concluded between the licensee named in the offer
(hereinafter referred to as the "Controller")
and in-manas: intelligent management solutions GmbH
FN 456942 z
Bienerstraße 4, 6020 Innsbruck
(hereinafter referred to as the "Processor")
1. PREAMBLE
1.1 This Agreement forms the legal basis, pursuant to Art. 28(3) of the General Data Protection Regulation ("GDPR"), for the processing of personal data provided by the Controller to the Processor.
2. SUBJECT MATTER AND DURATION OF THE PROCESSING
2.1 The subject of this Agreement is the performance of the following tasks by the Processor on behalf of the Controller: licensing and operation of the in-manas software solution in accordance with the licence agreement concluded between the Controller and the Processor.
2.2 This Agreement is concluded for the term of the licence agreement between the parties referred to in point 2.1. It therefore ends automatically at the time at which that licence agreement ends.
3. NATURE AND PURPOSE OF PROCESSING
3.1 The data provided by the Controller is processed both automatically and manually. The processing is carried out for the purpose of the technical and substantive provision by the Processor of the services provided for in the licence agreement referred to in point 2.1. Against this background, the purpose and scope of the processing can be summarised as follows:
3.1.1 The purpose of the software licensed by the Processor is to collect ideas from natural persons (typically employees) and to discuss, summarise and evaluate them. The specific purpose of the software is set out by the Controller, in accordance with any works agreements, before the first participants are invited, and is displayed on the platform for all participants to see. For this purpose, conditions of participation are available which can be edited and are accessible to all participants.
3.1.2 The scope of collection and processing is limited to the persons named on the closed platform. Processing includes the display of this data on screen, data exports for the administrator(s) of the platform and the sending of e-mails to users of the platform.
3.2 In principle, the data processing provided for under this Agreement shall be carried out only in a member state of the European Union or of the European Economic Area.
3.3 Any transfer of data to a state that is not a member state of the European Union or of the European Economic Area may be carried out only if (i) this has been expressly agreed between the parties or otherwise approved by the Controller and (ii) the requirements of Art. 44 et seq. GDPR are met. In this case, the Processor shall inform the Controller in writing of how an adequate level of data protection enabling the transfer is ensured in the country concerned.
4. NATURE OF PERSONAL DATA
4.1 The Controller shall provide the following personal data for processing on its behalf in accordance with this Agreement:
4.1.1 Personal master data and communication data (name, e-mail address);
4.1.2 Data relating to submitted ideas, comments on and ratings of ideas, and questions and answers from surveys;
4.1.3 Contract master data, contract billing and payment data of the Controller.
5. CATEGORIES OF DATA SUBJECTS
5.1 Processing under this Agreement covers the following categories of data subjects:
5.1.1 Employees and staff of the Controller;
5.1.2 Customers, prospective customers, suppliers, sales representatives and contact persons;
5.1.3 Sublicensees of the Controller and the employees and staff of such sublicensees.
6. OBLIGATIONS OF THE CONTROLLER
6.1 The Controller declares that:
6.1.1 the processing of the personal data provided to the Processor, including the provision of such data to the Processor, has been and shall continue to be carried out in accordance with the relevant provisions of applicable law (in particular data protection law and labour law);
6.1.2 it has instructed and will continue to instruct the Processor, throughout the duration of the data processing services, to process the personal data provided only on behalf of the Controller and in compliance with applicable law;
6.1.3 it will immediately and fully inform the Processor if it discovers errors or irregularities in the processing results with regard to data protection provisions;
6.1.4 it shall fulfil its obligations towards data subjects in accordance with the applicable legal situation.
7. PROCESSING SECURITY
7.1 Within its area of responsibility, the Processor shall take and document technical and organisational measures to ensure a level of protection appropriate to the risk in accordance with Art. 32 GDPR.
7.2 The measures currently implemented by the Processor to ensure the security of processing in accordance with Art. 32 GDPR are described in Annex 1.
7.3 The technical and organisational measures are subject to technical progress and further development. The Processor shall be entitled to implement alternative adequate measures, provided that the level of security of the measures specified in Annex 1 is not undercut.
8. DUTIES OF THE PROCESSOR
8.1 The processor shall process personal data only on documented instructions from the controller, including with regard to the transfer of personal data to a third country or international organisation, unless required to do so by Union or national law to which the processor is subject, in which case the processor shall notify the controller of these legal requirements prior to processing, unless the law concerned prohibits such notification for an important public interest.
8.2 The Processor shall ensure that the persons authorised to process the personal data are bound to confidentiality or are subject to an appropriate statutory obligation of secrecy, and that they process the personal data, in accordance with Art. 32(4) GDPR, only on the instructions of the Controller, unless they are required to do so under Union or Member State law.
8.3 At the request of the Controller, the Processor shall, in accordance with Art. 28(3)(f) GDPR, assist in the preparation of a data protection impact assessment and, where appropriate, in the prior consultation of the supervisory authority. At the request of the Controller, the Processor shall cooperate in the compilation and updating of the Controller's record of processing activities in so far as the documentation of technical and other measures is concerned.
