Commissioned Data Processing Agreement pursuant to Art. 28 GDPR

between
the customer
- hereinafter referred to as the Customer -
and
alfaview gmbh, Kriegsstr. 100, 76133 Karlsruhe
(alfaview® Video Conferencing Systems)

- hereinafter referred to as Contractor -

Preamble

The Contractor provides the Customer with the alfaview® application and in this context provides services on the basis of an agreement concluded between the parties (hereinafter referred to as the ‘main contract’). As part of this service provision, it is necessary, or at least it cannot be excluded, that the Contractor will handle personal data for which the Customer acts as the responsible body within the meaning of data protection regulations. This contract specifies the data protection rights and obligations of the contracting parties in connection with the Contractor’s handling of Customer data for the execution of the main contract.

Clause 1 Scope of application, subject and duration of the processing

  • This data protection agreement applies to all activities that are related to the main contract and in which employees of the Contractor or third parties commissioned by the Contractor may come into contact with the Customer’s personal data.
  • The purpose and duration of the order as well as the scope, type and purpose of the processing of personal data by the Contractor for the Customer result from the main contract and this agreement.
  • The term of this agreement is determined by the term of the main contract. Termination of the main contract automatically results in termination of this agreement. The right to extraordinary termination shall remain unaffected.
  • The collection and processing of personal data covers the following data types and categories: personal data which is collected by alfaview® from the users in online meetings within the scope of the intended use. This is usually participant login details as well as video and audio data, which contain images and voices of the users; it also includes personal master data, communication data and other personal data exchanged by users of alfaview® in the context of communication.
  • The categories of data subjects affected by the processing include the Customer, the Customer’s employees and the communication partners of authorised users.
  • The contractually agreed data processing shall take place exclusively within a Member State of the European Union, or in another state that is party to the Agreement on the European Economic Area. Any transfer to a third country may only take place if the special requirements of Articles 44 et seq. GDPR are fulfilled (e.g. adequacy decision adopted by the Commission, standard data protection clauses, approved codes of conduct).

Clause 2 Definitions

1. Personal data
Personal data is all information that relates to an identified or identifiable natural person (Art. 4 [1] GDPR).
2. Commissioned data processing
Commissioned data processing is the processing of personal data by the Contractor on behalf of the Customer within the meaning of Art. 28 GDPR.
3. Instructions
An instruction is the written order of the Customer directing the Contractor to handle personal data in a specific way (e.g. anonymisation, blocking, deletion, disclosure). The instructions are initially defined by the main contract and this agreement and can thereafter be amended, supplemented or replaced by the Customer in written form by individual instructions (individual instruction).

Clause 3 Responsibility for data processing

  • Within the framework of this contract, the Customer is responsible for compliance with the statutory provisions of data protection laws, in particular for the legality of data transfer to the Contractor and for the legality of data processing (‘controller’ within the meaning of Art. 4 [7] GDPR). Should third parties assert claims against the Contractor due to the collection, processing or use of the Customer’s data, the Customer will release the Contractor from all such claims upon first request.
  • It is the responsibility of the Customer to provide the Contractor with the data in good time for the performance of the service under the main contract and the Customer is responsible for the quality of the data. The Customer shall inform the Contractor immediately and in full if they find errors or irregularities regarding data protection regulations or their instructions when examining the work results of the Contractor.

Clause 4 Technical and organisational measures

  • The Contractor ensures implementation of and compliance with the technical and organisational measures set out in advance of awarding the contract in accordance with Art. 32 GDPR before processing begins. These are documented by the Contractor in the attached Annex 1 ‘Overview of technical and organisational measures’.
  • The measures documented in the aforementioned annex form the basis of this agreement. The Customer is aware of these technical and organisational measures and is responsible for ensuring that they offer an appropriate level of protection for the risks of the data to be processed. If the Customer’s review/audit results in a need for adjustment, this must be implemented by mutual agreement.
  • The technical and organisational measures are subject to technical progress and development. In this respect, the Contractor is permitted to implement alternative adequate measures, provided that the security level of the specified measures is not undercut. Significant changes to the measures require the prior written consent of the Customer and shall be documented by the Contractor and made available to the Customer on request.

