AV contract

With the entry into force of the new European General Data Protection Regulation (GDPR; German: DSGVO), the conclusion of a contract for commissioned data processing is envisaged.

     

    Client

    - hereinafter: "Principal" -

    Contractor

    Partner & Sons
    P&S Digital Communication GmbH
    Harbour Street 25
    68159 Mannheim
    Germany

    info@partnerundsoehne.de

    - hereinafter: "Contractor" -

     

    conclude the following contract:

    1. Subject matter of the contract, definitions

    1.1 The subject matter of this contract is the collection, processing or use of personal data (hereinafter: "Data") by the Contractor, which are provided to the Contractor by the Client for the purpose of performing services after successful acceptance of the offer (hereinafter: "Main Contract").

    1.2 The Client has selected the undersigned Contractor carefully and conscientiously and in accordance with the existing statutory provisions - in particular in compliance with its statutory obligations.

    1.3 The commissioned data processing may not commence before the Client has issued a written order to the Contractor, which is effected by this Agreement.

    1.4 The data provided by the Client may be processed, collected or used by the Contractor exclusively for the fulfilment of the agreed contractual purpose.

    1.5 The collection, use and processing of data by the Contractor shall take place exclusively in Germany. Should the Contractor commission subcontractors in a third country (non-EU or non-EEA) with the data processing, this may not take place without the written consent of the Client. Furthermore, the Contractor shall ensure an appropriate level of data protection and that all legal (in particular according to the BDSG, the EU-DSGVO and the data protection laws of the federal states) and contractual obligations are complied with.

    2. Duration of the contract and termination

    2.1 The contract begins with the signing of the present agreement - but not before the signing and effectiveness of the main contract - and ends with termination.
    The parties are aware that the commissioned data processing may not take place without a valid contract for the commissioned processing of personal data, so that in the event of termination of the present contract, the commissioned data processing may not take place until a new contract for the commissioned processing of personal data has been concluded.

    2.2 Ordinary termination of this contract is excluded. The contractual relationship concerning the processing of personal data on behalf of the Client shall automatically end with the termination of the corresponding main contract.

    2.3 The right to terminate without notice remains unaffected by these clauses. A right to termination without notice is given in particular in the event of serious, intentional and/or repeated breaches of contractual or statutory data protection provisions. A serious breach shall be deemed to have occurred in particular if the Contractor does not comply with the Client's instructions - irrespective of the reason - or fails to support, obstructs or impedes controls by the Client or the competent supervisory authorities.

    3. General obligations of the contractor

    3.1 The Contractor undertakes to organise its operating procedures in such a way that the data processed by it on behalf of the Client are secured to the required extent and protected against unauthorised acquisition or knowledge by third parties. The Contractor shall coordinate security-relevant changes to the operating procedures with the Client in advance.

    3.2 The Contractor undertakes to collect/process/use the data exclusively within the scope of this contract and/or the main contract and/or to implement the Client's instructions. The Contractor is prohibited from collecting, processing or using any data beyond this.

    3.3 The Contractor shall ensure that the persons involved in the data processing in the individual case have been familiarised with the protective provisions of the data protection laws and regulations (in particular data secrecy). The persons involved shall also be obliged to comply with special confidentiality obligations within the meaning of Section 203 of the German Criminal Code (StGB).

    3.4 To the extent required by law, the Contractor confirms that it has appointed a company data protection officer and assures the Client that it will name this officer and provide its contact details (e.g. by e-mail). In the event of the appointment of a new data protection officer, the Client shall be informed of his contact details without delay. If there is no obligation to appoint a data protection officer, this shall be proven by the Contractor; in this case, however, the Contractor may have to prove that operational regulations exist which guarantee the processing of the data in accordance with the contract.

    3.5 The contractor shall inform the client without delay if data subjects assert their data subject rights against him and refer the data subjects to the client. In addition, the Contractor shall inform the Client without delay of any events or measures taken by third parties that could jeopardise the data that is the subject of the contract.

    3.6 The Client shall comply with all state and federal as well as European regulations on the protection of personal data. In particular, it shall implement the necessary technical and organisational measures and keep the register of processing activities required under Article 30(2) of the EU General Data Protection Regulation, insofar as this is required by law.

    3.7 The Contractor shall comply with the notification obligations of this Contract.

    3.8 The Contractor shall regularly and independently monitor the fulfilment of its obligations and document this in a suitable manner.

    3.9 The Contractor shall inform the Client without delay if it is of the opinion that an instruction of the Client violates statutory provisions. If an instruction is issued whose legality the Contractor substantially doubts, the Contractor shall be entitled to temporarily suspend its execution until the Client expressly demands it again or changes it.

