Contract about the Order processing of personal data in WiredMinds LeadLab according to GDPR
Contractors
CONTRACTOR
Company name: WiredMinds
Company addition: GmbH
Street & Housenumber: Lindenspürstr. 32
Postal Code: 70176
City: Stuttgart
Represented by: Mr. Andrei Lisikov, CEO
Client
> Your company data is entered here <
1 INTRODUCTION, SCOPE, DEFINITIONS
(1) This contract governs the rights and obligations of the Client and the Contractor (hereinafter referred to as the “Parties”) in the context of the processing of personal data.
(2) Terms used in this contract shall be understood in accordance with their definition in the EU General Data Protection Regulation. In this sense, the Client is the “Controller” and the Contractor is the “Processor”.
2 SUBJECT AND DURATION OF PROCESSING
2.1 SUBJECT
3 Type and purpose of data collection, processing or use:
3.1 LEADLAB
3.1.1. Nature of the processing
The processing is as follows:
(1) The Client uses the tracking technology (JavaScript) of WiredMinds GmbH (www.wiredminds.de) on its website to analyse the behaviour of its website visitors. Before the visitor’s behaviour is recorded, the IP address of each website visitor is read from the TCP/IP protocol, compared with the company database of WiredMinds GmbH (whitelist procedure) and deleted after the comparison has taken place.
The IP address is never stored in LeadLab.
The IP address is processed solely for the purpose of being able to assign website visits to an identifiable company without any possible inference to the natural person. The visiting behaviour of website visitors for whom the identifiability of a natural person cannot be ruled out is not recorded.
The basis for the processing is the legitimate interest of the Client (Art. 6(1)(f) GDPR) to obtain information on an identifiable company visitor to its website and to optimise its website via the analytical consideration of visitor behaviour.
WiredMinds GmbH uses the information collected on behalf of the Client to create anonymous usage profiles relating to visitor behaviour on the Client’s website. The data obtained in this way is not used to personally identify the visitor to the website.
(2) The Contractor shall provide the Client with a user interface for processing and managing the collected visitor data.
3.1.2. Type of Data
The following data is processed in the case of 3.1.1:
(1) The IP address
(2) User ID and user master data of the Client’s employees (software users), user usage data of the Client’s employees in the form of log files (service monitoring and security), hosting of CRM data, which can also be personal such as notes of the Client in LeadLab.
3.1.3 Categories of data subjects
The following are affected by the processing in the case of 3.1.1:
(1) Website visitors
(2) Employees of the Client
3.2 IP-TO-COMPANY
3.2.1. Nature of the processing
The processing is as follows:
(1) The Client uses the API of WiredMinds GmbH (www.wiredminds.de) to match the IP address of the website visitor against the WiredMinds company database (whitelist procedure).
The IP address of each website visitor is read from the TCP/IP protocol, compared with the company database of WiredMinds GmbH (whitelist procedure) and deleted after the comparison has taken place. The IP address is not stored under any circumstances.
The IP address is processed solely for the purpose of retrieving company-relevant information about an identifiable IP address of a website visitor from the WiredMinds company database via the API. The data received includes, for example, the company name, company address, telephone number, domain, industry, etc.
The basis for the processing is the legitimate interest of the Client (Art. 6(1)(f) GDPR) to obtain information about an identified company visitor to its website via the interface.
3.2.2 Type of data
The following data is processed:
(1) The IP address
3.2.3. Categories of data subjects
The following is affected by the processing:
(1) Website visitors
4 Obligations of the Contractor
(1) The Contractor shall process personal data only as contractually agreed or as instructed by the Client, unless the Contractor is required by law to carry out a specific processing operation. If such obligations exist for them, the Contractor shall notify the Client of them prior to the processing, unless the notification is prohibited to them by law. Furthermore, the Contractor shall not use the data provided for processing for any other purposes, in particular not for their own purposes.
(2) The Contractor confirms that they are aware of the relevant general data protection regulations. They shall observe the principles of proper data processing.
(3) The Contractor undertakes to strictly maintain confidentiality during processing.
