Data Processing Agreement

Agreement on the processing of personal data on behalf of another party in accordance with Art. 28 (3) GDPR

Version number: 1.0
Date of change/Valid from: October 31, 2025

Preamble

This agreement specifies the obligations between the customer ("Client") and GGC wellplayd UG, Niehler Str. 104, 50733 Cologne, Germany ("Contractor") with regard to data protection, which arise from the contractual order processing described in detail between the parties. It applies to all activities related to the service contract ("Contract") in which employees of the Contractor or agents commissioned by the Contractor process personal data ("Data") of the Client. This agreement is an integral part of the service relationship between the Client and the Contractor and thus has immediate effect. The current version shall always apply and old versions shall be replaced by newer ones.

§ 1 Subject matter, duration, and specification of order processing

The subject matter and duration of the order as well as the type and purpose of the processing are specified in the contract. In particular, the following data are part of the data processing:

Purpose of data processing: Provision, maintenance, and operation of the "wellplayd" platform

Type and scope of data collection, processing, and use: Collection, storage, and use of business customer data for contract fulfillment (e.g., billing, business contact, etc.); access data to the platform; processing of data for platform support

Type of data: Contact data, device ID data, user identification data and, if applicable, other data that emerges from content on the platform

Group of data subjects: Customers, employees/members of the customer and, if applicable, other persons who emerge from content on the platform

The term of this agreement is based on the term of the contract, unless the provisions of this agreement give rise to further obligations.

§ 2 Scope of application and responsibility

(1) The contractor processes personal data on behalf of the client. This includes activities that are specified in the contract and in the service description. Within the scope of this contract, the client is solely responsible for compliance with the legal provisions of data protection laws, in particular for the legality of data transfer to the contractor and for the legality of data processing ("controller" within the meaning of Art. 4 No. 7 GDPR).

(2) The instructions are initially specified in the contract and may subsequently be amended, supplemented, or replaced by the client in writing or in electronic format (text form) to the office designated by the contractor by means of individual instructions (individual instruction). Instructions not provided for in the contract shall be treated as a request for a change in service. Verbal instructions must be confirmed in writing or in text form without delay.

§ 3 Client's right to issue instructions

(1) The contractor may only process data of data subjects within the scope of the contract and the instructions of the client, unless there is an exceptional case within the meaning of Article 28 (3) a) GDPR.

(2) The contractor shall inform the client immediately if it believes that an instruction violates applicable laws. The contractor may suspend implementation of the instruction until it has been confirmed or amended by the client.

(3) The client shall confirm verbal instructions immediately in writing or by email (in text form).

§ 4 General obligations of the contractor

(1) The contractor guarantees that it will collect and use the client's data in accordance with the provisions of this contract and the client's instructions. The contractor confirms that it and its employees who handle client data are familiar with and comply with the provisions of the GDPR and other relevant data protection regulations.

(2) The contractor shall maintain a record of the processing activities carried out by it within the meaning of Art. 30 GDPR, insofar as it is legally obliged to do so. Upon request, it shall provide the client with the information necessary for the overview pursuant to Art. 30 GDPR. Furthermore, it shall make the record available to the supervisory authority upon request.

(3) The contractor shall support the client in the data protection impact assessment with all information available to it. If prior consultation with the competent supervisory authority is necessary, the contractor shall also support the client in this regard.

(4) The contractor must guarantee the protection of telecommunications secrecy in accordance with Section 88 of the German Telecommunications Act (TKG). To this end, the contractor must oblige all persons who, in accordance with the contract, have access to the client's data by means of telecommunications such as telephone or email to maintain telecommunications secrecy and instruct them on the resulting special confidentiality obligations.

(5) The contractor reserves the right to change the security measures taken, but must ensure that the contractually agreed level of protection is not compromised.

(6) The contractor's current data protection officer is Tim Schabio (Deputy: Björn Leineweber) from Datenschutz Ruhr GmbH, Hauptstr. 2, 45219 Essen. The client must be notified immediately in writing of any change of data protection officer. The contractor guarantees that the requirements for the data protection officer and his activities are fulfilled in accordance with Art. 38 GDPR. If no data protection officer is appointed by the contractor, the contractor shall appoint a contact person for the client.

