Order processing contract
The order processing contract regulates the data protection obligations between iMATRIX GmbH (provider) and its customers (client) and refers to the General Terms and Conditions and the DSE. It applies to all activities in which the provider’s employees or commissioned third parties process the client’s personal data. The data protection officer of the provider can be reached at email@example.com for all data protection-related questions.
1. Object of the order, duration and specification of the order processing
1.1. The subject and duration of the order as well as the type and purpose of the processing are generally based on the General Terms and Conditions (GTC), provided that the following provisions do not result in any further obligations.
1.2. The exact object, type and purpose of the order processing are specified in the order processing contract.
2. Responsibility & Scope
2.1. The provider carries out the processing of personal data on behalf of the client. The scope of this processing is specified in the terms and conditions on the provider’s website.
2.2. The client is solely responsible for compliance with the legal provisions on data protection, in particular with regard to the legality of data transmission to the provider and the legality of data processing.
2.3. By filling out the registration form and ordering a user account (“Manaxo account”) on the provider’s website, the client gives the provider the corresponding instructions for data processing. The client can supplement, change or revoke his instructions via his Manaxo account or by notifying the provider. Instructions not provided for in the GTC will be treated as a request to change the service. Oral instructions are to be followed immediately in writing or by corresponding actions in the client’s Manaxo account.
3. Duties & Obligations of the Provider
3.1. The provider only processes personal data of data subjects within the framework of the contractual relationship in accordance with the terms and conditions and the AVV, unless there is a legally regulated exception.
3.2. The provider designs its internal organization in such a way that it meets the requirements of data protection. He takes technical and organizational measures to protect the client’s data that comply with the legal requirements. These measures ensure the confidentiality, integrity, availability and resilience of the systems and services related to the processing. The client is informed about these measures and is responsible for ensuring that an appropriate level of protection is guaranteed for the data to be processed.
3.3. The specific measures may include alternative appropriate measures in accordance with technical progress and further development, as long as the agreed security level of this AVV is not undershot.
3.4. If possible, the provider supports the client in fulfilling data protection requirements and claims of data subjects as well as in complying with data protection obligations, if this has been agreed. According to the terms and conditions, the provider has the right to demand an appropriate expense allowance for this.
3.5. The provider’s employees commissioned with processing the data and other third parties working for the provider process the data exclusively within the framework of the contractual relationship in accordance with the General Terms and Conditions and the AVV and are obliged to maintain secrecy.
3.6. If the provider becomes aware of a breach of the protection of personal data, it will take appropriate measures to protect the data and to mitigate any possible adverse consequences for the data subjects. Provider also fully complies with all applicable data breach notification requirements.
3.7. The provider guarantees compliance with all applicable data protection regulations and regularly checks the effectiveness of the technical and organizational measures to ensure the security of the processing.
3.8. The provider processes and stores personal data only for the duration of the existing contractual relationship between him and the client. At the instruction of the customer and within the framework of the instructions, the contractual data will be corrected or deleted. This does not apply to data that must be processed further due to legal regulations or compelling internal purposes. The provision and the corresponding remuneration of the data are regulated in the General Terms and Conditions.
4. Tasks & Obligations of the Client
4.1. The client should inform the provider immediately in writing or via the Manaxo account of errors or irregularities in relation to data protection regulations in the order results.
4.2. The client gives the provider the contact person for data protection issues during the contractual relationship, if this differs from the named contact person.
4.3. The customer is solely responsible for informing the persons affected by the data processing with regard to possible data use, processing and transfer by the provider in accordance with the provisions of the General Terms and Conditions and this AVV. If data subjects do not agree to the planned data processing, it is the client’s responsibility to delete the relevant data in their Manaxo account.
4.4. By accepting the terms and conditions, the client expressly agrees to the transfer of his data to iMATRIX GmbH and providers. The client releases the provider from any possible claims. The consent of the persons concerned to the data transfer is the responsibility of the client.
5. Data Subject Requests
5.1. If a data subject sends requests for correction, deletion or information to the provider, the provider will refer the data subject to the client, provided that it is possible to assign the data subject’s request to the client. The provider forwards the request of the person concerned to the client within a reasonable period of time. The provider can support the client with data protection claims of a data subject according to his possibilities. In this case, the provider is entitled to demand an appropriate expense allowance. The provider is not liable if the client does not answer the request of the person concerned, does not answer it correctly or does not answer it in a timely manner.
6. Verification options
6.1. The provider demonstrates the fulfillment of the obligations specified in section vis-à-vis the customer by providing suitable evidence, e.g. through a self-audit and/or certification.
