Data Processing Agreement for Linkando Cloud Services
1. Introduction, scope, definitions
- This document ("Agreement on Data Processing for Linkando Cloud Services") is incorporated into the agreement between Linkando GmbH, Ostbahnstr. 17, 76829 Landau ("Contractor") and the customer ("Principal") and is part of a written (also concluded in electronic form) main agreement, the Terms of Use for the Linkando Portal, between Linkando and the Customer. This Agreement governs the rights and obligations of the Customer and the Contractor (hereinafter referred to as the "Parties") in the context of a processing of personal data on behalf of Linkando and its sub-processors in connection with the provision of Cloud Services.
- Annexes 1 and 2 are part of this DPA. They define the technical and organizational measures to be applied as well as the approved sub-service providers.
- This Agreement shall apply to all activities in which employees of the Contractor or subcontractors engaged by the Contractor (subcontractors) process personal data of the Client on the Client's behalf.
- Terms used in this Agreement shall be understood in accordance with their definition in the EU General Data Protection Regulation. In this sense, the client is the "responsible party" and the contractor is the "processor". Insofar as declarations are to be made "in writing" in the following, the written form pursuant to Section 126 of the German Civil Code (BGB) is meant. Otherwise, declarations may also be made in another form, provided that appropriate verifiability is ensured.
2. Subject and duration of processing
2.1. Object
The Contractor shall undertake the following processing operations:
- E-mail communication
- Customer management
- Website operation
- Contact forms
- Chat Tool
- Video Conferences
- Cloud rooms
The processing is based on the Terms of Use (hereinafter "Main Contract") existing between the Parties.
2.2. Duration
Processing shall commence upon the commencement of the Main Contract and shall continue indefinitely until termination of this Agreement or the Main Contract by either Party.
3. The nature, purpose and data subjects of the data processing
3.1. Type of processing
The processing is of the following nature: collection, recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction of data.
3.2 Purpose of the processing
The processing serves the following purpose:
Provision of the Linkando Cloud platform for the client and the associated commercial processing and provision of end user support.
3.3 Type of data
The following data will be processed:
- Salutation
- First and last name
- E-mail address
- Address
- Communication data
- Usage data (IP addresses, login time, login name)
3.4 Categories of data subjects
The following categories of data subjects are affected by the processing:
- Customers of the client
- Interested parties of the client
- Employees of the client
4. Obligations of the contractor
- The Contractor shall process personal data exclusively as contractually agreed or as instructed by the Client, unless the Contractor is legally obliged to carry out a specific processing. If such obligations exist for the Contractor, the Contractor shall notify the Customer thereof prior to the processing, unless the notification is prohibited by law. Furthermore, the Contractor shall not use the data provided for processing for any other purposes, in particular not for its own purposes.
- The Contractor confirms that it is aware of the relevant general data protection regulations. It shall observe the principles of proper data processing.
- The Contractor undertakes to strictly maintain confidentiality during processing.
- Persons who may gain knowledge of the data processed in the order must undertake in writing to maintain confidentiality, insofar as they are not already subject to a relevant confidentiality obligation by law.
- The Contractor warrants that the persons employed by it for processing have been familiarized with the relevant provisions of data protection and this Agreement prior to the start of processing. Corresponding training and awareness-raising measures shall be repeated on an appropriate regular basis. The Contractor shall ensure that persons deployed for commissioned processing are appropriately instructed and monitored on an ongoing basis with regard to compliance with data protection requirements.
- In connection with the commissioned processing, the Contractor shall support the Customer to the extent necessary in fulfilling its obligations under data protection law, in particular in creating and updating the list of processing activities, in carrying out the data protection impact assessment and any necessary consultation with the supervisory authority. The required information and documentation shall be kept available and provided to the Customer without undue delay upon request.
- If the Client is subject to inspection by supervisory authorities or other bodies or if data subjects assert rights against it, the Contractor undertakes to support the Client to the extent necessary, insofar as the processing under the contract is affected.
- The Contractor may only provide information to third parties or the person concerned with the prior consent of the Client. The Contractor shall immediately forward any inquiries addressed directly to it to the Customer.
