Privacy Policy

1. Data Protection at a Glance
General information
The following information provides a simple overview of what happens to your personal data when you visit this website. Personal data is any data that can be used to identify you personally. For detailed information on the subject of data protection, please refer to the privacy policy set out below this overview.
Data collection on this website
Who is responsible for data collection on this website?
Data processing on this website is carried out by the website operator. You can find their contact details in the "Information on the controller" section of this privacy policy.
How do we collect your data?
Your data is collected, on the one hand, when you provide it to us. This may, for example, be data that you enter in a contact form. On the other hand, data is collected automatically, or with your consent, by our IT systems when you visit the website. This is primarily technical data (e.g. internet browser, operating system or time of page view) and is collected automatically as soon as you enter this website.
What do we use your data for?
Some of the data is collected to ensure that the website is provided without errors. Other data may be used to analyse your user behaviour.
What rights do you have regarding your data?
You have the right to receive information about the origin, recipient and purpose of your stored personal data free of charge at any time. You also have the right to request the correction or deletion of this data. If you have given your consent to data processing, you can revoke this consent at any time for the future. You also have the right, under certain circumstances, to request the restriction of the processing of your personal data.
Application procedure
In the course of handling application procedures in our company, we work together with the application platform of the service provider Workwise GmbH (imprint: https://www.workwise.io/impressum). Recruitment on behalf of job seekers or employers is not order processing, but the use of a third-party specialist service provided by an independent controller (LDA-Bayern, FAQ list dated 20 July 2018). Further information on the data protection of the service provider Workwise GmbH can be found in its privacy policy (https://www.workwise.io/datenschutz).
Analysis tools and tools from third-party providers
When you visit this website, your surfing behaviour may be statistically analysed. This is mainly done using so-called analysis programmes; detailed information on these analysis programmes can be found in the following privacy policy.
Copyright
The content and works created by the site operators on these pages are subject to German copyright law. Duplication, processing, distribution and any form of commercialisation of such material beyond the scope of the copyright law shall require the prior written consent of its respective author or creator. Downloads and copies of this site are only permitted for private, non-commercial use and, insofar as the content on this site was not created by the operator, the copyrights of third parties are respected. In particular, third-party content is labelled as such. Should you nevertheless become aware of a copyright infringement, please inform us accordingly. If we become aware of any infringements, we will remove such content immediately.
2. Hosting and content delivery networks (CDN)
External hosting
This website is hosted by an external service provider (hoster). The personal data collected on this website is stored on the hoster's servers. This may include IP addresses, contact requests, meta and communication data, contract data, contact details, names, website accesses and other data generated via a website. The hoster is used for the purpose of fulfilling the contract with our potential and existing customers (Art. 6 para. 1 lit. b GDPR) and in the interest of a secure, fast and efficient provision of our online offer by a professional provider (Art. 6 para. 1 lit. f GDPR). Our hoster will only process your data to the extent necessary to fulfil its performance obligations and will follow our instructions with regard to this data.
We use the following hoster:
Webflow, Inc.
398 11th Street, 2nd Floor
San Francisco, CA 94103
Conclusion of an order processing contract
In order to ensure data protection-compliant processing, we have concluded an order processing contract with our hoster.
3. General notes and mandatory information
Data protection
The operators of these pages take the protection of your personal data very seriously. We treat your personal data confidentially and in accordance with the statutory data protection regulations and this privacy policy. Personal data is data that can be used to identify you personally. This privacy policy explains what data we collect and what we use it for. It also explains how and for what purpose this is done. Please note that data transmission over the Internet (e.g. when communicating by unencrypted email) may have security gaps; complete protection of data against access by third parties is not possible.
Note on the responsible body
The controller responsible for data processing on this website is
doinstruct Software GmbH
Rheinstrasse 10
49090 Osnabrück
Phone: 054193935391
E-mail: post@doinstruct.com
The controller is the natural or legal person who alone or jointly with others determines the purposes and means of the processing of personal data (e.g. names, e-mail addresses, etc.).
