Please note:
This is a translation from German into English for convenience only. In case of discrepancies in interpretation, the German version shall prevail.

 

Data processing agreement

Contract for the processing of personal data on behalf of a controller pursuant to Art. 28 GDPR (German: DS-GVO)

 

between

the customer of Spacific GmbH or user of the products of the Spacific Solution Platform

 

as the controller - hereinafter referred to as the "Client" -

 

and

 

Spacific GmbH

Drögensee 39b

22397 Hamburg

 

as the processor - hereinafter referred to as the "Contractor" -

 

- Client and Contractor hereinafter each also "Party" and jointly "Parties" -

 

Preamble

The Contractor provides services to the Client through the Spacific Solution Platform products booked by the Client. The business relationship between the Contractor and the Client commences at the latest when the Client registers on portal.spacific.de. This agreement governs the obligations of the Parties arising in connection with the Client's registration on the Spacific Solution Portal (the contractual relationship so established hereinafter: "Main Contract"). Performance of the Main Contract involves the processing of personal data within the meaning of the General Data Protection Regulation ("GDPR"). In order to meet the requirements of the GDPR for such arrangements, the Parties conclude the following agreement, the performance of which is not remunerated separately unless expressly agreed otherwise.

 

§ 1 Subject matter/scope of the assignment

(1) The cooperation of the Parties under the Main Contract entails that the Contractor obtains access to personal data of the Client (hereinafter "Client Data") and processes such data, insofar as this constitutes processing on behalf of the Client, exclusively on behalf of and in accordance with the instructions of the Client within the meaning of Art. 4 No. 8 and Art. 28 GDPR.

(2) The processing of the Client Data by the Contractor within the scope of commissioned processing shall be carried out exclusively in the manner, to the extent and for the purpose specified in Annex 1. The categories of data subjects affected by the data processing are set out in Annex 2 to this agreement. The duration of the processing shall correspond to the term of the Main Contract.

(3) The Contractor is prohibited from processing Client Data in a manner that deviates from or goes beyond the specifications in Annexes 1 and 2. This shall also apply to the use of anonymized data.

(4) The processing of the Client Data shall take place exclusively in the territory of the Federal Republic of Germany, in a Member State of the European Union or in another state party to the Agreement on the European Economic Area. Any relocation to a third country may only take place if the special requirements of Art. 44 to 49 GDPR are met.

(5) The provisions of this agreement shall apply to all activities related to the Main Contract in which the Contractor, its employees or persons commissioned by the Contractor come into contact with personal data originating from the Client or collected for the Client, unless the Contractor itself is the controller within the meaning of Art. 4 No. 7 GDPR for the processing operation in question.

 

§ 2 Right of the Client to issue instructions

(1) The Contractor shall process the Client Data only within the scope of the commission and exclusively on behalf of and in accordance with the instructions of the Client within the meaning of Art. 28 GDPR (processing on behalf of a controller); this applies in particular to the transfer of personal data to a third country or to an international organization. In this respect, the Client shall have the sole right to issue instructions regarding the type, scope and method of the processing activities (hereinafter also "right to issue instructions"). If the Contractor is required by the law of the European Union or of the Member State to which it is subject to carry out further processing, it shall notify the Client of these legal requirements prior to the processing.

(2) Instructions shall generally be issued by the Client in writing (here and in the following, this also includes text form); instructions issued verbally shall be confirmed by the Client in writing. The persons authorized to give and receive instructions are listed in Annex 3. In the event of a change or long-term unavailability of a person named in Annex 3, the successor or representative shall be named to the other Party in text form without delay. The Contractor shall notify the Client in good time of any change in the person authorized to receive instructions. Until the Client receives such notification, the previously designated persons shall continue to be deemed authorized to receive instructions.

(3) If the Contractor is of the opinion that an instruction of the Client violates data protection provisions, it shall notify the Client thereof without undue delay. The Contractor shall be entitled to suspend the implementation of the instruction concerned until it is confirmed or amended by the Client.

