DPA and TOM

The Contractor provides the Customer with the alfaview® application and in this context provides services based on an Agreement concluded between the parties consisting of the order form and the Terms and Conditions (hereinafter referred to as “Main Agreement”). As part of this service provision, it is necessary, or at least it cannot be excluded, that the Contractor will handle personal data for which the Customer acts as the responsible body within the meaning of the data protection provisions (hereinafter referred to as “Order Data”). This Agreement specifies the data protection rights and obligations of the contracting parties in connection with the Contractor’s handling of Oder Data for the performance of the Main Agreement.

• This Data Protection Agreement applies to all activities that are related to the Main Agreement and where employees of the Contractor or third parties commissioned by the Contractor may treat personal Order Data within the scope of this commissioned processing.
• In providing the alfaview® application and the services defined in the Main Agreement, the Contractor processes personal data on behalf of the Customer; details hereto are listed in the Main Agreement (subject-matter of the processing). Personal data for the purpose of providing the alfaview® application and the services as defined in the Main Agreement is processed, as well as data that users enter and/or collect in the online meetings while using alfaview® (scope, nature and purpose of the processing).
• Duration of processing: The duration of the processing is determined by the term of the Main Agreement. 
• The following data types and categories are subject to the processing of personal data: 

• Personal data necessary to provide the alfaview® application and to establish communication (user profile): access data of registered users, such as name and e-mail address; users can also provide further information in their user profiles, such as title, initials, location. In case of invitations via guest links, only the guest user’s name or pseudonym is required or, in case of so-called individualised guest links, the guest user’s name and e-mail address.
• Personal data collected and processed by the users during the communication in online meetings using the alfaview® application: text messages (chats), video and audio data containing images and voices of the users; this video and audio data as well as text messages in chats may contain other personal master data, communication data and other personal data exchanged by users of alfaview® in the context of communication. Audio, video and chat messages are in principle not stored or only temporarily stored until the end of communication, unless the Customer manually creates a recording.

5. The categories of data subjects affected by the processing include the Customer (if the application is used by individuals), the Customer’s employees or other authorised users on the part of the Customer (e.g. freelancers, lecturers, contract teachers) and the communication partners of authorised users as well as the persons communicated about.
6. The contractually agreed data processing shall take place exclusively within a Member State of the European Union, or in another state that is party to the Agreement on the European Economic Area. 

Within the framework of this Agreement, the Customer is solely responsible for the legality of the processing of Oder Data and for the protection of the rights of the data subjects in line with Art. 12 to 22 GDPR (“Controller” within the meaning of Art. 4 [7] GDPR). The Contractor shall process personal data on behalf of the Customer only on the Customer's instruction.

• The Contractor is obliged to comply with the legal data protection provisions and to not disclose or expose Order Data to unauthorised third parties. Documents and data must be secured against unauthorised access, taking into account the state of the art.
• Within their area of responsibility, the Contractor shall design the internal organisation in such a way that it meets the special requirements for data protection. He shall take all technical and organisational measures necessary for appropriate protection of the Oder Data in accordance with Art. 32 GDPR, in particular at least the measures indicated in Annex 1.
• The technical and organisational measures are subject to technical progress and development. In this respect, the Contractor is permitted to implement alternative adequate measures, ensuring that the security level of the specified measures is not undercut.

