General Terms and Conditions for Order Processing pursuant to Art. 28 GDPR of Claus Pescha (hereinafter referred to as netzwerk.design).
- General provisions and subject matter of the order
- The subject of these GTC is the processing of personal data on behalf of netzwerk.design in accordance with Art. 28 GDPR. The controller within the meaning of Art. 4 No. 7 GDPR is the client.
- The content of the order, categories of data subjects and types of data as well as the purpose of the agreement are set out in Annex 1.
- The processing of data by netzwerk.design takes place exclusively on the territory of the Federal Republic of Germany, a member state of the European Union or a contracting state of the EEA Agreement. Processing outside these countries only takes place under the conditions of Chapter 5 of the GDPR (Art. 44 et seq.) and with the prior consent of the client.
- Contract term and cancellation
- These GTC shall apply for an indefinite period and may be terminated by either party with three months' notice. The right to extraordinary cancellation for good cause remains unaffected.
- Instructions from the client
- The Client shall have a comprehensive right to issue instructions to netzwerk.design regarding the type, scope and modalities of data processing. netzwerk.design shall inform the Client immediately if netzwerk.design is of the opinion that an instruction of the Client violates statutory provisions. If an instruction is issued whose legality netzwerk.design has substantiated doubts about, netzwerk.design shall be entitled to suspend its execution temporarily until the Client expressly confirms or amends it. If following the instruction could expose netzwerk.design to a liability risk, execution of the instruction may be suspended until the internal allocation of liability has been clarified.
- Instructions must always be issued in writing or in an electronic format (e.g. by e-mail). Verbal instructions are permissible in justified individual cases and shall be confirmed by the client immediately in writing or in an electronic format. The confirmation shall expressly state the reasons why it was not possible to issue instructions in text form. netzwerk.design shall record the person, date and time of the verbal instruction in an appropriate form.
- At the request of netzwerk.design, the Client shall designate one or more persons authorised to issue instructions. netzwerk.design must be informed immediately of any changes in personnel.
- Control authorisations of the client
- The client is authorised to check compliance with the statutory and contractual provisions on data protection and data security before the start of data processing and regularly during the term of the contract to the extent necessary. The client shall ensure that the control measures are proportionate and do not impair the operation of netzwerk.design more than necessary.
- The results of the checks and instructions must be recorded by the client in an appropriate manner.
- General obligations of netzwerk.design
- The processing of the contractual data by netzwerk.design takes place exclusively on the basis of the contractual agreements and the instructions of the client. Any processing deviating from this is only permitted on the basis of mandatory European or Member State legislation (e.g. in the case of investigations by law enforcement or state security authorities). If processing is necessary due to mandatory law, netzwerk.design shall inform the client of this prior to processing, unless the law in question prohibits such notification due to an important public interest.
- netzwerk.design must ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality (Art. 28 para. 3 lit. b GDPR). The persons concerned must not be granted access to the personal data provided by the client before they are subject to the duty of confidentiality.
- Technical and organisational measures
- netzwerk.design has defined suitable technical and organisational measures to ensure an appropriate level of protection and recorded these in Annex 2. The measures described therein were selected in compliance with the requirements of Art. 32 GDPR. netzwerk.design will review and adapt the technical and organisational measures as necessary.
- Support obligations of netzwerk.design
- netzwerk.design supports the client in accordance with Art. 28 para. 3 lit. e GDPR in its obligations to safeguard the rights of data subjects under Chapter III, Art. 12 - 22 GDPR. This applies in particular to the provision of information and the erasure, rectification or restriction of personal data.
- netzwerk.design shall also support the Client in accordance with Art. 28 para. 3 lit. f GDPR in its obligations under Art. 32 - 36 GDPR (in particular reporting obligations). The scope of these support obligations is determined on a case-by-case basis, taking into account the type of processing and the information available to netzwerk.design.
- Use of subcontracted processors (subcontractors)
- netzwerk.design is authorised to use subcontract processors (subcontractors). All subcontractor relationships of netzwerk.design already existing at the time of the conclusion of the contract are listed in Annex 3. For the subcontractors listed in Annex 3, consent shall be deemed to have been granted upon conclusion of these GTC.
