Contract for order processing

 

between the person responsible for processing (hereinafter referred to as “client”)

 


and

 


Natty Gains Beteiligungs GmbH & Co. KG, 

Talstrasse 7

42697 Solingen

as a processor (hereinafter referred to as “contractor”)

 

Preamble

The client would like to commission the contractor to provide the services mentioned in Section 3. Part of the execution of the contract is the processing of personal data. In particular, Art. 28 GDPR sets certain requirements for such order processing. In order to comply with these requirements, the parties conclude the following agreement, the fulfillment of which will not be compensated separately unless this is expressly agreed.

 

§ 1 Definitions

(1) According to Article 4 Paragraph 7 of the GDPR, the person responsible is the body that alone or jointly with other persons responsible decides on the purposes and means of processing personal data.

(2) According to Article 4 Paragraph 8 of the GDPR, a processor is a natural or legal person, authority, institution or other body that processes personal data on behalf of the person responsible.

(3) According to Article 4 Para. 1 GDPR, personal data is all information that relates to an identified or identifiable natural person (hereinafter “data subject”); a natural person is considered to be identifiable if he or she can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more special characteristics that express the physical, physiological, genetic, psychological, economic, cultural or social identity of that natural person.

(4) Particularly sensitive personal data are personal data in accordance with Art. 9 GDPR, which reveal the racial and ethnic origin, political opinions, religious or ideological beliefs or trade union membership of those affected, personal data in accordance with Art. GDPR on criminal convictions and offenses or related security measures as well as genetic data in accordance with Art. 4 Para. 13 GDPR, biometric data in accordance with Art. 4 Para. 14 GDPR, health data in accordance with Art. 4 Para. 15 GDPR and data on the sex life or sexual orientation of a natural person.

(5) According to Article 4 Para. 2 GDPR, processing is any process or series of processes carried out with or without the help of automated processes in connection with personal data, such as collecting, recording, organizing, structuring, storing, adaptation or modification, reading, querying, use, disclosure by transmission, distribution or any other form of provision, comparison or linking, restriction, deletion or destruction.

(6) In accordance with Article 4 Paragraph 21 of the GDPR, the supervisory authority is an independent state body established by a member state in accordance with Article 51 of the GDPR.

 

§ 2 Information about the responsible data protection supervisory authority

(1) The responsible supervisory authority for the client depends on the respective federal state in which the company is based.

(2) The responsible supervisory authority for the contractor is the State Commissioner for Data Protection of North Rhine-Westphalia, Kavalleriestr. 2-4, 40213 Düsseldorf.

(3) The client and the contractor and, if applicable, their representatives will cooperate with the supervisory authority upon request in carrying out their tasks.

 

§ 3 Subject of the contract

(1) The contractor provides nutritional advice services for the client on the basis of the contractor's general terms and conditions or on the basis of an individually negotiated main contract between the contractor and the client. The contractor receives access to personal data and processes it exclusively on behalf of and in accordance with the instructions of the client. The scope and purpose of data processing by the contractor result from the general terms and conditions (and the associated service description). The client is responsible for assessing the admissibility of data processing.

(2) The parties conclude this agreement to specify the mutual data protection rights and obligations. In case of doubt, the provisions of this agreement take precedence over the provisions of the general terms and conditions or an individually negotiated main contract.

(3) The provisions of this agreement apply to all activities that are related to a main contract and in which the contractor and its employees or those authorized by the contractor come into contact with personal data that comes from the client or was collected for the client.

(4) The term of this contract is based on the general terms and conditions or an individually negotiated main contract, unless the following provisions result in additional obligations or termination rights.

 

§ 4 Right to give instructions

(1) The contractor may only collect, process or use data within the framework of the general terms and conditions or an individually negotiated main contract and in accordance with the instructions of the client; this applies in particular to the transfer of personal data to a third country or to an international organization. If the contractor is obliged to carry out further processing by the law of the European Union or the Member States to which it is subject, it will inform the client of these legal requirements before processing.

(2) The client's instructions are initially set out in this contract and can then be changed, supplemented or replaced by the client in written form or in text form by way of individual instructions. The client is entitled to issue corresponding instructions at any time. This includes instructions regarding the correction, deletion and blocking of data. Persons authorized to give instructions must be named by the client. In the event of a change or long-term absence of the named persons, the successor or representative must be named to the contractual partner immediately in text form.

