Date post: 31-Jul-2020
Agreement on Data Processing Outsourcing as defined by section 11 of Germany’s Federal Data Protection Act (BDSG)
Page 1: Agreement on Data Processing Outsourcing · involve the Agent’s business secrets unless the personal data of the Principal that is the subject of the data processing outsourcing

As of 01.01.2017

Agreement on Data Processing Outsourcing as defined by section 11 of Germany’s Federal Data Protection Act (BDSG)


Agreement on Data Processing Outsourcing (conformable §11 BDSG)

between: (please complete below)

Company

Address

Postal code / city

Country

– “Principal” –

and:

AEB Gesellschaft zur Entwicklung von Branchen-Software mbH

Sigmaringer Str. 109, 70567 Stuttgart, Germany

– “Agent” or “AEB” –


Table of contents

1 Scope, responsibilities 4

2 Detailed instructions for data processing 4

3 Instructions of Principal 5

4 Technical and organizational measures 6

5 Data secrecy, monitoring, publicly accessible index 6

6 Violations of data privacy provisions or agreements 7

7 Information 7

8 Storage media, return, deletion 7

9 Audit and inspection rights of the Principal 8

10 Subcontractors 8

11 Threat from third-party actions 9

12 Applicable law, jurisdiction 9

13 Final provisions 10

14 Attachments 11


1 Scope, responsibilities

a) This annex sets forth the data privacy obligations of the parties deriving from the outsourced processing of data as detailed in the main agreement (including its annexes such as the system description). This annex applies to all activities relating to the main agreement and in which employees of the Agent or third parties subcontracted by the Agent may come into contact with the Principal’s personal data.

b) The main agreement consists of orders for services from the Agent, including the permission to use software solutions provided by AEB, and associated services (such as support and hosting). These contracts are listed in Annex 2. This list can be extended by mutual agreement if additional contracts emerge. Both parties shall take care of any resulting consequences for this agreement.

c) The Principal has carefully selected the Agent, giving special consideration to the suitability of the technical and organizational measures undertaken by the Agent. Before data processing begins and at regular intervals thereafter, the Principal shall audit and document compliance with the technical and organizational measures.

d) The Agent processes personal data on behalf of the Principal. The Principal is responsible for complying with the provisions of data protection laws within the scope of this agreement, especially the legality of transmitting data to the Agent and the legality of the data processing. The Principal remains the “controller” as defined in sections 11 and 3 (7) of Germany’s Federal Data Protection Act (BDSG). This does not affect the obligations of the Agent as set forth in BDSG section 11.

e) The Agent and any persons it contracts in fulfilling its contractual duties must exercise care and follow all applicable provisions whenever they access data processing resources of the Principal (dialog systems, databases, etc.); such resources may not be destroyed, falsified, or used in a manner other than stipulated.

2 Detailed instructions for data processing

a) The subject and duration of the outsourced data processing derive from the main agreement (including support agreements and the product system description). This mandate ends upon termination of the main agreement.

b) The extent, type, and purpose of the collection, processing, and use of data; the type of data; and the category of data subjects also derive from the main agreement or system description.

c) The terminology from BDSG section 11 (2) is specified as follows from the perspective of the Principal:

Categories of data: Personnel master data, contact information, user data, customer data/addresses; and

i) in conjunction with products from Import/Freight/O&P also: supplier data/addresses

ii) in conjunction with Compliance, extended where applicable to include the address types from sanctions list screening


Category of data subjects: Customers, employees as defined in BDSG section 3 (11); and

i) in conjunction with products from Import/Freight/O&P also: suppliers

ii) in conjunction with Compliance, extended where applicable to include the data subjects from addresses in sanctions list screening

d) The applications do not contain any special categories of personal data as defined in BDSG section 3 unless such data has been added by the Principal.

e) The Agent shall render its services within the following territory: EU / EEA countries classified by the EU Commission as having an appropriate level of data protection. Services may be provided from other countries as well if appropriate security mechanisms have been put into place by mutual consent and following the consent of the Principal, and in compliance with applicable laws (such as the EU General Data Protection Regulation (GDPR), Articles 3, 44 ff.).

3 Instructions of Principal

a) The Agent may collect, process, and/or use data only within the scope of the Principal’s instructions. Instructions are written orders by the Principal directing the Agent to handle (collect, process, and/or use) personal data in a specific manner. Initial instructions are defined by the main agreement and may be modified, extended, or replaced by the Principal through a single written instruction (individual instruction).

b) The Principal may issue specific instructions to request that data be corrected, deleted, or blocked.

c) The Agent shall execute individual instructions of the Principal that go beyond the contractually agreed scope only after an agreement on compensation has been reached. Otherwise, the current hourly rates of the Agent shall apply. The Principal indemnifies the Agent from all claims arising from the resulting delay in executing such individual instructions.


