ANNEX TO "GENERAL TERMS AND CONDITIONS FOR GINLO @WORK"
Commissioned-Processing Contract for ginlo @work
(in accordance with Art. 28 GDPR)
Version: 25 May 2018
1 Object of contract
1.1 Processing of personal data.
Brabbler Secure Message and Data Exchange Aktiengesellschaft, Ria-Burkei-Straße 26, 81249 Munich/Germany ("contractor") shall provide the customer ("client") with an online service for the secure, encrypted exchange of messages and other content in accordance with the "General Terms and Conditions for ginlo @work ("service contract") ("ginlo @work"). This commissioned-processing contract governs the processing of personal data by the contractor regarding the provision of ginlo @work in accordance with Art. 28 of Directive (EU) 2016/679 (General Data Protection Regulation "GDPR"). The terms "personal data", "data subject", and "processing" have the meanings defined in Art. 4 GDPR.
This contract only applies to the extent that the client is subject to the requirements of Art. 28 GDPR. This commissioned-processing contract does not apply if the contractor provides telecommunications services and no commissioned-processing contract according to Art. 28 GDPR is legally specified for these.
1.3 Object, nature, and purpose of processing, nature of the personal data, and categories of data subjects.
The object of processing is the provision of ginlo @work, particularly the provision of the server services according to the service agreement. The following types of personal data about users and administrators of ginlo @work shall be processed (referred to hereinafter as "customer data"):
a) User registration data (e-mail address, first and last name, poss. profile picture)
b) Encrypted content data (e.g. ginlo messages sent or received by users); this data is already encrypted on the user's device and is also stored in encrypted form on the contractor's server so that the contractor is unable to access the data.
c) Metadata such as message send times or recipient IDs, device and connection data such as the device ID, operating system version, and IP address of a user’s device.
2 Client's duties
2.1 Party responsible.
In the relationship between the client and contractor, the client remains the party with sole responsibility for the customer data in the sense of the data protection legislation, Art. 4 (7) GDPR, and is solely responsible for the legality of data processing throughout the contractual period as well as for upholding the rights of the data subjects. The client shall inform the data subjects about data processing in accordance with the provisions of the GDPR. Information on the contractor's data protection is available at www.ginlo.net/en/legal/privacy.
The customer data is processed by the contractor as part of the provision of a standardized software solution. The client shall essentially exercise their right to issue instructions (see number 4.2) with respect to the customer data through the setup and use of the ginlo Team Manager software. If necessary, the client shall forward additional instructions for processing customer data exclusively to the following address: firstname.lastname@example.org. If the content of the client's instructions exceeds what the contractor owes to the client in accordance with the service contract, the client shall separately remunerate the contractor for the corresponding services at the contractor's usual hourly rates at that time. If an instruction can only be implemented with a disproportionately high degree of effort, the contractor shall be entitled to extraordinary termination of the service contract and this commissioned-processing contract.
3 Contractor's duties
3.1 Compliance with the client’s instructions.
The contractor shall only process the customer data in accordance with the documented instructions of the client unless the contractor is obliged to do so by the law of the EU or Germany; in such a case, the contractor shall inform the client of these legal requirements prior to processing, unless the respective law prohibits such notification due to reasons of substantial public interest. The client's instructions shall also be observed with regard to the transmission of customer data to a country outside of the EU or an international organization, unless this has already been contractually agreed.
3.2 Compliance with the intended purpose.
The contractor shall process the customer data exclusively as part of and for the purpose of providing ginlo @work for the client and according to the client's instructions.
3.3 Duty of notification.
The contractor shall immediately inform the client if, in the opinion of the contractor, an instruction issued by the client violates the GDPR or other data protection regulations of the EU or Germany. The contractor shall be entitled to suspend the execution of the corresponding instruction until it has been confirmed or modified by the client. The contractor shall not be subject to any duty to legally review instructions.
3.4 Rights of data subjects.
If the data subjects assert their rights to information (Art. 15 GDPR), rectification (Art. 16 GDPR), erasure(Art. 17 GDPR), restriction of processing (Art. 18 GDPR), or data portability (Art. 20 GDPR), the client themselves shall comply with this by using the corresponding software functions, if possible. The same shall apply in the event of objection (Art. 21 GDPR) or the withdrawal of consent. If the contractor is unable to do so, number 3.7 shall apply. Number 6.2 shall primarily apply to the issue and deletion of customer data at the end of the contract.
3.5 Data confidentiality.
The contractor shall guarantee that the persons authorized to process the customer data have entered into a confidentiality commitment or are subject to an appropriate statutory duty of confidentiality.
3.6 Duty of notification in the event of data breaches.
If the contractor becomes aware of a personal data breach, they shall immediately notify the client of this. "Personal data breach" means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, customer data transmitted, stored or otherwise processed by the contractor, Art. 4 (12) GDPR.
3.7 Duty of support.
In view of the nature of the processing, the contractor shall, as far as possible, support the client with appropriate technical and organizational measures to comply with their obligation to respond to requests for ensuring the rights of data subjects referred to in Art. 12 to 23 GDPR. The contractor is under no obligation to provide ginlo @work in such a way that the data subject rights specified in the GDPR can be fulfilled using integrated software functions by the contractor themselves. In addition, the aforementioned duty of support does not oblige the contractor to adapt ginlo @work. In consideration of the nature of the processing and the information available to it, the contractor shall additionally support the persons responsible in complying with the duties specified in Art. 32 to 36 GDPR. The client shall reimburse the contractor for the effort (including working hours) caused by the fulfillment of the duties of support according to this number 3.7 at the contractor's usual hourly rates at that time.
