Conditions for data processing pursuant to Art. 28 GDPR

Version: May 2018

Agreement

between

LexCom Informationssysteme GmbH, Rüdesheimer Str. 23, 80686 Munich, Germany

- hereinafter referred to as the “Contractor” or the “data processing company” -

and the customers of agroparts

- hereinafter referred to as the “Client” –

 

Note

This document contains the Contractor’s conditions for the data processing agreement between the Client and the Contractor pursuant to Art. 28 para. 3 of the General Data Protection Regulation (GDPR). The Client agrees to be bound by these conditions by concluding a user contract for agroparts (the “Service Agreement”) or – if a Service Agreement is already in place – through a subsequent declaration when using agroparts.

1. Object and duration of the order

(1) Object

The object of the order for data processing results from the Service Agreement.

(2) Duration

The duration of this order (term) corresponds to the term of the Service Agreement.

2. Specification of the content of the order

(1) Nature and purpose of the intended processing of data
This comprises the following processing operations relating to the use of agroparts:

• Entry of third-party customer data into the online service by the Client in connection with the processing of spare parts orders and deliveries
• Entry of third-party customer data into the online service by the Client in connection with the use of the “Warranty System” (in particular the attachment of customer orders for the settlement of warranty cases)
• Passive processing of third-party customer data (accessibility by the Contractor’s customer service team as part of maintenance and/or support services)

(2) Location where data processing takes place

The contractually agreed processing of data will be performed exclusively in a member state of the European Union or in another contracting state to the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the Client and may only take place if the special conditions of Articles 44 et seqq. GDPR are met.

(3) Type of data

The following data types/categories (list/description of the data categories) make up the object of the processing of personal data

• Personal master data
• Communication data (e.g. telephone, e-mail)
• Contract master data (type of contractual relationship, product or contractual interest)
• Client history
• Contract billing and payment data

(4) Categories of data subjects

The categories of data subjects to which the processing relates include:

• End customers of the Client

3. Technical and organisational measures

(1) The Contractor documents the implementation of the required technical and organisational measures set out prior to the award of the contract, in particular with regard to the specific execution of the order, and makes this documentation available to the Client together with this declaration. Upon acceptance by the Client, the documented measures become the basis of the order. Otherwise, the parties will not conclude a Service Agreement.

(2) The Contractor will ensure the level of security pursuant to Articles 28 para. 3 lit. c, 32 GDPR in particular in connection with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk in terms of the confidentiality, integrity, availability and resilience of the systems. In doing so, the Contractor shall take into account the state of the art, the implementation costs and the nature, scope and purpose of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR [details in Appendix].

(3) The technical and organisational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, it will not fall short of the security level of the specified measures. It must document any major changes.

4. Correction, restriction and deletion of data

(1) The Contractor will not correct, delete or restrict the processing of the data to be processed on behalf of the Client on its own authority. It will only correct, delete or restrict the processing of the data in accordance with the documented instructions of the Client. Insofar as a data subject contacts the Contractor directly in this regard, the Contractor will immediately forward this request to the Client.

(2) Insofar as included in the scope of services, the Contractor will immediately ensure a deletion concept, the right to be forgotten, correction, data portability and information in accordance with the Client’s documented instructions. Individual instructions that deviate from the Service Agreement or that present additional requirements, require the prior consent of the Contractor. It must be taken into account that the online services provided by the Contractor are standard products, the adaptation of which to the Client’s data protection requirements can result in high costs. These costs are to be paid in full by the Client in accordance with a corresponding individual agreement.

