mirror of
https://github.com/Karaka-Management/Organization-Guide.git
synced 2026-01-11 12:58:42 +00:00
Create DPA_en.md
Signed-off-by: Dennis Eichhorn <spl1nes.com@googlemail.com>
parent
9a2f8b8402
commit
fd5b4c15bb
93
Legal/DPA_en.md
Normal file
|
|
@ -0,0 +1,93 @@
|
|||
# Agreement on commissioned processing
|
||||
|
||||
According to Art. 28 para. 3 General Data Protection Regulation (GDPR)
|
||||
|
||||
## Subject matter and duration of processing
|
||||
|
||||
The subject matter of the agreement is the rights and obligations of the parties in the context of the provision of services in accordance with the service description and GTC, insofar as personal data is processed by Jingga e.K. (hereinafter referred to as the Contractor) as the processor for the customer as the controller (hereinafter referred to as the Client) in accordance with Art. 28 GDPR. This includes all activities that the contractor performs to fulfill the order and that constitute order processing. This also applies if the order does not expressly refer to this agreement on order processing.
|
||||
|
||||
The duration of the processing depends on the actual processing of the client's personal data by the contractor.
|
||||
|
||||
## Type and purpose of processing
|
||||
|
||||
The type of processing includes all types of processing within the meaning of the GDPR to fulfill the contract.
|
||||
|
||||
The purposes of the processing are all purposes necessary for the provision of the contractually agreed service, in particular in the area of cloud services, hosting, software as a service (SaaS) and IT support.
|
||||
|
||||
## Type of personal data and categories of data subjects
|
||||
|
||||
The type of data processed is determined by the client through the choice of product, configuration, use of services and transmission of data.
|
||||
|
||||
The categories of data subjects are determined by the client through the choice of product, the configuration, the use of the services and the transmission of data.
|
||||
|
||||
## Responsibility and processing on documented instructions
|
||||
|
||||
Within the scope of this agreement, the client is solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of data transfer to the contractor and for the lawfulness of data processing (“controller” within the meaning of Art. 4 No. 7 GDPR). This also applies with regard to the purposes and means of processing regulated in this agreement.
|
||||
|
||||
The instructions are initially defined by the GTC and may subsequently be amended by the client in writing or in an electronic format (text form) by means of individual instructions (individual instruction). Verbal instructions must be confirmed immediately in writing or in text form. In the event of proposed changes, the Contractor shall inform the Client of the effects on the agreed services, in particular the possibility of service provision, deadlines and remuneration. If the Contractor cannot reasonably be expected to implement the instruction, the Contractor shall be entitled to terminate the processing and to terminate the contract extraordinarily. The Client's obligation to pay remuneration shall cease to apply if the Contractor discontinues the service. Unreasonableness exists in particular if the services are provided in an infrastructure that is used by several clients / customers of the Contractor (shared services) and a change in processing is not possible or not reasonable for individual clients.
|
||||
|
||||
The contractually agreed data processing shall take place in a member state of the European Union or in another state party to the Agreement on the European Economic Area, unless the transfer of data to third countries is necessary for the provision of the service. In the event that a transfer to a third country takes place, the contractor shall ensure that the requirements of Art. 44 et seq. GDPR are fulfilled.
|
||||
|
||||
## Rights of the client, obligations of the contractor
|
||||
|
||||
1. the contractor may only process data of data subjects on the basis of documented instructions from the client. The instructions shall be set out in the contract at the outset. However, there is no obligation to follow instructions if an exceptional case within the meaning of Article 28 (3) a) GDPR exists (obligation under the law of the European Union or a Member State). This also applies to transfers of personal data to third countries or international organizations; if there is a processing obligation contrary to an instruction, the contractor shall inform the client of the corresponding legal requirement prior to processing. Unless the law in question prohibits such information due to an important public interest. The Contractor shall inform the Client immediately if it believes that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client. The instructions must be documented by the Client and kept for at least the duration of the contractual relationship.
|
||||
2. in view of the nature of the processing, the Contractor shall, where possible, support the Client with appropriate technical and organizational measures to meet the claims of the data subjects in accordance with Chapter III of the GDPR. The Contractor shall be entitled to demand reasonable remuneration from the Client for these services, unless the support was necessary due to a breach of law or contract by the Contractor. The Contractor shall provide the Client with cost information in advance.
|
||||
3. the Contractor shall support the Client in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to it. The Contractor shall be entitled to demand reasonable remuneration from the Client for these services, unless the support was necessary due to a breach of law or contract by the Contractor. The Contractor shall provide the Client with cost information in advance.
|
||||
4. the Contractor warrants that the employees involved in the processing of the Client's data and other persons working for the Contractor are prohibited from processing the data outside the instructions. Furthermore, the Contractor warrants that the persons authorized to process the personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality. The same applies to social secrecy, telecommunications secrecy in accordance with § 3 TTDSG and - in the knowledge of criminal liability - to the protection of secrets of persons subject to professional secrecy in accordance with § 203 StGB. The duty of confidentiality/secrecy shall continue to exist even after termination of the order.
|
||||
5. the Contractor shall inform the Client immediately if it becomes aware of any breaches of the protection of the Client's personal data. The Contractor shall take the necessary measures to secure the data and to minimize possible adverse consequences for the persons concerned.
|
||||
6. the contractor guarantees the written appointment of a data protection officer who carries out his activities in accordance with Art. 38 and 39 GDPR. A contact option shall be published on the Contractor's website.
|
||||
7. after completion of the provision of the processing services, the contractor shall, at the client's discretion, either delete all personal data or return it to the client, unless there is an obligation to store the personal data under Union law or the applicable law of a Member State. If the client does not exercise this right of choice, deletion shall be deemed to have been agreed. If the Client chooses to return the data, the Contractor may demand appropriate remuneration. The Contractor shall provide the Client with cost information in advance.
|
||||
8. if data subjects assert claims for damages pursuant to Art. 82 GDPR, the Contractor shall support the Client in the defense against the claims within the scope of its possibilities. The Contractor may demand reasonable remuneration for this, provided that the claims for damages are not based on a breach of law or contract by the Contractor.
|
||||
|
||||
## Obligations of the client
|
||||
|
||||
1. the client must inform the contractor immediately and completely if he discovers errors or irregularities with regard to data protection regulations during the execution of the order.
|
||||
2. in the event of termination, the client undertakes to delete the personal data that it has stored in the services prior to termination of the contract.
|
||||
3. at the request of the contractor, the client shall name a contact person for data protection matters.
|
||||
|
||||
## Requests from data subjects
|
||||
|
||||
The Contractor shall inform the Client immediately of any request received from the data subject. It shall not respond to the request itself unless it has been authorized to do so by the Client. Taking into account the nature of the processing, the Contractor shall assist the Client in fulfilling its obligation to respond to requests from data subjects to exercise their rights. In fulfilling its obligations, the Contractor shall follow the Client's instructions. The Contractor shall not be liable if the data subject's request is not answered by the Client, is not answered correctly or is not answered on time.
|
||||
|
||||
## Measures for the security of processing in accordance with Art. 32 GDPR
|
||||
|
||||
1. the contractor shall take appropriate technical and organizational measures in his area of responsibility to ensure that the processing is carried out in accordance with the requirements of the GDPR and to ensure the protection of the rights and freedoms of the data subject. The client shall take appropriate technical and organizational measures in its area of responsibility in accordance with Art. 32 GDPR to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing in the long term.
|
||||
2. the Contractor's current technical and organizational measures can be viewed at this link. The contractor clarifies that the technical and organizational measures listed under the link are merely descriptions of a technical nature, which are not to be regarded as part of this agreement.
|
||||
3. the Contractor shall operate a procedure for regularly reviewing the effectiveness of the technical and organizational measures to ensure the security of processing in accordance with Art. 32 para. 1 lit. d) GDPR
|
||||
4. the contractor shall adapt the measures taken over time to developments in the state of the art and the risk situation. The contractor reserves the right to change the technical and organizational measures taken, provided that the level of protection in accordance with Art 32 GDPR is not undercut.
|
||||
|
||||
|
||||
## Proof and verification
|
||||
|
||||
1. the Contractor shall provide the Client with all information necessary to prove compliance with the obligations set out in Art. 28 GDPR and, in individual cases, shall enable audits - including inspections - to be carried out by the Client or another auditor commissioned by the Client. The Contractor is entitled to request a confidentiality agreement from the Client and its commissioned auditor, but this shall not prevent the Client from providing evidence to the supervisory authority responsible for it. The contractor may reject direct competitors of the client or persons who work for direct competitors of the client as auditors.
|
||||
2. the Contractor may demand reasonable remuneration for information and assistance, unless the inspection was necessary due to a breach of law or contract by the Contractor. The Contractor shall provide the Client with cost information in advance.
|
||||
|
||||
## Subcontractors (further processors)
|
||||
|
||||
1. the client grants the contractor general authorization to use further processors within the meaning of Art. 28 GDPR to fulfill the contract.
|
||||
2. the other processors currently used are listed in Annex 1. The Client agrees to their use.
|
||||
3. the Contractor shall inform the Client if it intends to make a change with regard to the involvement or replacement of additional processors. The Client may object to such changes.
|
||||
4. the objection to the intended change can only be raised against the Contractor for a material reason within 14 days of receipt of the information about the change. In the event of an objection, the Contractor may, at its own discretion, provide the service without the intended change or - if the provision of the service without the intended change is unreasonable for the Contractor - discontinue the service affected by the change vis-à-vis the Client within a reasonable period (at least 14 days) after receipt of the objection. The Client's obligation to pay shall lapse at the time the Contractor discontinues the service.
|
||||
5. if the Contractor places orders with other processors, the Contractor shall be responsible for transferring its data protection obligations under this contract to the other processor. In particular, the Contractor shall ensure through regular checks that the other processors comply with the technical and organizational measures.
|
||||
|
||||
## Liability and compensation for damages
|
||||
|
||||
In the event of the assertion of a claim for damages by a data subject pursuant to Art. 82 GDPR, the parties undertake to support each other and to contribute to the clarification of the underlying facts.
|
||||
|
||||
The liability provision agreed between the parties in the GTCs shall also apply to claims arising from this agreement on commissioned processing and in the internal relationship between the parties for claims of third parties pursuant to Art 82 GDPR, unless expressly agreed otherwise.
|
||||
|
||||
|
||||
## Contract term, miscellaneous
|
||||
|
||||
1. the agreement shall commence upon conclusion by the client. It ends at the end of the last contract under the respective customer number. If commissioned processing takes place after the end of this agreement, the provisions of this agreement shall apply until the actual end of processing.
|
||||
2. the Contractor may amend the agreement at its reasonable discretion with a reasonable period of notice. In particular, it expressly reserves the right to amend this agreement unilaterally if there are significant legal changes in relation to this agreement. The Contractor shall inform the Client separately of the significance of the planned amendment and shall also grant the Client a reasonable period of time to declare an objection. The Contractor shall point out to the Client in the notice of change that the change shall take effect if it does not object within the set period. In the event of an objection by the Client, the Contractor shall be entitled to an extraordinary right of termination.
|
||||
3. the client recognizes this agreement as part of the GTC for the product(s) booked by the client. In the event of any contradictions, the provisions of this agreement on order processing shall take precedence over the provisions of the GTCs. Should individual parts of this agreement be invalid, this shall not affect the validity of the remaining provisions.
|
||||
4. the exclusive place of jurisdiction for all disputes arising from and in connection with this contract shall be the Contractor's registered office. This shall apply subject to any exclusive statutory place of jurisdiction. This contract is subject to the statutory provisions of the Federal Republic of Germany.
|
||||
5. should the client's data at the contractor's premises be jeopardized by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the contractor must inform the client immediately. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client as the “controller” within the meaning of the GDPR.
|
||||
|
||||
# Appendix 1
|
||||
|
||||
1. server hosting: IONOS SE - Elgendorfer Str. 57 56410 Montabaur
|
||||
2. maps: https://openlayers.org/ (if address data is provided by the client, for display on maps)
|
||||
3. geo location: https://nominatim.org/ (if address data is provided by the client, for conversion to geolocation)
|
||||
4. VAT validation: https://ec.europa.eu/taxation_customs/vies/#/vat-validation (if VAT is validated by the customer)
|
||||
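Review bot: In "Measures for the security of processing in accordance with Art. 32 GDPR", item 2 says the technical and organizational measures "can be viewed at this link", but the added text as shown has no link target, so a reader of the agreement cannot find the measures it refers to; add the URL or a path to the document. Because the same item says those measures are not part of the agreement and item 4 lets the Contractor change them, a version or date on the referenced description would let the Client tell which set applied at a given time. In "Subcontractors (further processors)", item 2 refers to "Annex 1" while the heading at the end of the file is "# Appendix 1"; use one term in both places. Appendix entries 2 to 4 give only a URL, whereas entry 1 names the legal entity and its address; naming the operating entity for each entry would make the list of further processors consistent.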