 

§ 3 Protective measures of the contractor

(1) The Contractor shall be obliged to observe the statutory provisions on data protection and not to disclose information obtained from the Client's sphere to third parties or otherwise make it accessible to them. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.

(2) Furthermore, the Contractor shall bind all persons entrusted by it with the processing and performance of this agreement (hereinafter "Employees") to confidentiality in writing (duty of confidentiality, Art. 28 (3) lit. b GDPR) and shall ensure compliance with this duty with due care. Upon request, the Contractor shall provide the Client with written evidence of the Employees' confidentiality undertakings.

(3) The Contractor shall design its internal organization in such a way that it meets the special requirements of data protection. It undertakes to take all appropriate technical and organizational measures for the adequate protection of the Client Data pursuant to Art. 32 GDPR, in particular the measures listed in Annex 4 to this agreement, and to maintain them for the duration of the processing of the Client Data.

(4) The Contractor reserves the right to change the technical and organizational measures taken, provided that the contractually agreed level of protection is not fallen below. The Contractor shall inform the Client in writing without delay if it has reason to believe that the measures pursuant to Annex 4 are no longer sufficient, and shall consult with the Client on further technical and organizational measures.

(5) At the request of the Client, the Contractor shall provide the Client with suitable evidence of compliance with the technical and organizational measures specified in Annex 4.

 

§ 4 Information and support obligations of the contractor

(1) In the event of disruptions, suspected data protection violations or breaches of the Contractor's contractual obligations, suspected security incidents or other irregularities in the processing of the Client Data by the Contractor, by persons employed by it within the scope of the contract or by third parties, the Contractor shall inform the Client without undue delay. Notifications pursuant to Section 4 (1) sentence 1 shall in each case contain at least the information specified in Art. 33 (3) GDPR, insofar as it is available to the Contractor.

(2) In the case of Section 4 (1), the Contractor shall support the Client, to the extent reasonable, in the fulfillment of its related clarification, remedial and information measures. In particular, the Contractor shall immediately implement the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subjects, inform the Client thereof and request further instructions from the Client.

(3) The Contractor undertakes to provide the Client, upon the latter's verbal or written request and within a reasonable period of time, with all information and evidence required to carry out an inspection pursuant to Section 7 (1) of this agreement.

 

§ 5 Other obligations of the Contractor

(1) The Contractor shall be obliged to keep a record of all categories of processing activities carried out on behalf of the Client pursuant to Art. 30 (2) GDPR.

(2) The Contractor shall be obliged to support the Client in the preparation of a data protection impact assessment pursuant to Art. 35 GDPR and in any prior consultation with the supervisory authority pursuant to Art. 36 GDPR.

 

§ 6 Subcontractor relationships

(1) The Client hereby grants the Contractor general authorization to engage further processors (sub-processors) for the processing of Client Data. The sub-processors engaged at the time of conclusion of this agreement are listed in Annex 5. Contractual relationships with service providers whose subject matter is the testing or maintenance of data processing procedures or systems by other bodies, or other ancillary services, are generally not subject to approval, even if access to Client Data cannot be excluded, provided the Contractor makes appropriate arrangements to protect the confidentiality of the Client Data.

(2) A sub-processor relationship within the meaning of these provisions shall also not exist where the Contractor commissions third parties with services that are to be regarded as purely ancillary. These include, for example, postal, transport and shipping services, cleaning services, security services, telecommunications services without any specific reference to the services provided by the Contractor to the Client, and other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. The Contractor's obligation to ensure compliance with data protection and data security in these cases as well shall remain unaffected.

(3) The Contractor shall inform the Client of any intended changes regarding the engagement or replacement of sub-processors. In individual cases, the Client shall have the right to object to the engagement of a prospective sub-processor. An objection may only be raised for good cause, which the Client must demonstrate to the Contractor. If the Client does not object within 14 days of receipt of the notification, its right of objection with regard to that engagement shall lapse. If the Client objects, the Contractor shall be entitled to terminate the Main Contract and this agreement with a notice period of 3 months.

