General Terms and Conditions for Order Processing (GTC)

1 General provisions and subject matter of the contract

(1) The contracting person shall provide its customers (hereinafter referred to as "the ordering person") with the works and services listed here, in which personal data are processed on behalf of:

• use of the "Software-As-A-Service-Solution",
• trainings, workshops and webinars,
• provision of works and services.

In this case, the contracting person processes, among other things, personal data of third parties (so-called third-party data) of the following categories of persons on behalf of the ordering person. These General Terms and Conditions for Order Processing (hereinafter referred to as "GTC") apply to the processing of these third-party data.

• Customers
• Employees of the customer
• Customers’ customers
• Subcontractors of the customer

During the processing of this personal data of third parties by the contracting person, the following information is usually collected, stored, processed and, if necessary, analysed:

• personal data (e.g. name, address, telephone number, email),
• location data (e.g. GPS coordinates),
• image files with personal reference (e.g. House numbers, license plates, faces),
• user-related metadata (e.g. User names, roles, IP addresses, login times),
• project-specific input data, provided that they allow conclusions to be drawn about natural persons (e.g. names, professional positions),
• communication and support data processed in the context of requests,
• device identifiers (e.g. Device ID, IMEI, MAC address, IP address of the accessing device),
• type and version of the operating system and web browser used,
• referrer URL and other header information,
• time and duration of access.

(2) The processing of this data by the contracting person takes place exclusively on the territory of the Federal Republic of Germany, a member state of the European Union or a contracting state of the EEA Agreement. Processing outside these countries takes place only under the conditions of Chapter 5 of the GDPR (Art. 44 ff.) and with the prior consent of the ordering person.

2 Term and cancellation

The term of order processing is based on the term of the main contract. Insofar as and as long as personal data of the ordering person are further processed on behalf of the main contract, this agreement shall apply until the time at which the processing of this data by the contracting person ends. The right to extraordinary termination without notice for good cause remains unaffected by this.

3 Instructions of the ordering person

(1) The ordering person is entitled to a comprehensive right of instruction with regard to the type, scope and modalities of data processing to the contracting person. The contracting person shall immediately inform the ordering person if the contracting person is of the opinion that an instruction from the ordering person violates statutory provisions.

(2) If an instruction is issued, the legality of which is substantiatedly doubted by the contracting person, the contracting person is entitled to temporarily suspend its execution until the ordering person expressly confirms or changes it again. If there is the possibility that the contracting person is exposed to a liability risk by following the instructions, the execution of the instruction can be suspended until the internal liability is clarified.

(3) Instructions are generally in writing or in an electronic format (e.g. by email). Oral instructions are permissible in justified individual cases and are immediately confirmed by the ordering person in writing or in an electronic format. The confirmation must expressly justify why no instruction could be given in text form. The contracting person must record the person, date and time of the oral instruction in an appropriate form.

4 Control powers of the ordering person

(1) The ordering person is entitled to check compliance with the legal and contractual provisions on data protection and data security before the start of the data processing and during the term of the contract regularly, to the extent necessary. The contracting person shall enable and contribute to these checks – including inspections – which are carried out by the contracting person or by another auditor commissioned by it.

(2) The ordering person must ensure that the control measures are proportionate and do not lead to an excessive impairment of business operations. As a rule, an examination should only take place after prior notification, unless the prior registration would jeopardise the purpose of the control.

(3) If the ordering person appoints an auditor, the latter must not be in a direct competitive relationship with the contracting person.

(4) The results of the checks shall be recorded by the ordering person in an appropriate manner.

(5) The contracting person undertakes to provide the ordering person with all necessary information to prove compliance with the measures laid down in Art. 28 of the GDPR.

5 Duties of the contractor

(1) The processing of the data subject to the contract by the contracting person takes place exclusively on the basis of the contractual agreements in conjunction with the instructions given by the ordering person. Processing deviating from this is only permitted on the basis of mandatory European or member state legislation (e.g. in the case of investigations by law enforcement or state protection authorities).

(2) If processing is required by force of law, the contracting person shall notify the ordering person thereof prior to processing, provided that the relevant law does not prohibit such communication on account of an important public interest.

(3) The contracting person must ensure that the persons authorised to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality (Art. 28 (3) (b) GDPR). Before being subject to the duty of confidentiality, the persons concerned may not have access to the personal data provided by the ordering person.

6 Technical and organisational measures (TOM)

(1) The contracting person, taking into account the requirements of Art. 32 GDPR, appropriate technical and organisational measures to ensure an adequate level of protection are defined and implemented. All measures already in place at the time of conclusion of the contract are finally attached to these GTC in Appendix 1.

(2) The contracting person will review and adapt the technical and organisational measures if necessary and / or due to the occasion.

(3) If the ordering person requires the use of further technical and organisational measures to protect her personal data covered by the contract, the ordering person will notify the contracting person in writing or electronic form in good time – but no later than two weeks – before its use and coordinate and record it with the contracting person.

(4) The specific scope of services and, if applicable, the remuneration of these additional technical and organisational measures and regulations is the subject of individual contractual agreements between the parties.

7 Support obligations of the contracting person

(1) The contracting person will be the ordering person pursuant to Art. 28 (3) (e) GDPR in their obligations to safeguard the rights of the data subject from Chapter III, Art. 12 to 22 GDPR. This applies in particular to the provision of information and the deletion, correction or restriction of personal data.

