as principal ("Principal") -
Hildesheimer Street 265-267
Phone: 0511 / 711 09 999
Fax: 0511 / 711 09 996
as contractor ("Contractor") -
conclude the following agreement on commissioned data processing ("Agreement")
1. the purpose, scope, content, place and duration of the processing operation
(a) the purpose of the data processing
The Client and the Contractor have concluded a contract for the provision of services in the field of web hosting, server hosting (stream servers) and domains as well as related IT support against payment ("Contract").
(b) the scope of the processing
The scope of processing includes all types of processing within the meaning of the GDPR for the performance of the contract.
(c) Content of the agreement
The subject matter of the Agreement is the rights and obligations of the Principal and the Contractor (collectively the "Parties") within the scope of the provision of services in accordance with the contract, the service description and the General Terms and Conditions of the Contractor, insofar as there is a processing of personal data by the Contractor as a processor for the Principal in accordance with Article 28 of the GDPR. This includes all activities which the contractor performs for the fulfilment of the order and in which personal data are processed. This also includes such activities that are not expressly mentioned in the contract (with annexes and general terms and conditions of the contractor), but result from the nature of the contract; this also applies if the contract or annexes and general terms and conditions do not expressly refer to this agreement.
(d) the place of processing
The data processing agreed here takes place on servers within the scope of the DSGVO.
(e) Third countries
Transfer of data to third countries or international organisations
If the contract also includes the registration of Internet domains, the Contractor shall transmit data to the responsible registrars. Some registrars are located outside the scope of the GDPR or are international organisations. When transferring and processing personal data, the Contractor will transfer data to the Registrar. When processing, the Contractor shall comply with the obligations provided for in this Agreement. Compliance on the part of the Registrar shall be governed solely by the provisions applicable to the Registrar.
Data at registrars are processed according to the standards and laws applicable to them. The contractor expressly points out that these standards do not always correspond to the high level of protection of the GDPR. Furthermore, certain data is made accessible to the public or to selected third parties in the case of legitimate interests (such as "Whois" databases). Data included here are regularly name/company, address and email address.
The contractor is entitled to transfer personal data to a third country. This is particularly the case if the subject of the contract is the service of a third party provider and the latter provides the service in whole or in part in a third country.
(f) the duration of the processing
The duration of the processing corresponds to the term of the contract until the actual termination of the service provision. The Contractor shall continue to fulfil the obligations beyond the end of the contract until the Client has removed the data included or has been requested to do so or the data has been deleted or handed over to the Client.
(g) Government agencies
The Contractor shall only comply with requests for information from investigating authorities or other authorised state organisations from EU/EEA and third countries if there is a legal obligation to do so (e.g. as a witness).
2. the nature and categories of personal data of data subjects
(a) the nature of the data
The type of data processed is determined by the client through the choice of product, configuration, use of services and transmission of data.
3. responsibility for processing, instructions
The client is solely responsible for compliance with the applicable data protection laws. This includes the sole responsibility for the lawfulness of the data transfer to the contractor as well as for the lawfulness of the data processing (Art. 4 No. 7 DSGVO). This applies to all types and categories of data specified here and the above-mentioned purposes and means of processing.
b) Documented instructions
The Contractor shall comply with the agreed instructions regarding the Client's data processing. Instructions are regularly recorded in the contract including service descriptions and GTCs. They may be modified and supplemented in text form after express confirmation by the other party. In the case of instructions which lead to corresponding additional expenditure, the Contractor shall be entitled to adjust the contract and to charge for the additional expenditure. This does not apply to instructions that already existed when the contract was concluded.
The Contractor shall inform the Client without delay if it is of the opinion that an instruction violates applicable laws. In this case, the Contractor may wait with the application of the instruction until the parties have reached an agreement. If no agreement is reached, the Contractor may terminate the contract.
If instructions conflict with the interests of other customers or cannot be implemented by the contractor with reasonable effort within the framework of the available resources and infrastructure, the contractor may terminate the contract.
4. rights and obligations of the contractor
a) Legal framework
The Contractor shall only process personal data within the scope of the statutory provisions, the contract and the documented instructions of the Client. This includes exceptional cases provided for by law (Art. 28 para. 3 a) DSGVO, obligation under the law of the European Union or a Member State).
b) Technical and organisational precautions
The Contractor shall support the Client as far as possible with suitable technical and organisational measures in fulfilling the claims of the data subjects in accordance with Chapter III of the DSGVO and Section 64 of the BDSG.
The Contractor shall take appropriate technical and organisational measures in its area of responsibility to ensure that the processing is carried out in accordance with the requirements of the GDPR and that the protection of the rights and freedoms of the data subject is guaranteed. The Contractor shall take appropriate technical and organisational measures in its area of responsibility in accordance with Art. 32 DSGVO and Section 64 BDSG to ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing on a permanent basis. The current technical and organisational measures are listed in Annex 2; they may be adapted according to the state of the art, the risk situation, the contractually agreed services and the operational requirements and possibilities within the scope of Art. 32 DSGVO.
The Contractor shall operate a procedure for the regular review of the effectiveness of the technical and organisational measures to ensure the security of the Processing pursuant to Article 32 (1) d) of the GDPR.
The Contractor shall also assist the Client in complying with the obligations referred to in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to him.