• The Contractor shall process Order Data only as instructed by the Customer and in compliance with Clause 6 of this Agreement. The Contractor shall correct or delete Order Data or restrict the processing of this data exclusively in accordance with the Customer’s instructions. If a data subject contacts the Contractor directly for the purpose of correcting or deleting their data or requesting information about the stored data of the Customer, the Contractor will forward this request to the Customer without undue delay.
• The Contractor shall ensure and regularly verify that the processing and use of data in their area of responsibility, which includes Subcontractors according to Clause 9 of this Agreement, is carried out in accordance with the provisions of this Agreement.
• Without prior consent from the Customer, the Contractor may not make copies or duplicates of the Order Data. However, this does not apply to copies, as far as they are necessary to ensure proper data processing and proper performance of the services in accordance with the Main Agreement (including backups).
• The Contractor shall support the Customer regarding inspections by the supervisory authority within the scope of what is reasonable and necessary, insofar as these inspections relate to data processing by the Contractor. The Contractor may request reimbursement for the demonstrable expenses and costs incurred by these support services (pure reimbursement of expenses), unless the inspection is connected with a violation of data protection provisions or stipulations in this Agreement for which the Contractor is responsible.
• The Contractor shall disclose to the Customer the contact details of the company data protection officer and the contact person for data protection issues arising under the Agreement.
• The Contractor shall oblige the persons employed in the processing of the Customer’s data to confidentiality in accordance with Art. 28 [3] [2] [b], 29, 32 [4] GDPR.
• The Contractor shall notify the Customer without undue delay of any disturbances and infringements of data protection provisions or the stipulations made in the order as well as of any suspected data protections violations or irregularities in the processing of personal data by the Contractor, by the Contractor’s employees or a subcontractor employed in accordance with Clause 9. This shall apply in particular with regard to any notification obligations of the Customer pursuant to Art. 33 and Art. 34 GDPR. The Contractor ensures that, if necessary, they will provide the Customer with appropriate support in meeting their obligations under Art. 33 and 34 GDPR (Art. 28 [3] [2] [f] GDPR). The Contractor may only give notification for the Customer in accordance with Art. 33 or 34 GDPR upon prior instructions from the Customer.

• The Customer is solely responsible for the assessment of admissibility of the commissioned data processing as well as for the protection of the rights of the data subjects concerned.
• The Customer shall inform the Contractor immediately and in full if they find errors or irregularities regarding data protection provisions while examining the order results.
• The Customer is responsible for the notification obligations resulting from Art. 33 and Art. 34 GDPR.

• The Contractor processes the Customer’s data exclusively in accordance with the Customer’s instructions as particularly expressed in the provisions of this Agreement and the stipulations of the Main Agreement, unless he is obliged by the law of the Union or the Member States to which the Contractor is subject; in this case, the Contractor notifies the Customer of these legal requirements, unless the law concerned prohibits such notification on the grounds of an important public interest. The Customer may modify, amend or replace individual instructions in writing or in text form. The Customer is entitled to issue instructions at all times. If individual instructions entail additional costs, particularly if these go beyond the contractually agreed scope of services, these shall be reimbursed to the Contractor. There is no obligation to pay remuneration if the instruction is necessary due to a violation of data protection provisions or stipulations in this contract for which the contractor is responsible.
• The Customer shall immediately confirm verbal instructions in writing or in text form (e.g. by e-mail).
• The Contractor shall inform the Customer immediately if, in their opinion, any instructions issued by the Customer violate legal provisions (Art. 28 [3] [3] GDPR). The Contractor is entitled to suspend the implementation of the corresponding instruction until it is confirmed or modified by the person responsible at the Customer.

• If, by virtue of applicable data protection laws, the Customer is obliged vis-à-vis an individual to provide information or particulars on the processing of this person’s data or to guarantee the rights of data subjects in accordance with Chapter III (Articles 12 to 23) of the GDPR, the Contractor shall assist the Customer in the fulfilment of these obligations with suitable technical and organisational measures in accordance with Art. 28 [3] [e] GDPR.
• The Contractor shall assist the Customer in complying with the obligations set out in Art. 32 to 36 GDPR in accordance with Art. 28 [3] [f] GDPR.
• The demonstrable costs incurred (pure reimbursement of expenses) for providing the assistance according to paragraphs 1 and 2, shall be reimbursed by the Customer, unless the assistance is connected with a violation of data protection provisions or stipulations in this Agreement for which the Contractor is responsible.

