Data protection agreement

Agreement on commissioned data processing pursuant to Art. 28 GDPR

This Commissioned Data Processing Agreement governs the processing of data by Lywand in accordance with the EU General Data Protection Regulation. It is an agreement between Lywand Software GmbH, located in Austria, Josefstrasse 46a/6, A-3100 St. Pölten ("Contractor") and you or the company you represent ("Client"). In these license terms, "we", "us" or "our" means Lywand and its affiliates.

Principal and Contractor are hereinafter collectively referred to as the "Parties". This Agreement is hereinafter referred to as the "Agreement".

1. Preamble

1.1 The EU General Data Protection Regulation (GDPR) has been applicable since 25 May 2018. The associated regulatory obligations regarding the relationship between the Controller and the Processor are fulfilled with this Agreement.

1.2 The Contracting Parties agree that with regard to the data processing on which this Agreement is based, the Principal shall be deemed to be the Controller (pursuant to Art. 4 No. 7 of the GDPR) and the Contractor shall be deemed to be the Processor (pursuant to Art. 4 No. 8 of the GDPR).

1.3 In the event of future assignments or contractual relationships, the contracting parties may make the present agreement part of the contract.

 

2. Subject of the agreement

2.1 The subject of the Order is the performance of the following tasks by the Contractor for the Client: 

Activity and purpose of data processing

  1. Provision of the Lywand portal

  2. Communication via e-mail within the scope of the function of the Lywand portal

  3. Communication via e-mail within the scope of the license agreement

  4. License management and invoicing

The more detailed description of services is based on the main contract, in particular as listed and described in the contractor's offer.

2.2 In the process - especially when importing and maintaining the data stock - the following categories of data may be processed by the following categories of data subjects:

| No. | Affected category | Data categories |
|-----|-------------------|-----------------|
| 1   | Customer          | Contact details |
| 2   | Customer          | Billing data    |
| 3   | Customer          | Contract data   |

 

3. Duration of the agreement

3.1 If the Agreement is used as a supplement to a specific Agreement (cf. Section 1.3.) and the latter contains separate provisions on the term and termination modalities, the term and termination modalities of this Agreement shall also be governed by the provisions of the latter. Otherwise the following shall apply:

3.2 The present Agreement shall be concluded for an indefinite period of time. Both contracting parties shall be entitled to terminate this Agreement by giving 4 months' notice to the end of each calendar year.

3.3 In addition, each Party shall be entitled to terminate the present Agreement with immediate effect without observing notice periods or dates in the event of good cause. Such good cause shall be deemed to exist, for example, if

  • an underlying agreement has been terminated;

  • insolvency proceedings should be instituted against the assets of the other contracting party or should such proceedings not be instituted for lack of cost recovery;

  • the respective other contracting party should prove to be unsuitable for the performance of the agreed obligations of this agreement.

Notwithstanding any termination, the confidentiality obligations shall continue to have unlimited effect even after termination of the agreement.

 

4. Duties of the contractor

4.1. Bound by instructions

The Contractor undertakes to process data and processing results exclusively within the scope of the Customer's written orders. If the Contractor receives an official order to release data of the Customer, the Contractor shall - to the extent permitted by law - immediately inform the Customer thereof and refer the authority to the Customer. Similarly, any processing of the data for the Contractor's own purposes shall require a written order.

The Contractor shall inform the Customer without undue delay if it is of the opinion that an instruction of the Customer violates data protection provisions of the Union or the Member States.

Unauthorized third-party installations on devices of the Customer or data downloads from devices of the Customer via USB sticks and laptops are strictly prohibited. Photographs of employees, of devices or other equipment of the client are expressly prohibited. USB sticks, laptops, cell phones, and photo cameras or other devices for downloading and external data storage in the possession of the Contractor shall fall under the full responsibility and liability of the Contractor.