(4) The contract between the Contractor and the sub-processor shall impose on the latter the same obligations as are imposed on the Contractor under this agreement. The Parties agree that this requirement is met if that contract provides a level of protection corresponding to this agreement or if the obligations set out in Art. 28 (3) GDPR are imposed on the sub-processor.

 

§ 7 Control rights

(1) The Client shall be entitled to regularly satisfy itself of compliance with the provisions of this agreement, in particular the implementation of and compliance with the technical and organizational measures pursuant to Section 3 (3) of this agreement. For this purpose it may, for example, obtain information from the Contractor, have existing audit reports from experts, certifications or internal audit results presented to it, or have the Contractor's technical and organizational measures inspected, personally or by a qualified third party, during normal business hours, provided the third party is not a competitor of the Contractor.

(2) The Client shall carry out inspections only to the extent necessary and shall take reasonable account of the Contractor's operating procedures. The Parties shall agree on the time and type of inspection in good time.

(3) The Client shall document the results of the inspection and notify the Contractor thereof. The Client shall inform the Contractor without delay of any errors or irregularities it discovers, in particular when reviewing processing results. If the inspection reveals facts whose future avoidance requires changes to the commissioned procedure, the Client shall inform the Contractor of the necessary procedural changes without delay.

(4) In order to carry out inspections pursuant to paragraph 1, the Client shall be entitled, at its own expense and after timely advance notice (as a rule at least two weeks), to enter the Contractor's business premises in which Client Data is processed during normal business hours (Monday to Friday, 10 a.m. to 6 p.m.), without disrupting business operations and subject to strict confidentiality regarding the Contractor's business and trade secrets.

(5) If the Client commissions a third party to carry out the inspection, the Client shall bind the third party in writing in the same way as the Client is bound to the Contractor under this section. In addition, the Client shall bind the third party to secrecy and confidentiality, unless the third party is subject to a professional duty of confidentiality. Upon request of the Contractor, the Client shall submit these undertakings by the third party to the Contractor without delay.

 

§ 8 Rights of data subjects

(1) The Contractor shall support the Client as far as possible, by suitable technical and organizational measures, in fulfilling the Client's obligations pursuant to Art. 12 to 22 and Art. 32 to 36 GDPR. It shall provide the Client with the requested information on Client Data without undue delay, unless the Client already has the relevant information itself.

(2) If a data subject asserts rights pursuant to Art. 16 to 18 GDPR, the Contractor shall be obliged to rectify, erase or restrict the processing of the Client Data without undue delay upon instruction of the Client.

(3) If a data subject asserts rights, such as the right of access, rectification or erasure with regard to their data, directly against the Contractor, the Contractor shall forward the request to the Client without delay and await the Client's instructions. The Contractor shall not contact the data subject without a corresponding individual instruction.

 

§ 9 Term and termination

(1) The term of this agreement shall correspond to the term of the Main Contract. If the Main Contract can be terminated by ordinary notice, the provisions on ordinary termination shall apply accordingly. In case of doubt, termination of the Main Contract shall also be deemed termination of this agreement, and termination of this agreement shall be deemed termination of the Main Contract.

(2) The Client shall be entitled to terminate this agreement extraordinarily for good cause at any time. Good cause shall be deemed to exist if the Contractor fails to comply with its obligations under this agreement, intentionally or grossly negligently violates provisions of the GDPR, or is unable or unwilling to carry out an instruction of the Client. In the case of simple violations - i.e. neither intentional nor grossly negligent - the Client shall first set the Contractor a reasonable deadline within which the Contractor can remedy the violation. After fruitless expiry of this period, the Client shall be entitled to extraordinary termination.

 

§ 10 Deletion and return after the end of the contract

(1) After termination of the Main Contract, the Contractor shall completely and irrevocably delete all documents and data provided to it, unless a statutory retention period applies. This shall also apply to copies of the Client Data held by the Contractor, such as data backups.