5. Quality assurance and other duties of the Contractor

In addition to complying with the regulations of this order, the Contractor also has legal duties in accordance with Articles 28 to 33 GDPR; in particular, it must ensure compliance with the following requirements:

1. Written appointment of a Data Protection Officer, who carries out his duties pursuant to Articles 38 and 39 GDPR. His contact details are communicated to the Client for the purpose of direct contact. A change of Data Protection Officer will be communicated to the Client immediately.
2. Safeguarding of confidentiality in accordance with Articles 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When carrying out the work, the Contractor will use only employees who have been obliged to maintain confidentiality and who have previously been familiarised with the data protection regulations relevant to them. The Contractor and any person reporting to the Contractor who has access to personal data, must process such data only in accordance with the instructions of the Client, including the powers granted in this Contract, unless they are legally obliged to process the data.
3. Implementation and compliance with all technical and organisational measures necessary for this order in accordance with Articles 28 para. 3 sentence 2 lit. c, 32 GDPR [details in Appendix].
4. The Client and the Contractor will work together with the supervisory authority on request to fulfil the relevant tasks.
5. Immediate informing of the Client regarding audit activities and measures by the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates the Contractor due to an administrative offence or criminal proceedings with regard to the processing of personal data for the commissioned data processing.
6. Insofar as the Client is subject to an inspection by the supervisory authority, an administrative offence or criminal proceedings, the liability claim of a data subject or a third party or any other claim in connection with the data processing by the Contractor, the Contractor will support the Client to the best of its ability.
7. The Contractor will regularly review the internal processes and technical and organisational measures to ensure that the processing within its area of responsibility complies with the requirements of applicable data protection law and ensures the protection of the data subject’s rights.
8. Verifiability vis-à-vis the Client of the technical and organisational measures taken within its supervisory powers in accordance with Section 7 of this Contract.

6. Subcontractual relations

(1) For the purposes of this regulation, subcontractual relationships are those services that relate directly to the provision of the main service. This does not include ancillary services provided by the Contractor e.g. telecommunication services, postal/transport services, maintenance and user services or the disposal of data storage devices as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software for data processing systems. However, even in the case of outsourced ancillary services, the Contractor is obliged to take appropriate and legally compliant contractual agreements and control measures to ensure the protection and security of the Client’s data.

(2) The Client hereby grants the Contractor general permission to call in additional data processing companies for the processing of client data. The additional data processing companies involved at the time of conclusion of the contract are shown in the following overview:

Subcontractor’s company	Address/country	Service
Belenus LOB GmbH	Rüdesheimer Str. 23 80686 Munich Germany	Provision of all internal and external IT operations

 

(3) The Contractor will inform the Client of any intended changes with regard to the involvement or replacement of additional data processing companies. In individual cases, the Client is entitled to object to the commissioning of a potential additional data processing company. An objection may only be raised by the Client on significant grounds to be demonstrated to the Contractor. If the Client does not object within 14 days of receipt of the notification, his right of objection with respect to the corresponding commissioning expires. If the Client objects, the Contractor is entitled to terminate the Main Contract and this Contract with a notice period of 3 months.

(4) The transfer of the Client’s personal data to the subcontractor and its commencing work are only permitted if all conditions for subcontracting are met.

(5) Any further outsourcing by the subcontractor requires the express consent of the main contractor (in text form as a minimum); all contractual regulations in the contracting chain must also be imposed on the additional subcontractor.

7. Monitoring rights of the Client

(1) In consultation with the Contractor, the Client is entitled to carry out inspections or have them carried out by auditors who are to be named in individual cases. It is entitled to carry out spot checks to verify that the Contractor is in compliance with this Agreement in its business operations. The Client must notify the Contractor in good time that it intends to conduct such a spot check. Such spot checks must be carried out during normal business hours without disturbing the Contractor’s course of operations, while maintaining strict confidentiality with regard to the Contractor’s operating and business secrets.

(2) The Contractor will make sure that the Client can satisfy itself of the compliance with the duties of the Contractor in accordance with Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organisational measures. As a rule, the Client can carry out one inspection per calendar year; additional checks are permitted in the case of specific incidents.

(3) The Contractor is entitled, at its sole discretion and taking into account the statutory obligations of the Client, not to disclose information that is sensitive with regard to the Contractor’s business or if the Contractor would breach any legal or contractual obligations by disclosing such information.

(4) At the Contractor’s discretion, the proof of such measures that relate not only to the specific order can be made by the following means instead of an on-site inspection

1. Compliance with approved codes of conduct pursuant to Art. 40 GDPR
2. Certification in accordance with an approved certification mechanism pursuant to Art. 42 GDPR
3. Current attestations, reports or excerpts of reports from independent entities (e.g. auditors, review, Data Protection Officer, IT security department, data protection auditors, quality auditors)
4. Appropriate certification from an IT security audit or data protection audit (e.g. in accordance with the baseline security of the German Federal Office for Information Security (BSI)).

