Group Internal Framework Data Processing Agreement

Group Internal Framework Data Processing Agreement between all entities which have signed this agreement, whereby the roles of the parties (either “Client” or “Supplier”) are defined in the annexes at the level of each data processing activity.

§ 1 Framework Agreement

Under this “Framework Agreement” one or more “Data Processing Agreements” are concluded according to Article 28 GDPR. A Data Processing Agreement is concluded when the details of the processing activity are described in Annex 1 and both parties agree to the conclusion of the agreement in text form (for example by e-mail). Each concluded Data Processing Agreement shall become an Annex to this Framework Agreement.

Annex 1 may refer to underlying service agreements between the parties, which are hereinafter referred to as the “Service Agreement”.

§ 2 International data transfer

The contractually agreed processing of data shall be carried out exclusively within a member state of the European Union (EU) or within a member state of the European Economic Area (EEA).

Any exception to § 2 (1) must be indicated in Annex 1, including an explanation of how the parties comply with the requirements of Article 44 et seq. GDPR (for example by

§ 3 Technical and organisational measures

The Supplier shall establish security in accordance with Article 28 Paragraph 3 Point c and Article 32 GDPR, in particular in conjunction with Article 5 Paragraphs 1 and 2 GDPR. The parties agree that implementation of the company-internal IT security guideline (“RL019”) is sufficient to fulfil the above-mentioned requirements.

The technical and organisational measures are subject to technical progress and further development. In this respect, the Supplier may implement alternative adequate measures. In doing so, the security level of the defined measures must not be reduced. Substantial changes must be documented.
§ 4 Authority of the Client to issue instructions

The Client has the authority to issue instructions. The instructions described in Annex 1 are valid until they are withdrawn. The Client shall immediately confirm oral instructions (at a minimum in text form).

The Supplier shall inform the Client immediately if it considers that an instruction violates data protection regulations. The Supplier shall then be entitled to suspend execution of the relevant instruction until the Client confirms or changes it.

The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client, but only on documented instructions from the Client. Insofar as a data subject contacts the Supplier directly concerning rectification, erasure or restriction of processing, the Supplier will immediately forward the data subject’s request to the Client.

§ 5 General duties of the Supplier

In addition to complying with the rules set out in this Data Processing Agreement, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:

Confidentiality in accordance with Article 28 Paragraph 3 Sentence 2 Point b, Articles 29 and 32 Paragraph 4 GDPR. The Supplier entrusts only such employees with the data processing outlined in this contract as have been bound to confidentiality and have previously been familiarised with the data protection provisions relevant to their work.

Where the Client’s data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in the Supplier’s control, the Supplier shall notify the Client of such action without undue delay.
The Supplier shall, without undue delay, notify all pertinent parties to such action that any data affected thereby is the Client’s sole property and within the Client’s area of responsibility, that the data is at the Client’s sole disposition, and that the Client is the data controller within the meaning of Article 4 No. 7 GDPR.

The Supplier shall cooperate, on request, with the supervisory authority in the performance of its tasks arising out of this Data Processing Agreement. If the Supplier answers a request of a supervisory authority in written form or in text form (for example by e-mail), the communication to the supervisory authority must be made available to the Client in due time for detailed assessment before it is sent to the supervisory authority.

Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject (for example claims based on Articles 15 to 21 or 82 GDPR) or by a third party, or any other claim in connection with the Data Processing Agreement, the Supplier shall make every effort to support the Client.

The Supplier and the Client support each other in drafting the necessary records of processing activities according to Article 30 Paragraphs 1 and 2 GDPR.

The Supplier shall mark the data which is stored and processed according to this Data Processing Agreement with the aim of making all data identifiable as the Client’s data and clearly assignable to the Client.

The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations referred to in Articles 32 to 36 GDPR.
These include:
- Ensuring an appropriate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities, and that enable immediate detection of relevant infringement events.
- The obligation to report a personal data breach to the Client immediately.
- The duty to assist the Client with regard to the Client’s obligation to provide information to the data subject concerned, and to provide the Client immediately with all relevant information in this regard.
- Supporting the Client with its data protection impact assessment.
- Supporting the Client with regard to prior consultation of the supervisory authority.

§ 6 Subcontracting

Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal/transport services, maintenance and user support services or the disposal of data carriers, or other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and to take appropriate inspection measures to ensure the data protection and data security of the Client’s data, even in the case of outsourced ancillary services.
Outsourcing to subcontractors or changing an existing subcontractor is permissible when:
- the Supplier submits such outsourcing to a subcontractor to the Client in writing or in text form with appropriate advance notice; and
- the Client has not objected to the planned outsourcing in writing or in text form by the date of handing over the data to the Supplier; and
- the subcontracting is based on a contractual agreement in accordance with Article 28 Paragraphs 2 to 4 GDPR.

