Provisions for the Processing of Personal Data on Behalf of a Controller Pursuant to Art. 28 DS-GVO


The following provisions shall apply in the event that Neo Commerce GmbH, Max-Bill-Str. 8, 80807 Munich, Germany (hereinafter "Contractor") is commissioned by the Client to provide contractor services in the area of Guided Selling/Digital Product Consulting as a software solution (SaaS) on the basis of the Cloud Software (SaaS) user agreement, which is concluded by reference (link) to the General Terms and Conditions (hereinafter "Main Agreement").

Part of the performance of the Main Agreement is the processing of personal data within the meaning of the General Data Protection Regulation ("GDPR"; German abbreviation: DS-GVO). In order to meet the requirements of the GDPR for such arrangements, the following provisions shall apply and conclusively govern the processing of personal data by the Contractor on behalf of the Client.

  1. Subject matter/scope of the order processing

    1. The cooperation of the Parties in accordance with the Main Agreement entails that the Contractor obtains access to personal data of the Client (hereinafter "Client Data") and processes such data exclusively on behalf of and in accordance with the instructions of the Client within the meaning of Art. 4 No. 8 and Art. 28 GDPR.

    2. The processing of the Client Data by the Contractor shall be carried out exclusively in the manner specified in Appendix 1 and to the extent and for the purpose specified therein. The group of persons affected by the data processing is set out in Appendix 2 to this Agreement. The duration of the processing corresponds to the term of the Main Agreement.

  2. The Client's authority to issue instructions

    1. The Contractor shall process the Client Data only within the scope of the commission and exclusively on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 GDPR (processing on behalf of a controller). In this respect, the Client shall have the sole right to issue instructions on the type, scope and method of the processing activities (hereinafter also referred to as "right to issue instructions").

    2. Instructions shall generally be issued by the Client in writing; instructions issued verbally shall be confirmed by the Client in writing. The persons authorized to give and receive instructions shall be determined upon request. In the event of a change of, or long-term unavailability of, a person authorized to give or receive instructions, the successor or representative shall be named to the other party in text form without delay. The Contractor shall notify the Client of a change in the person authorized to receive instructions in good time. Until the Client has received such notification, the previously designated persons shall continue to be deemed authorized to receive instructions.

    3. If the Contractor is of the opinion that an instruction of the Client violates data protection provisions, it shall notify the Client thereof. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Client.

 

  3. Protective measures of the Contractor

    1. The Contractor is obliged to observe the statutory provisions on data protection and shall neither disclose information obtained from the Client's sphere to third parties nor expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.

    2. Furthermore, the Contractor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement (hereinafter referred to as "Employees") to maintain confidentiality in writing (confidentiality obligation, Art. 28(3)(b) GDPR) and shall ensure compliance with this obligation with due care.

    3. The Contractor shall design its internal organization in such a way that it meets the special requirements of data protection. It undertakes to take all appropriate technical and organizational measures for the adequate protection of the Client Data pursuant to Art. 32 GDPR and to maintain these measures for the duration of the processing of the Client Data.

    4. The Contractor reserves the right to change the technical and organizational measures it has taken, provided that the contractually agreed level of protection is not undercut.

    5. At the request of the Client, the Contractor shall provide the Client with suitable evidence of compliance with the technical and organizational measures.

 

  4. Information and support obligations of the Contractor

    1. In the event of significant disruptions, suspected material data protection breaches, or security-relevant incidents in the processing of the Client Data by the Contractor, by persons engaged by the Contractor in connection with this Agreement, or by third parties, the Contractor shall notify the Client without undue delay upon becoming aware thereof, in written or electronic form. The same applies to audits of the Contractor by the data protection supervisory authority. Notifications pursuant to Section 4.1 sentence 1 shall contain at minimum the information specified in Art. 33(3) GDPR.

    2. In the cases of Section 4.1, the Contractor shall support the Client, to the extent reasonable, in its investigation, remediation and notification measures. In particular, the Contractor shall without delay implement the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subjects, inform the Client thereof and request further instructions from the Client.

    3. The Contractor undertakes to provide the Client, upon the latter's written request and within a reasonable period of time, with such information and evidence as may be required to carry out an inspection pursuant to Section 7.1 of this Agreement. 

  5. Other obligations of the Contractor

    1. The Contractor confirms that it has appointed a contact person for data protection. The contact details of the contact person for data protection are Dana Nedamaldeen, [email protected], +49 588 05 57 20. The Client shall be notified in writing of any change in the person of the contact person for data protection. 

