Data Processing Agreement

(Annex to the Terms and Conditions)

by Zesavi GmbH
Fellhornstraße 4, 87477 Sulzberg
- Contractor -

I. General remarks

  • This agreement on the processing of data ("DPA") is an integral part of the General Terms and Conditions ("GTC") of Zesavi GmbH. The DPA becomes legally effective upon signing the service contract and the associated acceptance of the GTC in accordance with the contractual agreements between the parties.
  • The Contractor will process personal data on behalf of the Client within the meaning of Article 4 (8) and Article 28 of Regulation (EU) 2016/679 ("GDPR"). This Agreement governs the rights and obligations of the parties in connection with the processing of personal data.
  • Insofar as the term "data processing" or "processing" (of data) is used in this Agreement, it has the meaning defined in Article 4 (2) GDPR.

II. Subject matter of the Agreement

  1. The subject matter, nature and purpose of the processing, the nature of personal data and the categories of data subjects are set out in Annex 1 to this Agreement.

III. Rights and duties of the Client

  1. The Client is the Controller within the meaning of Art. 4 No. 7 GDPR for the data processed on its behalf. Pursuant to Section 4 (4) of this Agreement, the Contractor has the right to inform the Client if the Contractor is of the opinion that the data processing is in breach of applicable statutory data protection law, this Agreement and/or an instruction.
  2. As the controller, the Client is responsible for safeguarding the rights of data subjects. The Contractor shall inform the Client immediately if data subjects assert their data subject rights against the Contractor in connection with this processing of data on behalf of the Client.
  3. The Client shall be entitled to issue supplementary instructions concerning the nature, scope and procedure of data processing to the Contractor at any time. Instructions must be given in text form (e.g. email).
  4. This shall be without prejudice to any provisions regarding compensation for additional expenses incurred by the Contractor as a result of additional instructions issued by the Client.
  5. The Client shall promptly inform the Contractor if it finds errors or irregularities in connection with the processing of personal data by the Contractor.
  6. In the event of an obligation to notify Third Parties pursuant to Articles 33, 34 GDPR or any other statutory reporting obligation applicable to the Client, the Client shall be responsible for fulfilling those obligations. The Contractor shall support the Client, within the scope of its possibilities and the contractually owed service, in fulfilling the requests and claims of data subjects in accordance with Chapter III of the GDPR and in complying with the obligations set out in Articles 33 to 36 GDPR.

IV. General obligations of the Contractor

  1. The Contractor shall process personal data only within the framework of this Agreement and/or in compliance with any additional instructions given by the Client. Excepted from this are legal provisions that oblige the Contractor to process data differently. In such a case, the Contractor shall inform the Client of these legal requirements before processing, unless the law in question prohibits such notification on grounds of an important public interest. Purpose, nature and scope of data processing shall be governed exclusively by this Agreement and/or the instructions of the Client. Data processing deviating from this Agreement shall be forbidden unless the Client has given its written consent.
  2. The Contractor undertakes to carry out data processing on behalf of the Client only in member states of the European Union (EU) or the European Economic Area (EEA). Processing of personal data in a third country requires the prior consent of the Client, which must be given at least in text form (e.g. e-mail). The Client may only give such consent if it is ensured that the requirements of Art. 44–49 GDPR are met, so that an adequate level of protection for the personal data is guaranteed.
  3. The Contractor is obliged to structure its company and its operating procedures in such a way that the data it processes on behalf of the Client is secured to the extent necessary and protected against unauthorized access by third parties.
  4. The Contractor shall inform the Client if the Contractor is of the opinion that a Client’s instruction is in breach of statutory data protection laws. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it has been confirmed or amended by the Client. Insofar as the Contractor can demonstrate that processing according to the instructions of the Client can lead to liability of the Contractor according to Article 82 GDPR, the Contractor is free to suspend further processing in this respect until the liability between the parties has been clarified.

