§ 1 Preamble
This agreement specifies the data protection obligations arising from the Main Contract concluded between
loyos bi GmbH
Media Docks, Willy-Brandt-Allee 31b, 23554 Lübeck, Germany
as the processor (hereinafter referred to as the "Contractor") and the customer as the responsible party (hereinafter referred to as the "Client"). The Client commissions the Contractor in accordance with the Main Contract with the services specified in § 2. Part of the execution of the contract is, among other things, the processing of personal data. The processing of personal data in the EU is subject to the General Data Protection Regulation (GDPR). If the Client is based in Switzerland, the requirements of the Federal Act on Data Protection of the Swiss Confederation (Datenschutzgesetz, DSG) also apply. If the Client is based in the UK, the requirements of the UK GDPR and the Data Protection Act 2018 (DPA 2018) apply in addition to the GDPR. In order to comply with these requirements, the parties conclude the following agreement.
Unless expressly defined otherwise in this agreement, the definitions of the GDPR, UK GDPR and DPA 2018 and the DSG apply, e.g. for the terms "controller" (Art. 4 (7) GDPR/UK GDPR), "processor" (Art. 4 (8) GDPR/UK GDPR) or "personal data" (Art. 4 (1) GDPR/UK GDPR). If the wording in the regulations is not identical, the wording of the GDPR is used in this agreement for reasons of simplicity. The aim of this agreement is to regulate the processing of personal data in such a way that the provisions of the GDPR and those of the UK GDPR, the DPA 2018 and the DSG are complied with.
§ 2 Subject matter of the agreement
(1) The Contractor and the Client have concluded a contract (in this agreement referred to as the "Main Contract") which obliges the Contractor to provide services in the area of app and browser-based reporting solutions and to operate these solutions for the Client. In doing so, the Contractor also receives access to personal data and processes it exclusively on behalf of and in accordance with the instructions of the Client. The scope and purpose of the data processing by the Contractor are set out in the Main Contract and, if applicable, in the associated service description. The Client is responsible for assessing the permissibility of the data processing.
(2) The mutual rights and obligations under data protection law are specified in this agreement. In case of doubt, the provisions of this agreement shall take precedence over the provisions of the Main Contract.
(3) The provisions of this contract shall apply to all activities related to the Main Contract and in which the Contractor and its employees or persons commissioned by the Contractor come into contact with personal data originating from the Client or collected for the Client.
(4) The Client shall ensure that, if the Contractor also processes data relevant to this agreement from affiliated companies of the Client, the Client has concluded the necessary agreements with these affiliated companies.
§ 3 Right to issue instructions
(1) The Contractor may only collect, process or use data within the scope of the Main Contract and in accordance with the instructions of the Client; this applies in particular with regard to the transfer of personal data to a third country or to an international organization. If the Contractor is obliged by the law of the European Union or the Member States to which it is subject to carry out further processing, it shall notify the Client of these legal requirements prior to processing, unless the law in question prohibits such notification due to an important public interest.
(2) The Client may at any time amend, supplement or replace its instructions initially set out in the Main Contract or this agreement in writing or in text form with individual instructions (individual instructions). This includes instructions regarding the correction, deletion and blocking of data. Individual instructions may only be issued by the Client's management. If individual instructions may also be issued by employees of the Client, the Client shall inform the Contractor of this in writing or in text form. The Client may specify either the names or the role(s) of the authorized employees. The Contractor must only follow the individual instructions of an employee once the employee has been named to the Contractor as authorized to give instructions. The Contractor may rely on the authorization of the employee until the management of the Client informs the Contractor that the right to issue instructions no longer exists.
(3) All instructions issued must be documented by both the Client and the Contractor. Instructions that go beyond the service agreed in the Main Contract shall be treated as a request for a change in service.
(4) If the Contractor is of the opinion that an instruction of the Client violates data protection regulations, it must inform the Client of this immediately. The Contractor shall be entitled to suspend the implementation of the instruction in question until it is confirmed or amended by the Client. The Contractor may refuse to carry out an obviously unlawful instruction.
§ 4 Type and purpose of processing, type of data, group of data subjects, duration of processing
(1) The type of processing includes all types of processing within the meaning of the GDPR/UK GDPR to fulfill the contract. The purposes of the processing are all purposes necessary for the provision of the services agreed in the Main Contract in the areas of consulting, setup, cloud services, hosting, software as a service (SaaS) and IT support.
(2) The type of data processed is determined by the Client through product selection, configuration, use of the services and transmission of data. In the course of executing the Main Contract, the Contractor may in principle obtain access to the following types of personal data: first and last names, gender, dates of birth, e-mail addresses, IP addresses, personnel numbers, entry dates, wage types, amounts per month, regular working hours, religious affiliation, reported days of absence, health data and other data that may be stored in payroll accounting.
