Privacy agreement

08.12.2017 version

Preamble

This agreement sets out the data protection obligations of the parties to the contract which arise in relation to the contract processing described in this agreement and in section 3 and section 4. It applies to all activities relating to toujou services where the contractor’s employees or third parties recruited by the contractor may come into contact with the client’s personal data.

The parties are aware that the EU General Data Protection Regulation (GDPR: Regulation (EU) 2016/679) applies as of 25.05.2018 and that the provisions applicable to contracting processing are essentially based on art. 28 GDPR. Until then, section 11 of the Bundesdatenschutzgesetz (German Federal Data Protection Act – BDSG) continues to apply. The rules which will cease to apply from 25.05.2018 are therefore shown in [square brackets].

Any individual arrangements in this privacy agreement shall take priority over the contractor’s General Terms and Conditions ('GTCs').

§ 1 Definitions

1. Personal data
   According to section 3 para. 1 BDSG, personal data is individual information regarding the personal or material circumstances of a specific or identifiable natural person. According to art. 4 para. 1 GDPR, personal data is any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
2. Contract data processing and contract processors
   According to section 11 para. 3 BDSG, contract data processing is the storage, modification, transfer, blocking, or erasure of personal data by a contractor commissioned by the client. According to art. 4 para. 8 GDPR, a contract processor is a natural or legal person, public authority, agency, or other body which the controller commissions to process personal data.
3. Instruction
   An instruction is a, generally, written order from the client relating to the contractor’s specific handling from a data protection perspective (e.g. storage, pseudonymisation, erasure, publication) of personal data. Instructions are issued by the client and may be modified, supplemented, or replaced by individual instructions (individual instruction). The client’s instructions must be issued in writing or via email.

§ 2 Scope of application and responsibility

1. The contractor provides development and hosting services and undertakes maintenance measures on preconfigured TYPO3 systems on behalf of the client. In this context, the possibility of the contractor gaining access to or becoming aware of personal data cannot be ruled out. According to [section 11 para. 5 BDSG or] art. 28 GDPR, it is necessary therefore to conclude an agreement regarding contract processing.
2. The client has selected the contractor as a service provider in accordance with the duties of diligence set out in [section 11 BDSG or] art. 28 GDPR. In order for contract data processing to be permissible, the client must issue the order to the contractor in writing. This contract contains, as intended by the parties and the client in particular, the written contract processing order as per [section 11 BDSG or] art. 28 para. 3 GDPR and governs the data protection rights and obligations of the parties in relation to the provision of hosting services.
3. The client, as the 'controller' within the meaning of the German Federal Data Protection Act or the General Data Protection Regulation, has sole ownership of personal data. Given this responsibility, the client may also request correction, erasure, blocking, and publication of personal data both during the term and after the end of the contract.

§ 3 Object and duration of the order

1. The object of the order is TYPO3 service hosting based on the tariff ordered by the customer.
2. This agreement shall take effect with the conclusion of the toujou contract (in accordance with the GTCs, https://www.toujou.com/gtc/) and end, ordinarily, upon cancellation of the underlying main contract in accordance with the GTCs. The right to extraordinary cancellation remains unaffected.

§ 4 Description of processing, data, and data subjects

The scope, type, and purpose of processing as well the type of data involved are defined via forms drafted or used by the client. The use, content, and scope of these forms are matters for the client. There is also access to all content, media data (images, videos, documents, etc.) which editors have uploaded and added within the system. The group of data subjects is defined in terms of editors in the TYPO3 system (staff or persons commissioned by the client) as well as visitors and users of its website generated from the system.

§ 5 Technical and organisational measures

The contractor undertakes, vis-à-vis the client, to comply with the technical and organisational measures appropriate and necessary for the observance of the data protection provisions to be applied.

