Data Processing Agreement
according to GDPR Art. 28
1. Subject of this agreement
This agreement is part of the contract for the use of the Intao learning platform and the associated services.
This Agreement shall apply for the duration of any cooperation.
The contractor processes personal data of the customer. The subject of the contract is therefore the processing of data. The parties agree that the provisions of the EU General Data Protection Regulation (GDPR), in particular the provisions on data processing on behalf of the contractor, shall apply to this contract. The contractor declares that he is in a position to perform the ordered services properly in accordance with Art. 28 GDPR.
The contract regulates the data protection measures within the meaning of Art. 28 GDPR and the rights and obligations of the customer and the contractor to fulfill the data protection requirements.
2. Categories of data subjects, purpose of the processing and type of data to be processed
The contractor will process personal data of employees on behalf of the customer within the scope of fulfilling the obligations assumed in the project contract (Art. 4 No. 8, 28 GDPR). The processing is carried out exclusively for the purpose of fulfilling the contractor’s performance obligations according to the project contract.
The type and purpose of the processing as well as the type of personal data and the group of persons concerned are listed below:
Purpose of data collection
- Operating the software
- Maintenance and Support
Type of data
- Registration data (first name, last name, email address, password)
- Technical data required to make the software usable (e.g. whether we are allowed to send push notifications, language settings)
Categories of data subjects
- Users of the admin area
- Users of the mobile app
3. Place of processing
The data processing takes place exclusively on the territory of the Federal Republic of Germany. Data processing by employees or agents of the contractor takes place exclusively on the territory of the European Union. Processing in other states is only permitted with the prior consent of the customer and only to the extent that an adequacy decision of the EU Commission pursuant to Art. 45 para. 3 GDPR exists or an adequate level of data protection is ensured by other suitable guarantees within the meaning of Art. 46 para. 2 GDPR. The contractor shall provide evidence of the existence of the guarantees and of an adequate level of protection. Proof can be furnished by submitting a corresponding certificate from an accredited certification body in accordance with Art. 43 GDPR. The contractor undertakes to ensure compliance with the guarantees and an appropriate level of protection. The customer reserves the right to check the existence of the guarantees and compliance with an appropriate level of protection at any time within the framework of his audit and control rights.
4. Control and audit rights of the customer
The customer is solely responsible for assessing the permissibility of the processing of personal data and for the execution of the rights of the data subjects. In the case of data processing on behalf of a customer, in accordance with Art. 28 Para. 1 Sentence 1 GDPR, the customer shall only cooperate with contract processors who offer sufficient guarantees that suitable technical and organisational measures have been put in place to meet the requirements of the GDPR.
The customer is then obliged and authorised to check compliance with the regulations on data protection and the contractual agreements, in particular the technical and organisational measures taken by the contractor, to the extent necessary before data processing begins and at his discretion also repeatedly after prior agreement during normal business hours.
In this regard, the customer shall be entitled to demand written information and the submission of evidence of the data protection measures set up and of the way in which they have been technically and organisationally implemented, to enter the contractor’s premises and business premises, to carry out checks and inspections at his discretion, and to inspect, to the extent required, processing-relevant documents, processing and process logs, systems and stored data as well as the regulations, guidelines and manuals governing the commissioned data processing. This also includes evidence of the appointment of a data protection officer, of the obligation of employees to maintain confidentiality, and of technical and organisational concepts, e.g. the data protection manual, relevant procedural instructions and also contracts with subcontractors. The same rights also apply to representatives of the customer, e.g. experts, insofar as they are particularly bound to secrecy or are subject to professional duties of confidentiality under criminal law.
The rights of the customer exist during the term of this agreement and beyond until the statute of limitations of claims under this contract, but at least as long as the customer stores personal data from the commissioned processing.
Inspections take place after prior notification. In special cases, in particular if processing problems exist, notifiable incidents have occurred or regulatory measures are pending or have been initiated, the inspection can also be carried out without prior notification.