Clause 5 Obligations of the Contractor

  • The Contractor shall process data only as instructed by the Customer and in compliance with clause 7 of this agreement. The Contractor shall correct or delete data processed on behalf of the Customer or restrict processing exclusively in accordance with the instructions of the Customer. If a data subject should contact the Contractor directly for the purpose of correcting or deleting their data or requesting information about the stored data of the Customer, the Contractor will promptly forward this request to the Customer.
  • The Contractor shall ensure, and regularly check, that data processing and use in the course of providing services under the main contract within their area of responsibility (which includes subcontractors pursuant to clause 10 of this agreement) is carried out in accordance with the provisions of this agreement.
  • Without prior consent from the Customer, within the scope of the commissioned data processing, the Contractor may not make copies or duplicates of the Customer’s data. However, this does not apply to copies if they are necessary to ensure proper data processing and proper performance of the services in accordance with the main contract (including backups), as well as copies that are required to comply with legal retention obligations.
  • The Contractor shall support the Customer regarding inspections by the supervisory authority within the scope of what is reasonable and necessary, insofar as these inspections relate to data processing by the Contractor, against reimbursement of the expenses and costs incurred by the Contractor, which must be proven to the Customer.
  • The Contractor shall inform the Customer of the contact details of the company data protection officer (if such is to be appointed by the Contractor in accordance with the statutory provisions) and the contact person for data protection questions arising under the contract.
  • The Contractor shall ensure that persons employed in the processing of the Customer’s data are bound to confidentiality in accordance with Articles 28 (3) (2) (b), 29, 32 (4) GDPR.
  • The Contractor shall inform the Customer without undue delay if they find that they or any employee have processed data of the Customer in breach of data protection regulations or the stipulations of this agreement and the conditions of Art. 33, 34 GDPR are fulfilled. Insofar as the Customer is subject to legal information obligations because the Customer’s data has been unlawfully obtained (in particular in accordance with Art. 33, 34 GDPR), the Contractor shall, at the request of the Customer, support the Customer in fulfilling these information obligations within the scope of what is reasonable and necessary, against reimbursement of the expenses and costs incurred by the Contractor, which must be proven to the Customer. Communication pursuant to Art. 33 or 34 GDPR on behalf of the Customer may only be carried out by the Contractor subject to prior instruction.

Clause 6 Obligations of the Customer

  • The Customer is solely responsible for the assessment of admissibility of the commissioned data processing as well as for the protection of the rights of the data subjects concerned.
  • The Customer shall inform the Contractor immediately and in full if they find errors or irregularities regarding data protection regulations when examining the work results of the Contractor.
  • The Customer is responsible for the reporting obligations resulting from Art. 33, 34 GDPR.

Clause 7 Customer authority to issue instructions

  • The Contractor processes the data of the Customer exclusively in accordance with the instructions of the Customer as they are particularly regulated in the provisions of this agreement and the stipulations of the main contract. Instructions from the Customer must not make the contractually agreed performance obligations from the main contract impossible. Individual instructions that deviate from the stipulations of this agreement or impose additional requirements require the prior consent of the Contractor. If individual instructions entail additional costs, particularly if these go beyond the contractually agreed scope of services, these shall be reimbursed to the Contractor.
  • The Customer shall immediately confirm verbal instructions in writing or in text form (e.g. by e-mail).
  • The Contractor shall inform the Customer immediately if, in their opinion, any instructions issued by the Customer violate legal provisions (Art. 28 [3] [3] GDPR). The Contractor is entitled to suspend implementation of the corresponding instruction until it is confirmed or modified by the person responsible at the Customer.

Clause 8 Support obligations

  • If, by virtue of applicable data protection laws, the Customer is obliged vis-à-vis an individual to provide information or particulars on the processing of this person’s data or to guarantee the rights of data subjects in accordance with Chapter III (Articles 12 to 23) of the GDPR, the Contractor shall support the Customer in the fulfilment of these obligations, as far as agreed upon, with suitable technical and organisational measures in accordance with Art. 28 (3) (e) GDPR.
  • To the extent agreed, the Contractor shall support the Customer in complying with the obligations set out in Articles 32 to 36 GDPR within the scope of their possibilities in accordance with Art. 28 (3) (f) GDPR.
  • The costs incurred and proven by the Contractor for providing the support services according to paragraphs 1 and 2, shall be reimbursed by the Customer.
  • In the event of a claim against one of the contracting parties by a data subject with regard to any claims under Art. 82 GDPR, the contracting party against which a claim is asserted shall inform the other contracting party immediately. The contracting parties will support each other in defending against the claim.

