Terms of Service
General Terms and Conditions of Use for the Service of the Platform
us, Blue Performance GmbH, (Plankenhofstr. 9, 81929 Munich email: email@example.com), recorded in the commercial register maintained by the Local Court of Munich under HRB 258354, represented by Madeleine Scholl, VAT ID No.: DE 335066921 (www.cardeleine.com/en/legal/imprint)
- hereinafter, the "Supplier", "we" or "us" -
- the user described in Section 2 (2) of the General Terms and Conditions of Use - hereinafter, the "User" or "you" -
Section 1: Scope, definitions
(1) The following General Terms and Conditions of Use apply exclusively to the business relationship between us and the User. We do not acknowledge deviating or conflicting terms and conditions unless we have expressly approved them.
(2) Our offer is directed at both consumers and companies. Pursuant to section 13 of the German Civil Code (BGB), the User is a consumer if the purpose of the ordered services cannot be primarily attributed to his or her trade, business or profession. By contrast, pursuant to section 14 BGB, an entrepreneur means any natural or legal person or partnership with legal personality who or which, when concluding the contract, acts in exercise of his or her or its trade, business or profession. The arrangements in these General Terms and Conditions of Use apply both to consumers and to companies, other than where individual arrangements provide for applicability only to consumers or to entrepreneurs.
(3) If the User is an entrepreneur within the meaning of section 14 BGB, the annex to these General Terms and Conditions of Use entitled "Data Processing Contract" is applicable and becomes an integral component when the contract is concluded.
(4) We are entitled, and we reserve the ability, to amend these General Terms and Conditions of Use at any time, including with effect during the existing contractual relationship, under the following conditions:
- We may subsequently modify services that were ordered over the platform or deviate from them if you can reasonably be expected to accept the agreement on the change or deviation, taking into consideration our interests as Supplier. In this regard, acceptable means only those changes or deviations that do not modify the overall character of the services and become necessary because of circumstances that arise after conclusion of contract (e.g. amendments to laws or changed market conditions).
- We may make other amendments that do not relate to any services of the platform without regard to the condition of acceptability.
You will be notified in writing or by email of any amendments to these General Terms and Conditions of Use that have an impact on the contractual relationship. If you do not object to an amendment within four (4) weeks of receipt of the notification and continue to use the services after expiry of the period for objection, the amendments are deemed approved by you. In the event of an amendment of the general business terms and conditions, you will be separately informed of the right to object and the legal consequences of failing to do so. In the case of rejection, we are entitled to terminate your contract at the time the amendment becomes effective and suspend your user account.
(5) In the case of changes to value-added tax, we are entitled modify prices in accordance with this change without the foregoing right to objection being available.
Section 2: Registration as user
(1) Use of the services available on our platform www.cardeleine.com (hereinafter, the "Platform") require that you first register as a user. There is no charge for registering on our Platform. There is no entitlement to registration to our Platform. Only persons who have full capacity to contract are entitled to register. You must fully and truthfully provide the data necessary for registration. In the event that the data you provided should change, you are obligated to correct the entries without delay. If you provide inaccurate data when registering or fail to make a later correction, we reserve the ability to suspend your user account.
(2) Apart from the declaration of your agreement with the applicability of these General Terms and Conditions of Use , your registration is not associated with any obligations whatsoever. You may delete your entry at any time under "My account". Simply by registering with us does not create any obligation whatsoever to purchase the offered services. With registration, we will at our discretion make free features available to you under "My account", whereby we reserve the ability to modify or remove these at any time. In this regard, we will pay consideration to your legitimate interests. If, within 120 days following your registration, we determine that there has been no activity whatsoever in your account, we reserve the ability to delete your account and thus your registration.
(3) In the case of registration as a company within the meaning of section 14 BGB, the following also applies: At our request, you must send us a copy of your personal identity card, provide us with your VAT ID No., and document your recording in the commercial register. If the company is a legal person, the registration must be made by a natural person with full capacity to contract and representational authority, who is to be named. For the purposes of registration, you electronically complete the registration form available on our website and store it under your user account.
(4) After you enter all requested data, they will be reviewed by us for completeness and plausibility. If in our view the data are correct, and if in our view there are no other concerns, we will activate the access you requested and notify you of this by email. The email is considered to be acceptance of your registration application. Following receipt of the email, you are entitled to use the Platform within the scope of these General Terms and Conditions of Use. In this regard, you must first confirm your activation by clicking on the link contained in the email.
(5) Users who are companies within the meaning of section 14 BGB have the ability to have separate accounts set up for their employees. This ability is possible following contract conclusion pursuant to the ordered number of users. See Section 9 of the General Terms and Conditions of Use.
