1) Storage of access data in server log files
You can visit our websites without giving any personal information. We only store access data in so-called server log files, such as the name of the requested file, the date and time of the retrieval, the amount of data transferred and the requesting provider. These data are evaluated solely to ensure trouble-free operation of the site and to improve our offer, and they do not allow us to draw conclusions about your person.
2) Collection and use of personal data for contract execution and opening a customer account
Personal data are collected and stored exclusively within the framework of the statutory provisions of the Federal Data Protection Act (BDSG) and the Telemedia Act (TMG). We only collect personal data if you voluntarily provide it to us as part of your order, when contacting us (for example, by contact form or e-mail) or when opening a customer account, and when you agree to the collection and use of the data. Which data are collected can be seen from the respective input forms. We use the data provided by you to process the contract and your inquiries. After completion of the contract or deletion of your customer account, your data will be blocked for further use and deleted after expiry of the tax and commercial retention periods, unless you have expressly consented to a further use of your data or we reserve the right to further data use, which is legally permitted and about which we will inform you below. The deletion of your customer account is possible at any time and can be done either by a message to the contact option described below or via a designated function in the customer account.
3) Order data processing
Further details of the order data processing are described in Annex A of this contract.
4) Data transfer for fulfillment of the contract
For fulfillment of the contract, we will pass on your data to the payment service provider commissioned by us:
PAYONE GmbH, Fraunhoferstr. 2-4, 24118 Kiel, Germany
Registered office: Kiel - Amtsgericht Kiel HRB 6107
Managing Directors: Carl Frederic Zitscher, Jan Kanieß
In order to make the visit to our website attractive and to enable the use of certain functions, we use so-called cookies on various pages. These are small text files that are stored on your device. Some of the cookies we use are deleted after the end of the browser session, i.e. after closing your browser (so-called session cookies). Other cookies remain on your device and allow us to recognize your browser on your next visit (persistent cookies). You can set your browser so that you are informed about the setting of cookies and can decide individually on their acceptance, or exclude the acceptance of cookies for specific cases or in general. Failure to accept cookies may limit the functionality of our website.
6) Use of Google (Universal) Analytics for web analytics
This website uses Google (Universal) Analytics, a web analytics service provided by Google Inc. (www.google.com). Google (Universal) Analytics uses methods that allow an analysis of your use of the website, such as so-called "cookies", text files that are stored on your computer. The generated information about your use of this website is usually transmitted to a Google server in the USA and stored there. By activating IP anonymisation on this website, the IP address will be shortened prior to transmission within the member states of the European Union or in other contracting states of the Agreement on the European Economic Area. Only in exceptional cases will the full IP address be sent to a Google server in the US and shortened there. The anonymized IP address provided by Google Analytics within the scope of Google Analytics will not be merged with other data provided by Google.
You can prevent the collection of the data (including your IP address) generated by the cookie and related to your use of the website from Google as well as the processing of this data by Google by downloading and installing the browser plug-in available under the following link: http://tools.google.com/dlpage/gaoptout?hl=en. We point out, however, that in this case you may not be able to use all the functions of this website in full.
As an alternative to the browser plug-in or within browsers on mobile devices, you can click on this link to prevent future detection by Google Analytics on this website. An opt-out cookie is stored on your device. If you delete your cookies, you must click the link again.
We continue to use Google Analytics to analyze data from DoubleClick and AdWords for statistical purposes. If you do not want this, you can disable it through the Ads Preferences Manager (http://www.google.com/settings/ads/onweb/?hl=en).
7) Right to information and contact
You have the right to free information on the data stored about you as well as a right to correct, block or delete this data. For questions about the collection, processing or use of your personal data, information, correction, blocking or deletion of data and revocation of granted consent or objection to a particular use of data, please contact us directly in writing or by e-mail using the following contact information:
Annex A: Data processing
Both Company and Supplier hereinafter individually referred to as a »Party«, and jointly referred to as the »Parties« on contract data processing on behalf as referred to by section 11 paragraph 2 of the German federal data protection act (»Bundesdatenschutzgesetz«, hereinafter »BDSG«)
This annex details the obligations of the Parties related to the protection and processing of personal data. It shall apply to all activity within the scope of and related to the Agreement, and in whose context the Supplier’s employees or subcontractors may come into contact with Company’s personal data.