6.2. If inspections by the client or an auditor commissioned by the client are required (e.g. within the framework of the GDPR), these will be carried out during normal business hours, with prior notice and taking into account a reasonable lead time so as not to disrupt operations. The provider can make the performance of such inspections dependent on timely registration and the signing of a confidentiality agreement on the data of other customers and the implemented technical and organizational measures. If the auditor commissioned by the client is in a competitive relationship with the provider, the provider can reject this and propose a neutral person. If necessary, the client can be charged for the costs associated with the inspection, especially if no irregularities were found.
6.3. If a data protection supervisory authority or another official supervisory authority of the client wishes to carry out an inspection, the provisions in Section 6.2 apply accordingly. In this case, signing a confidentiality agreement is not required if this supervisory authority is subject to professional secrecy or a statutory duty of confidentiality, the breach of which constitutes a criminal offence.
7. Subcontractors (other processors)
7.1. The provider can call in subcontractors to fulfill the contractual services. The commissioning of subcontractors as processors by the provider is permitted, provided that they in turn meet the requirements of the present AVV. The provider makes appropriate agreements with the subcontractors to ensure appropriate data protection and information security measures. Subcontractors who do not have access to customer data or do not process personal data as processors are excluded from this section. A current list of subcontractors acting as processors is available on the following website: https://www.manaxo.com/commissioning-contract/
7.2. The client agrees that the provider uses the subcontractors specified on the provider’s website. Before engaging further subcontractors, the provider informs the client by updating his website. The overview on the website must be updated at least 14 days before it is consulted. The client regularly checks the overview. The client can object to the change for good cause within 14 days of becoming aware of it. If there is no objection within this period, the consent to the change is deemed to have been granted. In the case of a relevant data protection reason and if an amicable solution between the parties is not possible, the provider has a special right of termination.
8. Information Obligations
8.1. If the client’s data at the provider is endangered by seizure, confiscation, insolvency or composition proceedings or other events or measures by third parties, the provider must inform the client immediately. The provider will also promptly inform the relevant parties that the data is solely owned and owned by the client.
9.1. Sealing regulations are defined according to the relevant provisions in the General Terms and Conditions.
10.1 Otherwise, the provisions of the General Terms and Conditions apply. In the event of inconsistencies between the GCU and the GTC, the provisions in the GTC shall prevail. If individual parts of the AVV are ineffective, this has no influence on the effectiveness of the GTC and the remaining provisions of the AVV.
11. Subject, Purpose & Scope
Purpose and scope of the order:
Processing of the customer’s personal data in the course of his use of the provider’s services as part of Software as a Service.
Type of purpose of the intended data processing:
The personal data transmitted by the client are processed by the provider as part of the software as a service. The provider processes this data in accordance with the terms and conditions and the corresponding service descriptions on the provider’s website, including order management, contact management (CRM), project management, accounting, warehouse management, etc.
Type of personal data:
The specific ones are based on the information provided by the client. These can include in particular (depending on the order):
- Name, contact details and address
- gender and date of birth
- Financial information and payment details – professional and educational information
- Communication history and correspondence
- Usage data and activities on the platform
- Other information necessary for the provision of the Services
Categories of data subjects:
The specific categories of persons concerned depend on the data transmitted by the client. These can include in particular (depending on the order):
- Employees of the client (including applicants and former employees)
- Service providers of the client
- Customers of the client
- Contact details of contact persons
- Interested parties of the client
Data Deletion, Blocking and Correction
Requests for deletion, blocking and correction should be addressed to the client. The other regulations on this subject are contained in the General Terms and Conditions and the present AVV.
12. Technical and organizational measures (TOM)
The following technical and organizational measures (TOM) are crucial for data processing.
01. Laying of security areas
- Realization of an effective access protection
- Definition of authorized persons
- Management and documentation of personal access authorizations over the entire life cycle
- Access logging
Surveillance of the rooms outside of the closing times
02. Access Control
- Definition of authorized persons
- Management and documentation of personal authentication media and access authorizations
- Automatic and manual access lock
- Secured transmission of verification secrets (credentials) on the network
- Access logging
03. Access Control
- Assignment of minimum authorizations
- Verification and documentation of access authorizations for individuals
- Logging of data access
04. Transfer Control
- Secured interfaces, untransmitted security of the oldest bestvecurity gateways on the network devices of the systems
- Data Guide and Annihilation Objects
- Data protection-compliant deletion or destruction procedure
05. Input control
- Automatic recording of input permissions
- Logging of entries
06. Order control
- Documentation of permissions to the data
- Logging of the entries made
07. Availability control
- Backup and restore concept
- Storage and management of backups
- Emergency planning and preparation
Review of emergency measures
08. Separation requirement
- Ensure data-saving data collection
- Ensure separate processing of the data
Last update: July 27, 2023