V. Data protection officer of the Contractor

  1. The Contractor confirms that it – if required by law – appoints a data protection officer in accordance with Article 37 GDPR. The Contractor shall ensure that the data protection officer has the necessary qualifications and expertise. The Contractor shall inform the Client of the name and contact details of its data protection officer separately in text form.
  2. The duty to name a data protection officer pursuant to paragraph 1 may cease to apply if the Contractor can demonstrate that it is not legally obliged to appoint a data protection officer and that company provisions exist which ensure that personal data are processed in compliance with the provisions of law, the provisions of this Agreement and any further instructions the Client may give.

VI. Notification obligations of the Contractor

  1. The Contractor shall inform the Client immediately of each breach of statutory data protection laws, contractual agreements and/or the Client's instructions which has occurred during the processing of the data by it or by other persons involved in processing the data. The same shall apply to any personal data breach affecting data which the Contractor processes on behalf of the Client.
  2. Furthermore, the Contractor shall inform the Client immediately if a supervisory authority takes action against the Contractor pursuant to Art. 58 GDPR and that action may also affect the processing which the Contractor carries out on behalf of the Client.
  3. The Contractor is aware that the Client may be subject to a notification obligation pursuant to Articles 33, 34 GDPR, under which the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of the breach. The Contractor shall assist the Client in fulfilling these notification obligations. In particular, the Contractor shall notify the Client of any unauthorized access to personal data processed on behalf of the Client without delay, but at the latest within 48 hours of becoming aware of such access. The Contractor's notification to the Client shall in particular include the following information:
  • a description of the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
  • a description of the measures taken or proposed by the Contractor to address the personal data breach and, where appropriate, to mitigate its possible adverse effects.

VII. Contractor’s obligation of cooperation

  1. The Contractor shall assist the Client in fulfilling its duty to respond to requests for the exercise of data subjects' rights in accordance with Art. 12–23 GDPR. The provisions of Section 12 of this Agreement shall apply.
  2. The Contractor shall assist the Client in compiling the records of processing activities. The Contractor must provide the Client with the required particulars by suitable means.
  3. Taking into account the nature of the processing and the information available to it, the Contractor shall assist the Client in complying with the obligations set out in Articles 32–36 GDPR.

VIII. Regulation on mobile workstations

  1. The Contractor may allow its employees who are commissioned to process personal data for the Client to process personal data at mobile workstations outside the Contractor's business premises.
  2. The Contractor shall ensure that compliance with the contractually agreed technical and organizational measures is also guaranteed when using mobile workstations of the Contractor's employees. Deviations from individual contractually agreed technical and organizational measures must be agreed with the Client in advance and approved by the Client in text form.
  3. In particular, the Contractor shall ensure that when processing personal data at mobile workstations, the storage locations are configured in such a way that local storage of data on IT systems is excluded. If this is not possible, the Contractor shall ensure that local storage is exclusively encrypted and that other persons at the location of the respective mobile workstation do not have access to this data.
  4. The Contractor is obliged to ensure that effective control of the processing of personal data on behalf of the Client at mobile workstations is possible.