(3) The group of data subjects is determined by the Client through the product selection, configuration, use of the services and transmission of data. The personal data of the following persons may be affected by the processing: Employees of the Client, employees of companies affiliated with the Client, data of the Client's customers, data of the Client's suppliers. If necessary, the group of data subjects may be extended by instructions from the Client.
§ 5 Protective measures of the Contractor
(1) The Contractor is obliged to observe the statutory provisions on data protection, including the GDPR, UK GDPR, DPA 2018 and the DSG, and not to disclose the information obtained from the Client's area to third parties or expose it to their access. Documents and data must be secured against unauthorized access, taking into account the state of the art.
(2) The Contractor shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection under the GDPR, UK GDPR and DPA 2018. It shall take all necessary technical and organizational measures to adequately protect the Client's data in accordance with Art. 32 GDPR/UK GDPR, Art. 8 DSG and the relevant provisions of the DPA 2018. As the Contractor is based in Germany and is not familiar with the requirements of the DPA 2018 to the same extent as with the provisions of the GDPR, it is the responsibility of a Client based in the UK to inform the Contractor of any relevant special requirements of the DPA 2018 that go beyond the requirements of the GDPR.
The measures taken by the Contractor include, at a minimum, the security measures listed in Annex 1:
a) Physical access control
b) Logical access control
c) Data access control
d) Transfer control
e) Input control
f) Order control
g) Availability control
h) Principle of separation.
The Contractor reserves the right to change the security measures taken, whereby it shall ensure that the contractually agreed level of protection is not undercut.
(3) The Contractor is currently not required to appoint a data protection officer pursuant to Art. 37 (1) GDPR/UK GDPR, § 38 German Federal Data Protection Act (“Bundesdatenschutzgesetz”, BDSG), Part 3, Chapter 4 DPA 2018 or Art. 10 DSG. The respective contact person for data protection can be reached at datenschutz@loyos-bi.de.
(4) The persons employed by the Contractor for data processing are prohibited from collecting, processing or using personal data without authorization. The Contractor shall obligate all persons entrusted by it with the processing and fulfillment of this contract (hereinafter referred to as employees) accordingly (obligation of confidentiality, Art. 28 para. 3 lit. b GDPR/UK GDPR) and ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this contract or the employment relationship between the employee and the Contractor. The obligations must be demonstrated to the Client in a suitable manner upon request.
§ 6 Information obligations of the Contractor
(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Contractor, suspected security-relevant incidents or other irregularities in the processing of personal data by the Contractor, persons employed by the Contractor within the scope of the order or by third parties, the Contractor shall inform the Client immediately in writing or text form. The same applies to audits of the Contractor by the data protection supervisory authority, including under the DPA 2018. The notification of a personal data breach shall contain at least the following information:
(a) a description of the nature of the personal data breach, including, where possible, the categories and number of data subjects concerned, the categories and number of personal data records concerned;
(b) a description of the measures taken or proposed to be taken by the Contractor to remedy the breach and, where appropriate, measures to mitigate its possible adverse effects.
(2) The Contractor shall immediately take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects, inform the Client thereof and request further instructions.
(3) In addition, the Contractor shall be obliged to provide the Client with information at any time insofar as the Client's data is affected by a breach pursuant to paragraph 1.
(4) Should the Client's data at the Contractor be jeopardized by seizure or confiscation, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Client of this immediately, unless it is prohibited from doing so by court or official order. In this context, the Contractor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Client as the "controller" within the meaning of the GDPR/UK GDPR and the DPA 2018 or, respectively, the DSG.
(5) The Contractor shall inform the Client immediately of any significant changes to the safety measures in accordance with § 5 (2).
(6) The Contractor shall cooperate to an appropriate extent in the preparation of the record of processing activities by the Client. It shall provide the Client with the necessary information in an appropriate manner.
§ 7 Control rights of the Client
(1) The Client shall satisfy itself of the Contractor's technical and organizational measures before commencing data processing and thereafter on a regular basis. For this purpose, it may, for example, obtain information from the Contractor, have existing certificates from experts, certifications or internal audits presented to it, or personally inspect the Contractor's technical and organizational measures after timely coordination during normal business hours or have them inspected by a competent third party, provided that the latter is not in a competitive relationship with the Contractor. The Client shall only carry out inspections to the extent necessary and shall not disproportionately disrupt the Contractor's operating procedures.
(2) The Contractor undertakes to provide the Client with all information and evidence required to carry out an inspection of the Contractor's technical and organizational measures within a reasonable period of time at the Client's verbal or written request. Costs incurred by the Contractor as a result of its support activities shall be reimbursed to the Contractor to a reasonable extent.