Storage period
Unless a more specific storage period has been specified in this privacy policy, your personal data will remain with us until the purpose for data processing no longer applies. If you assert a justified request for deletion or revoke your consent to data processing, your data will be deleted unless we have other legally permissible reasons for storing your personal data (e.g. retention periods under tax or commercial law); in the latter case, the deletion will take place after these reasons no longer apply.
Note on data transfer to the USA and other third countries
Among other things, we use tools from companies based in the USA or in other third countries that do not offer an adequate level of data protection. If these tools are active, your personal data may be transferred to these third countries and processed there. We would like to point out that a level of data protection comparable to that in the EU cannot be guaranteed in these countries. For example, US companies are obliged to hand over personal data to security authorities without you as the data subject being able to take legal action against this. It can therefore not be ruled out that US authorities (e.g. intelligence services) may process, analyse and permanently store your data on US servers for surveillance purposes. We have no influence on these processing activities.
Revocation of your consent to data processing
Many data processing operations are only possible with your express consent. You can withdraw your consent at any time. The legality of the data processing carried out until the revocation remains unaffected by the revocation.
Right to object to data collection in special cases and to direct advertising (Art. 21 GDPR)
IF THE DATA PROCESSING IS BASED ON ART. 6 PARA. 1 LIT. E OR F GDPR, YOU HAVE THE RIGHT TO OBJECT TO THE PROCESSING OF YOUR PERSONAL DATA AT ANY TIME ON GROUNDS RELATING TO YOUR PARTICULAR SITUATION; THIS ALSO APPLIES TO PROFILING BASED ON THESE PROVISIONS. THE RESPECTIVE LEGAL BASIS ON WHICH PROCESSING IS BASED CAN BE FOUND IN THIS PRIVACY POLICY. IF YOU OBJECT, WE WILL NO LONGER PROCESS YOUR PERSONAL DATA CONCERNED UNLESS WE CAN DEMONSTRATE COMPELLING LEGITIMATE GROUNDS FOR THE PROCESSING WHICH OVERRIDE YOUR INTERESTS, RIGHTS AND FREEDOMS, OR THE PROCESSING SERVES THE ESTABLISHMENT, EXERCISE OR DEFENCE OF LEGAL CLAIMS (OBJECTION PURSUANT TO ART. 21 PARA. 1 GDPR). IF YOUR PERSONAL DATA ARE PROCESSED FOR DIRECT MARKETING PURPOSES, YOU HAVE THE RIGHT TO OBJECT AT ANY TIME TO THE PROCESSING OF PERSONAL DATA CONCERNING YOU FOR THE PURPOSE OF SUCH MARKETING, WHICH INCLUDES PROFILING TO THE EXTENT THAT IT IS RELATED TO SUCH DIRECT MARKETING (OBJECTION PURSUANT TO ART. 21 PARA. 2 GDPR).
Right to lodge a complaint with the competent supervisory authority
In the event of violations of the GDPR, data subjects have the right to lodge a complaint with a supervisory authority, in particular in the Member State of their habitual residence, place of work or place of the alleged violation. The right to lodge a complaint is without prejudice to any other administrative or judicial remedy.
Right to data portability
You have the right to have data that we process automatically on the basis of your consent or in fulfilment of a contract handed over to you or to a third party in a commonly used, machine-readable format. If you request the direct transfer of the data to another controller, this will only take place if it is technically feasible.
SSL or TLS encryption
This site uses TLS encryption (the successor to SSL) for security reasons and to protect the transmission of confidential content, such as orders or enquiries that you send to us as the site operator. You can recognise an encrypted connection by the fact that the address line of the browser changes from "http://" to "https://" and by the lock symbol in your browser's address bar. If TLS encryption is activated, the data you transmit to us cannot be read by third parties while it is in transit between your browser and our server.
Information, erasure and rectification
Within the framework of the applicable legal provisions, you have the right at any time to request, free of charge, information about your stored personal data, its origin and recipients and the purpose of the processing, and, where applicable, to have this data rectified or erased. You can contact us at any time for this purpose and for any other questions on the subject of personal data.
Right to restriction of processing
You have the right to request the restriction of the processing of your personal data. You can contact us at any time to do this. The right to restriction of processing exists in the following cases:
- If you dispute the accuracy of your personal data stored by us, we generally need time to verify this. For the duration of the review, you have the right to request that the processing of your personal data be restricted.