4 Technical and organizational measures

a) The Agent shall undertake the necessary technical and organizational measures pursuant to BDSG section 9 and organize its internal business in such a way that it complies with the specific requirements for protecting personal data. This specifically includes the following:

- Block unauthorized parties from physical access to data processing systems that process and use personal data (physical access control)
- Prevent unauthorized parties from using data processing systems (electronic access control)
- Ensure that those authorized to use a data processing system can only access the data for which they are authorized and that personal data is not subject to unauthorized viewing, copying, modification, or deletion when it is processed or used or after it is stored (user access control)
- Ensure that personal data cannot be viewed, copied, modified, or deleted without authorization while it is electronically transmitted, transported, or saved on storage media, and ensure that it is possible to monitor and determine the intended destinations of personal data transferred using data transmission equipment (transmission control)
- Ensure that it is possible to subsequently check and determine whether and by whom personal data was entered into data processing systems, modified, or deleted (input control)
- Ensure that personal data processed on behalf of others can only be processed according to the Principal’s instructions (order control)
- Ensure that personal data is protected against accidental destruction or loss (availability control)
- Ensure that data collected for different purposes can be processed separately (separation control)

b) The technical and organizational measures are set forth in Annex 1 (Security Concept at AEB). The technical and organizational measures may be updated during the contractual relationship in response to technical and organizational improvements by the Agent.

5 Data secrecy, monitoring, publicly accessible index

a) The Agent’s employees that are involved in processing the Principal’s data are subject to the terms of BDSG section 5 (“Confidentiality”) and must be instructed in the data protection provisions of BDSG.

b) The Agent has appointed a data privacy officer, who can be reached at [email protected]. The Agent is subject to the supervisory authority of the State Commissioner for Baden-Württemberg.

c) Should the Principal be obligated to maintain a publicly accessible index pursuant to BDSG section 4g (2) sentence 2, the Agent shall provide the Principal with the necessary information if any service of the Agent under this agreement is affected.


6 Violations of data privacy provisions or agreements

The Agent shall notify the Principal of any violations of data privacy guidelines or contractual provisions that the Agent, its employees, or other third parties commit as soon as the Agent is made aware of such violations.

7 Information

If data privacy laws compel the Principal to provide an individual with information on the collection, processing, or use of that individual’s data, the Agent shall support the Principal in providing this information if the Principal submits a corresponding written request to the Agent and the Principal reimburses the Agent for the associated costs of such support. The terms for this reimbursement are as follows: The time spent by the Agent in cooperating to provide information is reimbursed by the Principal at an hourly rate of EUR 100. The amount of billed time shall not exceed what is customary and expected for this type of contract or transaction. If it seems likely that more time is required, the parties shall enter into a separate agreement on compensation.

The Principal is aware that the Agent’s support (especially the type, extent, and duration of such support) depends primarily on ensuring that the security of personal and business data of the Agent’s other customers is not compromised.

8 Storage media, return, deletion

a) Any storage media and any copies thereof remain the property of the Principal. The Agent must safeguard them carefully so they cannot be accessed by unauthorized parties. The Agent shall destroy testing and scrap materials in compliance with data protection guidelines when explicitly instructed by the Principal; the Principal shall assume the costs so incurred.

b) Upon completion of the main agreement, the Agent shall surrender the storage media and/or delete or block the data in accordance with BDSG specifications if requested by the Principal, except where prohibited by the recordkeeping requirements to which the Agent is subject. This does not affect the principle of separation as set forth in BDSG. The Principal must submit any such request in writing within one month following the end of the contract term. The Principal is responsible for the costs incurred by the Agent in surrendering, deleting, or blocking the data.

c) AEB is entitled to delete original and results files from Compliance 31 days after the relevant screening is carried out.


9 Audit and inspection rights of the Principal

a) The Principal or a designated proxy is entitled to visit the Agent’s premises during normal business hours to audit the technical and organizational measures pursuant to BDSG section 9. Audits require appropriate advance notification and must not disrupt the Agent’s business operations. The time spent by the Agent in cooperating with such an audit is reimbursed by the Principal at an hourly rate of EUR 100 when efforts exceed an amount of 4 person hours per year. The amount of billed time shall not exceed what is customary and expected for this type of contract or transaction. If it seems likely that more time is required, the parties shall enter into a separate agreement on compensation.

b) The Agent agrees to comply within a reasonable period with written requests by the Principal for any information needed to conduct a thorough audit.

c) The auditing rights do not extend to areas that involve the Agent’s business secrets unless the personal data of the Principal that is the subject of the data processing outsourcing is affected by such areas.

d) The findings and results obtained in exercising on-site auditing rights must be put into writing and provided to the Agent free of charge.

e) The Principal must provide the Agent with prompt and complete information of any irregularities with regard to data protection provisions that the Principal identifies while checking the results of the outsourced data processing.

