Data Protection Notice

General Data Protection Notice for Apps

As the data protection officer, we hereby inform you about the processing of your personal data during the use of our mobile applications (apps) for mobile devices such as smartphones and tablets and our browser-based editorial system (APPsolute Mobility Platform) as well as about your rights as a user.

The security of your personal data is a high priority for us. We therefore protect your data stored with us by technical and organizational measures to effectively prevent loss or misuse by third parties. In particular, our employees who process personal data are bound to data secrecy and must comply with it. To protect your personal data, it is transmitted in encrypted form. To ensure the permanent protection of your data, the technical security measures are regularly reviewed and, if necessary, adapted to the state of the art. These principles also apply to companies that process and use data on our behalf and according to our instructions.

Information in accordance with Articles 13 and 14 of the General Data Protection Regulation (GDPR).

With the following general information, we would like to inform you as a data subject,

– on what basis we process your personal data,
– how we handle your personal data,
– what rights you have against us under data protection law and
– whom you can contact to assert your rights or if you have questions about data protection.

Personal data within the meaning of Article 4 (1) GDPR are, for example, information about you, but also about facts that are related to your person. Depending on the processing situation, we collect personal data from you (e.g. in the event of a visit to our website or other offers) or also from publicly accessible sources (e.g. the Internet).

You will find general information on data processing by us below. Detailed information on various case constellations can be found under „Data protection statements on individual processing situations“. If your concerns are not adequately reflected here or if there are any questions or uncertainties, please contact our data protection officer.

Contact details of the controller
The controller responsible for the processing of personal data is:

APPsolute Mobility GmbH
Allersberger Str. 185, Building L4
90461 Nuremberg
Managing Directors: Victoria von Wachtel, Alexandra Kulfanová
E-mail: info@appsolute-mobility.com
Phone: +49 911 893139-0

Contact details of the data protection officer
Questions on the subject of data protection can be directed to our data protection officer:
Bernhard Höllerer
Management & Personnel Consulting
E-mail: datenschutz@appsolute-mobility.com

Purposes and legal bases of processing
As a matter of principle, we only process your personal data insofar as this is necessary for the provision of our content and services or if you have given your consent.

Fulfillment of a contractual obligation
When processing personal data that is required to fulfill a contract, Article 6 (1) (b) GDPR also serves as the legal basis in individual cases.

Consent
Insofar as we obtain the consent of the data subject for processing operations of personal data, Art. 6 (1) (a) GDPR is the legal basis for the processing of your personal data.

Existence of a legal obligation
When processing personal data where we are subject to a legal obligation (such as to comply with tax obligations), Art. 6(1)(c) GDPR is the legal basis for processing your personal data.

Legitimate interest
When processing personal data based on our legitimate interests (e.g., when using service providers in the processing of your orders, such as shipping service providers or when conducting statistical surveys and analyses and logging registration procedures), Art. 6 (1) (f) GDPR is the legal basis for processing your personal data. Our interest is directed towards the use of a user-friendly, appealing and secure presentation as well as optimization of our offer, which both serves our business interests and meets your expectations.

Existence of special categories
Special categories of personal data (such as health data) are processed by us on the basis of Art. 9 para. 2 GDPR and the respective legal basis, insofar as this is necessary in exceptional cases within the scope of our activities.

Existence of other purposes
If the processing of personal data takes place for a purpose other than the one for which it was collected, the legal basis results from Article 6 (4) GDPR.

Recipients of personal data
We only disclose your personal data to our employees and third parties on the basis of legal requirements or if we have your express consent.
Within our company, only those persons who need to access your personal data in order to perform their tasks are granted access to it.
In addition, we sometimes work together with order processors. These can be natural or legal persons, authorities, institutions or other bodies that process personal data on our behalf. The contractor is bound by instructions, which means that he may only process the data in a way that we have explicitly instructed him to do.

Data Transfer to Third Party Providers/To Third Party Countries.
Our business activities are supported by a network of computers, cloud-based servers and other infrastructure and information technologies. Furthermore, we use various service providers („Third-Party Providers“) or their products to optimize our offerings and services; this also applies when our services link to other platforms such as social media. The aforementioned parties may be located in countries outside the European Union, the European Economic Area and Switzerland, if applicable. In these cases, we share personal data with the aforementioned parties in order to provide the requested service.

Data transfers to countries that do not have an adequate level of data protection that complies with the requirements of the GDPR („third countries“) may therefore arise in the context of the administration, development and operation of IT systems, marketing and customer communications and securing our offers.

