Annex E – Data Controller to Processor Agreement

1. Introduction

This Annex details the Parties' obligations on the protection of all personal data processed in the course of the fulfillment of the Agreement (“Data”) and all processing activities associated therewith which Company, Company’s employees or any third party acting on behalf of Company carry out on behalf of Customer (“Contract Processing” or “Processing”).

2. Scope, Objectives and Duration

2.1 The scope and duration and the detailed stipulations on the type and purpose of Contract Processing shall be defined and governed by the Agreement. Further details about the scope of the Contract Processing are determined in Exhibit 1 to this Annex E. Details about the processing activities, the Data specifically included (without limitation) in the Contract Processing and the data subjects concerned are defined and listed in Exhibit 1 to this Annex E.

2.2 Within the scope of the Agreement, Company may gain access to Data of Customer or other third parties. Company will use such Data only for the purposes defined under the Agreement and this Annex E.

2.3 Company shall process Data solely on behalf and based on written instructions of Customer. Customer remains “controller” of the Data as defined in Article 4 (7) of the General Data Protection Regulation (“GDPR”) and is responsible within the meaning of this statutory provision for the legitimacy of the processing of the Data.

2.4 It is the responsibility of Customer to disclose by transmission or make available as little Data as possible to Company in order to comply with the principle of data minimization, and to determine to what extent Data may be pseudonymized or anonymized before it is made available or disclosed to Company.

2.5 Regarding Customer's individual instructions on processing, Customer shall be entitled, in writing or in any other recordable format of notification set forth in the Agreement, to modify, amend or replace such individual instructions by issuing them to the point of contact designated by Company. For the avoidance of doubt, the scope and purposes of Contract Processing shall be defined and governed by the Agreement and shall not be extended by Controller’s instructions.

2.6 Company is entitled to generate necessary Data temporarily or duplicate the Data for technical procedures and safety reasons, as far as it does not modify or transform its contents. Company is not permitted to make unauthorized permanent copies of Data, unless stated otherwise in the Agreement.

2.7 Company and any person acting under the authority of Customer or of Company, who has access to personal data, shall not process such Data except on instructions from Customer, unless required to do so by European Union or Member State law. In such case Company shall notify Customer of such legal requirement before processing, unless that law prohibits such notification on important grounds of public interest. To the extent that Data belonging to Customer is concerned, Company ensures that persons authorized to process such Data have committed themselves to confidentiality and secrecy or are under an appropriate statutory obligation of confidentiality.

2.8 The period of this Annex E is defined by the period of the Agreement.

3. Territory

3.1 The Processing and use of the Data primarily takes place in the territory of the Federal Republic of Germany, in a Member State of the European Union (“EU”) or in another contracting state to the Agreement on the European Economic Area (“EEA”).

3.2 Company may process Data outside the EU or the EEA (“Third Country”) if and provided that (i) an appropriate level of data protection has been established for that Third Country on the basis of a valid decision by the European Commission, or (ii) the processing is performed in accordance with the applicable EU Standard Contractual Clauses (“SCC”), which must be agreed to between Customer and the respective third party (“Data Importer”). Unless the Data Importer and Company are identical, Company shall join those SCC. The provisions set forth in this Annex E remain unaffected.

4. Technical and Organizational Measures

4.1 Company has implemented and will apply the technical and organizational measures set forth in Exhibit 2. Customer has reviewed such measures and agrees that the measures are appropriate taking into account the state of the art, nature, scope, context and purposes of the Processing.

4.2 In the event that Customer has to carry out an assessment of the impact of the processing operations on the protection of personal data, including the consultation of the supervisory authority pursuant to Articles 35 and 36 of the GDPR, Company shall use best efforts to support Customer as far as technically and commercially feasible.

4.3 With regard to compliance with the Protective Measures agreed upon and their verified effectiveness, parties refer to Company’s existing ISO27001 certification issued by ‘TÜV Rheinland’ presented to and sufficient for Customer as proof of the appropriate guarantees, as documented in Exhibit 2 to this Annex E and as required in section 4.1.

