Between the Customer as Controller and Interloom Technologies GmbH as Processor
1. Subject of the Assignment
The Controller commissions the Processor to process personal data based on the contract to which this processing agreement is annexed (the "Main Agreement"). This Data Processing Agreement shall take precedence over the Main Agreement in the event of any contradictions.
In the context of the Main Agreement, the Processor provides a platform for the management and orchestration of business processes and workflows.
The purpose of processing personal data by the Processor is to provide the services agreed upon in the Main Agreement. The categories of data subjects and personal data affected by the processing shall be specified by the Controller in the customer dashboard settings under "Processing of personal data." If no indication is made, the customers and employees of the Controller (current, potential, and former) as well as all types of data shall be affected by the processing.
2. Place of Commissioned Processing
Any transfer of processing to a third country may only take place if the conditions of Art. 44 et seq. GDPR are met or if it is carried out at the instruction of the Controller.
3. Responsibility and Right of Instruction of the Controller
- The Controller is responsible for the commissioned processing within the meaning of Art. 4 No. 7 GDPR. The Controller is responsible for compliance with the legal provisions on data protection, particularly for the legality of the transfer of data to the Processor and the legality of data processing by the Processor.
- The Controller has the right to issue supplementary instructions regarding the type, scope, and method of processing personal data at any time. Instructions may be given verbally or in text form. Verbal instructions must be confirmed by the Controller in text form without delay.
- The Processor shall inform the Controller immediately in text form if, in its opinion, an instruction violates statutory regulations. Until the parties resolve the Processor’s concerns, the Processor is entitled to suspend the execution of the instruction.
4. Duties of the Processor
- Any processing of personal data shall be carried out exclusively in accordance with the specifications of the Main Agreement and any instructions issued by the Controller.
- The Processor must ensure that the persons authorized to process the personal data are bound by confidentiality obligations.
- The Processor shall support the Controller in complying with the obligations set out in Articles 32 to 36 GDPR, considering the type of processing and the information available to it.
5. Security of Processing
- The Processor shall take all measures required under Art. 32 GDPR, particularly appropriate technical and organizational measures to ensure a level of protection appropriate to the risk of data processing.
- The Processor is entitled to adapt the security measures to changed technical or legal circumstances.
6. Data Subject Rights
- The Processor shall, to the extent possible and reasonable, assist the Controller with appropriate technical and organizational measures in fulfilling its obligation to respond to requests to exercise the rights of data subjects.
7. Control Rights of the Controller
- The Controller has the right to monitor the Processor’s compliance with data protection regulations.
- The Processor shall assist in the exercise of these control rights.
8. Subprocessors
- The Processor shall use the subprocessors listed in Annex 1 for processing.
- The Controller may object to changes regarding subprocessors within two weeks after receiving notification.
9. Violation of Data Protection Regulations
- The Processor must inform the Controller immediately in text form about any violation of data protection regulations.
- The notification must include a description of the nature of the breach and corrective measures taken.
10. Duration and Termination
- The duration of this Agreement corresponds to the duration of the Main Agreement.
- After the processing services are completed, all personal data must be deleted unless there is a legal obligation to retain it.
Annex 1 - Technical and Organizational Measures
Confidentiality (Art. 32 para. 1 lit. b GDPR)
Access Control
- Personal and individual user log-in when accessing the system or company network
- Authorization process for access permissions
- Limitation of authorized users
- Electronic documentation of passwords and protection against unauthorized access
- Logging of system access
- Automatic locking of clients after a period of inactivity
Access Control to Data
- Management and documentation of differentiated authorizations
- Encryption of external hard disks and laptops
- Authorization process for permissions
- Logging of data access
Separation Control
- Storage of datasets in separate databases
- Processing on separate systems
- Multi-client capability of IT systems
Integrity (Art. 32 para. 1 lit. b GDPR)
Transfer Control
- Encryption of email attachments
- Secure file transfer
- Encryption of external hard drives
- Logging of data transmissions
Input Control
- Access rights management
- Logging of data modifications
- Document Management System with change tracking
Availability and Resilience (Art. 32 para. 1 lit. b GDPR)
Availability Control
- Backup procedures
- Secure network data storage
- Regular security updates
- Virus protection
- Redundant, geographically separate data storage
Procedures for Regular Review, Assessment, and Evaluation (Art. 32(1)(d) GDPR)
Annex 2 - Subprocessors
- Microsoft Deutschland GmbH, Walter-Gropius-Str. 5, 80807 Munich, Germany
- Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Ireland