  6. Subcontractor relationships

    1. Subcontracting relationships within the meaning of this provision are those services which relate directly to the provision of the main service. They do not include ancillary services which the Contractor uses, such as telecommunications services, postal/transport services, maintenance and user support, or the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor shall be obligated to enter into appropriate and legally compliant contractual agreements and to take control measures to ensure the data protection and data security of the Client Data also in the case of outsourced ancillary services.

    2. The Client agrees to the engagement of the following subcontractors, subject to a contractual agreement in accordance with Art. 28(2) to (4) GDPR: https://bit.ly/3kcRbmc

    3. The Contractor is entitled, within the scope of its contractual obligations, to engage additional sub-processors. The Contractor shall notify the Client thereof without undue delay. The Client may object to the engagement or replacement of a sub-processor within two weeks of receipt of such notification, provided there is good cause for the objection. If the Client does not raise an objection within this period, consent to the change shall be deemed granted. In the event of a justified objection, the Contractor shall be entitled to terminate the contractual relationship with four weeks' notice to the end of a calendar month, provided that performance of the contractually agreed services without the use of the relevant sub-processor is unreasonable for the Contractor. The Contractor shall carefully select sub-processors based on their suitability and reliability. When engaging sub-processors, the Contractor shall bind them to the provisions of this Agreement and ensure that the Client may exercise its rights under this Agreement, in particular its audit and inspection rights, directly against the sub-processors as well. Where sub-processors are to be engaged in a third country, the Contractor shall ensure that an adequate level of data protection is guaranteed at the respective sub-processor (e.g. by entering into an agreement based on the EU Standard Contractual Clauses). Upon request, the Contractor shall provide the Client with evidence that the aforementioned agreements with its sub-processors have been concluded.

  7. Control rights

    1. The Client shall be entitled to regularly satisfy itself of compliance with the provisions of this Agreement. For this purpose, it may, for example, obtain information from the Contractor, have existing attestations from experts, certifications or internal audit reports presented to it, or have the Contractor's technical and organizational measures inspected in person or by an expert third party during normal business hours, after at least one week's advance notice and in consultation with the Contractor, provided that the third party is not in a competitive relationship with the Contractor.

    2. The Client shall carry out inspections without specific cause no more than once a year and only to the extent necessary, and shall take reasonable account of the Contractor's operating procedures. The parties shall agree on the time and type of inspection in good time.

    3. The Client shall document the inspection result and notify the Contractor thereof. If the Client discovers errors or irregularities, in particular when inspecting the processing results, it shall inform the Contractor without delay. If facts are found during the inspection whose future avoidance requires changes to the commissioned procedure, the Client shall inform the Contractor of the necessary procedural changes without delay.

  8. Rights of data subjects

    1. The Contractor shall support the Client as far as possible with suitable technical and organizational measures in fulfilling the Client's obligations pursuant to Articles 12 to 22 and Articles 32 to 36 GDPR. The Contractor shall provide the Client with the requested information on Client Data without undue delay, and no later than within five (5) business days, unless the Client already has the relevant information itself.

    2. If a data subject asserts its rights pursuant to Articles 16 to 18 GDPR, the Contractor shall, upon instruction of the Client, correct, delete or restrict the processing of the Client Data without undue delay, and at the latest within fourteen (14) business days. The Contractor shall provide the Client with written evidence of the deletion, correction or restriction of the data upon request.

    3. If a data subject asserts rights, such as the right to information, correction or deletion with regard to their data, directly against the Contractor, the Contractor shall forward this request to the Client without undue delay, and no later than within three (3) business days, and shall await the Client's instructions.

 

  9. Term and termination

    1. The term of this Agreement corresponds to the term of the Main Agreement. If the Main Agreement can be terminated by ordinary notice, the provisions on ordinary notice of termination shall apply accordingly. In case of doubt, a termination of the Main Agreement shall also be deemed a termination of this Agreement, and a termination of this Agreement shall be deemed a termination of the Main Agreement.

    2. The Client shall be entitled to terminate this Agreement extraordinarily for good cause at any time. Good cause shall be deemed to exist if the Contractor fails to comply with its material contractual obligations, violates provisions of the GDPR intentionally or with gross negligence, or is unable or unwilling to carry out an instruction of the Client. In the case of simple violations, i.e. those that are neither intentional nor grossly negligent, the Client shall first set the Contractor a reasonable deadline of at least fifteen (15) business days within which the Contractor can remedy the violation. After fruitless expiry of this period, the Client shall be entitled to extraordinary termination.