8.4 The Processor shall support the Controller as far as possible, by suitable technical and organisational measures, in fulfilling its obligation to respond to requests to exercise the data subject rights set out in Chapter III GDPR. If a data subject approaches the Processor to assert one of the rights set out in Chapter III GDPR, the Processor shall refer the data subject to the Controller, provided that the data subject's details make it possible to attribute the request to the Controller. The Processor shall not be liable if the data subject's request is not answered, not answered correctly or not answered in time by the Controller.
8.5 The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to it.
8.6 The Processor shall continuously monitor its data processing procedures and systems for compliance with data protection regulations and shall document this monitoring. Upon request, the Processor shall provide the Controller with this documentation as proof of sufficient guarantees.
8.7 The Processor shall inform the Controller of any suspected personal data breach as well as of any inspections and measures taken by the supervisory authority. The Processor is aware that the Controller is obliged to document comprehensively all personal data breaches and, where necessary, to notify the supervisory authority within 72 hours and to communicate the breach to the data subjects. In such a case, the Processor shall support the Controller in complying with its notification obligations and, in particular, provide the information specified in Art. 33(3) GDPR.
8.8 After termination of the contract referred to in point 2.1, the Processor shall, at the option of the Controller, either delete or return the personal data provided and the works derived from it, unless there is an obligation to store them under Union or Member State law.
8.9 If the statutory requirements are met, the Processor shall appoint a Data Protection Officer and notify the Controller thereof. Any change of the Processor's Data Protection Officer or of its contact person for information security matters shall be notified to the Controller in writing without delay.
8.10 The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set out in this Article and shall allow and contribute to audits, including inspections, conducted by the Controller or by another auditor mandated by the Controller.
8.11 The data shall be handled exclusively within the framework of the agreements made and in accordance with the instructions of the Controller. The standards contractually agreed in the context of the engagement, including the user documentation and the general terms and conditions of the Processor, determine the scope of the instructions. The Processor shall inform the Controller without delay if it considers that an instruction from the Controller infringes Union or Member State data protection law. However, the mere acceptance of an instruction by the Processor does not constitute an assessment of whether or not it infringes data protection law. The Processor is entitled to suspend compliance with such an instruction until it has been confirmed or amended by the Controller.
9. CONTROL RIGHTS OF THE CONTROLLER
9.1 The Controller shall be entitled to carry out inspections in consultation with the Processor or to have them carried out by inspectors named in the individual case. If inspections by the Controller or by an inspector appointed by the Controller are necessary in an individual case, they shall be carried out during normal business hours, without disrupting operations, after notification with a reasonable lead time. The Processor may make such inspections conditional on prior notification with an appropriate lead time and on the signing of a confidentiality agreement with regard to the data of other customers and the technical and organisational measures implemented. If the inspector appointed by the Controller is a competitor of the Processor, the Processor shall have the right to object.
9.2 The Processor shall ensure that the Controller can satisfy itself that the Processor complies with its obligations under Art. 28 GDPR. The Processor undertakes to provide the Controller with the necessary information on request and, in particular, to demonstrate the implementation of the technical and organisational measures.
9.3 Proof of such measures, in so far as they do not concern only the specific engagement, may be provided by:
9.3.1 compliance with approved codes of conduct in accordance with Art. 40 GDPR;
9.3.2 certification in accordance with an approved certification procedure under Art. 42 GDPR;
9.3.3 current attestations, reports or report extracts of independent bodies (e.g. auditors, internal audit, data protection officer, IT security department, data protection auditors, quality auditors);
9.3.4 appropriate certification by an IT security or data protection audit.
9.4 The Processor may claim remuneration for enabling inspections by the Controller.
10. SUB-PROCESSOR
10.1 The Processor may use sub-processors for the performance of its processing activities, provided that the provisions of the GDPR (in particular Art. 28(2) and (4) GDPR) are complied with.
10.2 The same data protection obligations as laid down in this Agreement shall be imposed on the sub-processor by way of a contract or other legal instrument under Union or Member State law, in particular by providing sufficient guarantees that appropriate technical and organisational measures are implemented in such a way that the processing meets the requirements of the GDPR.
10.3 The Processor currently uses the following sub-processors:
Name | Address | Service
Hyve | |
10.4 By entering into this Agreement, the Controller confirms that it raises no objection to the sub-processors listed in point 10.3.
10.5 In accordance with Art. 28(2) GDPR, the Controller has the right to object to any intended addition or replacement of sub-processors. For this purpose, the Processor shall inform the Controller at least 30 days before a new sub-processor is engaged. An objection must be made within 10 working days.