4.4 The Protective Measures are subject to technological progress and development and Company reserves the right to implement alternative and adequate Protective Measures at any time without prior notice, provided that the level of security of such alternative Protective Measures shall not be less protective than the ones set forth in Exhibit 2. In such case, Company will notify Customer in order to enable Customer to evaluate the level of security resulting from such changes.

5. Subcontractors

5.1. Customer hereby generally consents to Company’s use of subcontractors. Company will provide Customer with a list of all subcontractors already assigned at the Effective Date of the Agreement within Exhibit 1 of this Annex E.

5.2. Company shall, prior to the replacement or change of subcontractors, inform Customer thereof in writing or in any applicable recordable form of notification set forth in the Agreement. In the event that a replacement or change is needed due to urgent emergency or security reasons, Company may notify Customer after the change or replacement has been made. In any case, Customer shall be entitled to reasonably object to any change or replacement of subcontractors within ten (10) business days and for materially important reasons. Where Customer fails to object to such change within such period of time, Customer shall be deemed to have expressed its consent to such change or replacement. Where a materially important reason for such objection exists and failing a bona fide resolution of this matter by the Parties, either Party shall be entitled to terminate the Agreement with immediate effect.

5.3. Where Company commissions subcontractors for the purpose of Contract Processing, Company shall contractually ensure that Company’s obligations on data protection resulting from the Agreement and this Annex E are valid and binding upon the subcontractor.

6. Notification obligations

6.1. In each case where Company reasonably believes that an instruction would be in breach of applicable law, Company shall notify Customer of such breach without undue delay. Company shall be entitled to suspend the performance on such instruction until Customer confirms or modifies such instruction.

6.2. In the event that Company has a valid reason to believe that either itself, its employees or any third party acting on behalf of Company is in breach of any of the data protection and/or data security provisions set forth in this Annex E or in any data protection statutory provisions, Company will notify Customer without undue delay. This applies only if Data belonging to Customer's domain are affected. In cases where either Company itself or its employees or subcontractors are in breach of the provisions set forth herein, Company shall implement, or shall procure that its subcontractors implement, the measures necessary for securing the Data and for mitigating potential negative consequences for the data subject. Company shall coordinate such efforts with Customer without undue delay.

6.3. Where the Data becomes subject to search and seizure, an attachment order, confiscation during bankruptcy or insolvency proceedings, or similar events or measures by third parties while in Company’s control, Company shall notify Customer of such action without undue delay. Company shall further notify all pertinent parties to such action that any Data affected thereby is Customer’s sole property and area of responsibility, that the Data is at Customer’s sole disposition, and that Customer is the responsible body in the sense of the GDPR.

6.4. In the event Company becomes aware of a personal data breach, Company shall notify Customer without undue delay. If Customer has to communicate a personal data breach to the data subject pursuant to Article 34 of the GDPR, Company will support Customer and provide Customer with appropriate information as far as this is technically and commercially feasible.

7. Customer’s Right to Instruct and Inspection

7.1. Within the framework of the Agreement and this Annex E, Customer reserves the right to issue instructions about the manner, scope and procedures of processing, which may be specified in more detail by individual documented instructions. Any changes of the Data or of the procedures shall be jointly agreed upon.

7.2. If Company is not able to comply with any requests or instructions given by Customer, regardless of the reason, Company is obliged to notify Customer immediately, who under those circumstances may postpone the Data transfer.

7.4. Where, in individual cases, audits and inspections by Customer or an independent auditor appointed by Customer are necessary, such inspections will be conducted during Company's normal business hours, and without interfering with Company's operations, upon prior notice of not less than fourteen (14) calendar days. Such inspections are subject to the execution of a confidentiality agreement with provisions being at least as restrictive as the confidentiality provisions contained within the Agreement. Company shall be entitled to reject inspectors which are, or act on behalf of, competitors of Company. Any inspector appointed by Customer has to comply with the same confidentiality obligations as defined and applied between the Parties.

7.5. In the event the aforementioned audits or inspections take place more frequently than once per contract year, Company shall be entitled to request remuneration for Company’s support in conducting such audits or inspections.

7.6. Where a data protection supervisory authority or another authority with statutory competence for the subject matter conducts an inspection on behalf of Customer, section 7.5. shall apply accordingly.