(2) The Parties shall be obliged to treat any data of which they become aware in connection with the Main Contract as confidential, including after the end of the Main Contract.

 

§ 11 Liability

(1) The liability of the Parties shall be governed by Art. 82 GDPR. Any liability of the Contractor towards the Client for breach of obligations under this agreement or the Main Contract shall remain unaffected.

(2) A Party shall be released from liability if it proves that it is not in any way responsible for the event giving rise to the damage suffered by a data subject. Section 11 (2) sentence 1 shall apply mutatis mutandis in the event of a fine imposed on a Party, whereby indemnification shall be owed to the extent that the respective other Party bears a share of the responsibility for the infringement sanctioned by the fine.

 

§ 12 Final provisions

(1) Amendments and supplements to this Agreement must be made in writing. This shall also apply to any waiver of this formal requirement.

(2) In case of doubt, the provisions of this agreement shall take precedence over those of the Main Contract. Should individual provisions of this agreement prove to be invalid or unenforceable in whole or in part, or become invalid or unenforceable as a result of changes in legislation after conclusion of the agreement, this shall not affect the validity of the remaining provisions. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that comes as close as possible to the meaning and purpose of the invalid provision.

(3) This agreement is governed by German law. The exclusive place of jurisdiction is Hamburg.

 


Annexes

Annex 1 - Specification of type, scope and purpose of data processing

The Contractor offers augmented reality solutions, including for the creation and processing of digital measurements and 3D models. To use the solutions, the Client sets up a digital user account with the Contractor, in which the Client manages the projects it in turn carries out for its own customers (e.g. the creation of a measurement). As a rule, the data typically generated in the course of the contractual relationship between the Client and the Contractor, as well as the data typically generated in the course of the projects between the Client and its customers, is stored in the user account. In particular, this involves business contact data (surname, first name, e-mail address) of the Client's employees and, where applicable, corresponding data of the Client's customers or third parties, since the Client can manage its projects (including image material) in its user account within a client (tenant) structure. The purpose of the data processing is to make the above-mentioned augmented reality solutions available.

 

Annex 2 - Description of the types of data and categories of data subjects

 

See the information in Annex 1

 

Annex 3 - Persons authorized to give and receive instructions

Contractor: Dennis Ahrens, Managing Director

Client: The first user who performed the registration on behalf of the Client.

 

Annex 4 - Technical and organizational measures of the Contractor (Art. 32 GDPR); see the TOM Checklist below

 

Annex 5 - Current subprocessors

Microsoft Cloud services (server location in the EU): cloud storage services; service provider: Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA; website: https://microsoft.com/de-de; privacy policy: https://privacy.microsoft.com/de-de/privacystatement; security information: https://www.microsoft.com/de-de/trustcenter

CRM system: service provider: HubSpot Germany GmbH, Am Postbahnhof 17, 10243 Berlin; website: https://www.hubspot.de/; privacy policy: https://legal.hubspot.com/de/privacy-policy; DPA: https://legal.hubspot.com/de/dpa

Invoicing system: service provider: SevDesk GmbH, Hauptstraße 115, 77652 Offenburg, Germany; privacy policy: https://sevdesk.de/sicherheit-datenschutz/#datenschutz

 

TOM Checklist (Annex 4 - Technical and organizational measures of the Contractor)

 