The Contractor is informed that for the present data processing it has to establish a processing directory with all categories of activities carried out on behalf of the Client in accordance with Art. 30 GDPR.

 

4.2. Secrecy and confidentiality obligation

The Contractor declares in a legally binding manner that it has obligated all persons entrusted with the data processing to maintain confidentiality prior to commencement of the activity or that they are subject to appropriate statutory confidentiality obligations.

The confidentiality obligation shall not apply to information which was already known to this contracting party or to the general public at the time it was obtained by one of the contracting parties or which later became known to this party without any action or breach of contract on its part. Furthermore, the obligations shall not apply vis-à-vis authorities or courts, unless there is a statutory right to refuse to testify. 

The confidentiality obligation of the persons entrusted with data processing shall remain in force even after termination of their activity and leaving the Contractor.

 

4.3. Technical and organizational measures

The Processor declares in a legally binding manner that it has taken all necessary measures to ensure the security of the Processing pursuant to Art. 32 of the GDPR (i.e. for the confidentiality, integrity, availability and resilience of the data as well as procedures for regular review, assessment and evaluation, as well as procedures for pseudonymization and encryption), furthermore, the implementation of data security measures (privacy by design and privacy by default), the appointment of a data protection officer and the naming of the same vis-à-vis the Customer, if the appointment is required of the Processor under the GDPR, the performance of a risk analysis of the data applications, if this is required of the Processor under the GDPR.

The Contractor further declares in a legally binding manner that the level of protection during data processing also covers risks that could unlawfully or unintentionally lead to loss, destruction, modification or unauthorized disclosure of or access to personal data stored or processed. 

With its signature, the Contractor hereby provides the Client with sufficient guarantee that appropriate technical and organizational measures will be implemented in such a way that the processing will be carried out in accordance with the requirements pursuant to Art 28 (1) of the GDPR and will ensure the protection of the rights of the data subjects.

Overall, the measures to be taken are data security measures intended to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. The state of the art, the implementation costs and the type, scope and purposes as well as the risk of the processing must be taken into account.

 

4.4. Support of the client with regard to the data subject rights

The Contractor shall take the technical and organizational measures to ensure that the Client can fulfill the rights of the data subject under Chapter III of the GDPR (information, access, correction and deletion, data portability, objection, as well as automated decision-making in individual cases) at any time within the statutory time limits and shall provide the Client with all information necessary for this purpose. If a corresponding request is directed to the Contractor and the Contractor indicates that the Applicant mistakenly believes it to be the client of the data application operated by it, the Contractor shall forward the request to the Client without undue delay and notify the Applicant accordingly.

 

4.5. Support of the client with the duties according to Art 32 to 36

The Contractor shall support the Client in complying with the obligations set forth in Art 32 to 36 GDPR (data security measures, notifications of personal data breaches to the supervisory authority, notification of the person affected by a personal data breach, data protection impact assessment, prior consultation).

In particular, a data breach of data of the Customer via devices or employees of the Contractor must be reported to the Customer immediately; the legal and financial consequences of such a data breach shall be borne entirely by the Contractor.

 

4.6. Obligation to delete

The Contractor is obliged to hand over all processing results and documents containing data to the Customer after termination of this Agreement. If the Contractor processes the data in a special technical format, it shall be obliged to hand over the data after the termination of this Agreement either in this format or, at the request of the Customer, in the format in which it received the data from the Customer or in another common format. Data contained in storage media in devices or parts of devices which are exchanged or replaced by the Contractor as part of maintenance shall be demonstrably destroyed by the Contractor.

 

5. Place of data processing

5.1 All data processing activities of the Contractor shall - subject to the following provisions - be carried out exclusively within the EEA.

