Data protection
of Kassenheld GmbH
SECTION I
Clause 1 – Purpose and scope of application
(a) These standard contractual clauses (hereinafter referred to as “clauses”) are intended to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 of the European Parliament and of the Council of April 27, 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(b) The controllers and processors listed in Annex I have agreed to these clauses to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679.
(c) These clauses apply to the processing of personal data in accordance with Annex II.
(d) Annexes I to IV are an integral part of the clauses.
(e) These clauses apply without prejudice to the obligations to which the controller is subject under Regulation (EU) 2016/679.
(f) These clauses do not in themselves ensure that the obligations relating to international data transfers under Chapter V of Regulation (EU) 2016/679 are met.
Clause 2 – Unalterability of the clauses
(a) The parties undertake not to amend the clauses except to supplement or update the information provided in the annexes.
(b) This does not prevent the parties from incorporating the standard contractual clauses set out in these clauses into a more comprehensive contract and adding further clauses or additional safeguards, provided that these do not directly or indirectly contradict the clauses or restrict the fundamental rights or freedoms of the data subjects.
Clause 3 – Interpretation
(a) Where the terms defined in Regulation (EU) 2016/679 are used in these clauses, these terms shall have the same meaning as in that Regulation.
(b) These clauses must be interpreted in light of the provisions of Regulation (EU) 2016/679.
(c) These clauses may not be interpreted in a way that is contrary to the rights and obligations provided for in Regulation (EU) 2016/679 or that restricts the fundamental rights or freedoms of the data subjects.
Clause 4 – Priority
In the event of any conflict between these clauses and the provisions of any related agreements existing or subsequently entered into or concluded between the parties, these clauses shall prevail.
Clause 5 – Docking clause
(a) An entity that is not a party to these clauses may, with the consent of all parties, accede to these clauses as a controller or processor at any time by completing the annexes and signing Annex I.
(b) After completing and signing the annexes referred to in point (a), the acceding entity shall be treated as a party to these clauses and shall have the rights and obligations of a controller or processor in accordance with its designation in Annex I.
(c) No rights or obligations arising from these clauses shall apply to the acceding entity for the period prior to its accession as a party.
SECTION II
DUTIES OF THE PARTIES
Clause 6 – Description of the processing
The details of the processing operations, in particular the categories of personal data and the purposes for which the personal data are processed on behalf of the controller, are set out in Annex II.
Clause 7 – Obligations of the parties
7.1 Instructions
(a) The processor shall only process personal data on the documented instructions of the controller, unless it is obliged to do so under Union law or the law of a Member State to which it is subject. In such a case, the processor shall inform the controller of these legal requirements prior to processing, unless the law in question prohibits this due to an important public interest. The controller may issue further instructions for the entire duration of the processing of personal data. These instructions must always be documented.
(b) The processor shall inform the controller immediately if it believes that instructions issued by the controller violate Regulation (EU) 2016/679 or applicable data protection provisions of the Union or the Member States.
7.2 Purpose limitation
The processor shall process the personal data only for the specific purpose(s) specified in Annex II, unless it receives further instructions from the controller.
7.3 Duration of the processing of personal data
The data shall only be processed by the processor for the duration specified in Annex II.
7.4 Security of processing
(a) The processor shall take at least the technical and organizational measures listed in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security which, whether accidental or unlawful, leads to the destruction, loss, alteration or unauthorized disclosure of, or unauthorized access to, the data (hereinafter “personal data breach”). In assessing the appropriate level of protection, the parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing and the risks for the data subjects.
(b) The processor shall grant its personnel access to the personal data subject to processing only to the extent strictly necessary for the performance, management and monitoring of the contract. The processor guarantees that the persons authorized to process the personal data received have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
7.5 Sensitive data
If the processing concerns personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, or containing genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health, sex life or sexual orientation of a person, or data relating to criminal convictions and offenses (hereinafter “sensitive data”), the processor shall apply specific restrictions and/or additional safeguards.
7.6 Documentation and compliance with the clauses
(a) The parties must be able to demonstrate compliance with these clauses.
(b) The processor shall deal promptly and appropriately with requests from the controller regarding the processing of data in accordance with these clauses.
(c) The processor shall provide the controller with all information necessary to demonstrate compliance with the obligations set out in these clauses and arising directly from Regulation (EU) 2016/679. At the request of the controller, the processor shall also allow and contribute to an audit of the processing activities covered by these clauses at appropriate intervals or where there are indications of non-compliance. When deciding on a review or audit, the controller may take into account relevant certifications of the processor.
(d) The controller may carry out the audit itself or commission an independent auditor. Audits may include inspections of the processor’s premises or physical facilities and shall be carried out with reasonable prior notice where appropriate.
(e) The parties shall make the information referred to in this clause, including the results of audits, available to the competent supervisory authority(ies) upon request.
7.7 Use of sub-processors
(a) The processor shall not subcontract any of the processing operations that it carries out on behalf of the controller pursuant to these clauses to a sub-processor without the prior separate written consent of the controller. The processor shall submit the request for the separate authorization at least four weeks before the sub-processor concerned is engaged, together with the information required by the controller to decide on the authorization. The list of approved sub-processors can be found in Annex IV. The parties shall keep Annex IV up to date.
(b) Where the processor engages a sub-processor to carry out certain processing activities (on behalf of the controller), such engagement must be by way of a contract which imposes on the sub-processor substantially the same data protection obligations as those which apply to the processor under these clauses. The processor shall ensure that the sub-processor complies with the obligations to which the processor is subject under these clauses and Regulation (EU) 2016/679.
(c) The processor shall provide the controller with a copy of such a subcontracting agreement and any subsequent amendments at the controller’s request. To the extent necessary to protect trade secrets or other confidential information, including personal data, the processor may redact the wording of the agreement before disclosing a copy.
(d) The processor shall be fully liable to the controller for ensuring that the sub-processor fulfills its obligations under the contract concluded with the processor. The processor shall notify the controller if the sub-processor does not fulfill its contractual obligations.
(e) The processor shall agree a third-party beneficiary clause with the sub-processor, according to which the controller – in the event that the processor no longer exists in fact or in law or is insolvent – has the right to terminate the subcontracting agreement and instruct the sub-processor to delete or return the personal data.
7.8 International data transfers
(a) Any transfer of data by the processor to a third country or an international organization shall take place exclusively on the basis of documented instructions from the controller or to comply with a specific provision under Union law or the law of a Member State to which the processor is subject, and must comply with Chapter V of Regulation (EU) 2016/679.
(b) The controller agrees that in cases where the processor uses a sub-processor pursuant to clause 7.7 for the performance of certain processing activities (on behalf of the controller) and where such processing activities involve a transfer of personal data within the meaning of Chapter V of Regulation (EU) 2016/679, the processor and the sub-processor may ensure compliance with Chapter V of Regulation (EU) 2016/679 by using standard contractual clauses adopted by the Commission pursuant to Article 46(2) of Regulation (EU) 2016/679, provided that the conditions for the application of such standard contractual clauses are met.
Clause 8 – Assistance to the controller
(a) The processor shall inform the controller immediately of any request received from a data subject. It shall not respond to the request itself unless it has been authorized to do so by the controller.
(b) Taking into account the nature of the processing, the processor shall assist the controller in fulfilling the controller’s obligation to respond to requests from data subjects to exercise their rights. In fulfilling its obligations under points (a) and (b), the processor shall follow the instructions of the controller.
(c) In addition to the processor’s obligation to assist the controller under Clause 8(b), the processor shall also assist the controller in complying with the following obligations, taking into account the nature of the data processing and the information available to the processor:
- the obligation to carry out an assessment of the impact of the intended processing operations on the protection of personal data (hereinafter “data protection impact assessment”) if a form of processing is likely to result in a high risk to the rights and freedoms of natural persons;
- the obligation to consult the competent supervisory authority(ies) prior to processing if a data protection impact assessment indicates that the processing would result in a high risk, unless the controller takes measures to mitigate the risk;
- the obligation to ensure that the personal data is accurate and up to date, by the processor informing the controller immediately if it discovers that the personal data it is processing is inaccurate or out of date;
- the obligations under Article 32 of Regulation (EU) 2016/679.
(d) The parties shall specify in Annex III the appropriate technical and organizational measures for the processor to assist the controller in the application of this clause and the scope and extent of the assistance required.
Clause 9 – Notification of personal data breaches
In the event of a personal data breach, the processor shall cooperate with and assist the controller to enable the controller to comply with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679, taking into account the nature of the processing and the information available to the processor.
9.1 Breach of the protection of data processed by the controller
In the event of a personal data breach in connection with the data processed by the controller, the processor shall assist the controller as follows:
(a) in notifying the personal data breach to the competent supervisory authority(ies) without undue delay after the controller becomes aware of the personal data breach, where relevant (unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons);
(b) in obtaining the following information to be included in the controller’s notification in accordance with Article 33(3) of Regulation (EU) 2016/679, which must include at least:
- the nature of the personal data, where possible indicating the categories and approximate number of data subjects concerned and the categories and approximate number of personal data records concerned;
- the likely consequences of the personal data breach;
- the measures taken or proposed to be taken by the controller to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter;
(c) in complying with the obligation under Article 34 of Regulation (EU) 2016/679 to notify the data subject without undue delay of a personal data breach where the personal data breach is likely to result in a high risk to the rights and freedoms of natural persons.
9.2 Breach of the protection of data processed by the processor
In the event of a personal data breach in connection with the data processed by the processor, the processor shall notify the controller immediately after becoming aware of the breach. This notification must contain at least the following information:
(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects affected and the approximate number of data records affected);
(b) contact details of a contact point where further information about the personal data breach can be obtained;
(c) the likely consequences and the measures taken or proposed to address the personal data breach, including measures to mitigate its possible adverse effects.
If and to the extent that not all such information can be provided at the same time, the initial notification will contain the information available at that time and further information will be provided as soon as it becomes available without undue delay thereafter.
The parties shall specify in Annex III any other information that the processor must provide to assist the controller in fulfilling its obligations under Articles 33 and 34 of Regulation (EU) 2016/679.
SECTION III
FINAL PROVISIONS
Clause 10 – Breaches of the clauses and termination of the contract
(a) If the processor fails to comply with its obligations under these clauses, the controller may – without prejudice to the provisions of Regulation (EU) 2016/679 – instruct the processor to suspend the processing of personal data until it complies with these clauses or the contract is terminated. The processor shall inform the controller immediately if it is unable to comply with these clauses for any reason whatsoever.
(b) The controller is entitled to terminate the contract insofar as it relates to the processing of personal data in accordance with these clauses if
- the controller has suspended the processing of personal data by the processor in accordance with point (a) and compliance with these clauses has not been restored within a reasonable period and in any event within one month of the suspension;
- the processor materially or persistently breaches these clauses or fails to comply with its obligations under Regulation (EU) 2016/679;
- the processor fails to comply with a binding decision of a competent court or the competent supervisory authority or authorities relating to its obligations under these clauses or Regulation (EU) 2016/679.
(c) The processor shall be entitled to terminate the contract insofar as it relates to the processing of personal data under these clauses if the controller insists on the fulfillment of its instructions after being informed by the processor that its instructions violate applicable legal requirements under Clause 7.1(b).
(d) After termination of the contract, the processor shall, at the choice of the controller, erase all personal data processed on behalf of the controller and certify to the controller that this has been done, or return all personal data to the controller and erase existing copies, unless there is an obligation to store the personal data under Union or Member State law. The processor shall continue to ensure compliance with these clauses until the data is deleted or returned.
Processor:
Kassenheld GmbH
Name:
Address: Zum Lonnenhohl 40, 44319 Dortmund
ANNEX II – Description of the processing
Categories of data subjects whose personal data are processed
Employees of the client and its customers.
Type of processing
Storage, retrieval, consultation, use, comparison, erasure, destruction within the meaning of Art. 4 para. 2 GDPR
Purpose(s) for which the personal data are processed on behalf of the controller
The subject matter of the contract is the administration, support and remote maintenance, as well as all related activities, of the software and hardware (POS systems in the broader sense) of the Client to be supported by the Contractor.
The Client shall only grant the Contractor the access rights it actually requires to carry out the remote maintenance work. It shall ensure that the Contractor can only access stored personal data to the extent that this is absolutely necessary to carry out the remote maintenance work. The Contractor may only make use of the access rights granted to it to the extent absolutely necessary to carry out the remote maintenance work. The Contractor may only extract personal data from the Client’s system by means of file transfer or download for the purposes of error analysis and rectification and copy it to its own system if this is absolutely necessary for troubleshooting or necessary data processing.
The Client is entitled to follow the remote maintenance work from a control screen and to cancel it at any time. Insofar as the Contractor must cooperate in this, it shall ensure that this is possible. Should the Client make use of this, it must notify the Contractor before the start of the remote maintenance. The Contractor must immediately delete personal data received during remote maintenance or return it to the Client if it is no longer required for the performance of the remote maintenance work. Any paper printouts containing personal data provided to the Contractor must be returned by the Contractor immediately after completion of the remote maintenance work.
Duration of processing
Corresponds to the term of the main contract
ANNEX III – Technical and organizational measures, including to ensure the security of data
Description of the specific technical and organizational measures that the processor must take to support the controller:
In detail, the following measures are involved:
Confidentiality (Art. 32 para. 1 lit. b GDPR)
1. Physical access control
The Contractor shall take the following measures, among others, to prevent unauthorized persons from gaining physical access to the data processing systems with which the remote maintenance is carried out:
Access to the offices of the Contractor from which the remote maintenance is carried out is only permitted and possible for employees of the Contractor. The entrances are always locked and can only be opened by authorized persons using keys or cards. Access is secured by a permanently manned reception desk at the entrances during business hours. Visitors are only granted access when accompanied by an employee of the Contractor. Only employees of the Contractor receive access authorization. The existing standard security measures are based on known technologies and follow generally recognized industry best practices.
2. System access control
The Contractor shall take the following measures, among others, to prevent data processing systems from being used by unauthorized persons:
In the case of remote maintenance, the connection or activation can be established or released by the Contractor after prior agreement to ensure that no unauthorized dial-in attempts can take place. Once the maintenance work has been completed, this connection must be deactivated again. The Contractor uses an authentication process for this purpose. In the case of remote maintenance of hardware and software in relation to workstations of individual employees of the Client, the connection or activation (after an authentication process) can only ever be established or released by the Client (e.g. by means of a call-back procedure) to ensure that no unauthorized dial-in attempts can take place. Once the maintenance work has been completed, this connection must be deactivated again. The Contractor uses an authentication process for this purpose. In the case of remote maintenance of hardware and software on servers and server systems, preferably, but not exclusively, in the evening or at weekends, the Contractor shall notify the Client of the start of the remote access by e-mail or by telephone with confirmation by e-mail, in order to give the Client the opportunity to document and track the Contractor’s actions during the remote access, to take any necessary technical and organizational measures (e.g. for security) and to monitor the process. The Contractor has a firewall configuration rule that defines the acceptable ports that may be used for remote maintenance. Only required ports and services are open. Access to change the firewall configuration is restricted to the internal security operations team. The security operations team regularly reviews critical firewall rules.
3. Data access control
The Contractor shall take the following measures, among others, to ensure that the persons authorized to use a data processing system can only access the data covered by their access authorization and that stored data or data being processed cannot be read, copied, modified or removed without authorization:
Remote maintenance work may only be started if the Contractor’s remote maintenance personnel have logged in with a user ID and password. The security level of the password is checked by the Contractor and the password may be rejected as too “weak”. Inadmissible attempts to guess a user ID or password are made more difficult by delaying the response or by blocking the IP or TeamViewer ID. Passwords are only saved after conversion using one-way functions (hash functions). Access to the converted password data is secured by authorization concepts (see no. 1 and no. 2 above) and is only permitted to employees with the corresponding responsibility. The Client is entitled to follow the remote maintenance work from a control screen and to cancel it at any time. Insofar as the Contractor must cooperate in this, it shall ensure that this is possible.
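The password-storage and guess-throttling measures described above, as an added Python illustration that is not Kassenheld GmbH’s code: passwords are kept only as the output of a salted one-way function (PBKDF2-HMAC-SHA256 here), each failed attempt from a source such as an IP or remote-support ID slows the next response, and the source is blocked once a threshold is reached. The work factor, the thresholds, the in-memory bookkeeping and the user IDs are assumptions made for the example.

```python
"""Password storage via a one-way function plus throttling of guessing
attempts, illustrating the data access control above. Added example, not
Kassenheld GmbH's code; work factor and thresholds are assumed values."""
import hashlib
import hmac
import os
import time
from typing import Callable, Dict, Optional

HASH_ITERATIONS = 600_000        # PBKDF2 work factor (assumed value)
MAX_FAILURES_BEFORE_BLOCK = 5    # assumed: block the source after this many failures
BASE_DELAY_SECONDS = 0.5         # assumed: delay grows with each failure from a source


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a storable record; only the salted one-way transform is kept."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, HASH_ITERATIONS)
    return f"pbkdf2_sha256${HASH_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the transform with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


# Record used for unknown user IDs so that a lookup miss costs the same time as
# a real verification and the response time does not reveal which IDs exist.
_DUMMY_HASH = hash_password("placeholder-not-a-real-password")


class LoginGuard:
    """Tracks failed attempts per source (client IP or remote-support ID),
    delays responses as failures accumulate, then blocks the source."""

    def __init__(self, users: Dict[str, str], sleep: Callable[[float], None] = time.sleep):
        self.users = users                 # user ID -> stored password record
        self.failures: Dict[str, int] = {}  # source -> consecutive failures
        self.blocked = set()
        self._sleep = sleep                # injectable so tests need not wait

    def attempt(self, source: str, user_id: str, password: str) -> str:
        if source in self.blocked:
            return "blocked"
        stored = self.users.get(user_id)
        matched = verify_password(password, stored if stored is not None else _DUMMY_HASH)
        if stored is not None and matched:
            self.failures.pop(source, None)
            return "ok"
        count = self.failures.get(source, 0) + 1
        self.failures[source] = count
        if count >= MAX_FAILURES_BEFORE_BLOCK:
            self.blocked.add(source)
            return "blocked"
        self._sleep(BASE_DELAY_SECONDS * count)   # slow down further guesses
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard({"tech01": hash_password("correct horse battery staple")})
    print(guard.attempt("10.0.0.5", "tech01", "wrong"))                          # denied
    print(guard.attempt("10.0.0.5", "tech01", "correct horse battery staple"))   # ok
```

The failure counter is keyed by source rather than by user so that a single misconfigured client does not lock the maintenance account itself; a production deployment would persist the counters and expire blocks after a defined period.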
4. Separation control
The Contractor shall take the following measures, among others, to ensure that data collected for different purposes can be processed separately: processing takes place on server systems that are logically separated in the network by a system of logical and physical access controls.
5. Pseudonymization (Art. 32 para. 1 lit. a GDPR; Art. 25 para. 1 GDPR)
The Contractor shall ensure that the processing of personal data is carried out in such a way that the data can no longer be attributed to a specific person without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures.
Integrity (Art. 32 para. 1 lit. b GDPR)
6. Transfer control
The Contractor shall take the following measures, among others, to ensure that data cannot be read, copied, modified or removed without authorization during electronic transmission, transport or storage on data carriers, and that it is possible to check and determine where data is to be transmitted by data transmission equipment:
The Contractor may only remove personal data from the Client’s system by means of a file transfer or download for the purposes of error analysis and rectification and copy it to its own system if this is necessary for those purposes. The Contractor shall inform the Client prior to such a file transfer. Data transmissions are encrypted and signed. Access to the Client’s systems is subject to effective access controls, see no. 3 above. The Contractor shall immediately delete personal data obtained during remote maintenance if it is no longer required for the performance of the remote maintenance work. Any paper printouts containing personal data provided to the Contractor shall be returned or destroyed by the Contractor immediately after completion of the remote maintenance work.
7. Input control
The Contractor and the Client shall take the following measures, among others, to ensure that it is subsequently possible to check and determine whether and by whom data has been entered, changed or removed in data processing systems: the Client shall automatically log the Contractor’s remote maintenance activities with date, time and user ID, review the logs and retain them for one year. In the case of particularly critical actions, the entire dialog should be logged so that it can later be seen which data was accessed.
The log databases are regularly evaluated automatically for indications of misuse using programs developed in-house for this purpose and are checked manually on a random basis.
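The automated log evaluation described above, as an added Python illustration that is neither Kassenheld GmbH’s nor any client’s in-house program: it parses constructed remote-maintenance log lines carrying date, time and user ID, discards entries older than the one-year retention period, and flags sessions that deviate from the procedure agreed in this annex (a server session without prior announcement, a connection that was never deactivated, a file transfer that was not notified to the Client beforehand). The line format, the event names, the session IDs and the sample entries are assumptions constructed for the example.

```python
"""Automated review of remote-maintenance activity logs for indications of
misuse, illustrating the input-control measure above. Added example, not
Kassenheld GmbH's or a client's code; log format, event names and the
review rules are assumptions."""
import re
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Assumed log line format: date, time, user ID, session ID, action, optional detail
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) user=(?P<user>\S+) "
    r"session=(?P<sid>\S+) action=(?P<action>\S+)(?: (?P<detail>.*))?$"
)
RETENTION = timedelta(days=365)   # the annex requires one year of log retention

# Constructed sample log: S1 follows the agreed procedure, S2 does not,
# S0 is older than the retention period, and one line is malformed.
SAMPLE_LOG = """\
2024-03-04 21:50:00 user=tech01 session=S1 action=announce channel=email
2024-03-04 22:01:12 user=tech01 session=S1 action=session_start host=pos-srv-01
2024-03-04 22:10:45 user=tech01 session=S1 action=notify_transfer file=journal.db
2024-03-04 22:11:02 user=tech01 session=S1 action=file_transfer file=journal.db
2024-03-04 22:40:00 user=tech01 session=S1 action=session_end host=pos-srv-01
2024-03-06 09:14:33 user=tech02 session=S2 action=session_start host=pos-srv-02
2024-03-06 09:20:10 user=tech02 session=S2 action=file_transfer file=customers.csv
2022-01-15 08:00:00 user=tech03 session=S0 action=session_start host=pos-srv-01
this line is malformed and is skipped by the parser
"""


def parse_log(text: str) -> List[dict]:
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole review
        entry = m.groupdict()
        entry["ts"] = datetime.strptime(entry["ts"], "%Y-%m-%d %H:%M:%S")
        entries.append(entry)
    return entries


def apply_retention(entries: List[dict], now: datetime) -> List[dict]:
    """Keep only entries within the one-year retention window."""
    return [e for e in entries if now - e["ts"] <= RETENTION]


def review(entries: List[dict]) -> List[Tuple[str, str]]:
    """Return (session, finding) pairs for deviations from the agreed procedure:
    a session must be announced, must be closed again, and every file
    transfer must have been notified to the client beforehand."""
    sessions: Dict[str, List[dict]] = {}
    for e in entries:
        sessions.setdefault(e["sid"], []).append(e)
    findings: List[Tuple[str, str]] = []
    for sid, events in sessions.items():
        actions = [e["action"] for e in events]
        if "session_start" in actions and "announce" not in actions:
            findings.append((sid, "session started without prior announcement"))
        if "session_start" in actions and "session_end" not in actions:
            findings.append((sid, "connection not deactivated after maintenance"))
        for i, e in enumerate(events):
            if e["action"] != "file_transfer":
                continue
            notified = any(
                p["action"] == "notify_transfer" and p["detail"] == e["detail"]
                for p in events[:i]
            )
            if not notified:
                findings.append((sid, f"file transfer without prior notice ({e['detail']})"))
    return findings


def review_log(text: str, now_str: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Parse, prune to the retention window and review; returns (kept, findings)."""
    now = datetime.strptime(now_str, "%Y-%m-%d %H:%M:%S")
    kept = apply_retention(parse_log(text), now)
    return len(kept), review(kept)


if __name__ == "__main__":
    kept, findings = review_log(SAMPLE_LOG, "2024-03-10 00:00:00")
    print(f"{kept} entries within retention")
    for sid, finding in findings:
        print(sid, finding)
```

Findings from such a run are what the manual random checks mentioned in the annex would start from; entries pruned by the retention rule are dropped from the review input rather than from the log store itself, which is a separate deletion step.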
Availability and resilience (Art. 32 para. 1 lit. b GDPR) and rapid recoverability (Art. 32 para. 1 lit. c GDPR)
8. Availability control
The Contractor shall take the following measures, among others, to ensure that data is protected against accidental destruction or loss: not applicable for remote maintenance.
Procedures for regular review, assessment and evaluation (Art. 32 para. 1 lit. d GDPR) and data protection management (Art. 25 para. 1 GDPR)
- Data protection management;
- Incident response management;
- Data protection-friendly default settings (Art. 25 para. 2 GDPR).
9. Order control
The Contractor and the Client shall take the following measures, among others, to ensure that data can be processed in accordance with the instructions:
The Client shall only grant maintenance/remote maintenance access to the extent that is absolutely necessary for troubleshooting (principle of least privilege). The Client shall ensure that, as far as possible, no functions are activated during maintenance or remote maintenance that permit the transfer or evaluation of Client data. If a transfer of personal data is absolutely necessary, this data may only be stored temporarily by the Contractor. Improper access to other computers in the network must be prevented by the Client.
The Contractor shall only make use of the access rights granted to it to the extent absolutely necessary for the performance of the remote maintenance work.
ANNEX IV – List of sub-processors
| Company (sub-processor) | Address/Country | Description of the partial service taken over |
| --- | --- | --- |
| fiskaly Germany GmbH | Zeilweg 42, 60439 Frankfurt am Main | Software-supported or cloud-based solutions for fiscalization, i.e. the tamper-proof electronic recording and archiving of business transactions |
| Tecoyo UG (limited liability) | Aussigstr. 11 | Hosting & development |
| Stripe Payments Europe, Limited (SPEL) | Aussigstr. 11 | Payment processing/settlement |