Clause 9 Inspection rights of the Customer

  • With regard to the inspection obligations of the Customer in accordance with Art. 28 (3) (h) GDPR, the Contractor ensures that the Customer can satisfy themselves of the compliance with the technical and organisational measures taken in accordance with the annex to this agreement.
  • The Contractor grants the Customer the access, information and inspection rights necessary to carry out these inspections.
  • The Contractor is entitled, at their own discretion, taking into account the legal obligations of the Customer, not to disclose information that is sensitive with regard to the business of the Contractor or if the Contractor’s disclosure would violate legal or other contractual regulations. The Customer is not entitled to receive access to data or information about other customers of the Contractor regarding information on costs, quality inspection and contract management reports, as well as all other confidential data of the Contractor that is not directly relevant for the agreed inspection purposes.
  • The Customer is entitled to enter the business premises of the Contractor, in which the Customer’s data is processed, during normal office hours, at their own expense, without disrupting the business process and with strict confidentiality of the Contractor’s business and trade secrets, in order to satisfy themselves of the compliance with the technical and organisational measures in accordance with the annex to this agreement.
  • At the choice of the Contractor, evidence of compliance with the technical and organisational measures in accordance with the annex to this agreement may, instead of an on-site inspection, also be provided by submitting a suitable, up-to-date certificate, suitable reports or report extracts by independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditor or quality auditor), a suitable certification by an IT security or data protection audit (e.g. in accordance with BSI baseline protection), a confirmation of compliance with approved codes of conduct in accordance with Art. 40 GDPR, or certification in accordance with an approved certification procedure in accordance with Art. 42 GDPR, provided that these audit reports enable the Customer in a reasonable way to satisfy themselves of the compliance with the technical and organisational measures in accordance with the annex to this agreement.
  • The Contractor must only allow a person to carry out the inspection if that person is obliged to maintain confidentiality, in particular with regard to information about the operation of the Contractor, their equipment, the business secrets of the Contractor and security measures. The Customer may not commission a competitor of the Contractor with the inspection. A person carrying out the inspection on behalf of the Customer must prove their authorisation by the Customer in writing or by fax at least one week before the inspection is carried out.
  • The Customer shall inform the Contractor in good time (usually at least two weeks in advance) of any planned inspections and all circumstances associated with carrying out the inspection. As a rule, the Customer may carry out one inspection per calendar year. This does not affect the right of the Customer to carry out further inspections in the event of serious incidents.
  • The cost of carrying out the inspection is borne by the Customer. The result of the inspection will be made available to the Contractor in a suitable form on request (expert opinion, attestation, reports, report extracts, etc.). The Contractor shall receive from the Customer a lump-sum compensation in the amount of 70 euros per hour per inspection for their expenses incurred in connection with these inspections.

Clause 10 Subcontractors (further processors in accordance with Art. 28 [2] and [4] GDPR)

  • The transfer of orders to subcontractors in the context of the activities specified in the main contract by the Contractor requires the prior separate or general written authorisation of the Customer. The same shall apply to the replacement of an existing subcontractor.
  • The Customer hereby grants general authorisation to use additional subcontractors. The subcontractors involved at the time of the contract being concluded are listed in Annex 2, where authorisation is deemed to have been granted upon signature of this agreement. The Contractor shall inform the Customer in advance of any intended change with regards to the involvement or replacement of subcontractors, giving the Customer the opportunity to object to this change (Art. 28 [2] GDPR). An objection by the Customer may only be raised for good cause that can be proved to the Contractor. If there is no objection within 14 days of the announcement, the consent to the change shall be deemed to have been given. If the Customer objects, the Contractor is entitled to terminate the main contract and this contract with a notice period of 3 weeks.
  • If the Contractor issues orders to subcontractors in compliance with paragraph 1, they shall endeavour to transfer their obligations under this contract to the subcontractor to the greatest extent possible, however they shall transfer the essential content as a minimum. If the subcontractor performs the agreed service outside the EU/EEA, the Contractor shall take appropriate measures to ensure the admissibility under data protection law in accordance with Articles 44 et seq. GDPR.
  • No consent is required to deploy subcontractors where the subcontractor only performs an ancillary service to support the provision of services under the main contract, even if access to the data of the Customer cannot be ruled out; these include in particular telecommunications services, postal or transport services, maintenance and user service or the disposal of data carriers. In such cases, the Contractor shall also take appropriate measures to guarantee the confidentiality, availability, integrity and resilience of the data processing systems’ hardware and software as well as the Customer’s data. In particular, the Contractor shall conclude confidentiality agreements standard in the industry with such subcontractors.

