GCC: General Contract Conditions
Client according to this appendix: Soloplan
Service provider: company which stores the data of the party concerned by order of the client
User/Party concerned: company or person who uses CarLo exCHANGE
Data: all data of the party concerned which the client transfers to the service provider
Personal data: all individual items of information about the personal or factual circumstances of an identified or identifiable natural person.
Software: CarLo exCHANGE = cloud-based communications platform of the client
This appendix governs and specifies the collection, processing, and use of personal data which the client or the client’s users enter while using the client’s software, as well as all data which is created or otherwise collected during the use of the software and which the client transfers to the service provider in any other way in connection with the main contract (GCC).
1.1. The subject and duration of the order, as well as the volume and type of data collection, processing, and usage are described in the client’s GCC.
1.2. The term of this appendix depends on the GCC’s term, unless the regulations of this appendix specify any additional obligations.
2.1. The service provider shall process personal data by order of the client. This includes any tasks specified in the GCC and its definition of services. The client is responsible for compliance with legal data protection regulations as specified in the GCC, in particular with regard to the legality of the transfer of data to the service provider and to the legality of the processing of the data – the client shall thus be regarded as the “responsible party” in accordance with § 3, 7 of the Federal Data Protection Act (BDSG).
2.2. Instructions are initially defined by the GCC and can later be modified, supplemented, or replaced by the client in writing or in text form through individual instructions (individual instruction).
3.1. The service provider may only collect, process, or use data of the party concerned within the scope of the order or of additional instructions from the client.
3.2. The service provider shall be responsible for designing its intra-company organisation in such a way that the special requirements of data protection can be met. The service provider shall take technical and organisational measures which meet the requirements of the annex to § 9 of the Federal Data Protection Act (Bundesdatenschutzgesetz) and which are set out in the appendix hereto.
3.3. The client reserves the right to change the security measures taken, provided that the contractually agreed level of security is maintained at all times.
3.4. At the client’s request, the service provider shall provide the client with an overview of all information required under § 4g (2) sentence 1 of the Federal Data Protection Act if the client cannot obtain that information itself.
3.5. The service provider guarantees that all employees and other persons charged with processing the client’s data have been bound to data secrecy in accordance with § 5 BDSG and have undertaken not to collect, process, or use the data without authorisation.
3.6. The obligation to data secrecy shall remain in force after termination of the contract.
3.7. The service provider undertakes to inform the client immediately of serious infringements of the protection of the personal data provided by the client, or of the stipulations made in the contract or the GCC, on the service provider’s part or on the part of any person engaged by the client in fulfilling the order. It undertakes to take the measures necessary to protect the data and to minimise possible negative consequences for the parties concerned, and shall co-ordinate these measures expressly with the client. The service provider shall support the client in fulfilling the information obligations specified in § 42a of the Federal Data Protection Act.
3.8. The service provider shall designate a contact person to the client responsible for any data protection issues related to the contract.
3.9. The service provider undertakes to fulfil its obligations under §§ 4f, 4g of the Federal Data Protection Act (§ 11 (2) no. 5 in connection with § 11 (4) of the Federal Data Protection Act); this includes, for example, its obligation to appoint a data protection officer where required by law.
3.10. The service provider shall not use the data given to it for any purposes other than the fulfilment of the contract.
3.11. The service provider shall correct, delete, or block the contractual data at the client’s request. The destruction of data carriers and other materials in accordance with data protection legislation shall be undertaken by the service provider on the basis of an individual instruction from the client, unless it has already been agreed in the contract. In special cases to be determined by the client, the data may be retained or transferred.
3.12. Data, data carriers, and any other materials must either be handed over to the client or deleted at the end of the contract’s term.
4.1. The client is obliged to inform the service provider immediately and fully if it detects any errors or irregularities in the results of the order with respect to the data protection regulations.
4.2. The obligation to maintain a public directory of procedures (Jedermannverzeichnis) in accordance with § 4g (2) sentence 2 of the Federal Data Protection Act lies with the client.
5.1. If the client is obliged under data protection law to provide a specific person with information on the collection, processing, or use of data relating to that person, the service provider shall support the client in providing that information. This requires that the client requests the service provider to do so in writing or in text form, and the client shall reimburse the service provider for the costs incurred in rendering this support. The service provider shall not respond directly to any requests for information but shall always refer the requesting party to the client.
5.2. If a party concerned contacts the service provider with demands for the correction, deletion, or blocking of data, the service provider shall refer the party concerned to the client.