(7) The contractor shall, to the extent agreed, support the client within the scope of its possibilities in fulfilling the requests and claims of data subjects in accordance with Chapter III of the GDPR and in complying with the obligations set out in Articles 33 to 36 GDPR.

(8) The contractor shall ensure that employees involved in the processing of the client's data and other persons working for the contractor are prohibited from processing the data outside the scope of the instructions. Furthermore, the contractor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. The confidentiality/non-disclosure obligation shall continue to apply even after the contract has been terminated.

(9) The contractor shall inform the client immediately if it becomes aware of any breaches of the protection of the client's personal data.

(10) In the event of a claim against the client by a data subject pursuant to Art. 82 GDPR, the contractor undertakes to support the client in defending the claim to the best of its ability.

(11) The contractor is obliged to treat all knowledge of trade secrets and data security measures of the client obtained within the scope of the contractual relationship as confidential.

(12) The contractor may not make any copies or duplicates of the client's data within the scope of order data processing without the prior consent of the client. However, this does not apply to copies that are necessary to ensure proper data processing and the proper provision of services in accordance with the main contract (including data backup), as well as copies that are necessary to comply with statutory retention obligations.

(13) If the client is subject to an inspection by the supervisory authority, administrative or criminal proceedings, a liability claim by a data subject or a third party, or any other claim in connection with the order processing at the contractor, the contractor shall support the client to the best of its ability.

§ 5 General obligations of the client

(1) The client is solely responsible for assessing the permissibility of data processing and for safeguarding the rights of data subjects. The client shall ensure within its area of responsibility that the legally necessary conditions (e.g., by obtaining declarations of consent for the processing of data) are created so that the contractor can provide the agreed services without infringing any laws.

(2) The client shall inform the contractor immediately and in full if it discovers errors or irregularities in the order results with regard to data protection regulations.

(3) The client is responsible under data protection law for the procedures used by the contractor and approved by the client for the automated processing of personal data and, in addition to the contractor's own obligations, is also obliged to keep a record of processing activities.

(4) The client is responsible for the information obligations towards the supervisory authority or those affected by a breach of the protection of personal data resulting from Articles 33 and 34 of the GDPR.

(5) The client shall provide the contractor with the name of the contact person for data protection issues arising within the scope of the contract.

§ 6 Place of performance

(1) The contractor shall provide the contractual services in the European Union (EU) or the European Economic Area (EEA) or in a third country. This applies equally to any subcontractors. If services are provided in a third country, the contractor guarantees compliance with the relevant provisions of the GDPR and shall provide evidence of this upon request.

(2) The client agrees to a relocation of a place of performance within the country of performance for which consent has been given, if it can be proven that the same level of security is provided there and no legal provisions applicable to the client speak against this relocation. The burden of proof for this lies with the contractor.

(3) The client shall be informed in writing of any relocation of the place of performance to countries that are members of the EU/EEA and have a level of data protection that satisfies this contract and has been verified.

(4) If the client does not inform the contractor within a period of four weeks after receipt of the notification pursuant to paragraph 3 about reasons that do not allow a transfer, the client's consent to this transfer shall be deemed to have been given.

(5) If the contractor wishes to provide the services owed in whole or in part from a location outside the EU/EEA in a so-called safe "third country" or plans to transfer the provision of services there, the contractor shall obtain the client's prior written consent.

(6) In the case of service provision in a safe third country, the client shall not unreasonably withhold its consent to the relocation. Compliance with the relevant provisions of the GDPR shall be ensured by the contractor.

(7) If the transfer of services to another country is possible in accordance with the above provisions, this shall apply accordingly to any access or viewing of the data by the contractor, e.g., in the context of internal controls or for the purposes of development, testing, administration, or maintenance.

(8) If data processing under this agreement and the legal requirements for the processing of personal data on behalf of or for the transfer of personal data abroad is permitted outside Germany, the contractor shall ensure compliance with and implementation of the legal requirements to ensure an adequate level of data protection in the event of relocations and cross-border data traffic.

§ 7 Technical and organizational measures

(1) The contractor must ensure security in accordance with Art. 28 (3) (c) and Art. 32 GDPR, in particular in conjunction with Art. 5 (1) and (2) GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability, and resilience of the systems. In doing so, the state of the art, the implementation costs, and the nature, scope, and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 (1) GDPR, must be taken into account.