Clause 11 Deletion of data and return of data carriers

  • Upon completion of the contractual work or earlier upon request by the Customer—at the latest on termination of the main contract—the Contractor shall delete all of the Customer’s data obtained, which is the subject matter of this agreement, and hand over to the Customer any data carriers received from the Customer which at this time still contain data from the Customer. The deletion log must be presented upon request.
  • If any deletion of the Customer’s data as requested by the Customer means that the Contractor can no longer properly perform their performance obligations under the main contract, the Contractor is released from the obligation to perform.
  • Documentation that serves as proof of proper data processing as ordered must be kept by the Contractor beyond the term of the agreement in accordance with the respective retention periods.

Clause 12 Liability

A liability regulation agreed between the contracting parties in the main contract also applies to commissioned data processing, unless the contracting parties have expressly agreed otherwise.

Clause 13 Final provisions

  • Insofar as no special regulations are contained in this agreement, the provisions of the main contract apply. In the event of contradictions between this agreement and regulations from other contractual agreements, in particular from the main contract, the regulations from this agreement take precedence.
  • Changes and additions to this agreement and all of its components—including any assurances given by the Contractor or changes to the annex—require a written agreement and an express reference to the fact that it is a change or supplement to these terms. This also applies to the waiver of this form requirement.
  • The exclusive place of jurisdiction for all disputes arising from this contract is the registered office of the Contractor.
  • German law is applicable.

Annex 1
Overview of the technical and organisational measures

In connection with clause 4 of the agreement on commissioned processing, the contracting parties undertake to implement the technical and organisational measures in accordance with Art. 32 GDPR in their respective fields of responsibility and in accordance with the subject matter of the contract to the required and appropriate extent and according to the generally recognised state of the art.
More specifically, these measures are:

I. Confidentiality (Art. 32 [1] [b] GDPR)

1. Access control
Unauthorised persons are to be denied access to data processing facilities with which personal data is processed and used.
  • Use of magnetic or chip cards for authorised users
  • Video surveillance
  • Determination of persons with access authorisation
  • Closed shop operation
  • Auditability of access authorisations
  • Use of an access control system
  • Key regulation and current key list
  • Logging of entry and exit
  • Reception/gatekeeper
  • Office doors and windows locked during periods of absence
2. Access and user access control
The objective of access control is to prevent data processing systems from being used by unauthorised persons. User access control must ensure that authorised users of a data processing system can access data only within the limits of their access rights, and that data cannot be read, copied, modified or removed without authorisation during processing and use, or after storage.
  • Identification and authentication of users/password protection
  • Automatic checking of authorisations
  • Introduction of restrictive measures (e.g. read-only authorisation)
  • Time limitation of access options
  • User-related logging of (failed) access
  • Use of encryption procedures
  • Central registry of user rights
3. Separation control
It must be ensured that data collected for different purposes can be processed separately.
  • Separation of testing and production systems
  • Client separation—logical separation of the data (e.g. different file directories)
  • Use of different types of encryption
4. Pseudonymisation
The processing of personal data in such a way that the data can no longer be assigned to a specific data subject without additional information being provided, given that such additional information is kept separately and is subject to appropriate technical and organisational measures.
  • Definition of the pseudonymisation rule, possibly based on personnel, customer or patient identification numbers (use of UUID v4)
  • Authorisation: Determination of persons who are authorised to manage the pseudonymisation process and carry out pseudonymisation and, if necessary, de-pseudonymisation
  • Random generation of assignment tables or secret parameters used in an algorithmic pseudonymisation
  • Protection of assignment tables or secret parameters, both against unauthorised access and against unauthorised use
  • Separation of data to be pseudonymised into the identifying information and the further information to be replaced

II. Integrity (Art. 32 [1] [b] GDPR)

1. Disclosure control
It must be ensured that personal data cannot be read, copied, modified or removed by unauthorised parties during electronic transmission, during transport or during storage on data carriers, and that it can be checked and determined to which locations or bodies personal data is intended to be transferred by means of data transmission facilities.
  • Documentation of retrieval and transmission processes
  • Determination of the persons authorised for transmission or transport
  • Regulations regarding dispatch method and determination of transport route
  • Use of safe transport containers
  • Securing of the transmission and transport route
  • Data encryption
  • Monitoring of transportation time
  • Completeness and correctness check (after the transfer)
  • Use of a VPN
2. Input control
The possibility to subsequently verify and determine whether, and by whom, personal data was entered into, changed or removed from data processing systems must be ensured.
  • Definition of entry authorisation
  • Recording of logins

