Preamble
The client has commissioned branchly GmbH, Am Kartoffelgarten 14, 81671 Munich ("branchly") with the SaaS operation of an AI content navigation system. In the course of executing the contract, branchly gains access to personal data of the client. Art. 28 of the General Data Protection Regulation (GDPR) imposes special requirements on such a service agreement. To uphold these requirements, the parties enter into this agreement.
1. Subject Matter of the Contract, Content of the Order
1.1 branchly provides the SaaS delivery based on the client's commissioning according to the branchly offer and the GTC for SaaS services ("Main Contract").
1.2 To specify the data protection rights and obligations, the parties enter into this processing agreement. The subject matter and duration of the services provided by branchly are determined by the Main Contract. In case of doubt, the provisions of this agreement take precedence over those of the Main Contract.
2. Scope, Purpose and Execution of Data Processing; Type of Data and Circle of Affected Parties; Instruction Dependency
2.1 The scope and purpose of data processing by branchly result from the Main Contract and the corresponding service description.
2.2 branchly potentially has access to data stored on the SaaS platform in the context of service provision. This includes the following types of data:
– "Customer inquiries; in rare cases, these may also contain personal information (e.g., email address, telephone number of the client)."
2.3 branchly may process the client’s personal data solely for the purposes of fulfilling the Main Contract on behalf of the client or based on individual instructions from the client. If branchly processes data due to a legal obligation in accordance with Art. 28 (3) lit. a GDPR, branchly will notify the client before processing, unless this is legally excluded.
2.4 branchly must observe and implement the client's individual instructions regarding the collection, processing or use of data. The client is entitled to issue appropriate instructions at any time. This also includes instructions concerning the correction, deletion, and blocking of data. If branchly believes that an instruction from the client violates data protection regulations, it will inform the client. The appropriate costs of carrying out instructions that go beyond the contractual services of the Main Contract will be reimbursed by the client in accordance with the respective applicable hourly rates of branchly.
3. Subcontracting Relationships
3.1 branchly is entitled to engage additional processors ("subcontractors"). Currently, branchly employs the following subcontractors .
Contractual agreements with subcontractors are structured by branchly in such a way that they comply with the provisions of the GDPR.
3.2 branchly informs the client of any intended change regarding the engagement or replacement of other subcontractors, thereby giving the client the opportunity to raise objections to such changes. Should the client have justified objections against the engagement of a new subcontractor on the grounds that the engagement does not comply with the requirements of the GDPR, the client is entitled to raise objections to branchly within 14 days of receiving the change notification. If branchly, despite justified objections from the client, states that it will not forego the engagement of the subcontractor, the client is entitled to terminate the Main Contract in writing with a notice period of four weeks.
3.3 Subcontracting relationships in the sense of this regulation are to be understood as those services that directly relate to the provision of the main service. This does not include ancillary services that branchly, for example, utilizes as telecommunications services, postal/transport services, maintenance and user services, or the disposal of data carriers. However, branchly is obligated to take appropriate and legally compliant contractual agreements and control measures to ensure data protection and data security even for outsourced ancillary services.
4. Data Confidentiality and Confidentiality
branchly ensures that the employees engaged in the processing of personal data are obligated to confidentiality or are subject to an appropriate legal confidentiality obligation. These obligations must be structured in such a way that they continue to exist even after the termination of the employment relationship between the employee and branchly.
5. Protective Measures and Control
5.1 branchly takes the required technical and organizational measures (TOMs) according to Art. 32 GDPR. branchly may change and adjust the technical-organizational measures, especially in accordance with developments in technology, as long as the initial level of security is not lowered.
5.2 branchly provides the client with all necessary information upon request to demonstrate compliance with obligations under Art. 28 GDPR, for example, by presenting suitable documentation. branchly also allows for verification by the client or another auditor appointed by it. For this purpose, branchly allows the auditor to verify compliance with the relevant obligations for processing in its premises during regular business hours without significantly disrupting operations. The reasonable costs of participation in such an audit on the part of branchly will be reimbursed by the client in accordance with branchly's hourly rates. 5.3 The client commits to treating all information, documents, data, and insights that become known in the course of the aforementioned controls and disclosures strictly confidentially, using them exclusively for data protection control, and not utilizing them otherwise. Employees or external third parties engaged by the client are, unless they are legally obliged to confidentiality, subject to an equivalent confidentiality obligation as defined herein.
6. Information and Support Obligations
6.1 If branchly becomes aware of a breach of the protection of the client’s personal data, it will notify the client immediately. branchly will take appropriate measures to secure the data and mitigate possible adverse consequences for the affected parties in consultation with the client. branchly supports the client in fulfilling the reporting and notification obligations under Art. 33 and 34 GDPR.
6.2 branchly supports the client, taking into account the nature of the processing and the information available to it, in preparing data protection impact assessments in accordance with Art. 35, 36 GDPR.
6.3 Should the data at branchly be jeopardized by seizure or confiscation, insolvency or settlement proceedings, or other events or measures of third parties, branchly must immediately inform the client. branchly will inform all responsible parties in this context without delay that the sovereignty and ownership of the data lies solely with the client as the "data controller" in the sense of the GDPR.
7. Deletion of Data
7.1 The deletion of the data collected, processed, and used in the context of the contractual relationship occurs with the termination of the Main Contract, provided that there are no statutory retention periods to the contrary.
7.2 If data carriers have been provided by the client in the course of data processing, branchly will return these at the latest with the termination of the Main Contract.
8. Rights of Affected Persons
8.1 If an affected person directly contacts branchly to exercise rights of affected persons (e.g., regarding rectification, blocking or restriction of processing or deletion of data), branchly will forward this request immediately to the client.
8.2 branchly assists the client upon request in upholding these rights, e.g., concerning their information obligations (notification, provision of information), rectification, blocking, or restriction of processing and deletion of personal data. The reasonable costs of support from branchly will be reimbursed by the client according to the hourly rates of branchly.
9. Term and Final Provisions
9.1 This agreement ends with the termination of the Main Contract. It remains in force even after the termination of the Main Contract as long as branchly holds personal data of the client.
9.2 The liability provisions agreed between the parties in the Main Contract also apply to the liability between the parties in connection with this processing agreement.
9.3 Changes and additions to this agreement must be made in writing. This also applies to the waiver of this written form requirement.
9.4 Only German law applies to the exclusion of those legal norms that refer to other legal systems. The Uniform UN Sales Law (UNCITRAL) does not apply.