5.2 Transfers of personal data to a third country and processing activities carried out in third countries shall only be permissible if there is a valid adequacy decision of the Commission for this third country within the meaning of Article 45 (3) of the GDPR. If no such decision of the Commission exists, the Contractor shall provide other suitable guarantees for an adequate level of data protection, including the effective enforceability of the rights of the data subjects in accordance with the GDPR. For this purpose, the Contractor shall have all the possibilities of Art. 46 (2) and (3) of the GDPR at its disposal, whereby it shall be the Contractor's sole obligation to ensure the effectiveness of the possibilities used and, if necessary, to obtain the approval of the supervisory authority.

 

6. Subcontracting

6.1 Subcontracting relationships within the meaning of this provision shall be understood to be those services which relate directly to the provision of the main service. Subcontracting relationships within the meaning of this provision shall not include services which the Contractor uses from third parties as ancillary services to support the performance of the order. This includes, for example, ancillary services which the Contractor uses, e.g. as telecommunications services, pure hosting services, postal/transport services, maintenance and user service or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems.

6.2 The contracting parties may use order processors to carry out order processing. The use of such processors for the purpose of processing personal data shall only be permitted with the prior express written or documented consent of the contractual partner. For the use of cloud services for the processing and management of customer information in the CRM (company, telephone, e-mail, name) and for the execution of communication with partners and customers (via Office 365) as well as for the data processing of the application itself (Amazon Web Services EMEA SARL, Frankfurt location), the Customer already now gives its consent.

6.3 However, the Contractor shall be obligated to enter into appropriate and legally compliant agreements as well as control measures to ensure data protection and data security of the Client's data, even in the case of outsourced ancillary services.

 

7. Control rights of the client

7.1 With regard to the processing of the data provided by the Customer, the Customer shall be granted the right to inspect and control the Contractor's data processing facilities at any time, either by the Contractor itself or by professionally suitable third parties commissioned by it.

7.2 The Contractor undertakes to make available to the Customer such information as is necessary to monitor compliance with the obligations set forth in this Agreement with regard to the data provided. The Contractor shall not be entitled to claim any remuneration for enabling controls by the Client.

8. Liability

8.1 The Contractor acknowledges that data subjects, in addition to available administrative or extrajudicial remedies, also have the right to an effective judicial remedy against the Contractor in the event of an infringement by the Contractor. They may sue for material or non-material damage, and any party involved in a processing operation shall be liable for the damage caused by unlawful processing. Liability shall not apply if the lack of responsibility for the circumstance that caused the damage can be proven.

8.2 If more than one Contractor or more than one Client or both the Contractor and the Client are responsible for a damage, each Contractor and each Client shall be liable for the entire damage. In the event of non-compliance by the Contractor with the contractual agreements on the protection of the rights of the data subjects and/or compliance with the requirements of the General Data Protection Regulation and/or compliance with data security and any resulting damage to the Client, the Client may indemnify and hold harmless the Contractor.

8.3 Without prejudice to Articles 82, 83 and 84 of the GDPR, a Contractor who determines the purposes and means of the Processing in breach of the GDPR shall be deemed to be the controller pursuant to Article 28(10) of the GDPR with respect to such Processing.

 

9. Final provisions

9.1 Should one or more provisions contained in this Agreement be void or ineffective or lose their effect due to subsequent circumstances or should there be a contractual loophole mutually determined by the contracting parties, this shall not affect the validity of the remaining provisions. In this case, the contracting parties undertake to effectively supplement the agreement with a provision corresponding to the legal and economic purpose of the invalid or incomplete contractual provisions.

9.2 This agreement shall be governed exclusively by the substantive law of the Republic of Austria, excluding the conflict of laws provisions and the UN Convention on Contracts for the International Sale of Goods. This shall also apply to the question of the formation of this Agreement as well as to the legal consequences of its after-effects.

9.3 The contracting parties shall endeavor to settle any disputes arising from or concerning the implementation of this Agreement amicably. If an amicable settlement cannot be reached, it is agreed that the competent court in St. Pölten shall have jurisdiction over all disputes arising from or in connection with this present agreement or its validity.