Such data transfers only take place insofar as the transfer is permissible in principle and special requirements for a transfer to a third country exist. In particular, we ensure that the party processing the data there guarantees an adequate level of data protection in accordance with the EU standard contractual clauses for the transfer of personal data to data processors in third countries. Other data transfers may be based on other contractual protections.

We conclude contracts with our partners and service providers to ensure an adequate level of data protection, depending on the respective circumstances. These may be data processing agreements (DPAs) where there is commissioned processing, contracts based on the EU standard contractual clauses (SCCs) where there is shared responsibility, or binding corporate rules (BCRs).

Storage period
Personal data collected by us may be recorded both in paper form and electronically. According to Art. 17 GDPR, personal data must be deleted as soon as they are no longer required for the above-mentioned purposes and the deletion does not conflict with any legal retention requirements. We thus process and store your personal data only for the period of time required to fulfill the purpose of storage or if this has been provided for in laws or regulations. After discontinuation or fulfillment of the purpose, your personal data will be deleted or blocked. In the case of blocking, deletion will take place as soon as legal, statutory or contractual retention periods do not conflict with this, there is no reason to assume that deletion would impair your interests worthy of protection and deletion would not cause disproportionately high expense due to the special nature of the storage.

Data subject rights
You have the following rights vis-à-vis us, which you can assert with regard to the personal data concerning you:

Right to information, Art. 15 GDPR.
You have the right to information about whether we process personal data about you. In addition, the right of access provides you with information about the data concerning you and some other important criteria, such as the purposes of processing or the duration of storage. It makes it much easier for us to provide information if you tell us in what context we receive your data.

Right to rectification, Art. 16 GDPR
You have the right to rectification if you wish to have inaccurate personal data corrected.

Right to erasure, Art. 17 GDPR
Under the conditions of Art. 17 GDPR, you can request that we delete your personal data. However, this is only possible if the personal data concerning you is no longer necessary, is being processed unlawfully, or consent in this regard has been revoked.

Right to restriction of processing, Art. 18 GDPR.
The right to restriction of processing gives you the opportunity to prevent further processing of the personal data concerning you for the time being. The GDPR restricts this right when it concerns the exercise of legal claims, public interests worthy of protection or interests of another person.

Right to object, Art. 21 GDPR
According to Art. 21 GDPR, you have the possibility to object to the processing of personal data concerning you. This means that in a specific situation, you may object to the further processing of your personal data insofar as it is carried out on the basis of the performance of public tasks.

Right to data portability, Art. 20 GDPR.
The right to data portability means the possibility for you to receive your personal data from us in a common, machine-readable format in order to transfer it to another controller, if necessary. However, according to Article 20 (3) sentence 2 GDPR, this right does not apply to data processing that is in the public interest or in the exercise of official authority.

Right to revoke consent, Art. 7 (3) GDPR
Insofar as the processing of personal data is based on consent, you may revoke this consent at any time for the relevant purpose. The lawfulness of the processing based on the consent given remains unaffected until receipt of the revocation.

Right of complaint, Art. 77 GDPR
You also have a right of appeal to the supervisory authority under data protection law.

You can also contact our data protection officer mentioned above with questions and complaints.

Subject to change
We reserve the right to change the data protection information in order to adapt it to changed legal situations, or in the event of changes to the service or data processing. In the course of the further development of our Internet offer and the technologies used, changes to this data protection information may also become necessary. We therefore recommend that you visit this page regularly if you wish to be kept up to date. If your consent is required or parts of the data protection information contain regulations of the contractual relationship with you, the changes will only be made with your consent.

You will find the current status of this data protection notice at the end of this document.

Data Protection Notices for special processing situations App and Cockpit

Automated collection of data via our editorial system / the cockpit (website).

Purpose of processing
When visiting the editorial system (website), data is required to provide the corresponding service. The data is stored in central log system.

This information is used by us exclusively for purposes of technical administration of our editorial system, in support cases, for performance monitoring and ensuring the required performance; and for defense against illegal actions in connection with our system.

We reserve the right to check this log data retrospectively if there is a justified suspicion of an illegal act on the basis of concrete indications. Insofar as personal data is processed in this context, we do so exclusively to protect our legitimate interest in defending against unlawful acts in connection with our website for the editorial system.

Categories of personal data
During your visit to our editorial system, the following data is collected, among others:

– Information about IP address
– referring URL
– user ID
– date
– time of day
– browser version
– operating system
– URL

Storage period
The data is stored for a maximum period of 6 months and then automatically deleted if there are no indications of illegal use.

