Data Processing Agreement

1. Subject matter and duration of processing

1.1 The subject matter of the agreement is the rights and obligations of the parties within the scope of the provision of services in accordance with the General Terms and Conditions (hereinafter Main Agreement), insofar as a processing of personal data by synetics (hereinafter contractor) as a processor for the customer as the responsible party (hereinafter client) pursuant to Art. 28 DSGVO. This includes all activities that the contractor performs to fulfil the order and that constitute commissioned processing. This shall also apply if the order does not expressly refer to this agreement on commissioned processing.

1.2 The duration of the processing shall correspond to the term agreed in the main contract.

2. Type and purpose of the processing

2.1 The type of processing includes all types of processing within the meaning of the GDPR to fulfil the order.

2.2 The purposes of the processing are all purposes necessary for the provision of the contractually agreed service (see also GTC), in particular in the area of cloud services, hosting, software as a service (SaaS) and IT support.

3. Type of personal data and categories of data subjects

3.1 The type of data processed is determined by the customer through the use of the product, the configuration, the use of the services and the transmission of data.

3.2 The categories of data subjects are determined by the customer through the product use, the configuration, the use of the services and the transmission of data.

4. Responsibility and processing on documented instructions

4.1 Within the scope of this agreement, the customer shall be solely responsible for compliance with the statutory provisions of data protection laws, in particular for the lawfulness of the transfer of data to the contractor as well as for the lawfulness of the data processing ("Responsible Party" within the meaning of Art. 4 No. 7 GDPR). This shall also apply with regard to the purposes and means of processing regulated in this agreement.

4.2 The instructions shall initially be determined by the main agreement and may thereafter be amended by the client in writing or in an electronic format (text form) by means of individual instructions. Verbal instructions shall be confirmed immediately in writing or in text form. In the case of proposed changes, the contractor shall inform the customer of the effects on the agreed services, in particular the possibility of providing the service, deadlines and remuneration. If the contractor cannot reasonably be expected to implement the instruction, the contractor shall be entitled to terminate the processing. Unreasonableness shall be deemed to exist in particular if the services are provided in an infrastructure which is used by several clients/customers of the contractor (shared services) and a change in the processing is not possible or not reasonable for individual clients.

4.3 The contractually agreed data processing shall take place predominantly in a member state of the European Union or in another state party to the agreement on the European Economic Area, unless the transfer of data to third countries becomes necessary in order to provide the service. In the event that a transfer to a third country takes place, the contractor shall ensure that the requirements pursuant to Art. 44 et seq. DSGVO are fulfilled.

5. Rights of the customer, obligations of the contractor

5.1 The contractor may only process data of data subjects within the scope of the order and the documented instructions of the customer, unless there is an exceptional case within the meaning of Article 28 (3) a) DSGVO (obligation under the law of the European Union or a Member State). This also refers to transfers of personal data to third countries or international organisations. If there is a processing obligation contrary to an instruction, the contractor shall inform the client of the relevant legal requirement prior to the processing. Unless the relevant law prohibits such information due to an important public interest. The contractor shall inform the customer without any undue delay if it believes that an instruction violates applicable laws. The contractor may suspend the implementation of the instruction until it has been confirmed or amended by the customer. The instructions shall be documented by the customer and kept for at least the duration of the contractual relationship.

5.2 In view of the nature of the processing, the contractor shall, if possible, support the client with suitable technical and organisational measures in fulfilling the claims of the data subjects pursuant to Chapter III of the GDPR. The contractor shall be entitled to demand reasonable remuneration from the customer for these services, unless the support becomes necessary due to a breach of law or a breach of contract by the contractor. The contractor shall provide the customer with cost information in advance.

5.3 The contractor shall support the customer in complying with the obligations set out in Articles 32 to 36 of the GDPR, taking into account the type of processing and the information available to it. The contractor shall be entitled to demand reasonable remuneration from the customer for these services, unless the support becomes necessary due to a breach of law or a breach of contract by the contractor. The contractor shall provide the customer with cost information in advance.

5.4 The contractor warrants that the employees involved in the processing of the customer's data and other persons working for the contractor are prohibited from processing the data outside the scope of the instruction. Furthermore, the contractor warrants that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. The same shall apply to social secrecy, telecommunications secrecy pursuant to Section 3 TTDSG and - in knowledge of the criminal liability - to the protection of secrets of professional secrecy holders pursuant to Section 203 StGB (German Criminal Code). The confidentiality/secrecy obligation shall continue to exist after termination of the order.

5.5 The contractor shall inform the client immediately if it becomes aware of any violations of the client's personal data protection. The contractor shall take the necessary measures to secure the data and to mitigate any possible adverse consequences for the persons concerned.

5.6 The contractor shall ensure the written appointment of a data protection officer who shall carry out his activities in accordance with Articles 38 and 39 of the GDPR. A contact option shall be published on the contractor's website.

5.7 After completion of the provision of the processing services, the contractor shall, at the option of the customer, either delete all personal data or return it to the customer, unless there is an obligation to store the personal data under Union law or under the applicable law of a Member State or unless otherwise specified in respective contractual agreements. If the client does not exercise this right of choice, deletion shall be deemed agreed. If the customer chooses to return the data, the contractor may demand reasonable compensation. The contractor shall provide the customer with cost information in advance.

5.8 If the data subject asserts claims for damages pursuant to Art. 82 DSGVO, the contractor shall support the customer in defending the claims within the scope of its possibilities. The contractor may demand reasonable remuneration for this.

