within the meaning of Article 28 (3) of the General Data Protection Regulation (GDPR)

Preamble

The contractor has taken on the task described below from the client:
a. Provision of individually contracted logistics services.

The contractor processes information from the client that is personal data. As part of the provision of services to the client, the contractor accesses the personal data for this purpose.

The parties therefore conclude this data protection agreement to ensure the lawful processing of personal data by the contractor. In this respect, the agreement specifies the contractor's data protection obligations.

That being said, the parties agree on the following:

§ 1 Scope

1.1 The contractor processes personal data on behalf of and on instructions from the client to fulfill the performance obligations incumbent on him under the main contract.

1.2 The contractor processes the data in accordance with the provisions of the main contract, this agreement and on documented instructions from the client.

1.3 If the contractor believes that an instruction from the client violates the General Data Protection Regulation (GDPR) or other data protection regulations of the European Union or its member states, he will inform the client of this. In these cases, the contractor is entitled to suspend execution of the instruction until the client confirms or amends the instruction.

§ 2 Obligations of the client

2.1 Within the framework of this agreement, the client is responsible for compliance with the legal provisions of data protection laws, in particular for the lawfulness of the transfer of data to the contractor and for the lawfulness of data processing and the protection of the rights of the data subjects (“responsible person” within the meaning of Art. 4 No. 7 GDPR). Should third parties assert claims against the contractor based on the processing of their data, the client will release the contractor from all such claims upon first request.

2.2 The client is the owner of all necessary rights relating to the data.

2.3 The client must immediately and completely inform the contractor if he discovers errors or irregularities in connection with the processing of the data by the contractor within the framework of this agreement or his instructions.

§ 3 Obligations of the contractor

3.1 The contractor processes the data within the framework of the main contract, this agreement and the client's specific individual instructions. He is not entitled to pass on the data to third parties without authorization. This does not apply if this is done in accordance with the agreement and the main contract, is required in writing by the client or is necessary due to legal or legal requirements. In such cases, to the extent permitted by applicable law, the contractor will inform the client in advance of the intended transfer and coordinate with the latter. The contractor ensures that all persons who have access to the data process it in accordance with the client's instructions.

3.2 The contractor supports the client with checks by the supervisory authorities to the extent that is reasonable and necessary, insofar as these controls relate to data processing by the contractor. He will provide the client with the information that he needs to prove that he has met the requirements of applicable data protection law with regard to this order processing.

3.3 The contractor also supports the client — taking into account the type of data processing and the information available to it — upon request in complying with the following obligations:

• 3.3.1 ensuring the security of personal data processing,
• 3.3.2 reporting a personal data breach to supervisory authorities and data subjects,
• 3.3.3 If necessary, carrying out a data protection impact assessment, insofar as data processing by the contractor is affected,
• 3.3.4 If necessary, carrying out a necessary prior consultation with the data protection authority, insofar as data processing by the contractor is affected.

3.4 The contractor shall immediately inform the client if he becomes aware of a violation of data protection law as part of its order processing for the client.

3.5 The contractor obliges the persons employed to process the data to handle the data confidentially.

3.6 The contractor may demand appropriate remuneration for the cooperation services in accordance with Sections 3.2 and 3.3. However, not for the cooperation under section 3.3.2 if the infringement is due to his fault.

§ 4 Subcontracting relationships

4.1 The contractor may establish subcontracting relationships with regard to the processing of the data. This applies in particular with regard to the provision of logistics services.

4.2 The contractor will inform the client of any intended change to a subcontractor or a new subcontractor.

4.3 The contractor will transfer the obligations set out in this agreement, including ensuring the technical and organizational measures, to its subcontractors. The technical and organizational measures must meet the requirements of applicable data protection law.

4.4 The contractor will conclude a confidentiality or secrecy agreement with the subcontractors if they are not subject to a legal obligation of confidentiality or secrecy.

§ 5 Rights of data subjects

5.1 The rights of data subjects must be asserted against the client.

5.2 Insofar as a data subject asserts their rights against the contractor, the contractor will promptly forward the request to the client.

5.3 Insofar as a data subject asserts their rights against the client, the contractor will provide the client with appropriate technical and organizational measures in meeting these claims adequately and to the extent necessary if the client is unable to fulfill the claim without the assistance of the contractor.

5.4 The contractor may demand appropriate remuneration for the support provided in accordance with Section 5 of this Agreement.

§ 6 Liability

6.1 The contractor is liable to the client for the violation of data protection regulations and the provisions of this agreement as agreed in the main contract.

6.2 Should claims be made against the contractor by third parties due to a violation of data protection laws by the client, the client releases the contractor from liability upon first request. In addition, the client provides the contractor with legal defense to the extent necessary and reimburses the contractor for all damage resulting from the incident, including reasonable costs of legal defense.

§ 7 Contract duration and return or deletion of data

7.1 The agreement comes into force when signed by the parties and runs for an indefinite period of time. The agreement ends upon termination of the service contract on which the data processing by the contractor is based.

7.2 If necessary, the parties will agree on appropriate reconciliation arrangements to ensure the regularity of the underlying processing processes, possibly even after the end of the main contract.

7.3 Documentation that serves as proof of data processing in accordance with the order and proper data processing must be kept by the contractor beyond the term of the agreement in accordance with the relevant retention periods. The same applies to other documents that are subject to legal storage obligations (e.g. from tax law).

§ 8 Miscellaneous

8.1 Should the client's data be endangered by the contractor as a result of seizure or seizure, insolvency or settlement proceedings or other events or measures taken by third parties, the contractor must immediately inform the client of this. The contractor will immediately inform all responsible parties in this context that the authority and ownership of the data lies exclusively with the client as “responsible person” within the meaning of the GDPR.

8.2 If there are changes in the actual structure of the service relationships between the parties, the parties will adjust all attachments accordingly and exchange them amicably. When the amended annex is signed by the parties, it becomes effective and replaces the previously valid annex.

8.3 The law of the Federal Republic of Germany applies to the agreement. The place of jurisdiction for all disputes in connection with this agreement is Münster.

8.4 Amendments or additions to the agreement must be made in writing. This applies mutatis mutandis to the amendment or cancellation of the above written form requirement.

8.5 Should individual provisions of this agreement be or become invalid, the validity of the remaining agreement remains unaffected. The invalid provision is replaced by an effective provision whose economic content comes as close as possible to the invalid provision. The same applies in the event of regulatory gaps.