  10. Deletion and return after the end of the contract

    1. After termination of the Main Agreement, or at any time upon the Client's written request, all documents, data and data carriers provided to the Contractor shall be returned to the Client or, upon the Client's written request, deleted completely and irrevocably by the Contractor, unless a statutory retention period applies. This shall also apply to copies of the Client Data held by the Contractor, such as data backups, but not to documentation that serves as evidence of the proper processing of the Client Data in accordance with the commission. The Contractor shall confirm the deletion to the Client in writing.

  11. Liability

    1. The liability of the parties is governed by the Main Agreement.

  12. Final provisions

    1. Amendments and supplements to this Agreement must be made in writing. This shall also apply to any waiver of this written-form requirement.

    2. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the Main Agreement. Should individual provisions of this Agreement prove to be invalid or unenforceable in whole or in part, or become invalid or unenforceable as a result of changes in legislation after conclusion of the Agreement, this shall not affect the validity of the remaining provisions. The invalid or unenforceable provision shall be replaced by the valid and enforceable provision that comes as close as possible to the meaning and purpose of the invalid provision.

    3. This Agreement is subject to German law. The exclusive place of jurisdiction is Munich.

Attachments

Appendix 1 - Specification of type, scope and purpose of data processing

Appendix 2 - Description of the types of data and the categories of data subjects

Appendix 1 - Specification of type, scope and purpose of data processing

Data processing in relation to the Client 

  • The Client receives personal access to the Contractor's software

  • The Contractor creates a user profile for the Client for this purpose

  • The following information of the Client is stored in this profile:

      • Admin user email address

      • Admin user password

      • First & last name of the admin user

      • Company and company address of the admin user

Data processing in relation to customers of the Client 

  1. The Contractor provides the Client with software that enables the Client's customers to receive digital product advice. This advisory service is offered either via a quiz-based flow or via a text-based chatbot.

  2. Quiz-based product advisory:

    1. The digital advisory is conducted with the Client's customer through a quiz-like process. Upon completion, the customer receives a product recommendation. 

    2. During the advisory, standard browser HTTP information is processed (see Appendix 2).

    3. At the end of the advisory, the customer has the option to have the results sent to them by email. 

    4. In a form field, the customer enters their email address and, upon consent to the Client's privacy policy, can receive the results. 

    5. For email delivery to the customer, the Contractor uses an email marketing software listed under Section 6.2 of this Agreement.

    6. Browser data is processed to provide the Client with performance data. 

    7. The customer's email address is collected to send them the advisory results. Subject to the customer's consent, the Client may use the email address for its own marketing purposes.

  3. Chat-based product advisory (LLM use):

    1. LLM use & chat content: Free-text inputs (prompts) submitted by users are transmitted to a large language model (LLM) of a third-party provider (listed under Section 6.2) for the purpose of generating responses.

    2. No model training: It is contractually ensured that the transmitted chat content will not be used to train the provider's AI models.

    3. Unstructured data: The chatbot does not actively request personal data. Should users voluntarily enter such data, it will be processed as unstructured data within the text context.

    4. Analytics, debug logs & backups: For the purpose of error analysis and performance measurement, analytics events (pseudonymised) and debug logs/tracing data (technical metadata) are recorded. Encrypted backups are created to ensure availability.

Appendix 2 - Description of the types of data and the categories of data subjects

The categories of data subjects affected by the processing include:

  • Website visitors of the Client

  • Employees of the Client

The processing of personal data covers the following types/categories of data:

Browser HTTP information

  1. User agent

  2. IP address (will not be stored)

  3. Accept-Language

  4. Neocom session ID to identify a consulting session/browser session

  5. Neocom conversation ID to identify a single consultation by Neocom

  6. Neocom user ID to identify a user across multiple browser sessions (necessary for conversion tracking). The associated cookie is not set on the Neocom domain but on the Client's domain.