- If the processing of your personal data was/is unlawful, you can request the restriction of data processing instead of erasure.
- If we no longer need your personal data, but you need it for the exercise, defence or assertion of legal claims, you have the right to request the restriction of the processing of your personal data instead of its erasure.
- If you have lodged an objection in accordance with Art. 21 para. 1 GDPR, a balance must be struck between your interests and ours. As long as it has not yet been determined whose interests prevail, you have the right to request the restriction of the processing of your personal data.
If you have restricted the processing of your personal data, this data - apart from its storage - may only be processed with your consent or for the establishment, exercise or defence of legal claims or for the protection of the rights of another natural or legal person or for reasons of important public interest of the European Union or of a Member State.
4. Data collection on this website
Cookies
Our Internet pages use so-called "cookies". Cookies are small text files and do not cause any damage to your end device. They are stored on your device either temporarily for the duration of a session (session cookies) or permanently (permanent cookies). Session cookies are automatically deleted at the end of your visit. Permanent cookies remain stored on your end device until you delete them yourself or they are automatically deleted by your web browser.
In some cases, cookies from third-party companies may also be stored on your device when you visit our website (third-party cookies). These enable us or you to use certain services of the third-party company (e.g. cookies for processing payment services).
Cookies have various functions. Many cookies are technically necessary, as certain website functions would not work without them (e.g. the shopping basket function or the display of videos). Other cookies are used to evaluate user behaviour or display advertising.
Cookies that are required to carry out the electronic communication process (necessary cookies) or to provide certain functions that you have requested (functional cookies, e.g. for the shopping basket function) or to optimise the website (e.g. cookies to measure the web audience) are stored on the basis of Art. 6 para. 1 lit. f GDPR, unless another legal basis is specified. The website operator has a legitimate interest in the storage of cookies for the technically error-free and optimised provision of its services. If consent to the storage of cookies has been requested, the cookies in question are stored exclusively on the basis of this consent (Art. 6 para. 1 lit. a GDPR); consent can be revoked at any time.
You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If cookies are deactivated, the functionality of this website may be restricted.
If cookies are used by third-party companies or for analysis purposes, we will inform you about this separately in this privacy policy and, if necessary, request your consent.
This website uses cookies. We use cookies to optimise content and advertisements.
By law, we can store cookies on your device if they are absolutely necessary for the operation of this site. We need your permission for all other types of cookies.
This site uses different types of cookies. Some cookies are placed by third parties that appear on our pages.
You can change or withdraw your consent at any time from the cookie statement on our website.
Please provide your consent ID and date if you wish to contact us regarding your consent.
Cookie consent with Usercentrics
This website uses Usercentrics' cookie consent technology to obtain your consent to the storage of certain cookies on your device or to the use of certain technologies and to document this in compliance with data protection regulations. The provider of this technology is Usercentrics GmbH, Rosental 4, 80331 Munich, Germany, website: https://usercentrics.com/de/ (hereinafter referred to as "Usercentrics").
When you visit our website, the following personal data is transmitted to Usercentrics:
- Your consent(s) or the revocation of your consent(s)
- your IP address
- Information about your browser
- Information about your end device
- Time of your visit to the website
In addition, Usercentrics stores a cookie in your browser in order to be able to assign the consents given or their revocation to you. The data collected in this way is stored until you ask us to delete it, delete the Usercentrics cookie yourself or the purpose for storing the data no longer applies. Mandatory statutory retention obligations remain unaffected.
Usercentrics is used to obtain the legally required consent for the use of certain technologies. The legal basis for this is Art. 6 para. 1 lit. c GDPR.
Contract on order processing
We have concluded an order processing contract with Usercentrics. This is a contract required by data protection law, which ensures that Usercentrics processes the personal data of our website visitors only in accordance with our instructions and in compliance with the GDPR.
Contact form
If you send us enquiries via the contact form, your details from the enquiry form, including the contact details you provide there, will be stored by us for the purpose of processing the enquiry and in the event of follow-up questions. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your enquiry is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.
We will retain the data you provide on the contact form until you request its deletion, revoke your consent for its storage, or the purpose for its storage no longer pertains (e.g. after fulfilling your request). Mandatory statutory provisions - in particular retention periods - remain unaffected.