- To the extent required by law, the Contractor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the data protection officer. In cases of doubt, the Customer may contact the data protection officer directly. The Contractor shall inform the Customer without delay of the contact details of the data protection officer or give reasons why no officer has been appointed. The Contractor shall inform the Customer without delay of any changes in the person or the internal tasks of the data protection officer.
- Order processing takes place exclusively within the EU or the EEA.
- If the Contractor is not established in the European Union, it shall appoint a responsible contact person in the European Union pursuant to Art. 27 of the General Data Protection Regulation. The contact details of the contact person as well as any changes in the person of the contact person shall be notified to the Customer without undue delay.
5. Processing safety
- The data security measures described in Annex 1 are defined as binding. They define the minimum owed by the Contractor. The description of the measures must be made in such detail that a knowledgeable third party can at any time recognize beyond doubt, based on the description alone, what the minimum owed should be. A reference to information which cannot be taken directly from this agreement or its appendices is not permissible.
- The data security measures may be adapted in accordance with the technical and organizational further development as long as the level agreed here is not undercut. The Contractor shall implement any changes required to maintain information security without delay. The Customer shall be notified of any changes without delay. Significant changes shall be agreed between the parties.
- Insofar as the security measures taken do not or no longer meet the requirements of the Customer, the Contractor shall notify the Customer without delay.
- The Contractor warrants that the data processed under the Order will be strictly separated from other data files.
- Copies or duplicates shall not be made without the knowledge of the client. Technically necessary, temporary duplications are excepted, insofar as an impairment of the level of data protection agreed here is excluded.
- The processing of data in private residences is permitted. Insofar as such processing takes place, the Contractor shall ensure that a level of data protection and data security corresponding to this Agreement is maintained and that the Client's control rights specified in this Agreement can also be exercised without restriction in the private apartments concerned. The processing of data on behalf of the Client using private devices is not permitted under any circumstances.
- Dedicated data carriers originating from the Client or used for the Client shall be specially marked and shall be subject to ongoing management. They must be stored appropriately at all times and must not be accessible to unauthorized persons. Inputs and outputs are documented.
- The Contractor shall provide regular evidence of the fulfillment of its obligations, in particular the full implementation of the agreed technical and organizational measures and their effectiveness.
6. Regulations on the correction, deletion and blocking of data
- The Contractor shall only correct, delete or block data processed within the scope of the order in accordance with the contractual agreement reached or in accordance with the Client's instructions.
- The Contractor shall comply with the corresponding instructions of the Customer at any time and also beyond the termination of this Agreement.
7. Subcontracting relationships
- The use of subcontracted processors shall be at the discretion of the Contractor, provided that the Contractor informs the Customer in advance (by email or by posting on the support portal) of any planned additions or replacements within the list of subcontracted processors and the Customer may object to such changes in accordance with the following regulations. The Contractor shall carefully select the subcontractor with particular regard to the suitability of the technical and organizational measures taken by the subcontractor.
- If the Customer has a legitimate reason under data protection law to object to the processing of personal data by the new sub-processors, it may terminate the Agreement by written notice to the Contractor with effect from a date specified by the Customer, but no later than the expiry of thirty days after the date of the Contractor's notification to the Customer of the new sub-processor. If the Client does not terminate the Agreement within this period of thirty days, the new sub-processor shall be deemed approved by the Client.
- Within the thirty-day period from the date of Contractor's notice to Customer informing Customer of the new Subprocessor, Customer may request that the parties meet in good faith to discuss a resolution of the dispute. Such discussions shall not extend the notice period and shall not affect Contractor's right to have the new Subcontractor(s) in service after the expiration of the thirty-day period. Any termination under this section shall be deemed to be without fault on the part of either party and shall be subject to the terms of the Agreement.
