Contract on the processing of personal data under joint responsibility of the parties pursuant to Art. 26 DS-GVO
§ 1 Concretization of data processing
(1) This contract regulates the joint data processing by BestEffect GmbH, Euro Center, Wörthstraße 13-15, 97082 Würzburg (hereinafter: "BestEffect") and the Partner.
(3) The respective purposes, means and scope of the data processing as well as the type of data processed and the categories of data subjects are conclusively defined in Annex 1. The categories of data subjects, the type of personal data and the means and purposes of the data processing have been and will be determined by BestEffect.
§ 2 Division of responsibilities and accountability in data processing
(1) BestEffect is responsible for the data processing in the scope of application according to § 1 para. 1.
§ 3 Information requirements
(1) The information obligations according to Articles 13 and 14 DS-GVO are fulfilled by BestEffect.
§ 4 Exercise of other rights of the data subject
§ 5 Data security
(1) The Parties shall implement the technical and organizational measures specified in Annex 2 which are suitable and necessary in accordance with Articles 32 and 25 of the GDPR to ensure a level of protection appropriate to the risk to the rights and freedoms of the data subjects and to comply with the data protection principles.
(3) If the measures implemented in accordance with Annex 2 prove to be no longer sufficient or if technical progress or legal changes make further measures necessary, the parties shall inform each other of this without delay and coordinate with regard to further measures. The implementation of further measures shall require the written consent of both parties and shall be documented accordingly.
§ 6 Procedure in the event of data protection breaches/communication with supervisory authorities
(1) BestEffect is responsible for the examination and handling of all breaches of the protection of personal data, including the fulfillment of any resulting notification obligations towards the competent supervisory authority (Article 33 DS-GVO) or the data subjects (Article 34 DS-GVO).
(3) Notwithstanding the allocation of responsibilities pursuant to Section 6 (1) of this Agreement, the Parties shall notify the other Party without undue delay if a supervisory authority approaches them in connection with this Agreement. The Parties agree that they will in principle comply with the requests of competent supervisory authorities, in particular with regard to inquiries and the provision of information.
§ 7 Other duties
(1) The parties will oblige all persons involved in the data processing in writing to maintain confidentiality with regard to the data.
§ 8 Involvement of processors
(1) The Parties may only engage Processors within the meaning of Art. 4 No. 8 of the GDPR for Processing Activities under this Agreement for the tasks assigned to them under this Agreement and only with the prior written consent of the other Party.
(3) In addition, the Party willing to commission the Processor shall confirm to the other Party in writing and by submitting appropriate documentation of the results that it has carefully selected the Processor, taking particular account of its suitability, and has satisfied itself of compliance with the technical and organizational measures taken by the Processor.
(5) The parties shall account to each other at regular intervals about the level of data protection in the commissioned processing. If circumstances become known which indicate a data protection breach, this shall be reported to the other party without delay.
§ 9 Liability
(1) The parties shall be liable to the data subjects in accordance with Art. 82 GDPR.
§ 10 Final provisions
(1) The provisions of the main contract shall apply to the term and termination of the contract. In the event of contradictions between this Agreement and the main Agreement, the provisions of this Agreement shall prevail.
Annex 1: Purposes, means and scope of the data processing, as well as the type of data processed and the categories of data subjects
Purposes:
- Presentation of the company to the outside world
- Initiation and processing of orders or other contracts
Type of data/categories of data subjects:
- Personal data (name, birthday, legal representative)
- Contact details (address, e-mail address, contact person)
- Financial data (name of the account holder, IBAN, BIC)
- Contract data (contract duration, purchased services, cancellations)
Annex 2: Technical and organizational measures
I. Access control (premises)
Access to buildings, offices or other rooms equipped with IT systems, in particular data centers for the operation of databases, storage systems or web servers, must be controlled. This also includes rooms equipped with employees' workstations and rooms with network components or cabling.
A. Premises where there is an increased risk of data breaches due to a high concentration of data processing or other use of personal data shall be identified as secure areas.
B. The areas identified must be protected against unauthorized access by third parties by means of technical and organizational measures, such as locking systems, a gatekeeper, burglar alarm systems, turnstiles including a chip card system, separation systems or similar. The records obtained via access control must be kept for a period of at least three months for re-inspection. To prevent misuse, the records must be evaluated at regular intervals.
C. Access without authorization must always be denied. General access criteria must be defined on the basis of authorization groups. In addition, the designated security areas may only be made accessible in accordance with the "principle of minimum authorization". Keys or other means of access must be distributed individually for each person, with the possibility of passing them on to third parties being ruled out. The attention of authorized persons must be drawn to this.
E. Application for, approval of, and issuance of access authorization shall be recorded in general procedures, as shall general administration and eventual withdrawal. Compliance with these specifications must be ensured. This also includes a procedure for blocking authorizations. If an access authorization holder resigns, changes his or her area of assignment or leaves the company, he or she must be denied access to all areas or to those areas relevant to his or her previous activities as quickly as possible. Persons responsible for monitoring the security areas must be informed of these changes.
F. Persons from outside the company are only granted access in accordance with the regulations provided for this purpose. At a minimum, these regulations must require that non-facility personnel be able to show proof of their identity upon request, for example in the form of a special ID card for guests or suppliers. When issuing these IDs, the name and origin (client, business or private address) must be noted. Employees of the responsible party are occasionally required to check the legitimacy of the external party. If this appears necessary for security reasons, external persons must be accompanied during their activities.
G. Guarding of the above-mentioned buildings or premises must also be ensured during the time when operations are not in progress.
II. Access control (data processing systems)
A. The data processing systems may only be made accessible after prior identification and authentication of the respective persons. This requires state-of-the-art controls (for example user identification with password checks, or chip cards with a PIN that is queried). If more stringent authentication is necessary due to the need to protect the data, this can be achieved either by combining several elements (e.g., physical card with cognitive PIN; one-time-use TAN with permanent user password, etc.) or by means of a unique characteristic of the authorized person (e.g., biometric features).
B. Provided that a special need for protection as described above does not exist, minimum requirements must nevertheless apply to authentication. These include a minimum password length, enforced by default settings. Such passwords must consist of at least 8 characters and contain three of the following four character classes: lowercase letters (abcde...), uppercase letters (ABCDE...), digits (1,2,3,4...) and special characters (!,",§,$,%...). Thematic or otherwise easily guessable password variants are not allowed. During input, the password must not be visible on the screen in so-called "plain text". There is no obligation to change passwords on a regular basis. However, if it cannot be ruled out that passwords were accessed as part of an attack on the system, all passwords that may have been affected must be changed immediately. Any replacement passwords issued in the meantime shall be replaced as soon as possible. Initial passwords must be securely transmitted to the recipients, who must replace them with passwords of their own after first use.
C. Access attempts: Attempts to gain access, whether successful or not, must be recorded with details of the access data used, the data processing system used and the IP address. This data must be kept for 6 months and regularly rechecked on a random basis to prevent misuse.
D. Access data must not be passed on unsecured via the network. Passwords must not be left in the memory of the data processing system or in its immediate environment (e.g. form entries in the browser, password tables in system memory, notes at the workstation).
E. If authentication is attempted several times without success, the respective access must be blocked. A procedure must be set up and used to reset the identifier or reactivate the access. If an access has not been active for more than 180 days, it must also be blocked automatically by technical means.
F. In accordance with the principle of minimum authorization, access to data processing systems must be limited to those areas that are required to perform the respective tasks or functions of the authorized persons. If persons are only to be given temporary access to data processing systems (e.g., in the course of internships, training or consulting activities), these accesses must be assigned individually per person and the respective identifier may not be reused after the end of the activity (intern 1, intern 2, etc.).
G. Procedures are set up and used for requesting, approving, granting and withdrawing access to data processing systems and the associated physical authentication means. The extent of access granted always depends on the respective area of responsibility for which access to data processing systems is required. Accesses, including authentication means, are assigned separately for each person with an individual access combination. In addition, accesses may not be passed on to third parties, and the authorized persons must be made explicitly aware of this.
H. Users shall be effectively instructed to lock data processing systems (in particular PC workstations) even if they are left for a short time, whereby at least the entry of a password must be required for reactivation. The data processing systems must be configured so that after no more than five minutes of inactivity by the user, the system is automatically locked and the password must be entered.
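The password, logging and blocking rules of II.B, II.C and II.E above, written out as a small executable policy in Python. This is an added example, not part of the contract or of BestEffect's systems; the failed-attempt threshold of 5 and the reading of "6 months" as 183 days are assumptions the contract does not fix, and the account names, system name and IP addresses in the scenario are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

MIN_PASSWORD_LENGTH = 8                  # II.B
MIN_CHARACTER_CLASSES = 3                # II.B: three of the four classes
INACTIVITY_LIMIT = timedelta(days=180)   # II.E: automatic block after 180 idle days
LOG_RETENTION = timedelta(days=183)      # II.C: "6 months"; 183 days is an assumption
MAX_FAILED_ATTEMPTS = 5                  # II.E says "several times"; 5 is an assumption


def password_meets_policy(password: str) -> bool:
    """II.B: at least 8 characters and three of: lowercase, uppercase, digit, special."""
    if len(password) < MIN_PASSWORD_LENGTH:
        return False
    classes = (any(c.islower() for c in password), any(c.isupper() for c in password),
               any(c.isdigit() for c in password),
               any(not c.isalnum() and not c.isspace() for c in password))  # !,",§,$,% ...
    return sum(classes) >= MIN_CHARACTER_CLASSES


@dataclass
class AccessAttempt:          # II.C: what is recorded for every attempt
    at: datetime
    user_id: str
    system: str
    ip_address: str
    granted: bool


@dataclass
class Account:
    user_id: str
    last_activity: datetime
    failed_attempts: int = 0
    blocked: bool = False


class AccessControl:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}
        self.attempt_log: list[AccessAttempt] = []

    def register(self, user_id: str, now: datetime) -> None:
        self.accounts[user_id] = Account(user_id, now)

    def attempt(self, user_id: str, system: str, ip_address: str,
                credentials_valid: bool, now: datetime) -> bool:
        """One login attempt; True only if access is granted. Logged either way (II.C)."""
        account = self.accounts.get(user_id)
        granted = False
        if account is not None and not account.blocked:
            if now - account.last_activity > INACTIVITY_LIMIT:
                account.blocked = True          # II.E: idle for more than 180 days
            elif credentials_valid:
                account.failed_attempts = 0
                account.last_activity = now
                granted = True
            else:
                account.failed_attempts += 1
                if account.failed_attempts >= MAX_FAILED_ATTEMPTS:
                    account.blocked = True      # II.E: repeated failed authentication
        self.attempt_log.append(AccessAttempt(now, user_id, system, ip_address, granted))
        return granted

    def reactivate(self, user_id: str, now: datetime) -> None:
        """II.E: the separate procedure that resets the identifier or reactivates access."""
        account = self.accounts[user_id]
        account.blocked = False
        account.failed_attempts = 0
        account.last_activity = now

    def purge_log(self, now: datetime) -> int:
        """II.C: drop entries older than the retention period; returns the number dropped."""
        kept = [a for a in self.attempt_log if now - a.at <= LOG_RETENTION]
        dropped = len(self.attempt_log) - len(kept)
        self.attempt_log = kept
        return dropped


def demo() -> dict:
    """Constructed scenario (not from the contract): lockout, reset, inactivity, retention."""
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    ac = AccessControl()
    ac.register("alice", t0)
    ac.register("bob", t0)
    for i in range(MAX_FAILED_ATTEMPTS):                       # bob: five wrong passwords
        ac.attempt("bob", "crm-db", "198.51.100.7", False, t0 + timedelta(minutes=i))
    bob_blocked = ac.accounts["bob"].blocked
    bob_while_blocked = ac.attempt("bob", "crm-db", "198.51.100.7", True, t0 + timedelta(minutes=9))
    ac.reactivate("bob", t0 + timedelta(hours=2))
    bob_after_reset = ac.attempt("bob", "crm-db", "198.51.100.7", True, t0 + timedelta(hours=3))
    alice_first = ac.attempt("alice", "crm-db", "203.0.113.5", True, t0 + timedelta(hours=1))
    alice_idle = ac.attempt("alice", "crm-db", "203.0.113.5", True, t0 + timedelta(days=200))
    logged = len(ac.attempt_log)
    dropped = ac.purge_log(t0 + timedelta(days=400))           # well past 6 months: all go
    return {"bob_blocked": bob_blocked, "bob_while_blocked": bob_while_blocked,
            "bob_after_reset": bob_after_reset, "alice_first": alice_first,
            "alice_idle": alice_idle, "logged": logged, "dropped": dropped}
```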
III. Access control (data)
Those authorized to access the respective data processing systems must only be permitted to access the data that is necessary for them. The aim of the control is to ensure that personal data cannot be read, copied, modified or deleted without authorization.
A. A procedure must be set up that regulates the authorizations of users and administrators so that access to data in the system is only possible to the extent that the respective users need it to perform their tasks. The scope follows from the division of tasks and functions. A process for creating, changing and removing authorizations must also be created. It must be possible to show clearly which task owners are responsible for the administration of the system and which user groups can perform individual actions in the system.
B. Where system access is granted, it must be linked to a corresponding data access authorization. This can be done in particular by naming predefined roles in the system. Users may only use programs and the associated data on which they depend for their specific job or the processes required for it and for which they are individually authorized by their role. If data from several sources, in particular several clients, are stored in the system or accessible from data processing systems, (logical) restrictions must be set up so that access is granted only to the client being processed. In addition, processing must be reduced to the minimum necessary. With regard to granting access to data, the principle of minimum authorization also applies. Access may only be granted to a scope of data that is indispensable for the fulfillment of tasks or functions. Access must also be limited in terms of time, provided that there is no loss of quality.
C. Access authorizations: A procedure is introduced for the application, approval, allocation and withdrawal of access authorizations, which also regulates, among other things, how these processes can be controlled. The granting and withdrawal of authorizations and the assignment to role groups must be regulated separately. The IT system's rights management then ensures that access rights are implemented. Since authorizations are each tied to a single person with an individual user ID or account, the use of group IDs or group passwords is not possible. According to the need-to-know principle, access rights are to be assigned by distributing authorizations or assigning user roles only insofar as this is necessary for the task to be accomplished. If a previously authorized person leaves the company or a specific area of activity, the access authorizations for all data processing systems and storage systems, or for those that fall within the area no longer being processed, are immediately revoked. All affected departments must also be informed of any changes (esp. authorization management). This data must be retained for 6 months.
D. The accumulation of roles and, linked to this, the accumulation of functions must be counteracted. It must be prevented that several roles of the access system are combined in one person and thus an individual obtains access possibilities which, taken together, result in a too powerful role, which in turn can endanger effective control. For example: an application user simultaneously acts as the administrator of the database system and misuses this position in the course of transactions, or can access data beyond his authorization. In particular, administration of the logging of access to personal data must not coincide with an application user role, due to the possible conflict of interest and the risk of unauthorized access.
E. A record must be made of all read, input, change and delete actions, from which at least the respective system user and the corresponding transaction can be identified. The recorded data must be stored in an audit-proof manner for 3 months, unless otherwise agreed. Random checks and, if there is reason to do so, evaluations must be carried out by means of suitable processes coordinated with data protection.
IV. Transfer control
A. Recording of the transfer of personal data, whether by an IT or NT system, must be ensured. The extent of recording is determined on the basis of the reasonableness of the effort involved, as well as between whom and how the data is sent. This shall be used to determine whether the transmission is documented in full or only on the basis of indicators (such as type of data; sender; recipient). The recorded data must be stored in an audit-proof manner for 3 months, unless other periods have been defined. Random checks and, if there is reason to do so, evaluations must be carried out by means of suitable processes coordinated with data protection. Abroad, the collection or processing of data is only possible after obtaining the client's approval in writing.
B. Since personal data is mainly transmitted in networks, the security of transmissions and protection against unauthorized copying or modification must be enhanced by authentication, encryption and an appropriate network architecture. These measures must always be based on the state of the art. State-of-the-art encryption must be used between client and server in the course of data transmissions, for example by encrypting the transmission path. Encryption must always be used when personal data is transported to a third-party system. Upon request, the Customer shall be provided with information about the type of encryption.
C. It must be checked separately how a transfer of personal data within the backend between individual systems can be secured against unauthorized access. If the transfer takes place within the same data center and the administration of the network infrastructure cannot access transferred data, encryption is not required for the exchange of data with normal, non-enhanced protection requirements. However, if the transfer takes place over longer distances, especially between different data centers, encryption must always be used.
D. To increase security, logical access to the system must be reduced to a minimum. In particular, communication relationships must be reduced to the bare minimum and monitored. IT systems must be separated by network segments to protect them from unauthorized access when transferring personal data in the network. These can be set up using switches or routers. The purpose of these segments is to ensure that data packets reach or leave the IT systems exclusively via interfaces at which the transfer of data can be checked. At the very least, segmentation between the front-end and back-end systems is required. Further subdivision in the backend is also strongly recommended to increase the security level.
E. In order to counteract the risk of unauthorized access or data flows, whether from the company's own network or from a third-party network, state-of-the-art devices must be installed, in particular firewalls on IT/NT systems. These firewalls must be kept in an active state at all times, regardless of whether they are operated on the hardware, the network or host-based. It must be ensured that it is not possible for the users of the systems to deactivate or bypass them. If communication relationships have not been active for some time, they must be automatically blocked if they are not currently required for tasks. To effectively counter potential intrusion points for unauthorized access, the backend systems must be hardened to protect personal data in accordance with the state of the art.
F. A record of all interfaces to other information-processing (IV) procedures must be kept, including the following information: types of personal data; direction of data transmission (received / sent); purpose of transmission; export destination of data (IV procedure or interface); authentication procedure of the interface; transmission protection (e.g. encryption). In particular, import and export interfaces from and to files must be documented, as well as their technical and organizational protection during use. Data migrations must also be recorded as interfaces.
G. Ensure that each IT/NT system has an assignable and traceable identifier, so that personal data cannot be received by unauthorized systems posing as a substitute, in particular by merely faking their authorization.
H. Secure data storage facilities for personal data with a high level of protection must be set up. These and the corresponding backups must be encrypted.
I. If temporary caches are present (especially browser caches or TEMP folders in the operating system), they must be set up so that they are automatically deleted either immediately after closing or before the application or operating system is executed again. The same applies to any screen data or browser cookies, which must be deleted at least every 24 hours.
J. It must be prevented that access to customer data located on local temporary storage devices or databases of the customer takes place for an objective or application not approved by the customer. If possible, this must also be ensured technically.
K. With regard to the frequent loss of mobile data carriers, their use must be avoided. If it is nevertheless necessary, the scope of use must be defined and technical encryption of the personal data must be ensured. As soon as the data is no longer required for processing, it must be deleted from the mobile data medium without delay. In addition, mobile data carriers must be protected against possible loss, including by criminal means (lockable containers, cable locks, etc.).
L. Qualified management of the mobile data carriers shall ensure that a log is kept of their number, the scope of tasks and the processing of personal data carried out in each case. In addition, care must be taken to ensure safekeeping until destruction, and the general inventory must be checked. The necessary safeguarding of the storage in a monitored area shall be ensured. If the fulfillment of tasks makes this necessary, security cabinets are to be used for secure storage (e.g., data safes). Any duplication made must be recorded and stored in an audit-proof manner for up to 3 months after completion of the task.
M. Procedures on packaging and shipping in the course of a transport of personal data via mobile data carriers shall be established. The security requirements of the data being sent must be taken into account. In any case, personal data must be encrypted before being sent. In addition, persons who are authorized to send personal data shall be designated. The dispatch is always prepared and documented by two persons together. If shipping companies are used, they must first be approved by the client. Exceedingly large amounts of personal data, in the sense of more than 250,000 data records, must be tracked in the course of transport. In general, the handover to the transport company must be recorded. After the shipment has been carried out, the data sets must be checked for completeness and integrity.
N. For data carriers that contain personal data, or information carriers in paper form, a procedure must be set up that records their collection, disposal and destruction or deletion. This procedure contains explicit instructions on how secure collection is to be set up and how internal holding, storage, transport and destruction are to be carried out. With regard to deletion, rapid measures are to be taken, if possible at the workplace itself, so that there is no further intermediate storage, which in turn reduces the group of people coming into contact with the data and thus the risk of unauthorized access. Employees should be made familiar with the above procedure as emphatically as possible.
O. Compliant deletion and its recording: If data carriers have not been encrypted but are still intended for internal use or are to be transferred to a third party, they must first be deleted in accordance with data protection requirements. Formatting alone is not a sufficient means of doing this. Alternative procedures for the complete deletion of the data carriers must be used, which make it impossible to recover the deleted data or only possible under the most difficult circumstances. If personal data or data carriers containing such data are permanently deleted in accordance with the above rules, this must be recorded and kept available for review for a period of at least 3 months.
V. Input control
A. Logging: Entries in data processing systems may only be made by persons authorized to do so. It must be recorded who is authorized to make entries and who bears responsibility. All entries into the systems must be recorded and kept in an audit-proof manner for up to 3 months.
VI. Order control
A. In order to enable the Client to issue instructions, the persons designated to receive or implement such instructions on the part of the Contractor shall be specified and, if necessary, illustrated on the basis of the Contractor's hierarchy of responsibilities. Before the start of the order or in case of changes on the part of the Contractor, the Customer shall be informed of the (new) person authorized to receive such instructions. The person designated by the Contractor shall present the Client with the authorization to receive instructions. The same applies in principle during the implementation of the instructions.
B. During the execution of the order, the stipulated specifications must be adhered to. For further contractually binding extensions of the original order, text form (written, fax, e-mail or ticket system) must be used. Verbal agreements are invalid. As a matter of principle, a schedule for the order shall be drawn up in cooperation with the client prior to the start of execution. If there are any disruptions in the execution of the order, whether due to interruptions in the operational process, indications of a violation of the data protection requirements or other errors or peculiarities with regard to personal data, the Customer shall be notified thereof as soon as possible and the Contractor shall be obligated to remedy them. After completion of the order, an orderly transfer of the results as well as the proper handling of data or documents exchanged in the meantime shall be ensured. It must be ensured on the basis of the Contractor's records that the client can follow up the execution of the order and check the necessity of individual steps as well as the actions taken in accordance with the client's specifications. In any case, the client or customer, the respective process including exact specifications regarding the processing of data, the executing processors as well as the schedule must be recorded.
C. In principle, the Contractor is obliged to ensure the level of data protection security required by the General Data Protection Regulation in the course of the order. The Contractor shall not perform any unsupervised maintenance or support. He shall be allowed access to the respective system only after activation by the Customer. In doing so, the Client must be enabled to monitor the execution of the order on its own screens (client view). Metadata of the order execution must be logged. Customer data may not be created by the client either directly or as an image file or similar recordings of data to which he has access.
D. The Customer shall be authorized to check the Contractor's compliance with the requirements described in this catalog of measures after prior notice, which must always be given a reasonable period of time in advance.
VII. Availability control
A. Data shall be backed up at specified intervals to prevent its sudden loss. For this purpose, the Customer shall appoint a person who, by means of a backup concept, shall create the possibility of restoring lost data after their loss with a proportionate expenditure of time.
B. If there is an internal or external, intended attack on personal data or a suspension of data processing, the Client must be informed of this as soon as possible. In order to minimize or completely avert possible damage, an emergency plan must be followed if there are indications of a threat. This plan must specify how to proceed in this situation and which departments at the Customer must be informed. In order to be able to guarantee data security in emergency situations, existing emergency power generators or surge protection devices must be checked on a regular basis. In addition, general parameters for the operation of the systems must be constantly monitored. Backups must be stored in special data security cabinets protected against fire and water damage.
VIII. Separation requirement
A. Data shall only be collected to the extent necessary for the objective of the order or an individual part of the order. The same applies to storage and processing. Even after the above steps have been taken, the objective of handling personal data will always be to fulfill the order.
B. It must be stipulated that the storage, modification, deletion or transfer of data must be separated from the storage of data or data carriers.
IX. Organization control
A. Procedures for the processing of data must be described, applied and controlled with regard to processing.
B. The personnel who come into contact with personal data or are otherwise involved in the order must be trained. The following subject areas of data protection must be covered:
- The fundamental importance of data protection in the company and the implementation of technical and organizational measures.
Training shall be conducted at intervals of no more than 2 years and through supportive measures commensurate with the importance of the assignment.
C. Separation of roles: A distinction must be made between two types of roles in the execution of the order or data processing/IT use. On the one hand, the order execution or IT use must be prepared or accompanied (work preparation, data follow-up, operating, programming, network administration, rights management, auditing), and on the other hand, the previously provided applications must be used for execution (e.g., specialist responsible, IT application supervisor, data entry clerk, clerk, payment order authorizer, ...). These two tasks must not be assigned to the same person in the distribution of tasks.
D. The above measures must be applied without restriction to external persons. They must observe the requirements regarding access to rooms with data processing equipment. They must be made aware of their obligation to maintain data and telecommunications secrecy and confidentiality. This must be done in the course of training external personnel. Anyone who only comes into the vicinity of the data or data processing systems incidentally is considered to be external. In contrast, subcontractors or other persons who are to have contact with personal data must be obligated to comply with these regulations.
E. The Contractor shall use internal audits to check the documentation of access to personal data at intervals of no more than two months. If irregularities occur, the client must be informed and the documentation must be stored in an audit-proof manner for 12 months after completion of the order.
This contract has been machine translated from German. In case of any errors in the translation, the text of the original German version applies.