(2) The contracting person will also be the ordering person pursuant to Art. 28 para. 3 lit. f DSGVO with their obligations under Art. 32 to 36 GDPR (esb. reporting obligations). The scope of these support obligations is determined on a case-by-case basis, taking into account the type of processing and the information available to the contracting person.

8 Use of subcontractors

(1) The contracting person is authorised to use subcontract processors (subcontractors). All subcontracting relationships of the contracting person already existing at the time of conclusion of the contract are subsequently attached to these GTC in Appendix 2. For the subcontractors listed in Appendix 2, the consent shall be deemed to have been granted by agreement of these GTC.

(2) If the contracting person intends to use other subcontractors, the contracting person will notify the ordering person in writing or electronic form in good time – but no later than two weeks before their use. After this notification, the ordering person has two weeks to object to the involvement of the subcontractor. If no objection is received within this period, the involvement of the subcontractor(s) shall be deemed to be approved. In urgent cases (e.g. in the case of short-term error analyses or elimination of defects), the contracting person may appropriately shorten the notification and objection period for subcontractors.

(3) If an objection is made on time, the subcontractors concerned may not be used. Objections are only permissible if the ordering party has reasonable indications that the use of the subcontractor would restrict data security or data protection, would jeopardize compliance with legal or contractual provisions and / or other legitimate interests of the commissioning person would be contrary. The corresponding suspicions must be attached to the objection.

(4) Subcontractors are selected by the contracting person in compliance with the legal and contractual requirements. All contracts between the processor (contracting person) and the subcontracting processor (subcontractor contracts) must comply with the legal provisions on the processing of personal data on behalf. This applies in particular to the implementation of appropriate technical and organisational measures in accordance with Art. 32 GDPR in the company of the subcontractor.

(5) Ancillary services that the contracting person makes use of for the exercise of business activities do not constitute subcontracting relationships within the meaning of Art. 28 GDPR. Ancillary activities in this sense are in particular telecommunications services without concrete reference to the main service, postal and transport services as well as other measures that are intended to ensure the confidentiality and / or integrity of the hardware and software and have no concrete relation to the main service. However, the contracting person will also ensure compliance with the statutory data protection standards (in particular through appropriate confidentiality agreements) for these third-party services.

(6) All contracts between the contracting person and the subcontracting processor (subcontracting contracts) must meet the requirements of these GTC and the statutory provisions on the processing of personal data on behalf.

(7) The commissioning of subcontractors in third countries is only permissible if the legal requirements of Art. 44 ff. GDPR and the ordering person has agreed.

9 Notification obligations of the contracting person

(1) Violations of these GTC, of instructions of the ordering person or of other provisions of data protection law must be reported to the ordering person immediately; the same applies in the presence of a corresponding justified suspicion. This obligation applies regardless of whether the violation was committed by the contractor himself, a person employed by the contractor, a subcontractor or another person who has appointed the contractor to fulfil contractual obligations.

(2) If an data subject, an authority or other third party requests the contracting person for information, correction or deletion of data processed by the contracting person as processor, the contracting person will immediately forward the request to the ordering person and coordinate the further procedure with him.

(3) The contracting person will inform the ordering person without delay if supervisory actions or other measures are imminent by an authority, which could also affect the processing, use or collection of the personal data provided by the ordering person. In addition, the contracting person must immediately inform the ordering person of any events or measures of third parties that could jeopardise or impair the data subject to the contract.

10 Contract termination, deletion and return of data

(1) After completion of the contractual data processing or after termination of the main contract, the contracting person must delete or return all personal data at the option of the ordering person, provided that there is no longer a legal obligation to store the data concerned (e.g. statutory retention periods).

11 Data secrecy and confidentiality

(1) The contracting person is obliged to treat the personal data obtained within the framework of this contractual relationship confidentially beyond the end of the main contract for an indefinite period and beyond the end of the main contract. The contracting person undertakes to familiarise employees with the relevant data protection regulations and confidentiality rules and to oblige them to secrecy before they start their work with the contracting person.

12 Final provisions

(1) If the contracting parties are merchants, legal entities under public law or special funds under public law, the registered office of the contracting person shall be the place of jurisdiction for all disputes arising from these GTC, provided that an exclusive place of jurisdiction is not established in this respect.

(2) Insofar as personal data is concerned on behalf of the contract, the provisions of these GTC take precedence over the regulations of the main agreement.

(3) Should the GDPR or other legal regulations referred to change during the term of the contract, the references here also apply to the respective successor regulations.

(4) The contracting person is entitled to withdraw the present GTC for objectively justified reasons (e.g. Changes in case law, legal situation, market conditions or business or corporate strategy) and within a reasonable period of time. Existing customers will be notified by email no later than two weeks before the change takes effect.

(5) If the existing customer does not object within the period set in the change notification, his consent to the change shall be deemed to have been given. In the event of an objection, the contracting person is entitled to terminate the contract extraordinarily at the time of the entry into force of the amendment. Notification of the intended modification of these Terms of Use will indicate the time limit and consequences of the objection or failure to object.

(6) The terms used are not gender-specific.

Status: September 2025

GDPR compliant

Appendices