- The engagement of subcontractors who do not carry out the commissioned processing exclusively from within the territory of the EU or the EEA is only possible in compliance with the conditions set forth in Chapter 4 (10) and (11) of this Agreement. In particular, it is only permissible to the extent and as long as the subcontractor provides adequate data protection guarantees. The Contractor shall inform the Customer which specific data protection guarantees the subcontractor offers and how proof of this can be obtained. Insofar as currently valid standard contractual clauses based on a decision of the EU Commission (e.g. in accordance with Commission Decision 2010/87/EU) or standard data protection clauses in accordance with Art. 46 GDPR are used as appropriate guarantees, Customer authorizes Contractor, subject to release from the prohibition of double representation in accordance with Section 181 of the German Civil Code (BGB), to take all actions necessary for this purpose and to make and receive declarations of intent vis-à-vis Subcontractor. Furthermore, the Contractor shall be entitled to exercise the rights and powers of the Principal under this Agreement vis-à-vis the Subcontractor.
- The Contractor shall adequately check compliance with the Subcontractor's obligations on a regular basis, at the latest every 12 months. The inspection and its result shall be documented in such a meaningful manner that they are comprehensible to a competent third party. The documentation shall be submitted to the customer without being requested to do so. The Contractor shall keep the documentation on audits performed at least until the end of the third calendar year after the end of the commissioned processing and shall present it to the Customer upon request at any time.
- If the subcontractor fails to comply with its data protection obligations, the contractor shall be liable for this to the customer.
- At present, the subcontractors designated in Annex 2 with name, address and order content are engaged in the processing of personal data to the extent specified therein and approved by the Customer. The other obligations of the Contractor towards subcontractors set forth herein shall remain unaffected.
- Subcontracting relationships within the meaning of this agreement are only those services that have a direct connection with the provision of the main service. Ancillary services, such as transport, maintenance and cleaning as well as the use of telecommunications services or user services are not covered. The Contractor's obligation to ensure compliance with data protection and data security in these cases shall remain unaffected.
8. Rights and obligations of the client
- The client alone is responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.
- The client shall issue all orders, partial orders or instructions in documented form. In urgent cases, instructions may be issued verbally. The client shall immediately confirm such instructions in a documented manner.
- The Client shall inform the Contractor without undue delay if it detects any errors or irregularities in the examination of the results of the order.
- The Customer shall be entitled to monitor the Contractor's compliance with the provisions on data protection and the contractual agreements to a reasonable extent itself or through third parties, in particular by obtaining information and inspecting the stored data and the data processing programs as well as other on-site checks. The persons entrusted with the control shall be granted access and inspection by the Contractor to the extent necessary. The Contractor shall be obliged to provide the necessary information, to demonstrate processes and to provide evidence required to carry out a control. The Contractor shall be entitled to refuse inspections by third parties if they are in a competitive relationship with the Contractor or if there are similar weighty reasons.
- Inspections of the Contractor shall be carried out without avoidable disruption to its business operations. Unless otherwise indicated for urgent reasons to be documented by the Customer, inspections shall take place after reasonable advance notice and during the Contractor's business hours, and not more frequently than every 12 months. Insofar as the Contractor provides evidence of the correct implementation of the agreed data protection obligations as provided for in Chapter 5 (8) of this Agreement, any checks shall be limited to random samples.
9. Notification obligations
- The Contractor shall notify the Client without delay of any violations of the protection of personal data processed on behalf of the Client. Reasonable suspicions thereof shall also be notified. The notification shall be made at the latest within 24 hours of the Contractor becoming aware of the relevant event to an address specified by the Customer. It must contain at least the following information:
  - a description of the nature of the personal data breach, including, to the extent possible, the categories and approximate number of individuals affected and the categories and approximate number of personal data records affected;
  - the name and contact details of the data protection officer or other point of contact for further information;
  - a description of the likely consequences of the personal data breach;
  - a description of the measures taken or proposed by the Contractor to address the personal data breach and, if applicable, measures to mitigate its potential adverse effects.
- Significant disruptions in the execution of the order as well as violations by the Contractor or the persons employed by the Contractor of the provisions of data protection law or the stipulations made in this Agreement shall also be reported immediately.
- The Contractor shall inform the Client without undue delay of inspections or measures by supervisory authorities or other third parties, insofar as these relate to the commissioned processing.
- The Contractor warrants to support the Client in its obligations pursuant to Art. 33 and 34 of the General Data Protection Regulation to the extent necessary.
