Agreement

between

 

LexCom Informationssysteme GmbH, Rüdesheimer Str. 23, 80686 Munich, Germany

- hereinafter referred to as the “Contractor” or the “data processing company” -

and its customer

- hereinafter referred to as the “Client” –

 

Note

This document contains the Contractor’s conditions for the data processing agreement between the Client and the Contractor pursuant to Art. 28 para. 3 of the General Data Protection Regulation (GDPR). The Client agrees to be bound by these conditions by concluding a user contract for the Contractor’s online or other information services (the “Service Agreement”) or – if a Service Agreement is already in place – through a subsequent declaration.

1. Object and duration of the order

(1) Object

The object of the order for data processing results from the underlying Service Agreement.

(2) Duration

The duration of this order (term) corresponds to the term of the underlying Service Agreement.

2. Specification of the content of the order

(1) Nature and purpose of the intended processing of data
  The order includes the following types of processing:

1. Processing of personal data that are entered by the Client when using the respective online and other information services and that need to be processed by the Contractor to provide the product functions.
2. Processing of personal data for which access by the Contractor in the course of other activities cannot be excluded.
   • Firstly, the personal data mentioned under a) may be accessed as part of the Contractor’s own evaluations, in particular the analysis of product functionalities for the purpose of product optimisation and success and usage measurement. In this case, the data affected by the order does not form part of the evaluation and is removed or pseudonymised/anonymised by the Contractor
   • Secondly, other personal data stored locally at the Client may be accessed as part of maintenance and/or support services.
3. Moreover, in order to query parts according to the VIN, it may be necessary for the Contractor to forward the VIN to the server of the respective manufacturer. The manufacturer adds specific information required for the parts query to the VIN and returns it to the Contractor. The manufacturer also processes the VIN for its own purposes and is therefore an independent controller within the meaning of the GDPR. The Client hereby authorises the Contractor to forward the VIN to the manufacturer for this purpose.

(2) Type of data

The following data types/categories (list/description of the data categories) make up the object of the processing of personal data

• Vehicle identification numbers (VIN) and/or vehicle registration numbers entered by the Client in the online service
• End customer data entered by the Client in the online service including, in particular:
  • Address data for parts orders
  • E-mail addresses for sending image-text pages
• Customer data entered by the end customer when registering for the online service and
• Customer data saved locally by the Client (as part of remote maintenance by customer service)
  • Personal master data
  • Communication data (e.g. telephone, e-mail)

(3) Categories of data subjects

The categories of data subjects to which the processing relates include:

• End customers of the Client

(4) The Contractor reserves the right to anonymise or aggregate the client data so that it is no longer possible to identify individual data subjects and to use the client data in this form for the purposes of designing, enhancing and optimising as well as providing the service agreed in accordance with the main contract. The parties agree that anonymised client data or client data that is aggregated in accordance with the above is no longer considered client data within the meaning of this Contract.

(5) The Contractor may process and use the client data within the scope of what is permitted under data protection law for his own purposes under his own responsibility, provided a legal permission regulation or a declaration of consent by the data subject permits this. This Contract does not apply to such data processing.

3. Place of processing

The contractually agreed processing of data will be performed primarily in Germany or in a member state of the European Union or in another contracting state to the Agreement on the European Economic Area. If data is also processed by a subcontractor in a third country, this will only be done in compliance with the special requirements of Art. 44 et seqq. GDPR.

4. Technical and organisational measures

(1) The Contractor documents the implementation of the required technical and organisational measures set out prior to the award of the contract, in particular with regard to the specific execution of the order, and makes this documentation available to the Client together with this declaration. Upon acceptance by the Client, the documented measures become the basis of the order. Otherwise, the parties will not conclude a Service Agreement.

(2) The Contractor will ensure the level of security pursuant to Articles 28 para. 3 lit. c, 32 GDPR in particular in connection with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and measures to ensure a level of protection appropriate to the risk in terms of the confidentiality, integrity, availability and resilience of the systems. In doing so, the Contractor shall take into account the state of the art, the implementation costs and the nature, scope and purpose of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR [details in Appendix 1].

(3) The technical and organisational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, it will not fall short of the security level of the specified measures. It must document any major changes.

5. Correction, restriction and deletion of data

(1) The Contractor will not correct, delete or restrict the processing of the data to be processed on behalf of the Client on its own authority. It will only correct, delete or restrict the processing of the data in accordance with the documented instructions of the Client. Insofar as a data subject contacts the Contractor directly in this regard, the Contractor will immediately forward this request to the Client.

(2) Insofar as included in the scope of services, the Contractor will immediately ensure a deletion concept, the right to be forgotten, correction, data portability and information in accordance with the Client’s documented instructions. Individual instructions that deviate from the Service Agreement or that present additional requirements, require the prior consent of the Contractor. It must be taken into account that the online services provided by the Contractor are standard products, the adaptation of which to the Client’s data protection requirements can result in high costs. These costs are to be paid in full by the Client in accordance with a corresponding individual agreement.