Legal basis
The legal basis for the processing of your personal data is our legitimate interest (Art. 6 para. 1 lit. f GDPR) or, if the user has given his consent, Art. 6 para. 1 lit. a GDPR.

Processing of data in our apps and in our editorial system (website)
Activation, registration, user account

Purpose of data processing
Only data that is required for the smooth functioning and processing of your activities with the editorial system is stored in your user account. You can edit this information at any time in your user account.
All data fields marked as mandatory for the activation and registration of the user account are required for the execution of the contract. Failure to provide this information will result in the contractual service not being able to be performed. The provision of further data is voluntary.

Legal basis
The legal basis for the processing of your personal data is the performance of contractual obligations (Art. 6 para. 1 lit. b GDPR).

Delete user

Purpose of data processing
This function allows you to permanently and irrevocably delete your access to the app solution and your data processed in the app. The contract data is stored by us for the duration of the applicable retention regulations.

Legal basis
The legal basis for the processing of your personal data is the performance of contractual obligations (Art. 6 para. 1 lit. b GDPR).

Feedback function
Purpose of data processing

We offer feedback functions in some of our apps and in the editorial system, whereby additional personal data must be stored in order to display the functionality.

Categories of personal data
When you use the feedback function, the following data, among others, are collected:

– Email address
– Feedback text

Legal basis
The legal basis for the processing of your personal data is your consent (Art. 6 para. 1 lit. a GDPR).

Information when using our apps
Purpose of data processing

We regularly make apps available for download on sites of third-party providers (such as App Store, Google Play Store, etc.). If, according to the applicable terms of use of such a provider, we become your contractual partner for the purchase of the app, we process the data provided to us by the third-party provider to the extent necessary in each case for the performance of the contract so that you can download the app to your mobile device.
Our apps use the following permissions for the purposes listed behind them, which give them access to certain features of your mobile device:

– Memory – to store data in the app.
– Network connections – for checking, establishing and disconnecting a mobile network connection
– WLAN connection information – for checking, establishing and disconnecting a WLAN connection
– Microphone – composing voice messages, dictation function
– Album / photos – uploading photos in the feedback form
– Calendar – access to calendars installed on the device
– Camera – creating photos/videos/live stream, using the barcode scanner
– Contacts – access to the address books/contacts installed on the device
– Push notifications – sending push messages to the mobile device
– Location data – to determine the current location of the device via GPS

Cookies
Purpose of data processing

For the correct functioning of our website for the editorial system, we need to set a few cookies. These are so-called „essential cookies“, without which the functions we offer cannot be realized. Your consent is not required for these types of cookies. We do not use any other cookies beyond these essential cookies.

In addition, you can manage cookies in your web browser and delete them completely. We would like to point out that this may result in functional restrictions.

You can set your browser so that you are informed about the setting of cookies and only allow cookies in individual cases, exclude the acceptance of cookies for certain cases or in general and activate the automatic deletion of cookies when closing the browser. If you deactivate cookies, the functionality of this website may be limited; this may mean that you cannot use certain functions at all.
When using apps, a technology comparable in function is used instead of cookies.

Legal basis
We use cookies in the legitimate interest to be able to make them an attractive fully functional offer (Art. 6 para 1 lit. f GDPR). Furthermore, all technically necessary cookies are required for the performance of the contract (Art. 6 para 1 lit. b GDPR). If this information is not stored, the consequence is that the contractual service cannot be fully performed.

Tracking and analysis
Purpose of data processing

In some of our apps, we partially use tracking services. Usage profiles can be created from the collected data. We use this information to tailor the use of the app in an automated and real-time manner. All data is stored pseudonymously.

The pseudonymized usage profiles are not merged with personal data about the bearer of the pseudonym without a separate consent to be given, unless you have given us a corresponding consent.

Categories of personal data

Examples of the categories of data collected are:

– Which templates and documents were worked with, when and for how long,
– which data sets were saved and shared via the „Sharing Center“,
– whether the blank templates or PDF documents were shared via the „Sharing Center“,
– which links were clicked and when.

Legal basis
The legal basis for the processing of your personal data is your consent (Art. 6 para. 1 lit. a GDPR) or our legitimate interest in optimizing our services (Art. 6 para. 1 lit. f GDPR).

Google Crashlytics
Crashlytics is an analytics tool; it can be used to generate so-called crash reports, i.e. reports about malfunctions or failures of the app, where and in what context they occurred, how many users of the app are affected by them, and other information related to your problem.

