This supplementary agreement for contract processing supplements the General Terms and Conditions and the Data Protection Agreement on the ActNow applications (including mobile apps), which are completed between ActNow GmbH and the customer and updated from time to time. This supplementary agreement for the contract processing is an agreement between the customer (client) and ActNow GmbH (contractor).
(1) The contractor processes personal data on behalf of the client I.S.D. Article 4 (8) and Art. 28 of Regulation (EU) 2016/679 – Data Protection Basic Ordinance (DSGVO). This supplementary agreement regulates the rights and obligations of the parties in connection with the processing of personal data.
(2) If the term “data processing” or “processing” (of data) is used in this Supplementary Agreement, the definition of “processing” I.S.D. Art. 4 No. 2 DSGVO is based on.
2. Subject of the contract
The order of the client to the contractor includes the automated processing of data in the context of the application of the contractor. If necessary, the client recognizes personal data in the applications. ACTNOW GmbH captures this data and these are arranged, stored, modified, used, unpluged, provided, linked, and possibly deleted. In addition, the data can be further processed for statistical purposes and market comparison in anonymous form. The circle of persons affected by data processing includes the client and the employee of the client responsible for app development and operation.
3. Rights and obligations of the client
(1) The client is responsible I.S.. Art. 4 No. 7 DSGVO for the processing of data on behalf of the contractor. According to para. 4 para. 5, the contractor is the right to point out the client if one of his opinion is legally inadmissible data processing of the order and / or a directive.
(2) The client is responsible for the maintenance of concerned rights. The contractor will inform the client immediately if sufferers assert their affected rights to the contractor.
The client has the right to provide complementary instructions on the nature, scope and procedures of data processing at all times. Instructions must be carried out in text form (eg e-mail).
(4) Regulations on any compensation of additional up walls incurred by complementary instructions of the client at the contractor remain unaffected.
(5) The client informs the contractor immediately if he identifies errors or irregularities in connection with the processing of personal data by the contractor.
(6) In the event that an obligation to information relates to third parties under Article 33, 34 DSGVO or any other statutory obligation to report applicable to the client, the client is responsible for their compliance.
4. General obligations of the contractor
(1) The contractor processes personal data of the client exclusively within the framework of the agreements made and / or in compliance with the complementary instructions granted by the client. Excluded from this are legal regulations which, if necessary, oblige the contractor to another processing. In such a case, the contractor informs the client with these legal requirements before processing, provided that the law in question does not prohibit such a communication because of an important public interest. The purpose, nature and scope of data processing are otherwise depending on this supplementary agreement and / or the instructions of the client. A deviating processing of data is prohibited from the contractor, unless the client has agreed in writing.
(2) The contractor undertakes to carry out data processing on behalf of Member States of the European Union (EU) or the European Economic Area (EEA).
(3) The contractor shall ensure the supplementary agreement processing of all agreed measures in the field of contract processing of personal data.
(4) The contractor is obliged to make its company and its operations in such a way that the data he processed on behalf of the client is secured in the required extent and protected against unauthorized knowledge of third parties. The contractor will submit changes in the organization of data processing on behalf, which are considerable for the safety of the data, in advance with the client.
(5) The contractor shall inform the client immediately if a directive granted by the client infringes his view against legal regulations. The contractor is entitled to suspend the implementation of the instructions in question until it is confirmed or amended by the client. Insofar as the contractor can explain that processing according to the instructions of the client may lead to a liability of the contractor in accordance with Article 82 of DSGVO, the contractor is the right to suspend further processing to the extent to a clarification of liability between the parties.
(6) The contractor will process the data that it processes on behalf of the client separately from other data. Physical separation is not mandatory.
5. Reporting obligations of the contractor
(1) The contractor is obliged to inform the client of any breach of data protection regulations or against the agreements and / or the instructions given by the client, which takes place in the course of the processing of data by him or other persons employed by the processing persons, without delay . The same applies to any violation of the protection of personal data, which the contractor processes on behalf of the client.
(2) Furthermore, the contractor will inform the client immediately if a supervisory authority operates under Article 58 DSGVO compared to the contractor and this also can concerning a control of processing the contractor on behalf of the client.
