General Terms and Conditions for Order Processing pursuant to Art. 28 GDPR of Claus Pescha, hereinafter referred to as netzwerk.design.
- General provisions and subject matter of the order
- The subject of these GTC is the processing of personal data by netzwerk.design on behalf of the client in accordance with Art. 28 GDPR. The controller within the meaning of Art. 4 No. 7 GDPR is the client; netzwerk.design acts as processor within the meaning of Art. 4 No. 8 GDPR.
- The content of the order, categories of data subjects and types of data as well as the purpose of the agreement are set out in Annex 1.
- The processing of data by netzwerk.design takes place exclusively on the territory of the Federal Republic of Germany, a member state of the European Union or a contracting state of the EEA Agreement. Processing outside these countries only takes place under the conditions of Chapter 5 of the GDPR (Art. 44 ff.) and with the prior consent of the client.
- Contract term and cancellation
- These GTC shall apply for an indefinite period and may be terminated by either party with three months' notice. The right to extraordinary cancellation for good cause remains unaffected.
- Instructions from the client
- The client has a comprehensive right to issue instructions to netzwerk.design regarding the type, scope and modalities of data processing. netzwerk.design shall inform the client immediately if, in the opinion of netzwerk.design, an instruction from the client violates legal regulations. If an instruction is issued about whose legality netzwerk.design has substantiated doubts, netzwerk.design is entitled to suspend its execution until the client expressly confirms or amends it. If following the instruction could expose netzwerk.design to a liability risk, the execution of the instruction may be suspended until the internal allocation of liability has been clarified.
- Instructions must always be issued in writing or in an electronic format (e.g. by e-mail). Verbal instructions are permitted in justified individual cases and shall be confirmed by the client immediately in writing or in an electronic format. The confirmation shall expressly state the reasons why it was not possible to issue instructions in text form. netzwerk.design shall record the person, date and time of the verbal instruction in an appropriate form.
- At the request of netzwerk.design, the client shall name one or more persons authorised to issue instructions. netzwerk.design must be informed immediately of any changes in personnel.
- Control authorisations of the client
- The client is entitled to check compliance with the statutory and contractual provisions on data protection and data security before the start of data processing and regularly during the term of the contract to the extent necessary. The client must ensure that the control measures are proportionate and do not impair the operation of netzwerk.design more than necessary.
- The results of the checks and instructions must be recorded by the client in an appropriate manner.
- General obligations of netzwerk.design
- The processing of the contractual data by netzwerk.design takes place exclusively on the basis of the contractual agreements and the instructions of the client. Any processing deviating from this is only permitted on the basis of mandatory European or Member State legislation (e.g. in the case of investigations by law enforcement or state security authorities). If processing is necessary due to mandatory law, netzwerk.design shall inform the client of this before processing, unless the law in question prohibits such notification due to an important public interest.
- netzwerk.design must ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality (Art. 28 para. 3 lit. b GDPR). The persons concerned may not be given access to the personal data provided by the client before they are subject to the duty of confidentiality.
- Technical and organisational measures
- netzwerk.design has defined suitable technical and organisational measures to ensure an appropriate level of protection and recorded these in Annex 2. The measures described therein were selected in compliance with the requirements of Art. 32 GDPR. netzwerk.design will review the technical and organisational measures regularly and as required and adapt them where necessary.
- Support obligations of netzwerk.design
- netzwerk.design supports the client in accordance with Art. 28 para. 3 lit. e GDPR in its obligations to safeguard the rights of data subjects under Chapter III, Art. 12 - 22 GDPR. This applies in particular to the provision of information and the erasure, rectification or restriction of personal data.
- netzwerk.design also supports the client in accordance with Art. 28 Para. 3 lit. f GDPR in its obligations under Art. 32 - 36 GDPR (in particular reporting obligations). The scope of these support obligations is determined on a case-by-case basis, taking into account the type of processing and the information available to netzwerk.design.
- Use of subcontracted processors (subcontractors)
- netzwerk.design is authorised to use subcontracted processors (subcontractors). All subcontractor relationships of netzwerk.design already existing at the time of the conclusion of the contract are listed in Annex 3. For the subcontractors listed in Annex 3, consent is deemed to have been given upon conclusion of these GTC.