    4. Technical and organisational measures

    4.1 The Contractor undertakes to take technical and organisational measures to protect personal data. The individual measures taken at the time of conclusion of the contract are set out in Annex 2 to this contract.

    4.2 The Contractor shall regularly review the effectiveness of the technical and organisational measures and optimise them if necessary.

    4.3 The parties agree that the technical and organisational measures may have to be modified due to legal, technical or actual changes. In this context, significant changes that may affect data protection concerns shall be agreed with the Client. Other measures by which no restriction of data protection concerns is to be feared may also be undertaken by the contractor without consultation. In any case, an up-to-date list of the technical and organisational measures taken by the contractor shall be submitted to the contractor at any time upon request.

    5. Data secrecy

    5.1 The Client expressly draws the Contractor's attention to the statutory provisions on data secrecy. The Contractor shall ensure that all persons employed by it to process the personal data which are the subject matter of the contract are expressly obliged to comply with legally prescribed secrecy obligations and are instructed about the special instruction and purpose bindings as well as any special data protection or secrecy obligations. The contractor shall also inform the aforementioned persons of the confidentiality rules pursuant to Section 203 of the German Criminal Code (violation of private secrets) and Section 17 of the German Unfair Competition Act (betrayal of business and trade secrets). The aforementioned persons shall also be informed by the contractor that the corresponding obligations shall continue to apply even after the termination of the activity.

    5.2 The Contractor assures that he and all persons employed by him for the performance of the present contract are aware of the applicable data protection regulations and their application.

    5.3 Statutory disclosure obligations of the Contractor shall remain unaffected by the aforementioned provisions.

    6. Notification and documentation obligations of the contractor

    6.1 The Contractor undertakes to immediately report any breach of data protection provisions, of this Agreement and/or of the Client's instructions. This obligation applies irrespective of whether the breach was committed by the Contractor itself, a person employed by it, a subcontractor or any other person it has used to fulfil its contractual obligations towards the Contractor. In particular, the contractor is obliged to support the client in the fulfilment of its statutory information obligations.

    6.2 The Contractor shall inform the Client without delay if supervisory actions or other measures of an authority are imminent which could also affect the processing, use or collection of the data provided by the Client.

    6.3 If the data provided to the contractor by the client within the scope of this contract is endangered by insolvency proceedings, attachment, seizure, composition proceedings or other events or measures taken by third parties against the contractor, the contractor shall immediately inform the client thereof. The Client shall thereupon inform the persons responsible for the measure that ownership of and all rights to the data lie with the Client as the responsible entity within the meaning of the law.

    6.4 The Contractor further undertakes to document all instructions of the Client in writing or in another suitable form and to make available to the Client without delay upon request all directories, protocols and other necessary information to prove compliance with statutory obligations and to enable and reasonably contribute to reviews - including inspections - carried out by the Client or another auditor appointed by the Client.

    7. Obligations of the principal

    7.1 The Client is the body responsible for the data processing by the Contractor under data protection law. In this role, it is responsible in particular for the lawfulness and admissibility of the data processing, the protection of the rights of the data subjects and the supervision of the commissioned data processing. In this context, the client is responsible in particular for creating the conditions that enable the contractor to provide its services without violating the law.

    7.2 Before the start of data processing and regularly during the term of the contract, the Client shall monitor compliance with contractual and statutory data protection provisions and, if necessary, issue appropriate instructions. This concerns in particular compliance with technical and organisational measures. The results of these checks and instructions shall be recorded in an appropriate manner by both the Client and the Contractor.

    7.3 The Client may furthermore demand the deletion, correction, blocking or surrender of the data concerned before, during and after the data processing or before, during and after the term of the contract.

    7.4 In the event of irregularities in data processing, the Client shall inform the Contractor without delay and take appropriate measures or issue instructions to remedy the breach as quickly as possible.

    8. Control powers of the principal

    8.1 The Client is entitled and obliged to monitor compliance with the statutory and contractual provisions on the protection of personal data before the start of data processing and then regularly and at any time during the term of the contract to the extent required. This control authority shall include, in particular, compliance with the Client's instructions, the fulfilment of the statutory logging and documentation obligations and the implementation of the necessary technical and organisational measures. At the request of the Client, the Contractor shall also allow inspection of the data processing programmes or systems used by the Contractor to carry out the order.

    8.2 As a matter of principle, the contractor shall support and tolerate all control and supervisory measures to an appropriate extent. In particular, the Contractor shall be obliged to provide the Client with complete and truthful information, insofar as this is necessary for the performance of the checks referred to in this clause.