Section 3: Responsibility for access credentials, data security, system requirements
(1) When registering, you select a personal user name and a password. The user name must not infringe third-party rights or other rights to names or trademarks or be contra bonos mores. You are obligated to keep the password secret and in no event to disclose it to third parties.
(2) You are also responsible for ensuring that your access and use of the services provided on the Platform takes place solely by you or by persons authorised by you. As an entrepreneur, you must place a corresponding obligation on your employees who have their own account with us. You must immediately notify us if there are concerns that unauthorised third parties have gained or will gain knowledge of your access credentials. You are liable in accordance with statutory provisions for any use and/or other activity that takes place under your access credentials.
(3) If your personal details change, you are personally responsible for updating them (see also Section 2 (1) of these General Terms and Conditions of Use). After registration, all changes can be made online under "My account".
(4) You are solely responsible for properly and regularly backing up your data.
(5) You must satisfy the system requirements specified in the product description in order to use the Platform and the services and products offered on it. You are personally responsible for this. Please find out in advance about whether your systems and devices support the technologies used in our services and products (e.g. QR technology).
Section 4: Services on the Platform
We make the following services and products available to you on our Platform. This may be, inter alia, the creation of digital business cards, as well the making available of data, photo documentation, and information (hereinafter, "Content"). You have the ability to make Content that you have uploaded available to other users and to obtain Content that has been uploaded and made available by other users (hereinafter, "Third-Party Content") at their behest. For the features and scope of the services and products, please refer to the corresponding descriptions on our website. In addition, we offer you supporting services and features in some cases, such as a ticket system or a feedback feature. The provision and scope of these supporting services and features lies in our discretion.
Section 5: Contract conclusion
(1) The depiction of the services on our Platform does not constitute a legally binding offer but rather an invitation to place an order (invitatio ad offerendum).
(2) By clicking on the button "Order with an obligation to pay" in the last step of the ordering process, you submit a binding offer to order the services listed in the order overview for a charge. Immediately after sending the order, you will receive an order confirmation, which however does not yet constitute acceptance of your offer of contract. A contract between you and us comes into effect once we accept your booking by separate email (hereinafter, "Contract Conclusion"). Please regularly check the spam folder in your email account.
(3) On our portal, you can select services for booking for a charge by placing them in a shopping cart by clicking on the corresponding button. If you want to complete the order, go to the shopping cart, where you will be guided through the rest of the ordering process. After selecting the products in the shopping cart and entering all required order data in the following step, a page will open after clicking on the "Continue" button on which the main product information is once again summarised, including incurred costs. Prior to sending the order, you can modify and view the data at any time and decline to make the contract declaration. The offer can be submitted and transmitted only if you accept these contract terms and conditions by clicking on the button "Accept General Terms and Conditions of Use" and include them in your offer. A binding offer within the meaning of subsection (2), above, is first submitted by then clicking on the button "Order with an obligation to pay".
(4) For the main aspects of the services offered by us and the duration of the validity of limited-term offers, please see the individual products descriptions on our website.
(5) The language made available for conclusion of contract is exclusively German. Any translations into other languages are provided merely for informational purposes. In the case of conflicts between the German text and the translation, the German takes has priority.
Section 6: Notice concerning corrections
As part of the ordering process, you first place the desired services in the shopping cart. There, you can change the desired contract term at any time or remove the selected services entirely. If you have placed services in the shopping cart, then by clicking on the "Continue" buttons, you will first reach a page on which you enter your data. Finally, an overview page will open on which you can review your information. You can correct your entry fields (e.g. with respect to dates or the desired contract term) by clicking on the field "Edit". If you would like to cancel the ordering process entirely, you can simply close your browser window. Otherwise, by clicking on the confirmation button "Order with an obligation to pay", your declaration becomes binding within the meaning of Section 5 (2) of these General Terms and Conditions of Use.
Section 7: Storage of the contract text
The contract terms and conditions with information about the ordered services, including these General Terms and Conditions of Use and the cancellation policy (which is applicable only if you are a consumer pursuant to section 13 BGB), will be sent to you by email upon acceptance of the contract offer or upon notification hereof. The contract text is stored in adherence with data protection.
Section 8: Payment terms, prices
(1) The prices for the monthly and annual subscription can be viewed on our website, whereby payment is made monthly or for a year in advance, as the case may be.
(2) The fee for the contractually agreed service is immediate due with the order. If the due date for payment is determined by the calendar, then you are in default if you miss the date. In such case, you must pay us default interest for the year in the statutory amount. The obligation to pay default interest does not exclude the assertion by us of other damages from default.
