This Data Processing Addendum is incorporated into, and is subject to the terms and conditions of the Agreement between Vertical-Life (hereinafter referred to us Data Processor) and the customer entity (hereinafter referred to us Client; together referred to us Parties) that is a party to the Agreement.
Introduction, scope, definitions
1.1 This contract regulates the rights and obligations of the Client and the Data Processor in the context of the processing of personal data on behalf of the Client.
1.2 This contract applies to all activities in which employees of the Data Processor or subcontractors (subcontractors) commissioned by the Data Processor process personal data of the Client.
1.3 Terms used in this Agreement shall be understood in accordance with their definition in the General Data Protection Regulation (EU).
Subject and duration of processing
2.1 Subject: The Data Processor processes data of the Client for the execution of the SCG-Service.
The processing is based on the Agreement existing between the parties.
2.2 Duration: The processing shall commence on the date of signature of the order form and shall continue indefinitely until the termination of the Agreement by either Party.
Nature and purpose of the data collection, processing or use
3.1 Type and purpose of processing
3.1.1 The processing is as follows: collection, recording, organization, arrangement, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, cross-checking or linking, limitation, erasure or destruction of data.
3.1.2 The processing serves the following purpose: execution of the SCG-Service.
3.2 Type of data
3.2.1 Employee data of the GYM:
user identification
surname and first name
address
postcode
phone nr.
mobile phone nr.
salary
username
password
last login
Last Login IP
3.2.2 User login information:
IP address
user identification
time
3.2.3 User action log:
Customer ID
user identification
Log_note
log data
3.2.4 Company data of the Client:
Customer ID
first name
Surname
Address
postcode
phone nr
Company
Made in
Updated
active
status
Bank Account Owner
Bank Account ID
Bank sort code
Bank Name
Bank_IBAN
Bank Bic
Bank Swift
Bank Confirmed
Bank Info added
Last invoice decision
Monthly payment
Revenues via POS system
entrances
3.2.5 Customer data of the Client:
phone nr.
annotations
AGB ́s accepted
Contact ID
Customer ID
first name
Surname
Address
Postcode / City
Company
date of birth
comment
payment procedures
IBAN
BIC
3.2.6 Messages:
From user ID
To user ID
message
3.2.7 Categories of data subjects concerned by the processing:
- Employee of the Client
- Company data of the Client
- Customers of the Client
3.3 Prohibited Data: Customer will not provide any sensitive Data to Data Processor for processing under the Agreement and Data Processor will have no liability whatsoever for sensitive Data, whether in connection with a security incident or otherwise. For the avoidance of doubt this Data processing addendum will not apply to sensitive Data.
3.4 The Client represents and warrants that it has complied and will continue to comply with all applicable laws, including data protection laws, with respect to the processing of Client data and all processing instructions it gives to Data Processor; and that it has made and will continue to make all notifications and has received and will receive all consents and rights necessary under data protection laws for the processing of personal data by Data processor for the purposes described in the Agreement. The Client is solely responsible for the accuracy, quality and lawfulness of the Client's data and the means by which the Client has acquired the Client's data. Without prejudice to the generality of the foregoing, Client agrees that it is responsible for compliance with all laws (including data protection laws).
3.5 The Client will assure that the processing of data by the Data Processor in accordance with the Client's instructions will not cause the Data Processor to violate any applicable laws, rules or regulations, including but not limited to data protection laws.
Obligations of the data processor
4.1 The Data Processor processes personal data exclusively as contractually agreed or as instructed by the Client, unless the Data Processor is legally obliged to certain processing. If such obligations exist for the Data Processor, the Data Processor shall notify the Client thereof prior to processing, unless such notification is prohibited by law. Furthermore, the Data Processor shall not use the personal data provided for processing for any other purpose, in particular not for his own purposes.
4.2 The Data Processor confirms that he is aware of the relevant general data protection regulations. He shall observe the principles of proper data processing.
4.3 The Data Processor undertakes to maintain strict confidentiality during processing.
4.4 Persons who may gain knowledge of the data processed must undertake in writing to maintain confidentiality unless they are already legally subject to a relevant confidentiality obligation.
4.5 The Data Processor warrants that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this contract prior to commencement of processing. Appropriate training and awareness-raising measures must be repeated at regular intervals. The Data Processor shall ensure that persons used for order processing are continuously instructed and monitored appropriately with regard to the fulfillment of data protection requirements.
4.6 In connection with the commissioned processing, the Data Processor shall support the Client in compiling and updating the list of processing activities and in carrying out the data protection impact assessment. All necessary information and documentation must be provided and forwarded to the Client immediately upon request.
4.7 If the Client is subject to inspection by supervisory authorities or other bodies or if persons concerned assert rights against him, the Data Processor undertakes to inform the Client immediately and to support the Client to the necessary extent as far as the processing in the order is concerned.
4.8 The Data Processor may only provide information to third parties or the person concerned with the prior consent of the Client. The Data Processor shall immediately forward any inquiries addressed directly to him to the Client.