5. Technical and organisational measures
The contractor guarantees a level of protection of personal data adequate to the risk to the rights and freedoms of the data subjects. For this purpose, the contractor undertakes to design and continuously update its internal organisation and the necessary technical and organisational measures, taking into account the current state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing and the varying probability and severity of the risk to the rights and freedoms of the data subjects, in such a way that these correspond to the special requirements of data protection under the GDPR and guarantee the protection of the rights of the data subjects.
The technical and organisational measures include in particular the permanent safeguarding of the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing of the data, the rapid restoration of the availability of and access to personal data in the event of a physical or technical incident, and the establishment and maintenance of procedures for regularly reviewing and evaluating the effectiveness of the technical and organisational measures to ensure the security of processing.
The contractor warrants compliance with the measures and regulations specified in the self-disclosure of 24.08.2018. These measures shall be deemed agreed and the description of the measures shall become part of this contract.
The technical and organisational measures are subject to technical progress and further development. To this extent, the contractor shall be permitted to implement alternative adequate measures. The security level of the specified measures may not be undercut. Essential changes shall be documented.
The contractor can prove the suitability of the technical-organisational measures to be taken in accordance with Art. 32 GDPR by observing approved rules of conduct in accordance with Art. 40 GDPR or a data protection seal or test mark in accordance with Art. 42 GDPR, which is issued for the contractual processing procedures and locations and is relevant for the processing procedures covered by this agreement. The contractor shall immediately notify the customer of any changes to the certificate or its expiry. The control and audit rights of the customer remain unaffected.
The following technical and organisational measures shall be binding: See Section 15
6. Correction, deletion and blocking of data
The processed data may only be corrected, deleted or blocked after instruction or prior consent of the customer. The contractor shall immediately forward to the customer any corrections, deletions or blockages of data requested by the data subject.
7. Duties of the contractor
The contractor shall execute the order exclusively within the framework of the agreements made and in accordance with the instructions of the customer. The contractor shall not use the data for any other purpose and shall in particular not be entitled to pass them on to third parties.
Extracts, copies or duplicates of data or data carriers may only be produced and used without the knowledge of the customer if this is necessary for the execution of the order or to guarantee proper data processing or if there is a legal or other obligation to retain data. Any excerpts, copies or duplicates which may have been produced must be securely deleted by the contractor immediately after processing or use has been completed or destroyed in accordance with data protection regulations or handed over to the customer.
Decisions regarding the organisation of data processing and the procedures applied which are significant in terms of security shall be coordinated with the customer. The contractor may not provide information to third parties or to the data subject, or may only do so in accordance with the instructions of the customer. The contractor may only provide information to authorised employees of the customer.
The contractor undertakes to use only such software, data or data carriers which have been reliably tested for the absence of harmful software, in order to avoid the infiltration of viruses etc.
Obligations to tolerate inspections
The contractor undertakes to demonstrate compliance with the technical and organisational measures taken in tests carried out by the customer, to provide information and to submit the relevant documents or to allow inspection of the necessary documents and systems and, after prior agreement, to tolerate and support the customer’s on-site inspections. He undertakes to provide all necessary information in the event of incidents relevant to data protection and data security and to support the clarification of such incidents as far as possible.
Evidence of appropriate technical and organisational measures can also be provided by submitting certificates or by certification or a data protection audit by an independent institution or an authorised expert. Irrespective of this evidence, the contractor shall be obliged to tolerate checks by the customer pursuant to section 6 of this agreement.
The contractor shall be obliged to notify the customer, without being requested to do so, of any essential changes in the technical and organisational conditions which reduce the security and regularity of the performance of the services ordered.
The contractor shall inform the customer about controls by the supervisory authority for data protection, in particular in accordance with Art. 58 GDPR, and about possible measures and requirements for the protection of personal data.
The contractor undertakes to provide the customer, upon request, with the information required to comply with his obligation to inspect the order and to make the relevant evidence available. He shall inform the customer immediately of the expiry or revocation of certificates or measures pursuant to Art. 41 para. 4 GDPR.
The contractor shall inform the customer of the name and contact details of the company data protection officer and of any change in that person or, if there is no obligation to appoint one, of the name and contact details of the otherwise competent contact person.
