Contract according to Article 28 GDPR

between

client

- hereinafter referred to as "client" -

and

alkima LTD, Centris Business Gateway, Level 2M, Triq Is-Salib Tal-Imriehel, Zone 3, Central Business District, CBD3020 Birkirkara, MALTA

- hereinafter referred to as "contractor" or "alkima WEB & DESIGN ®" -

  1. The subject matter and duration of the contract

    The subject matter and duration of the contract are fully determined by the information provided in the respective contractual relationship.

    The Contractor processes personal data for the Client within the meaning of Article 4 No. 2 and Article 28 GDPR on the basis of this contract.

  2. Scope, type and purpose of the collection, processing or use of data

    The scope, type and purpose of any collection, processing or use of personal data, the type of data and the group of data subjects will be described to the Contractor by the Client in accordance with Annex 1 completed by the Client, unless it is based on the contractual content of the contractual relationships described in section 1.

    The provision of the contractually agreed data processing takes place exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the prior consent of the Client and may only take place if the special requirements of Art. 44 ff. GDPR are met.

  3. Technical-organizational measures according to Article 32 GDPR (Article 28 Paragraph 3 Sentence 2 Letter c GDPR)

    1. The Contractor must document the implementation of the necessary technical and organizational measures set out in advance of the contract award, in particular with regard to the specific execution of the contract, and hand them over to the customer for review (see Appendix 2). If accepted by the Client, the documented measures become the basis of the contract.

    2. The Contractor must provide security in accordance with Article 28 Paragraph 3 Clause 2 Letter c, 32 GDPR, in particular in conjunction with Article 5 Paragraph 1, Paragraph 2 GDPR. Overall, the measures to be taken are data security measures and those to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the type, scope and purposes of processing as well as the different probability of occurrence and severity of the risks for the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR must be taken into account.

    3. The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative, adequate measures. The security level of the specified measures must not be undercut. Significant changes must be documented.

  4. Rectification, blocking and deletion of data

    1. The Contractor may not delete the data processed in the contract or restrict their processing without authorization. Insofar as a person concerned contacts the Contractor directly in this regard, the Contractor will immediately forward this request to the Client.

    2. As far as included in the scope of services, the deletion concept, right to be forgotten, rectification, data portability and access must be ensured directly by the Contractor in accordance with documented instructions from the Client.

  5. Quality assurance and other obligations of the Contractor

    In addition to complying with the provisions of this contract, the Contractor has legal obligations in accordance with Articles 28 to 33 GDPR; in this respect, he particularly guarantees compliance with the following requirements:

    • Maintaining confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Letter b, 29, 32 Paragraph 4 GDPR. When carrying out the work, the Contractor will only use employees who are bound to confidentiality and who have previously been familiarized with the data protection provisions that are relevant to them. The Contractor and every person subordinate to the Contractor who has access to personal data may only process this data in accordance with the instructions of the Client, including the powers granted in this contract, unless they are legally obliged to process them.

    • The implementation of and compliance with all technical and organizational measures necessary for this contract in accordance with Article 28 Paragraph 3 Clause 2 Letter c, 32 GDPR and Annex 2.

    • The Client and the Contractor cooperate with the supervisory authority on request in the performance of its tasks.

    • Immediately informing the Client about inspections and measures of the supervisory authority, insofar as they relate to this contract. This also applies if a competent authority investigates the processing of personal data during contractual processing by the Contractor within regulatory or criminal proceedings.

    • Insofar as the Client is subject to an inspection by the supervisory authority, a regulatory or criminal procedure, the liability claim of a data subject or a third party or any other claim in connection with the contractual processing by the Contractor, the Contractor must support him to the best of his ability.

    • The Contractor regularly checks the internal processes as well as the technical and organizational measures to ensure that the processing in his area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the rights of the data subject are protected.

    • Documentation of the technical and organizational measures taken will be provided to the Client as required in accordance with Section 3.

  6. Sub-contractual relations

    Sub-contractual relationships in the sense of this regulation are those services that relate directly to the provision of the main service. This does not include ancillary services that the Contractor uses, such as telecommunications services, post / transport services, maintenance and user services, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, even with outsourced ancillary services, the Contractor is obliged to ensure the data protection and data security of the Client's data by means of appropriate and legally compliant contractual agreements and control measures.