6. Quality assurance and other duties of the Contractor

In addition to complying with the regulations of this order, the Contractor also has legal duties in accordance with Articles 28 to 33 GDPR; in particular, it must ensure compliance with the following requirements:

1. Written appointment of a Data Protection Officer, who carries out his duties pursuant to Articles 38 and 39 GDPR. His contact details are communicated to the Client for the purpose of direct contact. A change of Data Protection Officer will be communicated to the Client immediately.
2. Safeguarding of confidentiality in accordance with Articles 28 para. 3 sentence 2 lit. b, 29, 32 para. 4 GDPR. When carrying out the work, the Contractor will use only employees who have been obliged to maintain confidentiality and who have previously been familiarised with the data protection regulations relevant to them. The Contractor and any person reporting to the Contractor who has access to personal data, must process such data only in accordance with the instructions of the Client, including the powers granted in this Contract, unless they are legally obliged to process the data.
3. Implementation and compliance with all technical and organisational measures necessary for this order in accordance with Articles 28 para. 3 sentence 2 lit. c, 32 GDPR [details in Appendix 1].
4. The Client and the Contractor will work together with the supervisory authority on request to fulfil the relevant tasks.
5. Immediate informing of the Client regarding audit activities and measures by the supervisory authority, insofar as they relate to this order. This also applies if a competent authority investigates the Contractor due to an administrative offence or criminal proceedings with regard to the processing of personal data for the commissioned data processing.
6. Insofar as the Client is subject to an inspection by the supervisory authority, an administrative offence or criminal proceedings, the liability claim of a data subject or a third party or any other claim in connection with the data processing by the Contractor, the Contractor will support the Client to the best of its ability.
7. The Contractor will regularly review the internal processes and technical and organisational measures to ensure that the processing within its area of responsibility complies with the requirements of applicable data protection law and ensures the protection of the data subject’s rights.
8. Verifiability vis-à-vis the Client of the technical and organisational measures taken within its supervisory powers in accordance with Section 7 of this Contract.

7. Subcontractual relations

(1) For the purposes of this regulation, subcontractual relationships are those services that relate directly to the provision of the main service. This does not include ancillary services provided by the Contractor e.g. telecommunication services, postal/transport services, maintenance and user services or the disposal of data storage devices as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software for data processing systems. However, even in the case of outsourced ancillary services, the Contractor is obliged to take appropriate and legally compliant contractual agreements and control measures to ensure the protection and security of the Client’s data.

(2) The Client hereby grants the Contractor general permission to commission additional data processing companies.

The Client agrees to the commissioning of the following subcontractor under the condition of a contractual agreement in accordance with Art. 28 para. 2–4 GDPR:

Subcontractor’s company	Address/country	Service
Belenus LOB GmbH	Rüdesheimer Str. 23 80686 Munich GERMANY	Provision of all internal and external IT operations
LexCom (China) Co., Ltd	Suite G, 9/F Huamin Empire Plaza, 728 Yan An West Road, Changning Shanghai, 200050 CHINA	Provision of customer support
LexCom Japan K.K.	Shin-Yokohama Daini Centre Bldg., 7F, 3-19-5 Shin-Yokohama, JAPAN	Provision of customer support
LexCom Information Systems Ltd	Unit C3 Arena Business Centre, 9 Nimrod Way, Wimborne, BH21 7UH, UNITED KINGDOM	Provision of customer support
LexCom France SARL	Espace Mama Works 51 Quai Lawton 33300 Bordeaux FRANCE	Provision of customer support
OiC Imaging Comercial Ltda	Rua Kara 419, CEP 09750-300, São Bernardo do Campo, São Paulo, BRAZIL	Provision of customer support
Element1 Media GmbH	Rüdesheimer Str. 21 80686 Munich GERMANY	Processing of customer data entered during registration

 

The current subcontractor can be changed provided:

• The Contractor notifies the Client of such outsourcing to a subcontractor a reasonable time in advance in writing or in text form and
• The Client does not object to the planned outsourcing in writing or in text form by the time the data is passed over to the Contractor and
• A contractual agreement or binding declaration in accordance with Art. 28 para. 2-4 GDPR is taken as the basis.

(3) The transfer of the Client’s personal data to the subcontractor and its commencing work are only permitted if all conditions for subcontracting are met.

(4) Any further outsourcing by the subcontractor requires the express consent of the main contractor (in text form as a minimum); all contractual regulations in the contracting chain must also be imposed on the additional subcontractor.