Purpose of data processing
We use these reports to learn about malfunctions or failures, to be able to react faster, more targeted and more efficiently and to improve the App technically accordingly. With the information, Crashlytics (and thus we) subsequently we gain insights into whether and how the App is working and being used, especially including any malfunctions or failures that occur.

Categories of Personal Data
Crashlytics records information about the crash and general data of the respective IT environment together with your App ID; in particular, this is information about the terminal device used, the mobile carrier and the operating system.

Storage period
Insofar as personal or pseudonymous data is contained in the collected data, Crashlytics deletes it after seven days at the latest.

Legal basis
The legal basis for the processing of your personal data is your consent (Art. 6 para. 1 lit. a GDPR) or our legitimate interest in optimizing our services (Art. 6 para. 1 lit. f GDPR).

Subcontractors involved
The recipient of your personal data as a processor is:

Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland.

A transfer of data to the USA cannot be ruled out. The recipient of your personal data in this case is.

Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

We have concluded an order processing agreement with Google; in this agreement, Google undertakes to process personal data within the framework of the standard data protection clauses approved by the EU Commission. The basis for this is Art. 46 GDPR.

Google Firebase Push Notification Service
For some of our apps, we use the Firebase Push Notification Service for push notifications. For this, a unique identification string is generated when logging in to the service, which allows to send messages to a specific device. These unique strings are linked to the logged-in user on our servers in order to notify them specifically about information available to them.

Legal basis
The legal basis for the processing of your personal data is the performance of contractual obligations (Art. 6 para. 1 lit. b GDPR).

Involved subcontractors
The recipient of your personal data as a processor is:

Google Ireland Ltd, Gordon House, Barrow Street, Dublin 4, Ireland.

A transfer of data to the USA cannot be excluded. The recipient of your personal data in this case is.

Google Inc, 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA.

We have concluded an order processing agreement with Google; in this agreement, Google undertakes to process personal data within the framework of the standard data protection clauses approved by the EU Commission. The basis for this is Art. 46 GDPR.

ElasticSearch
Purpose of data processing

We rely on ElasticSearch as a centralized logging platform.
We use these reports to learn about malfunctions or failures, to be able to react faster, more targeted and more efficiently, and to improve the apps and Cockpit technically accordingly. With this information, we gain insights into whether and how the Apps and Cockpit are functioning and being used, especially including malfunctions and failures that occur.

Categories of personal data
– Information about IP address
– referring URL
– URL
– user ID
– date
– time of day
– browser version
– Operating System
– App name
– App version

Storage period
The data is stored for a maximum period of 6 months and then automatically deleted if there are no indications of illegal use.

Legal basis
The legal basis for the processing of your personal data is the performance of contractual obligations (Art. 6 para. 1 lit. b GDPR).

Status: July 2022

1. General

(1) The contractor shall process personal data on behalf of the client within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR). This agreement regulates the rights and obligations of the parties in connection with the processing of personal data.

(2) Where the term “data processing” or “processing” (of data) is used in this agreement, the definition of “processing” within the meaning of Art. 4 (2) GDPR shall apply.

2. Subject of the agreement

The subject matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are set out in Annex 1 to this agreement.

3. Rights and obligations of the client

(1) The client is the responsible person within the meaning of Art. 4 (7) GDPR for the processing of data on behalf of the contractor. Pursuant to clause 4 (5), the contractor shall be entitled to notify the client if data processing which it considers to be legally inadmissible is the subject of the order and/or an instruction.

(2) The client shall be responsible as the controller for safeguarding the rights of the data subjects. The contractor shall inform the client without delay if data subjects assert their data protection rights against the contractor.

(3) The client shall have the right to issue supplementary instructions to the contractor at any time regarding the type, scope and procedure of data processing. Instructions must be given in text form (e.g. email).

(4) Regulations on any remuneration of additional expenses incurred by the contractor due to supplementary instructions of the client shall remain unaffected.

(5) The client may appoint persons authorised to issue instructions. If persons authorised to issue instructions are to be named, they shall be specified in Annex 1. In the event that the persons authorised to give instructions at the client change, the client shall notify the contractor thereof in text form.

(6) The client shall inform the contractor without delay if it discovers errors or irregularities in connection with the processing of personal data by the contractor.

(7) In the event that there is an obligation to inform third parties pursuant to Art. 33, 34 GDPR or any other statutory notification obligation applicable to the client, the client shall be responsible for compliance therewith.