1. Since the contractor is running hosting services for the client outside of the client’s business premises, the contractor must document without exception the technical and organisational measures it takes as per [section 9 BDSG and the appendix to section 9 sentence 1 BDSG or] art. 28 para. 3 point c GDPR and art. 32 GDPR in conjunction with art. 5 para. 1 and para. 2 GDPR and pass the details on to the client for it to check.
2. The measures are intended to promote data security and ensure a level of protection appropriate to the risk in terms of the confidentiality, integrity, availability, and resilience of the systems associated with this order. It is a case of reflecting the state of the art, the implementation costs, and the type, scope, and purposes of processing as well as the various possibilities of gaining entrance and the gravity of the risk to the rights and freedoms of natural persons as per art. 32 para. 1 GDPR.
3. Details of the situation as of the time of concluding the contract as well as the current situation in terms of technical and organisation measures are attached to this agreement as Appendix A ’Technical and organisational measures as per section 9 BDSG (German Federal Data Protection Act)’. The parties agree that changes to technical and organisational measures may be necessary in order to adapt to technical and legal aspects of a given situation. The contractor shall agree in advance with the client any material changes which may have an impact on the integrity, confidentiality, or availability of personal data. Measures involving only minor technical or organisational changes or which do not have any negative impact on the integrity, confidentiality, or availability of personal data may be implemented by the contractor without the client’s agreement. The contractor can findhere at any time a current version of the technical and organisational measures taken by the client.

§ 6 Correction, restriction, and erasure of data

1. The contractor may not independently correct, erase, or restrict the processing of data processed on a commissioned basis and may only do so if it has a documented instruction from the client. If a data subject approaches the contractor directly in relation to any of this, the contractor shall immediately refer this request to the client for approval.
2. Implementation of the erasure concept, the right to be forgotten, correction, data portability, and provision of information are to be ensured by the contractor directly, but only in accordance with a documented instruction from the client.
3. Copies or duplicates of data shall not be created without the client’s knowledge. This does not include backup copies insofar as these are necessary to ensure orderly data processing or any data required in order to comply with statutory retention obligations.
4. Upon conclusion of the contractually agreed work or prior to this at the client’s request – although no later than the end of the service agreement – the contractor must hand over to the client or destroy, subject to prior agreement and in accordance with data protection requirements, all documents and results of processing and use in its possession as well as data inventories relating to the contractual relationship. The same applies to any test and rejected material. The protocol for erasure must be provided upon request.
5. Documentation intended as evidence that data has been processed in accordance with the order and in an orderly manner must be retained by the contractor beyond the end of the contract in accordance with the respective retention periods. It may, for its own relief, hand this over to the client at the end of the contract.

§ 7 Obligations of the contractor

1. The contractor is prohibited from processing personal data which does not relate to the provision of hosting services unless the client has agreed to this in writing.
2. The contractor confirms – insofar as there is a statutory obligation for it to do so – that it has appointed a company data protection officer as per [section 4f BDSG or] art. 38, 39 GDPR. The current contact data for the data protection officer shall be saved to the contractor’s website and made easy to access. You can find these at https://www.toujou.com/legal-notice/. 
3. The contractor shall inform the client immediately if it believes an instruction given by the client breaches statutory rules. The contractor is entitled to postpone implementation of the relevant instruction until this is confirmed or modified by the client.
4. The contractor shall inform the client immediately in the event of any severe disruption of business operations, suspected data protection violations, or other irregularities associated with the processing of the client’s personal data.
5. If the contractor establishes or the facts as they stand give grounds to assume that personal data it is processing for the client is subject to some violation of the statutory protection of personal data as per [section 421a BDSG or] art. 33 GDPR (data protection breach or data mishap), e.g. if this is unlawfully transmitted or unlawfully discovered by third parties in some other way, the contractor must inform the client immediately and in full regarding the time, type, and extent of the incident or incidents in writing or text form (fax/email). The notification provided to the client must contain the following information at least, and the contractor is also obliged to provide immediate notification regarding the measures it has taken to prevent unlawful transmission or unauthorised discovery by third parties in future:
   1. A description of the type of violation of personal data protection including if possible information on the categories and approximate number of data subjects, the categories concerned, and the approximate number of personal data records concerned.
   2. The name and contact details of the data protection officer or some other point of contact for further information.
   3. A description of the likely consequences of the violation of personal data protection.
   4. A description of the measures taken or proposed to rectify the violation of personal data protection and any measures to mitigate its potential negative impact.
6. The contractor shall make available to the client upon request the information needed for the record of processing activities in accordance with [section 4g para. 2 sentence 1 BDSG or] art. 30 para. 1 GDPR and keep itself, as a contract processor, a record of processing activities in accordance with art. 30 para. 2 GDPR.
7. The contractor shall ensure that the employees involved in the processing of the client’s personal data as per [section 5 BDSG or] art. 28 para. 3 sentence 2 point b, 29, 32 para. 4 GDPR are obliged to respect confidentiality and made familiar in advance with the data protection provisions relevant to them. The contractor and each person under its authority with access to personal data may only process this data in accordance with the client’s instruction including the powers granted under this agreement unless they are obliged to process it by law. This confidentiality obligation continues to apply after the activity comes to an end.
8. The contractor must check fulfilment of the above obligations and provide suitable evidence of this.
9. The contractor also undertakes to help the client comply, as per art. 28 para. 3 point f GDPR, with the obligations set out in art. 34-36 GDPR:
   1. As part of its information obligation vis-à-vis data subjects and the client to make available immediately all relevant information in this regard.
   2. With performing its data protection impact assessment.
   3. As part of a prior consultation with the supervisory authority.
10. The client and contractor shall work with the supervisory authority upon request in fulfilling their duties.
11. The contractor must inform the client immediately about any inspections and measures by the supervisory authority insofar as these relate to this order. This also applies if a competent authority conducts investigations as part of any administrative or criminal proceedings relating to the processing of personal data associated with contract processing at the contractor.
12. If the client is the subject of an inspection by the supervisory authority, any administrative or criminal proceedings, a liability claim from a data subject or third party, or some other claim relating to contract processing by the contractor, the contractor must support it to the best of its ability.
13. The contractor shall check internal processes as well technical and organisational measures on a regular basis in order to ensure the processing for which it is responsible is being conducted in accordance with the requirements of the relevant data protection legislation and protection of the data subject’s rights is guaranteed.