Enquiry by e-mail, telephone or fax
If you contact us by e-mail, telephone or fax, your enquiry including all personal data (name, enquiry) will be stored and processed by us for the purpose of processing your request. We will not pass on this data without your consent.
This data is processed on the basis of Art. 6 para. 1 lit. b GDPR if your enquiry is related to the fulfilment of a contract or is necessary for the implementation of pre-contractual measures. In all other cases, the processing is based on our legitimate interest in the effective processing of the enquiries addressed to us (Art. 6 para. 1 lit. f GDPR) or on your consent (Art. 6 para. 1 lit. a GDPR) if this has been requested.
The data you send to us via contact requests will remain with us until you ask us to delete it, revoke your consent to storage or the purpose for data storage no longer applies (e.g. after your request has been processed). Mandatory statutory provisions - in particular statutory retention periods - remain unaffected.
5. Analysis tools and advertising
Google Analytics
This website uses functions of the web analysis service Google Analytics. The provider is Google Ireland Limited ("Google"), Gordon House, Barrow Street, Dublin 4, Ireland.
Google Analytics enables the website operator to analyse the behaviour of website visitors. In doing so, the website operator receives various usage data, such as page views, length of visit, operating systems used and origin of the user. This data may be summarised by Google in a profile that is assigned to the respective user or their end device.
We can also use Google Analytics to record your mouse and scroll movements and clicks, among other things. Google Analytics also uses various modelling approaches to supplement the data records collected and uses machine learning technologies for data analysis.
Google Analytics uses technologies that enable the recognition of the user for the purpose of analysing user behaviour (e.g. cookies or device fingerprinting). The information collected by Google about the use of this website is generally transmitted to a Google server in the USA and stored there.
The use of this analysis tool is based on Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in analysing user behaviour in order to optimise both its website and its advertising. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission. You can find details here: https://privacy.google.com/businesses/controllerterms/mccs/.
IP anonymisation
We have activated the IP anonymisation function on this website. This means that your IP address will be truncated by Google within member states of the European Union or in other signatory states to the Agreement on the European Economic Area before being transmitted to the USA. Only in exceptional cases will the full IP address be transmitted to a Google server in the USA and truncated there. On behalf of the operator of this website, Google will use this information to analyse your use of the website, to compile reports on website activity and to provide the website operator with other services relating to website activity and internet usage. The IP address transmitted by your browser as part of Google Analytics will not be merged with other Google data.
Browser plugin
You can prevent the collection and processing of your data by Google by downloading and installing the browser plugin available at the following link: https://tools.google.com/dlpage/gaoptout?hl=de. You can find more information on how Google Analytics handles user data in Google's privacy policy: https://support.google.com/analytics/answer/6004245?hl=de.
Order processing
We have concluded an order processing contract with Google and fully implement the strict requirements of the German data protection authorities when using Google Analytics.
Storage duration
Data stored by Google at user and event level that is linked to cookies, user IDs or advertising IDs (e.g. DoubleClick cookies, Android advertising ID) is anonymised or deleted after 2 months. For details, please see the following link: https://support.google.com/analytics/answer/7667196?hl=de
6. Plugins and tools
Adobe Fonts
This website uses web fonts from Adobe for the standardised display of certain fonts. The provider is Adobe Systems Incorporated, 345 Park Avenue, San Jose, CA 95110-2704, USA (Adobe).
When you access this website, your browser loads the required fonts directly from Adobe in order to display them correctly on your device. In doing so, your browser establishes a connection to Adobe's servers in the USA. This gives Adobe knowledge that this website has been accessed via your IP address. According to Adobe, no cookies are stored when the fonts are provided.
The data is stored and analysed on the basis of Art. 6 para. 1 lit. f GDPR. The website operator has a legitimate interest in the uniform presentation of the typeface on its website. If a corresponding consent has been requested (e.g. consent to the storage of cookies), the processing is carried out exclusively on the basis of Art. 6 para. 1 lit. a GDPR; the consent can be revoked at any time.
Data transfer to the USA is based on the standard contractual clauses of the EU Commission.