6.1. The client shall satisfy itself as to the technical and organisational data protection measures taken by the service provider both prior to the launch and regularly thereafter, and shall document the results of these checks. For this purpose, the client may, for example, request information from the service provider, have any available expert certification presented, or, upon timely notification, during normal business hours and without disrupting business operations, inspect the processes in person or through a qualified third party. The third party charged with this task may not be a business competitor of the service provider.
6.2. The service provider undertakes to provide the client with all requested information and proof required for conducting an inspection upon written request within a reasonable time.
7.1. The service provider is authorised, for the purpose of fulfilling its contractually agreed services, to engage its affiliate companies, or to commission subcontractors to render the specified services.
7.2. If the service provider awards contracts to subcontractors, it shall be the service provider’s responsibility to transfer the obligations resulting from this contract to the subcontractor. Sentence 1 applies in particular to the requirements regarding confidentiality, data protection, and data security with respect to the regulations specified in the GCC. Any checks of the subcontractor’s work by the client may only be conducted in co-ordination with the service provider. The client has the right to request in writing information on the subcontractor’s obligations with respect to data protection – if necessary, this includes the inspection of the respective contractual documents.
7.3. Ancillary services commissioned by the service provider from a third party outside the main contractual services do not constitute subcontracting subject to approval. This includes, for instance, external personnel, postal and shipping services, and maintenance.
The service provider shall conclude agreements with such third parties to the extent necessary to cover all measures required to ensure appropriate data protection.
8.1. If the client’s data stored by the service provider is compromised through garnishment or seizure, an insolvency or conciliation procedure, or any other event or measure taken by a third party, the service provider must immediately give notice to the client. The service provider shall immediately inform all parties involved in this matter that the sovereignty over and the ownership of the data lies solely with the client as the »responsible party« as defined by the Federal Data Protection Act.
8.2. Changes and additions to this appendix and all of its parts, including any assurances by the service provider, require a written agreement and an explicit remark indicating it as a change or addition to the present conditions. This shall also apply to the waiver of the requirement of written form.
8.3. Should any part of this appendix on data protection be contrary to terms defined in the contract, the terms of this appendix shall have precedence. If individual parts of this appendix are invalid, this shall not affect the validity of the rest of this document.
8.4. This contract is subject exclusively to German law. The UN Convention on Contracts for the International Sale of Goods shall not apply.
8.5. If the party concerned is a merchant, a public legal entity, or a special public fund then the exclusive place of jurisdiction shall be Kempten.
Responsibility for security
The service provider shall appoint one or more security administrators who are responsible for the co-ordination and monitoring of the security regulations and procedures.
Functions and responsibilities with respect to security
The service provider’s employees with access to customer data shall be subject to confidentiality obligations.
Risk management programme
The service provider shall undertake a risk assessment prior to the processing of customer data, or the introduction of the service for online services.
The service provider shall retain its security documents in accordance with the applicable record-keeping requirements after they are no longer in effect.
Storage media inventory
The service provider shall maintain an inventory of all media on which customer data is stored. Access to this inventory of media is restricted to employees who have received written authorisation for this access.
Handling of data
The service provider shall inform its employees of the relevant security procedures and their respective tasks. Furthermore, the service provider shall inform its employees of the possible consequences of a breach of the security regulations and procedures. The service provider shall use only anonymised data in training.
Physical access to premises
The service provider shall restrict access to premises where the information systems on which customer data is processed are located to named, authorised personnel.
Physical access to components
The service provider shall keep records of all incoming and outgoing media which contain customer data, including the type of medium, authorised sender/recipient, date and time, number of media, and types of customer data contained.
Protection against disruptions
The service provider shall use a variety of industry-standard systems in order to prevent any loss of data due to power failure or line disruptions.
Disposal of components
The service provider shall use industry-standard procedures for the deletion of customer data when it is no longer required.
The service provider shall keep security documents which describe the security measures and the relevant procedures and responsibilities of its employees who have access to customer data.
Procedures for data recovery
Transfer of data off premises
The service provider shall log access to, and use of, the information systems which contain customer data, recording the access ID, access time, authorisation granted or refused, and the respective activity, or shall enable the customer to do so.
The service provider shall keep documentation of the security permissions of individual persons who have access to customer data.
The service provider shall have controls to prevent persons from gaining access rights to customer data where they have not been authorised for this purpose.
Procedures for reacting to incidents
The service provider’s security employees shall check the logs at least once every six months, in order to suggest improvements where necessary.