Data Processing Agreement in Accordance with Article 28 of the General Data Protection Regulation (GDPR)
The subject matter and duration of the Agreement or Contract shall be determined entirely according to the information provided in the respective contractual relationship.
The Supplier shall process personal data for the Client in accordance with Art. 4 No. 2 and Art. 28 GDPR on the basis of this Agreement.
The object, nature and purpose of any possible collection, processing, or use of personal data, the nature of data, and the People Affected shall be described to the Supplier by the Client in accordance with Appendix 1 of this document as completed by the Client, insofar as this is not governed by the contractual relationships described the content of Section 1 of this document. The provision of the contractually agreed upon data processing shall occur exclusively in a member state of the European Union or in another member state party to the Agreement on the European Economic Area. Any transfer to a third country shall require the prior consent
of the Client and may only occur if the special conditions defined in Articles 44 et seq. of the GDPR are fulfilled.
(1) Before the commencement of data processing, the Supplier shall document the execution of the necessary Technical and organizational measures defined in advance of the awarding of the Order or Contract, specifically with regard to the detailed execution of the Agreement or Contract, and shall present these documented measures to the Client for inspection (See Appendix 2 of this document). Upon acceptance of said documents by the Client, the documented measures become the foundation of the contract. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.
(2) The Supplier shall establish the security of the data in accordance with Art. 28 Para. 3
Sent. 2 Clause c, and Art. 32 GDPR in particular in conjunction with Art. 5 Para. 1 and Para. 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the technology; implementation costs; the nature, scope, and purposes of processing; as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the scope of Art. 32 Para. 1 GDPR must be taken into account.
(3) The technical and organizational measures shall be subject to technical progress and further development. In this respect, the Supplier is permitted to implement alternative adequate measures. The safety level of the specified measures must not be compromised. Substantial changes must be documented.
(1) The Supplier is not entitled of his own authority to delete or restrict the processing of data processed on behalf of third parties. Insofar as an Affected Person contact the Supplier directly in this respect, the Supplier will immediately forward this request to the Client without delay. (2) Insofar as the scope of services includes, the following are to be ensured without undue delay by the Supplier in accordance with the Client’s documented instructions: a deletion policy, the “right to be forgotten”, data correction, data portability, and data disclosure.
In addition to complying with the provisions of this agreement, the Supplier shall comply with statutory obligations in accordance with Articles 28 to 33 GDPR; in this respect, the Supplier shall particularly ensure compliance with the following requirements:
(1) The Client shall have the right to implement inspections in consultation with the Supplier or to have them implemented by inspectors designated in individual cases. The Client shall have the right to verify compliance with this Agreement by the Supplier in his business operations by means of spot inspections, which shall as a general rule be announced in good time.
(2) The Supplier shall ensure that the Client can verify the Supplier’s compliance with the obligations under Article 28 of the GDPR. The Supplier is obligated to provide the Client with the necessary information upon request and in particular to provide proof of the implementation of the Technical and organizational measures.
(3) Evidence of such measures which concern not only this specific Agreement or Contract may be provided by compliance with approved codes of conduct pursuant to Article 40 GDPR; certification according to an approved certification procedure in accordance with Article 42 GDPR; current auditor’s certificates, reports, or excerpts from reports provided by independent bodies (e.g. an auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor); or a suitable certification by IT security or data protection auditing, e.g. according to “BSI-Grundschutz” (IT Baseline Protection certification developed by the German Federal Office for Security in Information Technology [BSI]).
(4) The Supplier may assert a claim for remuneration for enabling the Client’s inspections.
(1) The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments, and prior consultations referred to in Articles 32 to 36 of the GDPR. These include:
e) Assisting the Client with regard to prior consultation with the supervisory authority.
(2) The Supplier may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Supplier.
(1) The Client shall immediately confirm oral instructions (at the minimum in text form).
(2) The Supplier shall inform the Client immediately if he believes that an instruction violates data protection regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or alters said instructions.
