Data Processing Agreement (DPA)

Annex A to the

Terms of Use / Subscription Agreement for the Details Service,

last updated May 15 2018

(hereinafter, the »Agreement«)

concluded by and between the customer of the Subscription Agreement

-hereinafter, the »Company«-

and Berlin 3 Services GmbH, Urbanstr. 70A, 10967 Berlin,

represented by Stephan Rombach, registered in Berlin (HRB 117025 B)

-hereinafter, the »Supplier«-

- both Company and Supplier hereinafter individually referred to as a »Party«, and jointly referred to as the »Parties« on contract data processing on behalf as referred to by section 11 paragraph 2 of the German federal data protection act (»Bundesdatenschutzgesetz«, hereinafter »BDSG«)

Preamble

This annex details the obligations of the Parties related to the protection of data resulting from the scope of the processing of personal data on behalf as defined in detail in the Terms of Use / Subscription Agreement for the Details Service. It shall apply to all activity within the scope of and related to the Agreement, and in whose context the Supplier’s employees or subcontractors may come into contact with Company’s personal data.

§ 1 Scope, Duration and Specification as to Contract Data Processing on Behalf

The scope and duration as well as the extent and nature of the collection, processing and use of personal data shall be as defined in the Agreement. Processing on behalf shall include in particular, but not be limited to, the categories of personal data listed in the table below:

Category of data Purpose of collection, processing or use of data Category of data subjects the data relates to
Contact information (e.g., names, addresses, e-mail, phone numbers) Management of business contacts and integration in business workflows on behalf of the Company Company´s customers, suppliers, service providers, partner companies, any business related companies and their employees.
Content data (e.g., text, documents, images, videos) Management of business documents and integration in business workflows on behalf of the Company Company´s artists, talents, customers, suppliers, service providers, any business related companies and their employees.
Contract data (e.g., legal matters, terms) Management of contractual information and integration in business workflows on behalf of the Company Company´s artists, talents, customers, suppliers, licensors, licencees, any business related companies and their employees.
Accounting and payment data (e.g., invoice details, bank details, payments, liabilities) Management of accounting workflows including invoice and payment management on behalf of the Company Company´s customers, suppliers, service providers, partner companies, any business related companies and their employees.
Usage data (e.g., user ids, access times, log data) Data access control, data entry control and data transfer control Company and their employees, Supplier, their employees and service providers.
Meta / Communication data (e.g., device IDs, IP addresses, location data). Data access control, data entry control and data transfer control Company´s artists, talents, any business related companies and their employees who access Online Applications , Online Questionaires or Online Agreements.
Employee data (e.g., names, e-mail, phone numbers) Management of user contacts and integration of user information in business workflows on behalf of the Company Company´s registered users

Except where this annex expressly stipulates any surviving obligation, the term of this annex shall follow the term of the Agreement.

§ 2 Scope of Application and Distribution of Responsibilities

(1) Supplier shall process personal data on behalf of Company. The foregoing shall include the activities enumerated and detailed in the Agreement and its scope of work. Within the scope of the Agreement, Company shall be solely responsible for complying with the statutory data privacy and protection regulations, including, but not limited to, the lawfulness of the transmission to the Supplier and the lawfulness of processing; Company shall be the responsible body (»verantwortliche Stelle«) as defined in section 3 paragraph 7 BDSG.

(2) Any instruction by Company to Supplier related to processing (hereinafter, a »Processing Instruction«) shall, initially, be defined in the Agreement, and Company shall be entitled to issuing changes and amendments to Processing Instructions and to issue new Processing Instructions. Parties shall treat any Processing Instruction exceeding the scope of work defined in the Agreement as a change request.

§ 3 Supplier’s Obligations and Responsibilities

(1) Supplier shall collect, process, and use data related to data subjects only within the scope of work and the Processing Instructions issued by Company.

(2) Supplier shall, within Supplier’s scope of responsibility, structure Supplier’s internal organisation so it complies with the specific requirements of the protection of personal data. Supplier shall implement and maintain technical and organisational measures to adequately protect Company’s data in accordance with and satisfying the requirements of the BDSG (annex to section 9 BDSG). These measures shall be implemented as defined in the following list and continuously published and updated in our WIKI article “GDPR (General Data Protection Regulation) data regulations” - http://help.detailsdetails.eu/tiki-read_article.php?articleId=494

  1. physical access control
  2. logical access control
  3. data access control
  4. data transfer control
  5. data entry control
  6. control of Processing Instructions
  7. availability control
  8. separation control

Supplier shall be entitled to modifying the security measures agreed upon, provided, however, that no modification shall be permissible if it derogates from the level of protection contractually agreed upon.

(3) Upon Company’s request, and except where Company is able to obtain such information directly, Supplier shall provide all information necessary for compiling the overview defined by § 4g paragraph 2 sentence 1 BDSG.

(4) Supplier shall ensure that any personnel entrusted with processing Company’s data have undertaken to comply with the principle of data secrecy in accordance with § 5 BDSG and have been duly instructed on the protective regulations of the BDSG. The undertaking to secrecy shall continue after the termination of the above-entitled activities.

(5) Supplier shall, without undue delay, inform Company of any material breach of the regulations for the protection of Company’s personal data, committed by Supplier or Supplier’s personnel. Supplier shall implement the measures necessary to secure the data and to mitigate potential adverse effects on the data subjects and shall agree upon the same with Company without undue delay. Supplier shall support Company in fulfilling Company’s disclosure obligations under section 42a BDSG.

