ORDER PROCESSING AGREEMENT ACCORDING TO ART. 28 GDPR

1. Scope, nature (Art. 4 No. 2 GDPR) and purpose of the data processing:

Personal data (names, e-mail addresses, telephone numbers as well as titles) of employees of the Client or its customers are processed, provided that they
a) communicate electronically or non-electronically with the Contractor as the contact person of the Client,
b) operate the software developed by the Contractor as a user, or
c) are identifiably mentioned in business documents processed by the Contractor (e.g. inquiries, offers, orders, etc.).
Furthermore, personal data of contact persons at contract partners of the Client are processed if these persons
a) are identifiably mentioned in business documents processed by the Contractor (e.g. inquiries, offers, orders, etc.).
The processing includes all types of processing according to Art. 4 No. 2 GDPR.

2. Type of data:

Data category: List of specifically processed data
  • Professional contact and organization data: Name, first name, gender, address, e-mail address, telephone number, cell phone number
  • Data on professional conditions: Job title, tasks, activities, qualifications
  • Other: Professional e-mail and chat messages, actions performed in the Contractor's software

3. Circle of affected persons:

Affected group: Description (examples)
  • Employees of the Client/responsible party: Own employees of the Client, i.e. employees in sales or order processing as well as contact persons in the IT department (examples: employees, trainees, applicants, former employees)
  • Employees of other companies: Employees of other companies whose personal data are processed for the Client/responsible party, i.e. employees in purchasing and contacts in the IT department (examples: employees, trainees, applicants, former employees)
  • Customers of the Client/responsible party: Any person with whom a business relationship exists (with the respective responsible entity) (examples: purchaser, insurance holder, tenant, client of a service)
  • Other business partners: Any natural person with whom a business relationship exists (with the Client) except customers (examples: suppliers, importers, service providers, intermediaries, freelancers)

4. SUBCONTRACTORS

The approved subcontractors at the time of entering into this OPA include:
No. Subcontractor (name, address, contact person): Categories of data processed; Activity description; Place of data processing
  1. DigitalOcean, LLC: all data categories mentioned in clause 2; email, calendar and file storage services; Germany
  2. Google, LLC: all data categories mentioned in clause 2; various data processing services (Azure Cloud); EU
  3. Microsoft Corp.: all data categories mentioned in clause 2; email services; EU
  4. Twilio Inc.: all data categories mentioned in clause 2; data transmission (X.400 network); worldwide
  5. Telekom Deutschland GmbH: all data categories mentioned in clause 2; various data processing services (AWS); Germany
  6. Amazon.com, Inc.: all data categories mentioned in clause 2; various data processing services; EU
  7. Workist GmbH: all data categories mentioned in clause 2; various data processing services; Germany

5. TECHNICAL AND ORGANIZATIONAL MEASURES

5.1 Template for the technical and organizational measures:

5.1.1 Access control to premises and facilities where data is processed

Unauthorized access must be prevented, whereby the term is to be understood spatially.
Responsible for this is: DigitalOcean, LLC, data center in Frankfurt am Main, subject to European law. Appropriate measures include:
  • architectural measures such as "physical" entry barriers both at the perimeter and to the buildings, separate buildings and separate server rooms, each with separate locks;
  • technical measures such as security locking systems for the buildings and server rooms, access control systems (code and/or badge readers, magnetic and/or chip cards), two-factor authentication of specially authorized employees for data center floors, video surveillance, intrusion detection systems, alarm systems;
  • organizational measures such as access controls by professional security personnel, monitoring of all employees and logging of all work on data center floors, etc.

5.1.2 Access control

Unauthorized persons must be prevented from gaining access to the data processing (IT) systems. Likewise, activities in data processing (IT) systems beyond the granted authorizations, as well as unauthorized access to the systems from outside, shall be prevented.

The Processor has taken the following measures:

In addition to the technical measures described in Section 8.2.1, access authorizations and user accounts for IT systems shall be limited to the "minimum necessary". Direct access to servers is only possible for the system administrators appointed for this purpose and only from end devices specially designated for this purpose. The use of "insecure" passwords is prevented by the system wherever possible. As an additional security measure, multi-factor authentication is required (where supported by the system) for access to data processing systems. An authorization system based on user roles is used to grant each employee of the Contractor only the access necessary to perform his or her tasks.

5.1.3 Input control

The traceability or documentation of data management and maintenance must be ensured, i.e. measures must exist for subsequent verification of whether and by whom data has been entered, modified or removed (deleted).

The Processor has taken the following measures:

It is only possible to enter, change or delete data in the Contractor's data processing systems via personalized user accounts. Each user account or each employee of the Contractor and the Client can be identified by an individual, uniquely assigned user ID. All actions performed by employees of the Contractor or the Client in the Contractor's data processing systems - at least, however, those that concern or contain personal data described in clause 3 - shall be automatically logged with user ID and time stamp.

5.1.4 Order control

Order data processing in accordance with instructions must be ensured. Data processing by third parties (cf. Art. 28 GDPR) is permitted only in accordance with the instructions of the principal/data exporter. Measures (technical and organizational) must delimit the competences between the principal/data exporter and the contractor/data importer.

The processor has taken the following measures - detailed description:

There are clear contract regulations, appointment of a data protection officer at the Contractor, instruction of all employees of the Contractor and its subcontractors to maintain data protection secrecy, and careful selection of subcontractors.

5.1.5 Separate processing of data/separation control

Separate processing of data collected for different purposes must be ensured. Measures must ensure the separate processing of data from different clients.

The Contractor has taken the following measures:

Logical separation of the data of different principals is carried out in the Contractor's data processing systems. It shall be ensured that the data of one client are not visible or accessible to other clients.

5.1.6 Transfer control

Aspects of personal data transfer must be regulated (electronic transfer, data transport, transfer control, etc.) to prevent loss, modification or unauthorized publication. Measures shall be taken regarding transport, transfer, transmission or storage on data carriers (manually or electronically) and their subsequent verification.

The Contractor has taken the following measures:

Connections secured exclusively by SSL encryption are established in both directions between the client's browser and the data centers of DigitalOcean, LLC.

5.1.7 Availability and resilience (Art. 32 para. 1 lit. b GDPR)

The data must be protected against accidental destruction and loss by means of data backup measures (physical/logical).

The Contractor has taken the following measures:

There is a daily backup in the form of backup copies of all data. Backup copies are physically stored separately on servers specially designed for maximum fail-safety by the subcontractor DigitalOcean, LLC.

5.1.8 Organizational control

How is the smooth organization of data protection and security ensured in the company? The Contractor has taken the following measures:

Processes and workflows are defined for the processing of data in the company, and the implementation of and compliance with the processes are monitored. Our employees are trained/obligated in the following:
  • Principles of data protection and IT security
  • Obligation to maintain confidentiality about company and business secrets
  • Proper and careful handling of data, files, data carriers and other documents
  • Contractor ensures that the provision of services is carried out in compliance with data protection law
© 2021 - 2022 Procuros GmbH. All rights reserved.