Provisions for the Processing of Personal Data on Behalf of a Controller Pursuant to Art. 28 DS-GVO

The following provisions shall apply in the event that Neo Commerce GmbH, Max-Bill-Str. 8, 80807 Munich, Germany (hereinafter "Contractor") is commissioned by the Client to provide contractor services in the area of Guided Selling/Digital Product Consulting as a software solution (SaaS) on the basis of the Cloud Software (SaaS) user agreement designed as a link to the General Terms and Conditions, hereinafter "Main Agreement".

Part of the performance of the Main Agreement is the processing of personal data within the meaning of the General Data Protection Regulation (GDPR, German: DS-GVO). In order to meet the requirements of the DS-GVO for such constellations, the following provisions shall apply and conclusively regulate the processing of personal data by the Contractor on behalf of the Client.

1. Subject Matter / Scope of the Order Processing

1.1
The cooperation of the Parties in accordance with the Main Agreement entails that the Contractor obtains access to personal data of the Client (hereinafter "Client Data") and processes such data exclusively on behalf of and in accordance with the instructions of the Client within the meaning of Art. 4 No. 8 and Art. 28 DS-GVO.

1.2
The processing of the Client Data by the Contractor shall be carried out exclusively in the manner specified in Appendix 1 and to the extent and for the purpose specified therein. The group of persons affected by the data processing is shown in Appendix 2 to this Agreement. The duration of the processing corresponds to the term of the Main Agreement.

2. The Client’s Authority to Issue Directives

2.1
The Contractor shall process the Client Data only within the scope of the commission and exclusively on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 DS-GVO (Order Processing). In this respect, the Client shall have the sole right to issue instructions on the type, scope and method of the processing activities (hereinafter also referred to as "right to issue instructions").

2.2
Instructions shall generally be issued by the Client in writing; instructions issued verbally shall be confirmed by the Client in writing.
The persons authorized to give and receive instructions shall be determined upon request.

  • In the event of a change or long-term prevention of the persons authorized to receive instructions, the successor or representative shall be named to the other party in text form without delay.

  • The Contractor shall notify the Customer of a change in the person authorized to receive instructions in good time.

  • Until receipt of such notification by the Customer, the previously designated persons shall continue to be deemed authorized to receive instructions.

2.3
If the Contractor is of the opinion that an instruction of the Customer violates data protection provisions, it shall notify the Customer thereof. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Customer.

3. Protective Measures of the Contractor

3.1
The Contractor is obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Client's domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.

3.2
Furthermore, the Contractor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement (hereinafter referred to as "Employees") to maintain confidentiality in writing (confidentiality obligation, Art. 28(3)(b) DS-GVO) and shall ensure compliance with this obligation with due care.

3.3
The Contractor shall design its internal organization in such a way that it meets the special requirements of data protection. It undertakes to take all appropriate technical and organizational measures for the adequate protection of the Client Data pursuant to Art. 32 DS-GVO and to maintain these measures for the duration of the processing of the Client Data.

3.4
The Contractor reserves the right to change the technical and organizational measures taken, while ensuring that the contractually agreed level of protection is not undercut.

3.5
At the request of the Customer, the Contractor shall provide the Customer with suitable evidence of compliance with technical and organizational measures.

4. Information and Support Obligations of the Contractor

4.1
In the event of significant disruptions, suspicion of significant data protection violations or security-relevant incidents in the processing of the Client Data by the Contractor, by persons employed by it within the scope of the contract or by third parties, the Contractor shall inform the Customer in writing or electronically without undue delay, but no later than within thirty-six (36) hours.
The same shall apply to audits of the Contractor by the data protection supervisory authority.

The notifications pursuant to Section 4.1 Sentence 1 shall in each case contain at least the information specified in Article 33 (3) GDPR.

4.2
In the event of Section 4.1, the Contractor shall support the Client in the fulfillment of its clarification, remedial and information measures in this regard to the extent reasonable. In particular, the Contractor shall immediately implement the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subjects, inform the Customer thereof and request the Client to issue further instructions.

4.3
The Contractor undertakes to provide the Client, upon the latter's written request and within a reasonable period of time, with such information and evidence as may be required to carry out an inspection pursuant to Section 7.1 of this Agreement.

