Data processing agreement

§ 1 Preamble

This contract specifies the data protection obligations arising from the agreement between the

loyos bi GmbH
Georgsplatz 10, 20099 Hamburg, Germany


This agreement is based on the main contract concluded between the data processor (hereinafter referred to as "Processor") and the customer (hereinafter referred to as "Client"). The Client commissions the Processor to perform the services specified in Section 2 of the main contract. The processing of personal data is part of the contract's performance. The General Data Protection Regulation (GDPR) sets out certain requirements for such data processing. If the Client is based in Switzerland, the requirements of the Swiss Federal Act on Data Protection (Data Protection Act, DSG) also apply. If the Client is based in the United Kingdom (UK), the requirements of the UK GDPR and the Data Protection Act 2018 (DPA 2018) apply in addition to the GDPR. To comply with these requirements, the parties conclude the following agreement. The terms used in this contract have the same meanings as in the GDPR, the UK GDPR, the DPA 2018, and the DSG. Where the terminology used in the laws is not identical (for example, the GDPR refers to a data processor, while the German Federal Data Protection Act (BDSG) refers to a data processor), this agreement uses the wording of the GDPR for the sake of simplicity. The aim of this agreement is to regulate the processing of personal data in such a way that the requirements of the GDPR, the UK GDPR, the Data Protection Act 2018 (DPA 2018), and the German Federal Data Protection Act (BDSG) are met.

§ 2 Subject of the Contract

(1) The contractor and the client have concluded a contract ("Main Contract") which obligates the contractor to provide services in the area of app- or browser-based reporting solutions and to operate these solutions for the client. In doing so, the contractor also receives access to personal data and processes this data exclusively on behalf of and according to the instructions of the client. The scope and purpose of the data processing by the contractor are set out in the Main Contract and, where applicable, the associated service description. The client is responsible for assessing the permissibility of the data processing.
(2) The mutual data protection rights and obligations are specified in this agreement. In case of doubt, the provisions of this agreement take precedence over the provisions of the main contract.
(3) The provisions of this contract shall apply to all activities related to the main contract in which the contractor and its employees or agents come into contact with personal data originating from or collected on behalf of the client.
(4) The Client shall ensure that, if the Contractor processes data relevant to this Contract also from affiliated companies of the Client, the Client has concluded the necessary agreements with these affiliated companies.


§ 3 Right to issue instructions

(1) The contractor may collect, process, or use data only within the scope of the main contract and in accordance with the instructions of the client; this applies in particular to the transfer of personal data to a third country or to an international organization. If the contractor is required to carry out further processing by the law of the European Union or of a Member State to which it is subject, it shall inform the client of these legal requirements before processing, unless the law in question prohibits such notification on grounds of important public interest.
(2) The Client may amend, supplement, or replace its initial instructions stipulated in the main contract or this contract at any time by issuing individual instructions in writing or text form. This includes instructions regarding the correction, deletion, and blocking of data. Individual instructions may, in principle, only be issued by the Client's management. If individual instructions are also to be issued by the Client's employees, the Client shall notify the Contractor of this in writing or text form. The Client may specify either the names or the role(s) of the authorized employees. The Contractor is only obligated to comply with an employee's individual instruction once the employee has been designated to the Contractor as authorized to issue instructions. The Contractor may rely on the employee's authorization until the Client's management informs the Contractor that the right to issue instructions no longer exists.
(3) All instructions given must be documented by both the client and the contractor. Instructions that go beyond the scope of the main contract will be treated as a request for a change in scope.
(4) If the contractor believes that an instruction from the client violates data protection regulations, the contractor must inform the client immediately. The contractor is entitled to suspend the execution of the instruction in question until it is confirmed or amended by the client. The contractor may refuse to execute an instruction that is clearly unlawful.

§ 4 Type and purpose of processing, type of data, group of data subjects, duration of processing

(1) The type of processing includes all types of processing within the meaning of the GDPR/UK GDPR for the performance of the contract. The purposes of the processing are all those necessary for the provision of the services agreed in the main contract in the areas of consulting, setup, cloud services, hosting, Software as a Service (SaaS) and IT support.
(2) The type of data processed is determined by the client through product selection, configuration, use of the services, and data transmission. In the course of fulfilling the main contract, the contractor may, in principle, gain access to the following types of personal data: first and last names, gender, dates of birth, email addresses, IP addresses, employee numbers, start dates, wage types, monthly amounts, regular working hours, religious affiliation, any reported absences, health data, and other data that may be stored in the payroll system.
(3) The controller determines the group of data subjects through product selection, configuration, use of services, and data transfer. The personal data of the following persons may be affected by the processing: the controller's employees, employees of companies affiliated with the controller, data of the controller's customers, and data of the controller's suppliers. The controller may, if necessary, expand the group of data subjects by issuing instructions.