Details can be found here: https://www.adobe.com/de/privacy/eudatatransfers.html.
You can find more information about Adobe Fonts at: https://www.adobe.com/de/privacy/policies/adobe-fonts.html.
You can find Adobe's privacy policy at: https://www.adobe.com/de/privacy/policy.html
Product Data Processing Agreement
The client, as described in the T&C, as Controller (hereinafter "Controller"), and doinstruct Software GmbH, Rheinstraße 10, 49090 Osnabrück, Germany, as Data Processor (hereinafter "Data Processor"), collectively referred to as the "Parties."
Preamble
The Controller has commissioned the Data Processor in a contract already concluded (hereinafter referred to as the "Main Contract") for the services specified therein. Part of the execution of the contract is the processing of personal data. In particular, Art. 28 GDPR imposes specific requirements on such commissioned processing. To comply with these requirements, the Parties enter into the following Data Processing Agreement (hereinafter referred to as the “Agreement”), the performance of which shall not be remunerated separately unless expressly agreed.
1. Definitions
(1) Pursuant to Art. 4 (7) GDPR, the Controller is the entity that alone or jointly with other Controllers determines the purposes and means of the processing of personal data.
(2) Pursuant to Art. 4 (8) GDPR, a Data Processor is a natural or legal person, authority, institution, or other body that processes personal data on behalf of the Controller.
(3) Pursuant to Art. 4 (1) GDPR, personal data means any information relating to an identified or identifiable natural person (hereinafter "Data Subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
(4) Personal data requiring special protection are personal data pursuant to Art. 9 GDPR revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of Data Subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and criminal offenses or related security measures, as well as genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4(14) GDPR, health data pursuant to Art. 4 (15) GDPR, and data on the sex life or sexual orientation of a natural person.
(5) According to Article 4 (2) GDPR, the processing is any operation or set of operations that is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
(6) Pursuant to Article 4 (21) GDPR, the supervisory authority is an independent state body established by a Member State pursuant to Article 51 GDPR.
2. Subject of the contract
(1) The Data Processor provides the services specified in the Main Contract for the Controller. In doing so, the Data Processor obtains access to personal data, which the Data Processor processes for the Controller exclusively on behalf of and in accordance with the Controller's instructions. The scope and purpose of the data processing by the Data Processor are set out in the Main Contract and any associated service descriptions. The Controller shall be responsible for assessing the admissibility of the data processing.
(2) The Parties conclude the present Agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Main Contract.
(3) The provisions of this contract shall apply to all activities related to the Main Contract in which the Data Processor and its employees or persons authorized by the Data Processor come into contact with personal data originating from the Controller or collected for the Controller.
(4) The term of this Agreement shall be governed by the term of the Main Contract unless the following provisions give rise to further obligations or termination rights.
3. Right of instruction
(1) The Data Processor may only collect, process or use data within the scope of the Main Contract and in accordance with the instructions of the Controller. If the Data Processor is required to carry out further processing by the law of the European Union or the Member States to which it is subject, it shall notify the Controller of these legal requirements prior to the processing.
(2) The instructions of the Controller shall initially be determined by this Agreement. Thereafter, they may be amended, supplemented, or replaced by the Controller in writing or text form by individual instructions (Individual Instructions). The Controller shall be entitled to issue such instructions at any time. This includes instructions with regard to the correction, deletion, and blocking of data.
(3) All instructions issued shall be documented by the Controller. Instructions that go beyond the service agreed in the Main Contract shall be treated as a request for a change in service.
(4) If the Data Processor is of the opinion that an instruction of the Controller violates data protection provisions, it shall notify the Controller thereof without undue delay. The Data Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Data Processor may refuse to carry out an obviously unlawful instruction.
4. Types of data processed, group of Data Subjects, third country
(1) Within the scope of the implementation of the Main Contract, the Data Processor shall have access to the personal data specified in more detail in Annex 1.
(2) The group of Data Subjects affected by the data processing is listed in Annex 2.
(3) A transfer of personal data to a third country may take place under the conditions of Art. 44 et seq. GDPR.
5. Protective measures of the Data Processor
(1) The Data Processor shall be obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Controller's domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.