- If netzwerk.design intends to use additional subcontractors, netzwerk.design shall notify the client of this in writing or electronically in good time, but no later than two weeks before their use. The client has two weeks after this notification to object to the use of the subcontractor(s). If no objection is raised within this period, the use of the subcontractor(s) shall be deemed to have been authorised. In urgent cases (e.g. error analysis or defect rectification required at short notice), netzwerk.design may shorten the notification and objection period accordingly. If an objection is lodged in due time, the subcontractors concerned may not be used. Objections are only permissible if the client has reasonable indications that the use of the subcontractor would restrict data security or data protection, jeopardise compliance with legal or contractual provisions and/or conflict with other legitimate interests of the client; the grounds for the objection must be stated in it.
- Subcontractors are selected by netzwerk.design in compliance with the legal and contractual requirements. All contracts between netzwerk.design and subcontracted processors must comply with the statutory provisions on the processing of personal data on behalf; this applies in particular to the implementation of appropriate technical and organisational measures in accordance with Art. 32 GDPR in the subcontractor's company. Ancillary services that netzwerk.design utilises to carry out business activities do not constitute subcontracting relationships within the meaning of Art. 28 GDPR. Ancillary activities in this sense are, in particular, telecommunications services without a specific reference to the main service, postal and transport services as well as other measures that are intended to ensure the confidentiality and/or integrity of the hardware and software and have no specific reference to the main service. netzwerk.design will, however, also ensure compliance with the legal data protection standards (in particular through appropriate confidentiality agreements) for these third-party services.
- The commissioning of subcontractors in third countries is only permitted if the legal requirements of Art. 44 et seq. GDPR are met and the client has given its consent.
- Notification obligations of netzwerk.design
- Violations of these GTC, of the client's instructions or of other data protection regulations must be reported to the client immediately; the same applies in the event of a justified suspicion. This obligation applies regardless of whether the breach was committed by netzwerk.design itself, a person employed by netzwerk.design, a subcontracted processor or any other person employed by netzwerk.design to fulfil contractual obligations.
- If a data subject, an authority or any other third party requests netzwerk.design for information, correction, restriction of processing or deletion, netzwerk.design will forward the request to the client without delay and coordinate the further procedure with the client.
- netzwerk.design shall inform the client immediately if supervisory actions or other measures by an authority are imminent, which could also affect the processing, use or collection of the personal data provided by the client. In addition, netzwerk.design shall inform the client immediately of any events or measures by third parties that could jeopardise or impair the data covered by the contract.
- Termination of contract, deletion and return of data
- After completion of the contractual data processing or after termination of these GTC, netzwerk.design shall delete or return all personal data at the client's discretion, provided that there is no longer a legal obligation to store the data in question (e.g. statutory retention periods).
- Data secrecy and confidentiality
- netzwerk.design is obliged to treat the personal data obtained within the framework of the contractual relationship confidentially for an unlimited period of time and beyond the end of these GTC. netzwerk.design undertakes to familiarise employees with the relevant data protection regulations and confidentiality rules and to oblige them to maintain confidentiality before they start working for netzwerk.design.
- Liability
- 12.1 netzwerk.design is not liable to the client in the internal relationship if the data processing/measure triggering liability was carried out as a result of an instruction from the client. The same applies to measures that have been agreed with the client (e.g. technical and organisational measures in accordance with Art. 32 GDPR). Agreement is also deemed to have been reached if a provision has been included in these GTC at the request of the client.
- 12.2 The client must ensure that the original collection of the data processed under the order is lawful. In particular, the client must obtain any necessary consent completely and correctly. If a claim is made against netzwerk.design in the external relationship due to a breach of this obligation, the client shall be liable to netzwerk.design in the internal relationship and shall indemnify netzwerk.design against any damages incurred.
- Final provisions
- 13.1 Amendments to these GTC and ancillary agreements must be made in writing or electronically, clearly indicating that and which amendment or supplement to these terms and conditions is to be made by them.
- 13.2 If the contracting parties are merchants, legal entities under public law or special funds under public law, the registered office of netzwerk.design shall be the place of jurisdiction for all disputes arising from these GTC, unless an exclusive place of jurisdiction is established in this respect.
