AGREEMENT ON THE PROCESSING OF ORDER DATA
Xelon AG ("Xelon") provides IT services as Managed Services Provider (MSP) and/or IT infrastructure services in relation to one or more servers, services or applications of the Customer in accordance with the contract or SLA vis-à-vis the Customer. In providing the services, Xelon processes personal data on behalf of and for the purposes of the Customer ("Order Data Processing").
1. SUBJECT MATTER AND SCOPE OF THE ADV AGREEMENT
This Order Data Processing Agreement ("ADV Agreement") sets out the duties, roles and responsibilities of Xelon and the Customer ("Parties") in relation to Order Data Processing.
2. VALIDITY, TERM, RELATIONSHIP TO THE CONTRACT
The subject matter and duration of the order as well as the type and purpose of the processing result from the contract or the SLA. If there are several contracts, this ADV Agreement shall apply to all of them. It applies for the entire duration of the contract and, if applicable, beyond that until the deletion of the personal data affected by the order data processing (cf. section 4.2) by Xelon.
The provisions of this ADV Agreement supplement the provisions of the Contract as an integral part thereof and are deemed to be accepted by the Customer upon conclusion of the Contract. They do not restrict the rights and obligations of the contracting parties with regard to the provision or use of the Services. However, the provisions of this ADV Agreement shall take precedence over the provisions of the Contract with regard to their subject matter (unless expressly agreed otherwise in the Contract).
3. SCOPE OF THE ADV AGREEMENT
This ADV Agreement shall apply - as soon as the Customer has agreed to it by entering into the Agreement - with regard to commissioned data processing within the scope of the services provided by Xelon pursuant to the Agreement.
4. INFORMATION ON ORDER DATA PROCESSING
The following are affected by order data processing:
- MSP services: personal data that Xelon processes on the client's behalf for the provision of services to the client.
- Provider services: personal data that the customer stores, according to its choice, on the infrastructure used by Xelon for the provision of services, as well as data of persons to whom the customer grants access to its website or application. In particular, this includes personal data that is usually collected when websites and applications are called up, executed and used. This includes log data that is automatically collected during the informational use of a website or an application (e.g. the IP address and the operating system of the user's device as well as the date and time of the browser's access), data entered by the user, and usage data with a personal reference collected by the customer (hereinafter "personal data").
Depending on the service model, the customer itself decides whether and what kind of data it processes on Xelon's systems, which categories of data subjects are concerned and for what purpose. The following types or categories of data can be the subject of order data processing: personal master data (e.g. name, address, date of birth, employer, position), customer master data (e.g. name, address, date of birth), communication data (e.g. telephone numbers, e-mail addresses), company data (e.g. employees, addresses, bank details, business reports), supplier master data (e.g. employees, addresses, bank details, evaluations), contract master data (e.g. contact persons, contractual relationships), contract-related documents (general terms and conditions, contracts, orders, invoices), etc.
5. ROLES AND AREAS OF RESPONSIBILITY
The Client acknowledges and Xelon recognises that the Client is and remains responsible for the processing of the Personal Data in accordance with applicable data protection laws. The Client therefore assumes the role of data controller. This is without prejudice to cases in which the Customer itself is a Data Processor in relation to the Personal Data (cf. Section 5.4).
Xelon acknowledges that the Customer in the role of the controller is obliged to contractually bind Xelon to some of its obligations under the DPA or, if applicable, the EU GDPR (or other applicable data protection laws) when using services.
Xelon assumes the role of the commissioned data processor with regard to the processing of personal data concerned. Unless Xelon is also subject to the EU GDPR (or any other applicable data protection laws) in addition to the DPA for this commissioned data processing, Xelon shall only assume this role on the basis of Xelon's contractual obligations under this ADV Agreement and shall not be obliged under the EU GDPR (or any other applicable data protection laws) solely for this reason.
If the customer is in turn a commissioned data processor (i.e. if the customer is authorised under the contract to make the storage space available to its customers), it confirms that its customer (i.e. the responsible party) has authorised it under a separate agreement to subcontract processing and issue any instructions to Xelon.
6. DUTIES OF XELON
Xelon undertakes to process the personal data only for the provision of the services in accordance with the service description and contractual obligations as well as in accordance with this ADV Agreement.
