Agreement on Contract Data Processing according to Art. 28 GDPR


between

the Customer

- hereinafter referred to as "controller" or "person responsible" -

and

Converia GmbH
Kaufstr. 2-4
99423 Weimar
Deutschland

- hereinafter referred to as "processor" or "data processor" -


This Data Processing Agreement (hereinafter referred to as the Agreement) regulates the rights and obligations of the Customer/Controller and the Contractor/Processor under data protection law within the meaning of Article 28 (3) GDPR. It applies to all processes related to the contract in which the processor, its employees or its agents process personal data of the customer.

Terms used in this Contract shall be understood as defined in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation, hereinafter "GDPR").

1. Objects and Duration of the Contract Data Processing

Objects and duration of the contract data processing shall follow the terms of the underlying main contract. If there are multiple main contracts between the controller and the processor, this agreement applies to all main contracts, in each case for the duration of the corresponding main contract.

Scope, nature and purpose of the contract data processing, nature of the personal data as well as categories of the data subjects are described in Annex 1.

2. Technical and Organizational Measures

The processor will take all technical and organizational measures according to Art. 32 GDPR that are required within the framework of this contract data processing in order to ensure compliance with the data protection rules. The technical and organizational measures that are binding within this contractual relationship are set out in Annex 2.

The technical and organizational measures are subject to technical progress and advancement. The processor is therefore authorized to deviate from the measures agreed upon with the controller and replace them with alternative adequate measures, provided that the level of protection of the measures originally agreed upon is not reduced.

3. Obligations of the Controller towards the Data Subjects

The controller is solely responsible for fulfilling the statutory duties towards the data subjects, i.e. the statutory information and reporting obligations as well as the obligation to respond to and implement requests by which data subjects exercise their rights (hereinafter summarized as "obligations towards the data subjects"), including examining their lawfulness. Apart from the information and reporting obligations, it is in particular the controller's obligation to respond to and implement the rights of the data subjects to information, rectification, erasure, restriction of processing, data portability and objection, as well as their rights regarding automated individual decision-making including profiling.

The processor supports the controller, taking into account the nature of the processing, with suitable technical and organizational measures where possible so that the obligations towards the data subjects can be fulfilled. The processor's obligation to support the controller is limited to situations in which the controller is unable to fulfill its obligations towards the data subjects itself due to the specific configuration of the contract data processing, or in which the required information is not available to the controller. This means in particular that the controller must primarily use the information or instruments the processor provides for fulfilling its obligations towards the data subjects, particularly those available in the provided software.

Where possible, the processor provides the controller with suitable technical and organizational measures to fulfill the aforementioned obligations towards the data subjects within one month of receipt of the data subject's request, unless there are grounds under current legislation for extending this period.

If a request by a data subject requires the data subject to be identified and, where applicable, additional information to be obtained, the controller shall be responsible for this.

If a data subject turns directly to the processor with an inquiry regarding the controller's obligations towards data subjects, the processor will forward this inquiry to the controller, who will then decide how to proceed. If the processor is directly required to fulfill obligations towards the data subjects, the processor is only obligated to take action once the controller provides a documented directive in terms of item 9 of this agreement.

The processor shall only provide third parties (e.g. police, prosecution, courts, supervisory authorities or other authorities) with information concerning personal data for which the controller is responsible under the GDPR if the controller has provided a documented directive to do so, or if the processor is legally obligated to provide the information (e.g. a duty to testify without a right to refuse to give evidence). The processor shall notify the controller without delay of the nature, scope and substance of the information provided.

The expenses that arise from supporting the controller shall be remunerated according to item 11 of this agreement.

4. Obligations of the Processor

The processor supports the controller, taking into account the nature of the data processing and the information available to it, in fulfilling the obligations set out in Articles 32 to 36 GDPR.

As required by Art. 37-39 GDPR, the processor has appointed a data protection officer.

The contact details of the data protection officer can be found at https://www.converia.de/de/datenschutz.html

The processor only assigns contract data processing tasks to persons who have made a written commitment to data secrecy or to confidentiality in accordance with the GDPR. With regard to a data protection impact assessment the controller may be required to carry out, and a prior consultation of the supervisory authority that may be required in this context (Art. 35, 36 GDPR), the processor supports the controller in compiling the necessary information to the required extent, but only if and in so far as the relevant information is not already available to the controller, e.g. through the controller's access to the provided software. The expenses that arise from supporting the controller shall be remunerated according to item 11 of this agreement.

5. Subcontractor Relationships (Additional Processors)

"Additional processors" within the meaning of the GDPR will hereinafter be referred to as "subcontractors".

Annex 1 contains a current list of all subcontractors.