III. Availability, resilience (Art. 32 [1] [b] GDPR) and rapid recoverability (Art. 32 [1] [c] GDPR)

1. Availability
Personal data must be protected against accidental destruction or loss.
  • UPS (uninterruptible power supply)
  • Redundant line supply
  • Emergency power system
  • Fire protection and disaster regulations
  • Fire detector
  • Spatially separated storage of the data backups created
  • Redundant server structure
  • Property security, especially for server rooms
  • Virus protection concept
  • Climate control
2. Rapid recoverability
Appropriate measures must be taken to restore the data in the event of loss, destruction or undesired changes to personal data.
  • Backup systems to restore lost data
  • Recovery testing
  • Emergency concept with recovery plan
3. Resilience
Appropriate measures must be taken to maintain the functionality of the systems in the event of an incident.
  • Update or patch management
  • Intrusion detection and response system
  • Training employees to identify incidents and avoid future incidents
  • Switch to fail-safe mode in the event of an incident

IV. Procedure for regular review, assessment and evaluation (Art. 32 [1] [d] GDPR; Art. 25 [1] GDPR)

1. Order control
Commissioned data processing in accordance with the order and the instructions must be guaranteed.
  • Clear contract design and execution
  • Delimitation of competencies and duties between Contractor and Customer
  • Careful selection of the Contractor
  • Formalisation of order placement
  • Logging and monitoring of proper contract execution
  • Sanctions for breach of contract
  • Information about emerging vulnerabilities and other risk factors, with revision of the risk analysis and assessment where necessary
  • Audits by the data protection officer
2. External inspections, audits, certifications
  • Only ISO 27001 certified data centres are used. ISO 27001 is an international standard for information security. It documents the security and quality of the respective data centre in accordance with international standards with respect to security management, security policy, access and admission controls, IT incident management and compliance with legal obligations, among other things.

Annex 2
Overview of the subcontractors used by the Contractor in accordance with clause 10 (2)

Subcontractor: alfatraining Bildungszentrum GmbH
Address/country: Kriegsstr. 100, 76133 Karlsruhe, Germany
Partial service assumed: Parent company, provision of infrastructure, support and development.

Subcontractor: Amazon AWS (Data Center Frankfurt, Germany)
Address/country: Amazon Web Services Ireland Limited, One Burlington Plaza, Burlington Road, Dublin, Ireland
Partial service assumed: Data centre (ISO 27001 certified)
The following data is transported encrypted via AWS:
- Audio streams (AES encrypted)
- Real-time events (e.g. chat messages, use of the pause button)
This data is not stored, but transported encrypted (TLS) via AWS.

The following data is processed on the basis of the EU standard contract clauses in the ISO 27001 certified AWS data centre in Frankfurt:
- Authentication service
- User service (e-mail addresses, billing data, user data)
- Customer database (all data stored during registration, e.g. name, e-mail address, company)

In addition, AWS holds an encrypted backup of the customer database. The data is encrypted before it is sent to AWS.

Subcontractor: SysEleven
Address/country: SysEleven GmbH, Umspannwerk – Aufgang C, Ohlauer Straße 43, 10999 Berlin, Germany
Partial service assumed: Data centre (ISO 27001 certified)
The following data is transported encrypted (TLS) via SysEleven:
- Audio streams (AES encrypted)
- Video streams
- Real-time events (e.g. chat messages, use of the pause button)

Subcontractor: Google (Data Center Frankfurt, Germany)
Address/country: Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland
Partial service assumed: Data centre (ISO 27001 certified)
The following data is processed on the basis of the EU standard contract clauses in the ISO 27001 certified Google data centre in Frankfurt:
- Authentication service
- User service (e-mail addresses, user data, billing data)
- Company service (e.g. create user)
- Customer database

Subcontractor: noris
Address/country: noris network AG, Thomas-Mann-Straße 16-20, D-90471 Nuremberg, Germany
Partial service assumed: Data centre (ISO 27001 certified)
The following data is transported encrypted (TLS) via noris:
- Audio streams (AES encrypted)
- Video streams
- Real-time events (e.g. chat messages, use of the pause button)

Subcontractor: Hetzner
Address/country: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany
Partial service assumed: Data centre (ISO 27001 certified)
The following data is transported encrypted (TLS) via Hetzner:
- Audio streams (AES encrypted)
- Video streams
- Real-time events (e.g. chat messages, use of the pause button)
- TLS-encrypted synchronisation of updates between providers (e.g. user updates, change of permissions via user IDs)

The following data is processed by Hetzner:
- Customer database
- Metadata log (e.g. login times or who wrote a chat message and when)

Subcontractor: 1und1 Cloud
Address/country: 1&1 Internet SE, Elgendorfer Str. 57, 56410 Montabaur, Germany
Partial service assumed: Data centre (ISO 27001 certified)
The following data is processed via 1und1 Cloud:
- Customer database