§ 5 Contractor's protective measures, confidentiality and secrecy

(1) The contractor is obliged to comply with the legal provisions on data protection under the GDPR, the UK GDPR, the DPA 2018 and the DSG and not to disclose information obtained from the client to third parties or to restrict their access. Documents and data must be protected against unauthorized access in accordance with the state of the art.
(2) The contractor shall organize its internal operations within its area of responsibility in such a way as to meet the specific requirements of data protection. It shall take all necessary technical and organizational measures to adequately protect the client's data in accordance with Article 32 GDPR/UK GDPR and Article 8 DSG, as well as the relevant provisions of the DPA 2018. Since the contractor is based in Germany and is not as familiar with the requirements of the DPA 2018 as with the provisions of the GDPR, it is the responsibility of a client based in the UK to inform the contractor of any relevant specific requirements of the DPA 2018 that go beyond the requirements of the GDPR.
The measures taken by the contractor include, in particular, at least the measures listed in Annex 1:

a) Physical access control
b) System access control
c) Data access control
d) Transfer control
e) Input control
f) Order control
g) Availability control
h) Separation requirement.

The contractor reserves the right to change the implemented security measures, provided that the contractually agreed level of protection is not undercut.
(3) The contractor is currently not required to appoint a data protection officer pursuant to Art. 37 para. 1 GDPR/UK GDPR, Section 38 BDSG, Part 3 Chapter 4 DPA 2018, or a data protection advisor pursuant to Art. 10 DSG. The relevant contact person for data protection can be reached at datenschutz@loyos-bi.de.
(4) Persons employed by the Contractor in the processing of data are prohibited from collecting, processing, or using personal data without authorization. The Contractor shall, before the commencement of their work, obligate all persons entrusted with the performance of this contract (hereinafter referred to as "Employees") in writing to maintain confidentiality in accordance with Article 28(3)(b) GDPR, UK GDPR, and the applicable data protection regulations of Switzerland. This obligation shall continue even after the termination of the employment relationship or the contractual cooperation. The Contractor shall provide suitable evidence of these obligations to the Client upon request.
(5) If the client is a professional bound by confidentiality within the meaning of Section 203 of the German Criminal Code (StGB), Article 321 of the Swiss Criminal Code (StGB), or in accordance with the common law duty of confidentiality (UK), the following additional provisions apply: The client shall ensure that the contractor is granted access to information protected by professional secrecy only when this is absolutely necessary for the performance of the contractually owed services. The contractor undertakes to acquire knowledge of such data only to the extent necessary for the performance of the tasks assigned to him and to maintain strict confidentiality regarding all professional secrets that come to his knowledge in the course of performing the contract. The contractor is aware that persons who participate in the professional activities of a professional bound by confidentiality and who unlawfully disclose a secret belonging to another person that has come to their knowledge in the course of or in connection with their activities are committing a criminal offense. The contractor shall ensure that all employees involved are informed about this criminal relevance, are duly bound in writing to secrecy and are regularly trained on the special requirements for handling professional secrets.


§ 6 Information obligations of the contractor

(1) In the event of disruptions, suspected data breaches or breaches of contractual obligations by the contractor, suspected security-related incidents or other irregularities in the processing of personal data by the contractor, by persons employed by the contractor within the scope of the contract or by third parties, the contractor shall inform the client immediately in writing or text form. The same applies to audits of the contractor by the data protection supervisory authority. The notification of a personal data breach shall contain at least the following information:

a) a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects and the categories and number of personal data records concerned;
b) a description of the measures taken or proposed by the contractor to remedy the infringement and, where appropriate, measures to mitigate its possible adverse effects.

(2) The contractor shall immediately take the necessary measures to secure the data and to mitigate any possible adverse consequences for the data subjects, inform the client accordingly and request further instructions.
(3) The Contractor shall also be obliged to provide the Client with information at any time insofar as the Client’s data is affected by a breach pursuant to paragraph 1.
(4) Should the client's data held by the contractor be jeopardized by attachment or seizure, insolvency or composition proceedings, or other events or measures by third parties, the contractor shall inform the client immediately, unless prohibited from doing so by a court or administrative order. In this context, the contractor shall immediately inform all relevant authorities that the sole decision-making power over the data rests with the client as the "controller" within the meaning of the GDPR/UK GDPR, DPA 2018, and the German Federal Data Protection Act (BDSG).
(5) The contractor shall inform the client without delay of any significant changes to the security measures pursuant to Section 5(2).
(6) The contractor shall cooperate to a reasonable extent in the preparation of the client's register of processing activities. The contractor shall provide the client with the necessary information in a suitable manner.