§ 1 Scope, Duration and Specification as to Contract Data Processing on Behalf
The scope and duration as well as the extent and nature of the collection, processing and use of personal data shall be as defined in the Agreement. Processing on behalf shall include in particular, but not be limited to, the categories of personal data listed in the table below:
- Category of data
Customers and personal data:
Name, address and e-mail and access data of the customer, his employees and used communication partners.
- Purpose of collection, processing or use of data:
Communication for organizational and technical purposes. Sending of billing data. Access for the customer portal. Authorize access to the cloudplan software.
- Category of data subjects the data relates to:
Management, billing staff, data processing, programming, technical support
Except where this annex expressly stipulates any surviving obligation, the term of this annex shall follow the term of the Agreement.
§ 2 Scope of Application and Distribution of Responsibilities
- Supplier shall process personal data on behalf of Company. The foregoing shall include the activities enumerated and detailed in the Agreement and its scope of work. Within the scope of the Agreement, Company shall be solely responsible for complying with the statutory data privacy and protection regulations, including, but not limited to, the lawfulness of the transmission to the Supplier and the lawfulness of processing; Company shall be the responsible body (»verantwortliche Stelle«) as defined in section 3 paragraph 7 BDSG.
- Any instruction by Company to Supplier related to processing (hereinafter, a »Processing Instruction«) shall, initially, be defined in the Agreement, and Company shall be entitled to issue changes and amendments to Processing Instructions and to issue new Processing Instructions. Parties shall treat any Processing Instruction exceeding the scope of work defined in the Agreement as a change request.
§ 3 Supplier’s Obligations and Responsibilities
- Supplier shall collect, process, and use data related to data subjects only within the scope of work and the Processing Instructions issued by Company.
- Supplier shall, within Supplier’s scope of responsibility, structure Supplier’s internal organisation so it complies with the specific requirements of the protection of personal data. Supplier shall implement and maintain technical and organisational measures to adequately protect Company’s data in accordance with and satisfying the requirements of the BDSG (annex to section 9 BDSG). These measures shall be implemented as defined in the following list:
- physical access control
- logical access control
- data access control
- data transfer control
- data entry control
- control of Processing Instructions
- availability control
- separation control
Supplier shall be entitled to modify the security measures agreed upon, provided, however, that no modification shall be permissible if it derogates from the level of protection contractually agreed upon.
- Upon Company’s request, and except where Company is able to obtain such information directly, Supplier shall provide all information necessary for compiling the overview defined by § 4g paragraph 2 sentence 1 BDSG.
- Supplier shall ensure that any personnel entrusted with processing Company’s data have undertaken to comply with the principle of data secrecy in accordance with § 5 BDSG and have been duly instructed on the protective regulations of the BDSG. The undertaking to secrecy shall continue after the termination of the above-entitled activities.
- Supplier shall, without undue delay, inform Company of any material breach of the regulations for the protection of Company’s personal data, committed by Supplier or Supplier’s personnel. Supplier shall implement the measures necessary to secure the data and to mitigate potential adverse effects on the data subjects and shall agree upon the same with Company without undue delay. Supplier shall support Company in fulfilling Company’s disclosure obligations under section 42a BDSG.
- Supplier shall notify Company of the point of contact for all issues related to data privacy and protection within the scope of the Agreement.
- Supplier represents and warrants that Supplier complies with Supplier’s obligations under sections 4f and 4g BDSG (section 11 paragraph 2 no. 5 in connection with section 11 paragraph 4 BDSG). The foregoing shall include in particular, but not be limited to, Supplier’s obligations to appoint a data protection official where required by law.
- Supplier shall not use data transmitted to Supplier for any purpose other than to fulfil Supplier’s obligations under the Agreement.
- Where Company so instructs Supplier, Supplier shall correct, delete or block data in the scope of this Agreement. Unless stipulated differently in the Agreement, Supplier shall, at Company’s individual request, destroy data carrier media and other related material securely and beyond recovery of the data it contains. Where Company so instructs Supplier, Supplier shall archive and/or provide to Company, such carrier media and other related material.