(3) The services are paid for exclusively by credit card (we use the transmission method "SSL" for encryption of your personal data). You can first use the contractually agreed services after payment. The fee for the contractually agreed services will be charged to your credit card entered prior to use of the service. You can view the invoice for the service used under "My Account" in the section "Invoices".
(3) We reserve the right to change the billing models and the payment methods with prospective effect.
(4) To the extent provided for in the product description on the Platform, we grant you on a voluntary basis a free trial phase for certain services. The trial phase starts with the receipt of the order confirmation and ends as follows:
- if as User you are a consumer within the meaning of section 13 BGB, the trial phase automatically ends after the period granted in the product description without the need for a further declaration on our part; this does not affect your right of cancellation pursuant to Section 16 of the General Terms and Conditions of Use.
- if as User you are an entrepreneur within the meaning of section 14 BGB, the trial phase ends after the period granted in the product description and converts automatically to the contract term, unless you cancel your order during the trial phase. The cancellation period is satisfied by sending the cancellation by email to firstname.lastname@example.org in a timely manner prior to the end of the trial phase. The general right of cancellation for consumers pursuant to section 16 of the General Terms and Conditions of Use is not available to you.
Section 9: Creation of additional user accounts
Users who are companies within the meaning of section 14 BGB have the ability to have separate accounts set up for their employees. The number of user accounts is determined by the number of users ordered and paid for in the contract. After Contract Conclusion, the company can apply with us to set up corresponding user accounts for its employees. Following a successful review pursuant Section 2 (4), we will activate the access for your employees that you applied for and notify them of this by email. Following receipt of the email, your employee is entitled to use the portal within the scope of these General Terms and Conditions of Use. In this regard, your employee must first confirm the activation by clicking on the link contained in the email.
Section 10: Rights of use
(1) The Platform, as well as the services covered by it and the features provided by us (e.g. tools for creating digital business cards), are comprehensively protected by copyright.
(2) You will receive for the term of the contract a non-exclusive, non-sublicenseable, non-transferable, and revocable right to use the Platform and the services and features covered by it exclusively for the purposes agreed upon in these General Terms and Conditions of Use and in conformity with these General Terms and Conditions of Use and applicable law. In particularly, you may not copy, edit, revise, modify, reverse-engineer, or transform the Platform and the services and features made available on it, other than where permitted by mandatory law.
(3) By uploading your Content (e.g. names, company logo, photos, design, etc.), you acknowledge and approve that we may store and process this Content pursuant to our Data Protection Policy (www.cardeleine.com/en/legal/privacy) or, in the event that you as User are an entrepreneur within the meaning of section 14 BGTB, pursuant to the arrangements specified in the annex "Data Processing".
(4) For the purpose of providing our services, you grant us a gratuitous, non-exclusive, non-sublicenseable, non-transferable, territorially unlimited right to use uploaded Content, particularly in order to distribute Content over our infrastructure and at our behest to other users, as well as to store, process, and reproduce Content, provided that this is necessary for providing the services. The grant of right is limited in terms of time to the duration of the concluded contract and in terms of substance to the performance of the concluded contract.
Section 11: Responsibility of the User for uploaded Content
(1) You as User are fully responsible for Content you enter. We do not perform a view of Content for accuracy, completeness, lawfulness, quality, or suitability for a specific purposes or for whether it is up to date. The same also applies to Third-Party Content. We do not perform a review of Third-Party Content for accuracy, completeness, or lawfulness and therefore do not assume any responsibility or liability whatsoever for the accuracy, completeness, or lawfulness of Third-Party Content or for whether it is up to date. This also applies with respect to the quality of Third-Party Content and suitability for a specific purpose, including to the extent that Third-Party Content on, e.g., linked-to outside websites is involved. (2) You declare and warrant to us that you are the sole owner of all rights in and to Content uploaded by you on the Platform or are otherwise authorised (e.g. through an effective permission of the rights holder) to upload Content through your user account and to grant rights of use and exploitation pursuant to Section 10 (4). You must indemnify us on first demand against all claims and costs that arise out of or in connection with an infringement of third-party rights by you or by a person authorised by you, a statutory representative, or one of your employees or persons you use to perform an obligation (Erfüllungsgehilfen). More extensive claims by us remain unaffected.