5. Other Obligations of the Contractor

5.1
The Contractor confirms that it has appointed a contact person for data protection.

  • Contact details: Dana Nedamaldeen, [email protected], +49 588 05 57 20

  • The Client shall be notified in writing of any change in the person of the contact person for data protection.

6. Subcontractor Relationships

6.1
Subcontracting relationships within the meaning of this provision shall be understood to be those services which relate directly to the provision of the main service. This does not include ancillary services (e.g. telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers).

The Contractor shall nevertheless be obligated to enter into appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security of the Client’s data also in the case of outsourced ancillary services.

6.2
The Client agrees to the engagement of the following subcontractors under the condition of a contractual agreement in accordance with Art. 28 Para. 2-4 DS-GVO: https://bit.ly/3kcRbmc

6.3
Within the scope of its contractual obligations, the Contractor shall be authorized to establish further subcontracting relationships with subcontractors.

  • The Contractor shall inform the Customer thereof without delay.

  • The Contractor is obliged to carefully select subcontractors according to their suitability and reliability.

  • When engaging subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement and shall ensure that the Customer can also exercise its rights under this Agreement (in particular inspection and monitoring rights) directly against the subcontractors.

  • If subcontractors in a third country are to be involved, the Contractor shall ensure that an appropriate level of data protection is guaranteed (e.g. EU standard contractual clauses).

Upon request, the Contractor shall provide the Customer with evidence of the conclusion of the aforementioned agreements with its subcontractors.

7. Control Rights

7.1
The Client shall be entitled to regularly assure itself of compliance with the provisions of this Agreement. For this purpose, it may:

  • Obtain information from the Contractor

  • Request test certificates from experts, certifications, or internal audits

  • Inspect the Contractor's technical and organizational measures personally or through an expert third party during normal business hours and after at least one week's advance notice, provided that the third party is not in a competitive relationship with the Contractor.

7.2
The Client shall carry out inspections without cause no more than once a year and only to the extent necessary and shall take reasonable account of the Contractor's operating procedures. The parties shall agree on the time and type of inspection in good time.

7.3
The Client shall document the inspection result and notify the Contractor thereof.

  • In the event of errors or irregularities discovered by the Client, the Client shall inform the Contractor without delay.

  • If facts are found during the inspection requiring changes to the procedure, the Client shall inform the Contractor of the necessary changes without delay.

8. Rights of Affected Persons

8.1
The Contractor shall support the Client with suitable technical and organizational measures in fulfilling the Client's obligations pursuant to Articles 12–22 and 32–36 GDPR. The Contractor shall provide the Client with requested information on Client Data without undue delay, but no later than five (5) business days, unless the Client already has the relevant information.

8.2
If a data subject asserts rights under Articles 16–18 GDPR, the Contractor shall, upon instruction of the Client, correct, delete, or restrict the Client Data without undue delay (at the latest within fourteen (14) working days). The Contractor shall provide written evidence of such action upon request.

8.3
If a data subject asserts rights (e.g. access, correction, or deletion) directly against the Contractor, the Contractor shall forward this request to the Client without undue delay, but no later than three (3) business days, and shall await instructions.

9. Term and Termination

9.1
The term of this Agreement corresponds to the term of the Main Agreement. If the Main Agreement can be terminated by ordinary notice, the provisions on ordinary notice of termination apply accordingly. In case of doubt, termination of one Agreement shall be deemed termination of the other.

9.2
The Client may terminate this Agreement for good cause at any time. Good cause exists if:

  • The Contractor fails to comply with material contractual obligations

  • The Contractor violates GDPR provisions with intent or gross negligence

  • The Contractor is unable or unwilling to carry out an instruction of the Client

For simple (non-intentional, non-grossly negligent) violations, the Client shall grant the Contractor a remedy period of at least fifteen (15) business days. After expiry without remedy, the Client may terminate extraordinarily.

10. Deletion and Return After End of Contract

10.1
After termination of the Main Agreement, at the Client’s written request, all documents, data, and data carriers shall be:

  • Returned to the Client, or

  • Deleted completely and irrevocably by the Contractor (unless statutory retention applies)

This also applies to data backups and copies, except for documentation serving as evidence of proper processing. The Contractor shall confirm deletion in writing.

