...
1.1 The terms used in this agreement are to be understood in line with the definition in the EU General Data Protection Regulation. The definitions and interpretation provisions in this section shall apply to this agreement.
Subscription fees: | the usage fees that the customer must pay to the contractor for each employee file |
Customer: | any natural or legal person, authority, organisation or other party that commissions the contractor to process personal information |
Customer data: | personal information entered by customers, authorised users, or by the contractor on behalf of a customer, in order to use the services or to facilitate the use of services by the customer |
Documentation: | any document made available to the customer by the contractor |
Business day: | any day that is not a Saturday, Sunday or public holiday |
Subscription term: | refers to the definition under clause 13.1 (i.e. the original term plus all subsequent renewal periods) |
Services: | the subscription services provided by the contractor to the customer under this agreement, as described in the documentation |
Non-conformity: | any defect, error or bug having a materially adverse effect on the appearance, operation or functionality of the services, but excluding any defect, error or bug caused by or arising as a result of: |
User subscriptions: | the user subscriptions acquired by the customer in accordance with clause 8.1 that allow authorised users to access and use the services and the documentation specified under this agreement |
Application: | the contractor’s software (on-premise) or cloud or SaaS application that provides the services |
Service Desk: | the contractor’s mandatory platform for support requests by the customer and for providing information to the customer, which manages ticket ownership (responsibility), ensures traceability and whose extracts are binding for the parties |
Support services: | the contractor’s policies for providing support in relation to the services as described in detail in the documentation |
Virus: | an object or a device (including software, code, files or programs) that can prevent, impair or otherwise adversely affect the use of computer software, hardware or networks, telecommunication services, equipment or networks; that can prevent, impair or otherwise adversely affect the access to or the use of programs or data, including the reliability of programs or data, (whether by complete or partial reorganisation, modification or deletion of the program or data); or adversely affect user experience, including worms, trojans, viruses and other similar objects or devices |
1.2 The headings of clauses, tables (if available) and paragraphs do not affect the interpretation of this agreement.
...
2.3. The contractor shall take every technical and organisational measure to fulfil the requirements in accordance with the applicable data protection laws. The contractor shall take and continuously implement every appropriate technical and organisational measure to safeguard personal information and to protect it from unauthorised or unlawful processing and unintentional loss, unintentional destruction or accidental damage. In particular, the contractor shall take the following measures for data protection purposes and shall regularly review their implementation:
a. Access control: The contractor shall control and log access to the data processing systems.
c. Access restriction control: The contractor shall define, implement and monitor a concept for user rights, password rules and login procedure for remote or physical access to the service by its staff for the purpose of operating, maintaining, supporting or securing the service.
d. Transfer checks: The contractor shall secure the transfer of personal information in encoded form or by a safe alternative process. Transfers must be logged.
e. Input checks: The contractor shall implement a detailed logging system for the input, change and deletion or blocking of personal information to the greatest possible extent that can be supported by the subscription.
f. Job checks: The contractor shall define and implement control mechanisms to ensure strict compliance with the data controller’s instructions as communicated by the customer, accepted by the contractor and set out in the terms and conditions for data processing.
g. Availability checks: The contractor shall operate a state-of-the-art backup system and shall define a recovery procedure to protect personal data from accidental destruction and loss.
h. Data separation: The contractor shall ensure that personal data collected for different purposes (e.g. different customers) can be processed separately by technical means and by means of defined organisational procedures. Technical means can be separate computer systems or a demonstrably logical separation in a multi-client architecture. Access by a customer to data of other customers is to be prevented.
i. If the contractor provides the subscription to all customers via a uniform, hosted, web-based application, all appropriate and current technical and organisational measures apply to all of the contractor's customers for whom the subscription is hosted by the same data centre and who have subscribed to the same service. The customer is aware and agrees that the technical and organisational measures depend on technical progress and technical development. With respect to this, the contractor is authorised, in particular, to implement adequate alternative measures provided that the security level of the measures is maintained. In the event of essential changes, the contractor shall send the customer appropriate notification together with any necessary documentation by e-mail or by posting on the website for the subscription or an alternative website easily accessible to the customer.
2.4 If the security measures taken by the contractor do not comply with the legal requirements, the contractor shall inform the customer immediately.
...