(2) The Data Processor shall organize the internal organization within its field of responsibility in such a way that it meets the special requirements of data protection. It shall have taken the technical and organizational measures specified in Annex 3 to adequately protect the Controller's data pursuant to Art. 32 GDPR, which the Controller acknowledges as adequate. The Data Processor reserves the right to change the security measures taken while ensuring that the contractually agreed level of protection is not undercut.
(3) The persons employed in the data processing by the Data Processor are prohibited from collecting, processing or using personal data without authorization. The Data Processor shall oblige all persons entrusted by it with the processing and performance of this contract (hereinafter "Employees") accordingly (obligation of confidentiality, Art. 28 (3) lit. b GDPR) and shall ensure compliance with this obligation with due care.
(4) The Data Processor has appointed a data protection officer. The Data Processor’s data protection officer is heyData GmbH, Schützenstr. 5, 10117 Berlin, datenschutz@heydata.eu, www.heydata.eu.
6. Information obligations of the Data Processor
(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Data Processor, suspected security-related incidents or other irregularities in the processing of personal data by the Data Processor, by persons employed by it within the scope of the contract or by third parties, the Data Processor shall inform the Controller without undue delay. The same shall apply to audits of the Data Processor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:
(a) a description of the nature of the personal data breach, including, to the extent possible, the categories and approximate number of Data Subjects affected and the categories and approximate number of personal data records concerned;
(b) a description of the measures taken or proposed by the Data Processor to address the breach and, where applicable, measures to mitigate its possible adverse effects;
(c) a description of the likely consequences of the personal data breach.
(2) The Data Processor shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the Data Subjects, inform the Controller thereof and request further instructions.
(3) In addition, the Data Processor shall be obliged to provide the Controller with information at any time insofar as the Controller's data are affected by a breach pursuant to paragraph 1.
(4) The Data Processor shall inform the Controller of any significant changes to the security measures pursuant to Section 5 (2).
7. Control rights of the Controller
(1) The Controller may satisfy itself of the technical and organizational measures of the Data Processor prior to the commencement of data processing and thereafter regularly on a yearly basis. For this purpose, the Controller may, for example, obtain information from the Data Processor, obtain existing certificates from experts, certifications or internal audits or, after timely coordination, personally inspect the technical and organizational measures of the Data Processor during normal business hours or have them inspected by a competent third party, provided that the third party is not in a competitive relationship with the Data Processor. The Controller shall carry out checks only to the extent necessary and shall not disproportionately disrupt the operations of the Data Processor in the process.
(2) The Data Processor undertakes to provide the Controller, upon the latter's verbal or written request and within a reasonable period of time, with all information and evidence required to carry out a check of the technical and organizational measures of the Data Processor.
(3) The Controller shall document the results of the inspection and notify the Data Processor thereof. In the event of errors or irregularities which the Controller discovers, in particular during the inspection of the results of the inspection, the Controller shall inform the Data Processor without undue delay. If facts are found during the control, the future avoidance of which requires changes to the ordered procedure, the Controller shall notify the Data Processor of the necessary procedural changes without delay.
8. Use of service providers
(1) The contractually agreed services shall be performed with the involvement of the service providers named in Annex 4 (hereinafter “Sub-processors”). The Controller grants the Data Processor its general authorization within the meaning of Article 28(2) s. 1 GDPR to engage additional Sub-processors within the scope of its contractual obligations or to replace Sub-processors already engaged.
(2) The Data Processor shall inform the Controller before any intended change in relation to the involvement or replacement of a Sub-processor. The Controller can object to the intended involvement or replacement of a Sub-processor for an important reason under data protection law.
(3) The objection to the intended involvement or replacement of a Sub-processor must be raised within 2 weeks of receiving the information about the change. If no objection is raised, the involvement or replacement shall be deemed approved. If there is an important reason under data protection law and an amicable solution is not possible between the Controller and the Processor, the Controller has a special right of termination at the end of the month following the objection.
(4) When engaging Sub-processors, the Data Processor shall oblige them in accordance with the provisions of this Agreement.
(5) A Sub-processor relationship within the meaning of these provisions does not exist if the Data Processor commissions third parties with services that are regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services provided by the Data Processor to the Controller and guarding services. Maintenance and testing services constitute Sub-processor relationships requiring consent in so far as they are provided for IT systems that are also used in connection with the provision of services for the Controller.
