This condition describes the obligations of the parties to data protection arising from the contracts of the parties. It applies to all activities that are related to a contract and in which employees of the contractor or by the contractor process personal data („data“) of the client.

§ 1 Scope and Responsibility

The contractor processes personal data on behalf of the client. This includes activities specified in the respective contract and, if applicable, in the specifications. Within the scope of every contract, the client is solely responsible for complying with the statutory provisions of the data protection act, in particular for the lawfulness of data transmission to the contractor and for the lawfulness of the data processing („controller“ within the meaning of Art. 4 No. 7 GDPR.

The type of data to be processed and the categories of affected persons are a result from the service descriptions of the DATEV services commissioned by the customer and the corresponding data protection profiles. These are available at

§ 2 Obligations of the Contractor

  1. The contractor may process data of affected persons only within the scope of the order and the instructions of the client, unless there is an exceptional case within the meaning of Article 28 para. 3 a) GDPR. The contractor shall inform the client without delay if he considers that a directive violates applicable laws. The contractor may suspend the implementation of the instruction until it has been confirmed or modified by the client.
  2. In his area of responsibility, the contractor will design the in-house organization in such a way that it meets the special requirements of data protection. He will take technical and organizational measures to adequately protect the data of the client that meet the requirements of the General Data Protection Regulation (Art. 32 GDPR. The contractor shall take technical and organizational measures to ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing on a permanent basis. The customer is aware of these technical and organizational measures and is responsible for ensuring that they provide an adequate level of protection for the risks of the data to be processed.
    The change in the security measures taken is reserved to the contractor, but it must be ensured that the level of protection that is appropriate or contractually agreed is not undercut.
    A description of the technical and organizational measures, of the Contractor can be found following these conditions.
  3. The contractor supports the client within the scope of his possibilities in the fulfillment of the requests and claims affected persons acc. Chapter III of the GDPR and in compliance with the obligations set out in Art. 33 to 36 GDPR. This expense will be paid to the contractor by the client at the respectively applicable hourly rates of the contractor.
  4. The contractor warrants that the employees involved in processing the data of the client and other persons working for the contractor are prohibited from processing the data outside of the instructions. Furthermore, the contractor guarantees that the persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate legal secrecy obligation. The confidentiality/secrecy remains even after completion of the contract.
  5. The contractor informs the client immediately if he or she becomes aware of violations of the protection of personal data of the client.
    The contractor shall take the necessary measures to safeguard the data and to reduce the possible adverse consequences of the persons concerned and shall immediately discuss this with the client.
  6. The contractor shall inform the client of the contact person for data protection issues arising in the context of the contract.
  7. The contractor guarantees his obligations under Art. 32 para. 1. d GDPR comply with and a procedure for regular Verify the effectiveness of the technical and organizational measures to ensure the safety of the processing.
  8. The contractor rectifies or deletes the contractual data if instructed by the client. If a data protection conforming deletion or a corresponding limitation of the data processing is not possible, the contractor takes over the data protection compliant destruction of data media and other materials based on an individual commissioning by the client or returns these data carriers to the client, if not already agreed in the contract.
    In special cases determined by the client, a storage or handover, compensation and protective measures are agreed separately, unless already agreed in the contract.
  9. Data, data media as well as all other materials are either to be issued to the client at the end of the contract or be deleted at the request of the client.
  10. In the case of a claim of the client by an affected person with regard to any claims under Art. 82 GDPR, the contractor undertakes to assist the client in defending the claim to the best of his ability. The expenses described above are to be paid by the client to the contractor at their respectively valid prices according to the price list.

§ 3 Obligations of the Client

  1. The client must inform the contractor immediately when it finds regarding the contract, errors or irregularities or Detects data-protection regulations.
  2. In case of a claim of the client by a data subject with regard to any claims according to Art. 82 GDPR, §3 (10) shall apply accordingly.
  3. The client shall provide the contractor with the contact person for data protection issues arising in the context of the contract.

§ 4 Requests of affected Persons

If an affected person with claims for correction deletion or information to the contractor, the contractor will refer the person concerned to the client, if an assignment to the client according to the data subject is possible. The contractor forwards the claim of the data subject to the client immediately. The contractor supports the client as far as possible within the scope of his possibilities. The contractor is not liable if the request of the data subject is not answered by the client, incorrectly or not in due time.

§ 5 Proof Options

  1. The contractor shall inform the client of the compliance with the obligations laid down in this contract by appropriate means.
  2. In individual cases, inspections by the client or an inspector commissioned by the latter are required; they will be carried out during normal business hours without disruption to the operation after registration, taking into account a reasonable lead-time. The contractor may make these dependent on the prior notification with reasonable lead-time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures that have been set up. If the examiner commissioned by the client is in a competitive relationship with the contractor, the contractor has a right of appeal against him.
    For the assistance in carrying out an inspection with the client, the contractor will be reimbursed for his expenses at his respective valid hourly rates.
  3. If a data protection supervisory authority or another sovereign supervisory authority of the client carries out an inspection, paragraph 2 shall apply accordingly. A signing of a confidentiality obligation is not required if this supervisory authority is subject to a professional or legal secrecy, in which a violation under the Criminal Code is punishable.

§ 6 Subcontractor (other Contracts)

  1. The Contractor can use subcontractors as listed in Appendix 4 to fulfil its contractual obligations.
  2. A subcontractor relationship exists if the contractor commissions further contractors with all or part of the performance agreed in the contract. The contractor will make agreements with these third parties to the extent necessary to ensure adequate privacy and information security measures.
    The client agrees that the contractor will involve subcontractors. Before contracting or replacing the subcontractors, the contractor will inform the client with a notice period of three weeks. The client may object to the change – for a good reason – within a reasonable period. If there is no objection within the time deadline, the change is considered as accepted.
  3. If the contractor places orders with subcontractors, it is the contractor‘s responsibility to transfer his data protection obligations under this contract to the subcontractor.

§ 7 Information obligations, written from clause, choice of law

  1. If the data of the client are endangered by attachment or seizure, by a bankruptcy or settlement procedure or by other events or measures of third parties, the contractor shall inform the client immediately. The contractor will inform all persons responsible in this regard immediately that the sovereignty and the ownership of the data are exclusively with the client as „responsible person“ within the meaning of the General Data Protection Regulations.
  2. Changes and additions to these terms and all of its components – including any warranties of the contractor – require a written agreement, which is also in an electronic format (text form) done can and the explicit reference to the fact that it is a change or supplement these terms and conditions is. This also applies to the waiver of this form requirement.
    In case of any contradictions, regulations of this annex on data protection are subject to the regulations of the contract. Should individual parts of these conditions be ineffective, this does not otherwise affect the effectiveness of the system.
  3. German law applies.

Released May 2018