3.8. Data security.
Within their area of responsibility, the contractor shall implement all measures necessary in accordance with Art. 32 GDPR. Documentation of the measures implemented at the start of the contract is available at https://www.ginlo.net/en/legal/privacy. The measures are to be checked by the client before conclusion of the contract and are considered to be accepted if the client has not expressly objected to them before conclusion of the contract. The contractor shall be entitled to adapt these measures according to the respective requirements as long as the overall data protection level is not reduced as a result. Any changes must be documented.
3.9 Inquiries from supervisory authorities.
The contractor shall respond independently to inquiries from supervisory authorities (Art. 31 GDPR) with respect to the client's duties arising directly from the GDPR (see Art. 30, 32, 46 (1) GDPR), and shall only inform the client if the matter has a direct legal bearing on the client.
4 Client's rights of inspection
4.1 Right of inspection.
The client shall have the right to carry out inspections in consultation with the contractor or to have them carried out by auditors to be designated in individual cases. The client shall have the right to convince themselves of the contractor's compliance with this commissioned-processing contract within their business operations by means of spot checks, which must be announced in good time. Inspections shall be carried out without significantly affecting the contractor's business operations. The contractor shall ensure that the client can satisfy themselves of compliance with the contractor's duties in accordance with Art. 28 GDPR. On request, the contractor shall provide the client with the necessary information and, in particular, explain the implementation of the technical and organizational measures.
As the contractor so chooses, measures that not only apply to the specific contract can be proved by
a) adherence to approved codes of conduct in accordance with Art. 40 GDPR;
b) certification according to an approved certification process in accordance with Art. 42 GDPR;
c) current attestations, reports or report excerpts from independent bodies (e.g. auditors, auditing department, data protection officer, IT security department, privacy auditors, quality auditors);
d) suitable certification through an IT security or privacy audit (e.g. according to BSI IT-Grundschutz).
The client shall reimburse the contractor for costs incurred due to inspections. This also includes a cost allowance for the working time of the personnel used by the contractor at the contractor's usual hourly rates at that time. The contractor may demand a reasonable advance from the client in the case of an announced inspection.
4.4 Contractor interests requiring protection.
Insofar as inspections can reveal the contractor's operating and business secrets or endanger the contractor's intellectual property or the system security, the client shall have the inspections carried out by a competent and independent third party that shall undertake to maintain the contractor's confidentiality in advance in writing.
5 Sub-contractual relationships
5.1 Approval of subcontractors.
The contractor shall be entitled, at their own discretion, to engage further contractors (subcontractors) for the purpose of commissioned processing, particularly hosters, provided that data processing is carried out by a provider based in Germany and the data processing systems are located in Germany. The client hereby approves the engagement of such subcontractors. Only co-location providers that provide Internet connection and space in a data center are currently used by the contractor. These are not subcontractors.
The contractor shall inform the client (e.g. by e-mail) of any intended change in relation to the addition or replacement of subcontractors. The client may object to this within a period of four weeks as of notification. The client shall only object due to objective reasons. In the event of an objection, the contractor shall have an extraordinary right to terminate the service contract and this commissioned-processing contract; fees paid in advance shall then be repaid pro rata by the contractor.
5.3 Contracts with subcontractors.
If the contractor uses the services of a subcontractor, the contractor shall contractually obligate the subcontractor to the same data protection obligations as those specified in this commissioned-processing contract. If the subcontractor fails to comply with their duties of data protection, the contractor shall be liable to the client for compliance with the subcontractor's duties.
The period of this contract corresponds to the period of the main contract. The right of termination for good cause remains unaffected.
6.2 Data at the end of the contract.
At the end of the contract period, the following shall apply with respect to the deletion and issue of customer data:
a) Deletion. At the end of a test phase or at the end of a paid subscription, the customer data will be stored for another 7 days, so that the client can continue to use ginlo @work to its full extent. After that, all user accounts of the client as well as user management features are disabled. Data will be retained for another 60 days (recovery period). During this recovery period, the client can re-activate their business account without data loss or export all content in cleartext for future access outside ginlo @work. At the end of the recovery period, all customer data is deleted – except data subject to a legal retention period. If the client does not wish to make use of the recovery period, they can send a request to the ginlo Customer Care to have their data deleted immediately upon account termination.
Communication content can still remain in the mailboxes of third parties. If deletion is only possible with disproportionate effort (e.g. in backups), the contractor shall be entitled to initially block the customer data and subsequently delete it as scheduled. Final deletion from all server backups can take up to 30 days.
b) Issue/export. The client shall be obliged to export the customer data prior to the end of the contract period with the help of the ginlo Team Manager software export function (in accordance with the service description at www.ginlo.net) and to store it at their premises for further use. The contractor shall not be obliged to issue the customer data beyond this (e.g. provision of further data or provision in a specific format).
7 Final provisions
The provisions of number 12 of the General Terms and Conditions for ginlo @work shall also apply to this commissioned-processing contract.
Version: 25 May 2018