Obligations to cooperate and provide support
Within the framework of Art. 28 Para. 3 lit. e and f GDPR, the contractor undertakes to immediately provide the information required for the list of processing activities as well as for risk assessment and any data protection impact assessment and, insofar as it concerns his area of responsibility, to cooperate to the extent necessary in determining the risks and any data protection impact assessment as well as to support the customer in fulfilling the rights of those affected.
The contractor undertakes to set up measures and documentation which enable the control and traceability of all activities and processing processes associated with the processing operations in the sense of order control and the correctness of data processing. Data protection incidents and other security-relevant processing disturbances, including their effects and the remedial measures taken, must be documented and reported to the customer. The documentation shall be made available to the customer without delay.
The data shall be processed at the respective place of work. This can be an office, a private home or another location. The contractor undertakes to ensure the confidentiality of the data as well as the security and controllability of the processing to the same extent as is the case with the performance of the service from the contractor’s location, by means of suitable regulations and security precautions. Any deviation from this shall require the separate written consent of the customer.
The involvement of subcontractors is only permissible if the customer has agreed in writing prior to the award of the contract. The customer may revoke his consent to subcontracting if there is an important reason, in particular in the event of a breach of law or a breach of contract. Subcontracting shall then be discontinued immediately. The contractor shall formulate the contractual agreements with the subcontractor in such a way that they comply with the data protection provisions of this contract. He shall regularly check compliance with these obligations. The forwarding of data to the subcontractor is only permissible if a contract has been concluded in accordance with these conditions and the subcontractor has fulfilled all requirements of this contract.
In the case of subcontracting, the same contractual regulations shall be imposed on the subcontractor as apply to the contractor. The customer shall grant the subcontractor the same rights of instruction, control and inspection in accordance with this agreement and Art. 28 GDPR as apply to the contractor. This shall also include the customer’s right, upon written request, to obtain from the contractor information on the essential content of the contract and implementation of the data protection obligations in the subcontracting relationship, if necessary by inspecting the relevant contractual documents.
Subcontracting relationships within the meaning of this provision shall not include services which the contractor makes use of with third parties as an ancillary service to support the execution of the order. These include, for example, telecommunications services, maintenance and user service, cleaning staff, inspectors or the disposal of data media. The contractor is, however, obliged to make appropriate and legally compliant contractual agreements and to take control measures in order to guarantee the protection and security of the customer’s data, even in the case of third-party ancillary services.
An assignment of subcontractors outside the territory of the Federal Republic of Germany or the European Union or the states of the European Economic Area is only permissible with the prior consent of the customer and only to the extent that an adequacy decision of the EU Commission pursuant to Art. 45 Para. 3 GDPR exists or an adequate level of data protection is ensured by other suitable guarantees within the meaning of Art. 46 Para. 2 GDPR. Furthermore, the provisions of section 5 of this agreement also apply to the commissioning of subcontractors.
The personal data of the users will only be collected and used by the contractor. We do not pass on any personalised user data to third parties. We have concluded contracts for data processing with the external partners whose services we use and have ensured that all our partners work in compliance with the GDPR.
The systems and providers relevant for the app are:
- Amazon AWS
- Big Query
- Google Analytics
9. Rights of data subjects
The customer is solely responsible for safeguarding the rights of the data subjects. The contractor may only implement the rights of the data subjects in accordance with the customer’s instructions. However, the contractor shall support the customer in the fulfilment of inquiries and claims by the data subjects.
Requests for information, correction or deletion of data submitted by data subjects in exercise of their rights shall be forwarded immediately by the contractor to the customer for settlement. Information to third parties may only be provided in accordance with the instructions of the customer or must be forwarded to the customer for execution. Similarly, information may not be passed on directly to employees of the customer, but only via the agreed contact persons.
10. Reporting obligations in the event of disruption and data protection violations
In the event of a disruption of processing or a breach of data protection, the contractor shall immediately initiate all appropriate and necessary measures to secure the data and to reduce any possible damage for the parties concerned and for the customer.