§ 8 Rights and obligations of the client

1. The client has the right to issue the contractor at any time with supplementary instructions regarding the type and extent of any development, upkeep, and maintenance of software and/or IT systems and the processes involved. Instructions may be in writing, sent via email, or given verbally. The client should provide the contractor with immediate confirmation in text form (e.g. email) of any verbal instructions given.
2. The client must provide the contractor with full and immediate information if it identifies any errors or irregularities in terms of data protection provisions when inspecting the results of the order.
3. The client is subject to the reporting obligations resulting from [section 42a BDSG or] art. 33 para. 1 GDPR.
4. The client shall define by contractual means or through an instruction the measures for returning data carriers provided and/or erasing stored personal data after the end of the order.
5. If the client issues individual instructions which go beyond the contractually agreed scope of service, the client must bear any resulting justified costs.

§ 9 Guaranteeing the rights of the data subject

1. The client is responsible for guaranteeing the rights of the data subject.
2. If the contractor needs to cooperate in order to help the client guarantee the rights of data subjects – in particular to information, correction, [blocking or], restriction, data portability, or erasure – the contractor shall take the measures required in each case as instructed by the client.
3. If a data subject approaches the contractor directly for the purpose of correction, erasure, or [blocking or] restriction or regarding the portability of their data, the contractor shall refer this request to the client immediately.
4. Rules regarding any remuneration of additional expenses incurred by the contractor as a result of cooperation in terms of enforcing data subject rights vis-à-vis the client remain unaffected.

§ 10 Powers of inspection

1. The client has the right to inspect, at any time and to the extent necessary, the contractor’s compliance with statutory data protection provisions, compliance with the contractual rules established between the parties, and compliance with client instructions.
2. The contractor is obliged to provide the client with any information required for the purpose of performing inspections as per para. 1.
3. The client may, having given reasonable advance notice, perform the inspections as per para .1 at the contractor’s business premises during normal business hours. The client shall take care to ensure that inspections are only performed to the extent strictly necessary if the contractor’s operating processes are disrupted by the inspections.
4. The contractor is obliged, in the case of measures by the supervisory authority vis-à-vis the client as per [section 38 BDSG or] art. 58 GDPR and in particular in respect of information and inspection obligations, to provide the client with the information required.
5. The contractor shall provide evidence of technical and organisational measures which apply beyond the specific order. This may involve:
   1. compliance with approved codes of conduct as per art. 40 GDPR.
   2. certification in accordance with an approved certification process as per art. 42 GDPR.
   3. current attestations, reports, or excerpts of reports from independent bodies (e.g. auditor, audit department, data protection officer, IT security officer, data protection auditors).
   4. suitable certification by means of an IT security or data protection audit (e.g. in accordance with ISO 27001 or the baseline protection set out by the BSI (German Federal Office for Information Security)).
6. The costs associated with the expense/work of an inspection at the contractor as per para. 3 and 4 may be claimed from the client.