Section 12: Prohibited activities
(1) As User, you are obligated in connection with use of the Platform and the services and features made available to observe applicable laws and all third-party rights. You are prohibited from undertaking any activities on or in connection with the Platform that violate applicable law, infringe third-party rights (including those of other users), or are in breach of the principles of protection of young persons. In particular, but not exclusively, you are prohibited from taking the following actions:
- entering, disseminating, offering, or promoting Content, services, and/or products that are in contravention of youth protection statutes, data protection law, criminal law, copyright, trademark and labelling law, or the provisions for the protection of the right of personality and industrial property rights and/or are in violation of other law and/or are fraudulent;
- entering, disseminating, offering, or promoting Content, services, and/or products that are libellous, slanderous, anti-constitutional, racist, sexist, or pornographic;
- using, providing, or disseminating Content, services, and/or products that are protected by statute or are encumbered with third-party rights (e.g. copyrights, trademarks) without being expressly authorised to do so.
(2) In addition, irrespective of any statutory violation in uploading your own Content on the Platform, you are prohibited from undertaking the following activities:
spreading viruses, Trojan horses, or other malware;
- sending junk or spam email or chain letters;
- disseminating lewd, indecent, sexually explicit, obscene, or defamatory Content or communication or such Content or communication that is designed to promote or support racism, fanaticism, hate, physical violence, or unlawful actions (either explicitly or implicitly);
- disseminating and/or public reproducing services and features available on the Platform or Third-Party Content unless this is expressly made available to you as a functionality on the platform or you are permitted to do so by the other users or rights holder.
(4) Also prohibited is any action that is intended to or is capable of interfering with the smooth operation of the Platform, particularly interfering with the security or availability of the Platform, making it non-functional or preventing, impeding, or delaying its use, or putting an excessive burden on the systems.
(5) If you become aware of use that is illegal, abusive, in breach of contract, or otherwise unauthorised, please contact Blue Performance GmbH, Plankenhofstr. 9, 81929 Munich. We will then review the event and take the appropriate steps where necessary.
(6) In the event of suspicion of unlawful or criminal actions, we are entitled and, in some cases, obligated to review your activities and take the suitable legal steps, where necessary. This may also include forwarding the matter to the public prosecutor’s office.
Section 13: Suspension of user accounts
(1) We may temporarily or permanently suspend your user account and thus your access to the Platform if there are specific indications that you are or have been in breach of these General Terms and Conditions of Use and/or in violation applicable law or if we have some other legitimate interest in suspension. In making the decision about a suspension, we will appropriately take your legitimate interests into consideration.
(2) In the case of a temporary or permanent suspension, we will suspend your access authorisation and notify you of this by email.
(3) In the case of a temporary suspension, we will reactivate your user account and access authorisation after expiry of the suspension period and notify you of this by email. A permanently suspended access authorisation cannot be restored. Permanently suspended persons are permanently excluded from use of the Platform and may not re-register on the Platform.
Section 14: Term, termination, end of use
(1) The minimum term of the contract amounts to one month or one year, unless a different minimum term is expressly set forth in the product description. The term begins upon Contract Conclusion and, in the event that a trial phase was granted, upon expiry of the trial period.
(2) In the case of a one-month term, the contact may be terminated with 10 days’ notice or, in the case of a one-year contract, with four weeks’ notice, effective at the end of the respective term. Without termination, the contract automatically renews for a further month or a further year, unless a different term is expressly set forth in the product description.
(3) The foregoing does not affect the right of the contracting parties to terminate without notice. In particular, in the event of price increases of more than 10%, you are entitled to terminate without notice.
(4) Terminations are to be directed to: email@example.com
(5) When the termination becomes effective, the use relationship ends, and you may no longer use your account. We reserve the ability to suspend the user name and the password when the termination becomes effective.
(6) Once 30 calendar days have elapsed since the termination became effective, and once any statutory retention periods have expired, we are entitled to irretrievably delete all Content and data deposited and stored in your account.
Section 15: Limitation of liability
(1) We are liable for wilful misconduct and gross negligence. In addition, we are liable for the negligent breach of duties whose fulfilment is essential for proper performance of the contract, whose breach jeopardises the achievement of the contract purpose, and on whose compliance you as User normally may rely. In the latter case, however, we are liable only for foreseeable damage that is typical of the contract. We are not liable for the breach of duties other than those specified in the foregoing sentences that is occasioned by simple negligence.
(2) The foregoing exclusions of liability do not apply in the case of loss of life, physical injury, or damage to health. Liability under the German Product Liability Act (Produkthaftungsgesetz) remains unaffected.
(3) In accordance with the current state of technology, the communication of data over the internet cannot be guaranteed to be free of error and/or available at all times. Accordingly, we are not liable for the error-free, constant, and uninterrupted availability of our services. You cannot derive any claims against us from an interruption of availability.
(4) Our strict liability for compensation of damages pursuant to section 536a (1) sentence 1, alternative 1 BGB is excluded for defects that exist at the time of Contract Conclusion.