User information of the Client

  • Admin user email address

  • Admin user password

  • First & last name of the admin user

  • Company and company address of the admin user

Chat & telemetry data:

  • Free-text inputs (prompts) in the chatbot

  • Analytics events, debug logs, and tracing data (technical metadata, no IP address storage)

Provisions for the processing of personal data on behalf of a controller pursuant to Art. 28 DS-GVO

The following provisions shall apply in the event that Neo Commerce GmbH, Max-Bill-Str. 8, 80807 Munich, Germany (hereinafter "Contractor") is commissioned by the Client to provide  contractor services in the area of Guided Selling/Digital Product Consulting as a software solution (SaaS) on the basis of the Cloud Software (SaaS) user agreement designed as a link to the General Terms and Conditions, hereinafter "Main Agreement". 

Part of the performance of the Main Contract is the processing of personal data within the meaning of the General Data Protection Regulation ("GDPR"). In order to meet the requirements of the DS-GVO for such constellations, the following provisions shall apply and conclusively regulate the processing of personal data by the Contractor on behalf of the Customer. 

  1. Subject matter/scope of the order processing

    1. The cooperation of the Parties in accordance with the Main Agreement entails that the Contractor obtains access to personal data of the Client (hereinafter "Client Data") and processes such data exclusively on behalf of and in accordance with the instructions of the Client within the meaning of Art. 4 No. 8 and Art. 28 DS-GVO.

    2. The processing of the Client Data by the Contractor shall be carried out exclusively in the manner specified in Appendix 1 and to the extent and for the purpose specified therein. The group of persons affected by the data processing is shown in Appendix 2 to this contract. The duration of the processing corresponds to the term of the main contract.

  1. The client’s authority to issue directives 

    1. The Contractor shall process the Client Data only within the scope of the commission and exclusively on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 of the German Data Protection Regulation (Order Processing). In this respect, the Client shall have the sole right to issue instructions on the type, scope and method of the processing activities (hereinafter also referred to as "right to issue instructions").

    2. Instructions shall generally be issued by the Client in writing; instructions issued verbally shall be confirmed by the Client in writing. The persons authorized to give and receive instructions shall be determined upon request. In the event of a change or long-term prevention of the persons authorized to receive instructions, the successor or representative shall be named to the other party in text form without delay. The Contractor shall notify the Customer of a change in the person authorized to receive instructions in good time. Until receipt of such notification by the Customer, the designated persons shall continue to be deemed authorized to receive.

    3. If the Contractor is of the opinion that an instruction of the Customer violates data protection provisions, it shall notify the Customer thereof. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Customer.

 

  1. Protective measures of the contractor

    1. The Contractor is obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Client's domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.

    2. Furthermore, the Contractor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement (hereinafter referred to as "Employees") to maintain confidentiality in writing (confidentiality obligation, Art. 28(3)(b) DS-GVO) and shall ensure compliance with this obligation with due care. 

    3. The Contractor shall design its internal organization in such a way that it meets the special requirements of data protection. He undertakes to take all appropriate technical and organizational measures for the adequate protection of the Client Data pursuant to Art. 32 DS-GVO and to maintain these measures for the duration of the processing of the Client Data.

    4. The Contractor reserves the right to change the technical and organizational measures taken, while ensuring that the contractually agreed level of protection is not undercut.

    5. At the request of the Customer, the Contractor shall provide the Customer with suitable evidence of compliance with technical and organizational measures.

 

  1. Information and support obligations of the contractor

    1. In the event of significant disruptions, suspected material data protection breaches, or security-relevant incidents in the processing of the Client's data by the Processor, by persons engaged by the Processor in connection with this agreement, or by third parties, the Processor shall notify the Client without undue delay upon becoming aware thereof, in written or electronic form. The same applies to audits of the Processor by the data protection supervisory authority. Notifications pursuant to Section 4.1 sentence 1 shall contain at minimum the information specified in Art. 33 para. 3 GDPR.

    2. In the event of Section 4.1, the Contractor shall support the Client in the fulfillment of its clarification, remedial and information measures in this regard to the extent reasonable. In particular, the Contractor shall immediately implement the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subjects, inform the Customer thereof and request the Client to issue further instructions.

    3. The Contractor undertakes to provide the Client, upon the latter's written request and within a reasonable period of time, with such information and evidence as may be required to carry out an inspection pursuant to Section 7.1 of this Agreement. 

  1. Other obligations of the contractor

    1. The Contractor confirms that it has appointed a contact person for data protection. The contact details of the contact person for data protection are Dana Nedamaldeen, [email protected], +49 588 05 57 20. The Client shall be notified in writing of any change in the person of the contact person for data protection. 