- If netzwerk.design intends to use additional subcontractors, netzwerk.design shall notify the Client of this in writing or electronically in good time, but no later than two weeks prior to their use. After this notification, the client shall have two weeks to object to the use of the subcontractor(s). If no objection is raised within this period, the use of the subcontractor(s) shall be deemed to have been authorised. In urgent cases (e.g. error analyses or defect rectification required at short notice), netzwerk.design may shorten the notification and objection period appropriately. If an objection is lodged in due time, the subcontractors concerned may not be used. Objections are only permissible if the client has reasonable grounds to believe that the use of the subcontractor would restrict data security or data protection, jeopardise compliance with legal or contractual provisions and/or conflict with other legitimate interests of the client; the grounds for the objection must be stated together with the objection.
- Subcontractors are selected by netzwerk.design in compliance with legal and contractual requirements. All contracts between netzwerk.design and sub-processors must comply with the statutory provisions on the commissioned processing of personal data; this applies in particular to the implementation of appropriate technical and organisational measures in accordance with Art. 32 GDPR at the subcontractor. Ancillary services which netzwerk.design utilises for the performance of its business activities do not constitute subcontracting relationships within the meaning of Art. 28 GDPR. Ancillary services in this sense include, in particular, telecommunications services without a specific connection to the main service, postal and transport services, as well as other measures intended to ensure the confidentiality and/or integrity of hardware and software that have no specific connection to the main service. However, netzwerk.design shall also ensure compliance with the statutory data protection standards (in particular through corresponding confidentiality agreements) for these third-party services.
- The commissioning of subcontractors in third countries is only permitted if the legal requirements of Art. 44 et seq. GDPR are met and the client has given its consent.
- Notification obligations of netzwerk.design
- Violations of these GTC, of the instructions of the Client or of other provisions of data protection law shall be reported to the Client without delay; the same shall apply if there are reasonable grounds for suspicion. This obligation shall apply irrespective of whether the breach was committed by netzwerk.design itself, a person employed by netzwerk.design, a sub-processor or any other person employed by netzwerk.design to fulfil contractual obligations.
- If a data subject, an authority or any other third party requests netzwerk.design for information, rectification, restriction of processing or erasure, netzwerk.design shall forward the request to the client without delay and coordinate the further procedure with the client.
- netzwerk.design shall inform the Client without delay if supervisory actions or other measures by an authority are imminent which could also affect the processing, use or collection of the personal data provided by the Client. In addition, netzwerk.design shall inform the Client without delay of all events or measures by third parties which could jeopardise or impair the contractual data.
- Termination of contract, deletion and return of data
- After completion of the contractual data processing or after termination of these GTC, netzwerk.design shall delete or return all personal data at the client's choice, provided that there is no longer a legal obligation to store the data in question (e.g. statutory retention periods).
- Data secrecy and confidentiality
- netzwerk.design is obliged to treat the personal data obtained within the scope of the contractual relationship confidentially for an unlimited period of time and beyond the end of these GTC. netzwerk.design undertakes to familiarise employees with the relevant data protection provisions and confidentiality rules and to oblige them to maintain confidentiality before they commence their work at netzwerk.design.
- Liability
- 12.1 netzwerk.design shall not be liable to the client in the internal relationship if the data processing or measure giving rise to liability was carried out as a result of an instruction from the client. The same applies to measures that have been agreed with the client (e.g. technical and organisational measures pursuant to Art. 32 GDPR). Agreement is also deemed to have been reached if a provision has been included in these GTC at the request of the client.
- 12.2 The client must ensure that the original collection of the data processed in the order is lawful. In particular, the client shall obtain any necessary consents completely and correctly. If claims are asserted against netzwerk.design in the external relationship due to a breach of this obligation, the Client shall be liable to netzwerk.design in the internal relationship and shall indemnify netzwerk.design against any damages incurred.
- Final provisions
- 13.1 Amendments to these GTC and ancillary agreements must be made in writing or electronically, clearly indicating that, and which, amendment or supplement to these terms and conditions is being made.
- 13.2 If the contracting parties are merchants, legal entities under public law or special funds under public law, the registered office of netzwerk.design shall be the place of jurisdiction for all disputes arising from these GTC, unless an exclusive place of jurisdiction is established in this respect.