8. Monitoring rights of the Client

(1) In consultation with the Contractor, the Client is entitled to carry out inspections or have them carried out by auditors who are to be named in individual cases. It is entitled to carry out spot checks to verify that the Contractor is in compliance with this Agreement in its business operations. The Client must notify the Contractor in good time that it intends to conduct such a spot check. Such spot checks must be carried out during normal business hours without disturbing the Contractor’s course of operations, while maintaining strict confidentiality with regard to the Contractor’s operating and business secrets.

(2) The Contractor will make sure that the Client can satisfy itself of the compliance with the duties of the Contractor in accordance with Art. 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organisational measures. As a rule, the Client can carry out one inspection per calendar year; additional checks are permitted in the case of specific incidents.

(3) The Contractor is entitled, at its sole discretion and taking into account the statutory obligations of the Client, not to disclose information that is sensitive with regard to the Contractor’s business or if the Contractor would breach any legal or contractual obligations by disclosing such information.

(4) At the Contractor’s discretion, the proof of such measures that relate not only to the specific order can be made by the following means instead of an on-site inspection

1. Compliance with approved codes of conduct pursuant to Art. 40 GDPR
2. Certification in accordance with an approved certification mechanism pursuant to Art. 42 GDPR
3. Current attestations, reports or excerpts of reports from independent entities (e.g. auditors, review, Data Protection Officer, IT security department, data protection auditors, quality auditors)
4. Appropriate certification from an IT security audit or data protection audit (e.g. in accordance with the baseline security of the German Federal Office for Information Security (BSI)).

A prerequisite for this is that this measure enables the Client to reasonably satisfy itself of the compliance with the technical and organisational measures as specified in the Appendix to this Agreement.

(5) The Contractor may assert a claim for compensation for enabling the Client to perform checks.

9. Notification in case of violations on the part of the Contractor

(1) The Contractor shall assist the Client in complying with the obligations relating to the security of personal data, reporting of data breaches, data protection impact assessments and prior consultations, as set out in Articles 32 to 36 GDPR. This includes but is not limited to:

1. Ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing and the predicted likelihood and severity of a possible breach of rights due to security vulnerabilities, and enable the immediate detection of relevant violation events
2. The duty to report personal data breaches to the Client without delay
3. The obligation to support the Client in its duty to provide information to the data subject and to provide it with all relevant information in this context without delay
4. Providing assistance to the Client for its data protection impact assessment
5. Supporting the Client in the context of prior consultations with the supervisory authorities

10. Authority of the Client

(1) The Client shall confirm verbal instructions immediately (in text form as a minimum).

(2) The Contractor will inform the Client immediately if it believes that an instruction violates data protection regulations. The Contractor is entitled to suspend the execution of the relevant instruction until it is confirmed or amended by the Client. The Contractor may assert a claim for compensation against the Client for expenses that it incurs as a result of this.

11. Deletion and return of personal data

(1) Copies or duplicates of the data will not be created without the knowledge of the Client. This does not include backup copies, to the extent that these are necessary to ensure proper data processing, and data that is required for compliance with statutory retention requirements.

(2) Upon completion of the contractually agreed work or earlier at the request of the Client – at the latest upon termination of the Service Agreement – the Contractor must hand over to the Client all documents that have come into its possession, results of processing and utilisation as well as datasets created in connection with the contractual relationship or, with prior consent, destroy them in line with data protection guidelines. The same applies to test material and discarded material. The log documenting the deletion must be submitted on request.

(3) The Contractor will retain documentation that serves to provide evidence of the proper data processing as per the order beyond the end of the Contract in accordance with the respective retention periods. It can hand this documentation over to the Client at the end of the contract term.

 

 

Appendix 1 – Technical and organisational measures

1. Confidentiality (Art. 32 (1) b) GDPR)

Physical access control

• Permits
• Access code cards / access transponders
• Physical access authorisation concept
• Monitoring devices (e.g. video surveillance)
• Regulations regarding the use of keys
• Regulation for external visitors, badges
• Internal staff to accompany visits
• Attendance records of visitors
• Securing the building outside of working hours with an alarm system and/or plant security
• Defined security areas and controlled access
• Secured entrance for incoming and outgoing deliveries
• Door safety device (electric door closer, ID card reader, TV monitor, porter)
• Monitoring by employees (dual control principle)
• Measures for securing the property (e.g. special glazing, alarm system, security patrols)
• Separate secure access to the data centre
• Storage of servers in lockable rooms
• Storage of data storage devices under lock and key or in locked rooms
• Storage of backups (e.g. tapes, CDs) in the safe
• Instructions for issuing keys
• Other / Specification of the above measures:

System access control

• Encryption of networks
• Storage of data processing equipment under lock and key
• Identification of a user of the data processing system
• Issuing and securing of identification codes
• Password protection of computer workstations
• Functional and/or temporally limited use of workstations and identifiers
• Regulations for user authorisation
• Use of individual passwords
• Automatic blocking of user accounts after multiple incorrect entries of passwords
• Automatic screen lock with password protection after inactivity (screensaver)
• Password policy with minimum requirements for password complexity and update interval
• Hashing of stored passwords
• Rights assignment process for new employees
• Rights withdrawal process when employees change departments
• Rights withdrawal process when employees leave the company
• Commitment to data secrecy pursuant to Art. 28 para. 3 lit. b GDPR
• Guidelines for file organisation
• Logging and evaluation of system usage
• Controlled destruction of data storage devices
• Work instruction and processing procedure for data acquisition
• Program review and approval process
• Other / Specification of the above measures:

Data access control

• Definition of access authorisation, authorisation concept
• Definition of the power to enter, modify or delete data
• Distinction between authorisation granting (organisational) and
• authorisation assignment (technical)
• Concept of drive usage and allocation
• Regulations on restoring data from backups (who,
• when, at whose request)
• Regular verification of authorisations
• Limitation of free and unregulated
• query capability of databases
• Regular evaluation of log files
• ID card reader at the terminal
• Restricted access to databases and functions (read, write, execute)
• Logging file accesses, deletions, changes
• Malware scanner on workstation computers
• Malware filtering for Internet
• Malware/spam filtering for e-mail
• Firewalls
• Intrusion detection/prevention (IDS/IPS)
• Limited access to log data (only log administrators)
• Storage of log data on a dedicated log server
• Other / Specification of the above measures

Separation control

• Separation of clients / legal entities
• Separation of development, test and productive system

2. Confidentiality (Art. 32 (1) b) GDPR)

Disclosure control

• Secure file exchange (SFTP/FTPS)
• Data exchange via HTTPS connection (TLS 1.1 and 1.2)
• Definition of transmission authorisation, authorisation concept
• Monitoring by employees (dual control principle)
• Secured entrance for incoming and outgoing deliveries
• Management of data storage devices, inventory control
• Designated areas in which data storage devices must be located
• Encryption of confidential data storage devices
• Encryption of laptops
• Storage of personal data in lockable
• security cabinets
• Prohibition against carrying bags and other items of baggage in security areas
• Secure deletion of data storage devices (e.g. physical destruction, repeated overwriting)
• Secure paper disposal: Locked containers made of metal (secure collection bins)
• Regulations for making copies
• Backup copies of data storage devices that need to be transported
• Packaging and shipping instructions
• Direct collection, courier service, accompanied transportation
• Completeness and accuracy inspection

Entry control

• Labelling / classification of collected data
• Definition of user permissions (roles/profiles)
• Differentiated user permissions (reading, editing, deleting data, restricted access to data or functions)
• Organisational specification of data entry responsibilities
• Logging of data entries/deletions
• Regulation on retention periods for revision/verification purposes

3. Availability and resilience (Art. 32 (1) b) GDPR)

Availability control

• Data protection and backup concept
• Regular review of the data protection and backup concept
• Access restriction in server rooms to necessary personnel only
• Fire alarm systems in server rooms
• Automatic fire extinguishing systems in server rooms
• Waterless fire extinguishing agents (e.g. CO2 extinguishers) in server rooms
• Air-conditioned server rooms
• Lightning/surge protection
• Uninterruptible power supply (UPS)
• Emergency power systems
• Water sensors in server rooms
• Storage of backup systems in separate rooms and fire zones
• Storage of data in data cabinets, safes
• Regular check of the ability to restore the backup storage media
• Ensuring the technical readability of backup storage media in the future
• Storage of backup storage media under necessary storage conditions (air conditioning, protection requirements, etc.)
• Agreement to transfer the (data) backups
• Regular vulnerability analysis (site protection, building protection, intrusion into networks and IT systems)
• Redundant storage system
• Alternate data centres

4. Restoration of availability and access (Art. 32 (1) c) GDPR)

• Crisis or emergency plan (e.g. water, fire, explosion, threat of attacks, crash, earthquake)

5. Monitoring, assessment and evaluation (Art. 32 (1) d) GDPR; Art. 25 (1) GDPR)

Process for regular monitoring, assessment and evaluation

• Defined process for data protection management
• Defined process for incident response management
• Privacy by default settings (Art. 25 GDPR)

Order control

• Selection of subcontractor under due diligence (in particular regarding data security)
• Contract design according to legal requirements (Art. 28 GDPR)
• Centralised recording of existing subcontractors (standard contract management)
• On-site inspections of the subcontractor before the contract begins
• Regular on-site inspections of the subcontractor after the contract starts (during the contract period)
• Verification of the subcontractor’s data security concept
• Reviewing existing information security certificates for the subcontractor
• Issuing instructions to improve the data protection procedures of subcontractors
• Obligation of subcontractor employees to comply with data protection regulations