Order processing contract
Order processing contract
Accentoris AG
This data processing agreement (hereinafter “DPA”) specifies the obligations regarding
Data protection arising from the contractual relationship between Accentoris AG (hereinafter referred to as “Provider”)
and their customers (hereinafter referred to as “clients”). Basis for the
The contractual relationship between the parties is formed by the General Terms and Conditions (hereinafter “GTC”) and
the privacy policy (hereinafter “DPA”) and these are therefore an integral part of the DPA.
The DPA shall apply to all activities arising from the contractual relationship between the parties in which employees of the Provider or third parties commissioned by the Provider process personal data (hereinafter “Data”) of the Client. For all data protection issues arising, the Client may contact the Provider’s data protection officer via
Reach datenschutz@accentoris.com.
1. subject matter, duration and specification of the order processing
1.1. The subject matter and duration of the order as well as the type and purpose of the processing are generally set out in the GTC, unless the following provisions contain additional obligations.
1.2. Annex A to the DPA specifies the subject matter, type and purpose of the order processing.
2. scope of application and responsibility
2.1. The provider processes personal data on behalf of the client. This includes activities that are specified in the GTC, the DSE, in Annex A of the GCU and in the current service description on the provider’s website.
2.2. Within the scope of the contractual relationship, the client is solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the lawfulness of data transfer to the provider and for the lawfulness of data processing.
2.3. By filling out the contact form on the provider’s website, the client gives the provider the corresponding instructions for data processing. The Client may amend, change or withdraw its instructions by notifying the Provider. Instructions that are not provided for in the GTC shall be treated as a request for a change in service. Verbal instructions must be followed up immediately by the client in writing or by making a corresponding entry in the Buchassist account.
3. obligations of the provider
3.1. The Provider processes data of data subjects only within the scope of the contractual relationship in accordance with the GTC, the DSE and this DPA, unless there is a legally regulated exception.
3.2. The Provider shall design the internal organization in its area of responsibility in such a way that it meets the special requirements of data protection. He shall take technical and organizational measures to adequately protect the client’s data in accordance with the relevant legal requirements. In particular, these ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing in the long term. The client is aware of these technical and organizational measures and is responsible for ensuring that they offer an appropriate level of protection for the risks of the data to be processed.
3.3. If agreed, the Provider shall support the Client within the scope of its possibilities in fulfilling the requests and claims of data subjects under data protection law and in complying with data protection obligations. In accordance with the GTC, the Provider is entitled to charge a fee for this.
3.4. The employees involved in the processing of the client’s data and other third parties working for the provider process the data exclusively within the framework of the contractual relationship in accordance with the GTC, the DSE and this DPA and are obliged to maintain confidentiality.
3.5. If the Provider becomes aware of a breach of the protection of personal data, it shall take reasonable measures to secure the data and to mitigate any possible adverse consequences for the data subjects. In addition, the provider fully complies with the applicable legal provisions regarding the reporting of breaches of data protection.
3.7. The Provider fully complies with the applicable data protection regulations and regularly reviews the effectiveness of the technical and organizational measures to ensure the security of processing.
3.8. The Provider processes and stores personal data for as long as the contractual relationship between the Provider and the Client exists. The Provider shall correct or delete the contractual data if instructed to do so by the Client and if this is covered by the scope of the instructions. This does not apply to data that is required for further processing due to legal regulations or for mandatory internal purposes. The release of the data and the corresponding remuneration is regulated in the GTC.
4. obligations of the client
4.1. The Client must inform the Provider immediately and in full in writing if it discovers errors or irregularities in the results of the order with regard to data protection regulations.
4.2. The Client shall inform the Provider of the contact person for data protection issues arising within the scope of the contractual relationship, if this differs from the contact person named.
4.3. The Customer declares that it bears sole responsibility for informing the persons affected by the data processing regarding the possible storage, use, processing and forwarding of data by the Provider in accordance with the provisions of the GTC, the DSE and this DPA. If individual data subjects do not agree with the intended data processing, the client is responsible for deleting the respective data in their Buchassist account accordingly.
5. inquiries from affected persons
5.1. If a data subject contacts the provider with requests for rectification, erasure or information, the provider will refer the data subject to the client, provided that an assignment to the client is possible according to the data subject. The Provider shall forward the data subject’s request to the Client within a reasonable period of time. The Provider may support the Client in the event of data protection claims by a data subject within the scope of its possibilities. In this case, the Provider is entitled to demand compensation for expenses. The Provider shall not be liable if the Client fails to respond to the data subject’s request or fails to respond correctly or on time.
6. verification options
6.1. The Provider shall provide the Client with evidence of compliance with the obligations set out in this Annex by suitable means. This is done through a self-audit and/or
ISO certification.
6.2. Should inspections by the client or an auditor commissioned by the client be necessary in individual cases (e.g. due to the GDPR), these will be carried out during normal business hours without disrupting operations after notification, taking into account a reasonable lead time. The Provider may make this dependent on prior registration with a reasonable lead time and on the signing of a confidentiality agreement regarding the data of other customers and the technical and organizational measures that have been put in place. If the auditor commissioned by the client is in a competitive relationship with the provider, the provider may reject the auditor and propose a neutral person. The Provider may charge the Client for any costs associated with the inspection, in particular if no irregularities are found.
6.3. Should a data protection supervisory authority or another sovereign supervisory authority of the client carry out an inspection, Section 6.2 shall apply accordingly. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or statutory confidentiality, where a breach is punishable under the Criminal Code.
7. subcontractors (other processors)
7.1. The Provider may engage subcontractors to fulfill the contractual service. The commissioning of subcontractors as processors by the Provider is permitted, provided that they in turn fulfill the requirements of this DPA within the scope of the subcontract. The Provider shall enter into agreements with subcontractors to the extent necessary to ensure appropriate data protection and information security measures. Subcontractors who do not have access to customer data or do not process personal data as processors are excluded from this section. A list of current subcontractors in the sense of a processor (hereinafter referred to simply as “subcontractors”) can be requested if required
.
7.2. The Client agrees that the Provider may use the subcontractors named on the Provider’s website. The Provider shall inform the Client by updating its website before engaging further subcontractors. The overview on the website must be updated at least 14 days before the consultation. The client will view the overview on a regular basis. The client may object to the change for good cause within 14 days of becoming aware of it. If no objection is raised within the deadline, the amendment shall be deemed to have been approved. If there is an important reason under data protection law and if it is not possible to find a solution by mutual agreement between the parties, the provider is granted a special right of termination.
8. information obligations
8.1. If the client’s data is seized or confiscated by the provider,
due to insolvency or composition proceedings or other events or
measures by third parties are jeopardized, the Provider must inform the Client immediately.
about this. The Provider will inform all persons responsible in this context
inform you immediately that the sovereignty and ownership of the data
are the sole responsibility of the client.
9. liability
9.1. Liability is governed by the corresponding provisions in the GTC.
10. other
10.1. In all other respects, the provisions of the GTC and DSE apply. In the event of any contradictions
between the GCU and the GTC, the provisions in the GTC shall take precedence. Should individual
If parts of the GTC are invalid, this shall not affect the validity of the GTC and the remaining parts.
provisions of the GCU.
Last version: November 2023
Accentoris AG
Auerstrasse 14
9442 Berneck