(2) The technical and organizational measures are subject to technical progress and further development. In this respect, the contractor is permitted to implement alternative adequate measures. However, the security level of the specified measures must not be reduced. Significant changes must be documented.

(3) The contractor guarantees to fulfill its obligations under Art. 32 (1) lit. d) GDPR to implement a procedure for regularly reviewing the effectiveness of the technical and organizational measures to ensure the security of processing.

(4) A current version of the technical and organizational measures will be provided upon request.

§ 8 Contractor's notification and support obligations regarding the security of personal data

(1) The contractor shall support the client in complying with the obligations regarding the security of personal data, reporting obligations in the event of data breaches, and data protection impact assessments specified in Articles 32 to 36 of the GDPR. In particular, the contractor is obliged to inform the client immediately of any breach of the protection of personal data ("data breaches") in accordance with Art. 33 (2) GDPR.

(2) The contractor shall, in consultation with the client, take appropriate measures to secure the data and mitigate any adverse consequences for data subjects.

§ 9 Correction, restriction, portability, and deletion of data

(1) If a data subject contacts the contractor directly for the purpose of obtaining information, rectification, erasure, or blocking of data concerning them, the contractor shall forward this request to the client without delay.

(2) The contractor is obliged to support the client in fulfilling the claims of data subjects for information, correction, blocking, portability, or deletion of client data upon first request within the scope of what is reasonable. In particular, the contractor shall immediately, but at the latest within five working days, provide the client with information about the stored client data (including information relating to the purpose of storage), the recipients of client data to whom the contractor passes on such data in accordance with the contract, and the purpose of storage, unless the client already has this information.

(3) The contractor is obliged to correct, delete, block or transfer client data immediately, but at the latest within a period of five working days, on the instructions of the client (Articles 16 - 20 GDPR). The contractor shall confirm the correction, blocking and deletion in accordance with the instructions to the client in writing upon request.

(4) If it is not possible to delete the data in accordance with data protection regulations or to restrict data processing accordingly, the contractor shall destroy data carriers and other materials in accordance with data protection regulations on the basis of an individual order from the client or return these data carriers to the client, unless already agreed in the contract.

§ 10 Information to third parties

If the contractor is required by law to provide third parties with information about the client's data, the contractor shall be obliged to inform the client in writing or in text form in good time before providing the information about the recipient, the time and content of the information to be provided and its legal basis.

§ 11 Return and deletion of data and data carriers provided

(1) The contractor shall delete all client data after completion of the contractual services (in particular in the event of termination or other termination of the main contract) and return to the client any data carriers received from the client that still contain client data at that time, or destroy them in accordance with data protection regulations after obtaining prior consent. The same applies to test and reject material.

(2) The contractor shall draw up a log of the deletion or destruction of client data, which shall be submitted to the client upon request.

(3) Documentation serving as proof of proper and orderly data processing shall be retained by the contractor beyond the end of the contract in accordance with the respective retention periods. The contractor may hand it over to the client at the end of the contract for the purpose of discharging its obligations.

§ 12 Requests from data subjects

If a data subject contacts the contractor with requests for correction, deletion, or information, the contractor shall refer the data subject to the client, provided that it is possible to assign the request to the client based on the information provided by the data subject. The contractor shall forward the data subject's request to the client without delay. The contractor shall support the client within the scope of its capabilities and as instructed, if agreed. The contractor shall not be liable if the client does not respond to the data subject's request, or does not respond correctly or in a timely manner.

§ 13 Rights of inspection

(1) The client has the right to carry out checks in consultation with the contractor or to have them carried out by auditors to be appointed in individual cases. The client has the right to verify the contractor's compliance with this agreement in its business operations by means of random checks, which must generally be announced in good time.

(2) The contractor shall ensure that the client can verify the contractor's compliance with its obligations under Art. 28 GDPR. The contractor undertakes to provide the client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.

(3) The contractor shall grant the client the access, information, and inspection rights necessary to carry out the checks permitted under this contract.