(4) Persons who may obtain knowledge of the data processed on behalf of the Client shall undertake in writing to maintain confidentiality, insofar as they are not already subject to a relevant confidentiality obligation by law.
(5) The Contractor warrants that the persons they employ for processing are familiarised with the relevant provisions of data protection prior to the start of processing and are continuously sensitised.
(6) In connection with the commissioned processing, the Contractor shall support the Client as far as necessary in the fulfilment of obligations under data protection law. This includes, in particular, the creation of the inventory of processing activities or the performance of the data protection impact assessment as well as the consultation of the supervisory authority.
(7) If the Client is subject to inspection by supervisory authorities or other bodies, or if data subjects assert rights against the Client, the Contractor undertakes to support the Client to the extent necessary insofar as the processing under the contract is affected.
(8) The Contractor may only provide information to third parties or the data subject with the prior consent of the Client. They shall immediately forward requests addressed directly to them to the Client.
(9) To the extent required by law, the Contractor shall appoint a competent and reliable person as data protection officer.
(10) The order processing takes place exclusively within the EU or the EEA.
5 Technical and organisational measures
(1) The data security measures described in Annex 1 are set out as mandatory. They define the minimum owed by the Contractor.
(2) The data security measures can be adapted to technical and organisational developments as long as the level agreed here is met. The Client shall be informed immediately of any significant changes.
(3) The Contractor assures that the data processed in the order are strictly separated from other data files.
(4) Copies or duplicates shall not be made without the knowledge of the Client. Technically necessary, temporary duplications are excepted, insofar as an impairment of the level of data protection agreed here is excluded.
(5) The processing of data outside the Contractor’s business premises, in particular in home offices, is permissible. The Contractor shall ensure that a level of data protection and data security corresponding to this contract is maintained and that the Client’s control rights provided for in this contract can be exercised without restriction. The processing of data on private devices is not permitted under any circumstances.
(6) The Contractor shall ensure a procedure for the regular review, assessment and evaluation of the effectiveness of the technical and organisational measures to ensure the security of the processing pursuant to Art. 32(1)(d) GDPR.
6 Rules on the correction, deletion and blocking of data
(1) The Contractor shall only correct, delete or block data processed within the scope of the order in accordance with the agreement reached or in accordance with the Client’s instructions.
(2) The Contractor shall comply with the corresponding instructions of the Client at all times and also beyond the termination of this contract.
7 Subcontracting relationships
(1) The Client generally agrees that the Contractor may use subcontractors.
(2) The Contractor shall carefully select subcontractors with particular regard to the suitability of the technical and organisational measures taken by them.
(3) Subcontractors shall be contractually bound to at least the data protection obligations comparable to those agreed in this contract. The Client shall be given access to the relevant contracts between the Contractor and the subcontractor upon request.
(4) The rights of the Client must also be able to be effectively exercised against subcontractors. In particular, the Contractor must be entitled to carry out inspections also at subcontractors or to have them carried out by third parties to the extent stipulated herein.
(5) The responsibilities of the Contractor and the subcontractor shall be clearly demarcated.
(6) Before engaging or replacing a subcontractor, the Contractor shall inform the Client at least in written form. The Client has the right to object to the Contractor’s use of the subcontractor for good cause within two weeks of receipt of the information about the subcontractor. If no justified objection is raised within the aforementioned period, this shall be deemed to constitute the Client’s consent. Should it not be possible to find an amicable solution between the Parties in the event of a justified objection, both Parties shall be entitled to terminate the cooperation with immediate effect within 2 weeks of the failure of the negotiations by written declaration to the other party.
(7) At present, the subcontractors designated in Annex 2 with name, address and contract content are engaged in the processing of personal data to the extent specified therein and are approved by the Client. The Contractor’s other obligations towards subcontractors set out herein shall remain unaffected.
(8) Subcontracting relationships within the sense of this contract are only those services which have a direct connection with the provision of the main service. Ancillary services, such as transport, maintenance and cleaning as well as the use of telecommunication services or user services are not covered. The Contractor’s obligation to ensure compliance with data protection and data security also in these cases shall remain unaffected.
8 Rights and obligations of the Client
(1) The Client alone shall be responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.