(3) The Client shall document the results of the inspection and inform the Contractor thereof. In the event of errors or irregularities that the Client discovers, in particular during the inspection of order results, it must inform the Contractor immediately. If, during the inspection, facts are discovered which require changes to the ordered procedure to be avoided in the future, the Client shall inform the Contractor immediately of the necessary procedural changes.
(4) Upon request, the Contractor shall provide the Client with evidence of the obligation of the employees in accordance with § 5 (4).
§ 8 Use of subcontractors
(1) The Contractor may conclude subcontracting relationships with subcontractors (“subcontractor relationship”) in order to provide the contractually agreed services or partial services.
(2) The use of the following subcontractors is approved by the Client:
Cloud servers and online services:
Microsoft Ireland Operations Ltd
One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland
(Server Location: Netherlands)
STRATO AG
Otto-Ostrowski-Straße 7, 10249 Berlin, Germany
(3) The Client agrees that the Contractor may engage further subcontractors within the scope of its contractual obligations. Before engaging or replacing the subcontractors, the Contractor shall inform the Client and give it the opportunity to object to this within a reasonable period of time (28 days) if there are important reasons. An objection shall entitle the Contractor to terminate this contract and the associated Main Contract with immediate effect. The Contractor is obliged to carefully select subcontractors according to their suitability and reliability. If the Contractor commissions other subcontractors, it shall be incumbent on the Contractor to transfer its data protection obligations under this contract to the subcontractor. If subcontractors in a third country are to be involved, the Contractor must ensure that an appropriate level of data protection is guaranteed at the respective subcontractor (e.g. by concluding an agreement based on the EU standard data protection clauses). Upon request, the Contractor shall provide the Client with evidence of the conclusion of the aforementioned agreements with its subcontractors.
(4) A subcontractor relationship within the meaning of these provisions shall not exist if the Contractor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transportation and shipping services, cleaning services, telecommunications services with no specific connection to services provided by the Contractor for the Client and security services.
§ 9 Requests and rights of data subjects
(1) The Contractor shall support the Client as far as possible with suitable technical and organizational measures in fulfilling its obligations under Art. 12 to 22 GDPR/UK GDPR (Art. 25 to 29 DSG), Art. 32 GDPR/UK GDPR (Art. 8 DSG) and Art. 36 GDPR/UK GDPR (Art. 23 DSG), as well as the relevant provisions of the DPA 2018.
(2) If a data subject asserts rights, such as the right to information, correction or deletion of their data, directly against the Contractor, the Contractor shall not react independently but shall immediately refer the data subject to the Client and await the Client's instructions.
(3) Insofar as the Contractor's cooperation is required pursuant to para. 1 or 2, the Contractor shall be obliged to do so against reimbursement of the costs incurred.
§ 10 Liability
(1) In the internal relationship with the Contractor, the Client shall be solely responsible to the data subject for compensation for damages suffered by a data subject due to inadmissible or incorrect data processing or use in the scope of the commissioned processing.
(2) The parties shall release each other from liability if one party proves that it is in no way responsible for the circumstance that caused the damage to a party concerned.
(3) In addition, the liability rules from the Main Contract shall apply.
§ 11 Term of the agreement; Termination of the Main Contract
(1) This Agreement is concluded when the Client confirms the conclusion of this Data Processing Agreement in the course of concluding the Main Contract. This Agreement is concluded for an indefinite period and shall generally end when the Main Contract ends. However, the Contractor shall be obliged to treat the data of which it becomes aware in connection with the Main Contract confidentially even after the end of the Main Contract. This agreement shall remain valid beyond the end of the Main Contract for as long as the Contractor has personal data that was forwarded to it by the Client or that it has collected for the Client.
(2) After termination of the Main Contract or at any time at the Client's request, the Contractor shall return to the Client all documents, data and data storage media provided to it or, at the Client's request and unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany, delete them using data protection-compliant measures. The Contractor shall provide evidence of the proper deletion of any remaining data if the Client requests such evidence. This does not apply to documentation that serves as proof of proper data processing in accordance with the order, or if, for example, legal regulations, statutory obligations or court orders conflict with this. If additional costs are incurred as a result of deletion prior to termination of the contract, these shall be borne by the Client.
(3) The Client has the right to check the complete and contractually compliant return or deletion of the data at the Contractor in a suitable manner.
(4) If the Client does not issue any instructions to the contrary, the Contractor must delete the data six months after termination of the Main Contract.