The contractor undertakes to inform the customer without delay of any infringements of the provisions for the protection of personal data or of the provisions made in this agreement. This shall also apply in the event of serious disruptions to operations, suspicion of other breaches of regulations for the protection of personal data or other irregularities in the handling of the customer’s personal data which could have an effect on the persons concerned or the customer or cause damage. Violations of data protection include in particular the loss of confidentiality and the loss or destruction or falsification of data of the customer or other confidential information within the meaning of this contract.
The notification to the customer includes all information which is necessary for the customer to assess the incident and his obligation to report it to the supervisory authority and the duty of the persons concerned to provide information in accordance with Art. 33 and 34 GDPR and, if necessary, to be able to report it to the supervisory authority and, if necessary, to inform the persons concerned in due time. The notification to the customer includes in particular information on the nature of the incident and the violation of the protection of personal data, a description of the probable risks to the interests, fundamental rights and fundamental freedoms of the persons concerned and a description of the measures already taken to remedy or reduce possible damage or other risks for the persons concerned and the customer.
The contractor shall document the incident and support the customer in fulfilling its reporting and information obligations pursuant to Art. 33 and 34 GDPR and shall take all measures within its area of responsibility to mitigate adverse consequences for those affected and to clarify the incident and its consequences. This shall also apply after termination of the contractual relationship.
11. Authority of the customer to issue directives
The processing of the data takes place exclusively within the framework of the agreements made and according to the instructions of the customer. The customer reserves the right to issue instructions in the form of individual instructions on the type, scope and procedure of data processing and on changes to processing within the framework of the order description. In particular, but not exclusively, the instructions concern data protection-compliant order processing and other actions to ensure legal order processing. The instructions shall be issued in writing or in another suitable electronic format. Oral instructions shall be confirmed immediately in writing or in an electronic format. The instructions shall be kept for the duration of the contractual relationship, but at least for the duration of their validity.
The contractor shall inform the customer without delay if he is of the opinion that an instruction violates the GDPR or other data protection regulations. The contractor may suspend the execution of the instruction until it has been confirmed by the customer. The customer shall be liable for unlawful instructions and shall indemnify the contractor against claims for damages and other claims in this respect.
A contact person for the customer is defined in advance.
Kathrin Krönig is the recipient of instructions from the contractor.
Changes to the person or recipient of the instruction who is authorised to issue instructions must be notified immediately.
Changes to the object of processing and procedural changes must be jointly agreed and documented.
12. Post-contract procedures
After completion of the processing, at the latest after termination of this contract, the contractor must hand over to the customer all documents and processing or usage results or personal or other confidential data produced or copied for the performance of the service which have come into his possession and which are related to the contractual relationship, or destroy or securely delete them in accordance with data protection regulations in coordination with the customer. Test and scrap material must be destroyed or handed over to the customer without delay in accordance with data protection regulations. This obligation shall also apply to the same extent to any subcontractors commissioned. Data whose deletion is not possible for technical reasons or would cause a disproportionately high expense shall remain unaffected, as well as copies which are necessary to prove the correctness of the data processing or to fulfil liability and warranty claims.
The processing of these data must be restricted in accordance with Art. 18 GDPR. The data may be stored by the contractor beyond the end of the contract in accordance with the respective retention periods and must be securely deleted immediately after expiry of the retention period. The customer must be informed of the type and scope of this stored data. The contractor may hand over this data to the customer at the end of the contract in order to relieve the contractor of its responsibility.
Upon termination of this contract, the contractor shall confirm in writing to the customer the secure deletion or destruction of all documents in his possession.
13. Protection of confidentiality and other secrets
Personal and other data or information which become known to the contractor within the framework of the fulfilment of this contract may only be used by the contractor for the purposes of the commissioned service. The contractor undertakes to maintain the confidentiality and integrity of the personal data and to treat all personal data and other internal company circumstances, data and information (trade secrets) of which he becomes aware in connection with the acceptance and processing of the order as confidential. He further undertakes to obligate the employees working within the scope of this contract, in writing, to maintain confidentiality even after the termination of their employment relationship, and to instruct them about the data protection obligations arising from this contract, the obligation to process the data in accordance with instructions and the purpose limitation. This confidentiality obligation shall also apply beyond the termination of the contractual relationship.