4.9 To the extent required by law, the Data Processor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the agent. In cases of doubt, the Client may contact the data protection officer directly. The Data Processor shall immediately inform the Client of the contact details of the data protection officer or of the reasons why no officer has been appointed. The Data Processor shall immediately inform the Client of any changes in the person or internal tasks of the data protection officer.
4.10 The processing of orders shall generally take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the Client and under the conditions contained in Chapter V of the General Data Protection Regulation (EU) and in compliance with the provisions of this contract.
Technical and organizational measures
5.1 The data security measures described in Annex 3 shall be established as mandatory. They define the minimum owed by the Data Processor. The description of the measures must be detailed in such a way that a competent third party can at any time determine beyond doubt what the minimum owed is solely on the basis of the description. A reference to information which cannot be taken directly from this agreement or its annexes is not permissible.
5.2 The data security measures can be adapted to the technical and organizational further development as long as they do not fall below the level agreed here. The Data Processor shall immediately implement any changes required to maintain data security. The Client must be informed immediately of any changes. Material changes are to be agreed upon between the parties.
5.3 If the security measures taken do not or no longer meet the requirements of the Client, the Data Processor shall notify the Client immediately.
5.4 The Data Processor warrants that the data processed in the order will be strictly separated from other data sets.
5.5 Copies or duplicates shall not be made without the knowledge of the Client. Technically necessary, temporary duplicates are excluded as far as an impairment of the data protection level agreed here is excluded.
5.6 The processing of data in private homes is permitted. Insofar as such processing takes place, the Data Processor must ensure that a level of data protection and data security corresponding to this contract is maintained.
5.7 Dedicated data carriers originating from the Client or used for the Client are specially marked and are subject to ongoing administration. They must be stored appropriately at all times and must not be accessible to unauthorized persons. Inputs and outputs are documented.
5.8 The Data Processor shall provide regular proof of the fulfillment of his obligations, in particular, the complete implementation of the agreed technical and organizational measures and their effectiveness. The proof shall be provided to the Client upon request. The proof can be provided by approved rules of conduct or an approved certification procedure.
Regulations for the correction, deletion, and blocking of data
6.1 The Data Processor shall correct, delete or block data processed within the scope of the order only in accordance with the contractual agreement reached or in accordance with the instructions of the Client.
6.2 The Data Processor shall comply with the relevant instructions of the Client at all times and also beyond the termination of this agreement.
Subcontracting
7.1 Commissioning shall only be possible if the subcontractor has at least been contractually bound to data protection obligations comparable to those agreed in this contract.
7.2 The responsibilities of the Data Processor and the subcontractor shall be clearly defined.
7.3 Further subcontracting by the subcontractor is not permitted.
7.4 The subcontractor shall be carefully selected by the Data Processor with particular regard to the suitability of the technical and organizational measures taken by the subcontractor.
7.5 Data processed on behalf of the subcontractor may only be forwarded to the subcontractor after the Data Processor has satisfied himself in a documented manner that the subcontractor has fulfilled his obligations in full.
7.6 The commissioning of subcontractors who do not carry out the processing on behalf exclusively within the territory of the EU or the EEA is only possible if the conditions set out in Article 5 are complied with. In particular, it shall only be permissible to the extent that and as long as the subcontractor offers appropriate data protection guarantees.
7.7 If the subcontractor does not comply with his data protection obligations, the Data Processor shall be liable to the Client for this.
7.8 At present, the subcontractors named in Annex 1 are engaged in the processing of personal data to the extent specified therein.
Rights and obligations of the gym
8.1 The Client is solely responsible for assessing the permissibility of the commissioned processing and for safeguarding the rights of data subjects.
8.2 The Client documents all orders, partial orders or instructions. In urgent cases, instructions may be given verbally. The Client shall immediately confirm such instructions in documented form.
8.3 The Client shall inform the Data Processor without delay if it detects errors or irregularities in the examination of the order results.
8.4 The Client shall be entitled to monitor compliance with the provisions on data protection and the contractual agreements with the Data Processor to an appropriate extent itself or by third parties, in particular by obtaining information and inspecting the stored data and data processing programs.
8.5 Checks on the Data Processor's premises must be carried out without avoidable disruptions to his business operations. Unless otherwise indicated by the Client for urgent reasons to be documented by the Client, inspections shall take place after reasonable advance notice and during business hours of the Data Processor and not more frequently than every 12 months.
Reporting obligations
9.1 The Data Processor shall immediately notify the Client of any violations of the protection of personal data. The notification must be sent within 24 hours of the knowledge of the Data Processor of the relevant event to an address specified by the Client. It must contain at least the following information:
a description of the nature of the breach of the protection of personal data, indicating where possible the categories and approximate number of persons concerned, the categories concerned and the approximate number of personal data records concerned;
the name and contact details of the Data Protection Officer or any other contact point for further information;
a description of the measures taken or proposed by the Data Processor to remedy the breach of the protection of personal data and, where appropriate, measures to mitigate its possible adverse effects
9.2 Also to be notified without delay are any significant disruptions in the execution of the order as well as any infringements by the Data Processor or the persons employed by it of data protection provisions or the provisions made in this contract.
