General terms and conditions for processing contracts
These terms describe the data protection obligations of the parties arising from the contracts between them. They apply to all activities that are related to a contract and in which employees of the contractor or persons commissioned by the contractor process personal data (“data”) of the client.
The contractor processes personal data on behalf of the client. This includes activities that are specified in the respective contract and, if applicable, in the service description. Within the scope of each contract, the client is solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the data transfer to the contractor and for the lawfulness of the data processing (“controller” within the meaning of Art. 4 No. 7 GDPR).
The data protection obligations of the Contractor are set out in the contract and may be amended, supplemented or replaced by the Client in writing or in an electronic format (text form) by means of individual instructions (individual instructions). Verbal instructions must be confirmed immediately in writing or in text form.
The type of data to be processed and the categories of data subjects are set out in the service descriptions of the respective services commissioned by the customer.
- The Contractor may only process data of data subjects within the scope of the order and the instructions of the Client, unless there is an exceptional case within the meaning of Article 28 (3) a) GDPR. The Contractor shall inform the Client immediately if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client.
- The Contractor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. It shall take technical and organizational measures for the appropriate protection of the Client's data that meet the requirements of the General Data Protection Regulation (Art. 32 GDPR). The Contractor shall take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing in the long term. The client is aware of these technical and organizational measures and is responsible for ensuring that they offer an appropriate level of protection for the risks of the data to be processed.
The contractor reserves the right to change the security measures taken, but must ensure that an appropriate or contractually agreed level of protection is not undercut.
A description of the contractor's technical and organizational measures can be found at the end of these terms and conditions.
- The Contractor shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects pursuant to Chapter III of the GDPR and in complying with the obligations set out in Art. 33 to 36 GDPR. This work shall be remunerated to the Contractor by the Client at the Contractor's applicable hourly rates.
- The Contractor warrants that the employees involved in the processing of the Client's data and other persons working for the Contractor are prohibited from processing the data outside the instructions. Furthermore, the Contractor warrants that the persons authorized to process the personal data have undertaken to maintain confidentiality or are subject to an appropriate statutory duty of confidentiality. The duty of confidentiality/secrecy shall continue to apply even after termination of the contract.
- The Contractor shall inform the Client immediately if it becomes aware of any breaches of the protection of the Client's personal data.
The Contractor shall take the necessary measures to secure the data and to mitigate any possible adverse consequences for the persons concerned and shall consult with the Client immediately in this regard.
- The Contractor shall inform the Client of the contact person for data protection issues arising within the scope of the contract.
- The contractor guarantees to comply with its obligations under Art. 32 para. 1 lit. d) GDPR and to use a procedure to regularly review the effectiveness of the technical and organizational measures to ensure the security of the processing.
- The Contractor shall rectify or erase the contractual data if instructed to do so by the Client. If deletion in compliance with data protection regulations or a corresponding restriction of data processing is not possible, the Contractor shall undertake the destruction of data carriers and other materials in compliance with data protection regulations on the basis of an individual order by the Client or shall return these data carriers to the Client, unless already agreed in the contract.
In special cases to be determined by the Client, storage or handover shall take place; remuneration and protective measures for this shall be agreed separately, unless already agreed in the contract.
- Data, data carriers and all other materials must either be returned or deleted at the request of the client after the end of the order.
- In the event of a claim against the Client by a data subject with regard to any claims under Art. 82 GDPR, the Contractor undertakes to support the Client in the defense of the claim within the scope of its possibilities. The expenses described above shall be remunerated by the Client to the Contractor at the Contractor's applicable prices according to the price list.
- The Client must inform the Contractor immediately and in full if it discovers errors or irregularities in the results of the order with regard to data protection regulations.
- In the event of a claim against the client by a data subject with regard to any claims under Art. 82 GDPR, Section 3 (10) shall apply accordingly.
- The Client shall provide the Contractor with the contact person for data protection issues arising within the scope of the contract.
If a data subject contacts the Contractor with requests for rectification, erasure or access, the Contractor shall refer the data subject to the Client, provided that the data subject can be assigned to the Client according to the information provided by the data subject. The Contractor shall forward the data subject's request to the Client without delay. The Contractor shall support the Client within the scope of its possibilities upon instruction to the extent agreed. The Contractor shall not be liable if the request of the data subject is not answered by the Client, is not answered correctly or is not answered on time.
- The Contractor shall provide the Client with evidence of compliance with the obligations set out in this contract by suitable means.
- Should inspections by the client or an auditor commissioned by the client be necessary in individual cases, these shall be carried out during normal business hours without disrupting operations after notification, taking into account a reasonable lead time. The Contractor may make this dependent on prior notification with a reasonable lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures in place. If the inspector commissioned by the Client is in a competitive relationship with the Contractor, the Contractor shall have the right to object to this.
The Contractor shall be remunerated for its expenses at its respective applicable hourly rates for support in carrying out an inspection with the Client.
- Should a data protection supervisory authority or another sovereign supervisory authority of the client carry out an inspection, paragraph 2 shall apply accordingly. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or statutory confidentiality, where a breach is punishable under the German Criminal Code.
- The Contractor shall use the subcontractors listed in Annex 4 to fulfill its contractual obligations.
- Such a subcontractor relationship exists if the Contractor commissions other contractors to provide all or part of the service agreed in the contract. The Contractor shall enter into agreements with these third parties to the extent necessary to ensure appropriate data protection and information security measures.
The Client agrees that the Contractor may engage subcontractors. Before involving or replacing subcontractors, the Contractor shall inform the Client with a notice period of three weeks. The client may object to the change - within a reasonable period - for good cause. If no objection is made within the deadline, consent to the change shall be deemed to have been given.
- If the Contractor places orders with subcontractors, the Contractor shall be responsible for transferring its data protection obligations under this contract to the subcontractor.
- Should the Client's data be jeopardized by attachment or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Client thereof without delay. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client as the “controller” within the meaning of the General Data Protection Regulation.
- Amendments and supplements to these Terms and Conditions and all their components - including any warranties made by the Contractor - require a written agreement, which may also be made in an electronic format (text form), and an express reference to the fact that it is an amendment or supplement to these Terms and Conditions. This also applies to the waiver of this formal requirement.
In the event of any contradictions, the provisions of this annex on data protection shall take precedence over the provisions of the contract. Should individual parts of these terms and conditions be invalid, this shall not affect the validity of the rest of the annex.
- German law applies.
Status: May 2018
Contract for order processing
Download the documents here:
- Contract for order processing
- ANNEX 1 - Type of personal data
- ANNEX 2 - Description of the affected persons/affected groups
- ANNEX 3 - Technical and organizational measures of the contractor
- ANNEX 4 - Approved subcontractors
- ANNEX 5 - Persons authorized to issue instructions
If you have any further questions, please send us an e-mail to datenschutz@wortmann-telecom.de