§ 12 Extraordinary right of termination
The Client may terminate the Main Contract in whole or in part with immediate effect if the Contractor fails to comply with its obligations under this Agreement, violates provisions of the GDPR/UK GDPR or, if applicable, the DSG intentionally or through gross negligence or is unable or unwilling to carry out instructions from the Client in accordance with the law. In the case of simple - i.e. neither intentional nor grossly negligent - violations, the Client shall set the Contractor a reasonable deadline within which the Contractor can remedy the violation.
§ 13 Third-country transfer
For the performance of the services owed under the Main Contract, the transfer of personal data between Germany, the Netherlands and, if the Client is based there, Switzerland or the UK is required. Since, from the EU's perspective, Switzerland and the UK are considered "third countries," and Germany and the Netherlands are considered "third countries" from the UK's perspective and “foreign countries” from Switzerland’s perspective, personal data may only be transferred between these countries if it is determined that the country to which the data is being transferred ensures an adequate level of protection (Article 45(1) GDPR/UK GDPR, Art. 16 DSG). Switzerland is recognised by the European Commission as a country that offers an adequate level of protection for personal data (Adequacy Decision 2000/518/EC, confirmed by the Commission report of 15.01.2024). In its ordinance of 31 August 2022 (as of 1 January 2024), the Swiss Federal Council declared Germany and the Netherlands to be countries with an adequate level of data protection. The UK recognizes Germany and the other European Economic Area (EEA) countries as safe countries for the transfer of personal data. Data transfers between the UK and EEA countries, including Germany, are therefore possible from the UK’s perspective without additional safeguards such as standard contractual clauses. An EU adequacy decision in favour of the UK is also in place. Therefore, the transfer of personal data between the specified countries is unrestricted.
§ 14 Final provisions
(1) The parties agree that the Contractor's defense of the right of retention is excluded with regard to the data to be processed and the associated data carriers.
(2) Amendments and supplements to this agreement must be made in writing. This also applies to the waiver of this formal requirement. The precedence of individual contractual agreements remains unaffected by this.
(3) Should single provisions of this agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions.
(4) This Data Processing Agreement is available in German and English. In the event of contradictions, the German version shall take precedence.
(5) This agreement is subject to German law. The exclusive place of jurisdiction is Hamburg. The agreement is intended to meet the requirements of the GDPR, the UK GDPR, the DPA 2018 and the DSG. In the event of a conflict between the regulations, the stricter regulation takes precedence.
Annex 1: Technical and organizational measures of the Contractor
General practice. loyos BI uses the Microsoft online solution Office 365 to implement the solutions and all internal processes. Therefore, analog work with personal data is not necessary.
We work from two offices in Lübeck and Hamburg as well as from our home office. The following technical and organizational measures have been implemented to protect access.
Physical access control
Lübeck office
Access to our offices is only possible via 3 lockable doors. The direct office door is locked as soon as the last person leaves the office. The corridor door is locked between 7 p.m. and 7 a.m. The entrance door is also locked between 7 p.m. and 7 a.m. and is under video surveillance.
Access authorization and key handover are carried out exclusively by the management. If external persons require access to the offices, they are accompanied by a loyos BI employee at all times.
Hamburg office
Access to our offices is only possible via 2 lockable doors. The direct office door is locked as soon as the last person leaves the office. The entrance door is locked and can be opened using a four-digit numerical code.
Access authorization and key handover are carried out exclusively by the management. If external persons require access to the offices, they are always accompanied by a loyos BI employee.
Home office
Work is carried out in a separate lockable room that is not accessible to third parties after work or during breaks.
Logical access control
Access to systems takes place with authentication via individual user ID and password.
Passwords must comply with our password policy.
Access authorizations are granted exclusively by the management.
Our systems are protected against unauthorized access by firewalls and anti-virus software. All workstations are locked with a password when the employee leaves the workplace.
Data access control
Access to the Microsoft Online service takes place with authentication using an individual user ID and password.
Passwords must comply with our password policy.
All computers are secured with firewalls and anti-virus software.
The logging of user actions is ensured in the Microsoft Office 365 Security & Compliance Center.
Any anomalies are immediately communicated to the managing director by e-mail.
Transfer control
No disclosure, transmission, transfer or transportation of personal data is intended in the system.
All employees are subject to our confidentiality obligation.
Encrypted transmissions are used for data provision.
Input control
All content data is provided by the Client itself and is not changed by the Contractor.
The creation of Microsoft user accounts (first name, surname, e-mail address) is carried out by the Contractor. The Microsoft Office 365 logging of user actions makes it possible to check who entered, changed or deleted personal data, and when and how this was done.
Order control
The logging of user actions ensures processing in accordance with the Client's instructions.
The Data Processing Agreement specifies the rights and obligations of the Client and the Contractor.
Availability control
Availability is ensured by the Microsoft Corporation Office 365 service.
Principle of separation
The data is saved separately for each Client.
As of: 01.10.2024