(5) For any services made available by us on the Platform at no charge, we are liable only to the extent that the User’s damage occurred as a result of contractually consistent use of the free services and only in the case of wilful misconduct (including fraud) or gross negligence.
(6) If your damages result from the loss of data, we are not liable for this, to the extent that the damages would have been prevented by a regular and complete back-up of all relevant data by you. You are solely responsible for performing a regular and complete data back-up yourself or having it performed by a third party.
(6) You must indemnify us on first demand against all third-party claims, including claims for compensation of damages and liability claims, as well as reasonable costs, that are attributable to your culpable conduct (or that of your employees, representatives, or persons you use to perform an obligation). In particular, this includes, but is not limited to, claims against us based on prohibited activities within the meaning of Section 12 that were undertaken by you.
Section 16: Right of cancellation
The following right of cancellation applies only if you as User are a consumer within the meaning of section 13 BGB:
As a consumer, you have a right of cancellation in accordance with the policy set forth below.
As a consumer, i.e. a natural person who concludes a transaction for purposes the can be primarily attributed to his or her trade, business or profession, you have the right of cancellation for 14 days with regard to all services that we offer on the Platform for a charge.
Right of withdrawal
You have the right to withdraw from this contract within 14 days without having to provide reasons.
The withdrawal period amounts to 14 days, starting on the day of Contract Conclusion.
In order to exercise your right of withdrawal, you must inform us (Blue Performance GmbH, Plankenhofstr. 9, 81929 Munich, Germany, firstname.lastname@example.org; you can find additional contact data in the imprint www.cardeleine.com/en/legal/imprint) by means on an unambiguous declaration (e.g. a letter sent by postal mail or an email) about your decision to withdraw from this contract. To do so, you may use the attached model withdrawal form www.cardeleine.com/en/legal/terms, but this is not required.
Additionally: You can electronically complete and transmit the sample cancellation form or another unambiguous declaration on our website www.cardeleine.com/en/legal/withdrawal. If you make use of this ability, we will immediately send you a confirmation (e.g. by email) about receipt of such withdrawal.]
The withdrawal period is complied with if you send the notice about the exercise of the right of withdrawal prior to expiry of the withdrawal period.
Consequences of withdrawal
If you withdraw from this contract, we must reimburse you for all payments that we have received from you under this contract, including delivery costs (with the exception of additional costs that are a result of the fact that you chose a type of delivery different from the least expensive standard delivery offered by us), without delay and not later than 14 days from the date on which we received the notice of your withdrawal from this contract. In making this reimbursement, we will use the same form of payment that you used for the original transaction, unless something else was expressly agreed upon with you. In no event will you be charged any fees for this reimbursement.
If you requested that the services are to begin during the withdrawal period, then for services provided for a charge, you must pay us an appropriate amount that corresponds to the proportion of services that were provided for a charge up to the time at which you notified us about the exercise of the right of withdrawal with respect to this contract compared with the total scope of the services envisaged in the contract.
In the case of a contract for the delivery of digital Content not contained on a physical data storage device, the right of withdrawal also expires when the operator has started to perform the contract after you expressly approved that the operator is to start to perform the contract prior to expiry of the withdrawal period and you confirmed your awareness that you lose your right of withdrawal with the start of contract performance.
Exclusion of the right of withdrawal
There is no right of withdrawal if at the time of conclusion of the transaction, you are acting primarily in exercise of your trade, business or profession and you are therefore to be considered an entrepreneur (section 14 BGB).
Other important notices
You expressly approve that we are to start performance of the service prior to the end of the withdrawal period.
Model Withdrawal Form
Complete and return this form only if you wish to withdraw from the contract
To: Blue Performance GmbH, Plankenhofstr. 9, 81929 Munich, Germany, E-Mail: email@example.com
• I/We (*) hereby give notice that I/We (*) withdraw from my/ our (*)
• contract for the provision of the following service:
• Ordered on (*)/Received on (*)
• Name of the consumer(s)
• Address of the consumer(s)
• Signature of the consumer(s) (only in the case of notice on paper)
(*) Delete as appropriate.
Section 17: Final provisions
(1) The law of the Federal Republic of Germany is applicable to contracts concluded between us and User, under exclusion of the United Nations Convention on Contracts for the International Sale of Goods. The foregoing does not affect the statutory provisions concerning the limitation of the choice of law and concerning the applicability of mandatory provisions, particularly of the country in which the User as consumer has his or her habitual place of residence.
(2) If the User is a merchant, a legal person under public law, or a special fund under public law, the place of jurisdiction for all disputes under contractual relationships between the customer and the supplier is the registered office of the supplier.