- Supplier shall, upon Company’s order, provide to Company or delete any data, data carrier media and other related materials after the termination or expiration of the Agreement.
§ 4 Company’s Obligations
- Company shall, without undue delay and in a comprehensive fashion, inform Supplier of any defect Company may detect in Supplier’s work results and of any irregularity in the implementation of statutory regulations on data privacy.
- Company shall be obliged to maintain the public register of processing in accordance with section 4g paragraph 2 sentence 2 BDSG.
§ 5 Enquiries by Data Subjects
- Where, in accordance with applicable data privacy laws, Company is obliged to answer a data subject’s enquiry related to the collection, processing or use of such data subject’s data, Supplier shall support Company in providing the required information. The foregoing shall apply only where Company has so instructed Supplier in writing or in text form, and where Company reimburses Supplier for the cost and expenses incurred in providing such support. Supplier shall not directly respond to any enquiries of data subjects and shall refer such data subjects to Company.
- Where a data subject requests Supplier correct, delete or block data, Supplier shall refer such data subject to Company.
§ 6 Audit Obligations
- Company shall, prior to the commencement of the processing of data and at regular intervals thereafter [alternatively, an interval may be expressly stipulated], audit the technical and organisational measures implemented by Supplier and shall document the result of such audit. In the course of such audit, Company may, in particular, conduct the following measures, but shall not be limited to the same:
- Company may obtain information from Supplier.
- Company may request Supplier to submit to Company an existing attestation or certificate by an independent professional expert.
- Company may, upon reasonable and timely advance agreement, during regular business hours and without interrupting Supplier’s business operations, conduct an on-site inspection of Supplier’s business operations or have the same conducted by a qualified third party which shall not be a competitor of Supplier.
- Supplier shall, at Company’s written request and within a reasonable period of time, submit to Company any and all information, documentation and other means of factual proof necessary for the conduct of an audit.
§ 7 Subcontractors
- Company hereby permits Supplier to use Supplier’s affiliated legal entities as subcontractors for the scope of work defined in the Agreement, in whole or in part, and to subcontract to said affiliated legal entities the parts of the scope of work enumerated below.
- Where Supplier subcontracts deliverables to subcontractors, Supplier shall be obliged to extend any and all of Supplier’s obligations under the Agreement to all subcontractors. Sentence 1 shall apply in particular, but not be limited to, the requirements on the confidentiality and protection of data as well as data security, each as agreed upon between the Parties. Company shall be entitled to audit Supplier’s subcontractors only upon prior agreement with Supplier to that effect.
At Company’s written request, Supplier shall be required to provide to Company comprehensive information on the obligations of all subcontractors as they relate to data privacy and protection; this information shall, where necessary, include Company’s right to inspect the relevant contract documents.
- The approval requirements for subcontracting shall not apply in cases where Company subcontracts ancillary deliverables to third parties; such ancillary deliverables shall include, but not be limited to, the provision of external contractors, mail, shipping and receiving services, and maintenance services. Supplier shall conclude, with such third parties, any agreement necessary to ensure the adequate protection of data.
§ 8 Duties to Notify, Mandatory Written Form, Choice of Law
- Where Company’s data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Supplier’s control, Supplier shall notify Company of such action without undue delay. Supplier shall, without undue delay, notify all pertinent parties in such action that any data affected thereby is in Company’s sole property and area of responsibility, that data is at Company’s sole disposition, and that Company is the responsible body in the sense of the BDSG.
- No modification of this annex and/or any of its components – including, but not limited to, Supplier’s representations and warranties, if any – shall be valid and binding unless made in writing and then only if such modification expressly states that such modification applies to the regulations of this annex. The foregoing shall also apply to any waiver or modification of this mandatory written form.
- In case of any conflict, the regulations of this annex shall take precedence over the regulations of the Agreement. Where individual regulations of this annex are invalid or unenforceable, the validity and enforceability of the other regulations of this annex shall not be affected.
- This annex is subject to the laws of the Federal Republic of Germany.