DPA

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the main agreement ("Agreement") between Oktus GmbH ("Oktus", "we", "us", or "our") and the customer ("Customer") for the provision of services by Oktus (the "Services") as defined in the Agreement. All annexes and attachments mentioned in the following agreement can be found in the original, pre-signed document.

The contracting parties have entered into a commissioned processing relationship by way of the service agreement. In order to specify the resulting rights and obligations in accordance with the provisions of the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC - GDPR) and the German Federal Data Protection Act (BDSG), the contracting parties conclude the following agreement.

The agreement applies to:

  • Collecting
  • Recording
  • Organizing
  • Arranging
  • Storing
  • Adapting
  • Reading out
  • Querying
  • Modifying
  • Using
  • Disclosing
  • Disseminating
  • Restricting
  • Deleting
  • Destroying
  • Comparing and linking

(hereinafter: processing) of all personal data (hereinafter: data) that is the subject of the service agreement or that arises in the course of its implementation or becomes known to the processor. The scope of application does not include data of employees of the processor, insofar as they relate exclusively to the employment relationship with the processor.

(1) The subject matter and duration of the commissioned processing as well as the scope, type and purpose of the intended processing of data shall be determined by the service agreement.

(2) The following types or categories of data are subject to processing by the processor:

  • Personal master data
  • Payment data
  • Communication data
  • Address data
  • Contract data
  • Dates and times
  • Behavioral data
  • Location data
  • Image and video data
  • Planning / control data
  • Identification numbers

(3) The group of persons affected by the handling of their data is limited to employees of the company where it is necessary to process data within the scope of the agreement.

(1) The contracting parties shall be responsible for compliance with the provisions of data protection law. The Controller may at any time request the disclosure, rectification, adaptation, erasure and restriction of the processing of the data.

(2) In order to ensure the protection of the rights of the data subjects, the Processor shall provide appropriate support to the Controller, in particular by ensuring appropriate technical and organizational measures.

(3) If a data subject contacts the Processor directly to assert a data subject right, the Processor shall forward this request to the Controller without undue delay.

(4) The processor may only process data in accordance with the controller's instructions, unless the processor is obliged to do so by Union or Member State law to which the processor is subject (e.g. investigations by law enforcement or state security authorities); in such a case, the processor shall notify the controller of these legal requirements prior to processing, unless the law in question prohibits such notification on grounds of important public interest (Art. 28 para. 3 sentence 2 lit. a GDPR). An instruction is a written, electronic or verbal order issued by the controller to the processor to handle data in a certain way. The instructions must be documented. The instructions are initially defined by the service agreement and can then be amended, supplemented or replaced by the controller in documented form by means of an individual instruction.

(5) The processor shall inform the controller immediately if it is of the opinion that an instruction violates data protection regulations. The processor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the controller.

(6) Changes to the subject matter of the processing that involve procedural changes must be jointly agreed and documented. The processor may only provide information to third parties or the data subject with the prior express written consent of the controller. The processor shall not use the data for any other purposes and, in particular, shall not be entitled to pass them on to third parties. Copies and duplicates for third parties shall not be created without the knowledge of the controller.

(7) The controller shall keep a record of processing activities within the meaning of Art. 30 (1) GDPR. The processor shall provide the controller with information for inclusion in the register at the request of the controller. The processor shall keep a record of all categories of processing activities carried out on behalf of the controller in accordance with the requirements of Art. 30 para. 2 GDPR.

(8) The processing of data on behalf of the controller shall take place exclusively on the territory of the European Union. Processing in a country outside the territory referred to in sentence 1 is only permitted if it is ensured that the level of protection guaranteed by the GDPR is not undermined, taking into account the requirements of Chapter V of the GDPR, and requires the prior express written consent of the controller. The basic requirements for the lawfulness of the processing remain unaffected.

(9) The processor shall ensure that natural persons under its authority who have access to data only process it on the instructions of the controller. Any processing of data outside the premises of the processor (e.g. teleworking, working from home, home office, mobile working) requires the prior express written consent of the controller, which can only be granted after appropriate technical and organizational measures for the processing situation have been defined.

(1) The processor shall ensure that the persons authorized to process the data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality and shall provide evidence of this to the controller upon request. This shall also include instruction on the requirement to act only on the controller's instructions and on the purpose limitation that apply in this commissioned processing relationship.

(2) The contracting parties shall support each other in proving and documenting their accountability with regard to the principles of proper data processing, including the implementation of the necessary technical and organizational measures (Art. 5 para. 2, Art. 24 para. 1 GDPR). The processor shall provide the controller with appropriate information on this if required.

(3) The Processor shall appoint a data protection officer who shall carry out his/her activities in accordance with the statutory provisions. The contact details of the data protection officer shall be communicated to the controller for the purpose of direct contact.

(4) The Processor shall inform the Controller without undue delay of any inspections and measures by the supervisory authorities or if a supervisory authority, within the scope of its competence, inquires, investigates or makes other inquiries with the Processor.

(1) The contracting parties agree on the specific technical and organizational security measures set out in the Annex “Technical and Organizational Measures” to this Agreement. The Annex is the subject of this Agreement.

(2) Technical and organizational measures are subject to technical progress. In this respect, the Processor is permitted to implement alternative adequate measures. In doing so, the security level of the measures specified in the Annex “Technical and Organizational Measures” may not be undercut. Significant changes must be documented.

