Do you want to view this page in English?Yes
Möchten Sie diese Seite auf Deutsch lesen?Ja
Voulez-vous lire cette page en français?Yes

Data Processing Agreement

Order Processing Agreement between Seriotec GmbH and the Customer (together also: "the Parties").
Supplementary Contractual Terms and Conditions for the Order Processing of Seriotec GmbH, Wolfratshauser Straße 157 c, 81479 Munich, Germany


On the basis of the contract between Seriotec GmbH and the Customer regarding the use of the cloud-based software solution "YAMDU" operated by Seriotec, Seriotec (hereinafter: "Contractor") processes, within the scope of the fulfillment of the contractually agreed services, on behalf and on the instructions of the Customer (hereinafter: "Customer") as a so-called order processor, personal data of third parties which the Customer stores on the platform of the order processor within the scope of the use of YAMDU. In order to specify the rights and obligations arising from this commissioned processing relationship in accordance with the legal obligations under Art. 28 DSGVO, the Client and the Contractor agree on the following terms and conditions for commissioned processing for the cloud-based software solution "YAMDU" operated by the Contractor.

1. Subject matter and duration of the Order or Contract

The subject matter of the order results from the confirmed offer between the parties on the basis of the Terms of Use and the license agreement of the Supplier for the use of YAMDU (hereinafter performance agreement) and will continue to run as long as the Supplier provides services in accordance with the service agreement for the Client.

2. Specification of the Order or Contract Details

2.1 The nature and purpose of the processing of personal data by the Supplier for the Client are specifically described in the service agreement and essentially relate to the data stored and processed by the client in the web-based production management platform "YAMDU."

2.2 The type of processed personal data used is as follows: Name, address, e-mail address, telephone number, contact details and other data stored by the client in YAMDU.

2.3. The categories of data subjects are as follows, but not exhaustively: Employees, freelance employees of the Client, service providers and contractual partners of the Client, actors, crew members.

3. Technical and Organisational Measures

3.1 The Supplier will, in his area of responsibility, design the in-house organization in such a way that it meets the special requirements of data protection. He will take technical and organizational measures to adequately protect the data of the client, which meet the requirements of the General Data Protection Regulation (Art. 32 GDPR). The Supplier shall take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis. The technical and organizational measures of the contractor are attached to this agreement as Annex 1. The Client is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed.

3.2 The Technical and Organisational Measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.

3.3 The Contractor shall ensure that a strict separation is maintained between the data processed in the order and other data files. The Customer shall have the right to conduct a review of the technical and organizational measures implemented and thus the level of protection at any time. He shall inform the Contractor about this review with an appropriate lead time.

4. Responsibility, Rectification, restriction and erasure of data

4.1 The Contractor shall process personal data on behalf of and exclusively in accordance with the Client's instructions, unless it is required by law to process the data otherwise. This shall include the activities conclusively described in Section 2 for the purpose agreed between the parties. Within the scope of this agreement, the Principal shall be responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of the data processing ("Controller" within the meaning of Art. 4 No. 7 DS-GVO).

4.2 The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client. Insofar as a Data Subject contacts the Supplier directly concerning a rectification, erasure, or restriction of processing, the Supplier will immediately forward the Data Subject’s request to the Client.

4.3 To the extent covered by the scope of services, the deletion concept, right to be forgotten, correction, data portability and information shall be ensured directly by the Contractor in accordance with documented instructions of the Customer and shall be presented upon request of the Customer.

5. Quality assurance and other duties of the Supplier

In addition to complying with the rules set out in this Order or Contract, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:

  1. Appointed Data Protection Officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR. The Client shall be informed of his/her contact details for the purpose of direct contact. The Client shall be informed immediately of any change of Data Protection Officer.
  2. Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Supplier entrusts only such employees with the data processing outlined in this contract who have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data, shall not process that data unless on instructions from the Client, which includes the powers granted in this contract, unless required to do so by law.
  3. Implementation of and compliance with all Technical and Organisational Measures necessary for this Order or Contract in accordance with Article 28 Paragraph 3 Sentence 2 Point c, Article 32 GDPR [details in Appendix 1].
  4. The Client and the Supplier shall cooperate, on request, with the supervisory authority in performance of its tasks.
  5. The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Order or Contract. This also applies insofar as the Supplier is under investigation or is party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the processing of personal data in connection with the processing of this Order or Contract.
  6. Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a Data Subject or by a third party or any other claim in connection with the Order or Contract data processing by the Supplier, the Supplier shall make every effort to support the Client.
  7. The Supplier shall periodically monitor the internal processes and the Technical and Organizational Measures to ensure that processing within his area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
  8. Verifiability of the Technical and Organisational Measures conducted by the Client as part of the Client’s supervisory powers referred to in item 7 of this contract.
  9. The processing and use of the data on behalf of the Customer shall take place exclusively within the territory of the European Union or in a member state of the European Economic Area. A transfer to a third country requires the prior consent of the Principal. Furthermore, the conditions contained in Art. 44 et seq. EU-DSGVO must be observed by the contractor.