  7. Supervision rights of the Client

    1. The Client has the right to carry out inspections in coordination with the Contractor or to have them carried out by inspectors to be designated in individual cases. He has the right to satisfy himself of the Contractor's compliance with this agreement in his business operations by means of random checks, which must usually be announced in good time.

    2. The Contractor ensures that the Client can satisfy himself of the Contractor's compliance with his obligations according to Article 28 GDPR. The Contractor undertakes to provide the Client with the necessary information upon request and, in particular, to provide evidence of the implementation of the technical and organizational measures.

    3. Evidence of such measures, which do not only concern the specific contract, can optionally be provided by compliance with approved codes of conduct in accordance with Article 40 GDPR, certification according to an approved certification procedure in accordance with Article 42 GDPR, current certificates, reports or extracts from reports from independent entities (e.g. auditors, internal audit, data protection officers, IT security departments, data protection auditors, quality auditors) and / or a suitable certification through IT security or data protection audits (e.g. according to BSI IT-Grundschutz).

    4. The Contractor can assert a claim for remuneration for enabling inspections by the Client.

  8. Notification of violations by the Contractor

    1. The Contractor supports the Client in complying with the obligations for the security of personal data, reporting obligations in case of data breaches, data protection impact assessments and prior consultations, set out in Articles 32 to 36 of the GDPR. These include:

      • ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the assessed probability and severity of a possible violation of the law due to security gaps, and that allow the immediate detection of relevant breach events

      • the obligation to report personal data breaches to the Client immediately

      • the obligation to support the Client in the context of his information obligation towards the data subject and to provide him with all relevant information immediately

      • the support of the Client in his data protection impact assessment

      • the support of the Client in the context of prior consultations with the supervisory authority.

    2. The Contractor can claim remuneration for support services that are not included in the service description or that cannot be traced back to misconduct on the part of the Contractor.

  9. Authority of the Client to issue instructions

    1. Verbal instructions are immediately confirmed by the Client (at least in text form).

    2. The Contractor must inform the Client immediately if he is of the opinion that an instruction violates data protection regulations. The Contractor is entitled to suspend the implementation of the relevant instruction until it is confirmed or changed by the Client.

  10. Deletion and return of personal data

    1. Copies or duplicates of the data are not made without the knowledge of the Client. Exceptions to this are backup copies, insofar as they are necessary to ensure proper data processing, as well as data that are necessary for compliance with statutory storage obligations.

    2. After completion of the contractually agreed work or earlier upon request by the Client - at the latest with the termination of the service agreement - the Contractor shall hand over all documents, created processing and usage results as well as databases in connection with the contractual relationship to the Client or destroy them in accordance with data protection regulations with prior consent. The same applies to test and scrap material. Upon request, the Contractor will provide the Client with information on the nature and time of deletion.

    3. Documentation that serves as evidence of contractual and proper data processing must be kept by the Contractor beyond the end of the contract in accordance with the respective retention periods. He can hand them over to the Client for his relief at the end of the contract.

  11. Other agreements

    1. Fees

      A fee for this contract is not required. Insofar as the Client needs support in accordance with Section 4 for answering inquiries from those concerned, he must reimburse the costs incurred.

      Insofar as the Client exercises control rights in accordance with Section 7, the amount of the fee to be agreed in advance is based on an hourly rate determined for the employee assigned to the service by the Contractor.

      If the Client issues instructions to the Contractor in accordance with Section 9, he must reimburse the costs incurred as a result of these instructions.

    2. Contract duration

      This agreement is dependent on the content of a main contractual relationship in accordance with Section 1. The termination or other ending of the main contractual relationship in accordance with Section 1 simultaneously terminates this agreement.

      The right to isolated, extraordinary termination of this agreement as well as the exercise of statutory rights of withdrawal specifically for the agreement remain unaffected.

    3. Applicable law

      The law of the Republic of Malta.

    4. Place of jurisdiction

      The parties agree that the place of jurisdiction is the registered address of alkima WEB & DESIGN ®.