    8.3 Within the scope of the aforementioned inspections, disruptions to the Contractor's operations shall be avoided as far as possible. In particular, visits to the Contractor's premises shall generally be announced with an appropriate lead time and shall be carried out during normal business hours, provided this does not conflict with the success of the inspection measure. If there is a suspicion of a breach of statutory or contractual data protection provisions, the inspection - including the site visit - may be carried out without prior notice, whereby the proportionality of the inspection measure must be taken into account.

    8.4 In the event of irregularities in data processing, the Client shall inform the Contractor without delay and take appropriate measures or issue instructions to remedy the breach as quickly as possible.

    8.5 The Client and the Contractor shall independently document the results of the inspections.

    9. Authority of the principal to issue instructions

    9.1 The Client reserves the right to specify the subject matter of the order in terms of type, scope and procedure within the framework of this agreement by means of oral or written instructions. In the event of oral instructions, these shall be confirmed in writing by the Client without delay. The Contractor shall record the person, date and time of the oral instruction in an appropriate form. The Client shall expressly state the reason why no written instruction could be given.

    9.2 Changes to the subject matter of the contract must be agreed jointly with the Contractor.

    10. Correction, deletion and blocking of data

    10.1 Personal data or documents that are no longer required may only be corrected, blocked or destroyed with the consent of the Client. Otherwise, the Client may demand the correction, deletion, blocking or surrender of the data before, during or after the end of the term of the contract. The Contractor shall comply with any such instruction without delay. The working time incurred for this purpose shall be charged at an hourly rate of EUR 80.00 plus statutory value added tax.

    10.2 If a data subject requests the Contractor to correct, block or delete or inspect data, the Contractor shall forward the request to the Client without delay. The Contractor shall support the Client in the fulfilment of the Client's obligations towards the data subjects. The working time incurred for this purpose shall be charged at an hourly rate of EUR 80.00 plus statutory VAT.

    11. Use of subcontractors

    11.1 The Contractor is only entitled to use subcontractors with the written consent of the Client. All subcontractor relationships of the Contractor already existing at the time of the conclusion of the contract and expressly confirmed by the Client are conclusively attached to this contract in Annex 1. For the subcontractors listed in Annex 1, the written consent shall be deemed to have been granted upon signature of this contract.

    11.2 The actions of the subcontractor in connection with the performance of the contract shall be attributed to the contractor as its own actions.

    11.3 The Contractor assures that it has selected its subcontractors carefully and conscientiously and will select future subcontractors accordingly so that their use does not impair the proper performance of the contract in relation to the Client. In particular, it shall ensure by means of appropriate contractual provisions and corresponding subcontract data processing agreements that the subcontractor has taken the necessary technical and organisational measures to protect personal data. The contractor must also ensure that the instructions issued by the client are also followed and recorded by the subcontractors. Compliance with these obligations shall be regularly monitored and documented by the contractor.

    11.4 The Contractor shall obtain confirmation from its subcontractors that they have appointed a company data protection officer - to the extent required by law. If no data protection officer has been appointed or if one leaves during the term of the contract without being replaced, the Client shall be informed of this circumstance by the Contractor.

    11.5 All contracts between the Contractor and subcontractors (subcontracts) must comply with the requirements of this Contract and the requirements of the statutory provisions on the processing of personal data on behalf of the Principal. The subcontractor agreements must also ensure that the control and instruction powers agreed in this contract can also be exercised by the Client in the same way and to the full extent in relation to the subcontractors.

    11.6 In the event of a corresponding request by the Contractor, the Contractor shall be obliged to provide information about the Subcontractor's obligations relevant under data protection law and, if necessary, to inspect the corresponding contractual documents or control and supervision results as well as corresponding documentation, protocols and directories of the Contractor or to request the transmission of copies of these documents.

    11.7 Services which the contractor uses as purely ancillary services for the performance of its business activities shall not be considered subcontracts within the meaning of this clause. This includes, for example, cleaning services, telecommunication services which have no specific connection to the contractual service as well as postal and courier services, other transport services and security services. Even in the case of ancillary services not requiring consent, the contractor must take the necessary organisational and technical precautions to protect personal data. Maintenance and auditing services required by law are deemed to be subcontracts requiring consent if they include those IT systems that are also used to provide the contractual service.

    11.8 If the Contractor wishes to commission subcontractors in a third country (non-EU or non-EEA) with the data processing, this may not be done without the written consent of the Client. In addition to the obligations mentioned in the previous paragraphs, the contractor shall ensure an adequate level of data protection and that all legal and contractual obligations are complied with.

    12. Return and deletion of data and data carriers after termination of the contract

    12.1 After termination of the contract, the Client shall be obliged to hand over to the Client all data files, results of use and processing as well as data carriers obtained in connection with the order and/or to destroy them in accordance with data protection law after prior consent of the Client. The same applies to test and reject material as well as any data backups remaining with the Client.