A prerequisite for this is that this measure enables the Client to reasonably satisfy itself of the compliance with the technical and organisational measures as specified in the Appendix to this Agreement.

(5) The Contractor may assert a claim for compensation for enabling the Client to perform checks.

8. Notification in case of violations on the part of the Contractor

(1) The Contractor shall assist the Client in complying with the obligations relating to the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as set out in Articles 32 to 36 GDPR. This includes but is not limited to:

1. Ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing and the predicted likelihood and severity of a possible breach of rights due to security vulnerabilities, and enable the immediate detection of relevant violation events
2. The duty to report personal data breaches to the Client without delay
3. The obligation to support the Client in its duty to provide information to the data subject and to provide it with all relevant information in this context without delay
4. Providing assistance to the Client for its data protection impact assessment
5. Supporting the Client in the context of prior consultations with the supervisory authorities

(2) The Contractor may claim reasonable compensation for provision of support that is not included in the Service Agreement or is not the result of misconduct by the Contractor.

9. Authority of the Client

(1) The Client shall confirm verbal instructions immediately (in text form as a minimum).

(2) The Contractor will inform the Client immediately if it believes that an instruction violates data protection regulations. The Contractor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Client. The Contractor may assert a claim for compensation against the Client for expenses that it incurs as a result of this.

10. Deletion and return of personal data

(1) Copies or duplicates of the data will not be created without the knowledge of the Client. This does not include backup copies, to the extent that these are necessary to ensure proper data processing, and data that is required for compliance with statutory retention requirements.

(2) Upon completion of the contractually agreed work or earlier at the request of the Client – at the latest upon termination of the Service Agreement – the Contractor must hand over to the Client all documents that have come into its possession, results of processing and utilisation as well as datasets created in connection with the contractual relationship or, with prior consent, destroy them in line with data protection guidelines. The same applies to test material and discarded material. The log documenting the deletion must be submitted on request.

(3) The Contractor will retain documentation that serves to provide evidence of the proper data processing as per the order beyond the end of the Contract in accordance with the respective retention periods. It can hand this documentation over to the Client at the end of the contract term.

 

 

Appendix – Technical and organisational measures

1. Confidentiality (Art. 32 para. 1 lit. b GDPR)

Controlling access to equipment

• Permits
• Access code cards / access transponders
• Access authorisation concept
• Monitoring devices (e.g. video surveillance)
• Regulations regarding the use of keys
• Regulation for external visitors, badges
• Internal staff to accompany visits
• Attendance records of visitors
• Securing the building outside of working hours with an alarm system and/or plant security
• Defined security areas and controlled access
• Secured entrance for incoming and outgoing deliveries
• Door safety device (electric door closer, ID card reader, TV monitor, porter)
• Monitoring by employees (dual control principle)
• Measures for securing the property (e.g. special glazing, alarm system, security patrols)
• Separate secure access to the data centre
• Storage of servers in lockable rooms
• Storage of data storage devices under lock and key or in locked rooms
• Storage of backups (e.g. tapes, CDs) in the safe
• Instructions for issuing keys

Controlling access to data

• Encryption of networks
• Storage of data processing equipment under lock and key
• Identification of a user of the data processing system
• Issuing and securing of identification codes
• Password protection of computer workstations
• Functional and/or temporally limited use of workstations and identifiers
• Regulations for user authorisation
• Use of individual passwords
• Automatic blocking of user accounts after multiple incorrect entries of passwords
• Automatic screen lock with password protection after inactivity (screensaver)
• Password policy with minimum requirements for password complexity and update interval
• Hashing of stored passwords
• Rights assignment process for new employees
• Rights withdrawal process when employees change departments
• Rights withdrawal process when employees leave the company
• Commitment to data secrecy pursuant to Art. 28 para. 3 lit. b GDPR
• Guidelines for file organisation
• Logging and evaluation of system usage
• Controlled destruction of data storage devices
• Work instruction and processing procedure for data acquisition
• Program review and approval process