8. Enquiries and claims by Data Subjects

8.1. Where a data subject asserts claims regarding its rights prescribed by the GDPR against Company, and where Company is able to correlate the data subject to Customer based on the information provided by the data subject, Company shall refer such data subject to Customer. Company shall forward the data subject's request to Customer. Company shall support Customer where legally required and technically feasible. Except for cases of gross negligence and willful intent, Company shall not be liable in cases where Customer fails to respond to the data subject's request completely, correctly, or in a timely manner.

8.2. In the event that such support leads to unreasonable efforts for Company, Customer shall remunerate any such efforts based on the man-day rate agreed to between the Parties in the Agreement or elsewhere.

8.3. Subject to the provisions of section 9, in the event that a data subject asserts any claims against Customer in accordance with Article 82 of the GDPR, Company shall use best efforts to support Customer in defending against such claims, where legally required and technically and commercially feasible. In the event that such support leads to unreasonable efforts for Company, Customer shall remunerate any such efforts based on the man-day rate agreed to between the Parties in the Agreement or elsewhere.

9. Liability and Damages

9.1. In the event that a breach of any obligation set forth in this Annex E or under applicable law causes a third-party claim or leads to statutory fines or any other claims towards either Customer or Company, both are jointly liable following the principle of Art. 82 of the GDPR.

9.2. Company is solely liable towards Customer, subject to the applicable liability provisions and limitations of the Agreement, for damages caused within its sphere of responsibility and only in the event that it culpably

9.2.1. did not comply with the specific statutory processing obligations set forth in the provisions of the GDPR applicable to data processors;

9.2.2. processed Customer’s Data or otherwise acted irrespective of and not in compliance with the legitimate instructions provided by Customer in regard to the Data;

9.2.3. actively infringed Customer ́s legitimate instructions; or

9.2.4. is in breach of this Annex E.

9.3. In the event that Customer is liable towards the data subject, Customer may recover any damages paid to such data subject only under the provision of section 9.2.

10. Correction and Deletion of Data

10.1 In conformity with the instructions of Customer, Company is obliged to correct, delete or restrict the Data processed. Once a data subject contacts Company for the purpose of correction, deletion or restriction of his/her personal data and Company can uniquely assign the data subject to Customer, Company is obliged to inform Customer and pass the request to Customer immediately.

10.2 Company shall completely and irrevocably delete or destroy Data provided to it by Customer, including all copies made due to technical and organizational necessities, as soon as the processing of the Data has been completed or after termination of the Agreement and/or if Data storage is no longer required due to Customer's instruction. Insofar as Company is subject to statutory storage and retention periods, the Data shall be deleted by Company immediately at the end of such period. In lieu of or in addition to deletion or destruction of Data, Company and Customer can agree that Company returns all Data to Customer in a standardized and machine-readable format. In the event that Customer opts to receive the Data in such format or requires Company to apply specific deletion or erasure procedures, or to hand over, sanitize or destroy any media or data carrier on which the Data has been or is stored, Company may request remuneration for any additional efforts related to such requirements. Such remuneration shall be based on the man-day rate agreed between the Parties in the Agreement or elsewhere.

11. Miscellaneous

11.1. In case the Parties have already signed mutual data processing agreements, these agreements shall be replaced by this Annex E.

11.2. This Annex E is subject to law and forum of the jurisdiction and competent courts set forth in the Agreement. In the event that the Agreement does not contain a choice of law and forum provision, it shall be governed by German law and the parties hereby unconditionally submit to the exclusive jurisdiction of the Courts of Cologne, Germany.

11.3. In the event that any of the provisions of this Annex E or its amendments is or becomes ineffective, the validity of the remaining provisions shall not be affected. In the event of the ineffectiveness of a provision, the Parties shall be obliged to negotiate an effective and reasonable substitute provision with due regard to the economic purpose of the ineffective provision.

