External Data Processing Agreement

[Note for the drafter: some parts of this agreement are marked in yellow. This indicates that something has to be entered or that a decision between alternatives has to be made.]

between

Viessmann Entity
Address of Viessmann Entity
– as the data controller –
– hereinafter referred to as the "Client" –

and

[Name of the Service Provider]
[Address of the Service Provider]
– as the data processor –
– hereinafter referred to as the "Supplier" –

[Whenever the Supplier is located outside the EU, the authorised representative in accordance with Article 27 GDPR should be named here as a contractual party.]

1. Subject matter and duration of the Data Processing Agreement

(1) The subject matter of this Data Processing Agreement results from the [Service Agreement/SLA/…………….. dated ………….], which is referred to here (hereinafter referred to as the "Service Agreement"). [If no Service Agreement/SLA exists, the following applies: The subject matter of this Data Processing Agreement is the execution of the following services or tasks by the Supplier: (please enter a description of the services performed by the Supplier).]

(2) The nature and purpose of the intended processing of data are precisely defined in the Service Agreement. [If this is not the case, please use the following clause: Detailed description of the subject matter with regard to the nature and purpose of the services provided by the Supplier: (please describe the purpose of the data processing).]

(3) The duration of this Data Processing Agreement corresponds to the duration of the Service Agreement. [In the absence of a Service Agreement, the duration should be regulated in the following way: This Data Processing Agreement is concluded for an unlimited period and can be terminated by either Party with a notice period of …… (time period) to ……. (deadline). This does not prejudice the right to terminate the contract without notice.]
(4) The subject matter of the processing of personal data comprises the following data types/categories: [Please name the data categories or choose from the following examples: Personal Master Data (Key Personal Data), B2B Contact Data, B2C Contact Data, Key Contract Data (Contractual/Legal Relationships, Contractual or Product Interest), Customer History, Contract Billing and Payments Data, Disclosed Information (from third parties, e.g. Credit Reference Agencies or from Public Directories), Other: … (please specify)].

(5) The categories of data subjects comprise: [Please name the categories of data subjects or choose from the following examples: Customers, Potential Customers, Subscribers, Employees, Suppliers, Authorised Agents, Contact Persons, Other: … (please specify)].

2. International data transfer

(1) The contractually agreed processing of data shall be carried out exclusively within a member state of the European Union (EU) or within a member state of the European Economic Area (EEA). Each and every transfer of data to a state which is not a member state of either the EU or the EEA requires the prior agreement of the Client and shall only occur if the specific conditions of Article 44 et seq. GDPR have been fulfilled.

(2) [The following section shall only be filled out if the data processing takes place outside the EU/EEA.] The Supplier has designated in writing an authorised representative in the EU in accordance with Article 27 GDPR. The adequate level of protection in …………. (e.g. country, territory or specific sectors within a country) [please delete the alternatives which do not apply]
a) has been decided by the European Commission (Article 45 Paragraph 3 GDPR);
b) is the result of Standard Data Protection Clauses (Article 46 Paragraph 2 Points c and d GDPR);
c) is the result of approved Codes of Conduct (Article 46 Paragraph 2 Point e in conjunction with Article 40 GDPR);
d) is the result of an approved Certification Mechanism (Article 46 Paragraph 2 Point f in conjunction with Article 42 GDPR);
e) is established by other means: ………. (Article 46 Paragraph 2 Point a, Paragraph 3 Points a and b GDPR).

3. Technical and organisational measures

(1) Before the commencement of processing, the Supplier shall document the execution of the necessary technical and organisational measures set out in advance of the conclusion of this Data Processing Agreement and shall present these documented measures to the Client for inspection. The documentation must point out all relevant security and risk management standards that are followed by the Supplier (such as ISO/IEC 2700x, Common Criteria (ISO/IEC 15408), PCI DSS, MaRisk). If a third party has certified adherence to such a standard, a copy of the certificate should be provided. Upon acceptance by the Client, the documented measures become the foundation of the contract as ANNEX 1. Insofar as the inspection/audit by the Client shows the need for amendments, such amendments shall be implemented by mutual agreement.

(2) The Supplier shall establish security in accordance with Article 28 Paragraph 3 Point c and Article 32 GDPR, in particular in conjunction with Article 5 Paragraphs 1 and 2 GDPR. The measures to be taken are measures of data security and measures that guarantee a level of protection appropriate to the risk concerning the confidentiality, integrity, availability and resilience of the systems. The state of the art, the costs of implementation, the nature, scope, context and purposes of processing as well as the likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 Paragraph 1 GDPR must be taken into account.

(3) The technical and organisational measures are subject to technical progress and further development. In this respect, the Supplier may implement alternative adequate measures, provided that the security level of the defined measures is not reduced. Substantial changes must be documented.

4. Authority of the Client to issue instructions

(1) The Client shall immediately confirm oral instructions (at the minimum in text form).

(2) The Supplier shall inform the Client immediately if it considers that an instruction violates data protection regulations. The Supplier shall then be entitled to suspend the execution of the relevant instruction until the Client confirms or changes it.

(3) The Supplier may not, on its own authority, rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client. Insofar as a data subject contacts the Supplier directly concerning rectification, erasure or restriction of processing, the Supplier will immediately forward the data subject's request to the Client.

(4) Insofar as it is included in the scope of services, the erasure policy, the "right to be forgotten", rectification, data portability and access shall be ensured by the Supplier in accordance with documented instructions from the Client without undue delay. Even if the aforementioned services are not included in the scope, the Supplier shall support the Client in complying with Article 17 GDPR ("right to erasure").

5. General duties of the Supplier

In addition to complying with the rules set out in this Data Processing Agreement, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:

(1) The Supplier has appointed a data protection officer, who performs his/her duties in compliance with Articles 38 and 39 GDPR. The Client shall be informed of his/her contact details for the purpose of direct contact. The Client shall be informed immediately of any change of Data Protection Officer.
[If the Supplier is not obliged to appoint a Data Protection Officer, the following clause should be used instead of the foregoing clause: "Mr/Ms [enter: given name, surname, organisational unit, telephone, e-mail] is designated as the Contact Person on behalf of the Supplier and will be available with respect to data protection issues."]

(2) Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Article 29 and Article 32 Paragraph 4 GDPR. The Supplier entrusts only such employees with the data processing outlined in this contract as have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data shall not process that data except on instructions from the Client, which include the powers granted in this contract, unless required to do so by law.

(3) Where the Client's data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in the Supplier's control, the Supplier shall notify the Client of such action without undue delay. The Supplier shall, without undue delay, notify all pertinent parties in such action that any data affected thereby is the Client's sole property and area of responsibility, that the data is at the Client's sole disposition, and that the Client is the data controller within the meaning of Article 4 No. 7 GDPR.

(4) The Supplier shall cooperate, on request, with the supervisory authority in the performance of its tasks arising from this Data Processing Agreement. If the Supplier answers a request of a supervisory authority in written form or in text form (for example by e-mail), the communication to the supervisory authority must be made available to the Client in due time for detailed assessment before it is sent to the supervisory authority.

(5) Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject (for example claims based on Articles 15 to 21 or Article 82 GDPR) or by a third party, or any other claim in connection with the Data Processing Agreement, the Supplier shall make every effort to support the Client.

(6) The Supplier shall periodically monitor the internal processes and the technical and organisational measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.

(7) Verifiability of the technical and organisational measures conducted by the Client as part of the Client's supervisory powers referred to in item 7 of this contract.

(8) The Supplier and the Client support each other in drafting the necessary records of processing activities according to Article 30 Paragraphs 1 and 2 GDPR.

(9) The Supplier shall mark the data which is stored and processed according to this Data Processing Agreement so that all such data is identifiable as the Client's data and clearly assignable to the Client.

(10) The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations referred to in Articles 32 to 36 GDPR. These include:
a) ensuring an appropriate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the projected likelihood and severity of a possible infringement of the law as a result of security vulnerabilities, and that enable the immediate detection of relevant infringement events;
b) the obligation to report a personal data breach to the Client immediately;
c) the duty to assist the Client with regard to the Client's obligation to provide information to the data subject concerned, and to provide the Client immediately with all relevant information in this regard;
d) supporting the Client with its data protection impact assessment;
e) supporting the Client with regard to prior consultation of the supervisory authority.

6. Subcontracting

(1) Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal/transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and data security of the Client's data, even in the case of outsourced ancillary services.
[There are basically two approaches with respect to the acceptance of subcontractors: either the Supplier is allowed to choose, at its own discretion, a subcontractor which fulfils specific requirements (if this solution is chosen, paragraph (2) should be used), or a subcontractor is only allowed if the Client explicitly declares its consent (if this solution is chosen, paragraphs (3) and (4) should be used).]

(2) Outsourcing to subcontractors or changing an existing subcontractor is permissible when:
a) the Supplier submits such an outsourcing to a subcontractor to the Client in writing or in text form with appropriate advance notice; and
b) the Client has not objected to the planned outsourcing in writing or in text form by the date of handing over the data to the Supplier; and
c) the subcontracting is based on a contractual agreement in accordance with Article 28 Paragraphs 2 to 4 GDPR.

(3) The Supplier may commission subcontractors (additional processors) only after prior explicit written or documented consent from the Client.

(4) [If specific subcontractors are to be accepted from the beginning of the contract, they shall be listed in the following section:] The Client agrees to the commissioning of the following subcontractors on the condition of a contractual agreement in accordance with Article 28 Paragraphs 2 to 4 GDPR:

Company (subcontractor)    Address/country    Service
…                          …                  …

(5) The transfer of personal data from the Client to the subcontractor and the subcontractor's commencement of the data processing shall only be undertaken after compliance with all requirements has been achieved.

(6) If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU data protection regulations by appropriate measures. The same applies if service providers are to be used within the meaning of Paragraph 1 Sentence 2.

(7) Further outsourcing by the subcontractor is not permitted. [If this is necessary, as there are "sub-sub-contractors", the following clause shall apply instead: "Further outsourcing by the subcontractor requires the express consent of the main Client (at the minimum in text form). All contractual provisions in the contract chain shall be communicated to and agreed with each and every additional subcontractor."]

7. Supervisory powers of the Client

(1) The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to satisfy itself of the Supplier's compliance with this agreement in its business operations by means of random checks, which are ordinarily to be announced in good time.

(2) The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the technical and organisational measures.

(3) Evidence of such measures, which concern not only this specific Data Processing Agreement, may be provided by:
a) compliance with approved codes of conduct pursuant to Article 40 GDPR;
b) certification according to an approved certification procedure in accordance with Article 42 GDPR;
c) current auditor's certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data privacy auditor, quality auditor);
d) a suitable certification by IT security or data protection auditing (e.g. according to ISO/IEC 27001).
For the avoidance of doubt: the Client is free in assessing whether the certificates provided are sufficient to show full compliance with the requirements of Articles 28 and 32 GDPR.
8. Deletion and return of personal data

(1) Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, and data required to meet regulatory retention requirements.

(2) After conclusion of the contracted work, or earlier upon request by the Client, and at the latest upon termination of the Service Agreement or this Data Processing Agreement, the Supplier shall hand over to the Client or, subject to prior consent, destroy all documents, processing and utilisation results, and data sets related to the contract that have come into its possession, in a data-protection-compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.

(3) Documentation which is used to demonstrate orderly data processing in accordance with this Data Processing Agreement shall be retained beyond the contract duration by the Supplier in accordance with the respective retention periods. The Supplier may hand such documentation over to the Client at the end of the contract duration to relieve itself of this contractual obligation.

9. No payment

The payment of fees for services is exhaustively covered in the underlying Service Agreement. The parties are therefore not entitled to claim a fee for any activities which serve to fulfil the obligations under this Data Processing Agreement. If there is no underlying Service Agreement, the Supplier is not entitled to charge any fee for the services performed under this Data Processing Agreement.

10. No limitation of liability

The liability of the Supplier under this Data Processing Agreement is not limited. If the underlying Service Agreement contains a liability clause, this liability clause shall also apply to any liability deriving from the execution of this Data Processing Agreement.

11. Miscellaneous

(1) The parties agree that the plea of retention of title by the Supplier regarding the processed data and the associated data carriers is excluded.

(2) No modification of this annex and/or any of its components, including, but not limited to, the Supplier's representations and warranties, if any, shall be valid and binding unless made in writing and then only if such modification expressly states that it applies to the regulations of this annex. The foregoing shall also apply to any waiver or modification of this mandatory written form.

(3) In case of any conflict, the regulations of this annex shall take precedence over the regulations of the Service Agreement.

(4) Where individual regulations of this annex are invalid or unenforceable, the validity and enforceability of the other regulations of this annex shall not be affected.

12. Choice of law

This annex is subject to the laws of the Federal Republic of Germany and the place of jurisdiction is Frankfurt am Main, unless the underlying Service Agreement contains a deviating choice of law and jurisdiction. [Any other choice of law and place of jurisdiction may be entered here.]

ANNEX 1 - Technical and organisational measures

[This annex must be filled out by the Supplier. For each section ("Confidentiality", "Integrity", "Availability and resilience" and "Procedures for regular testing, assessment and evaluation"), the measures actually implemented by the Supplier must be described in such detail that an audit is possible. The more sensitive the processed data is and the more personal data is processed, the more detailed the description must be. The examples below are intended to convey an idea of how a description might look in an average case.]
1. Confidentiality (Article 32 Paragraph 1 Point b GDPR)

Physical access control: no unauthorised access to data processing facilities, e.g. magnetic or chip cards, keys, electronic door openers, facility security services and/or entrance security staff, alarm systems, video/CCTV systems.

Electronic access control: no unauthorised use of the data processing and data storage systems, e.g. (secure) passwords, automatic blocking/locking mechanisms, two-factor authentication, encryption of data carriers/storage media.

Internal access control (permissions for user rights of access to and amendment of data): no unauthorised reading, copying, changing or deletion of data within the system, e.g. rights authorisation concept, need-based rights of access, logging of system access events.

Isolation control: the isolated processing of data which is collected for differing purposes, e.g. multi-client capability, sandboxing.

Pseudonymisation (Article 32 Paragraph 1 Point a GDPR; Article 25 Paragraph 1 GDPR): the processing of personal data in such a way that the data can no longer be attributed to a specific data subject without the use of additional information, provided that this additional information is kept separately and is subject to appropriate technical and organisational measures.
2. Integrity (Article 32 Paragraph 1 Point b GDPR)

Data transfer control: no unauthorised reading, copying, changing or deletion of data during electronic transfer or transport, e.g. encryption, virtual private networks (VPN), electronic signatures.

Data entry control: verification of whether and by whom personal data is entered into a data processing system, changed or deleted, e.g. logging, document management.

3. Availability and resilience (Article 32 Paragraph 1 Point b GDPR)

Availability control: prevention of accidental or wilful destruction or loss, e.g. backup strategy (online/offline; on-site/off-site), uninterruptible power supply (UPS), virus protection, firewall, reporting procedures and contingency planning.

Rapid recovery (Article 32 Paragraph 1 Point c GDPR).

4. Procedures for regular testing, assessment and evaluation (Article 32 Paragraph 1 Point d GDPR; Article 25 Paragraph 1 GDPR)

Data protection management; incident response management; data protection by design and by default (Article 25 Paragraph 2 GDPR).

Order control: no third-party data processing as per Article 28 GDPR without corresponding instructions from the Client, e.g. clear and unambiguous contractual arrangements, formalised order management, strict controls on the selection of the service provider, duty of pre-evaluation, supervisory follow-up checks.
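The pseudonymisation measure in section 1 of this annex (data cannot be attributed to a data subject without separately held additional information) is easy to get wrong when a Supplier describes it in practice: replacing an identifier with a plain, unkeyed hash does not qualify, because anyone who can enumerate plausible inputs (customer numbers, e-mail addresses) recomputes the tokens without any additional information. The following Python example is added here as an illustration of the distinction and is not part of the agreement or of any Supplier's documentation; the sample records, the key handling and the function names (weak_pseudonym, pseudonym, pseudonymise, dictionary_attack, demo) are constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample records for this example (not real customer data).
RECORDS = [
    {"customer_id": "C-1001", "email": "anna@example.com", "purchase": "boiler"},
    {"customer_id": "C-1002", "email": "ben@example.com", "purchase": "heat pump"},
]


def weak_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier.

    This does NOT meet the annex definition: no separately held 'additional
    information' is needed to re-link the token, only the ability to guess
    the input, and customer numbers or e-mail addresses are guessable.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier.

    The secret key is the 'additional information'. It must be stored
    separately from the pseudonymised data set (e.g. in a key management
    system) and be subject to its own access controls.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def pseudonymise(records, key: bytes):
    """Split records into a pseudonymised data set and a re-identification table.

    Returns (data_set, lookup). data_set carries only the token and the
    processing payload; direct identifiers are dropped. lookup maps token to
    customer_id and belongs with the key, not with the data set.
    """
    data_set, lookup = [], {}
    for rec in records:
        token = pseudonym(rec["customer_id"], key)
        lookup[token] = rec["customer_id"]
        data_set.append({"subject": token, "purchase": rec["purchase"]})
    return data_set, lookup


def dictionary_attack(token: str, candidates, fn) -> Optional[str]:
    """Try to re-link a token by recomputing fn over guessable inputs.

    Succeeds against weak_pseudonym; fails against a keyed token because the
    attacker cannot evaluate the keyed function without the key.
    """
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), token):
            return candidate
    return None


def demo():
    """Run the comparison and return the outcomes as a dict."""
    key = secrets.token_bytes(32)  # constructed here; in production fetched from the key store
    data_set, lookup = pseudonymise(RECORDS, key)
    guesses = [f"C-{n}" for n in range(1000, 1100)]  # attacker's candidate identifiers
    return {
        "identifiers_removed": all(
            "customer_id" not in r and "email" not in r for r in data_set
        ),
        "relinks_with_key": lookup[data_set[0]["subject"]],
        "weak_token_broken": dictionary_attack(
            weak_pseudonym("C-1001"), guesses, weak_pseudonym
        ),
        "keyed_token_broken": dictionary_attack(
            data_set[0]["subject"], guesses, weak_pseudonym
        ),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the unkeyed token being re-linked from a short list of guesses while the keyed token is not. The same keyed construction also supports the isolation control listed above: using a different key per client or per processing purpose yields unlinkable tokens for the same person, so two data sets cannot be joined without both keys.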