10. Instructions
- The Customer reserves a comprehensive right to issue instructions with regard to processing on behalf of the Customer.
- The Client and the Contractor shall name the persons exclusively authorized to issue and accept instructions. If no persons authorized to issue instructions are named, only the persons authorized to represent the respective party shall be authorized to issue instructions.
- In the event of a change or long-term prevention of the designated persons, the other party must be informed immediately of successors or representatives.
- The Contractor shall immediately draw the Customer's attention to the fact if, in its opinion, an instruction issued by the Customer violates statutory provisions. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the responsible person at the Customer.
- The Contractor shall document instructions issued to it and their implementation.
11. Termination of the order
- If, upon termination of the contractual relationship, data processed in the order or copies thereof are still in the Contractor's power of disposal, the Contractor shall, at the Client's option, either destroy the data or hand them over to the Client. The Client shall make this choice within 2 weeks of being requested to do so by the Contractor. The destruction shall be carried out in such a way that a recovery of even residual information is no longer possible with reasonable effort. Physical destruction shall be carried out in accordance with DIN 66399.
- The Contractor shall be obligated to ensure the immediate destruction or return by subcontractors as well.
- The Contractor shall provide proof of proper destruction and submit it to the Client without delay.
- Documentation serving as proof of proper data processing shall be kept by the Contractor at least until the end of the third calendar year after the end of the contract. The Contractor may hand them over to the Client for the purpose of discharging the Contractor.
12. Liability
- The Client and the Contractor shall be jointly and severally liable for compensation of damages suffered by a person due to unauthorized or incorrect data processing within the scope of the contractual relationship.
- The Contractor shall bear the burden of proof that any damage is not the result of a circumstance for which it is responsible, insofar as the relevant data was processed by it under this Agreement. As long as this proof has not been provided, the Contractor shall indemnify the Customer upon first request against all claims asserted against the Customer in connection with the commissioned processing. Under these conditions, the Contractor shall also reimburse the Client for all legal defense costs incurred.
- The Contractor shall be liable to the Client for any damage culpably caused by the Contractor, its employees or the subcontractors engaged by it to perform the contract or the subcontractors engaged by it in connection with the provision of the contractual service commissioned.
- Numbers (2) and (3) shall not apply insofar as the damage was caused by the correct implementation of the commissioned service or an instruction issued by the Client.
13. Special right of termination
- The Customer may terminate the Main Agreement and this Agreement at any time without notice ("Extraordinary Termination") if there is a serious breach of data protection regulations or the provisions of this Agreement by the Contractor, the Contractor cannot or will not carry out a lawful instruction of the Customer or the Contractor refuses control rights of the Customer in breach of the Agreement.
- A serious breach shall be deemed to have occurred in particular if the Contractor fails to fulfill or has failed to fulfill to a significant extent the obligations specified in this Agreement, in particular the agreed technical and organizational measures.
- In the event of insignificant violations, the Customer shall set the Contractor a reasonable deadline for remedial action. If the remedy is not provided in time, the Customer shall be entitled to extraordinary termination as described in this section.
- The Contractor shall reimburse the Client for all costs incurred by the Client as a result of the premature termination of the main contract or this Agreement as a result of extraordinary termination by the Client.
14. Miscellaneous
- Both parties are obligated to treat all knowledge of business secrets and data security measures of the respective other party obtained within the framework of the contractual relationship as confidential, even after the termination of the main contract. If there is any doubt as to whether information is subject to the obligation of confidentiality, it shall be treated as confidential until released in writing by the other party.
- If the property of the Customer with the Contractor is endangered by measures of third parties (for example by attachment or seizure), by insolvency or composition proceedings or by other events, the Contractor shall notify the Customer without delay.
- Ancillary agreements must be made in writing and must expressly refer to this agreement.
- The defense of the right of retention within the meaning of § 273 BGB (German Civil Code) is excluded with regard to the data processed in the order and the associated data carriers.
- Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.
Annex 1 - Technical and organizational measures
See page: Technical and organizational measures
Annex 2 - Approved subcontractors
We are happy to send all of our customers a list of our approved subcontractors. Please email us at datenschutz@linkando.com and we will provide you with this information in confidence.