IX. Supervisory powers

  1. The Client has the right to monitor, at any time and to the extent necessary, the Contractor's compliance with statutory data protection laws, with the provisions agreed between the Parties and/or with the instructions of the Client.
  2. The Contractor shall be obliged to provide the Client with information to the extent necessary to carry out an inspection within the meaning of paragraph 1.
  3. The Client may carry out the inspection within the meaning of paragraph 1 at the Contractor's business premises during normal business hours after prior notification with reasonable notice. The Contractor shall ensure that the inspections are only carried out to the extent necessary in order not to disproportionately disrupt the Contractor’s business operations as a result of the inspections. The parties assume that an inspection is required no more than once a year. Further inspections must be justified by the Client, stating the reason. In the event of on-site inspections, the Client shall reimburse the Contractor for the expenses incurred, including the personnel costs for the supervision and support of the inspectors on site to an appropriate extent. The basis of the cost calculation shall be communicated to the Client by the Contractor before the inspection is carried out.
  4. At the Contractor's discretion, proof of compliance with the technical and organizational measures may also be provided instead of an on-site inspection by submitting a suitable, current certificate, reports or report extracts from independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification, provided that the audit report enables the Client to reasonably satisfy itself of compliance with the technical and organizational measures in accordance with Annex 3 to this Agreement. If the Client has reasonable doubts about the suitability of the evidence referred to in sentence 1, the Client may carry out an on-site inspection. The Client is aware that an on-site inspection of data centers is not possible, or is possible only in justified exceptional cases.
  5. The Contractor shall be obliged to provide the Client with the necessary information in the event of measures by a supervisory authority against the Client pursuant to Art. 58 GDPR, in particular regarding information and monitoring obligations, and to grant the competent supervisory authority on-site inspections. The Contractor shall inform the Client of any such intended measures.
  6. The Parties agree that the control measures for the processing of personal data at mobile workplaces, in order to protect the personal rights of other persons at these mobile workplaces, shall primarily be carried out by monitoring the measures to be taken by the Contractor in accordance with Section 8 (2) and (3).

X. Subcontracting

  1. The Contractor shall be entitled to use the subcontractors specified in Annex 2 to this Agreement for the processing of data on behalf of the Contractor. The change of subcontractors or the commissioning of further subcontractors is permitted under the conditions specified in paragraph 2.
  2. The Contractor shall carefully select the subcontractor and check before commissioning that the subcontractor can comply with the agreements made between the Client and the Contractor. In particular, the Contractor shall check in advance, and regularly during the term of the contract, that the subcontractor has taken the technical and organizational measures required under Art. 32 GDPR to protect personal data. In the event of a planned change of subcontractor or the planned commissioning of a new subcontractor, the Contractor shall inform the Client in text form in good time, but no later than 4 weeks before the change or new commissioning ("Information"). The Client shall have the right to object to the change or new commissioning of the subcontractor in text form within three weeks of receipt of the Information, stating its reasons. The objection may be withdrawn by the Client in text form at any time. In the event of an objection, the Contractor may terminate the contractual relationship with the Client with a notice period of at least 14 days to the end of a calendar month. The Contractor shall take the interests of the Client into account when setting the notice period. If no objection is made by the Client within three weeks of receipt of the Information, this shall be deemed to constitute the Client's consent to the change or new commissioning of the subcontractor concerned.
  3. The Contractor shall be obliged to obtain confirmation from the subcontractor that the subcontractor has appointed a data protection officer in accordance with Art. 37 GDPR. In the event that no data protection officer has been appointed at the subcontractor, the Contractor shall inform the Client of this and provide information indicating that the subcontractor is not legally obliged to appoint a data protection officer.
  4. The Contractor shall ensure that the provisions agreed in this contract and any supplementary instructions of the Client also apply to the subcontractor.
  5. The Contractor shall conclude a data processing agreement with the subcontractor that meets the requirements of Art. 28 GDPR. In addition, the Contractor shall impose on the subcontractor the same obligations to protect personal data as are stipulated between the Client and the Contractor. The Client shall be provided with a copy of this data processing agreement upon request.
  6. In particular, the Contractor shall be obliged to ensure by means of contractual provisions that the supervisory powers (Section 9 of this contract) of the Client and supervisory authorities also apply to the subcontractor and that corresponding supervisory rights of the Client and supervisory authorities are agreed. It must also be contractually stipulated that the subcontractor must tolerate these control measures and any on-site inspections.
  7. Services which the Contractor uses from third parties as a purely ancillary service in order to carry out the business activity are not to be regarded as subcontracting relationships within the meaning of paragraphs 1 to 6. These include, for example, cleaning services, pure telecommunication services with no specific connection to services that the Contractor provides for the Client, postal and courier services, transportation services, security services. The Contractor is nevertheless obliged to ensure that appropriate precautions and technical and organizational measures have been taken to ensure the protection of personal data, even in the case of ancillary services provided by third parties. The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship requiring consent and order processing within the meaning of Art. 28 GDPR if the maintenance and testing concerns IT systems that are also used in connection with the provision of services for the Client and personal data processed on behalf of the Client can be accessed during maintenance.