    12.2 The Client shall be entitled to inspect the measures of the Contractor pursuant to paragraph 1 in a suitable manner. For this purpose, it shall in particular be entitled to inspect the relevant data processing systems and the Contractor's business premises. The inspection of the business premises shall take place during regular business hours and shall be announced to the Contractor in good time, provided that this does not jeopardise the success of the inspection measure.

    12.3 The obligation to delete does not cover correspondence and documents to be retained in accordance with statutory provisions or contractual documents or other documents intended for the contractor. The relevant retention periods, if any, shall apply to these documents. Further claims for deletion remain unaffected by this clause.

    13. Final provisions

    13.1 The Contractor waives its right of retention with regard to the data and data carriers provided to it for the purpose of executing the contract.

    13.2 Amendments to this Contract and ancillary agreements shall be in writing and shall clearly indicate that and what amendment or supplement to these Conditions they are intended to effect.

    13.3 Should individual provisions of this agreement be invalid, the remainder of this agreement shall remain unaffected.

    13.4 All annexes to this contract are part of the contract.

    13.5 The place of performance and jurisdiction is Mannheim.

    Enclosure 1

    List of existing subcontractors at the time of conclusion of the contract

    | (Company) name and website | Description of the service | Place of performance |
    |---|---|---|
    | deLink Gesellschaft für Unternehmenskommunikation mbH, www.delink.de | Hosting and domain providers | Hamburg, DE |
    | Tim Schmidt, www.tim-schmidt.digital | Social media consulting and audits | Mannheim, DE |
    | Brückner & Brückner, www.brueckner.studio | Design and UX | Mannheim, DE |
    | JC - Julia Sawall and Christopher Smid GbR, www.juliaandchris.de | Strategy and Advertising | Hamburg, DE |

    Enclosure 2

    Technical and organisational measures within the meaning of § 9 BDSG

    1. Measures suitable for preventing unauthorised persons from gaining access to the data processing systems with which personal data are processed or used (physical access control).

    The following physical access control measures exist:

    - Alarm system
    - Chip card/transponder locking system
    - Manual locking system
    - Security locks
    - Key control (key issue etc.)

    2. Measures that prevent data processing systems from being used by unauthorised persons (system access control).

    The following system access control measures exist:

    - Assignment of user rights
    - Creating user profiles
    - Password assignment
    - Authentication with user name/password
    - Security locks
    - Key regulation (key issue etc.)

    3. Measures to ensure that those authorised to use a data processing system can only access the data subject to their access authorisation and that personal data cannot be read, copied, modified or removed without authorisation during processing, use and after storage (data access control).

    The following data access control measures exist:

    - Administration of rights by system administrator
    - Number of administrators reduced to the "bare minimum"
    - Creation of an authorisation concept
    - Secure storage of data media

    4. Measures to ensure that personal data cannot be read, copied, altered or removed by unauthorised persons during electronic transmission or during their transport or storage on data carriers, and that it is possible to verify and establish to which bodies personal data are intended to be transmitted by data transmission equipment (transfer control).

    The following transfer control measures exist:

    - Transfer of data in anonymised or pseudonymised form
    - Documentation of the recipients of data and the time periods of the planned transfer or agreed deletion periods.
    - Data is only passed on in consultation with and with the express permission of the client.

    5. Measures to ensure that it can be subsequently verified and established whether and by whom personal data have been entered into, modified or removed from data processing systems (input control).

    The following input control measures exist:

    - Logging the entry, modification and deletion of data.
    - Create an overview showing which applications can be used to enter, change and delete which data.
    - Retention of forms from which data has been transferred to automated processing.
    - Assigning rights to enter, change and delete data on the basis of an authorisation concept.

    6. Measures to ensure that personal data processed on behalf of the client can only be processed in accordance with the client's instructions (order control).

    The following order control measures exist:

    - Selection of the contractor under due diligence aspects (in particular with regard to data security)
    - Written instructions to the contractor (e.g. through a data processing contract)
    - Obligation of the contractor's employees to maintain data secrecy
    - Ensuring the destruction of data after completion of the order
    - Effective control rights vis-à-vis the contractor agreed

    7. Measures to ensure that personal data are protected against accidental destruction or loss (availability control).

    The following availability control measures exist:

    - Uninterruptible power supply (UPS)
    - Fire and smoke detection systems
    - Creation of a backup & recovery concept

    8. Measures to ensure that data collected for different purposes can be processed separately (segregation control).

    The following separation control measures exist:

    - Creation of an authorisation concept
    - Logical client separation (on the software side)
    - Determination of database rights

     
