1. Introduction, Scope, Definitions

1. This Agreement governs the rights and obligations of both parties (hereinafter “the Parties”) relating to the processing of personal data by the Processor on behalf of the Controller.


2. It applies to all activities in which the Processor or its subcontractors process personal data of the Controller.


3. The terms used in this Agreement shall have the meanings assigned to them in the GDPR. Where “written form” is required, Section 126 BGB applies.

2.1 Subject
The Processor shall perform the following processing activities:

• [See submitted form entries]

The processing is based on the underlying main service agreement (“Main Agreement”).
2.2 Duration
Processing starts on 29.09.2025 and continues indefinitely until termination of this Agreement or the Main Agreement by either Party.
3.1 Type and Purpose

• Type: Collection, recording and storage of data


• Purpose: To enable contact with the Processor

3.2 Types of Data

• [See submitted form entries]

3.2.1 Categories of Data Subjects

• [See submitted form entries]

4. Duties of the Processor

• Process personal data only as instructed and as contractually agreed.


• Ensure confidentiality of all data and instruct staff accordingly.


• Provide sufficient training and ongoing supervision of staff.


• Support the Controller in maintaining the record of processing activities and in data protection impact assessments.


• Notify the Controller immediately about any data protection incidents, official inspections, or data subject requests.


• Appoint a qualified Data Protection Officer (DPO) where required and provide contact details.


• Process data only within the EU/EEA unless otherwise agreed under GDPR Chapter V.


• Appoint an EU representative if not established within the EU.

5. Technical and Organizational Measures (TOMs)

• The minimum security measures described in Annex 1 apply.


• Measures must be detailed and up to date to ensure confidentiality, integrity and availability.


• The Processor must notify the Controller immediately of significant changes, deficiencies, or security incidents.


• Data processed on behalf of the Controller must be strictly separated from other data.


• Copies or duplicates of data may only be created with the Controller’s knowledge (except for temporary technical copies).


• Data processing in private homes or on private devices requires prior written consent and must uphold the same level of data protection.

6. Correction, Deletion, Blocking of Data

• Data may only be corrected, deleted, or blocked as contractually agreed or instructed by the Controller.


• Instructions remain binding even after the Agreement ends.

7. Sub processing

• Subcontractors may only be engaged with prior written approval of the Controller.


• Subcontractors must be bound by comparable data protection obligations.


• Controller retains full audit rights over subcontractors.


• Current approved subcontractors are listed in Annex 2.

8. Rights and Duties of the Controller

• Controller remains responsible for legality of data processing.


• Controller issues documented instructions; urgent instructions may be given orally but must be documented promptly.


• Controller may audit compliance with data protection obligations at reasonable intervals.

9. Incident Reporting
Processor shall promptly (within 24 hours) notify the Controller of any personal data breach or suspected breach including:

• Description of the nature of the breach (categories, numbers of data subjects, data sets affected)


• Contact details of the DPO


• Likely consequences


• Measures taken or proposed

10. Instructions

• The Controller retains a comprehensive right to issue instructions.


• Authorized individuals are listed in Annex 3.


• Processor must flag if any instruction appears unlawful.

11. Termination

• Upon termination, Processor must return or securely destroy all personal data at the Controller’s discretion, including copies at subcontractors.


• Processor must document and prove deletion or destruction (DIN 66399 standard).


• Documentation necessary to prove compliance must be retained per legal retention periods.

12. Remuneration
The Processor’s remuneration is governed exclusively by the Main Agreement.
13. Liability

• Controller and Processor are jointly liable to data subjects for unlawful processing.


• Processor bears the burden of proof and indemnifies the Controller unless the damage is not attributable to the Processor.

14. Contractual Penalty
A contractual penalty of €5,000 per incident applies for violations, especially deficiencies in technical or organizational measures.
15. Special Termination Right
The Controller may terminate this Agreement and the Main Agreement immediately in case of serious violations of data protection rules or failure to comply with agreed measures.
16. Confidentiality and Miscellaneous

• Both Parties must maintain confidentiality of all information and security measures beyond termination of the Agreement.


• Any ownership of the Controller endangered by third-party measures must be reported immediately.


• Side agreements must be in writing.


• If any provision is invalid, the rest remains effective.

Annex 1 — Technical and Organizational Measures (TOMs)
Minimum TOMs include:

1. Information security organization


2. Personnel security


3. Asset management


4. Access control


5. Cryptography


6. Physical and environmental security


7. Operational security


8. Communications security


9. Acquisition, development and maintenance of systems


10. Supplier relationships


11. Handling of information security incidents


12. Business continuity management


13. Compliance