(3) The contractor is aware that the client may provide a reporting obligation in the case of privacy violations under Article 33, 34 DSGVO, which provides for a notification to the supervisory authority within 72 hours of recognition. The contractor will support the client in the implementation of the reporting obligations. The contractor shall immediately inform the client of any unauthorized access to personal data, which are processed on behalf of the client, immediately, at the latest within 48 hours of knowledge of access. The notification of the contractor to the client must in particular contain the following information: a description of the type of infringement of the protection of personal data, as far as possible with the indication of the categories and the approximate number of persons concerned, the affected categories and the approximate number of persons related personal data sets; A description of the measures taken or proposed by the contractor to resolve the breach of the protection of personal data and, where appropriate, measures to mitigate their potential adverse effects.
6. Conducting obligations of the contractor
(1) The contractor shall support the client in its obligation to answer applications for perception of concerned rights under Art. 12-23 DSGVO. The regulations of para. 10 of this supplementary agreement apply.
(2) The contractor acts on the preparation of the directories of processing activities by the client. He must notify the client in the appropriate manner in this respect.
(3) The contractor shall support the client taking into account the type of processing and the information available to him in compliance with the obligations set out in Art. 32-36 DSGVO.
7. Control powers
(1) The client has the right to control compliance with the statutory provisions on data protection and / or compliance with the regulations taken between the parties and / or compliance with the client’s instructions by the contractor at any time.
(2) The contractor is obliged to the client for informational disclosure, insofar as this is necessary for the implementation of the control I.S.D. Paragraph 1.
(3) The client may require inspection into the data processed by the contractor for the client and into the data processing systems and programs used.
(4) The client may, after prior notification with a reasonable period, may take control within the meaning of paragraph 1 in the contractor’s permanent establishment at the usual business hours. The client will ensure that the controls are only carried out in the required extent to disproportionate the operations of the contractor by the controls.
(5) The contractor is obliged to grant the necessary information to the client in the case of measures of the supervisory authority to the client ISD Art. 58 DSGVO, in particular with regard to information and control obligations, and the responsible supervisory authority is an on-site control to enable. The client must be informed about appropriate planned measures from the contractor.
(1) The commissioning of subcontractors by the contractor is permitted.
(2) The contractor shall carefully select the subcontractor and to examine prior to commissioning that it can comply with the agreements made between clients and contractors. The contractor has to control in particular in advance and regularly during the duration of the contract that the subcontractor has made the technical and organizational measures required under Article 32 DSGVO to protect personal data. The result of the control must be documented by the contractor and to submit to the client on request.
(3) The contractor shall ensure that the regulations agreed in this supplementary agreement and, if necessary, supplementary instructions of the client also apply to the subcontractor.
(4) The contractor shall conclude a contract processing agreement with the subcontractor, which corresponds to the requirements of Art. 28 DSGVO. In addition, the contractor must order the subcontractor to impose the same obligations to protect personal data which are set between the client and the contractor. The contracting authority shall be submitted to the order data processing contract upon request in copy.
(5) The contractor is obliged in particular to ensure through contractual regulations that the control powers (point 7 of this supplementary agreement) of the client and regulatory authorities also apply to the subcontractor and appropriate control rights of clients and supervisory authorities are agreed. It is also contractual to regulate that the subcontractor has to tolerate these control measures and any on-site controls.
(6) Not as a subcontracting conditions I.S.D. Paragraphs 1 to 6 are to be regarded by the contractor in third parties as a pure additional benefit to exercise business activities. These include, for example, cleaning services, pure telecommunications services without concrete reference to services provided by the contractor for the client, postal and courier services, transport services, security services. The contractor is nevertheless obliged to ensure that adequate provisions and technical and organizational measures were taken to ensure that adequate provisions and technical and organizational measures were made to ensure the protection of personal data. The maintenance and maintenance of IT system or applications provides a subcontracting ratio and order processing of ISD Art. 28 DSGVO if the maintenance and examination concerns such IT systems which are also used in connection with the provision of services for the client and at Maintenance can be accessed on personal data, which are processed on behalf of the client.