10 Subcontractors

a) The Principal is aware that as an IT provider, AEB provides services to a variety of customers. This means that even subcontracting is generally assigned without any disclosure of customer identities.

b) As of the start of the contract term, the contractual services are carried out with the assistance of the following subcontractors:

| Subcontractor | Function | Location |
|---|---|---|
| AFI Solutions GmbH | Maintenance and support for middleware (communication software) | Stuttgart, Germany |
| Trivadis GmbH | Database administration and support | Stuttgart, Germany |
| Hewlett Packard GmbH | Hardware supplier | Böblingen, Germany |

c) The Agent is permitted to use companies within its corporate group and other subcontractors to perform its contractual obligations, exercising the due care stipulated by law, without obtaining special written consent if it duly notifies the Principal before such processing or use begins (generally 6 weeks before data processing begins).

d) Contracts with the subcontractors must comply with the terms of confidentiality, data privacy, and data security agreed between the parties. The Principal must be granted auditing rights as set forth in section 9 above. The Principal is entitled to request in writing from the Agent information on the key content of the contract and the subcontractor’s implementation of the data privacy obligations, if necessary by reviewing the contractual agreements relating to the outsourced data processing.


e) The Agent shall notify the Principal of any intended change regarding the addition or replacement of other subcontractors, giving the Principal the opportunity to object to such changes.

f) If no objection from the Principal is received within 4 weeks following receipt of the notification of the addition or change of subcontractors, the subcontracting is considered to be confirmed under the general written consent.

g) The Principal shall not unduly refuse to give such consent and not object without a good reason that is comprehensible for the Agent.

11 Threat from third-party actions

The Agent shall notify the Principal without delay if the Principal’s data held by the Agent is in danger of being seized or confiscated or is threatened by insolvency or receivership proceedings or other events or measures of third parties. In such a situation, the Agent shall also promptly notify all relevant third parties known to the Agent that the Principal has sovereignty over the data.

12 Applicable law, jurisdiction

a) This agreement is subject to German law to the exclusion of the United Nations Convention on Contracts for the International Sale of Goods (CISG).

b) For all disputes arising in connection with this agreement and its extensions or additions or with regard to its validity that the parties cannot settle among themselves, AEB may initiate mediation and/or seek a resolution at its discretion either through an arbitration tribunal without recourse to the courts or through the standard jurisdiction of the courts.

c) As the future defendant or otherwise passive participant in judicial proceedings, AEB is obligated to exercise its discretion in advance of any trial within two weeks of receiving a written request from the counterparty. If the counterparty does not receive a written decision from AEB within this period, AEB is no longer entitled to demand mediation or object to the jurisdiction of the arbitration tribunal.

d) If AEB opts for mediation, the case is brought before the mediation center of the German Association of Law and Informatics (DGRI, www.dgri.de) for partial, provisional, or final resolution of the dispute in accordance with the DGRI rules of mediation current at the time mediation is initiated. The expiration of all claims arising from the actual circumstances under mediation is suspended from the time mediation is requested until such proceedings are complete. Section 203 BGB applies with the necessary modifications.

e) If AEB opts for a decision by an arbitration tribunal, the dispute is ultimately decided according to the rules of arbitration of the Stuttgart Chamber of Commerce and Industry (IHK) without recourse to the courts. The place of arbitration proceedings is Stuttgart. The arbitration tribunal shall consist of a single arbitrator. The applicable substantive law is that of the Federal Republic of Germany. Arbitration shall be conducted in German.

f) If AEB opts for a decision by the courts, the venue is that of AEB’s main offices. AEB is also entitled, however, to assert claims in the venue of the counterparty’s main offices.

13 Final provisions

Additions and other changes to this annex must be in writing (BDSG section 11 (2)).


14 Attachments

Principal

Place

Date

Name / position

Signature

Agent

Place

Date

Name / position

Signature

Annex 1: List of technical and organizational measures; as a document attachment with the current status (July, 2016) entitled: “Security Concept at AEB Gesellschaft zur Entwicklung von Branchen-Software mbH.”