The controller hereby authorizes the processor (unless a separate written agreement has already been made by the controller, e.g. as part of placing a product order during which a subcontractor relationship was explicitly pointed out) to work with subcontractors, if

the processor has informed the controller about the intended subcontractor relationship in advance in writing, digitally or in text form, and

the processor imposes data protection duties on the subcontractor that are consistent with the data protection duties of this agreement, by way of a contractual agreement concluded in writing or digitally.

The obligation to inform the controller also applies to every intended change regarding the appointment or replacement of subcontractors.

In justified cases, the controller is authorized to object to the appointment of, or intended changes regarding, subcontractors if there are reasonable grounds to believe that the new subcontractor is not capable of protecting the controller's personal data. The controller's objection to the appointment of a subcontractor must be made within one month, starting from the end of the month in which the information was received. After this period has expired, an objection is no longer possible.

If the controller objects to the appointment of a subcontractor, the processor has a special right of termination regarding the part of the service affected by the objection. This special right of termination has to be exercised within one month, starting from the end of the month in which the objection was made. By exercising the special right of termination, the contractual relationship regarding the affected part of the service ends after three months, starting from the end of the month in which the special right of termination was exercised. The processor is not liable for costs, expenses or damages arising from such a termination (in particular not for migration costs), unless there is a justified reason within the meaning of this item 5.

The controller is authorized to request a current list of all subcontractors appointed by the processor upon conclusion of the contract as well as within the scope of inspections according to item 6 of this agreement. The processor remains solely and fully liable to the controller for its subcontractors' compliance with data protection law. In particular, it is the processor's responsibility to ensure that the subcontractors provide the same sufficient guarantees to implement appropriate technical and organizational measures in such a manner that processing meets the requirements of data protection law.

Within the context of this contract data processing agreement, only third parties that fully or partly provide services that were contractually agreed upon, or that are involved in fulfilling these service objectives, are regarded as subcontractors. Third parties whose ancillary services the processor relies on for executing the order, that provide services permitted by law, or that provide services directly to the controller and are therefore party to a direct contractual agreement with the controller, are not regarded as subcontractors (e.g. banks including acquirers, i.e. the organizer's banks that process customers' credit card payments, credit agencies, telecommunication service providers, postal service operators, transport service providers, cleaning personnel or providers for the disposal of data carriers). However, the processor will also establish appropriate contractual agreements to ensure privacy and data security with these third parties and implement effective control measures where legally required (particularly if the respective ancillary service constitutes contract data processing in the relationship between processor and third party).

The processor may monitor the subcontractors it has appointed in accordance with applicable law. The controller has no direct right of control over the subcontractors appointed by the processor.

6. The Controller's Right to Control

Prior to the start of the data processing and regularly thereafter, the controller is authorized to verify that the technical and organizational measures agreed upon as well as the statutory obligations regarding the contract data processing are being complied with by the processor. The controller is also entitled to appoint third parties to carry out these inspections.

The processor is obligated to permit and cooperate with these inspections. The date of an inspection has to be agreed in advance between controller and processor.

The expenses that arise for the processor from such inspections shall be remunerated according to item 11 of this agreement.

7. The Processor's Obligation to Report Violations

The processor is obligated to notify the controller without undue delay if it becomes aware of any personal data breach in the context of the contract data processing that might trigger an obligation to notify the supervisory authority or to inform the data subjects. This applies regardless of whether the breach was due to a violation of data protection regulations by the processor or its personnel, a violation of the provisions agreed upon, or unforeseeable circumstances (such as third-party attacks or acts of nature). Art. 33 and 34 GDPR apply.

The controller is responsible for fulfilling any notification and information obligations in the aforementioned sense. The processor supports the controller to the required extent, taking into account the nature of the data processing and the information available to the processor, in meeting these requirements. The processor's support in these cases is limited to providing information that is essential for fulfilling the controller's obligations but that is unknown to the controller or to which the controller has no access (e.g. via access to the provided software).

8. Extent of the Controller's Authority

The controller is responsible for the lawful execution of the contract data processing and for safeguarding the rights of the data subjects. Accordingly, the controller defines the framework within which the processor operates. The basic conditions are specified in this agreement and the underlying main contracts. The processor and its staff are only authorized to process the controller's personal data within this framework; any processing that goes beyond it requires the controller's documented instruction. Processing beyond a documented instruction is only permitted if the processor is obligated to do so by European Union law or the law of a member state to which it is subject.

Instructions have to be issued in writing or via email, preferably via the processor's support portal: https://support.converia.de

The controller's authority to issue instructions is limited to what is required by the applicable data protection law in accordance with the provisions of this agreement, and applies only within the framework of the services provided by the processor and the options and modalities the processor offers. The processor is not obligated to comply with instructions beyond this. This also applies if an instruction calls for certain technical or organizational measures to be taken. Such adjustments generally require a mutual agreement between controller and processor by way of an extension of the main contract and the definition of an appropriate remuneration.