Exhibit 1

Scale, scope and purpose of Data Collection, Processing and Use; List of Subcontractors; Categories of Personal Data and Data subjects

1. Type and Scope of Data Processing

Name Procedure/System/Process | Name of Assigned Systems | Point of Contact | Data Categories | Purpose of Data Processing
Destruction of files and data media | external company | HR | anything you can imagine to a natural person | comply with legal or contractual obligations regarding data deletion
Firewall | Sophos | Research and Development | IP addresses, usernames | access management referring to IUK technology and corporate network
Groupware (E-Mail-System/ electronic calendar and directory) | Open-Xchange App Suite & Dovecot | Research and Development | name, address, email, phone number or any other information relating to an identified or identifiable natural person | support of customers and business partners regarding their contractual obligations; shipping of goods/provision of services, customer care, application management, communication via electronic media, contacting employees, documentation of appointments, management of internal and external contact information, appointments and documents
Backups and filing | | Research and Development | name, address, email, phone number or any other information relating to an identified or identifiable natural person | storage of data in case of an error, auditability
Encrypted and access-protected connection to corporate network (VPN) | Sophos | Research and Development | IP addresses, usernames | access management referring to IUK technology and corporate network, management of authorizations
Confluence | Atlassian Confluence | Research and Development | email (employee & customer), name (employee & customer), IP address (employee & customer) | internal storage and distribution of information; Know-How Management
Ticketing system | OTRS | Services | name (employee & customer), email address (employee & customer), IP address (employee & customer) | capture of external requests and request of internal support, logging of data regarding any failure and administration of its correction
Project management | Atlassian Jira | Research and Development | email (employee & customer), name (employee & customer), IP address (employee & customer) | project planning, administration of tasks, steering
Email Security | Vade Secure | | any information relating to an identified or identifiable natural person | Transport of all incoming and outgoing emails. Filtering for Viruses, SPAM and malware
Email Transport | MTA | | any information relating to an identified or identifiable natural person | Accepting incoming emails from internet email servers and forwarding them to internal systems, or vice versa.
Email Servers | Dovecot | | any information relating to an identified or identifiable natural person | Accepting internal emails from incoming MTAs and storing them in the storage system. Providing users access to the emails via POP3 or IMAP protocol
Groupware Servers | AppSuite | | any information relating to an identified or identifiable natural person | Providing users access to emails via web frontend. Providing users access to calendar, address book, tasks, stored files. Allowing users to edit documents via web frontend
Database Servers | MySQL | | any information relating to an identified or identifiable natural person | Storing user login data. Storing all non-email data: calendars, contacts, tasks, file meta-data.
Directory Servers | OpenLDAP | | authentication data, email addresses | Storing user login data and mail routing information
Storage Servers | Ceph/Scality | | any information relating to an identified or identifiable natural person | Storing email data
Logging Servers | | | email addresses, IP addresses, login names | Monitoring and analysis

2. Type of Service

[ ] Outsourcing/ partial outsourcing of a business process (customer care, sales, accounting, development, collection etc.)
[x] Operating (application, system, components)
[ ] Support (application, system, components)
[x] Hosting (data, applications, systems, components)
[x] Maintenance (application, system, components)

3. Place/Location of Data Storage

[x] German Federal Republic (eu. platforms)
[x] USA (us. platforms)