Annex 2: Summary of contracts as main agreement (provides reason for this agreement on data processing outsourcing)


As of 01.01.2017

Security Concept at AEB Gesellschaft zur Entwicklung von Branchen-Software mbH

(Technical and organizational measures / Controls)

Attachment 1, as of June 30, 2016

Table of contents, Attachment 1

A Basic Information 14

1. Concerning data protection 14

2. Concerning SOX Compliance 14

B Description of IT General Controls 14

1. Application Process Control 14

2. Organizational Control (management systems) 15

3. Technical and organizational measures 15

C Description of Application Controls 17

1. Quality Assurance 17

2. Quality Assurance by Defined Processes 17

3. Quality Assurance by External Auditors 17


A Basic Information

This document contains all security control systems covering the services of AEB’s computer center. The corresponding measures can be of a technical or organizational type. They must be state of the art and shall include the human factor. AEB is allowed to change and update the necessary measures as long as the security level reached is not reduced. The measures described here are general and sweeping and not customer-specific. This document is released with date information.

1. Concerning data protection

In accordance with applicable data protection laws (such as the German Federal Data Protection Act, BDSG), adequate technical and/or organizational measures, grouped into controls, are chosen to meet the protection needs of personal data. Measures shall be considered necessary where the effort they involve is proportionate to the objective they are designed to achieve in terms of protection.

2. Concerning SOX Compliance

The requirements for service providers, especially those outlined in Section 404 of the Sarbanes-Oxley Act (SOX), oblige companies that are subject to SOX to include outsourced compliance-relevant tasks in their internal controls.

These controls can be simplified by commissioning a report (certification) on the outsourced services. In this report, the service provider describes its own internal control system (data privacy, data security, access security, data integrity, etc.). This control system must be sophisticated enough to achieve the stated objectives, and it must be fully implemented.

This document supports that by describing all the control systems of the AEB GmbH computer center services.

Further references: see SSAE 16 (Statement on Standards for Attestation Engagements No. 16) and its link to the standard ISAE 3402 (International Standard on Assurance Engagements No. 3402).

Summarized from: Institute of Information Systems of the University of Bern, Switzerland, work report no. 190: Compliance Verification in IT Outsourcing, Gerhard F. Knolmayer, August 2006. Available online (in German) at http://www.ie.iwi.unibe.ch/publikationen/berichte/resource/WP-190.pdf.

Earlier standard: American Institute of Certified Public Accountants: AICPA Audit Guide. Service Organizations: Applying SAS No. 70, as Amended. With Conforming Changes as of May 1, 2006. AICPA, New York 2006.

B Description of IT General Controls

1. Application Process Control

Ensures that applications are correctly implemented and process data correctly. Both the services and the associated technologies and processes are tested by the ATLAS coordinating office (KoSt) at the Karlsruhe Regional Finance Office and certified only if all requirements are mapped.

The testing and certification logs are also available from the ATLAS coordinating office.


2. Organizational Control (management systems)

2.1 Data Privacy

The company’s Data Protection Officer tests and controls compliance with applicable law such as the provisions of the German Federal Data Protection Act (BDSG). Some of the following organizational and security controls are required by § 9 BDSG.

A limited selection of IT teams assigns access rights using the four-eyes principle. IT/Organization carries out regular or event-driven checks of access rights, with the authority to object to or veto a particular access right.

2.2 Security control, risk management

At a high level, operation of an ISMS (Information Security Management System, in the context of ISO 27001) ensures IT security management as a continuous PDCA life-cycle process. This asset-based process includes protection needs analysis and detailed risk management (estimation, evaluation, treatment).

Most important security criteria:

- Availability
- Confidentiality
- Integrity

The ISMS itself includes regular internal and external audits and management reviews. A further level is ensuring high security awareness among staff through an adequate, comprehensive package of measures (e.g. training).

For an overview of information security, please see also our Guideline Integrated Management System (including Information Security) at https://service.aeb.com/en/open/guidelines-and-certificates.

3. Technical and organizational measures

3.1 Input Control

Ensures that it is possible to subsequently check and determine whether and by whom personal data was entered into data processing systems, modified or deleted.

- All products that process personal data keep a log of all data entry, modifications and deletions.
- Personalized user accounts in applications

3.2 Order Control

Ensures that personal data from orders can only be processed according to the client’s instructions.

- The customer handles user and rights administration at the user level in the products.
- Contracts (e.g. concerning outsourced data processing) define the obligations of both parties.
- Use of standardized and proven contracts in conformity with the applicable law.
- Any subcontractors also work according to underlying contracts (covering e.g. confidentiality, data processing, and possible system access conditions).
- Only employees with adequate roles and competences (such as database administrators from System Management) have access to business data, and they work according to defined purposes.