- 13.3 Should the GDPR or other legal regulations referred to change during the term of the contract, the references here shall also apply to the respective successor regulations.
- 13.4 Should individual parts of these GTC be or become invalid, this shall not affect the validity of the remaining provisions.
- 13.5 All annexes to these GTC are an integral part of the contract.
These GTC for order processing are an integral part of the contractual agreements between the client and netzwerk.design. By accepting the services of netzwerk.design, the client declares its agreement with these GTC.
Annex 1 - Order details
Services for which data is processed
- Creation of websites
- Processed data types: Inventory data of the client that is imported into the new websites (e.g. customer lists of the client).
- Categories of persons affected: Website visitors of the client, customers of the client.
- Maintenance of websites / online shops
- Processed data types: IP addresses of website visitors, entries in contact forms, analyses of user behaviour, transaction data (payment data), customer data.
- Categories of persons affected: Website visitors of the client, customers of the client.
- SEO marketing
- Processed data types: User data from website visitors, keyword analyses.
- Categories of persons affected: Website visitors.
- SEA marketing
- Processed data types: User data from website visitors, keyword analyses.
- Categories of persons affected: Website visitors.
- Social media marketing
- Processed data types: Analysis data from visitors to the social media profiles.
- Categories of persons affected: Social media users.
Annex 2 - List of existing technical and organisational measures of the processor pursuant to Art. 32 GDPR
netzwerk.design implements the following technical and organisational measures to protect the personal data covered by the contract. The measures were defined in accordance with Art. 32 GDPR and agreed with the client.
- Securing the processor's workplace (access control)
- The processor's workplace is secured against burglary and other unauthorised access in the following manner:
- Manual locking system / door locks
- Security locks
- Securing building shafts
- Access concept / visitor regulations
- Securing the IT systems of the processor (access control)
- The IT systems of the processor are secured against unauthorised access (e.g. hacker attacks) in the following manner:
- Password assignment
- Password guidelines (regular change, minimum length, complexity, etc.)
- Login to the IT systems with individual user name and password
- Access rules for users / user groups in the IT systems (authorisation concept)
- Management of authorisations by system administrators
- Number of system administrators is reduced to the "bare minimum"
- Regular and event-driven updating and review of access rights (especially when employees leave or similar)
- Use of a software firewall
- Hard drive encryption
- Encryption of mobile data carriers (mobile phones, laptops, etc.)
- Encryption of external data carriers (external hard drives, USB sticks, etc.)
- Encryption of the data backup systems
- Secure storage of data carriers
- Logging of data processing procedures (input control)
- The following measures ensure that the processor can recognise at any time which data processing processes have taken place in its data processing systems (e.g. entry, modification, blocking or deletion):
- Traceability of data entry, modification and deletion through individual user names.
- Retention of forms from which data has been transferred to automated processing.
- Secure deletion of data
- The following measures ensure the proper deletion of the contractual data:
- Deletion concept
- Use of document shredders (at least level P-4)
- Proper clean-up of data carriers before reuse
- Data protection at the processor's subcontractors
- The following measures ensure that the subcontractors selected by the processor behave in compliance with data protection regulations:
- Selection of subcontractors with due diligence (in particular with regard to data security).
- Conclusion of GDPR-compliant order processing contracts with the subcontractor.
- Securing data during transport and transmission (transfer control)
- The following measures ensure that personal data is protected from unauthorised third parties when it is passed on (physically and/or digitally):
- Encryption of e-mail traffic.
- Encryption of other communication channels.
- Encryption of physical data carriers during transport.
- Data protection and backups (availability and recoverability)
- The following measures ensure that the contractual data is available at all times:
- Backup & recovery concept.
- Testing the data recovery.
- Storage of data backups in a secure, off-site location.
- Fire and smoke detection systems in server rooms.
- Server rooms not under sanitary facilities.
- Other data protection measures
- The following additional data protection measures have been implemented:
- Logical client separation (on the software side).
- Encryption of data records that are processed for the same purpose.
- Separation of productive and test system.
- Review, evaluation and adaptation of existing measures
- The Processor shall review, evaluate and, if necessary, adapt the technical and organisational measures described in this Annex every 12 months and as required.
Annex 3 - List of existing subcontractors at the time of conclusion of the contract
none
Status: July 2024