6. Subcontracting

6.1 Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client's data, even in the case of outsourced ancillary services.

6.2 The Supplier may only commission subcontractors (other processors) to operate the application after prior explicit written or documented consent of the Client. The outsourcing to subcontractors or the replacement of the existing subcontractor are permissible insofar as:

a) the contractor indicates such outsourcing to subcontractors in due time in writing or in writing to the contracting authority; and

b) the client does not object to the planned outsourcing in writing or in text form by the time the data is handed over to the contractor, and

c) a contractual agreement in accordance with Art. 28 para. 2-4 GDPR is used.

6.3 The transfer of personal data of the client to the subcontractor and its initial action are only permitted if all conditions for subcontracting have been met. By signing this Agreement, the Principal authorizes the sub-contracting of Microsoft Corporation, One Microsoft Way, Redmond, WA 98052-6399, USA, in particular for cloud and hosting services ("Microsoft Azure", data being stored exclusively on servers within the EU / EEA).

6.4 If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU Data Protection Regulations by appropriate measures. The same applies if service providers are to be used within the meaning of Paragraph 6.1 Sentence 2.

6.5 All contractual regulations in the contractual chain shall also be imposed on the further subcontractor. It shall be incumbent on the Contractor to assign its obligations under this contract to the subcontractor. This applies in particular to requirements for confidentiality, data protection and data security between the parties to this contract. In particular, the requirements as set forth in Clauses 4 and 5 of this Agreement shall also be observed by the Contractor. Any examination by the Customer of the subcontractor shall only take place in coordination with the Contractor.

6.6 The Contractor shall enter into written agreements with the Subcontractor to the extent necessary to ensure an appropriate level of data protection and information security.

6.7 By written request, the Customer shall be entitled to obtain information from the Contractor about the Subcontractor's obligations relevant to data protection.

6.8 There shall be a clear differentiation between the responsibilities of the Contractor and the subcontractor.

7. Supervisory powers of the Client

7.1 The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to convince itself of the compliance with this agreement by the Supplier in his business operations by means of random checks, which are ordinarily to be announced in good time.

7.2 The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the Technical and Organizational Measures.

7.3 Evidence of such measures, which concern not only the specific Order or Contract, may be provided by compliance with approved Codes of Conduct pursuant to Article 40 GDPR.

8. Communication in the case of infringements by the Supplier

8.1 The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the GDPR. These include:

  1. Ensuring an appropriate level of protection through Technical and Organizational Measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
  2. The obligation to report a personal data breach immediately to the Client
  3. The duty to assist the Client with regard to the Client’s obligation to provide information to the Data Subject concerned and to immediately provide the Client with all relevant information in this regard.
  4. Supporting the Client with its data protection impact assessment
  5. Supporting the Client with regard to prior consultation of the supervisory authority

8.2 The Supplier may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Supplier.

9. Authority of the Client to issue instructions

9.1 The Client shall immediately confirm oral instructions (at the minimum in text form).

9.2 The Supplier shall inform the Client immediately if he considers that an instruction violates Data Protection Regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.

10. Deletion and return of personal data

10.1 Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.

10.2 After conclusion of the contracted work, or earlier upon request by the Client, at the latest upon termination of the Service Agreement, the Supplier shall hand over to the Client or – subject to prior consent – destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession, in a data-protection compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.

10.3 Documentation which is used to demonstrate orderly data processing in accordance with the Order or Contract shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods. It may hand such documentation over to the Client at the end of the contract duration to relieve the Supplier of this contractual obligation.

11. Final provisions

11.1 If any provision of this Agreement should be or become invalid or unenforceable, or if there are gaps in this Agreement, this shall not affect the validity of the remaining provisions of this Agreement. In place of the ineffective or unenforceable provisions, such effective provision shall be deemed to be agreed as the parties would have expected to have agreed to if they had been aware at the time of entering into this Agreement that it was ineffective, impracticable or lacking the provisions in question. If a provision is or becomes invalid due to the scope of services agreed therein, the scope of services agreed in the provision shall be adjusted to the legally permissible extent.