The Contractor agrees that the Customer - in principle by appointment, that may only be waived in exceptional cases - is entitled to audit compliance with the data protection and data security provisions and with the contractual Agreements to an appropriate and necessary extent, either himself or through third parties commissioned by the Customer, in particular by obtaining information and inspecting the stored data and the data processing programs as well as by on-site audits and inspections (Art. 28 [3] [2] [h] GDPR). The Contractor guarantees that he will assist in these audits if necessary. The costs for the performance of the inspection shall be borne by the Client, unless the inspection is connected with a violation of data protection provisions or stipulations in this Agreement for which the Contractor is responsible.

• The Customer hereby grants general authorisation to use other processors (hereinafter referred to as “Subcontractors”). The Subcontractors involved at the time of the Agreement being concluded are listed in Annex 2; the Customer grants authorisation to use these Subcontractors upon signature of this Agreement. The Contractor shall inform the Customer in advance of any intended change with regards to the addition or replacement of Subcontractors, giving the Customer the opportunity to object to this change (Art. 28 [2] GDPR). If no objection is made within 14 days of the announcement, the consent to the change shall be deemed to have been given. If the Customer objects, the Contractor is entitled to terminate the Main Agreement and this Agreement with a notice period of 3 weeks.
• The Contractor is obliged to carefully select their Subcontractors according to their qualification and reliability. When using Subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement and thereby ensure that the Customer is able to exercise its rights under this Agreement (in particular its audit and inspection rights) directly against the Subcontractors.

Upon completion of the contractual work or earlier upon request by the Customer - at the latest on termination of the Main Agreement - the Contractor shall, upon the Customer’s option hand over or destroy according to data protection requirements all obtained documents, generated results of processing and use as well as datasets associated with the contractual relationship. The deletion log must be presented upon request.

• Insofar as no special provisions are contained in this Agreement, the provisions of the Main Agreement apply. In case of contradictions between this Agreement and provisions from other contractual agreements, in particular from the Main Agreement, the provisions from this Agreement take precedence.
• Changes and additions to this Agreement and all of its components – Including any assurances given by the Contractor or changes to the annex – require a written Agreement and an express reference to the fact that it is a change or supplement to these terms. This also applies to the waiver of this form requirement.
• The rights and obligations of the contract shall remain in force as long as the contractor processes the customer's data.
• Exclusive place of jurisdiction for all disputes arising from this Agreement is the Contractor's registered office.
• German law applies.

1. Equipment access control 
Unauthorised persons are to be denied access to data processing facilities where personal data is processed and used.

• Use of magnetic or chip cards for authorised users
• Video surveillance
• Determination of persons with access authorisation
• Closed shop operation
• Capacity for revision regarding access authorisation
• Use of an access control system
• Key regulation and current key list
• Logging of entry and exit
• Reception/gatekeeper
• Office doors and windows locked during periods of absence

2. User control and data access control 
The objective of user control is to prevent data processing systems from being used by unauthorised persons. Data access control must ensure that authorised users of a data processing system can access data exclusively referring to their access rights and that data cannot be read, copied, modified or removed unauthorised during processing, use and after storage.

4. Pseudonymisation
Personal data is processed in such a way that the data can no longer be assigned to a specific data subject without additional information being provided, given that such additional information is kept separately and is subject to appropriate technical and organisational measures.

1. Disclosure control
It must be ensured that personal data cannot be read, copied, modified, or removed by unauthorised parties during electronic transmission, during transport or during storage to data carriers and that it can be verified to which locations or sites a transmission of personal data is provided for by means of data transfer.t.

2. Input control
The possibility to subsequently verify and determine whether, and by whom, personal data was entered into, changed or removed from data processing systems must be ensured.

2. Rapid recoverability
Appropriate measures must be taken to restore data in the event of loss, destruction or undesired changes to personal data.

3. Resilience
Appropriate measures must be taken to maintain the functionality of the systems in the event of an incident.

• Clear structure and execution of Agreements
• Delimitation of responsibilities and obligations between Contractor and Customer
• Careful selection of the Contractor
• Formalisation of order placement
• Logging and monitoring of proper execution of the Agreement
• Sanctions for breach of Agreement
• Information about emerging vulnerabilities and other risk factors, if necessary revision of the risk analysis and assessment
• Audits by the data protection officer