(1) Copies or duplicates of the data shall not be created without the knowledge of the Client, with the exception of backup copies as far as they are necessary to ensure proper data processing as well as data required for compliance with statutory storage obligations.
(2) After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Service Agreement, the Supplier shall submit to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession in accordance with data protection law. The same applies to any and all connected test and scrap material. Upon request, the Supplier shall provide the Client with information on nature and the time of the data’s deletion. (3) The Supplier shall retain documentation that proves that data was processed in an orderly and contractual manner after the respective contract period has elapsed in accordance with respective retention periods beyond the end of the contract. Alternatively, the Supplier may be absolved of this duty by transferring said documentation to the Client upon the termination of the contract.
A fee for this contract is not required.
If the Client requires assistance in answering inquiries from Affected People as described in section 4 of this Agreement, the Client shall be required to reimburse the Supplier for such assistance.
If the Client exercises monitoring rights as described in section 7 of this Agreement, the amount of remuneration to be agreed upon will be based on the fixed hourly rate of the Supplier’s employee who is instructed to supervise the auditor.
If the Client issues instructions to the Supplier as described in section 9 of this Agreement, the Client shall be required to pay any costs that result from these instructions.
11.2. Duration of contract
This Agreement is dependent on the existence of a principal contractual relationship
as described in section 1 of this document. The cancellation or other termination of the principal contractual relationship as described in section 1 shall simultaneously invalidate this Agreement.
The right to isolated extraordinary notice of cancellation hereby remains intact as do statutory rights of rescission.
11.3. Choice of law
The laws of the Federal Republic of Germany shall apply.
11.4. Place of jurisdiction
The parties agree that the place of jurisdiction shall be the location of the court responsible for Gunzenhausen.
Types of data
The following types and categories of data are the object of this additional agreement: • Personal master data
Those affected as a result of this additional agreement include: • The Client’s customers and interested parties
The Supplier shall prevent unauthorized access by applying security updates regularly by using state of the art technology.
a revision-proof, compulsory process for allocating authorization for Supplier employees
Appendix 2 of the Agreement Pursuant to Art. 28 GDPR: Technical and Organizational Measures
in Accordance with Art. 32 GDPR and Amendments
• Physical access control
• Data center parks in Nürnberg and Falkenstein
• electronic physical entry control system with log
• high security perimeter fencing around the entire data center park
• documented distribution of keys to employees and colocation customers
for colocation racks (each Client only for his rack)
• policies for accompanying and designating guests in the building • data center staff present 24/7
• video monitoring at entrances and exits; security door interlocking
systems and server rooms
• For people outside of the employment of Hetzner Online GmbH (data
center visitors), entrance to the building is only permitted in the company
of a Hetzner Online employee. • Monitoring
• electronic physical access control system with log
• video surveillance for all entrances and exits • Electronic access control
• Access is password-protected and only employees of the Supplier have access to the passwords. Passwords must meet a minimum length, and new passwords shall be changed on a regular basis.
• Internal access control
• for the Supplier’s internal administration systems
• Transfer control
• Data center parks in Nürnberg and Falkenstein
• Isolation control
• The Client is responsible for pseudonymization.
II. Integrity (Art. 32 Para.1 Clause b GDPR)
• Data transfer control
• Availability control
backup and recovery concept with daily backups of all relevant data depending upgon the services booked for the principal commission employment of disk mirroring
employment of an uninterruptible power supply system or emergency power supply system
employment of software firewalls and restricted ports permanently active DDoS protection
• Rapid recovery measures (Art. 32 Para. 1 Clause c GDPR)
• For all internal systems, there is a defined escalation chain which specifies who is to be informed in the event of an error in order to restore the system as quickly as possible.
IV. Procedures for regular testing, assessment, and evaluation (Art. 32 Para. 1 Clause d GDPR; Art. 25 Para. 1 GDPR)
• Agreement or contract control