XI. Obligation of confidentiality

  1. When processing data on behalf of the Client, the Contractor shall be obliged to maintain the confidentiality of data which it receives or obtains in connection with the data processing order.
  2. The Contractor warrants that it has familiarized its employees with the data protection provisions applicable to them and has obligated them to maintain confidentiality. The Contractor further warrants that it has in particular obligated the employees involved in carrying out the work to maintain confidentiality and has informed them of the Client's instructions. The duty of confidentiality and non-disclosure shall continue to exist even after completion of the order.
  3. Proof of such obligation of the employees pursuant to paragraph 2 shall be presented to the Client on request.

XII. Protection of Data Subjects' rights

  1. The Client is solely responsible for safeguarding data subjects' rights. The Contractor is obliged to support the Client in its duty to process requests from data subjects in accordance with Articles 12–23 GDPR. The Contractor shall in particular ensure that the information required for this purpose is provided to the Client without delay, so that the Client is able to meet its obligations, in particular the time limits under Art. 12 (3) GDPR.
  2. Insofar as the Contractor's participation is necessary for the Client to safeguard data subjects' rights, in particular regarding access, rectification, restriction (blocking) or erasure, the Contractor shall take the necessary measures on the Client's instruction. Where possible, the Contractor shall assist the Client with appropriate technical and organizational measures in fulfilling its obligation to respond to requests for the exercise of data subjects' rights.
  3. Provisions concerning remuneration of additional expenses incurred through participation of the Contractor in connection with assertion of data subjects' rights against the Client remain unaffected.
  4. In the event that a data subject asserts his or her rights under Art. 12–23 GDPR with the Contractor, although this obviously concerns the processing of personal data for which the Client is responsible, the Contractor is entitled to inform the data subject that the Client is the Controller for the data processing. In this context, the Contractor may provide the data subject with the contact details of the Controller.

XIII. Confidentiality obligations

  1. Both Parties hereby undertake to treat all information received in connection with the performance of this Agreement as confidential for an indefinite period and to use such information only for carrying out the Agreement. Neither Party has the right to use the information, in part or as a whole, for purposes other than those mentioned or to make this information available to Third Parties.
  2. The foregoing obligation shall not apply to information that a Party demonstrably received from Third Parties without being bound to secrecy, or which is publicly known.

XIV. Remuneration

  1. The Contractor's remuneration is provided for by way of a separate agreement.

XV. Technical and organizational measures for data security

  1. The Contractor undertakes towards the Client to comply with all technical and organizational measures that are required for compliance with applicable data protection regulations. This includes in particular the requirements of Art. 32 GDPR.
  2. The technical and organizational measures as of the time at which this Agreement is made are attached as Annex 3 to this contract. The Parties agree that changes to technical and organizational measures may be required to adapt to technical and legal requirements. The Contractor will inform the Client in advance and within a reasonable period of any material changes affecting the integrity, confidentiality or availability of personal data. The Contractor may implement without consulting with the Client measures that entail only slight technical or organizational changes and that do not negatively affect the integrity, confidentiality or availability of the personal data. The Client may at any time request an up-to-date version of the technical and organizational measures taken by the Contractor.

XVI. Term of the Agreement

  1. The Agreement begins with the start of the service order and ends at the same time as the end of the service order.
  2. The Client may terminate the Agreement at any time without notice if the Contractor has committed a serious violation of the applicable data protection provisions or a breach of its duties under this Agreement, is unable or unwilling to carry out an instruction of the Client, or denies access to the Client or the competent supervisory authority in breach of the Agreement.