11.2 Amendments and additions to this Agreement must be made in writing in order to be valid. This also applies to a possible waiver of the requirement of the written form.

11.3 Jurisdiction for disputes arising from this agreement is - as far as legally permissible - Munich.

Annex 1 to the supplementary contract terms for data processing
Technical-organizational measures

of Seriotec GmbH, represented by Managing Director Florian Reimann, Wolfratshauser Str. 157c, 81479 Munich

I. Securing confidentiality (Article 32 subpara 1 lit. 1 b GDPR)

1. Access control

Measures designed to prevent unauthorized persons from accessing data processing equipment that processes or uses personal data.

  • Security Locks
  • Locking system with code lock
  • key regulation (key issue etc.)
  • Logging of visitors
  • Careful selection of cleaning personnel

2. Data access control

Measures designed to prevent data processing systems from being used by unauthorized persons.

  • Assignment of user rights
  • Create user profiles
  • password assignment
  • Authentication with username / password
  • Assignment of user profiles to IT systems
  • Security Locks
  • key regulation (key issue etc.)
  • Logging of visitors
  • Careful selection of cleaning personnel
  • Encryption of mobile data carriers
  • Use of anti-virus software
  • Use of a software firewall
  • For subcontractors: Security concept of Microsoft Azure for data management and SendGrid / Domain Factory for email management

3. Data usage control

Measures to ensure that data subject users can only access data subject to their access rights and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after storage.

  • Number of administrators reduced to the "necessary"
  • Administration of rights by system administrator
  • Password policy incl. Password length, password change
  • Secure storage of data media
  • Use of document shredders or service providers (if possible with data protection quality seal / certifications or compliance with relevant DIN standards)
  • For subcontractors: Security concept of Microsoft Azure for data management and SendGrid / Domain Factory for email management

4. Separation control

Measures to ensure that data collected for different purposes can be processed separately.

  • Logical client separation (software side)
  • Creation of an authorization concept
  • Provide records with purpose attributes / data fields
  • Separation of productive and test system
  • Definition of database rights

II. Ensuring integrity (Article 32 subpara 1 lit. 1 b GDPR)

1. Passing control

Measures to ensure that personal data cannot be illegally read, copied, altered or removed during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and determine to which places a transfer of personal data by institutions intended for data transmission.

  • Disclosure of data in anonymous or pseudonymous form, as appropriate / required
  • Overview of regular retrieval and delivery transactions
  • Documentation of the recipients of data and the time periods of the planned release or agreed deletion periods
  • For physical transport: safe transport containers / packaging
  • For physical transport: careful selection of transport personnel and vehicles

2. Entry Control

Measures to ensure that it can be subsequently verified and ascertained whether and by whom personal data has been entered, changed or removed in data processing systems.

  • Logging of entry, modification and deletion of data
  • Traceability of input, modification and deletion of data by individual user names (not user groups)

III. Ensuring availability and resilience (Article 32 subpara 1 lit. 1 b GDPR)

Measures to ensure the long-term confidentiality, integrity, availability and resilience of the equipment, systems and services and to protect the data from accidental destruction or loss:

  • Fire and smoke alarm systems
  • Backup & Recovery Concept
  • Emergency Plan
  • Server rooms not under sanitary facilities
  • Retain data in a safe, outsourced location
  • For subcontractors: Security concept of Microsoft Azure for data management and SendGrid / Domain Factory for email management

IV. Order control

Measures to ensure that personal data processed in the order can only be processed in accordance with the instructions of the client.

  • Selection of the contractor under due diligence (in particular with regard to data security)
  • Prior checking and documentation of the security measures taken by the contractor
  • Commitment of the contractor's employees to confidentiality
  • Appointment of a data protection officer at the contractor
  • Ensuring the destruction of data after completion of the contract
  • Effective control rights agreed with the contractor
  • ongoing verification of the contractor and his activities
  • penalties for violations

V. Procedure for the regular review, evaluation and evaluation of the effectiveness of the aforementioned measures (Article 32 subpara 1 lit. 1 d GDPR)

  • Regular revision of the safety concept
  • Information about emerging weaknesses and other risk factors, if necessary, revision of risk analysis and assessment
  • Process for data protection management
  • Privacy-friendly default settings (Article 25 subpara 2 GDPR) where necessary
  • Effective control rights agreed with contractors