Controlling access to systems

• Definition of access authorisation, authorisation concept
• Definition of the power to enter, modify
• or delete data
• Distinction between authorisation granting (organisational) and
• authorisation assignment (technical)
• Concept of drive usage and allocation
• Regulations on restoring data from backups (who,
• when, at whose request)
• Regular verification of authorisations
• Limitation of free and unregulated
• query capability of databases
• Regular evaluation of log files
• ID card reader at the terminal
• Restricted access to databases and functions (read, write, execute)
• Logging file accesses, deletions, changes
• Malware scanner on workstation computers
• Malware filtering for Internet
• Malware/spam filtering for e-mail
• Firewalls
• Intrusion detection/prevention (IDS/IPS)
• Limited access to log data (only log administrators)
• Storage of log data on a dedicated log server

Separation control

• Separation of clients / legal entities
• Separation of development, test and productive system

2. Integrity (Art. 32 para. 1 lit. b GDPR)

>Disclosure control

• Secure file exchange (SFTP/FTPS)
• Data exchange via HTTPS connection (TLS 1.1 and 1.2)
• Definition of transmission authorisation, authorisation concept
• Monitoring by employees (dual control principle)
• Secured entrance for incoming and outgoing deliveries
• Management of data storage devices, inventory control
• Designated areas in which data storage devices must be located
• Encryption of confidential data storage devices
• Encryption of laptops
• Storage of personal data in lockable
• security cabinets
• Prohibition against carrying bags and other items of baggage in security areas
• Secure deletion of data storage devices (e.g. physical destruction, repeated overwriting)
• Secure paper disposal: Locked containers made of metal (secure collection bins)
• Regulations for making copies
• Backup copies of data storage devices that need to be transported
• Packaging and shipping instructions
• Direct collection, courier service, accompanied transportation
• Completeness and accuracy inspection

Entry control

• Labelling / classification of collected data
• Definition of user permissions (roles/profiles)
• Differentiated user permissions (reading, editing, deleting data, restricted access to data or functions)
• Organisational specification of data entry responsibilities
• Logging of data entries/deletions
• Regulation on retention periods for revision/verification purposes

3. Availability and resilience (Art. 32 para. 1 lit. b GDPR)

Availability control

• Data protection and backup concept
• Regular review of the data protection and backup concept
• Access restriction in server rooms to necessary personnel only
• Fire alarm systems in server rooms
• Automatic fire extinguishing systems in server rooms
• Waterless fire extinguishing agents (e.g. CO2 extinguishers) in server rooms
• Air-conditioned server rooms
• Lightning/surge protection
• Uninterruptible power supply (UPS)
• Emergency power systems
• Water sensors in server rooms
• Storage of backup systems in separate rooms and fire zones
• Storage of data in data cabinets, safes
• Regular check of the ability to restore the backup storage media
• Ensuring the technical readability of backup storage media in the future
• Storage of backup storage media under necessary storage conditions (air conditioning, protection requirements, etc.)
• Agreement to transfer the (data) backups
• Regular vulnerability analysis (site protection, building protection, intrusion into networks and IT systems)
• Redundant storage system
• Alternate data centres

4. Restoration of availability and access (Art. 32 para. 1 lit. c GDPR)

• Crisis or emergency plan (e.g. water, fire, explosion, threat of attacks, crash, earthquake)

5. Monitoring, assessment and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

Process for regular monitoring, assessment and evaluation

• Defined process for data protection management
• Defined process for incident response management
• Privacy by default settings (Art. 25 GDPR)

Order control

• Selection of subcontractor under due diligence (in particular regarding data security)
• Contract design according to legal requirements (Art. 28 GDPR)
• Centralised recording of existing subcontractors (standard contract management)
• On-site inspections of the subcontractor before the contract begins
• Regular on-site inspections of the subcontractor after the contract starts (during the contract period)
• Verification of the subcontractor’s data security concept
• Reviewing existing information security certificates for the subcontractor
• Issuing instructions to improve the data protection procedures of subcontractors
• Obligation of subcontractor employees to comply with data protection regulations