Preamble This Agreement sets forth the rights and obligations of the Parties with regard to the processing of Personal Data by scribos on behalf of the Client as set forth in the Client's commission and the relevant General Business Terms and Conditions of tesa® 360 (collectively the “tesa 360 Agreement”).
§ 1 Object, nature, scope and purpose of the Commission
1.1. The object, nature, scope and purpose of the data processing are stated in the tesa 360 Agreement.
1.2. Any transfer of personal data in the course of the tesa 360 Agreement to a third country is subject to compliance with the specific requirements of Articles 44 to 49 GDPR. In any case, in which the Parties use the Standard Contractual Clauses for the transfer of Personal Data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council (Official Journal L 39 dated 12.22.2010, p. 5 et seqq.) or another version substituting this decision (following: Standard Contractual Clauses), the regulations of the Standard Contractual Clauses shall prevail over those in this Processing Agreement in case of any discrepancies.
§ 2 Term of the Commission
2.1. The commission’s term depends on the term of the tesa 360 Agreement and ends when all data have been deleted.
2.2. The Client may terminate this Processing Agreement at any time without notice, if there is an important reason for the termination of this Processing Agreement, in particular but not limited there to if scribos violates material obligations under this Processing Agreement or if scribos has committed a serious breach of the applicable data protection regulations. The Client acknowledges that scribos might not be able to perform the duties out of the tesa 360 Agreement if the Client terminates the Processing Agreement.
§ 3 Nature of the Data to be processed
3.1. The data made available or accessible to scribos includes personal data within the meaning of the GDPR. Specifically, the following categories of data shall be processed:
- IP Address
- Location from IP lookup: City, Provider, Longitude & Latitude
- Login information including email-address
- Contact details from client feedback form
- Supplier contact details
- Photographs taken by supplier employees (if applicable)
§ 4 Data Subjects
4.1. The group of data subjects affected by processing through scribos within the context of this commission includes the following categories of persons:
- Suppliers (if applicable)
- Licensees (if applicable)
§ 5 Obligations of scribos
5.1. scribos undertakes vis-à-vis the Client to adhere to the applicable data protection provisions, and the provisions of this Processing Agreement with the utmost diligence.
5.2. scribos shall provide for appropriate technical and organisational measures pursuant to Article 24 GDPR in order to adhere to the data protection provisions, in particular to ensure data security pursuant to Article 32 GDPR.
5.3. scribos shall monitor and document the fulfilment of its obligations under the contractual provisions and under data protection law and shall provide the Client upon request with the required information and suitable evidence. This also includes monitoring the execution of the data processing within the context of the commission and the technical and organisational measures taken.
5.4. scribos shall ensure that data confidentiality is observed. For this purpose, scribos shall familiarise all its employees who have access to personal data of the Client within the context of the commission with the data protection provisions and shall obligate them in writing not to process any such personal data without authorisation. Upon the Client’s request, scribos shall submit these declarations to the Client at any time.
5.5. scribos shall use the data it has been provided with exclusively based on the tesa 360 Agreement and pursuant to this Processing Agreement. Any further processing/use of the data for any other purpose than the purpose of the tesa 360 Agreement (e.g. for scribos’ own purposes or for the purposes of a third party) or the transmission to third parties is, unless agreed upon otherwise in writing, expressly excluded except where the data was anonymized prior to such processing.
5.6. Moreover, scribos shall not copy the data it has been provided with onto data storage media or make any other copies and shall not make them accessible to third parties, unless the Client has given its explicit written consent to do so except required for backup purposes.
5.7. Should supervising authorities request information from or take measures at the Client, scribos shall, upon the Client’s request, offer its support to the extent that is required to settle the matter.
5.8. Furthermore, scribos shall support the Client in a reasonable manner with regard to the adherence to the obligations stated in Articles 32 to 36 GDPR, if data processing within the context of the commission pursuant to this tesa 360 Agreement is concerned, and shall, in particular, provide any required information which is available to it.
§ 6 Data Security
6.1. scribos shall protect the data it has been provided with against unauthorised disclosure and manipulation by taking appropriate technical and organisational measures pursuant to Article 32 GDPR. Data and systems have to be protected from, including but not limited to, unauthorised or accidental destruction, accidental loss, technical defects, falsification, theft, illegal use, unauthorised access as well as from unauthorised modifications, copying, deletion, forwarding, access and any other unauthorised processing. Moreover, scribos must ensure that appropriate measures are taken to quickly restore the availability of personal data and access thereto in cases of technical incidents and must allow for an examination of the effectiveness of the technical and organisational measures taken.
6.2. scribos shall ensure that the data made available to it for processing is strictly separated from any other data sets. Data storage media which are provided by the Client to scribos are to be labelled accordingly. The receipt and return of such data storage media is to be documented.
6.3. scribos shall work out a security concept with the measures that have been taken and shall hand it over to the Client before data processing starts. The security concept with the measures that have been taken is available at the following link: Security Concept
6.4. The technical and organisational measures to be taken by scribos shall be subject to continuous updating and adjustment reflecting the technical and organisational progress. The Client is to be informed of any significant changes regarding the technical and organisational measures.
§ 7 Requests from Data Subjects
7.1. scribos may correct, delete, block or transfer data which are processed within the context of the commission exclusively upon instruction of the Client.
7.2. If a data subject contacts scribos directly to assert his or her rights, in particular those stated in Articles 12 to 23 of the GDPR, with regard to the data processed within the context of the commission, scribos shall forward such requests to the Client without delay. scribos may only disclose information to third parties or to the data subject after having obtained the Client’s previous written consent, unless it is legally obliged to do so.
7.3. If a data subject contacts the Client, scribos shall reasonably support the Client in order to respond to the data subject’s request. For this purpose, appropriate technical and organisational measures shall be provided for by scribos.