(3) We make you aware that in addition to recourse to the ordinary courts of law, you also have the ability to obtain an out-of-court resolution of disputes pursuant to Regulation (EU) No. 524/2013. You can find details about this in Regulation (EU) No. 524/2013 and at: ec.europa.eu/consumers/odr
Our email address is: firstname.lastname@example.org . Pursuant to section 36 of the German Act on Alternative Dispute Resolution in Consumer Matters (VSBG), we point out that we are obliged to take part in dispute resolution procedures before a consumer conciliation body.
(4) Even where individual clauses are legally ineffective, the contract remains binding in its other parts. Where they exist, statutory provisions take the place of the ineffective clauses. However, if this would pose an unreasonable hardship for a contracting party, the contract becomes ineffective in its entirety.
Annex (applicable only for users who are entrepreneurs within the meaning of section 14)
Data Processing Agreement
Agreement on the processing of personal data on behalf of a controller pursuant to Art. 28 GDPR
1. Scope, Subject of the Agreement
1.1 This data processing agreement (hereinafter "DPA") only applies if the Customer is a company within the meaning of § 14 BGB.
1.2 In accordance with this DPA, Blue Performance GmbH (hereinafter referred to as "Supplier") processes personal data on behalf of the Customer. In the course of the provision of services in accordance with the conclusion of the contract in accordance with the above General Terms and Conditions of Use of the Supplier (hereinafter referred to as "Main Agreement"), it is necessary for the Supplier to process personal data for which the Customer is the controller in terms of data protection regulations (hereinafter referred to as "Customer Data"). This DPA specifies the data protection obligations and rights of the Parties in connection with the Supplier´s use of Customer Data to render the services under the Main Agreement.
2. Scope of the Commissioning
2.1 The Supplier shall process the Customer Data on behalf and in accordance with the instructions of the Customer within the meaning of Art. 28 GDPR (Processing on Behalf). The Customer remains the controller in terms of data protection law.
2.2 The processing of Customer Data by the Supplier occurs in the manner and the scope and for the purpose determined in the Main Agreement and in Annex 1 to this DPA. The processing relates to the types of personal data and categories of data subjects specified in Annex 1. The duration of processing corresponds to the term of the Main Agreement.
2.3 The Supplier reserves the right to anonymize or aggregate the Customer Data in such a way that it is no longer possible to identify individual data subjects, and to use them in this form for the purpose of needs-based designing, developing and optimizing as well as rendering of the services agreed as per the Main Agreement. The Parties agree that anonymized and according to the above requirement aggregated Customer Data are not considered Customer Data for the purposes of this agreement.
2.4 The processing of Customer Data by the Supplier shall in principle take place inside the European Union or another contracting state of the European Economic Area (EEA). The Supplier is nevertheless permitted to process Customer Data in accordance with the provisions of this agreement outside the EEA if he informs the Customer in advance about the place of data processing and if the requirements of Art. 44 to 48 GDPR are fulfilled or if an exception according to Art. 49 GDPR applies.
3. Right of the Customer to issue Instructions
3.1 The Supplier processes the Customer Data in accordance with the instructions of the Customer, unless the Supplier is legally required to do otherwise. In the latter case, the Supplier shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
3.2 The instructions of the Customer are in principle conclusively stipulated and documented in the provisions of this DPA. Individual instructions which deviate from the stipulations of this agreement or which impose additional requirements shall require the Supplier´s consent; the Customer immediately confirms verbal instructions (at least in text form). The Customer assumes any additional costs caused by the individual instruction.
3.3 The Supplier shall ensure that the Customer Data is processed in accordance with the instructions given by the Customer. If the Supplier is of the opinion that an instruction given by the Customer infringes this DPA or applicable data protection law, he is after correspondingly informing the Customer entitled to suspend the execution of the instruction until the Customer confirms the instruction. The Parties agree that the sole responsibility for the processing of the Customer Data in accordance with the instructions lies with the Customer.
4. Legal Responsibility of the Customer
4.1 The Customer is solely responsible for the permissibility of the processing of the Customer Data and for safeguarding the rights of data subjects in the relationship between the parties. Should third parties assert claims against the Supplier based on the processing of Customer Data in accordance with this DPA, the Customer shall indemnify the Supplier from all such claims upon first request.
4.2 The Customer is responsible to provide the Supplier with the Customer Data in time for the rendering of services according to the Main Agreement and he is responsible for the quality of the Customer Data. The Customer shall inform the Supplier immediately and completely if during the examination of the of the Supplier´s results he finds errors or irregularities with regard to data protection provisions or his instructions.