If the subcontractor provides the agreed service outside the EU/EEA, the Supplier shall ensure compliance with EU data protection regulations by appropriate measures. The same applies if service providers within the meaning of Paragraph 1 Sentence 2 are to be used. Further outsourcing by the subcontractor is not permitted.

§ 7 Supervisory powers of the Client

The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to satisfy itself of the Supplier’s compliance with this agreement in its business operations by means of random checks, which are ordinarily to be announced in good time.

The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the implementation of the technical and organisational measures.

Evidence of such measures, which concern not only this specific Data Processing Agreement, may be provided by:
- compliance with approved codes of conduct pursuant to Article 40 GDPR;
- certification according to an approved certification procedure in accordance with Article 42 GDPR;
- current auditor’s certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, data protection officer, IT security department, data privacy auditor, quality auditor);
- a suitable certification by IT security or data protection auditing (e.g. according to ISO/IEC 27001).

For the avoidance of doubt: the Client is free to assess whether the certificates provided are sufficient to show full compliance with the requirements of Articles 28 and 32 GDPR.

§ 8 Deletion and return of personal data after termination

Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies insofar as they are necessary to ensure orderly data processing, and data required to meet regulatory requirements to retain data.

After conclusion of the contracted work, or earlier upon request by the Client, and at the latest upon termination of the Service Agreement or this Data Processing Agreement, the Supplier shall hand over to the Client or, subject to prior consent, destroy all documents, processing and utilisation results, and data sets related to the contract that have come into its possession, in a data-protection-compliant manner. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request.

Documentation which is used to demonstrate orderly data processing in accordance with this Data Processing Agreement shall be retained beyond the contract duration by the Supplier in accordance with the respective retention periods. The Supplier may hand such documentation over to the Client at the end of the contract duration to relieve itself of this contractual obligation.

§ 9 No payment

The payment of fees for services is exhaustively covered in the underlying Service Agreement. The parties are therefore not allowed to claim a fee for any activities which serve to fulfil the obligations under this Data Processing Agreement.
If there is no underlying Service Agreement, the Supplier is not allowed to charge any fee for the services performed under this Data Processing Agreement.

§ 10 No limitation of liability

If the underlying Service Agreement contains a liability clause, the liability clause of the Service Agreement shall prevail over the rules set forth in this Section 10. If there is no underlying Service Agreement, or if the underlying Service Agreement does not provide a clause on liability, the following shall apply:

The Supplier shall be liable without limitation for damage arising from culpable harm to life, body or health. The Supplier shall only be liable for any other damage if such damage is based on wilful intent or gross negligence of its legal representatives, employees or vicarious agents. Unless the Supplier is rightfully accused of intent, liability for damages shall be limited to foreseeable damage typically occurring with such agreements. Administrative fines are foreseeable within this meaning. In the event of slight negligence, the Supplier shall only be liable where material contractual obligations have been violated. Material contractual obligations are those obligations the fulfilment of which enables the proper performance of the contract in the first place, the breach of which endangers the achievement of the purpose of the contract, and on compliance with which the Client may regularly rely. Even in such event, liability shall be limited to the foreseeable damage typically occurring with such agreements.

§ 11 Miscellaneous; choice of law

The parties agree that a plea of retention of title by the Supplier regarding the processed data and the associated data carriers is excluded.
No modification of this annex and/or any of its components, including, but not limited to, the Supplier’s representations and warranties, if any, shall be valid and binding unless made in writing, and then only if such modification expressly states that it applies to the regulations of this annex. The foregoing shall also apply to any waiver or modification of this mandatory written-form requirement.

In case of any conflict, the regulations of this annex shall take precedence over the regulations of the Agreement. Where individual regulations of this annex are invalid or unenforceable, the validity and enforceability of the other regulations of this annex shall not be affected.

This Framework Agreement and all Data Processing Agreements concluded hereunder shall be subject to the laws of the Federal Republic of Germany. The place of jurisdiction shall be Frankfurt am Main.

ANNEX 1 – Template for a Data Processing Agreement

This Data Processing Agreement is concluded on the basis of the Company Group Internal Framework Data Processing Agreement between the following parties:

Company Entity 1
Address of Company Entity
– as the data controller –

Company Entity 2
Address of Company Entity
– as the data controller –

– hereinafter referred to as the “Clients” –

and

Company Entity
Address of Company Entity
– as the data processor –

– hereinafter referred to as the “Supplier” –

[Note for drafter: Please insert a table for each data proce