Irrespective of this, the controller is always entitled to instruct the processor to cease a certain service within a period appropriate to the circumstances of the particular case. The contract period of the main contract and the controller's duty to pay remuneration remain unaffected by this. The main contract remains in effect with respect to the affected service until it is terminated by effluxion of time, ordinary notice of termination, an extraordinary right of termination or an exceptional right of termination.

The processor notifies the controller without undue delay whenever it believes that an instruction might contradict the current data protection laws.

9. Termination of the Contract Data Processing

Upon the controller's request, or at the latest upon completion of the contract data processing, i.e. upon completion of the data processing service, the processor will either delete all personal data following the controller's documented instruction to do so or return the data to the controller, unless the processor is obligated to store personal data under European Union law or the law of a member state (statutory retention obligations applying to the processor).

Unless otherwise provided in the underlying main contract, and unless the controller gives the processor a separate documented instruction, the following applies: The conference data of one-off conferences will be deactivated within three months after the end of the conference and deleted from the database within 12 months after the end of the conference. In the case of a continuing main contract (e.g. a framework contract), the user is able to deactivate the data after the end of a conference or delete them from the database; it is therefore the controller's duty to delete the data. Prior to their deletion, the data are made available for viewing, analysis and secure download. As the controller's access to the provided software will be deactivated upon termination of the contract, the controller is obligated to download the data it requires before the termination date.

10. Liability

The liability of the processor towards the controller for claims for damages due to violations of data protection obligations is governed by the following terms. A violation of data protection obligations occurs when the processor violates applicable statutory data protection obligations as specified in this agreement or the controller's documented instructions that are lawful under data protection law and permitted by this agreement.

If controller and processor are jointly liable to pay compensation to a data subject or another person under the GDPR or any other data protection regulation that also applies to the processor, the following applies to the internal apportionment between controller and processor: The processor is liable for violations of data protection obligations as specified in this agreement. The processor is only liable for intentional or grossly negligent breaches of duty, unless the claim concerns injury to life, body or health, or a violation of data protection obligations directly connected to the fulfillment of major contractual obligations (cardinal obligations). Major contractual obligations are obligations whose fulfillment is essential for the purpose of the contract. Liability for violations of data protection obligations relating to cardinal obligations is limited to compensation for foreseeable damage typical of the contract. There is no liability for futile expenses or lost profits of data subjects or other persons, unless caused by an intentional or grossly negligent breach of duty. There is also no liability for consequential damages of data subjects or other persons. Any further liability of the processor is excluded. The provisions of product liability law remain unaffected where applicable in an individual case. The burden of proof for the existence of any of the prerequisites in this paragraph, in particular for the existence of a violation of data protection obligations by the processor as defined above and for the processor's responsibility for it, lies with the controller.

For damages incurred by the controller due to a violation of data protection obligations by the processor that are not connected to damages of data subjects or other persons, liability only exists in the case of a violation of data protection obligations as defined in this agreement, and only if the violation is directly connected to the fulfillment of major contractual obligations (cardinal obligations). Major contractual obligations are obligations whose fulfillment is essential for the purpose of the contract. The extent and amount of the processor's liability are determined by the provisions of the main contract. The provisions of the main contract also determine the processor's liability for damages resulting from other breaches of obligations.

11. Remuneration

If the fulfillment of obligations under this agreement causes the processor expenses that exceed the contractually agreed main service and day-to-day operations, particularly in the context of items 3, 4, 6, 7 and 8 of this agreement, the controller and the processor will agree on an additional remuneration corresponding to those expenses. The processor will execute a documented instruction received from the controller once the controller has committed to the remuneration for the particular case. If the exercise of a right of control within the meaning of item 6 of this agreement would create a considerable amount of extra work, the processor may refuse to cooperate with the inspection until the controller has committed to remuneration for the inspection.

12. Final Provisions

If individual provisions of this agreement are incomplete, ineffective or impracticable, the effectiveness of the remaining provisions shall not be affected. In this case, the incomplete, ineffective or impracticable provision shall be replaced by a provision that corresponds to what the parties would have intended had they considered the incompleteness, ineffectiveness or impracticability.

Existing agreements between the parties regarding contract data processing are completely replaced by this agreement. Provisions relevant to data protection in other contractual components (e.g. general terms and conditions) only take precedence over this agreement if they extend its provisions. If they change the main intent of this agreement's provisions or fall short of its level of data protection, they are supplanted by this agreement.

The law of the Federal Republic of Germany applies. Place of jurisdiction is Weimar.