11. LIABILITY
11.1 The Controller and the Processor shall be liable towards third parties pursuant to Art. 82(1) GDPR for material and non-material damage suffered by a person as a result of an infringement of the GDPR. If both the Controller and the Processor are responsible for such damage under Art. 82(2) GDPR, the parties are liable for this damage in their internal relationship in proportion to their respective share of responsibility. If in such a case a person claims damages from one party in whole or in part, that party may demand indemnification or contribution from the other party to the extent that this corresponds to the other party's share of responsibility.
12. GENERAL PROVISIONS
12.1 This agreement contains all agreements between the parties with regard to the subject matter of the contract. There are no oral or written agreements outside of this agreement. This agreement replaces and cancels all previous oral and written agreements of the parties with regard to the subject matter of the agreement.
12.2 Subsidiary agreements or amendments to this agreement - including this written form clause - must be in writing.
12.3 References to laws, regulations, documents and annexes shall apply to the laws, regulations, documents and annexes as amended from time to time, including any amendments after the date of the Contract, unless expressly provided otherwise.
12.4 This Agreement shall be governed by the law of the Republic of Austria, to the exclusion of the UN Convention on Contracts for the International Sale of Goods (CISG). The international place of jurisdiction is Austria; the local place of jurisdiction is the registered office of the Processor.
12.5 Should individual provisions of this agreement be or become invalid or impracticable, the validity of the remaining parts shall not be affected. In such a case, the parties undertake to replace the invalid or unenforceable provision with one that comes as close as possible to the intended purpose in a legally permissible manner. The same applies in the event of loopholes in the regulations.
Date and signature according to offer and order confirmation | Processor
Date and signature according to offer and order confirmation | Controller
ANNEX 1: TECHNICAL AND ORGANISATIONAL MEASURES
The in-manas system itself is developed at IN-MANAS in the company building and, after testing with artificially generated data on internal servers, is imported into the environment in the data centre. The production system (data centre), test system (data centre) and development system (IN-MANAS) are operated separately. Updates are normally rolled out in stages.
The virtualised server infrastructure is provided by Configo Systems GmbH (Hilpertstrasse 3, 64295 Darmstadt, Germany).
The data centre complies with the international standards for IT security ISO 27001:2005 and quality management ISO 9001:2008. Only Global Switch customers have access to the data centre, and an official identification document must be deposited at reception for the duration of the visit.
2.1 CUSTOMER PLATFORM (IN-MANAS.COM)
Data traffic is secured via HTTPS.
2.2 IN-MANAS SERVER IN THE DATA CENTRE (LIVE & TEST)
Only the IN-MANAS system administrators responsible for the project have administrative access to the servers. Access is possible for the system administrators only in the following way:
Database access: the MySQL database of the in-manas platform is accessible only via the IN-MANAS intranet. Access to this web interface is restricted to the IN-MANAS System Administration Team and the developer responsible for the platform.
2.3 IN-MANAS INTERNAL SYSTEMS
2.4 ACCESS CONTROL
The following minimum configuration of the authorisation concept and access rights as well as their monitoring and logging is given:
2.5 IN-MANAS: CUSTOMER PLATFORM
2.6 IN-MANAS INTERNAL SYSTEMS, TEST AND PRODUCTION SYSTEMS
3. TRANSFER CONTROL
The following minimum measures are to be taken during transport, transfer and transmission or storage on data carriers (manual or electronic) and during subsequent inspection:
3.1 IN-MANAS: CUSTOMER PLATFORM
3.2 IN-MANAS INTERNAL SYSTEMS, TEST AND PRODUCTION SYSTEMS
Encryption for updates
All data carriers that store personal data, in particular those holding the web server data and the databases, are AES-256 encrypted. Backups that are transferred to a third-party system for additional protection are encrypted with a separate AES-256 key that is used only for the corresponding in-manas platform, and are transferred via SFTP over an SSHv2 connection.
4. INPUT CONTROL
The following measures for subsequent verification of whether and by whom data has been entered, modified or removed (deleted) are in place as a minimum.
4.1 IN-MANAS: CUSTOMER PLATFORM
5. ORDER CONTROL
The following measures (technical and organisational) for delimiting the responsibilities of the Controller and the Processor are in place as a minimum.
IN-MANAS collects and processes personal data only to the extent necessary for the engagement. For control purposes, the Controller receives, after consultation, regular reports on the data collected and its processing. For verification by the Controller, the relevant server logs can be transmitted to it.
6. AVAILABILITY CONTROL
The following measures for data backup (physical / logical) are in place as a minimum:
Furthermore, in order to protect personal data from being destroyed in any other way, backups are carried out according to the following plan:
The servers of the in-manas platform are monitored 24/7 by a monitoring system. In the event of a failure, the responsible project manager and the IN-MANAS System Administration Team are notified of the failure by e-mail and SMS. Response times correspond to the working hours of the responsible IN-MANAS System Administration Team (Mon-Fri 9am-6pm), unless otherwise agreed with the project manager.
7. SEPARATION CONTROL
The following minimum separation measures are in place.