  2. Subcontractor relationships

    1. Subcontracting relationships within the meaning of this provision shall be understood to be those services which relate directly to the provision of the main service. This does not include ancillary services which the Contractor uses, for example, as telecommunications services, postal/transport services, maintenance and user service or the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, the Contractor shall be obligated to enter into appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security of the Client’s data also in the case of outsourced ancillary services. 

    2. The Client agrees to the engagement of the following subcontractors under the condition of a contractual agreement in accordance with Art. 28 Para. 2-4 DS-GVO: https://bit.ly/3kcRbmc

    3. The Processor is entitled, within the scope of its contractual obligations, to engage additional sub-processors. The Processor shall notify the Client thereof without undue delay. The Client may object to the engagement or replacement of a sub-processor within two weeks of receipt of such notification, provided there is good cause for the objection. If the Client does not raise an objection within this period, consent to the change shall be deemed granted. In the event of a justified objection, the Processor shall be entitled to terminate the contractual relationship with four weeks' notice to the end of a calendar month, provided that performance of the contractually agreed services without the use of the relevant sub-processor is unreasonable for the Processor. The Processor shall carefully select sub-processors based on their suitability and reliability. When engaging sub-processors, the Processor shall bind them to the provisions of this agreement and ensure that the Client may exercise its rights under this agreement — in particular its audit and inspection rights — directly against the sub-processors as well. Where sub-processors are to be engaged in a third country, the Processor shall ensure that an adequate level of data protection is guaranteed at the respective sub-processor (e.g. by entering into an agreement based on the EU Standard Contractual Clauses). Upon request, the Processor shall provide the Client with evidence that the aforementioned agreements with its sub-processors have been concluded.

  1. Control rights

    1. The Client shall be entitled to regularly assure itself of compliance with the provisions of this Agreement. For this purpose, it may, for example, obtain information from the Contractor, have existing test certificates from experts, certifications or internal audits presented to it or have the Contractor's technical and organizational measures inspected personally or by an expert third party during normal business hours and after at least one week's advance notice in consultation with the Contractor, provided that the third party is not in a competitive relationship with the Contractor.

    2. The Client shall carry out inspections without cause no more than once a year and only to the extent necessary and shall take reasonable account of the Contractor's operating procedures. The parties shall agree on the time and type of inspection in good time.

    3. The Client shall document the inspection result and notify the Contractor thereof. In the event of errors or irregularities discovered by the Client, in particular during the inspection of order results, the Client shall inform the Contractor without delay. If facts are found during the inspection, the future avoidance of which requires changes to the ordered procedure, the Client shall inform the Contractor of the necessary procedural changes without delay.

  1. Rights of affected persons

    1. The Contractor shall support the Client as far as possible with suitable technical and organizational measures in fulfilling the Client's obligations pursuant to Articles 12 to 22 and Articles 32 to 36 of the GDPR. The Contractor shall provide the Client with the requested information on Client Data without undue delay, but no later than within five (5) business days, unless the Client has the relevant information itself.

    2. If the data subject asserts its rights pursuant to Articles 16 to 18 of the GDPR, the Contractor shall be obligated to correct, delete or restrict the Client Data without undue delay, at the latest within a period of fourteen (14) working days, upon instruction of the Client. The Contractor shall provide the Client with written evidence of the deletion, correction or restriction of the data upon request.

    3. If a data subject asserts rights, such as the right to information, correction or deletion with regard to his data, directly against the Contractor, the Contractor shall forward this request to the Client without undue delay, but no later than within three (3) business days and shall await the Client's instructions.

 

  1. Term and termination

    1. The term of this agreement corresponds to the term of the main agreement. If the main contract can be terminated by ordinary notice, the provisions on ordinary notice of termination shall apply accordingly. In case of doubt, a termination of the main contract shall also be deemed a termination of this contract and a termination of this contract shall be deemed a termination of the main contract.

    2. The Client shall be entitled to extraordinary termination of this contract for good cause at any time. Good cause shall be deemed to exist if the Contractor fails to comply with its material contractual obligations, violates provisions of the GDPR with intent or gross negligence or is unable or unwilling to carry out an instruction of the Client. In the case of simple - i.e. neither intentional nor grossly negligent - violations, the Client shall first set the Contractor a reasonable deadline of at least fifteen (15) business days within which the Contractor can remedy the violation. After fruitless expiry of this period, the Client shall then be entitled to extraordinary termination.