XVII. Termination

  1. Upon termination of the Agreement, the Contractor must hand over to the Client, or delete, all documents, data and final results of processing or use that are associated with the contractual relationship. The erasure must be documented in a suitable manner. Any relevant legal obligations for the retention of data remain unaffected. Data carriers must be destroyed in the event of a destruction request by the Client, and at least security level 3 of the national standard DIN 66399 (Office machines – Destruction of data carriers – Part 1: Principles and definitions) must be observed. The destruction must be verified to the Client with reference to the security level in accordance with DIN 66399.
  2. The Client has the right to monitor the complete and contractual return or erasure of the data by the Contractor. This may be done also by visual inspection of the data processing systems on the Contractor's business premises. The on-site monitoring is to be announced by the Client with reasonable notice.
  3. The Contractor may store personal data that has been processed in connection with the order beyond the termination of the contract if and to the extent that the Contractor has a legal obligation to retain it. In these cases, the data may only be processed for the purposes of implementing the respective statutory retention obligations. After expiry of the retention obligation, the data must be deleted immediately.

XVIII. Final Provisions

  1. Should the property of the Client be at risk at the Contractor through measures of Third Parties (especially confiscation or seizure of property), by insolvency proceedings or other events, the Contractor must inform the Client immediately. The Contractor will inform creditors immediately about the fact that the data are processed on behalf of the Client.
  2. Written form is compulsory for ancillary agreements.
  3. Should individual parts of this Agreement be invalid, the validity of the Agreement’s other provisions will not be affected thereby.
  4. Insofar as the Contractor processes personal data that is subject to the (joint) responsibility of a company affiliated with the Client ("Group Controller"), the respective Group Controller shall also be deemed the Client. The Client is commissioned and authorized by the Group Controller(s) to conclude this Agreement and to act as the exclusive contact vis-à-vis the Contractor.

Annex 1 - Subject matter of the Agreement

1. Categories of data subjects whose personal data are processed

  1. Employees
  2. Customers (if given access to the platform)
  3. Partners (if given access to the platform)

2. Type(s) of personal data

  1. Business email address
  2. First name and surname
  3. Departmental & Team affiliation in the company
  4. Position in the company
  5. Location
  6. Uploaded images (e.g., profile picture)
  7. IP address
  8. Content created

3. Type(s) of processing

Collection, capturing, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data, access to data for maintenance, servicing or provision purposes.

4. Purpose(s) for which the personal data are processed on behalf of the controller

The Contractor offers software for digital knowledge management in the company. The value of the platform for the Client increases with the amount of content created.

Each employee or predefined groups receive personalized access to the platform.
This ensures that:

  1. the content created on the platform can be clearly assigned to specific individuals in order to define responsibility in terms of accuracy and timeliness.
  2. only authorized and authenticated persons have access to potentially sensitive personal data or work processes that require protection.

5. Duration of processing

See contract term.

Annex 2 - Subcontractors

For the processing of data on behalf of the Client, the Contractor uses the services of Third Parties who process data on behalf of the Contractor ("subcontractors").

These companies are:

Microsoft Ireland Operations, Ltd.
One Microsoft Place
South County Business Park, Leopardstown
Dublin 18, D18 P521, Ireland
Purpose of data processing: Hosting of the web application, processing of videos, generation of texts, audio tracks, images, videos, keywords and translations

Telekom Deutschland GmbH
Landgrabenweg 151
D-53227 Bonn
Germany
Purpose of data processing: Storage of content and company and personal data until the end of the contract

Google Ireland Limited
Gordon House, Barrow Street
Dublin 4, Ireland
Purpose of data processing: Hosting of the web application, processing of videos, generation of texts, audio tracks, images, videos, keywords and translations

Intercom R&D Unlimited Company
124 St Stephen's Green,
Dublin 2, Ireland
Purpose of data processing: Communication services, e.g. for support chats and e-mail newsletters

Hetzner Online GmbH
Industriestr. 25
91710 Gunzenhausen
Germany
Purpose of data processing: Server Hosting

Annex 3 - Technical and organizational measures of the Contractor

The Contractor shall take the following technical and organizational measures for data security within the meaning of Art. 32 GDPR.