6. Obligations of the Customer

6.1 The customer shall inform the contractor immediately and in full if it discovers errors or irregularities with regard to data protection provisions during the execution of the order.

6.2 In the event of termination, the customer undertakes to delete the personal data which it has stored in the services before the termination of the contract.

6.3 Upon request of the contractor, the customer shall name a contact person for data protection issues.

7. Inquiries by data subjects

If a data subject approaches the contractor with requests for correction, deletion or information, the contractor shall refer the data subject to the client, provided that an assignment to the client is possible according to the data subject.

The contractor shall immediately forward the request of the data subject to the customer. The contractor shall support the customer within the scope of its possibilities. The contractor shall not be liable if the request of the data subject is not answered, not answered correctly or not answered in time by the customer.

8. Measures for the security of the processing in accordance with Art. 32 DSGVO.

8.1 The contractor shall take appropriate technical and organisational measures in its area of responsibility to ensure that the processing is carried out in accordance with the requirements of the GDPR and guarantees protection for the rights and freedoms of the data subject. The client shall take appropriate technical and organisational measures in its area of responsibility in accordance with Article 32 of the GDPR to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing on a permanent basis.

8.2 The contractor's current technical and organisational measures can be requested and viewed at any time. The contractor clarifies that the technical and organisational measures listed are merely descriptions of a technical nature which are not to be regarded as part of this agreement.

8.3 The contractor shall operate a procedure for the regular review of the effectiveness of the technical and organisational measures to ensure the security of the processing pursuant to Art. 32 (1) lit. d) DSGVO.

8.4 The contractor shall adapt the measures taken over time to developments in the state of the art and the risk situation. The contractor reserves the right to change the technical and organisational measures taken, provided that the level of protection pursuant to Art 32 DSGVO is not undercut.

9. Proof and verification

9.1 The Contractor shall provide the Customer with all necessary information to prove compliance with the obligations set forth in Art. 28 of the GDPR and shall enable reviews - including inspections - to be carried out by the customer or another auditor commissioned by the customer in individual cases. The contractor shall be entitled to demand a confidentiality declaration from the client and from its appointed auditor, which shall not, however, prevent the client from providing evidence itself to the supervisory authority responsible for it. The contractor may reject direct competitors of the client or persons who work for direct competitors of the client as auditors.

9.2 The contractor may demand reasonable remuneration for information and support activities, unless the inspection becomes necessary due to a breach of law or a breach of contract by the contractor. The contractor shall provide the customer with cost information in advance.

10. Subcontractors

10.1 The customer grants the contractor general permission to use further processors within the meaning of Article 28 of the GDPR for the performance of the contract.

10.2 The additional processors currently used are listed in Annex 1. The customer declares its consent to their use.

10.3 The contractor shall inform the customer if it intends to make a change with regard to the use or replacement of further processors. The customer may object to such changes.

10.4 The objection to the intended change may only be raised for a factual reason within 14 days after receipt of the information about the change to the contractor. In the event of an objection, the contractor may, at its own discretion, provide the service without the intended change or - if the provision of the service without the intended change is not reasonable for the contractor - discontinue the service affected by the change vis-à-vis the customer within a reasonable period (at least 14 days) after receipt of the objection.

10.5 If the contractor places orders with further processors, it shall be incumbent on the contractor to transfer its data protection obligations under this agreement to the further processor. The contractor shall ensure, in particular by means of regular checks, that the further processors comply with the technical and organisational measures.

11. Liability and damages

11.1 In the event that a data subject asserts a claim for damages pursuant to Art. 82 GDPR, the parties undertake to support each other and to contribute to the clarification of the underlying facts.

11.2 The liability provision agreed between the parties in the main contract for the provision of services shall also apply to claims arising from this agreement on commissioned processing and in the internal relationship between the parties for claims by third parties pursuant to Art 82 of the GDPR, unless expressly agreed otherwise.

12. Term of the agreement, miscellaneous

12.1 The agreement shall commence upon conclusion by the principal. It ends with the end of the last contract under the respective customer number. If commissioned processing still takes place after the end of this agreement, the provisions of these agreements shall apply until the actual end of the processing.

12.2 The contractor may amend the agreement at its reasonable discretion with reasonable notice. In particular, it expressly reserves the right to unilaterally amend this agreement if material legal changes occur with respect to this agreement. The contractor shall separately inform the customer of the significance of the planned amendment and shall furthermore grant the customer a reasonable period of time to declare an objection. The contractor shall inform the customer in the notice of amendment that the amendment will become effective if the customer does not object within the set period. In the event of an objection by the customer, the contractor shall have an extraordinary right of termination.

12.3 The customer shall recognise this agreement as part of the General Terms and Conditions for the product(s) booked by it. In the event of any contradictions, provisions of this agreement on commissioned processing shall take precedence over the provisions of the main contract. Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.

12.4 The exclusive place of jurisdiction for all disputes arising from and in connection with this agreement shall be the contractor's registered office. This shall apply subject to any exclusive statutory place of jurisdiction. This contract is subject to the statutory provisions of the Federal Republic of Germany.

12.5 If the customer's data with the contractor is endangered by seizure or attachment, by insolvency or composition proceedings or by other events or measures of third parties, the contractor shall inform the customer thereof without any undue delay. The contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the client as the person responsible within the meaning of the GDPR.