor according to this clause 7.2 do not apply if there is an obligation to store the personal data under European Union or Member State law.

7.3. Documentation that serves as proof of the order-related data processing must be retained by the Contractor in accordance with the respective retention periods beyond the end of the Contract. The Contractor can transfer this to the Client for the Contractor’s discharge at the end of the Contract.

8. ORDER PERIOD, TERMINATION

The term of this Contract corresponds to the term of the Main Contract and also includes the period after the end of the Main Contract until complete return or deletion of the data provided to the Contractor by the Client in connection with the execution of the Main Contract. The right of each party to terminate the Contract with good reason shall not be affected.

9. MISCELLANEOUS

9.1. The Contract shall be governed by German law, excluding the provisions of private international law which would lead to the application of a different law.

9.2. The exclusive place of jurisdiction for all disputes arising from or in connection with the Contract is Nuremberg. Quanos is also entitled to take legal action at the Customer's place of business or at any other competent court.

9.3. No verbal agreements have been made.

9.4. Should individual provisions of the Contract be or become totally or partly ineffective, this shall not affect the validity of the remaining provisions. In such cases, both parties undertake to replace any invalid provision with a provision that reflects insofar as possible the commercial purpose of the invalid provision. The same applies to any loopholes in the Contract.


APPENDICES:

Annex 1: Type and purpose of processing, object of processing, type of data, group of data subjects

Annex 2: Technical and organizational measures

Annex 3: Subcontracting relationships

Annex 1: Type and purpose of processing, object of processing, type of data, group of data subjects

Data subjects and data subject groups

In particular:

  • Users of the software (in particular employees of the Client)
  • Employees of the Customer’s business partners

Type of data or categories of data

  • Contact Details
  • Data about the use of the contractual software (log data)

Recipients

Contractors and subcontractors

Type and purpose of processing

  • Provision of software for access via the internet (SaaS)
  • Provision of IT services, in particular support and IT services

Annex 2: TECHNICAL AND ORGANIZATIONAL MEASURES

If personal data is processed or used automatically, the internal company organisation must be designed such that it meets the specific data protection requirements. This includes implementing measures that are suitable based on the type of personal data or data categories requiring protection. Quanos Service Solutions GmbH ensures that the following measures are implemented:


1 Confidentiality (Article 32(1)(b) GDPR)

1.1 Entry control

Measures that prevent unauthorised access to data processing equipment

  • Key management for employees; controlled entry to offices
  • Defined entry authorisations for the server room
  • Rules for visitors and maintenance personnel

1.2 Access control

Measures that prevent unauthorised persons from being able to use data processing equipment

  • Control of access to data processing systems by means of a user and authorisation concept ("principle of least privilege")
  • Assignment of personalised user accounts with appropriate password guidelines (minimum password length ten characters, complexity requirements, regularly changed)
  • Access blocked after ten unsuccessful log-in attempts
  • Workstations are locked when employees leave the workplace (automatic after 15 minutes or manual lock with reactivation password)
  • Administrator accesses are documented and stored securely
  • Login and logout processes are logged
  • Implementation of a firewall (including an intrusion prevention system), spam filter and anti-virus software
  • Encryption of mobile data carriers/smartphones

1.3 Data access control

Measures that prevent unauthorised reading, copying, modification or deletion within the system

  • Assignment of access rights according to user group
  • Authorisation concepts and needs-based access rights ("principle of least privilege")
  • Annual review of access controls
  • Destruction of written documents no longer required, in accordance with DIN 66399 security level P3 (paper)
  • Irreversible erasure/destruction of electronic data carriers once out of service

1.4 Separation control

Measures to separate processing of data that has been collected for different purposes

  • IT systems with multi-client capability
  • Separation of development environment and production environment
  • Access authorisations in accordance with functional responsibility

1.5 Pseudonymisation (Article 32(1)(a) GDPR; Article 25(1) GDPR)

The processing of personal data in such a manner that the data can no longer be attributed to a specific data subject without referring to additional information, provided that this additional information is stored separately and is subject to adequate technical and organisational measures

  • Not relevant to the contract


2 Integrity (Article 32(1)(b) GDPR)

2.1 Transfer control

Measures that prevent unauthorised reading, copying, modification or deletion during electronic transfer or transport

  • Transfer of data by electronic means in accordance with the capabilities of the Customer
  • Remote maintenance concept
  • Logging of data transmission or data transport
  • Encrypted data connections (VPN, SFTP, HTTPS)

2.2 Data entry control

Determination of whether personal data has been entered, modified or deleted in the data processing systems, and by whom

  • Control of organisational responsibilities
  • System-based logging
  • Control of access authorisations to log data


3 Availability and resilience (Article 32(1)(b) GDPR)

3.1 Availability control

Measures to protect against accidental or malicious loss or destruction

  • Redundant data storage (e.g. RAID)
  • Backup Internet connection
  • Uninterruptible power supply (UPS)
  • Fire extinguishers/fire alarms
  • Backup strategy
  • Secure storage of backup media (e.g. fire-proof/anti-theft safe)
  • Regular installation of security updates
  • Temperature-controlled server room
  • Reporting channels and disaster recovery plans
  • Rapid recoverability (Article 32(1)(c) GDPR)
  • Cloud services


4 Process for regular testing, assessment and evaluation (Article 32(1)(d) GDPR; Article 25(1) GDPR)

4.1 Data protection management

Measures that ensure a structure is in place that satisfies the fundamental legal data protection requirements

  • Guidelines/instructions to ensure the implementation of technical and organisational data security measures
  • Appointment of a data protection officer
  • Obligating employees to maintain confidentiality (data secrecy)
  • Providing adequate training on data protection matters to employees
  • Maintaining an overview of processing activities (Article 30 GDPR)
  • Performing data protection impact assessments where required (Article 35 GDPR)
  • Periodic review by data protection officer

4.2 Incident response management

Measures that ensure a reporting process is triggered in the event of data protection breaches

  • Reporting process for breaches of contract and data protection with respect to the Customer in accordance with Article 28(3)(3), Article 33 and Article 34 GDPR
  • Reporting process for data protection breaches in accordance with Article 4(12) GDPR with respect to the supervisory authorities
  • Support for the Customer during the reporting process for data protection breaches in accordance with Article 4(12) GDPR with respect to the supervisory authorities (Article 33 GDPR)

4.3 Default privacy settings

Measures that ensure that as a default the minimum possible data is collected, saved and shared

  • Privacy by design
  • Privacy by default

4.4 Contract control

Measures that ensure personal data is only processed in accordance with the Customer's instructions

  • Sub-contractors with written data protection agreements in accordance with Article 28 GDPR
  • Agreement on Commissioned Processing with provisions on the rights and obligations of the Contractor and Customer
  • Appointment of contact persons and/or responsible employees
  • Obligating employees to maintain data secrecy
  • Formal contract management system
  • Standardised contract management system to control service providers

Annex 3: Subcontracting relationships

Subcontractor including address: Service description

  • PlusServer GmbH, Hohenzollernring 72, 50672 Cologne, Germany: Server hosting
  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany: Server hosting
  • IONOS SE, Elgendorfer Str. 57, 56410 Montabaur, Germany: Server hosting
  • noris network AG, Thomas-Mann-Straße 16-20, 90471 Nürnberg, Germany: Server hosting
  • TeamViewer AG, Bahnhofsplatz 2, 73033 Göppingen, Germany: Software for remote maintenance
  • Host Europe GmbH, Hansestraße 111, 51149 Cologne, Germany: Hosting prototype catalogs, hosting partner portal, hosting FTP server