4.3 On request, the Customer shall provide the Supplier with the information specified in Art. 30 para. 2 GDPR, insofar as it is not available to the Supplier himself.
4.4 If the Supplier is required to provide information to a governmental body or person on the processing of Customer Data or to cooperate with these bodies in any other way, the Customer is obliged at first request to assist the Supplier in providing such information and in fulfilling other cooperation obligations.
5. Requirements for Personnel and Systems
The Supplier shall commit all persons engaged in processing Customer Data to confidentiality with respect to the processing of Customer Data.
6. Security of Processing
6.1 The Supplier takes according to Art. 32 GDPR necessary, appropriate technical and organizational measures, taking into account the state of the art, the implementation costs and the nature, scope, circumstances and purposes of the Customer Data, as well as the different likelihood and severity of the risk to the rights and freedoms of the data subjects, in order to ensure a level of protection of Customer Data appropriate to the risk.
6.2 The Supplier shall have the right to modify technical and organizational measures during the term of the DPA, as long as they continue to comply with the statutory requirements.
7. Engagement of further Processors
7.1 The Customer grants the Supplier the general authorization to engage further processors with regard to the processing of Customer Data. Further processors consulted at the time of conclusion of the DPA result from Annex 2. In general, no authorization is required for contractual relationships with service providers that are concerned with the examination or maintenance of data processing procedures or systems by third parties or that involve other additional services, even if access to Customer Data cannot be excluded, as long as the Supplier takes reasonable steps to protect the confidentiality of the Customer Data.
7.2 The Supplier shall notify the Customer of any intended changes in relation to the consultation or replacement of further processors. In individual cases, the Customer has the right to object to the engagement of a potential further processor. An objection may only be raised by the Customer for important reasons which have to be proven to the Supplier. Insofar as the Customer does not object within 14 days after receipt of the notification, his right to object to the corresponding engagement lapses. If the Customer objects, the Supplier is entitled to terminate the Main Agreement and this DPA with a notice period of 3 months.
7.3 The agreement between the Supplier and the further processor must impose the same obligations on the latter as those incumbents upon the Supplier under this DPA. The Parties agree that this requirement is fulfilled if the contract has a level of protection corresponding to this DPA, respectively if the obligations laid down in Art. 28 para. 3 GDPR are imposed on the further processor.
7.4 Subject to compliance with the requirements of Section 2.5 of this DPA, the provisions of this Section 7 shall also apply if a further processor in a third country is involved. The Customer hereby authorizes the Supplier to conclude an agreement with another processor on behalf of the Customer based on the standard contractual clauses for the transfer of personal data to processors in third countries pursuant to the decision of the European Commission of February 5th in 2010. The Customer declares his willingness to cooperate in fulfilling the requirements of Art. 49 GDPR to the extent necessary.
8. Data Subjects´ Rights
8.1 The Supplier shall support the Customer with technical and organizational measures within the scope of what is reasonable and against reimbursement of the expenses and costs incurred to be proven by the Supplier in fulfilling the Supplier’s obligation to respond to requests for exercising data subjects´ rights.
8.2 As far as a data subject submits a request for the exercise of his rights directly to the Supplier, the Supplier will forward this request to the Customer in a timely manner.
8.3 The Supplier shall inform the Customer of any information relating to the stored Customer Data, about the recipients of Customer Data to which the Supplier shall disclose it in accordance with the instruction and about the purpose of storage, as far as the Customer does not have this information at his disposal and as far as he is not able to collect it himself.
8.4 The Supplier shall, within the bounds of what is reasonable and necessary, against reimbursement of the expenses and costs incurred by the Supplier as a result of this and to be proven, enable the Customer to correct, delete or restrict the further processing of Customer Data, or at the instruction of the Customer correct, block or restrict further processing himself, if and to the extent that this is impossible for the Customer.
8.5 Insofar as the data subject has a right of data portability vis-à-vis the Customer in respect of the Customer Data pursuant to Art. 20 GDPR, the Supplier shall support the Customer within the bounds of what is reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Supplier as a result of this and to be proven in handing over the Customer Data in a structured, commonly used and machine-readable format, if the Customer is unable to obtain the data elsewhere.
9. Notification and Support Obligations of the Supplier
9.1 Insofar as the Customer is subject to a statutory notification obligation due to a breach of the security of Customer Data (in particular pursuant to Art. 33, 34 GDPR), the Supplier shall inform the Customer in a timely manner of any reportable events in his area of responsibility. The Supplier shall assist the Customer in fulfilling the notification obligations at the latter´s request to the extent reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Supplier as a result thereof and to be proven.