Other Country within EU or EEA: Finland, France, Spain, Italy

Third Country: Japan

4. Place/Location of Data Access

[x] German Federal Republic
[x] USA

Other Country within EU or EEA: Finland, France, Spain, Italy

Third Country: Japan

5. List of Subcontractors per Section 5.1 of Annex E

Name | Address | Role
audriga GmbH | Spitalstrasse 23A, 76227 Karlsruhe, Germany | Migration Services
MicroDoc Computersysteme GmbH | Elektrastrasse 6A, München, Germany | OX Software Development & Support
M-Way Solutions GmbH | Stresemannstraße 79, Stuttgart, Germany | OX Software Development & Support
tarent solutions GmbH | Rochusstrasse 2-4, 53123 Bonn, Germany | Professional Services & Software Development
VADE SECURE SAS | 3 Avenue Antoine Pinay, 59510 HEM | Anti-Spam/Anti-Virus
X-ION GmbH | Sonnenau 19, Hamburg, Germany | IaaS platform
Scality | 11 rue Tronchet, 75008 Paris, France | Storage platform
Rackspace | 1 Fanatical Pl, San Antonio, TX 78218, USA | IaaS platform
Open-Xchange S.r.l. (OX Group) | Via Treviso 12, 10144 Torino, Italy | Support and Professional Services
Open-Xchange SAS (OX Group) | 33 Rue La Fayette, 75009 Paris, France | Support and Professional Services
Open-Xchange S.L. (OX Group) | Camino del Cerro de los Gamos 1 Edificio 1, 28224 Pozuelo de Alarcon, Madrid, Spain | Support and Professional Services
Open-Xchange AG (OX Group) | Hohenzollernring 72, 50672 Cologne, Germany | Parent Company
Open-Xchange Oy (OX Group) | Lars Sonckin Kaari 16, Espoo, Finland | Mail Server
OX Dovecot K.K. (OX Group) | 4F Hamacho Koen Building, 2-60-10 Nihonbashihamacho Chyuo-ku 103-0007 Tokyo | Support and Professional Services
Open-Xchange Inc. (OX Group) | 530 Lytton Avenue, Palo Alto, CA 94301, USA | Support and Professional Services
FUAGO GmbH | Untertürkheimer Straße 24, 66117 Saarbrücken, Germany | Provisioning Tool

6. Categories of Data Subjects

[x] Customers (resp. their persons in charge)
[ ] Potential Customers, Prospects
[ ] Suppliers (resp. their persons in charge)
[x] End Users; End Customers

7. Categories of Data

[x] Master Data – means data required to establish, accomplish or, if necessary, terminate a contractual relationship (e.g. name, customer ID, contract numbers, information regarding products, tariffs, invoices etc.)
[x] Contact Information – e.g. postal address, email address, phone number, messenger IDs etc.
[x] Banking Information – e.g. account number, IBAN/BIC, credit card information etc.
[x] Communication Information – e.g. email content, messenger content etc.
[x] Geodata – e.g. from network communication, GPS, IP-Locating, etc.

Others (Please specify):
[x] Traffic Data (excl. Geodata) – means information necessarily incurred during the initiation, maintenance or transaction of a communication process, such as IP address, device identifier, log files etc.
[x] Device Data (excl. Geodata) – means e.g. information read by mobile apps; log files; system status; user settings, browser information etc.
[x] User Data – means information regarding type, extent, duration or date of usage
[x] User Generated Content – means content such as documents, pictures, sound files, email text content etc. made by data subjects on purpose
[x] User Account Information – e.g. username, password, private settings etc.

8. Special Categories of Personal Data*

[x] Data revealing Racial or Ethnic Origin
[x] Data revealing Religious or Philosophical Beliefs
[x] Genetic Data
[x] Data concerning Health
[x] Data revealing Political Opinions
[x] Data revealing Trade Union Membership
[x] Biometric Data
[x] Data concerning Sex Life and Sexual Orientation

*OX and FUAGO do not actively process these data categories. These data categories are provided solely by the end users themselves within their emails or other applications within OXaaS. All emails are encrypted at rest.

9. Data Protection Officers

OX
Data Protection Officer: Mrs Juliane Rychlik, Fuhlsbüttler Straße 389, 22309 Hamburg, Germany

FUAGO
Data Protection Officer:

Exhibit 2

Technical and Organizational Measures

1. Corporate measures of access and data media control, which prevent unauthorized persons from getting physical access to the information systems, the data processing devices and the confidential files and data media
Implemented mechanisms: key management / documentation of key distribution; door protection (electronic door-opener; biometric access control); special server room protection; restricted areas
International standards: ISO/IEC 27001:2013 certified, determined in No. 9.1 (Secure areas), 9.2 (Equipment security)

2. Corporate security measures concerning user control, which prevent data processing systems from being used without authorization
Implemented mechanisms: personal and individual user log-in to the system resp. network; keyword policies (description of keyword parameters concerning complexity and interval of updating); additional system log-in for certain applications; automatic blocking of clients after a certain time lapse without user activity (password protected screen saver or automatic log-off)
International standards: ISO/IEC 27001:2013 certified, determined in No. 11 (Access controls), 11.4 (Network access control) and 11.5 (Operating system access control); 12.3 (Cryptographic controls)