(2) The Client shall issue all orders, partial orders or instructions in a documented manner. In urgent cases, instructions may be given verbally. Such instructions shall be confirmed by the Client in a documented form without delay.
(3) The Client shall inform the Contractor without delay if they discover any errors or irregularities in the examination of the results of the order.
(4) The Client shall be entitled to monitor the Contractor’s compliance with the provisions on data protection and the contractual agreements to a reasonable extent themselves or through third parties, in particular by obtaining information and inspecting the stored data and the data processing programmes as well as other on-site checks. The persons entrusted with the inspection shall be given access and insight by the Contractor as far as necessary. The Contractor shall be obliged to provide necessary information, demonstrate procedures and provide evidence required to carry out an inspection. The Contractor shall be entitled to refuse inspections by third parties insofar as these are in a competitive relationship with the Contractor or there are similarly weighty reasons.
(5) Inspections at the Contractor’s premises shall be carried out without avoidable disruption to their business operations. Unless otherwise indicated for urgent reasons to be documented by the Client, inspections shall take place after reasonable advance notice and during the Contractor’s business hours, and not more frequently than every 12 months. Insofar as the Contractor independently provides evidence of the correct implementation of the agreed data protection obligations, checks shall only be carried out by the Client in the event of justified doubts about the evidence provided or for other weighty reasons which the Client must explain.
9 Obligation to notify
(1) The Contractor shall immediately notify the Client of any breaches of the protection of personal data. Reasonable suspicions must also be reported. The notification shall contain at least the information pursuant to Article 33(3) of the General Data Protection Regulation.
(2) Significant disruptions in the execution of the order as well as violations of data protection provisions or of the stipulations made in this contract by the Contractor or the persons they employ shall also be reported immediately.
(3) The Contractor shall inform the Client without delay of inspections or measures by supervisory authorities or other third parties, insofar as these relate to the order processing.
(4) The Contractor assures to support the Client in its obligations pursuant to Art. 33 and 34 of the General Data Protection Regulation to the extent necessary.
10 Instructions
(1) The Client reserves a comprehensive right to issue instructions with regard to processing on behalf of the Client.
(2) The Contractor shall immediately draw the Client’s attention to the fact if, in their opinion, an instruction issued by the Client violates statutory provisions. The Contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the responsible person at the Client.
(3) The Contractor shall document instructions given to them and their implementation.
11 Termination of the order
(1) Upon termination of the contractual relationship or at any time upon request of the Client, the Contractor shall, at the Client’s option, either destroy the data processed under the contract or hand it over to the Client and then destroy it. All existing copies of the data must also be destroyed. Destruction shall be carried out in such a way that recovery of even residual information is no longer possible with reasonable effort.
(2) The Contractor shall be obliged to bring about the immediate return or deletion also in the case of subcontractors.
(3) The Contractor shall provide proof of proper destruction and submit it to the Client upon request.
(4) Documentation which serves as proof of proper data processing shall be kept by the Contractor at least until the end of the third calendar year after the end of the contract. They may hand them over to the Client to assist them.
12 Remuneration
The Contractor’s remuneration is conclusively regulated in the Main Contract. There shall be no separate remuneration or reimbursement of costs under this contract.
13 Liability
(1) The Client and the Contractor shall be liable in accordance with the law vis-à-vis persons who suffer damage due to inadmissible or incorrect data processing within the scope of the contractual relationship.
(2) The Contractor shall be exempt from liability towards the Client insofar as damage has been caused by the correct implementation of the commissioned processing or an instruction issued by the Client. In these cases, the Client shall indemnify the Contractor upon first request against all claims of third parties which are raised against the Contractor in connection with the order processing.
(3) The Contractor shall only be liable to the Client in the event of gross negligence or intent. This restriction shall not apply in the event of intent or injury to life, limb, health, freedom or breach of cardinal obligations.
14 Miscellaneous
(1) Both Parties are obliged to keep confidential all knowledge of business secrets and data security measures of the respective other party obtained within the framework of the contractual relationship, even after the termination of the contract. If there is any doubt as to whether information is subject to the obligation of confidentiality, it shall be treated as confidential until released in writing by the other party.