11. Liability

11.1
The liability of the parties is governed by the Main Agreement.

12. Final Provisions

12.1
Amendments and supplements to this Agreement must be in writing. This also applies to waiving this formal requirement.

12.2
In case of doubt, this Agreement takes precedence over the Main Agreement.
If provisions prove invalid or unenforceable, the remaining provisions remain valid. The invalid provision shall be replaced by a valid one closest in meaning and purpose.

12.3
This Agreement is subject to German law. Exclusive place of jurisdiction: Munich.

Appendices

Appendix 1 — Specification of Type, Scope and Purpose of Data Processing

Data processing in relation to the Client

  • The Client receives personal access to the Contractor's software

  • The Contractor creates a user profile for the Client for this purpose

  • The following Client information is stored in this profile:

    • Admin user email address

    • Admin user password

    • First & last name of the admin user

    • Company and company address of the admin user

Data processing in relation to customers of the Client

  1. The Contractor provides the Client with software enabling digital product consulting.

  2. The consultation is conducted in a quiz-like process; the customer then receives a product recommendation.

  3. Standard browser HTTP information is processed (see Appendix 2).

  4. At the end of the consultation, the customer may opt to receive results via e-mail.

  5. In a form, the customer enters their e-mail address and, with consent to the Client’s privacy policy, receives the results.

  6. For sending e-mails, the Contractor uses e-mail marketing software (see Section 6.2 GTC).

  7. Browser data is processed to provide performance data to the Client.

  8. The customer’s e-mail is collected to send results; with consent, the Client may use it for advertising.

Appendix 2 — Description of the Types of Data and the Categories of Data Subjects

Categories of data subjects affected by processing:

  • Website visitors of the Client

  • Employees of the Client

Types of personal data processed:

Browser HTTP information

  1. User agent

  2. IP address (not stored)

  3. Accept-Language

  4. Neocom session ID (consulting/browser session)

  5. Neocom conversation ID (single consultation)

  6. Neocom user ID (cross-session identification for conversion tracking, cookie stored on Client’s domain)

User information of the Client

  • Admin user email address

  • Admin user password

  • First & last name of the admin user

  • Company and company address of the admin user

Last updated: 28.10.22

6. Subcontractor Relationships

6.1
Subcontracting relationships within the meaning of this provision shall be understood to be those services which relate directly to the provision of the main service. This does not include ancillary services (e.g. telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers).

The Contractor shall nevertheless be obligated to enter into appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security of the Client’s data also in the case of outsourced ancillary services.

6.2
The Client agrees to the engagement of the following subcontractors under the condition of a contractual agreement in accordance with Art. 28 Para. 2-4 DS-GVO: https://bit.ly/3kcRbmc

6.3
Within the scope of its contractual obligations, the Contractor shall be authorized to establish further subcontracting relationships with subcontractors.

  • The Contractor shall inform the Customer thereof without delay.

  • The Contractor is obliged to carefully select subcontractors according to their suitability and reliability.

  • When engaging subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement and shall ensure that the Customer can also exercise its rights under this Agreement (in particular inspection and monitoring rights) directly against the subcontractors.

  • If subcontractors in a third country are to be involved, the Contractor shall ensure that an appropriate level of data protection is guaranteed (e.g. EU standard contractual clauses).

Upon request, the Contractor shall provide the Customer with evidence of the conclusion of the aforementioned agreements with its subcontractors.

7. Control Rights

7.1
The Client shall be entitled to regularly assure itself of compliance with the provisions of this Agreement. For this purpose, it may:

  • Obtain information from the Contractor

  • Request test certificates from experts, certifications, or internal audits

  • Inspect the Contractor's technical and organizational measures personally or through an expert third party during normal business hours and after at least one week's advance notice, provided that the third party is not in a competitive relationship with the Contractor

7.2
The Client shall carry out inspections without cause no more than once a year and only to the extent necessary and shall take reasonable account of the Contractor's operating procedures. The parties shall agree on the time and type of inspection in good time.

7.3
The Client shall document the inspection result and notify the Contractor thereof.

  • In the event of errors or irregularities discovered by the Client, the Client shall inform the Contractor without delay.