9. Requests and rights of Data Subjects
(1) The Data Processor shall support the Controller with suitable technical and organizational measures in fulfilling the Controller's obligations pursuant to Articles 12-22 and 32 to 36 GDPR.
(2) If a Data Subject asserts rights, such as the right of access, correction or deletion with regard to his or her data, directly against the Data Processor, the latter shall not react independently but shall refer the Data Subject to the Controller and await the Controller's instructions.
10. Liability
(1) In the internal relationship with the Data Processor, the Controller alone shall be liable to the Data Subject for compensation for damage suffered by a Data Subject due to inadmissible or incorrect data processing under data protection laws or use within the scope of the commissioned processing.
(2) The Data Processor shall have unlimited liability for damage insofar as the cause of the damage is based on an intentional or grossly negligent breach of duty by the Data Processor, its legal representative or vicarious agent.
(3) The Data Processor shall only be liable for negligent conduct in the event of a breach of an obligation, the fulfillment of which is a prerequisite for the proper performance of the contract and the observance of which the Controller regularly relies on and may rely on, but limited to the average damage typical for the contract. In all other respects, the liability of the Processor - including for its vicarious agents - shall be excluded.
(4) The limitation of liability pursuant to § 10.3 shall not apply to claims for damages arising from injury to life, body, health or from the assumption of a guarantee.
11. Termination of the Main Contract
(1) After termination of the Main Contract, the Data Processor shall return to the Controller all documents, data and data carriers provided to it or - at the request of the Controller, unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany - delete them. This shall also apply to any data backups at the Data Processor. The Data Processor shall on request provide documented proof of the proper deletion of any data.
(2) The Controller shall have the right to control the complete and contractual return or deletion of the data at the Data Processor in an appropriate manner.
(3) The Data Processor shall be obligated to keep confidential the data of which it has become aware in connection with the Main Contract even beyond the end of the Main Contract. The present Agreement shall remain valid beyond the end of the Main Contract as long as the Data Processor has personal data at its disposal which have been forwarded to it by the Controller or which it has collected for the Controller.
12. Final provisions
(1) To the extent that the Data Processor does not expressly perform support actions under this Agreement free of charge, it may charge the Controller a reasonable fee therefore, unless the Data Processor's own actions or omissions have made such support directly necessary.
(2) Amendments and supplements to this Agreement must be made in writing. This shall also apply to any waiver of this formal requirement. The priority of individual contractual agreements shall remain unaffected.
(3) If individual provisions of this Agreement are or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.
(4) This agreement is subject to German law.
Annex
Annex 1 - Description of the data/data categories
● First name and surname
● Language
● Mobile phone number and / or e-mail address, if applicable
● Personnel number
● First day of work
● Gender, if applicable
● Clothing and shoe size, if applicable
● Information on the progress of the training
● IP address
● Fields filled with data by the user, if applicable
Annex 2 - Description of affected Data Subjects/groups of affected Data Subjects
● Employees of the client or employees of companies affiliated with the client
● Visitors of the client
Annex 3 - Technical and organizational measures of the Data Processor
1. Introduction
1.1 Data protection officer
Our data protection officer is heyData GmbH, Schützenstraße 5, 10117 Berlin, www.heydata.eu, e-mail: datenschutz@heydata.eu.
2. Confidentiality (Art. 32 para. 1 lit. b GDPR)
2.1 Physical access control
The following implemented measures prevent unauthorised persons from gaining access to the data processing systems:
● Automatic access control system
● Chip card/transponder locking system
● Key regulation / key book
● Careful selection of cleaning staff
● Working from home: unauthorised persons have no access to employees' homes
● Work in the home office: instruction to employees to work in a separate office from their living rooms if possible
2.2 System access control
The following implemented measures prevent unauthorised persons from gaining access to the data processing systems:
● Authentication with user and password
● Authentication with biometric data
● Use of firewalls
● Encryption of data carriers
● Automatic desktop lock
● Encryption of notebooks / tablets
● Management of user authorisations
● Creating user profiles
● Central password rules
● Use of 2-factor authentication
● General instruction to manually lock the desktop when leaving the workstation
2.3 Data access control
The following implemented measures ensure that unauthorised persons have no access to personal data:
● Physical deletion of data carriers before they are reused
● Number of administrators is kept as small as possible
● Management of user rights by system administrators
2.4 Separation control
The following measures ensure that personal data collected for different purposes is processed separately:
● Separation of production and test system
● Encryption of data records that are processed for the same purpose
● Logical client separation (on the software side)
● Definition of database rights
● Internal instruction to anonymise/pseudonymise personal data in the event of disclosure or after expiry of the statutory deletion period, if possible.