- 13.3 Should the GDPR or other legal regulations referred to change during the term of the contract, the references here shall also apply to the respective successor regulations.
- 13.4 Should individual parts of these GTC be or become invalid, this shall not affect the validity of the remaining provisions.
- 13.5 All annexes to these GTC are an integral part of the contract.
These GTC for order processing are an integral part of the contractual agreements between the client and netzwerk.design. By accepting our services, you declare your agreement with these GTC.
Appendix 1 - Order details
Services for which data is processed
- Creation of websites
- Processed data types: Inventory data of the client that is imported into the new websites (e.g. customer lists of the client).
- Categories of data subjects: Website visitors of the client, customers of the client.
- Maintenance of websites / online shops
- Processed data types: IP addresses of website visitors, entries in contact forms, analyses of user behaviour, transaction data (payment data), customer data.
- Categories of data subjects: Website visitors of the client, customers of the client.
- SEO marketing
- Processed data types: User data from website visitors, keyword analyses.
- Categories of data subjects: Website visitors.
- SEA marketing
- Processed data types: User data from website visitors, keyword analyses.
- Categories of data subjects: Website visitors.
- Social media marketing
- Processed data types: Analysis data from visitors to the social media profiles.
- Categories of data subjects: Social media users.
Annex 2 - List of existing technical and organisational measures of the processor pursuant to Art. 32 GDPR
netzwerk.design implements the following technical and organisational measures to protect the personal data covered by the contract. The measures were defined in accordance with Art. 32 GDPR and agreed with the client.
- Securing the processor's workplace (physical access control)
- The processor's workplace is secured against burglary and other unauthorised access in the following manner:
- Manual locking system / door locks
- Security locks
- Securing building shafts
- Access concept / visitor regulations
- Securing the IT systems of the processor (system access control)
- The IT systems of the processor are secured against unauthorised access (e.g. hacker attacks) in the following manner:
- Password assignment
- Password guidelines (regular change, minimum length, complexity, etc.)
- Login to the IT systems with individual user name and password
- Access rules for users / user groups in the IT systems (authorisation concept)
- Management of authorisations by system administrators
- Number of system administrators is reduced to the "bare minimum"
- Regular and event-driven updating and review of access rights (especially when employees leave the company or similar)
- Use of a software firewall
- Hard drive encryption
- Encryption of mobile data carriers (mobile phones, laptops, etc.)
- Encryption of external data carriers (external hard drives, USB sticks, etc.)
- Encryption of the data backup systems
- Secure storage of data carriers
- Logging of data processing procedures (input control)
- The following measures ensure that the processor can recognise at any time which data processing processes have taken place in its data processing systems (e.g. entry, modification, blocking or deletion):
- Traceability of data entry, modification and deletion through individual user names.
- Retention of forms from which data has been transferred to automated processing.
- Secure deletion of data
- The following measures ensure the proper deletion of the contractual data:
- Deletion concept
- Use of document shredders (at least level P-4)
- Proper wiping of data carriers before reuse
- Data protection at the processor's subcontractors
- The following measures ensure that the subcontractors selected by the processor behave in compliance with data protection regulations:
- Selection of subcontractors with due diligence (in particular with regard to data security).
- Conclusion of GDPR-compliant order processing contracts with the subcontractor.
- Securing data during transport and transmission (transfer control)
- The following measures ensure that personal data is protected from unauthorised third parties when it is passed on (physically and/or digitally):
- Encryption of e-mail traffic.
- Encryption of other communication channels.
- Encryption of physical data carriers during transport.
- Data protection and backups (availability and recoverability)
- The following measures ensure that the contractual data is available at all times:
- Backup & recovery concept.
- Testing the data recovery.
- Storage of data backups in a secure, off-site location.
- Fire and smoke detection systems in server rooms.
- Server rooms not under sanitary facilities.
- Other data protection measures
- The following additional data protection measures have been implemented:
- Logical client separation (on the software side).
- Encryption of data records that are processed for the same purpose.
- Separation of productive and test system.
- Review, evaluation and adaptation of existing measures
- The processor shall review, evaluate and, if necessary, adapt the technical and organisational measures described in this Annex every 12 months and as required.
Annex 3 - List of existing subcontractors at the time of conclusion of the contract
none
Status: July 2024