(3) The Processor shall provide the Controller with all information necessary to demonstrate compliance with the provisions of this Agreement and the legal requirements. In particular, it shall facilitate audits/inspections carried out by the Controller or another auditor commissioned by the Controller and support their implementation. Proof of the implementation of such measures, which do not only concern the specific order, can also be provided by submitting a current certificate, reports from sufficiently qualified and independent bodies (e.g. auditors, independent data protection auditors), by compliance with approved codes of conduct in accordance with Art. 40 GDPR, certification in accordance with Art. 42 GDPR or suitable certification through IT security or data protection audits (e.g. in accordance with BSI IT-Grundschutz). The processor undertakes to inform the controller immediately of the exclusion from approved codes of conduct pursuant to Art. 41 para. 4 GDPR, the revocation of a certification pursuant to Art. 42 para. 7 GDPR and any other form of revocation or significant change to the aforementioned evidence.

(4) The controller may, at any time during normal business hours, inspect the adequacy of the measures taken to comply with the legal requirements or the technical and organizational requirements necessary for the performance of this contract at the processor's premises for inspection purposes without disrupting operations.

(5) In addition, the Processor shall provide the Controller with all information necessary for the audits pursuant to paragraph 4 and for an assessment of the consequences of the intended processing operations for the protection of the data (data protection impact assessment within the meaning of Art. 35 GDPR).

(6) The processor shall, in consultation with the controller, take all necessary measures to safeguard the data or the security of the processing, in particular also taking into account the state of the art, and to mitigate possible adverse consequences for data subjects.

The processor shall inform the controller immediately in the event of serious disruptions to its operations, suspected violations of this agreement and statutory data protection provisions, violations of such provisions or other irregularities in the processing of the controller's data. This applies in particular with regard to the reporting obligation pursuant to Art. 33 para. 2 GDPR and corresponding obligations of the controller pursuant to Art. 33 and Art. 34 GDPR. The processor assures to support the controller appropriately, if necessary, in its obligations under Art. 33 and 34 GDPR. The Processor may only carry out notifications for the Controller pursuant to Art. 33 or 34 GDPR following prior instruction in accordance with § 3 of this Agreement.

(1) Data carriers and data records provided shall remain the property of the Controller.

(2) After completion of the contractually agreed services or earlier at the request of the Controller, but at the latest upon termination of the service agreement, the Processor shall hand over to the Controller all documents, processing and usage results and data sets (as well as copies or reproductions made thereof) that have come into its possession in connection with the contractual relationship or, with the prior consent of the Controller, destroy them in accordance with data protection regulations. The same applies to test and scrap material. A deletion log shall be submitted to the Controller upon request.

(3) The processor may retain documentation that serves as proof of proper data processing in accordance with the respective retention periods until the end of the retention period, even beyond the end of the contract. Alternatively, it may hand them over to the controller at the end of the contract to relieve the controller. The obligations under paragraph 2 shall apply to the data stored in accordance with sentence 1 after the end of the retention period.

(1) The processor may only use other processors (subcontractors) with the prior express written consent of the controller. The subcontractors engaged for the performance of this contract are listed in detail in the Subcontractors Annex. The controller agrees to their commissioning. If this is a general written approval, the Processor shall inform the Controller immediately of any intended change with regard to the involvement or replacement of subcontractors. The Controller may object to such changes. Services provided by subcontractors within the meaning of this provision shall not include services that the Processor uses from third parties as an ancillary service to support the execution of the order, such as telecommunications services. However, the processor is obliged to make appropriate and legally compliant contractual agreements and to take control measures to ensure the protection and security of the controller's data, even in the case of outsourced ancillary services.

(2) If subcontractors are engaged by the Processor, the Processor shall ensure that its contractual agreements with the subcontractor are designed in such a way that the level of data protection at least corresponds to the agreement between the Controller and the Processor and that all contractual and legal requirements are observed; this shall also apply in particular with regard to the use of appropriate technical and organizational measures to ensure an appropriate level of security of the processing.

(3) The controller shall be granted control and inspection rights in the contractual agreement with the subcontractor in accordance with this agreement. The controller shall also be entitled, upon written request, to obtain information from the processor about the content of the contract concluded with the subcontractor and the implementation of the subcontractor's data protection obligations contained therein.

(4) If the subcontractor fails to comply with its obligations under data protection law, the processor shall be liable to the controller for the subcontractor's compliance with its obligations. In this case, the processor shall, at the request of the controller, end the engagement of the subcontractor in whole or in part or terminate the contractual relationship with the subcontractor if and to the extent that this is not disproportionate.

The processor undertakes to grant the data protection officer(s) of the controller and the competent supervisory authority access at any time during normal business hours in order to fulfill their respective legally assigned tasks in connection with this order. In addition to the statutory data protection supervision applicable to it, the Processor shall submit to the control of the data protection supervision applicable to the Controller and to the control by the Controller's data protection officer(s), with the exception of those areas that have no relation to the performance of the contract. In particular, it shall tolerate the right of access, inspection and questioning of the aforementioned, including access to documents protected by professional secrecy. It shall instruct its employees to cooperate with the named parties, in particular to answer their questions truthfully and completely. The existing statutory duties of confidentiality and rights to refuse to testify of the named persons remain unaffected.

(1) Amendments and supplements to this Annex and all its components - including any assurances given by the Processor - shall require a written agreement and an express reference to the fact that this is an amendment or supplement to these Terms and Conditions. This also applies to the waiver of this formal requirement.

(2) Should individual provisions of this agreement be invalid or unenforceable, this shall not affect the validity of the remaining provisions. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision whose effects come closest to the objective pursued by the contracting parties with the invalid or unenforceable provision. The above provisions shall apply accordingly in the event that the agreement proves to be incomplete.

If you have any questions about this DPA or data processing by Oktus, please contact legal@oktus.io.