3. Integrity (Art. 32 para. 1 lit. b GDPR)
3.1 Transfer control
It is ensured that personal data cannot be read, copied, changed or removed without authorisation during transmission or storage on data carriers and that it is possible to check which persons or bodies have received personal data. The following measures have been implemented to ensure this:
● E-mail encryption
● WLAN encryption (WPA2 with strong password)
● Logging of accesses and retrievals
● Provision of data via encrypted connections such as SFTP or HTTPS
3.2 Input control
The following measures ensure that it is possible to check who has processed personal data in data processing systems and at what time:
● Logging the entry, modification and deletion of data
4. Availability and resilience (Art. 32 para. 1 lit. b GDPR)
The following measures ensure that personal data is protected against accidental destruction or loss and is always available to the client:
We store all data at AWS. AWS holds several key information security certifications, including ISO/IEC 27001:2013, ISO/IEC 27017:2015, ISO/IEC 27018:2019, ISO/IEC 27701:2019, SOC 1 (SSAE 18/ISAE 3402), SOC 2, SOC 3, PCI DSS Level 1, FedRAMP, HIPAA, NIST 800-53, and CSA STAR. These certifications underscore AWS' commitment to providing a secure cloud environment and ensuring availability.
5. Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
5.1 Data protection management
The following measures are intended to ensure that the organisation meets the basic requirements of data protection law:
● Use of the heyData platform for data protection management
● Appointment of the data protection officer heyData
● Obligation of employees to maintain data secrecy
● Regular data protection training for employees
● Maintaining an overview of processing activities (Art. 30 GDPR)
5.2 Incident response management
The following measures are intended to ensure that reporting processes are triggered in the event of data protection violations:
● Reporting process for data protection violations in accordance with Art. 4 (12) GDPR to the supervisory authorities (Art. 33 GDPR)
● Notification process for data breaches in accordance with Art. 4 (12) GDPR to the data subjects (Art. 34 GDPR)
● Involvement of the data protection officer in security incidents and data breaches
● Use of firewalls
5.3 Data protection-friendly default settings (Art. 25 para. 2 GDPR)
The following implemented measures take into account the requirements of the principles of "privacy by design" and "privacy by default":
● Training of employees in "privacy by design" and "privacy by default"
● No more personal data is collected than is necessary for the respective purpose.
5.4 Order control
The following measures ensure that personal data can only be processed in accordance with the instructions:
● Written instructions to the contractor or instructions in text form (e.g. through an order processing contract)
● Ensuring the destruction of data after completion of the order, e.g. by requesting corresponding confirmations
● Confirmation from contractors that they commit their own employees to data secrecy (typically in the order processing contract)
● Ongoing review of contractors and their activities
Annex 4 – Current Sub-processors
Amazon Web Services EMEA SARL
38 Avenue John F. Kennedy
L-1855, Luxemburg
Function: Backend infrastructure and databases
Server location: EU
Datadog, Inc.
620 8th Ave, 45th Floor
New York, 10018 NY, USA
Function: Monitoring applications, tracking bugs in applications or on websites, and managing log files
Server location: EU
Mixpanel, Inc.
One Front Street 28
San Francisco, 94111 CA, USA
Function: Analysis
Server location: EU
Vercel, Inc.
340 S Lemon Ave Unit
Walnut, 4133 CA, USA
Function: Hosting of Manager and Web-App
Server location: Global CDN
Twilio, Inc.
375 Beale Street, Suite 300
San Francisco, 94105 CA, USA (Sendgrid)
Function: Sending mails
Server location: EU