Appendix 1 to the contract in accordance with Article 28 GDPR:
List of personal data and the purpose of their processing as well as subcontractors

Type of data

The subject of the additional agreement is the following data types and categories:

  • Personal master data

  • Communication data (e.g. telephone, email)

  • Contract master data

  • Log data

Circle of those affected

The group of those affected by this additional agreement includes:

  • Customers and interested parties of the Client

  • Employees and suppliers of the Client

Subcontractors

  • Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen

  • Host Europe GmbH, Hansestrasse 111, 51149 Cologne

  • InterNetX GmbH, Johanna-Dachs-Str. 55, 93055 Regensburg

  • Bitrix24 Ltd., Poseidonos, 1, LEDRA BUSINESS CENTER Egkomi, 2406, Nicosia, Cyprus

  • 23M GmbH, Johann-Krane-Weg 18, 48149 Münster

  • Amazon Web Services EMEA SARL, 38 Avenue John F. Kennedy, L-1855, Luxembourg

  • Friendly Captcha GmbH, Am Anger 3-5, 82237 Wörthsee

Appendix 2 to the contract in accordance with Article 28 GDPR:
Technical and organizational measures according to Article 32 GDPR and annex

  • Access control

    • for the main contract "Managed Server", "Web Hosting", "StorageBox".

      • Access is password-protected; access is only available to authorized employees of the Contractor. Passwords used must have a minimum length and are renewed at regular intervals.

    • Access control

      • for internal management systems of the Contractor.

        • The Contractor ensures that unauthorized access is prevented through regular security updates (according to the current state of the art).

        • Audit-proof, binding authorization procedure for employees of the Contractor.

      • for the main contract "Managed Server", "Web Hosting", "StorageBox".

        • The Contractor ensures that unauthorized access is prevented through regular security updates (according to the current state of the art).

        • Audit-proof, binding authorization procedure for employees of the Contractor.

        • The Client is solely responsible for the transferred data / software with regard to security and updates.

    • Separation control

      • for internal management systems of the Contractor.

        • Data is stored physically or logically separately from other data.

        • The data is also backed up on logically and / or physically separate systems.

      • for the main contract "Managed Server", "Web Hosting", "StorageBox".

        • Data is stored physically or logically separately from other data.

        • The data is also backed up on logically and / or physically separate systems.

    • Pseudonymization

      • The Client is responsible for the pseudonymization.

  • Integrity (Article 32 Paragraph 1 Letter b GDPR)

    • Transfer control

      • All employees are instructed within the meaning of Article 32 (4) GDPR and are obliged to ensure that personal data is handled in accordance with data protection regulations.

      • Data protection-compliant deletion of the data after the end of the contract.

      • Possibilities for encrypted data transmission are made available in the scope of the service description of the main contract.

    • Input control

      • for internal management systems of the Contractor.

        • The data is entered or recorded by the Client himself.

        • Changes to the data are logged.

      • for the main contract "Managed Server", "Web Hosting", "StorageBox".

        • The data is entered or recorded by the Client himself.

        • Changes to the data are logged.

  • Availability and resilience (Article 32 Paragraph 1 Letter b GDPR)

    • Availability control

      • for internal management systems of the Contractor.

        • Backup and recovery concept with daily backup of all relevant data.

        • Expert use of protection programs (virus scanners, firewalls, encryption programs, SPAM filters).

        • Use of hard disk mirroring on all relevant servers.

        • Monitoring of all relevant servers.

        • Use of uninterruptible power supply, emergency power system.

      • for the main contract "Managed Server", "Web Hosting", "StorageBox".

        • Backup and recovery concept with daily data backup depending on the services booked in the main contract.

        • Use of hard disk mirroring.

        • Use of uninterruptible power supply, emergency power system.

        • Use of software firewall and ports regulations.

    • Rapid recoverability (Article 32 Paragraph 1 Letter b GDPR)

      • An escalation chain is defined for all internal systems, specifying who is to be informed in case of an error in order to restore the system as quickly as possible.

  • Procedure for regular review, assessment and evaluation (Article 32 Paragraph 1 Letter d GDPR; Article 25 Paragraph 1 GDPR)

    • The data protection management system and the information security management system were combined to form a DIMS (data protection information security management system).

    • Incident response management is included.

    • Data protection-friendly default settings are taken into account when developing software (Article 25 Paragraph 2 GDPR).

    • Contract control

      • Our employees are instructed in data protection law at regular intervals and are familiar with the procedural instructions and user guidelines for processing on behalf of the Client, including the Client's right to issue instructions.

Other information