Annex 1 to the General Terms and Conditions of the Sawayo Platform

Order processing contract

Preamble

The Controller has concluded a contract with the Processor for the use of the software referred to in 3.3 of the GTC (hereinafter "Main Contract"). Part of the execution of the contract is the processing of personal data. In particular, Art. 28 GDPR imposes certain requirements on such commissioned processing. In order to comply with these requirements, the parties enter into the following agreement, the performance of which shall not be remunerated separately unless expressly agreed.

§ 1 Definitions

(1) Pursuant to Art. 4 (7) GDPR, the controller is the entity which alone or jointly with other controllers determines the purposes and means of the processing of personal data.

(2) According to Article 4 (8) of the GDPR, a processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the controller.

(3) Pursuant to Article 4 (1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(4) Personal data requiring special protection are personal data pursuant to Art. 9 GDPR revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and criminal offenses or related security measures, as well as genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4 (14) GDPR, health data pursuant to Art. 4 (15) GDPR and data on the sex life or sexual orientation of a natural person.

(5) Processing means, pursuant to Article 4(2) of the GDPR, any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(6) Pursuant to Art. 4 (21) GDPR, the supervisory authority is an independent public authority established by a Member State pursuant to Art. 51 GDPR.

§ 2 Subject matter of the contract

(1) The Processor shall provide the services specified in the main contract for the Controller. In doing so, the Processor obtains access to personal data which the Processor processes for the Controller exclusively on behalf of and in accordance with the instructions of the Controller. The scope and purpose of the data processing by the Processor are set out in the main contract and any associated service descriptions. The Controller shall be responsible for assessing the permissibility of the data processing.

(2) The Parties shall conclude the present Agreement to specify the mutual rights and obligations under data protection law. In case of doubt, the provisions of this Agreement shall take precedence over the provisions of the main agreement.

(3) The provisions of this contract shall apply to all activities related to the main contract in the course of which the Processor and its employees or persons authorized by the Processor come into contact with personal data originating from the Controller or collected for the Controller.

(4) The term of this Agreement shall be governed by the term of the main Agreement, unless the following provisions give rise to obligations or rights of termination going beyond this.

§ 3 Right to issue instructions

(1) The Processor may only collect, process or use data within the scope of the main contract and in accordance with the instructions of the Controller; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If the Processor is required by the law of the European Union or of the Member States to which it is subject to carry out further processing, it shall notify the Controller of these legal requirements prior to the processing.

(2) The Controller's instructions shall initially be specified by this Agreement and may thereafter be amended, supplemented or replaced by the Controller in writing or in text form by means of individual instructions (individual instructions). The Controller shall be entitled to issue corresponding instructions at any time. This includes instructions with regard to the correction, deletion and blocking of data.

(3) All instructions issued shall be documented by the Controller. Instructions that go beyond the performance agreed in the main contract shall be treated as a request for a change in performance. Provisions concerning any remuneration of additional expenses incurred by the Processor as a result of supplementary instructions issued by the Controller shall remain unaffected.

(4) If the Processor is of the opinion that an instruction of the Controller violates data protection provisions, it shall notify the Controller thereof without undue delay. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller. The Processor may refuse to implement an instruction that is obviously unlawful.

§ 4 Types of data processed, group of data subjects

(1) As part of the performance of the Main Contract, the Processor shall have access to the personal data specified in more detail in Annex 1.

(2) The group of persons affected by the data processing is shown in Annex 2.

§ 5 Protective measures of the processor

(1) The Processor shall be obliged to observe the statutory provisions on data protection and not to disclose information obtained from the area of the Controller to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.

(2) The Processor shall organize its internal operations in its area of responsibility in such a way that they meet the special requirements of data protection. It shall have taken the technical and organizational measures specified in Annex 3 for the adequate protection of the data of the Controller pursuant to Art. 32 GDPR, which the Controller acknowledges as adequate. The Processor reserves the right to change the security measures taken, while ensuring that the contractually agreed level of protection is not undercut.

(3) The persons employed in the data processing by the Processor are prohibited from collecting, processing or using personal data without authorization. The Processor shall oblige all persons entrusted by it with the processing and performance of this Agreement (hereinafter referred to as "Employees") accordingly (obligation of confidentiality, Art. 28 (3) lit. b GDPR) and shall ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force after the termination of this Agreement or the employment relationship between the Employee and the Processor.

§ 6 Information obligations of the processor

(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Processor, suspected security-related incidents or other irregularities in the processing of personal data by the Processor, by persons employed by it within the scope of the contract or by third parties, the Processor shall inform the Controller without undue delay. The same shall apply to audits of the Processor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:

a) a description of the nature of the personal data breach, specifying, to the extent possible, the categories and number of data subjects, the categories concerned and the number of personal data records concerned;

b) a description of the measures taken or proposed by the Processor to address the breach and, where applicable, measures to mitigate its possible adverse effects;

c) a description of the likely consequences of the personal data breach.

(2) The Processor shall immediately take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects, inform the Controller thereof and request further instructions.

(3) The Processor shall furthermore be obligated to provide the Controller with information at any time insofar as the Controller's data are affected by a breach pursuant to Paragraph 1.

(4) If the data of the Controller held by the Processor is endangered by attachment or seizure, by insolvency or composition proceedings or by other events or measures of third parties, the Processor shall inform the Controller thereof without undue delay, unless the Processor is prohibited from doing so by court or administrative order. In this context, the Processor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Controller.

(5) The Processor shall inform the Controller without delay of any significant changes to the security measures pursuant to Section 5 (2).

(6) The Processor shall cooperate to a reasonable extent in the creation of the record of processing activities by the Controller. The Processor shall provide the Controller with the required information in an appropriate manner.