1. Confidentiality

Physical access control

No unauthorized physical access to data processing systems, ensured by

• Magnetic or chip cards
• Electric door openers
• Plant security or gatekeeper
• Alarm systems
• Video systems
• Electronic locking system
• Access concept
• Visitor process
• Documented key issuing

System access control

No unauthorized use of systems, ensured by

• Secure passwords (password policy)
• Automatic locking mechanisms
• Two-factor authentication
• Encryption of data carriers
• Central control of authorization (e.g. via directory service and identity management)
• Password-protected screensaver
• Host-based intrusion detection systems
• Software firewall
• Application layer gateway
• Reverse proxy
• Removal of unused applications and services
• No administrator accounts for normal users
• Regular installation of security-relevant patches, updates and service packs
• Port blocking
• Password renewal routine
• Restrictive assignment of admin rights to clients
• Routine for warning of acute threats
• IT policy
• Policy for handling mobile devices
• Penetration tests

Data access control

No unauthorized reading, copying, modification or removal of data within the system, ensured by

• Authorization concepts
• Needs-based access rights
• Logging of access
• Encryption of data carriers
• Pseudonymization of data and separate storage of the assignment key
• Secure deletion of data carriers before reuse
• Proper destruction of data carriers
• Password regulation
• Rights management by a minimum group of administrators
• Four-eyes principle for critical administration activities
• Employee training
• Restrictive assignment of admin rights to clients
• Routine for warning of acute threats
• Routine for checking the assignment of rights

Separation

• Logically separated storage
• Separation of production and test systems
• Use of certified hypervisors in virtualized environments
• Tagging of data records with purpose attributes
• Uniform encryption of data processed for one purpose
• Employee training
• Assignment of rights according to the need-to-know principle (least privilege model)
• Guidelines for software tests

Pseudonymization & Encryption

Encryption, namely:

• Encryption of data at rest, namely: encryption via cloud provider keys
• Encryption of data transmitted via internal networks, namely: TLS (SSL)
• Encryption of data transmitted via external networks, namely: TLS (SSL)

2. Integrity

Data Entry Control

• Central control of authorizations, e.g. by directory service
• Personal user accounts
• Document management
• Password regulation
• Authorization concept
• Personal user profiles
• Employee training
• Documentation of the processing processes including the software used and the data processed with it (processing overview)

Transmission Control

• Central control of authorizations
• E-mail encryption
• TLS (SSL) encryption for web access
• Encryption of mobile data carriers
• Pseudonymization of data
• Forwarding of data in anonymized or pseudonymized form
• Secure deletion of data carriers before reuse
• Authorization concept
• Employee training
• Careful selection of transport personnel and vehicles
• Policy on the retention, deletion and blocking of personal data

3. Availability and Resilience

• Uninterruptible power supply (UPS)
• Mirroring of systems
• Staff training
• Air-conditioned server rooms
• Monitoring of temperature and humidity in server rooms
• External data backup
• Monitoring of relevant data sources (system status, failed authentication attempts)
• Structural fire protection
• Early fire detection
• Extinguishing technology
• Backup concept
• Recovery concept
• Emergency manual
• Recovery tests
• Routine for warning of acute threats

4. Procedure for the Regular Review, Assessment, and Evaluation

• Logging of security-relevant processes
• Use of vulnerability scanners
• Penetration tests & Security analyses
• Simulation of attacks, incidents and data loss
• Routine for checking implemented security measures
• Evaluation of security incidents
• Evaluation of logs of security-relevant processes
• Regular internal and external audits (ISO/IEC 27001:2022)