Xelon is entitled to process personal data of the Customer insofar as this is necessary for the fulfilment of the performance obligations under the contract and this ADV Agreement. Upon corresponding request, Xelon is prepared to implement further instructions of the Customer concerning the order data processing. The prerequisite for this is that these can be implemented by Xelon within the scope of the contractually agreed services, are objectively reasonable, and do not lead to additional costs or a changed scope of services. In any case, the fulfilment of legal or regulatory obligations to which Xelon is subject remains reserved.
Xelon ensures compliance with the provisions of this ADV Agreement by the employees entrusted with the order data processing and by other persons working for Xelon who have access to the personal data. Xelon also undertakes to oblige persons with access to the personal data to maintain confidentiality, even beyond the duration of their work for Xelon.
Xelon undertakes to take appropriate technical and organisational measures in the interest of the confidentiality, integrity and contractually agreed availability of the personal data. Xelon implements in particular access controls (physical and logical) as well as procedures for the regular review, assessment and evaluation of the effectiveness of the technical and organisational measures. When selecting the measures, Xelon takes into account the state of the art, the implementation costs, the type, scope, circumstances and purposes of the processing, and the varying probability of occurrence and severity of the risk for data subjects. The measures applicable in each case result from the current service descriptions of Xelon as well as the appendix TOM - Technical and Organisational Security Measures. Technical and organisational measures are subject to technical progress. In this respect, Xelon is permitted to implement alternative adequate measures. In doing so, the security level of the measures specified in the current service descriptions must not be undercut. Significant changes are to be documented.
Xelon undertakes to inform the Customer in writing without delay if Xelon becomes aware of a data security breach. In doing so, Xelon shall inform the Customer of the type and extent of the breach as well as possible remedial measures. The contracting parties shall jointly take the necessary measures to ensure the protection of personal data and to mitigate possible adverse consequences for the data subjects. Furthermore, Xelon undertakes to provide the Customer, upon written request, with sufficient information to enable the Customer to comply with its obligations under the DPA, EU GDPR or other applicable data protection laws regarding the notification, investigation and documentation of data security breaches.
Xelon undertakes to support the Customer in the fulfilment of data subject rights (in particular rights of access, rectification and deletion) upon the Customer's written request, against separate reasonable remuneration and within the scope of Xelon's operational resources and possibilities. If a data subject addresses claims regarding the fulfilment of data protection rights directly to Xelon, Xelon will refer the data subject to the customer. The prerequisite for this is that Xelon can attribute the data subject to the customer based on the information provided by the data subject.
Xelon is obliged to notify the Customer in writing without delay if Xelon receives a request (e.g. a request for information or deletion) from a data subject in relation to personal data; provided that an allocation to the Customer is possible based on the information provided by the data subject.
Xelon is prepared, upon written request of the Customer and against separate reasonable compensation and taking into account Xelon's operational resources and capabilities, to assist the Customer in data protection impact assessments and regulatory consultations.
Xelon will release or immediately delete the personal data at the end of the term of the contract in accordance with the provisions of the contract.
7. SUBCONTRACTOR INVOLVEMENT
If the Customer requests services from Xelon that involve personal data and are provided by third parties, Xelon remains the Data Processor vis-à-vis the Customer and fulfils the relevant obligations under the ADV Agreement. The provider of the third-party service that is integrated into Xelon's service is a sub-contract data processor of Xelon. This is to be distinguished from cases in which Xelon arranges a direct contract conclusion with the third-party service provider for the customer and the third-party service provider becomes the customer's direct order data processor. In such cases, the customer itself must ensure that any necessary agreements are made with the third-party service provider under applicable data protection laws.
Xelon is entitled to involve subcontracted data processors in the context of the provision of Xelon's services (e.g. in the context of support services of suppliers and providers, or for external services such as domain registrations or other services). In such cases, Xelon is obliged to enter into an agreement with subcontracted data processors to the extent necessary to enable Xelon to comply with the provisions of this ADV Agreement.