(2) Should the property of the Client with the Contractor be endangered by measures of third parties (for example by attachment or seizure), by insolvency or composition proceedings or by other events, the Contractor shall notify the Client without delay.
(3) The written form is required for ancillary agreements.
(4) The defence of the right of retention within the sense of Section 273 BGB (German Civil Code) is excluded with regard to the data processed in the order and the associated data carriers.
(5) Should individual parts of this agreement be invalid, this shall not affect the validity of the rest of the agreement.
Attachments
Attachment 1
Technical and organizational measures for data processing security
The following describes which technical and organizational measures are defined to ensure data protection and data security. The aim is to ensure in particular the confidentiality, integrity and availability of the information processed in the company. The structure is based on the internationally recognized standard DIN ISO/IEC 27002.
01. Guideline
The data protection guideline of WiredMinds GmbH contains the guiding statements of the management regarding the handling of personal data in the company. All employees, freelancers and supporting companies are obliged to observe these central regulations. The achieved IT security level of the organizational units, processes and systems is monitored by a combination of periodic audits and continuous controls.
Monitoring of ongoing operations is carried out in coordination with the security officer. A review of the security policy is conducted at least annually, unless an essential change requires it earlier.
This ensures the ongoing adequacy, suitability and effectiveness of the policy. The security officer is the person responsible for the security policy and has the responsibility to develop, revise and review it.
02. Information security organization
The managers of WiredMinds GmbH are responsible for the full implementation of the IT security principles in their organizational unit and for fulfilling the IT security tasks assigned to them.
Information security roles and responsibilities are defined in the IT security organization. Conflicting roles and responsibilities are segregated to reduce the potential for unauthorized or unintended modification or misuse of our company’s assets.
We have a process in place to determine when and by whom relevant authorities are notified and identified data privacy and information security incidents are reported in a timely manner. We also maintain ongoing contact with special interest groups to keep abreast of changes and improvements in the area of data privacy and information security.
In our projects, data privacy and data security is part of all phases of our project methodology. Through our respective policies and processes on teleworking and the use of mobile devices, we ensure data privacy and data security in these areas as well.
03. Personnel security
We have carefully selected our employees and reviewed their suitability for their roles in the company. We have defined their responsibilities in job descriptions and regularly check whether the employees comply with them. Before starting their employment, all employees sign a confidentiality and data protection agreement which remains in force after the end of their employment. Employees are trained in data privacy and data security, and in particular training courses are refreshed when they change functions. They are therefore aware of their responsibilities in this regard.
In a documented process for the period before, during and after termination of the employment relationship, we ensure that personal data is protected and data security is guaranteed. This also includes measures in the event of a data protection breach.
04. Asset management
We inventory and maintain all assets (such as equipment, notebooks, smartphones) and information related to personal data.
We have designated responsible parties to protect these assets, who are responsible for the lifecycle of an asset.
Documented rules have been established for the permissible use of our assets. The return of these assets is documented.
Our information and data are classified and labeled based on legal requirements, their value, criticality, and sensitivity to unauthorized disclosure or modification.
In accordance with this classification scheme, we have developed and implemented documented procedures for handling our assets. We do not usually transfer data on removable media, but only in encrypted form via verified communication channels. We deviate from this practice only in exceptional cases and only if instructed to do so in writing by the Client.
We dispose of data carriers that are no longer required securely, using a documented procedure and contractually bound, certified service providers.
05. Access control
We have regulated and documented measures in place to ensure that authorized persons have access only to the personal data they are authorized to view and process.
Authorizations to access IT systems are granted via a regulated procedure based on a documented and restrictive authorization concept. We have regulated and implemented access to networks and network services.
It is ensured that only authorized users have access to systems and services and that unauthorized access is prevented; in particular, there is a formal process for registering users that enables the assignment of access rights. We grant our administrative rights in a restricted and controlled manner.
We have a documented and regulated process for handling passwords.
Actual and target status of user access rights are regularly compared. If necessary, these are withdrawn or adjusted.
We restrict access to our data as needed and control access to our systems and applications through a secure login process. We employ a system for using strong and secure passwords.