3. Corporate measures of access control, which ensure that users entitled to use a data processing system can only access data to which they have a corresponding right of access
Implemented mechanisms: administration of access and/or authorization rights as well as of system roles and groups; documentation of access rights; authorization routine; logging; regular reviewing / auditing; encryption of notebooks, PCs and external hard drives; keyword identification for shell access
International standards: ISO/IEC 27001:2013 certified, determined in No. 11 (Access controls); 10.1.3 (Segregation of duties); 8 (Human resources), 10.10 (Monitoring)

4. Corporate security measures concerning transmission and storage control, to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or transport
Implemented mechanisms: encryption of end user emails; encryption of notebooks, PCs and external hard drives; tunneled remote access (VPN); logging; secured WLAN with WPA-Enterprise; SSL encryption for web access; rules for the destruction of data carriers
International standards: ISO/IEC 27001:2013 certified, determined in No. 12.3 (Cryptographic Controls); 9.2.7 (Removal of property); 10.8 (Exchange of information)

5. Corporate measures of input control that make it possible to determine who has entered, modified or removed data in relevant systems
Implemented mechanisms: access rights; logging within the system; security and/or logging software; “group based” and/or “function-related” responsibilities
International standards: ISO/IEC 27001:2013 certified, determined in No. 12.2 (Correct processing in applications); 10.10 (Monitoring)

6. Corporate measures guaranteeing that the Controller’s personal data are processed only on behalf of the Controller and only within the Controller’s instructions (commission control)
Implemented mechanisms: regular training of employees with access rights; regular refresher courses; separate commitment of relevant employees to data protection compliance; regular data protection audits; determination of contact persons and responsibilities
International standards: ISO/IEC 27001:2013 certified, determined in No. 12.5 (Security in development and support processes); 10.2 (Third party service delivery management); 6.2.3 (Addressing security in third party agreements)

7. General corporate security measures concerning availability control and reliability against accidental loss or destruction of electronic data, files and data media
Implemented mechanisms: back-up procedures; mirroring of servers and/or hard drives; uninterruptible electric power supply; storage procedures for back-ups (safe deposit at a bank); antivirus protection / firewall; emergency plans; air conditioning of server room
International standards: ISO/IEC 27001:2013 certified, determined in No. 10.5 (Information backup); 14 (Business continuity management)

8. Measures in the Processor’s systems which guarantee that data can be processed separately for separate purposes, so that there is no unnecessary access to data which are stored for other purposes (separation control)
Implemented mechanisms: separated systems; separated databases; access authorization; separation by access rights
International standards: ISO/IEC 27001:2013 certified, determined in No. 11 (Access controls); 10.1.3 (Segregation of duties); 10.10 (Monitoring)

9. Corporate measures of recoverability guaranteeing that deployed relevant systems can be restored in case of failure
Implemented mechanisms: back-up procedures; mirroring of servers and/or hard drives; storage procedures for back-ups (safe deposit at a bank); emergency plans
International standards: ISO/IEC 27001:2013 certified, determined in No. 10.5 (Information backup); 14 (Business continuity management)

10. Corporate measures of data integrity to prevent stored personal data from damage caused by malfunctions of relevant systems
Implemented mechanisms: access authorization; separation by access rights; separation of test and production environments
International standards: ISO/IEC 27001:2013 certified, determined in No. 11 (Access controls); 10.1.3 (Segregation of duties); 10.10 (Monitoring)

11. Corporate measures of transport control, which ensure that the privacy and integrity of data is protected when transmitting personal data and when transporting data media
Implemented mechanisms: encryption of end user emails; encryption of notebooks, PCs and external hard drives; tunneled remote access (VPN); logging; secured WLAN with WPA-Enterprise; SSL encryption for web access
International standards: ISO/IEC 27001:2013 certified, determined in No. 12.3 (Cryptographic Controls); 9.2.7 (Removal of property); 10.8 (Exchange of information)

12. Corporate measures to ensure encryption and pseudonymization of data in order to ensure the integrity of personal data, as far as technically feasible
Implemented mechanisms: encryption of end user emails; encryption of notebooks, PCs and external hard drives; SSL encryption for web access; adherence to the privacy policy that regulates storage and encryption; partial encryption of the storage
International standards: ISO/IEC 27001:2013 certified, determined in No. 12.3 (Cryptographic Controls); 9.2.7 (Removal of property); 10.8 (Exchange of information)