§ 7 Control rights of the client

(1) Before commencing data processing and thereafter regularly, the client shall verify the contractor's technical and organizational measures. For this purpose, the client may, for example, request information from the contractor, request to see existing expert reports, certifications, or internal audits, or, after prior arrangement, personally inspect the contractor's technical and organizational measures during normal business hours or have them inspected by a qualified third party, provided that the third party is not in competition with the contractor. The client shall only conduct inspections to the necessary extent and shall not cause disproportionate disruption to the contractor's operations.
(2) The Contractor undertakes to provide the Client, upon oral or written request and within a reasonable period, with all information and evidence necessary for conducting an audit of the Contractor's technical and organizational measures. The Contractor shall be reimbursed for reasonable costs incurred in providing this support.
(3) The client shall document the inspection results and inform the contractor. In the event of errors or irregularities discovered by the client, particularly during the review of deliverables, the client shall inform the contractor immediately. If the inspection reveals circumstances that require changes to the prescribed procedure to prevent future occurrences, the client shall inform the contractor of the necessary procedural changes without delay.
(4) The Contractor shall, upon request, provide the Client with proof of the obligation of the employees pursuant to Section 5(4).

§ 8 Use of subcontractors

(1) In order to provide the contractually agreed services or partial services, the Contractor shall enter into subcontracting relationships with subcontractors (“subcontracting relationship”).
(2) The use of the following subcontractors has been approved by the client:

Cloud servers and online services:
Microsoft Ireland Operations Ltd., One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland (server location: Netherlands)
STRATO AG, Otto-Ostrowski-Straße 7, 10249 Berlin, Germany

(3) The client agrees that the contractor may engage further subcontractors within the scope of its contractual obligations. Before engaging or replacing any subcontractors, the contractor shall inform the client and give the client the opportunity to object within a reasonable period (28 days) if there are compelling reasons. An objection entitles the contractor to terminate this contract and the associated main contract with immediate effect. The contractor is obligated to select subcontractors carefully based on their suitability and reliability. If the contractor engages further subcontractors, it is the contractor's responsibility to transfer its data protection obligations under this contract to the subcontractor. If the engagement of subcontractors in a third country (outside the EU, UK, and Switzerland) is to take place, the contractor must ensure that an adequate level of data protection is guaranteed by the respective subcontractor (e.g., by concluding an agreement based on the EU Standard Contractual Clauses). The contractor shall provide the client with proof of the conclusion of the aforementioned agreements with its subcontractors upon request.
(4) A subcontracting relationship within the meaning of these provisions does not exist if the contractor engages third parties to provide services that are purely ancillary. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without a direct connection to services that the contractor provides for the client, and security services.

§ 9 Inquiries and rights of data subjects

(1) The Contractor shall, where possible, support the Client with suitable technical and organisational measures in fulfilling its obligations under Articles 12–22 GDPR/UK GDPR or Articles 25–29 DSG, as well as Article 32 GDPR/UK GDPR or Article 8 DSG and Article 36 GDPR/UK GDPR or Article 23 DSG or, where applicable, the relevant provisions of the DPA 2018.
(2) If a data subject asserts rights, such as the right to information, rectification, or erasure of their data, directly against the contractor, the contractor shall not act independently but shall immediately refer the data subject to the client and await the client's instructions.
(3) Insofar as the contractor's cooperation is required pursuant to paragraphs 1 or 2, the contractor shall be obliged to provide such cooperation upon reimbursement of the costs incurred.

§ 10 Liability

(1) In the internal relationship between the data controller and the data processor, the data controller alone shall be liable to the data subject for compensation for damages suffered by a data subject as a result of data processing or use that is unlawful or incorrect under data protection laws in the context of commissioned data processing.
(2) Each party shall be released from liability if it proves that it is in no way responsible for the circumstance that caused the damage to a data subject.
(3) In addition, the liability rules from the main contract shall apply.


§ 11 Contract Term; Termination of the Main Contract

(1) This contract is concluded when the client confirms the conclusion of this data processing agreement as part of the conclusion of the main contract. This contract is concluded for an indefinite period and generally terminates when the main contract terminates. However, the data processor is obligated to treat as confidential all data that has become known to it in connection with the main contract, even after the main contract has ended. This agreement remains valid beyond the end of the main contract as long as the data processor possesses personal data that was provided to it by the client or that it collected on the client's behalf.
(2) Upon termination of the main contract or at any time upon the client's request, the contractor shall return to the client all documents, data, and data carriers provided to it or – at the client's request, provided there is no obligation to store the personal data under Union law or the law of the Federal Republic of Germany – delete them using data protection-compliant measures. The contractor shall provide the client with proof of the proper deletion of any remaining data if the client requests such proof. This does not apply to documentation that serves as proof of the data processing carried out in accordance with the contract and in compliance with regulations, or where, for example, legal regulations, statutory obligations, or court orders preclude deletion. If additional costs arise from deletion before termination of the contract, these shall be borne by the client.
(3) The client has the right to verify the complete and contractual return or deletion of the data by the contractor in an appropriate manner.
(4) Unless the client gives instructions to the contrary, the contractor shall, in principle, delete the data six months after the termination of the main contract.