The use of utilities that may be capable of circumventing system and application protections is restricted and closely monitored.
06. Cryptography
The appropriate and effective use of cryptography to protect the confidentiality, authenticity, or integrity of information is ensured. To this end, we have implemented a policy on the use of cryptography within the company, including the management of cryptographic keys, which is appropriate to the need for protection.
07. Physical and environmental security
We have documented and regulated measures in place to prevent unauthorized persons from gaining access to data processing equipment used to process or use personal data. These include, but are not limited to:
- The business premises are located on the 3rd floor of an office building and are used exclusively
- The central entrance is monitored
- Doors to secure areas are always closed
- Visitors or external service providers are admitted individually
- Fire protection is provided by our hosting partner
- There are security areas to which only specially authorized persons have access
- IT rooms are locked separately and can only be opened by authorized persons
- Supply facilities are protected against power failures and malfunctions
- The security of cabling is observed
- Maintenance of systems is planned and implemented
- Removal and changes to systems and information are regulated
- The security of off-premises systems is observed
- Disposal or reuse of equipment is regulated
- Unattended user devices are protected via an automatic screensaver and automatic hard drive encryption
- Clean desk and screen lock policies are implemented
08. Operational security
We have regulated and documented measures in place to ensure the proper and secure operation of information and data processing facilities. These include, among other things, control in the event of a change to the information-processing facilities, as well as control and regular measurement of our capacities and resources to ensure the availability of the required system performance. For example, the following values, among others, are continuously monitored on an up-to-date basis:
- Hard disk status and available memory
- Raid status
- Services and status of all virtual machines
- Failed login attempts
- Utilization of storage systems and main memory
- Ethernet utilization
- Number of RDP sessions of the individual terminal servers
- Throughput and utilization of the firewall
- Reachability of all servers (checked via monitoring)
- Accessibility and throughput of the switches
A protected procedure for data backup has been implemented by us and is documented.
Standard maintenance windows are defined. Additional necessary windows are announced at least 10 days in advance.
In our company, it is essential to separate development, test and operating environments, so we pay special attention to this.
Measures for detection, prevention and recovery to protect against malware have been taken and are regularly updated.
We have centrally monitored and protected event logging and have privacy measures in place in the event that sensitive personal data is stored. All logging equipment and logging information, including administrator and operator logs, are protected from tampering and unauthorized access.
Our clocks are synchronized centrally with a single reference time source.
We have a centralized procedure for the controlled installation of software on systems in our company.
There is a list of our technical assets and regulated, documented handling in the event of a technical vulnerability, which includes our patch management with defined responsibilities.
We have centrally implemented regulations for restrictions on software installations.
In the event of an audit review of our information systems, we have defined measures to minimize disruptions to business processes as far as possible.
09. Communications security
The security of our personal data and information stored in networks and network services is imperative. Therefore, we have implemented documented measures that manage, control and secure our networks.
Information services, users and information systems are kept separate as needed.
We have policies and procedures in place for information and data transfer, as well as information transfer agreements with external entities (e.g., CRM vendors).
Our electronic messaging is appropriately protected. For example, among other things, we have measures in place to protect messages from unauthorized access, alteration, or denial of service that comply with the classification scheme adopted by the organization (protection class 1_E2).
To protect our data, we enter into confidentiality or non-disclosure agreements as needed, which we review regularly.
10. Acquisition, development and maintenance of systems
It is ensured that data and information security is an integral part throughout the lifecycle of our systems. This also includes the requirements for and securing of information systems that provide services via public networks. Transaction protection for application services is performed on an as-needed basis. In addition, we have established a system change management process to ensure the integrity of the system, applications, and products from the early design phases through any subsequent maintenance.
When changes are made to operating platforms, business-critical applications are reviewed and tested to ensure there is no negative impact on organizational security and customer applications. We have a managed process for analyzing, developing, and maintaining secure IT systems.
Acceptance testing programs and associated criteria are established for new information systems, upgrades, and new releases. Our test data is carefully selected, protected and controlled.
11. Supplier relations
We carefully select our suppliers in advance and review their suitability with regard to maintaining data and information security protection.