(3) All instructions given must be documented by both the client and the contractor. Instructions that go beyond the service agreed in the general terms and conditions or in an individually negotiated main contract are treated as a request for a change in service.

(4) If the contractor is of the opinion that an instruction from the client violates data protection regulations, he must inform the client of this promptly. The contractor is entitled to suspend the implementation of the relevant instructions until they are confirmed or changed by the client. The contractor may refuse to carry out an obviously illegal instruction.

 

§ 5 Type of data processed, group of those affected

(1) The collection, processing and storage serves, on the one hand, to create individual nutritional plans and, on the other hand, to display and analyze eating behavior (calories, nutritional values, etc.) as well as to record progress with regard to body weight, body circumference and body composition for you as the client.

(2) The following data is processed:

  • Goal(s)
  • Age
  • Gender
  • Body size
  • Body weight
  • Calorie goal
  • Activity at work
  • Leisure activity
  • Sleep duration
  • Sporting activity
  • Diet
  • Food intolerances and intolerances
  • Further information on eating habits (this includes budget, cooking time, meal distribution, eating habits, snack check, drinks check, food exclusion)
  • First name
  • Last name
  • E-mail address
  • Encrypted password
  • User agent
  • Eaten foods
  • Photos of meals eaten
  • Body circumferences
  • Body composition
  • Hydration

(3) Categories of data subjects

  • Customers
  • Interested parties
  • Members
  • Employees

 

§ 6 Protective measures of the contractor

(1) The contractor is obliged to observe the legal provisions on data protection and not to pass on the information obtained from the client's area to third parties or to expose it to their access. Documents and data must be secured against access by unauthorized persons, taking into account the state of the art.

(2) The contractor will design the internal organization within his area of responsibility in such a way that it meets the special requirements of data protection. He takes all necessary technical and organizational measures to adequately protect the client's data in accordance with Art. 32 GDPR. The contractor reserves the right to change the security measures taken, while ensuring that they do not fall below the contractually agreed level of protection.

(3) Mr. Jannik Disch is the contact person for data protection at the contractor. 

(4) Persons employed by the contractor in data processing are prohibited from collecting, processing or using personal data without authorization. The contractor will oblige all persons entrusted by him with the processing and fulfillment of this contract (hereinafter referred to as employees) accordingly (obligation of confidentiality, Art. 28 para. 3 lit. b GDPR) and will ensure compliance with this obligation with the necessary care. These obligations must be worded in such a way that they continue to exist even after the termination of this contract or the employment relationship between the employee and the contractor. Evidence of the obligations must be provided to the client in an appropriate manner upon request.

 

§ 7 Information obligations of the contractor

(1) In the event of disruptions, suspected data protection violations or violations of the contractor's contractual obligations, suspected security-related incidents or other irregularities in the processing of personal data by the contractor, by people employed by him as part of the order or by third parties, the contractor will inform the client promptly in writing or text form. The same applies to audits of the contractor by the data protection supervisory authority.

(2) The contractor immediately takes the necessary measures to secure the data and to reduce possible adverse consequences for those affected, informs the client of this and requests further instructions.

(3) The contractor is also obliged to provide the client with information at any time to the extent that his data is affected by a violation in accordance with paragraph 1.

(4) If the client's data held by the contractor is at risk through seizure or confiscation, through insolvency or settlement proceedings or through other events or measures by third parties, the contractor must inform the client of this in a timely manner, unless he is prohibited from doing so by judicial or official order. In this context, the contractor will promptly inform all responsible authorities that decision-making authority over the data rests exclusively with the client as the “responsible party” within the meaning of the GDPR.

(5) The contractor must inform the client of any significant changes to the security measures in accordance with Section 6 Paragraph 2.

(6) The client must be informed of any change in the company data protection officer/contact person for data protection.

(7) The contractor and, if applicable, his representative keep a list of all categories of processing activities carried out on behalf of the client, which contains all information in accordance with Article 30 (2) GDPR. The list must be made available to the client upon request.

(8) The contractor must participate to an appropriate extent in the creation of the list of procedures by the client. He must provide the client with the required information in an appropriate manner.

 

§ 8 Control rights of the client

(1) The client checks the technical and organizational measures of the contractor before starting data processing and then regularly. For this purpose he can, for example, obtain information from the contractor, have existing reports from experts, certifications or internal tests presented to him, or personally check the contractor's technical and organizational measures after timely coordination during normal business hours or have them checked by a knowledgeable third party, provided that the third party does not have a competitive relationship with the contractor. The client will only carry out checks to the extent necessary and will not disproportionately disrupt the contractor's operational processes.