9.2 The Supplier shall assist the Customer to the extent reasonable and necessary in return for reimbursement of the expenses and costs incurred by the Supplier as a result thereof and to be proven with data protection impact assessments to be carried out by the Customer and, if necessary, subsequent consultations with the supervisory authority pursuant to Art. 35, 36 GDPR.
10. Deletion and Return of Customer Data
10.1 The Supplier shall delete the Customer Data upon termination of this DPA, unless the Supplier is obligated by law to further store the Customer Data.
10.2 The Supplier may keep documentations, which serve as evidence of the orderly and accurate processing of Customer Data, also after the termination of the DPA.
11. Evidence and Audits
11.1 The Supplier shall provide the Customer, at the latter´s request, with all information required and available to the Supplier to prove compliance with his obligations under this DPA.
11.2 The Customer shall be entitled to audit the Supplier with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organizational measures; including inspections.
11.3 In order to carry out inspections in accordance with Section 11.2., the Customer is entitled to access the business premises of the Supplier in which Customer Data is processed within the usual business hours (Mondays to Fridays from 10 a.m. to 6 p.m.) after timely advance notification in accordance with Section 11.5 at his own expense, without disruption of the course of business and under strict secrecy of the Supplier´s business and trade secrets.
11.4 The Supplier is entitled, at his own discretion and taking into account the legal obligations of the Customer, not to disclose information which is sensitive with regard to the Supplier´s business or if the Supplier would be in breach of statutory or other contractual provisions as a result of its disclosure. The Customer is not entitled to get access to data or information about the Supplier´s other customers, cost information, quality control and contract management reports, or any other confidential data of the Supplier that is not directly relevant for the agreed audit purposes.
11.5 The Customer shall inform the Supplier in good time (usually at least four weeks in advance) of all circumstances relating to the performance of the audit. The Customer may carry out one audit per calendar year. Further audits are carried out after consultation with the Supplier. The Supplier can assert a remuneration claim for enabling controls by the Customer. The amount of the remuneration must be agreed in advance and is based on the hourly rate of the employee of the Supplier or subcontractor assigned to the inspection.
11.6 If the Customer commissions a third party that shall not be a competitor to the Supplier to carry out the audit, the Customer shall obligate the third party in writing the same way as the Customer is obliged vis-à-vis the Supplier according to this Section 11 of this DPA. In addition, the Customer shall obligate the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional obligation of secrecy. At the request of the Supplier, the Customer shall immediately submit to him the commitment agreements with the third party.
11.7 At the discretion of the Supplier, proof of compliance with the obligations under this DPA may be provided, instead of an inspection, by submitting an appropriate, current opinion or report from an independent authority (e.g. auditor, audit department, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit – e.g. according to BSI-Grundschutz – ("audit report"), if the audit report makes it possible for the Customer in an appropriate manner to convince himself of compliance with the contractual obligations.
12. Contract Term and Termination
12.1 The term and termination of this DPA shall be governed by the term and termination provisions of the Main Agreement. A termination of the Main Agreement automatically results in a cancellation of this DPA. An isolated termination of this DPA is excluded.
13.1 The Supplier´s liability under this DPA shall be governed by the disclaimers and limitations of liability provided for in the Main Agreement. As far as third parties assert claims against the Supplier which are caused by the Customer´s culpable breach of this DPA or one of his obligations as the controller in terms of data protection law affecting him, the Customer shall upon first request indemnify and hold the Supplier harmless from these claims.
13.2 The Customer undertakes to indemnify the Supplier upon first request against all possible fines imposed on the Supplier corresponding to the Customer´s part of responsibility for the infringement sanctioned by the fine.
14. Final Provisions
14.1 In case individual provisions of this DPA are ineffective or become ineffective or contain a gap, the remaining provisions shall remain unaffected. The Parties undertake to replace the ineffective provision by a legally permissible provision which comes closest to the purpose of the ineffective provision and that thereby satisfies the requirements of Art. 28 GDPR.
14.2 In case of conflicts between this DPA and other arrangements between the Parties, in particular the Main Agreement, the provisions of this DPA shall prevail.
Annex 1: Types of Personal Data and Categories of Data Subjects
Annex 2: Further Processors
Annex 1: Types of Personal Data and Categories of Data Subjects
Types of personal data: Communication data (e.g. telephone, e-mail), contract master data, log data, personal master data
Categories of data subjects: Employees, employees and suppliers of the Costumer
Annex 2: Further Processors
Company, Adress: Hetzner Online GmbH; Industriestr. 25, 91710 Gunzenhausen
Type of processing: Webhosting, Data Storage
Purpose: Data hosting and provision of data
Type of data: See Annex 1
Categories of data subjects: See Annex 1