  1. Deletion and return after the end of the contract

    1. After termination of the main contract at any time upon the Client’s written request, all documents, data and data carriers provided to the Contractor shall be returned to the Client or, upon the Client's written request, deleted completely and irrevocably by the Contractor, unless a statutory retention period exists. This shall also apply to copies of the Client Data at the Contractor's premises, such as data backups, but not to documentation that serves as evidence of the proper processing of the Client Data in accordance with the order. The Contractor shall confirm the deletion to the Client in writing. 

  1. Liability

    1. The liability of the parties is governed by the main contract.

  1. Final provisions

    1. Amendments and supplements to this agreement must be made in writing. This shall also apply to any waiver of this formal requirement.

    2. In case of doubt, the provisions of this agreement shall take precedence over the provisions of the main contract. Should individual provisions of this agreement prove to be invalid or unenforceable in whole or in part, or become invalid or unenforceable as a result of changes in legislation after conclusion of the agreement, this shall not affect the validity of the remaining provisions. The invalid or unenforceable provision shall be replaced by the valid and enforceable provision that comes as close as possible to the meaning and purpose of the invalid provision.

    3. This agreement is subject to German law. The exclusive place of jurisdiction is Munich.

Attachments

Appendix 1 - Specification of type, scope and purpose of data processing

Appendix 2 - Description of the types of data and the categories of data subjects

Appendix 1 - Specification of type, scope and purpose of data processing

Data processing in relation to the Client 

  • The Client receives personal access to the Contractor's software

  • The Contractor creates a user profile for the Client for this purpose

  • The following information of the Client is stored in this profile:

      • Admin user email address

      • Admin user password

      • First & last name of the admin user

      • Company and company address of the admin user

Data processing in relation to customers of the Client 

  1. The Processor provides the Client with software that enables the Client's customers to receive digital product advice. This advisory service is offered either via a quiz-based flow or via a text-based chatbot.

  2. Quiz-based product advisory:

    1. The digital advisory is conducted with the Client's customer through a quiz-like process. Upon completion, the customer receives a product recommendation. 

    2. During the advisory, standard browser HTTP information is processed (see Annex 2). 

    3. At the end of the advisory, the customer has the option to have the results sent to them by email. 

    4. In a form field, the customer enters their email address and, upon consent to the Client's privacy policy, can receive the results. 

    5. For email delivery to the customer, the Processor uses email marketing software listed under Section 6.2 of the DPA. 

    6. Browser data is processed to provide the Client with performance data. 

    7. The customer's email address is collected to send them the advisory results. Subject to the customer's consent, the Client may use the email address for its own marketing purposes.

  3. Chat-based product advisory (LLM use):

    1. LLM use & chat content: Free-text inputs (prompts) submitted by users are transmitted to a large language model (LLM) of a third-party provider (listed under Section 6.2) for the purpose of generating responses.

    2. No model training: It is contractually ensured that the transmitted chat content will not be used to train the provider's AI models.

    3. Unstructured data: The chatbot does not actively request personal data. Should users voluntarily enter such data, it will be processed as unstructured data within the text context.

    4. Analytics, debug logs & backups: For the purpose of error analysis and performance measurement, analytics events (pseudonymised) and debug logs/tracing data (technical metadata) are recorded. Encrypted backups are created to ensure availability.

Appendix 2 - Description of the types of data and the categories of data subjects

The categories of data subjects affected by the processing include:

  • Website visitors of the Client

  • Employees of the Client

The subject of the processing of personal data are the following types/categories of data:

Browser HTTP information

  1. User agent

  2. IP address (will not be stored)

  3. Accept-Language

  4. Neocom session ID to identify a consulting session/browser session

  5. Neocom conversation ID to identify a single consultation by Neocom

  6. Neocom user ID to identify a user across multiple browser sessions (necessary for conversion tracking). No cookie is stored on the Neocom domain, but on the Client’s domain.

User information of the Client

  • Admin user email address

  • Admin user password

  • First & last name of the admin user

  • Company and company address of the admin user

Chat & telemetry data:

  • Free-text inputs (prompts) in the chatbot

  • Analytics events, debug logs, and tracing data (technical metadata, no IP address storage)


Document versions

Title                                           Language   Valid until   Link to document
Provisions for the Processing of Personal Data  English    23.04.26      Neocom AVV valid until 23.04.26_EN.pdf
Provisions for the Processing of Personal Data  English    26.10.22      Neocom AVV valid until 26.10.22_EN.pdf