(6) Supplier shall notify to Company the point of contact for all issues related to data privacy and protection within the scope of the Agreement.

(7) Supplier represents and warrants that Supplier complies with Supplier’s obligations under sections 4f and 4g BDSG (section 11 paragraph 2 no. 5 in connection with section 11 paragraph 4 BDSG). The foregoing shall include in particular, but not be limited to, Supplier’s obligations to appoint a data protection official where required by law.

(8) Supplier shall not use data transmitted to Supplier for any purpose other than to fulfil Supplier’s obligations under the Agreement.

(9) Where Company so instructs Supplier, Supplier shall correct, delete or block data in the scope of this Agreement. Unless stipulated differently in the Agreement, Supplier shall, at Company’s individual request, destroy data carrier media and other related material securely and beyond recovery of the data it contains. Where Company so instructs Supplier, Supplier shall archive and/or provide to Company, such carrier media and other related material.

(10)Supplier shall, upon Company’s order, provide to Company or delete any data, data carrier media - solely if physically owned by Supplier - after the termination or expiration of the Agreement.

Where Company’s requests exceed the scope of work of the Agreement, Company shall reimburse Supplier for any expenses incurred through Supplier’s compliance with Company’s instructions to transfer or delete the data.

§ 4 Company’s Obligations

(1) Company shall, without undue delay and in a comprehensive fashion, inform Supplier of any defect Company may detect in Supplier’s work results and of any irregularity in the implementation of statutory regulations on data privacy.

(2) Company shall be obliged to maintain the public register of processing in accordance with section 4g paragraph 2 sentence 2 BDSG.

§ 5 Enquiries by Data Subjects

(1) Where, in accordance with applicable data privacy laws, Company is obliged to answer a data subject’s enquiry related to the collection, processing or use of such data subject’s data, Supplier shall support Company in providing the required information. The foregoing shall be apply only where Company has so instructed Supplier in writing or in text form, and where Company reimburses Supplier for the cost and expenses incurred in providing such support. Supplier shall not directly respond to any enquiries of data subjects and shall refer such data subjects to Company.

(2) Where a data subject requests Supplier correct, delete or block data, Supplier shall refer such data subject to Company.

§ 6 Audit Obligations

(1) Company shall, prior to the commencement of the processing of data and at regular intervals thereafter [alternatively, an interval may be expressly stipulated], audit the technical and organisational measures implemented by Supplier and shall document the result of such audit.

In the course of such audit, Company may, in particular, conduct the following measures, but shall not be limited to the same:

  • Company may obtain information from Supplier.
  • Company may request Supplier to submit to Company an existing attestation or certificate by an independent professional expert.
  • Company may, upon reasonable and timely advance agreement, during regular business hours and without interrupting Supplier’s business operations, conduct an on-site inspection of Supplier’s business operations or have the same conducted by a qualified third party which shall not be a competitor of Supplier.

(2) Supplier shall, at Company’s written request and within a reasonable period of time, submit to Company any and all information, documentation and other means of factual proof necessary for the conduction of an audit.

§ 7 Subcontractors

(1) Supplier may subcontract any part of the scope of work defined in the Agreement to a subcontractor without Company’s prior written approval for each individual act of subcontracting. Supplier shall diligently select any subcontractor, duly taking into account their qualification.

(2) Company hereby permits Supplier to use third-party legal entities as subcontractors for the scope of work defined in the Agreement, in whole or in part, and to subcontract to said third-party legal entities the parts of the scope of work enumerated below.

(3) Where Supplier subcontracts deliverables to subcontractors, Supplier shall be obliged to extend any and all of Supplier’s obligations under the Agreement to all subcontractors. Sentence 1 shall apply in particular, but not be limited to, the requirements on the confidentiality and protection of data as well as data security, each as agreed upon between the Parties. Company shall be entitled to auditing Supplier’s subcontractors only upon prior agreement with Supplier to that effect.

At Company’s written request, Supplier shall be required to provide to Company comprehensive information on the obligations of all subcontractors as they relate to data privacy and protection; this information shall, where necessary, include Company’s right to inspect the relevant contract documents.

(4) The approval requirements for subcontracting shall not apply in cases where Company subcontracts ancillary deliverables to third parties; such ancillary deliverables shall include, but not be limited to, the provision of external contractors, mail, shipping and receiving services, and maintenance services.
Supplier shall conclude, with such third parties, any agreement necessary to ensure the adequate protection of data.

§ 8 Duties to Notify, Mandatory Written Form, Choice of Law

(1) Where Company’s data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Supplier’s control, Supplier shall notify Company of such action without undue delay. Supplier shall, without undue delay, notify to all pertinent parties in such action, that any data affected thereby is in Company’s sole property and area of responsibility, that data is at Company’s sole disposition, and that Company is the responsible body in the sense of the BDSG.

(2) No modification of this annex and/or any of its components – including, but not limited to, Supplier’s representations and warranties, if any – shall be valid and binding unless made in writing and then only if such modification expressly states that such modification applies to the regulations of this annex. The foregoing shall also apply to any waiver or modification of this mandatory written form.

(3) In case of any conflict, the regulations of this annex shall take precedence over the regulations of the Agreement. Where individual regulations of this annex are invalid or unenforceable, the validity and enforceability of the other regulations of this annex shall not be affected.

(4) This annex is subject to the laws of the Federal Republic of Germany.

Technical and Organisational Measures