  • If facts are found during the inspection requiring changes to the procedure, the Client shall inform the Contractor of the necessary changes without delay.

8. Rights of Affected Persons

8.1
The Contractor shall support the Client with suitable technical and organizational measures in fulfilling the Client's obligations pursuant to Articles 12–22 and 32–36 GDPR. The Contractor shall provide the Client with requested information on Client Data without undue delay, but no later than five (5) business days, unless the Client already has the relevant information.

8.2
If a data subject asserts rights under Articles 16–18 GDPR, the Contractor shall, upon instruction of the Client, correct, delete, or restrict the Client Data without undue delay (at the latest within fourteen (14) working days). The Contractor shall provide written evidence of such action upon request.

8.3
If a data subject asserts rights (e.g. access, correction, or deletion) directly against the Contractor, the Contractor shall forward this request to the Client without undue delay, but no later than three (3) business days, and shall await instructions.

9. Term and Termination

9.1
The term of this Agreement corresponds to the term of the Main Agreement. If the Main Agreement can be terminated by ordinary notice, the provisions on ordinary notice of termination apply accordingly. In case of doubt, termination of one Agreement shall be deemed termination of the other.

9.2
The Client may terminate this Agreement for good cause at any time. Good cause exists if:

  • The Contractor fails to comply with material contractual obligations

  • The Contractor violates GDPR provisions with intent or gross negligence

  • The Contractor is unable or unwilling to carry out an instruction of the Client

For simple (non-intentional, non-grossly negligent) violations, the Client shall grant the Contractor a remedy period of at least fifteen (15) business days. After expiry without remedy, the Client may terminate extraordinarily.

10. Deletion and Return After End of Contract

10.1
After termination of the Main Agreement, at the Client’s written request, all documents, data, and data carriers shall be:

  • Returned to the Client, or

  • Deleted completely and irrevocably by the Contractor (unless statutory retention applies)

This also applies to data backups and copies, except for documentation serving as evidence of proper processing. The Contractor shall confirm deletion in writing.

11. Liability

11.1
The liability of the parties is governed by the Main Agreement.

12. Final Provisions

12.1
Amendments and supplements to this Agreement must be in writing. This also applies to waiving this formal requirement.

12.2
In case of doubt, this Agreement takes precedence over the Main Agreement.
If provisions prove invalid or unenforceable, the remaining provisions remain valid. The invalid provision shall be replaced by a valid one closest in meaning and purpose.

12.3
This Agreement is subject to German law. Exclusive place of jurisdiction: Munich.

Appendices

Appendix 1 — Specification of Type, Scope and Purpose of Data Processing

Data processing in relation to the Client

  • The Client receives personal access to the Contractor's software

  • The Contractor creates a user profile for the Client for this purpose

  • The following Client information is stored in this profile:

    • Admin user email address

    • Admin user password

    • First & last name of the admin user

    • Company and company address of the admin user

Data processing in relation to customers of the Client

  1. The Contractor provides the Client with software enabling digital product consulting.

  2. The consultation is conducted in a quiz-like process; the customer then receives a product recommendation.

  3. Standard browser HTTP information is processed (see Appendix 2).

  4. At the end of the consultation, the customer may opt to receive results via e-mail.

  5. In a form, the customer enters their e-mail address and, with consent to the Client’s privacy policy, receives the results.

  6. For sending e-mails, the Contractor uses e-mail marketing software (see Section 6.2 GTC).

  7. Browser data is processed to provide performance data to the Client.

  8. The customer’s e-mail is collected to send results; with consent, the Client may use it for advertising.

Appendix 2 — Description of the Types of Data and the Categories of Data Subjects

Categories of data subjects affected by processing:

  • Website visitors of the Client

  • Employees of the Client

Types of personal data processed:

Browser HTTP information

  1. User agent

  2. IP address (not stored)

  3. Accept-Language

  4. Neocom session ID (consulting/browser session)

  5. Neocom conversation ID (single consultation)

  6. Neocom user ID (cross-session identification for conversion tracking, cookie stored on Client’s domain)

User information of the Client

  • Admin user email address

  • Admin user password

  • First & last name of the admin user

  • Company and company address of the admin user

Last updated: 28.10.22