(4) Instead of an on-site inspection, proof of the implementation of technical and organizational measures may also be provided by demonstrating compliance with approved codes of conduct in accordance with Art. 40 GDPR, the submission of a suitable, current attestation, reports or report extracts from independent bodies (e.g., auditors, data protection officers, IT security departments, data protection auditors, or quality auditors), suitable certification by IT security or data protection audits – e.g., in accordance with BSI basic protection – ("audit report") or approved certification procedures in accordance with Art. 42 GDPR, if the audit report enables the client to satisfy itself in an appropriate manner that the technical and organizational measures in their current version are being complied with.

§ 14 Subcontractors (additional processors)

(1) The client hereby agrees to the establishment of subcontracting relationships in accordance with Appendix 1 and grants the contractor general approval to engage additional processors within the meaning of Art. 28 (2) GDPR.

(2) Before engaging additional processors or replacing those listed, the contractor shall inform the client of the change in good time. The client may object to the planned change within 14 calendar days for important reasons relating to data protection law.

(3) If the contractor assigns orders to subcontractors, it is the contractor's responsibility to transfer its data protection obligations under this contract to the subcontractor.

(4) In the case of subcontracting, the client shall be granted rights of control and review in accordance with this agreement and Art. 28 GDPR and Art. 32 GDPR with regard to the subcontractor. This also includes the right of the client to receive information from the contractor, upon written request, about the essential content of the contract and the implementation of the data protection-related obligations in the subcontracting relationship, if necessary by inspecting the relevant contract documents.

(5) No consent is required for the involvement of subcontractors where the subcontractor only provides ancillary services to support the provision of services, even if access to the client's data cannot be ruled out; this includes, in particular, transport services provided by postal or courier services, cash-in-transit services, telecommunications services, security services, and cleaning services, but not testing and maintenance services. The contractor shall enter into confidentiality agreements with such subcontractors in accordance with industry standards.

(6) If the subcontractor provides the agreed service outside the EU/EEA, the contractor shall ensure compliance with data protection laws by taking appropriate measures. The same applies if service providers within the meaning of paragraph 5 are to be used.

§ 15 Liability and compensation

(1) The client and contractor shall be jointly liable for damages caused by processing that does not comply with the GDPR in their external relationship with the respective data subject.

(2) The contractor shall be liable exclusively for damage resulting from processing carried out by it in which

a. it has failed to comply with the obligations arising from the GDPR and specifically imposed on processors, or

b. it acted in disregard of the client's lawfully issued instructions, or

c. it acted contrary to the lawful instructions of the client.

(3) Insofar as the client is obliged to pay damages to the data subject, it reserves the right to recourse against the contractor.

(4) In the internal relationship between the client and the contractor, however, the contractor shall only be liable for damage caused by processing if it

a. has failed to comply with its obligations specifically imposed on it by the GDPR, or

b. has failed to comply with the lawful instructions of the client or has acted contrary to these instructions.

(5) Further liability claims under general law remain unaffected.

§ 16 Information obligations, written form clause, choice of law

(1) If the client's data at the contractor's premises is endangered by seizure or confiscation, by insolvency or composition proceedings, or by other events or measures taken by third parties, the contractor must inform the client immediately. The contractor shall immediately inform all parties responsible in this context that the sovereignty and ownership of the data lies exclusively with the client as the "controller" within the meaning of the General Data Protection Regulation.

(2) Amendments and additions to this agreement and all its components—including any assurances made by the contractor—require a written agreement, which may also be in electronic format (text form), and an express reference to the fact that this is an amendment or addition to these terms and conditions. This also applies to any waiver of this formal requirement.

(3) In the event of any contradictions, the provisions of this agreement on data protection shall take precedence over the provisions of the contract. Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.

(4) German law shall apply.

Appendix 1: Subcontractors

Subcontractors: myLoc managed IT AG, Am Gatherhof 44, 40472 Düsseldorf, Germany
Activities: Data center/hosting
Purpose: Outsourcing of the aforementioned activities, contract fulfillment
Categories of data: Web/platform data
Data subjects: Platform users

Subcontractors: uscreen GmbH, Moritzstraße 14, 42117 Wuppertal, DE
Activities: IT services
Purpose: Outsourcing of the aforementioned activities, contract performance
Categories of data: Web/platform data
Data subjects: Users of the platform