(2) The contractor undertakes to provide the client, upon his oral or written request, within a reasonable period of time with all information and evidence that is necessary to carry out an inspection of the contractor's technical and organizational measures.

(3) The client documents the inspection result and informs the contractor. In the event of errors or irregularities that the client discovers, particularly when checking the results of the order, he must inform the contractor immediately. If the inspection reveals circumstances whose future avoidance requires changes to the ordered procedural sequence, the client will immediately inform the contractor of the necessary procedural changes.

(4) At the client's request, the contractor will provide the client with a comprehensive and up-to-date data protection and security concept for order processing and information on persons authorized to access it.

(5) The contractor will provide the client with proof of the employees' obligation in accordance with Section 6 Paragraph 4 upon request.

(6) If additional costs arise for the contractor as a result of the client's control measures, these will be borne by the client.


§ 9 Use of subcontractors

(1) Within the scope of his contractual obligations, the contractor is authorized to establish further subcontractor relationships with subcontractors (“subcontractor relationship”). He will inform the client of this immediately. The contractor is obliged to carefully select subcontractors based on their suitability and reliability. When engaging subcontractors, the contractor must oblige them to comply with the provisions of this agreement and ensure that the client can exercise its rights under this agreement (in particular its testing and control rights) directly against the subcontractors. If subcontractors in a third country are to be involved, the contractor must ensure that an appropriate level of data protection is guaranteed by the respective subcontractor (e.g. by concluding an agreement based on the EU standard data protection clauses). Upon request, the contractor will provide the client with proof of the conclusion of the aforementioned agreements with his subcontractors.

(2) A subcontractor relationship within the meaning of these provisions does not exist if the contractor commissions third parties to provide services that are to be viewed as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without any specific reference to services that the contractor provides for the client, and security services. Maintenance and testing services represent subcontractor relationships requiring approval, insofar as they are provided for IT systems that are also used in connection with the provision of services for the client.


§ 10 Inquiries and rights of those affected

(1) If possible, the contractor supports the client with suitable technical and organizational measures in fulfilling his obligations in accordance with Articles 12–22 as well as 32 and 36 GDPR.

(2) If a data subject asserts rights, such as access to information, correction or deletion of his or her data, directly against the contractor, the contractor does not react independently, but instead refers the data subject immediately to the client and waits for his instructions.


§ 11 Liability

(1) The client and contractor are jointly liable externally to the respective data subject for damage caused by processing that does not comply with the GDPR.

(2) The contractor is solely liable for damages resulting from processing carried out by him in which

- the contractor has not complied with the obligations resulting from the GDPR and specifically imposed on processors or

- the contractor acted in disregard of the client's legally issued instructions or

- the contractor acted contrary to the legally issued instructions of the client.

(3) If the client is obliged to pay compensation to the person concerned, he reserves the right to resort to the contractor.

(4) In the internal relationship between the client and the contractor, the contractor is only liable for damage caused by processing if the contractor

- has not fulfilled its obligation specifically imposed by the GDPR or

- acted in disregard of the client's legally issued instructions or against these instructions.

(5) Further liability claims under general laws remain unaffected.

 

§ 12 Termination of cooperation

(1) The contractor will return to the client all documents, data and data carriers provided to him after the end of the collaboration or at any time upon the client's request or, at the client's request, delete them, unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany. This also applies to any data backups at the contractor. The contractor must provide documented evidence of the proper deletion of any remaining data.

(2) The client has the right to appropriately verify the complete and contractually compliant return or deletion of the data at the contractor.

(3) The contractor is obliged to treat the data he becomes aware of in connection with the collaboration confidentially, even after the end of the collaboration. This agreement remains valid beyond the end of the collaboration as long as the contractor has personal data that was provided to him by the client or that he collected for him.


§ 13 Final provisions

(1) Changes and additions to this agreement must be made in writing. This also applies to the waiver of this formal requirement. The priority of individual contractual agreements remains unaffected by this.

(2) If individual provisions of this agreement are or become wholly or partially invalid or unenforceable, this will not affect the validity of the remaining provisions.

(3) This agreement is subject to German law. The exclusive place of jurisdiction is Solingen.