The Contractor shall inform the Client without undue delay if it becomes aware of any breaches of the Client's personal data protection. The Contractor shall take the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subjects.
The Contractor shall be entitled to demand reasonable remuneration from the Client for these services, unless the measures are the responsibility of or caused by the Contractor.
The Contractor shall ensure through training, written work instructions and comparable measures that all employees of the Contractor and other persons working for the Contractor are prohibited from processing the Client's personal data outside the scope of the instruction. Furthermore, the Contractor shall ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. Likewise, legal provisions such as the secrecy of telecommunications under the Telecommunications Act and the relevant standards of the Criminal Code shall be observed. These obligations shall apply beyond the end of the contract.
(d) Data Protection Officer
The Contractor shall notify the competent authority of a data protection officer who fulfils his duties in accordance with the requirements of the GDPR and the other legal requirements. A contact option (Annex 3) will also always be provided on the Contractor's website https://www.streampanel.net/kontakt/datenschutz/veröffentlicht.
At the end of the agreement, the Contractor shall delete all data of the Client by default. The Client may request a transfer of the data within the framework of the legal and contractual requirements. This provision does not apply to data that is required for the performance of the contract or the exercise of legitimate interests or for which there is an obligation to store data under Union law or the applicable law of a Member State, or if the respective contractual agreements provide otherwise.
The Contractor may charge a reasonable fee for the work involved in the transfer.
f) Compensation of third parties
If data subjects assert claims for damages or other claims pursuant to Art. 82 DSGVO, the Contractor shall support the Client in defending or fulfilling the claims within the scope of its possibilities. The Contractor may demand reasonable remuneration for this, insofar as it is not responsible for the measure. The liability provisions set out below shall apply (cf. Section 8.).
5. obligations of the client
The Client shall appoint a contact person for data protection (Annex 3). The Client shall inform the Contractor (there: designated contact person for data protection) immediately and in full if it becomes aware of violations or conspicuous features with regard to data protection provisions during the implementation of the Agreement.
In the event of termination, the Client undertakes to delete those personal data stored in the Services prior to termination of the contract, unless restitution or something else has been agreed or the rights of the Contractor or third parties conflict with this.
6. audit procedures
Upon request, the Contractor shall provide the Client with documentation of compliance with the obligations provided for in Art. 28 GDPR within a reasonable period of time and shall enable and assist in audit activities - including inspections - carried out by the Client or third parties commissioned by the Client. The contractor is entitled to request a confidentiality agreement from the client or its auditor. The Contractor may refuse requests for information or audit actions if there are doubts about confidentiality, qualification or other prerequisites relevant to data protection or competition.
Should a data protection supervisory authority or other state supervisory authority of the client (or third parties commissioned by them) carry out an inspection, the above rules shall apply analogously.
In the event of special incidents for which the Contractor is responsible within the meaning of Art. 33 (1) DSGVO in connection with the performance of the commissioned processing for the Client, there shall be no right of refusal. Inspections can only be carried out by agreement within the scope of normal business hours at the Contractor's location without disrupting operations
The Contractor may demand reasonable remuneration for information and support activities. The expenditure for the contractor due to an inspection is generally limited to one day per calendar year.
7. subcontracting agreements with subcontractors / service providers
(a) Selection and right of appeal
The Client grants the Contractor general permission to use further processors within the meaning of Article 28 of the GDPR to fulfil the Agreement. According to the current status, these are hosters and telephone service providers based in the area of application of the GDPR. The other processors currently used are listed in Annex 1. The client agrees to their use.
Other processors are those who provide services that are directly aimed at fulfilling the obligations of the services under the contract. As a rule, these are not: telecommunication services, IT services, or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the personal data, networks, services, data processing equipment and other IT systems. However, the Contractor shall be obliged to enter into appropriate and legally compliant contractual agreements as well as control measures to ensure data protection and data security with regard to the Client's data also in the case of such ancillary services.
The Contractor shall inform the Client in text form if it intends to make a change that is material to the performance of the Agreement or the Contract with regard to the involvement or replacement of further Processors. The Client may object to such changes for an important reason under data protection law. The objection must be submitted in text form without delay.
In the event of an objection, the contractor may remedy or terminate the contract.
(b) Extension of the agreement
The Contractor shall ensure, in the event that further Processors are commissioned, that the obligations arising from the Agreement are of the same nature and are also fulfilled by them in accordance with the scope of services and the possibilities of the Contractor.
The liability provision agreed in the contract together with the annexes shall also apply to claims arising from this agreement and in the internal relationship between the parties for claims of third parties pursuant to Art 82 DSGVO, unless expressly agreed otherwise. The General Terms and Conditions of the Contractor shall apply, in particular § 9 and § 10.
9. contract period, miscellaneous
The agreement begins with the last signature of both parties. It ends with the end of the last contract under between the parties.
The Contractor may amend the Agreement at its reasonable discretion with reasonable notice. The Client shall accept this insofar as the changes are prompted by legal or technical requirements.
The General Terms and Conditions of the Contractor, available at https://www.streampanel.net/kontakt/agb/, shall apply in addition.
In the event of any contradictions in content, the provisions of this agreement on commissioned processing shall take precedence over the provisions of the contract. Should individual parts of this agreement be invalid, this shall not affect the validity of the remaining agreements.