9. Confidentiality obligation
(1) The contractor is obliged in the processing of data for the client to maintain confidentiality on data he obtained in connection with the order or to be aware of the knowledge. The contractor undertakes to observe the same secret protection rules as they obtain the client. The client is obliged to communicate any special mystery protection rules to the contractor.
(2) The contractor shall ensure that the applicable data protection regulations are known and he is familiar with the application of this. The contractor also ensures that he relies his employees with the relevant provisions of data protection and obliged to confidentiality. The contractor also ensures that he has committed to confidentiality in particular to the employees operating in the implementation of the work and informed these about the instructions of the client.
10. Maintaining affected rights
(1) The client is responsible for the preservation of concerned rights alone. The contractor is obliged to support the client in his obligation to edit applications of those affected under Art. 12-23 DSGVO. In particular, the contractor shall ensure that the information required insofar must be granted immediately to the client, so that it can comply in particular its obligations under Art. 12 para. 3 DSGVO.
(2) Insofar as a participation of the contractor for the preservation of concerned rights – in particular to information, correction, blocking or deletion – is required by the client, the contractor will take the necessary measures according to the instructions of the client. The contractor will support the client if possible with appropriate technical and organizational measures to comply with its obligation to answer requests for perception of affected rights.
(3) Regulations on any compensation of additional expenses incurred by participatory services in connection with assertion of concerned rights against the client in the contractor remains unaffected.
(4) In the event that a concerned asserts his rights under the Art. 12-23 DSGVO in the contractor, although this obviously relates to a processing of personal data for which the client is responsible, the contractor is entitled to communicate to the person concerned that the client is responsible for data processing. The contractor must inform the person concerned in this context the contact data of the responsible person.
11. Secrecy Obligations
(1) Both parties undertake to treat all the information they obtained in connection with the implementation of this supplementary agreement in terms of indefinitely confidential and to use only for the implementation of the supplementary agreement. No party is entitled to use this information in whole or in part to other purposes other than the purposes just mentioned or to make this information accessible to third parties.
(2) The above obligation shall not apply to information that one of the parties has demonstrably received from third parties without being obliged to secrecy or publicly known.
12. Technical and organizational measures for data security
(1) The contractor undertakes to the client for compliance with the technical and organizational measures necessary to comply with the data protection requirements to be applied. This includes in particular the specifications of Art. 32 DSGVO.
(2) The parties agree that changes to technical and organizational measures may be required to adapt to technical and legal circumstances. Significant changes that can affect the integrity, confidentiality or availability of personal data will vote the contractor in advance with the client. Measures that bring merely minor technical or organizational changes and do not adversely affect the integrity, confidentiality and availability of personal data may be implemented by the contractor without coordination with the client.
(3) The contractor will regularly and also control the technical and organizational measures taken by him and also to their effectiveness.
13. Duration of the order
The term of this supplementary agreement depends on the term of the application for application use within the respective app stores of Apple and Google.
(1) Upon termination of the supplementary agreement, the contractor has all in its possession of documents, data and manufactured processing or usage results, which are related to the order ratio, has returned or deleted to the client. The deletion must be documented appropriately. Any statutory storage requirements or other obligations to store the data remain unaffected. For data carriers, these are to be destroyed in the case of a deletion desired by the client, whereby at least the security level 3 of DIN 66399 is to be observed; The annihilation must be proven to the client with reference to the security level in accordance with DIN 66399.
(2) The client has the right to control the complete return and deletion of the data from the contractor. This can also be done by inspection of the data processing systems in the permanent establishment of the contractor. The on-site control should be announced by the client with a reasonable time.
(3) The Contractor shall store personal data which has been processed in the context of the contract beyond the termination of the supplementary agreement, if and as and as the contractor meets a statutory duty for storage. In these cases, the data may only be processed for purposes of implementing the respective statutory storage requirements. After expiration of storage obligation, the data must be deleted immediately.
15. Final provisions
Should individual parts of this supplementary agreement be ineffective, this does not affect the effectiveness of the remaining regulations of the Supplementary Agreement.