§ 11 Subcontracting arrangements

1. The contractor shall not make use, for the provision of hosting services commissioned by the client, of any services of third parties which it commissions to process data as per [section 11 BDSG or] art. 28 GDPR ('subcontractors').
2. Needs-based commissioning of subcontractors by the contractor is only permissible with the client’s written consent.
3. The client agrees that the contractor may use other companies to help it deliver its contractually agreed services or subcontract services to these. The companies currently involved are as follows:

   
   Approved subcontractor:

   NAME	PURPOSE	PROVIDER	DATA PROTECTION
   Google	Visitor statistics, hosting infrastructure	Google Inc. 1600 Amphitheatre Parkway Mountain View, CA 94043 USA	Data protection provider
   jweiland.net	Hosting infrastructure	jweiland.net  Jochen Weiland  Echterdinger Straße 57, 70794 Filderstadt  Germany	Data protection provider
   HEXONET	Domain registration	HEXONET GmbH Talstraße 27 66424 Homburg Germany	Data protection provider
   Amazon Web Services	Hosting infrastructure, CDN	Amazon Web Services, Inc. 410 Terry Avenue North Seattle WA 98109 United States	Data protection provider
   punkt.de GmbH	Hosting infrastructure	punkt.de GmbH Kaiserallee 13a 76133 Karlsruhe Germany	Data protection provider

4. When commissioning a subcontractor, the contractor must select it with care and check prior to any commissioning that it is able to comply with the agreements made between client and contractor. The contractor must check in particular both in advance and on a regular basis during the term of the contract that the subcontractor has taken the necessary technical and organisational measures for the protection of personal data in accordance with [section 9 BDSG or] art. 28 para. 3 point c, 32 GDPR in conjunction with art. 5 para.1, para. 2 GDPR. The result of the inspection must be documented by the contractor and passed on to the client on request. The contractor is obliged to have the subcontractor confirm it has appointed a company data protection officer as per [section 4f BDSG or] art. 37-39 GDPR.
   The contractor must ensure that the rules agreed in this contract and any supplementary instructions from the client also apply to the subcontractor. The contractor must check compliance with these obligations on a regular basis.
   The obligation on the subcontractor must be imposed in writing. The client must be copied in on the written obligation on request.
   The contractor is obliged in particular to ensure through contractual rules that the powers of inspection (point 10 of this agreement) available to the client and supervisory authorities also apply to the subcontractor and that corresponding rights of inspection are agreed for the client and supervisory authorities. There must also be some contractual ruling that the subcontractor has to tolerate these inspection measures and any inspections on site.

§ 12 Data secrecy and secrecy obligations

1. The contractor undertakes to observe the same secrecy rules as apply to the client. The client is obliged to inform the contractor of any special secrecy rules.
2. The contractor shall ensure it is aware of the relevant data protection provisions and familiar with their application.
3. Both parties undertake to treat as confidential for an unlimited period all information they receive in connection with the implementation of this agreement and only to use it for the purpose of implementing the contract. No party is entitled to use this information in whole or in part for purposes other than those stated above or make this information accessible to third parties.
4. The above obligation does not apply to information which one of the parties has clearly received from third parties without any obligation to keep it secret or to information in the public domain.

§ 13 Information obligations, written form clause, choice of law

1. If the client’s personal data at the contractor is at risk as a result of seizure or confiscation, insolvency or composition proceedings, other events, or measures taken by third parties, the contractor must inform the client of this immediately. The contractor shall inform all those with any responsibility in these matters that the client has exclusive control and ownership of the personal data as the 'controller' as per the German Federal Data Protection Act.
2. Any changes and additions to this appendix and any of its component parts – including any warranties on the part of the contractor – need to be agreed in writing and specific reference must be made to the effect that they entail a change or addition to these conditions. This also applies to any waiver of this formal requirement.
3. If a provision of these contractual conditions proves to be ineffective, the other provisions shall remain effective. The parties to the contract undertake in good faith to replace any ineffective provision or unintentionally missing provision with a provision which comes closest to the intention jointly pursued by the parties to the contract.

Appendices

Appendix A, Technical and organisational measures as per section 9 BDSG (German Federal Data Protection Act)

The current version of 'Appendix A' as well as the previous versions are available to download here.

Changes

Our privacy agreements are continuously revised in line with ongoing developments. Here is an ongoing change history.