§ 12 Extraordinary right of termination

The client may terminate the main contract without notice, in whole or in part, if the contractor fails to fulfill its obligations under this contract, intentionally or grossly negligently violates provisions of the GDPR or, where applicable, the UK GDPR or the German Federal Data Protection Act (BDSG), or is unable or unwilling to comply with a legally compliant instruction from the client. In the case of simple breaches – i.e., breaches that are neither intentional nor grossly negligent – the client shall set the contractor a reasonable deadline within which the contractor can remedy the breach.

§ 13 Transfer to third countries

To fulfill the services owed under the main contract, the transfer of personal data between Germany, the Netherlands, and, if the client is based there, Switzerland or the UK is necessary. Since Switzerland and the UK are considered "third countries" by the EU, and Germany and the Netherlands are considered "foreign countries" by Switzerland, and "third countries" by the UK, personal data may only be transferred between these countries if it is established that the receiving country ensures an adequate level of protection (Art. 45 para. 1 GDPR/UK GDPR or Art. 16 para. 1 DSG). Switzerland is recognized by the European Commission as a country that provides an adequate level of protection for personal data (Adequacy Decision 2000/518/EC, confirmed by the Commission report of 15 January 2024). In its ordinance of August 31, 2022 (as of January 1, 2024), the Swiss Federal Council declared Germany and the Netherlands to be countries with an adequate level of data protection. The UK recognizes Germany and other countries of the European Economic Area (EEA) as safe countries for the transfer of personal data. From the UK's perspective, data transfers between the UK and EEA countries, including Germany, are possible without additional safeguards such as standard contractual clauses. An EU adequacy decision in favor of the UK also exists. Therefore, the transfer of personal data between the aforementioned countries is possible without restriction.


§ 14 Final Provisions

(1) The parties agree that the contractor's right of retention is excluded with regard to the data to be processed and the associated data carriers.
(2) Amendments and supplements to this agreement must be in writing. This also applies to any waiver of this requirement of written form. The precedence of individual contractual agreements remains unaffected.
(3) Should individual provisions of this agreement be or become wholly or partially invalid or unenforceable, the validity of the remaining provisions shall not be affected.
(4) This data processing agreement is available in German and English. In case of discrepancies, the German version shall prevail.
(5) This agreement is governed by German law. The exclusive place of jurisdiction is Hamburg. The agreement is intended to comply with the requirements of the GDPR, the UK GDPR, the DPA 2018, and the German Federal Data Protection Act (BDSG). In the event of a conflict between the laws, the stricter provision shall prevail.

Annex 1: Technical and organizational measures of the contractor

General practice: loyos BI uses the Microsoft Office 365 online solution for implementing solutions and for all internal processes. Therefore, working with personal data on paper is unnecessary. Work is carried out from the office in Hamburg as well as from home offices. The following technical and organizational measures have been implemented to protect access.


Physical access control

Hamburg office

- Access to our offices is only possible via two lockable doors.
- The office door is locked as soon as the last person leaves the office. The entrance door is locked and can be opened with a four-digit code.
- Access authorization and key handover are carried out exclusively by management. If unauthorized persons require access to the offices, they are constantly monitored by a loyos BI assistant.

Working from home

- A private, lockable room that is not accessible to third parties after work or during breaks.

System access control

- Access to systems is granted via authentication using an individual user ID and password.
- Passwords must comply with our password policy.
- Access rights are granted exclusively by management.
- Our systems are protected against unauthorized access by firewalls and antivirus software. All workstations are password-protected when users leave their workstations.



Data access control

- Access to the Microsoft online service requires authentication via an individual username and password. Passwords must comply with our password policy.
- All computers are secured with firewall and anti-virus software.
- User actions are logged in the Microsoft Office 365 Security & Compliance Center.
- Any irregularities are immediately communicated to the managing director via email.

Transfer control

- No disclosure, transmission, transfer or transport of personal data within the system is planned.
- All employees are subject to our confidentiality agreement.
- Encrypted transmissions are used as part of the data provision.

Input control

- All content data is provided by the client and is not modified by the contractor.
- The setup of Microsoft user accounts (first name, last name, email address) is carried out by the contractor. Microsoft Office 365's user action logging allows verification of who entered, modified, or deleted personal data, when, and how.

Order control

- Logging user actions ensures processing in accordance with the client's instructions.
- The data processing agreement specifies the rights and obligations of the client and the contractor.
Availability control

- Availability of Microsoft Office 365 (Microsoft Corporation)

Separation requirement

- Data is stored separately for each client.



As of October 1, 2024