Xelon shall give the Customer reasonable advance notice if Xelon will be adding new subcontracted data processors or replacing existing subcontracted data processors with respect to existing services after the effective date of this ADV Agreement. If the Customer does not object to this for important data protection reasons within thirty (30) days of the date of the notice, the new or replacement subcontracted data processor shall be deemed approved.
If the subcontracted data processing involves the transfer of personal data to another location, Xelon shall ensure that the applicable data protection requirements are complied with by taking appropriate legal, technical or organisational measures (see Annex). As a matter of principle, subcontracted data processors in third countries are only commissioned if there is sufficient protection of the personal data.
8. OBLIGATIONS OF THE CLIENT
The client is responsible for the lawfulness of the processing of the personal data, including the lawfulness of the commissioned or sub-commissioned data processing.
The Customer shall independently take appropriate technical and organisational measures, in accordance with the current state of the art, to protect personal data in its own area of responsibility (e.g. on its own systems and applications and, depending on what is agreed with Xelon in the contract or SLA, elsewhere).
The Customer undertakes to inform Xelon without undue delay if the Customer detects violations of applicable data protection laws in the provision of services by Xelon.
As a rule, the Client shall issue all orders, partial orders and instructions in writing or in a documented electronic format. Verbal instructions shall be confirmed immediately by the contractor in writing or in a documented electronic format. If Xelon is of the opinion that an instruction violates data protection regulations, it shall inform the client without delay. Xelon is entitled to suspend the implementation of the relevant instruction until it is confirmed or modified by the client.
9. INFORMATION AND AUDIT RIGHTS
Xelon shall, upon written request, provide Customer with all information reasonably required by Customer to demonstrate compliance with this ADV Agreement to data subjects or data protection supervisory authorities.
Xelon shall allow the Customer or an auditor appointed by the Customer and bound to confidentiality to audit Xelon's compliance with this ADV Agreement. If violations of the ADV Agreement are identified by Xelon after submission of appropriate evidence, Xelon shall implement appropriate corrective measures without delay and free of charge.
The aforementioned information and examination rights of the Customer exist only insofar as the contract does not grant the Customer any other information and examination rights that comply with the relevant requirements of the applicable data protection laws. Furthermore, these information and examination rights are subject to the principle of proportionality and the protection of Xelon's interests worthy of protection (in particular security or confidentiality interests). Unless otherwise agreed between the contracting parties, the Customer shall bear all costs of the information and examination, including proven internal costs of Xelon.
10. AMENDMENTS TO THIS ADV AGREEMENT
Xelon reserves the right to amend this ADV Agreement (a) if this is necessary to adapt to legal developments or (b) if this does not lead to a deterioration in the overall security of the Order Processing and does not (at Xelon's discretion) have a material adverse effect on the rights of the persons affected by the Order Processing.
Xelon will notify the Customer of any intended changes to this ADV Agreement in accordance with Clause 10.1 at least thirty (30) days before they take effect. If the Customer wishes to object to the amendment, it may do so within thirty (30) days from the date of the notification via a support ticket in the Customer Portal. If no objection is made within this period, the amendment shall be deemed to have been approved.
11. GENERAL PROVISIONS
In deviation from any written form requirements agreed between the contracting parties, the ADV Agreement may be agreed or amended electronically between the contracting parties.
If this ADV Agreement requires a written request or notice, an email (for notices to the Customer) to the Customer's address specified in the Customer Portal or (for notices to Xelon) an email to firstname.lastname@example.org shall satisfy the written form requirement.
Data protection terms such as "personal data", "process", "controller", "commissioned data processor", "data protection impact assessment", etc., have the meaning ascribed to them in the DPA or the EU GDPR. "Data Breach" means "Personal Data Breach".
The customer confirms that he remains responsible. Xelon is liable exclusively for intent and gross negligence.
The Parties hereby submit to the choice of law and jurisdiction set forth in the Agreement for all disputes and claims arising out of or in connection with this ADV Agreement.
Should one or more provisions of the ADV Agreement be or become invalid or void, this shall not affect the validity of the remaining provisions. The invalid or void provision shall be replaced by the provision which the contracting parties would have made in good faith and from an economic point of view if they had known about the defect at the time of the conclusion of the ADV Agreement. The same shall apply in the event of any loopholes in the ADV Agreement.