Documented agreements ensure the protection and confidentiality of our assets and data. Suppliers are required to take technical and organizational measures to ensure this.
Access authorization for each supplier is regulated and defined per user, and is limited to the assets and data that are absolutely necessary for the respective supplier.
Suppliers may only engage additional suppliers with our consent in order to ensure a secure supply chain.
We regularly conduct a review of our suppliers’ data protection and data security measures to maintain the agreed level. Assigned authorizations are also subject to continuous documented monitoring.
After termination of the supplier relationship, suppliers are obliged to destroy the data and assets received from us. In addition, the obligation to maintain confidentiality applies indefinitely.
12. Information security and data privacy incident handling
Our company has a regulated, documented process for handling information security and data privacy incidents to ensure a consistent and effective approach in this regard. Employees are required to report all data privacy and security incidents immediately and receive regular training in this regard. We have installed a reporting system that forwards events to an intervention team to ensure a rapid response. All events are documented, classified and evaluated. The implemented intervention team has precise guidelines on how to respond to an event.
Together with the management, improvement measures resulting from the findings and the collected evidence of an event are discussed and implemented on a regular basis.
13. Information security aspects of business continuity management
As part of information security, the intended availability of systems is specifically assessed and documented. From the requirements, we derive the technical and organizational specifications, such as redundant systems / connections or corresponding planning, and implement them in a consistent and controlled manner.
An overarching emergency plan forms the framework with regard to the corresponding instructions for action for selected documented emergency scenarios.
Continuously updated exercise plans for testing the measures implemented and documentation of the execution of corresponding tests round off the emergency management. All servers and storage systems are leased from a selected data center. Based on the contractual agreements, there is a permanent claim to availability against the service provider.
14. Compliance
We have identified, documented, and keep up-to-date all relevant legal, regulatory, self-imposed, or contractual requirements, as well as our company’s procedures for complying with these requirements.
Appropriate procedures have also been implemented to ensure compliance with legal, regulatory, and contractual requirements relating to intellectual property rights and the use of proprietary software products.
In accordance with legal, regulatory, contractual and business requirements, we protect records and personal data as needed. Annual activity reports by the data protection officer document the measures taken.
We observe the regulations on cryptographic measures for this purpose.
To ensure the protection of our information and data, we regularly conduct independent audits of our information security and data privacy levels, our security and data privacy policies, and our compliance with technical requirements.
Attachment 2
The data protection officer appointed for the Contractor is:
Data protection officer of WiredMinds GmbH
c/o activeMind
Potsdamer Str. 3
80802 München
Telephone: +49 (0)89 91 92 94 – 900
www.activemind.de
E-Mail: datenschutzbeauftragter@wiredminds.de
Directory of procedures:
Activemind AG maintains a directory of procedures for WiredMinds GmbH that complies with legal requirements. All WiredMinds employees are contractually bound to data secrecy via their employment contract. WiredMinds employees are demonstrably trained and are familiar with the topics of data security and data protection.
The data protection officer appointed for the client
> The data of your data protection officer are entered here <
Attachment 3
The following persons are authorized to issue instructions on the part of the Client:
> The data of your authorizing officer are entered here <
The following persons are authorized to receive instructions on the part of the Contractor:
Nicole Kienzle
E-Mail: nicole.Kienzle@wiredminds.de
Tel.: 0711 – 585 331 310
Günter Jobst
E-Mail: guenter.jobst@wiredminds.de
Tel.: 0711 – 585 331 3655
Attachment 4
The following subcontractors are currently being used to perform the contract:
Hetzner Online AG
Industriestr. 25
91710 Gunzenhausen
Deutschland
Notice:
Technical service provider; sourcing of root servers.
The service provider has NO possibility of accessing the data processed on behalf of the Client.
Together we ensure data protection
HOW DO YOU USE LEADLAB?
With the start of the use of WiredMinds LeadLab on your website, we are obliged to conclude this DPA.
You can enter the date of the start of the test phase. The DPA will then continue to apply once the contract is concluded.
If no contract is concluded, the joint processing also ends, and with it this DPA.