The contractor confirms that he is aware of the relevant data protection regulations. The contractor warrants that he will only use his own personnel to carry out the work, that he will familiarise the employees involved in carrying out the order with the data protection provisions applicable to them, and that they will be trained regularly.
The contractor undertakes to observe all other secrets relevant to processing, such as social secrecy, telecommunications secrecy and other professional secrets in accordance with § 203 of the German Criminal Code (Strafgesetzbuch, StGB), as well as to obligate and instruct employees to ensure that these secrets are kept.
The contractor is obliged to keep secret all knowledge of the customer’s administrative access data and data security measures obtained within the framework of the contractual relationship and in no case to disclose this to third parties. The contractor may only make use of the access rights granted to him to the extent necessary for the performance of data processing. The obligation to maintain confidentiality and other secrets shall also apply beyond the termination of this contract.
The supervisory authority responsible for the contractor is the Berliner Beauftragte für Datenschutz und Informationsfreiheit (Berlin Commissioner for Data Protection and Freedom of Information), Friedrichstraße 219, 10969 Berlin, Germany.
Liability is governed by the provisions of Art. 82 GDPR. In addition, the following is agreed:
The contractor shall be liable to the customer for any damage caused by the contractor, its employees or the persons appointed by the contractor to perform the contract in a negligent or culpable manner during the performance of the contract. This also applies to the infiltration of harmful software (viruses, worms, trojans, etc.) as well as the destruction or alteration of data or their unauthorised disclosure.
The customer shall be liable to the data subjects for compensation for damages suffered by a data subject as a result of data processing that is inadmissible or incorrect under the Federal Data Protection Act (Bundesdatenschutzgesetz) or other data protection regulations within the scope of the contractual relationship. Insofar as the customer is obliged to pay damages to the data subject, he reserves the right of recourse against the contractor. Other liability claims arising from the purchase or work contract remain unaffected.
15. Annex to the technical and organisational measures
(August 24, 2018)
Confidentiality and encryption (Art. 32 para. 1 lit. a and b GDPR)
Measures to prevent unauthorised persons from gaining access to the data processing equipment used to process personal data:
- Central locking system with security locks
- Entrances and exits are kept closed and can be locked
- Visitors are personally accompanied to the responsible employee
Measures to protect access to data processing equipment from strangers:
- All computers are provided with user names and passwords
- All computers have up-to-date firewalls and virus scanners installed
- Access rights are assigned by administration of rights
Measures to ensure that only authorized persons have access to the data processing system:
- A distinction is made between read and write authorisation
- Changes to the rights are documented
Measures to ensure that collected data is processed separately (e.g. per order/customer):
- Productive and test systems are managed in separate databases
- Customer data is stored separately on the software side
Integrity (Art. 32 para. 1 lit. b GDPR)
Measures to ensure that personal data cannot be read, copied or removed without authorisation during electronic transmission or during their transport or storage. It will be checked and established where personal data is to be transmitted:
- Personal data is always transmitted in encrypted form
- Mobile data carriers are not used
- Destruction of data carriers is carried out by a certified disposal company
- Visitors do not have access to corporate wifi
Measures to ensure that it can be verified whether and by whom personal data has been entered, modified or removed in the data processing systems:
- Activities of the system administrator and of users are logged
- Rights are always assigned according to the principle of least privilege
Availability, resilience and recoverability (Art. 32 para. lit. b and c GDPR)
Measures to ensure that personal data is protected against destruction or loss:
- Regular backups are made of all data
- If a data breach is detected, the reporting obligation is fulfilled by means of an emergency plan
Procedures for regular review, assessment and evaluation (Art. 25 para. 1 GDPR and Art. 32 para. 1 lit. d GDPR)
Measures to ensure that personal data processed on behalf of the customer is only processed in accordance with the instructions of the customer:
- All contractors are carefully selected
- The control of the contractors is carried out by the management and the data protection officer
- Employees are required to report data protection violations