3.3 Separation Control

Ensures that data collected for different purposes can be processed separately. Separation of:

- Employee data
- Customer contact data
- Customer test data (project work, customer developments)
- Remote maintenance access data
- Customer data in the AEB computer center

System level: Customer data in the computer center is administered in strict separation and in separate systems (databases, etc.) from AEB’s own customer data (e.g. CRM).

Different applications: Customer data and employee data are processed using separate applications.

Rights within the application: Customer contact data is strictly separated from remote maintenance access data.

3.4 Physical Access Control

Blocks unauthorized parties from physical access to data processing systems that process and use personal data.

- Multilevel technical locking systems, partially equipped with an alerting system
- Security patrol service
- Identity control (reception desk, registration of guests, security awareness measures)
- Servers and remote maintenance routers are protected by controlled access (coded locks) to the server room.

Remote maintenance systems are secured as follows:

- Access to remote maintenance data is restricted to authorized persons.
- Systems for customer remote maintenance are in a separate, specially protected network area.

3.5 Electronic Access Control

Ensures that those authorized to use a data processing system can only access the data for which they are authorized and that personal data is not subject to unauthorized viewing, copying, modification or deletion when it is processed or used or after it is stored.

- Central rights management separates system access from application access.
- Users cannot change their own rights.
- Users cannot request a change without approval by their supervisor.
- Change management of user rights in accordance with changing roles (e.g. on moves within the company)
- External access is restricted to VPN- or SSH-secured connections.
- Regular security checks of external access are carried out by appropriately specialized companies.
- Internal security regulation including the need-to-know principle

Workstation computers are secured as follows:

- Users must log on through a centrally controlled identity management system.
- Employees are required to lock their computers.
- Computers are automatically locked after 15 minutes of idle time.

3.6 Transmission Control

Ensures that personal data cannot be viewed, copied, modified or deleted without authorization while it is electronically transmitted, transported or saved on storage media, and that it is possible to monitor and determine the intended destinations of personal data transferred using data transmission equipment.

- The enterprise-wide data security policy prohibits all transmission of unencrypted data.
- All upload/download connections via the Internet are secured through either SSL, SSH or VPN.
- All branch offices and mobile systems rely exclusively on VPN- or SSH-secured connections controlled by AEB.
- No personal data is stored locally; all data is stored centrally in Stuttgart, Germany.
- External connections are possible only through approved applications.
- External connections are possible only through approved services.
- All remote data transfer connections are logged wherever technically possible.
- Managed process for disposing of waste containing confidential data in accordance with legal requirements.


3.7 Availability Control

Ensures that personal data is protected against accidental destruction or loss.

Redundant systems:

- Database: clusters
- File server: clusters
- File server: SAN systems with redundant components

Infrastructure:

- Uninterruptible power supply, back-up generator (diesel units)
- Fire alarm or extinguishing systems (with argon pressure)
- Water detection system
- Connection to 24/7 security agency

Tape protection:

- Daily tape backups
- Data storage in a separate fire containment section
- Additionally, regular data backups based on database tools

Operations:

- Sophisticated system for monitoring and alerting as part of business continuity management (principle of early detection)
- System for incident and problem management for external and internal use
- Defined emergency process

C Description of Application Controls

1. Quality Assurance

Quality is a top priority throughout AEB and is assigned a special status. Owners of applications and processes are responsible for assuring quality in applications and processes. Based on a continuous PDCA life-cycle, they define, optimize and test the processes not only of application development but of maintenance and service too. To manage and enforce these, common tools such as guides, various templates and checklists are used. The main aim is service- and process-oriented work and the establishment of cross-product standards.

The application testing includes both functional and usability tests. Each update is subject to multiple testing and approval phases.

Constant monitoring and implementation ensures that the latest technical requirements are met. Maintenance and service are evaluated and optimized in close cooperation with customers.

2. Quality Assurance by Defined Processes

All new development steps and application maintenance proceed according to defined processes (principle of transparency). All application development and maintenance tasks are executed as projects with a defined project workflow and a defined process using sample projects, a controlled, sophisticated role concept and several required acceptance steps. In critical steps the four-eyes principle is mandatory. Where necessary, security checks are integrated.

3. Quality Assurance by External Auditors

Applications are tested and certified by external auditors where needed. This testing and certification is based in part on IDW auditing standards and position papers such as IDW AuS 330 (“Auditing for the Use of Information Technology”) or IDW RS FAIT 1 (“Principles of Proper Accounting for the Use of Information Technology”).

As of 01.01.2017

List of Contracts

Attachment 2


Contracts

The following contracts provide the legal basis for having the situation of Data Processing Outsourcing between Principal and Agent:

...

...

...