§ 8 Subcontracting
8.1. scribos is entitled to commission third parties with the processing of the personal data. Currently scribos makes use of noris network AG, Thomas-Mann-Straße 16-20, 90471 Nuremberg, Germany and Amazon Web Services, Inc., 410 Terry Avenue North Seattle WA 98109, United States as a subcontractor. scribos will notify the Client of any changes to the subcontractors by email.
8.2. scribos shall notify the Client of any change in relation to the incorporation of new or the replacement of existing subcontractors. The Client has the right to object to such changes. An objection may only be raised by the Client for important reasons to be proven to scribos. If the Client objects, scribos is entitled to terminate the tesa 360 Agreement and this Processing Agreement with one month's notice from receipt of the objection.
8.3. The contract between scribos and the subcontractor must impose essentially the same obligations on the subcontractor as are the responsibility of scribos under this Processing Agreement. The Parties agree that this requirement is met if the contract has a level of protection corresponding to this Processing Agreement or if the subcontractor is subject to the obligations set out in Art. 28 (3) GDPR.
8.4. Services that scribos uses from third parties as an ancillary service to support the performance of the processing are not subcontractor relationships within the meaning of the above provisions. These include e.g. telecommunications services, cleaning services, testing services or, under certain circumstances, maintenance services. However, in order to ensure the protection and security of the data of the Client as well as to ensure confidentiality, scribos is obligated to make lawful and appropriate contractual agreements with externally assigned ancillary services and to take control measures.
§ 9 Client’s Review Rights
9.1. The Client is entitled to review, to the extent necessary, that the contractual provisions as well as the statutory regulations on data protection are complied with, and, in particular, the technical and organisational measures taken by scribos pursuant to this Processing Agreement. In the event the information provided by scribos during such review gives rise to the Client's concerns that scribos may be in non-compliance with substantial contractual or data protection law obligation, these rights also include the entitlement to assure itself by inspecting the premises at any time that the data is properly processed under data protection law and the contractual provisions and that the technical and organisational measures are implemented and complied with. The Client is entitled to perform such controls itself in consultation with scribos, or, in an individual case, to have them performed by third party reviewers bound by confidentiality.
9.2. scribos shall appropriately support the Client with regard to the execution of such reviews, including but not limited by granting access to the premises, systems and documents connected with the processing of the data within the context of the commission upon prior written request with at least two weeks’ notice.
§ 10 Notifications by scribos
10.1. scribos shall inform the Client without delay of any requests by supervising authorities, in particular of any announced data protection inspections, if data processing under this Processing Agreement is concerned.
10.2. scribos shall inform the Client without delay if any severe disruptions of processing operations have occurred, if data protection violations are suspected, if the provisions of this Processing Agreement have been violated, or if any other irregularities with regard to the processing of the Personal Data have occurred. This particularly concerns the loss of the personal data processed by scribos, unauthorised or unintended access to the personal data by third parties and/or their unauthorised disclosure. The duty to inform already applies if there is concern that potential disruptions, breaches or irregularities may have taken place with some degree of probability.
10.3. In consultation with the Client, scribos shall immediately take appropriate measures in order to secure the data and to reduce any potential negative consequences for the data subjects. If the Client is subject to obligations pursuant to Articles 33 and/or Article 34 GDPR, scribos has to support it in this regard.
§ 11 Authority to Issue Instructions
11.1. The processing of personal data by scribos and the persons subordinated to it who have access to the data shall exclusively take place within the framework of the tesa 360 Agreement and based on the Client’s documented instructions (cf. Article 29 GDPR). The Client has a comprehensive right of direction with regard to the nature, scope and method of the data processing, which may be specified in individual instructions. If scribos is subject to a legal obligation which allows for a different processing, scribos shall inform the Client of the respective legal requirements, unless such notification is legally prohibited.
11.2. scribos shall document any instructions given by the Client in an appropriate manner. Instructions given orally are to be confirmed by the Client in written form without delay.
11.3. scribos shall inform the Client without delay if it is of the opinion that an instruction violates contractual provisions or statutory regulations under data protection legislation. scribos may withhold carrying out the instruction until Client demonstrates its lawfulness to scribos’ reasonable satisfaction.
§ 12 Erasure or Return of Data
12.1. Upon termination of the Term or earlier when requested by the Client – and no later than at the moment when the commission has been completed – scribos must, at the Client’s discretion, either return all personal data in its possession and connected to the commission, whether included in documents, in generated processing or utilisation results or in data sets, in a generally readable form or, with prior consent, destroy or delete them in accordance with data protection law regulations, unless there is a legal obligation to store the personal data. The destruction or erasure is to be confirmed to Client in written form. In the case of electronic data, the processing and utilisation results or data sets shall be handed over in a format to be agreed upon by the Parties, or, if no agreement has been made, on standard data storage media in a format that is customary in the market and permits a structured readout.
12.2. There is no right to retain any personal data which have been made available or have been collected or processed by scribos within the framework of this contractual relationship, nor any of the respective data storage media.
§ 13 Miscellaneous
13.1. Documentation that evidences data processing in accordance with the commission and the rules is to be stored by scribos for the respective retention period even after the termination of the tesa 360 Agreement.
13.2. If the Client’s data are endangered due to measures of third parties taken at scribos, e.g. in the form of seizure, through insolvency or settlement proceedings or any other event, scribos must inform the Client without delay.
13.3. In the case of any discrepancies between the tesa 360 Agreement and this Processing Agreement the Processing Agreement shall prevail.
13.4. In case of doubt the German wording of this Processing Agreement shall prevail.
13.5. This Processing Agreement is subject to German law. The place of jurisdiction shall be governed by the tesa 360 Agreement.