§ 7 Control rights of the Controller

(1) The Controller shall satisfy itself of the technical and organizational measures of the Processor prior to the commencement of data processing and thereafter regularly on a quarterly basis. For this purpose, the Controller may, for example, obtain information from the Processor, obtain existing certificates from experts, certifications or internal audits or, after timely coordination, personally inspect the technical and organizational measures of the Processor during normal business hours or have them inspected by a competent third party, provided that the third party is not in a competitive relationship with the Processor. The Controller shall carry out checks only to the extent necessary and shall not disproportionately disrupt the Processor's operations in the process.

(2) The Processor undertakes to provide the Controller, upon the latter's verbal or written request and within a reasonable period of time, with all information and evidence required to carry out a check of the Processor's technical and organizational measures.

(3) The Controller shall document the inspection result and notify the Processor thereof. In the event of errors or irregularities that the Controller discovers, in particular during the inspection of order results, the Controller shall inform the Processor without delay. If facts are found during the inspection, the future avoidance of which requires changes to the commissioned procedure, the Controller shall notify the Processor of the necessary procedural changes without delay.

(4) The Processor shall provide the Controller, at the latter's request, with a comprehensive and up-to-date data protection and security concept for the commissioned processing and with information on the persons authorized to access the data.

(5) Upon request, the Processor shall provide the Controller with evidence of the commitment of the employees pursuant to Section 5 (3).


§ 8 Use of subcontracted processors

(1) The contractually agreed services shall be performed with the involvement of the subcontractors named in Annex 4 (hereinafter referred to as Sub-Processors). The Controller grants the Processor its general authorization within the meaning of Article 28(2) sentence 1 of the GDPR to engage additional sub-processors within the scope of its contractual obligations or to replace sub-processors already engaged.

(2) The Processor shall inform the Controller in advance by e-mail newsletter of any intended change regarding the use or replacement of a sub-processor. The Processor shall receive the e-mail newsletter after registering at https://www.sawayo.de/unterauftragsverarbeiter-news. The Controller may object to the intended use or replacement of a sub-processor for good cause under data protection law.

(3) The objection to the intended use or replacement of a sub-processor must be raised within 2 weeks of the information being sent in the e-mail newsletter. If there is an important reason under data protection law and a mutually agreeable solution cannot be found between the controller and the processor, the controller shall have a special right of termination at the end of the month following the objection.

(4) When engaging subcontractors, the Processor shall oblige them in accordance with the provisions of this Agreement.

(5) A subcontracting relationship within the meaning of these provisions does not exist if the Processor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunication services without any specific reference to services provided by the Processor to the Controller, and guarding services. Maintenance and testing services constitute subcontractor relationships requiring consent insofar as they are provided for IT systems that are also used in connection with the provision of services for the Controller.

§ 9 Requests and rights of data subjects

(1) The Processor shall support the Controller as far as possible with suitable technical and organizational measures in fulfilling the Controller's obligations under Articles 12 to 22 and 32 to 36 of the GDPR.

(2) If a data subject asserts rights, such as the right to information, correction or deletion with regard to his/her data, directly against the Processor, the Processor shall not react independently, but shall immediately refer the data subject to the Controller and await the Controller's instructions.


§ 10 Liability

(1) The Processor shall have unlimited liability for damages insofar as the cause of the damage is based on an intentional or grossly negligent breach of duty by the Processor, a legal representative or vicarious agent.

(2) The Processor shall only be liable for negligent conduct in the event of a breach of an obligation the fulfillment of which is a prerequisite for the proper performance of the contract and on the observance of which the Controller regularly relies and may rely, but limited to the average damage typical for the contract. Otherwise, the liability of the Processor - also for vicarious agents - is excluded.

(3) The limitation of liability pursuant to § 10 (2) shall not apply to claims for damages arising from injury to life, body, health or from the assumption of a guarantee.

§ 11 Termination of the main contract

(1) After termination of the main contract, the Processor shall return to the Controller all documents, data and data carriers provided to it or - at the request of the Controller, unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany - delete them. The Processor shall confirm the proper deletion of any initially still existing data upon request.

(2) The Controller shall have the right to control the complete and contractual return or deletion of the data at the Processor in an appropriate manner.

(3) The Processor shall be obligated to keep confidential any data disclosed to it in connection with the Main Agreement even beyond the end of the Main Agreement. The present agreement shall remain valid beyond the end of the main contract for as long as the Processor has personal data at its disposal which have been forwarded to it by the Controller or which it has collected for the Controller.


§ 12 Final provisions

(1) Amendments and supplements to this Agreement must be made in text form. This shall also apply to any waiver of this formal requirement. The priority of individual contractual agreements shall remain unaffected.

(2) Should individual provisions of this Agreement be or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions.

(3) This agreement is subject to German law. The exclusive place of jurisdiction is Rostock.


Attachments

Annex 1 - Description of data/data categories

● Personal master data (title, name, address, position in the company, working time model, telephone numbers, e-mail)
● Recorded working times, working time accounts, vacation accounts, sick days
● Any documents and their contents that the User enters as part of his use of the Provider's software; for example, in the context of the personnel file, these may be employment contracts and other agreements between the Employer and its employees.

Annex 2 - Description of affected persons/groups of affected persons

● The Controller, insofar as it is a natural person
● Employees of the Controller
● Third parties to whom the Controller gives access to the Provider's software
● Third parties named in the documents uploaded to the software

Annex 3 - Technical and organizational measures of the processor

The list of our technical and organizational measures can be viewed publicly at any time as Annex 3 to this order processing agreement at the following URL:
www.sawayo.de/TOMs

Annex 4 - Current subcontracted processors

The list of our sub-processors is publicly available as Annex 4 to this Order Processing Agreement at any time at the following URL:
www.sawayo.de/unterauftragsverarbeiter