1. Physical access control (Zutrittskontrolle)

No. | Measure | Yes | No | Remarks
----|---------|-----|----|--------
1 | The entrances to the workplaces are sufficiently secured (lockable doors and windows). | X |  | Mobile Working Policy
2 | The premises are monitored (video surveillance, alarm system). |  | X | Mobile Working Policy
3 | There is a doorman/reception. |  | X | Mobile Working Policy
4 | There is an access control system (e.g. with chip cards). |  | X | Mobile Working Policy
5 | A list of key holders is kept. |  | X | Mobile Working Policy
6 | The issue of keys is acknowledged in writing. |  | X | Mobile Working Policy
7 | Individual offices are unlocked and locked at the start and end of the working day. |  | X | Mobile Working Policy
8 | There is a concept defining which employees have access to which areas of the company. |  | X | Mobile Working Policy
9 | Employees and other persons authorized to enter are easily recognizable from the outside (official clothing, visible ID cards). |  | X | Mobile Working Policy
10 | Visitors are documented. | X |  | Mobile Working Policy
11 | Publicly accessible areas (public zones) are clearly separated from the rest of the company. |  | X | Mobile Working Policy
12 | Cleaning staff are carefully selected and bound to confidentiality in the handling of data. |  | X | Mobile Working Policy
13 | Security guards are carefully selected and bound to confidentiality in the handling of data. |  | X | Mobile Working Policy
14 | The presence and absence of employees is recorded (time clock). |  | X | Mobile Working Policy
15 | Advice on burglary protection was obtained from the police or a specialized service provider and the results were evaluated. |  | X | Mobile Working Policy

2. System access control (Zugangskontrolle)

No. | Measure | Yes | No | Remarks
----|---------|-----|----|--------
1 | A firewall is used. | X |  | 
2 | A virus scanner is used. | X |  | 
3 | An intrusion detection system is in place. | X |  | 
4 | External access is via VPN. |  | X | 
5 | All computers are password protected. | X |  | 
6 | Each employee has their own user account. | X |  | 
7 | There are requirements for passwords (length, special characters, ...). | X |  | 
8 | There are requirements as to how often passwords must be changed. | X |  | 
9 | Incorrect password entries are logged. |  | X | 
10 | The logs of incorrect password entries are regularly evaluated. |  | X | 
11 | Access is blocked after a certain number of incorrect entries. | X |  | 
12 | After an incorrect entry, a new login attempt is only possible after a time delay. | X |  | 
13 | Two-factor authentication is used. | X |  | 
14 | Computers in sensitive areas have neither USB ports nor DVD/CD drives. |  | X | 
15 | Hard disks are encrypted. | X |  | 

3. Data access control (Zugriffskontrolle)

No. | Measure | Yes | No | Remarks
----|---------|-----|----|--------
1 | There is a concept of tiered access rights. | X |  | 
2 | Methods are used to detect unwanted data outflows. |  | X | 
3 | Penetration tests are carried out regularly. |  | X | 
4 | An inventory list of existing data carriers is maintained. | X |  | 
5 | Backup media are stored off-site. |  | X | 
6 | There are separate data carriers for each customer. |  | X | 
7 | The use of private data carriers is prohibited. | X |  | 
8 | Accesses and access attempts are logged. | X |  | 
9 | Logs of access attempts are retained and evaluated. | X |  | 
10 | Data carriers are completely wiped before use. | X |  | 
11 | Before equipment is passed on (e.g. sale of old equipment), existing data is completely erased. | X |  | 
12 | There is a concept for disposing of documents, including misprints and notes. | X |  | 
13 | Data carriers are properly destroyed. | X |  | 
14 | Compliance with the disposal concept is regularly monitored. | X |  | 
15 | The use of private devices for business purposes is prohibited. |  | X | 
16 | There is a security concept for work performed by employees on PCs and mobile devices at home or while travelling. |  | X | 
17 | Administrator rights are assigned to the smallest possible group of people. | X |  | 
18 | In multi-person offices, employees who regularly process sensitive data have a privacy screen. |  | X | 
19 | Sensitive data on paper is stored in lockable cabinets. | X |  | 

4. Transfer control (Weitergabekontrolle)

No. | Measure | Yes | No | Remarks
----|---------|-----|----|--------
1 | It is specified who may issue and receive data carriers. | X |  | 
2 | The handover of data carriers and the persons involved are logged. | X |  | 
3 | When data carriers are returned, their completeness is checked and recorded. | X |  | 
4 | There are specifications as to which persons may be used as couriers. | X |  | 
5 | Encrypted connections (HTTPS, SFTP, ...) are provided. | X |  | 
6 | E-mails are encrypted. |  | X | 
7 | Employees are instructed to anonymize or pseudonymize data before passing it on, where possible. | X |  | 