9.3 The Data Processor shall inform the Client without delay of any controls or measures taken by supervisory authorities or other third parties, insofar as these have references to order processing.
9.4 The Data Processor undertakes to support the Client in his duties in accordance with Art. 33 and 34 of the General Data Protection Regulation (EU) to the extent necessary.
Instructions
10.1 The Client reserves the right to give comprehensive instructions regarding the processing on behalf of the Data Processor.
10.2 The Client and the Data Processor shall name the persons exclusively authorized to issue and accept instructions in Annex 2.
10.3 In the event of a change or long-term prevention of the named persons, successors or representatives must be notified to the other party without delay.
10.4 The Data Processor shall draw the attention of the Client to any instruction given by the Client which in his opinion violates statutory provisions. The Data Processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the responsible person at the Client.
Termination of the contract
11.1 Upon termination of the contractual relationship or at any time upon request of the Client, the Data Processor shall either destroy the data processed in the order or hand them over to the Client at the Client's option. All existing copies of the data must also be destroyed. The destruction must be carried out in such a way that it is no longer possible to restore even residual information at a reasonable cost.
11.2 The Data Processor shall be obliged to bring about the immediate return or deletion also of subcontractors.
11.3 Documentations which serve as proof of proper data processing shall be stored by the Data Processor in accordance with the respective retention periods even after the end of the Agreement. He may hand them over to the Client at the end of the Agreement in order to relieve his responsibility.
Remuneration
12.1 The remuneration of the Data Processor is conclusively regulated in the Agreement. A separate remuneration or reimbursement of costs within the scope of this contract does not take place.
Miscellaneous
13.1 The parties shall be obliged to treat as confidential all knowledge of trade secrets and data security measures of the other party acquired within the scope of the contractual relationship, even upon termination of the contract. If there is any doubt as to whether information is subject to confidentiality, it shall be treated as confidential until released in writing by the other party.
13.2 Should individual parts of this Agreement be invalid, this shall not affect the validity of the remainder of the Agreement.
13.3 This Agreement shall be governed by and construed in accordance with Italian law and any dispute arising out of this Agreement shall be subject exclusively to the jurisdiction of the courts of Bolzano.
Annex 1 - Approved subcontractors
Hosting, Network und Data Services: Google Cloud (GDPR); Amazon Web Services (GDPR)
Web Application Firewall: Cloudflare (GDPR)
Performance Monitoring: App Signal (GDPR)
E-Mail Service: Mailgun (GDPR)
Business Administration: Reviso Cloud Accounting; Atlassian Jira;
Annex 2 - Persons authorized to issue instructions
The following persons are authorized to issue and receive instructions:
Matthias Polig
Iiro Virtanen
Annex 3: Technical-organisational security measures
Vertical-Life takes the following security measures:
1. Confidentiality
1.1 Access control
Measures designed to prevent unauthorized persons from gaining access to data processing equipment that processes or uses personal data:
keys
burglar-resistant windows and security doors
accompaniment of visitors in the company building
Measures designed to prevent data processing systems (computers) from being used by unauthorized persons:
passwords
encryption of data
Measures to ensure that persons authorized to use a data processing system have access only to data subject to their right of access and that personal data cannot be read, copied, altered or removed without authorization during processing, use and after storage:
suitable authorization concepts that enable differentiated control of access to data
logging of accesses
safe storage of media
clear-desk/clear-screen policy
1.2 Separation control
Measures to ensure that data collected for different purposes can be processed separately. This can be ensured, for example, by logical and/or physical separation of the data.
2. Integrity (Art. 32 para. 1 lit. b GDPR)
2.1 Handover control
Measures to ensure that personal data cannot be read, copied, altered or removed without authorization during their electronic transmission or during their transport or storage on data carriers and that it is possible to verify and establish the points at which personal data are to be transmitted by data transmission facilities:
encryption of data
safe physical storage of data (cloud hosting)
2.2 Input control
Measures to ensure that it can be subsequently verified and established whether and by whom personal data have been entered, modified or removed in data processing systems:
data logs, which can take place at various levels (e.g. operating system, network, firewall, database, application)
document management
3. Availability and resilience
3.1 Availability control
Measures to protect against accidental or intentional destruction or loss:
availability protection guarantees that the service automatically recovers to another data-center in case of a failure
backup strategy (online/offline; on-site/off-site)
anti-virus protection
firewall
3.2 Recoverability
Data is automatically backed up on a daily basis and can be restored in any point of time.
4. Procedure for regular review, assessment, and evaluation
4.1 Privacy management
Yearly and periodic privacy assessment for all our services.
4.2 Incident response management
Support in responding to security breaches.
4.3 Data protection-friendly default settings
Privacy by design/privacy by default
4.4 Order control (outsourcing to third parties)
Measures to ensure that personal data processed on behalf of the customer can only be processed in accordance with the instructions of the customer. All independent contractors and/or consultants will abide by the defined data processing policies.