Annex F – Obligations under Telecommunication Law

1. Introduction

This Annex defines the obligations of each party of the Agreement concerning the application of the telecommunication laws with respect to the cloud services performed under the Agreement referenced above (“the Service”).

Company is governed by its national law. Depending on the Customer’s service and location, further national or international laws might be applicable.

2. Applicability

Notwithstanding Company’s own legal obligations, the Customer is obligated to protect the personal data of the subscribers and Users of the Service, for which the Customer remains responsible to the subscribers, Users and authorities. The Controller to Processor Agreement (Annex E) regulates this in detail. In particular, the Customer is subject to the obligations of information, documentation and registration.

As far as legally required, the Customer must make instructions in regard to the processing of personal data and to the data security known prior to the conclusion of the Agreement as part of the Controller to Processor Agreement (Annex E).

3. Telecommunications Secrecy

To the extent that Customer will be providing a telecommunication service on a commercial basis utilizing the Service, Customer must inform Company of such. Customer is obliged to keep all data contained in the Service confidential to the extent required by applicable telecommunication regulation. As far as legally permitted, Company will forward any enquiries about Customer’s and its User’s data from public authorities or private persons or entities to Customer.

4. Deletion of Data

Customer is responsible for compliance with deletion periods and the timely deletion and blocking of Customer data and traffic data. Customer is aware of the deletion periods planned in the Service. If Customer requires different specific deletion periods, it must inform OX about such without undue delay.

5. Public Availability

As far as Customer will provide a publicly available telecommunication service using the Service, it must inform OX about such.

Notwithstanding an obligation for the protection of telecommunications secrecy (as defined in 3), the Customer is responsible for the provision of the Service with regards to the Customer’s subscribers and the Users. In particular, the Customer concludes contracts for their own responsibilities regarding the use of the the Service with the subscribers or Users. The authority over the provision of the Service and over the attached email server operated remains with Customer at all times.

6. Obligation of Registration

The Customer is responsible for the fulfilment of any potential obligation to register its utilization of the Service to authorities and other responsible national or international offices.

7. Message Transfer System

The Customer is responsible for compliance with the legal specifications with regards to the transfer and interim storage of message content. To the extent that messages are stored on the systems that are operated by Company, Customer must ensure in particular that the access rights and the intended deletion periods for messages correspond to the legal specifications or comply with deletion periods contractually agreed upon with the subscribers and Users.

8. Technical Protection Measures

Customer is responsible for meeting the legally mandated technical precautions and other measures for the protection of telecommunications secrecy and against the violation of the protection of personal data. Customer is aware of the security precautions provided for the Service.

As far as Customer, in particular for the fulfillment of a documentation obligation, requires additional information, which is only known to Company and cannot reasonably be procured by the Customer, Company will make such information available upon request.

As far as special technically protective measures are required for the fulfillment of Customer’s legal obligations, Customer must indicate such before the conclusion of the agreement. As far as such legal obligations change during the Term and Customer subsequently demands additional or changed measures to be implemented into the Service, the Parties shall mutually and in good faith agree to a technically and commercially feasible solution to fulfill such obligations.

9. Data Breach Notification

Customer is responsible for any potential obligation to notifying authorities or affected data subjects of any breach of the protection of personal data. 

10. Monitoring Measures and Provision of Information

Customer is responsible for the implementation of monitoring measures, the provision of corresponding precautions and the issuance of information to the security authorities and in particular for any possible notification to the oversight authorities. Monitoring requests will not be implemented by Company. Requests for monitoring telecommunications shall not be directed to Company.

11. Data Retention and other Legal Provisions

As far as additional obligations affect the Customer (e.g. from national or international laws, ordinances, guidelines, official specifications, contracts or other special provisions essential for them) such as for the traffic data retention, Customer shall be responsible for their fulfilment. This also applies expressly for requirements that result from applicable governing law agreed upon between the parties.

To the extent that special duties, which cannot be assumed by Customer due to public legal or other enforceable legal requirements, result for Company (as Customer’s contractor) from such, Customer must inform OX about such before the conclusion of the Agreement and continuously thereafter as soon as there is a change in the legal position and requirements result thereof.

12. Configurations, compensation and information

With regard to the legal requirements mentioned above, Customer shall design the Service individually and adjust the Service through corresponding configurations and parameters as part of the configuration provided on the system side and to the extent agreed upon in this Agreement.

As far as further configurations or adjustments are required for the fulfilment of the legal obligations, the Customer shall indicate such before the conclusion of the agreement.

OX will prepare any potentially required adjustments to the OX as a Service (e.g. deletion or blocking periods, technical interfaces for the provision of information and monitoring) based on a SOW at the express request to the extent that the technical possibilities exist; any compensation will be subject to the conditions as set out in this Agreement or in the respective SOW.

Insofar as the Customers requires necessary information for the fulfilment of any obligation mentioned above, which is only known to OX and cannot be procured by the Customer or only under difficult conditions, OX will make such available upon request.