5. Input control (Eingabekontrolle)

No. | Measure | Yes | No | Remarks
----|---------|-----|----|--------
1 | Data input is logged. |  | X | 
2 | It is logged who entered the data. |  | X | 
3 | The time of an input is logged. | X |  | 
4 | Changes are logged against the previous state. | X |  | 
5 | Entered data is checked for plausibility. | X |  | 
6 | Documents that have been entered are stamped. |  | X | 

6. Commissioning control (Auftragskontrolle)

No. | Measure | Yes | No | Remarks
----|---------|-----|----|--------
1 | (Sub-)contractors are carefully selected according to fixed criteria. | X |  | 
2 | Subcontractors of (sub-)contractors are also checked. | X |  | 
3 | Written contracts are concluded for processing on behalf of a controller. | X |  | 
4 | Responsibilities and competences with regard to subcontractors are clearly defined. | X |  | 
5 | Work results of (sub-)contractors are regularly checked. | X |  | 
6 | The technical and organizational measures of the (sub-)contractor are reviewed before the start of the commission and at regular intervals. | X |  | 
7 | Instructions to the (sub-)contractor are documented. | X |  | 

 

7. Availability control (Verfügbarkeitskontrolle)

No. | Measure | Yes | No | Remarks
----|---------|-----|----|--------
1 | Smoke detectors are installed. | X |  | 
2 | Fire extinguishers are available. | X |  | 
3 | There is an uninterruptible power supply. | X |  | 
4 | Backups are made regularly. | X |  | 
5 | Backup media are encrypted. | X |  | 
6 | There is an emergency plan (e.g. according to BSI IT-Grundschutz). | X |  | 
7 | It is regularly checked whether the system can be restored from backups. | X |  | 
8 | Stress tests are carried out regularly. | X |  | 
9 | Additional servers are brought online under high load. | X |  | 
10 | Temperature and humidity in the server rooms are monitored. | X |  | 
11 | The server room is under video surveillance. | X |  | 

Additions/explanations:

The statements apply to the Logistic Hub Hamburg and the company headquarters. The servers are provided from the cloud.

 

8. Separation control (Trennungskontrolle)

No. | Measure | Yes | No | Remarks
----|---------|-----|----|--------
1 | Data belonging to the special categories of personal data is specially protected. | X |  | 
2 | Data collected for different contractual purposes can be processed, transmitted and deleted separately. | X |  | 
3 | There is a system that allows access to records only for the respective contractual purpose (multi-tenancy). | X |  | 
4 | Only anonymized data is used for software tests and simulations. | X |  | 
5 | Production and test environments are separate. | X |  | 
6 | Systems and databases are physically separated from each other. | X |  | 

 

9. Organizational control (Organisationskontrolle)

No. | Measure | Yes | No | Remarks
----|---------|-----|----|--------
1 | There is a security policy issued by company management. | X |  | 
2 | There are security guidelines for implementing the security policy. | X |  | 
3 | Documents and instructions on IT security and data protection are stored centrally and are freely accessible to employees during working hours. | X |  | 
4 | There is an (internal or external) data protection officer. | X |  | 
5 | There is an (internal or external) IT security officer. | X |  | 
6 | Employees are regularly trained on security-related topics. | X |  | 
7 | Compliance with security-relevant instructions is continuously checked; in the event of violations, warnings are issued or measures under employment law are taken. | X |  | 
8 | There are established processes for dealing with data protection incidents and requests from data subjects. | X |  | 
9 | Technical facilities for IT security are regularly maintained and updated. | X |  | 
10 | There is a concept for monitoring deletion periods. | X |  | 
11 | No more data is collected than required (privacy-friendly default settings). | X |  | 
12 | The information obligations under Art. 13 and 14 GDPR are fulfilled. | X |  | 