4. General obligations of the contractor

(1) The contractor shall process personal data exclusively within the framework of the agreements made and/or in compliance with any supplementary instructions issued by the client. This does not apply to legal regulations which may oblige the contractor to process the data in another way. In such a case, the contractor shall notify the client of these legal requirements prior to the processing, unless the law in question prohibits such notification due to an important public interest. The purpose, nature and scope of the data processing shall otherwise be governed exclusively by this agreement and/or the client’s instructions. The contractor is prohibited from processing data in any way deviating from this, unless the client has agreed to this in writing.

(2) The contractor itself shall only transfer data in member states of the European Union (EU) or the European Economic Area (EEA) in the case of commissioned data processing. If this cannot be guarantees, e.g. in the case of subcontractors, only companies in countries for which the European Commission has decided that they have a level of data protection comparable to the EU will be selected in any case.

(3) In the area of commissioned data processing, the contractor shall ensure that all agreed measures are carried out in accordance with the agreement.

(4) The contractor shall be obliged to organise its company and its operating procedures in such a way that the data which it processes on behalf of the client are secured to the extent necessary in each case and protected against unauthorised access by third parties. The contractor shall coordinate with the client in advance changes in the organisation of the commissioned data processing which are significant for the security of the data.

(5) The contractor shall inform the client without delay if, in its opinion, an instruction issued by the client violates statutory regulations. The contractor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the client. If the contractor can demonstrate that processing in accordance with the client’s instructions may lead to liability on the part of the contractor pursuant to Art. 82 GDPR, the contractor shall be entitled to suspend further processing in this respect until the liability between has been clarified between the parties.

(6) The commissioned processing of data on behalf of the client outside the premises of the contractor or subcontractors is only permitted with the consent of the client in writing or text form. Processing of data for the client in private residences is only permitted in individual cases with the consent of the client in writing or text form.

(7) The contractor shall process the data it processes on behalf of the client separately from other data. Physical separation is not mandatory.

(8) The contractor may name to the client the person(s) authorised to receive instructions from the client. If persons authorised to receive instructions are to be named, they shall be specified in Annex 1. In the event that the persons authorised to receive instructions change at the contractor, the contractor shall notify the client thereof in text form.

5. Data protection officer of the contractor

(1) The contractor confirms that it has appointed a data protection officer in accordance with Art. 37 GDPR. The contractor shall ensure that the data protection officer has the necessary qualifications and expertise. The contractor shall inform the client of the name and contact details of its data protection officer separately in text form.

(2) The obligation to appoint a data protection officer pursuant to paragraph 1 may be waived at the discretion of the client if the contractor can prove that it is not legally obliged to appoint a data protection officer and the contractor can prove that operational regulations are in place which ensure the processing of personal data in compliance with the statutory provisions, the provisions of this agreement and any further instructions of the client.

6. Reporting obligations of the contractor

(1) The contractor is obliged to notify the client without delay of any infringement of data protection regulations or of the contractual agreements made and/or of the client’s instructions, which has occurred in the course of the processing of data by the contractor or other persons involved in the processing. The same shall apply to any breach of the protection of personal data processed by the contractor on behalf of the client.

(2) Furthermore, the contractor shall inform the client without undue delay if a supervisory authority takes action against the contractor pursuant to Art. 58 GDPR; this may also concern an inspection of the processing that the contractor provides on behalf of the client.

(3) The contractor is aware that the client may be subject to a reporting obligation pursuant to Art. 33, 34 GDPR, which provides for notification to the supervisory authority within 72 hours of becoming aware of it. The contractor shall support the client in the implementation of the reporting obligations. The contractor shall in particular notify the client of any unauthorised access to personal data processed on behalf of the client without undue delay, but at the latest within 48 hours of becoming aware of such access. The contractor’s notification to the client shall in particular contain the following information:

• A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects, the categories concerned and the approximate number of personal data records concerned;

• A description of the measures taken or proposed by the contractor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.

7. Cooperation obligations of the contractor

(1) The contractor shall support the client in its obligation to respond to requests for the exercise of data subject rights pursuant to Art. 12-23 GDPR. The provisions of clause 11 of this agreement shall apply.

(2) The contractor shall participate in the drawing up of the registers of processing activities by the client. It shall provide the client with the information required in this respect in an appropriate manner.

(3) The contractor shall support the client in complying with the obligations set out in Art. 32-36 GDPR, taking into account the nature of the processing and the information available to it.

8. Inspection rights

(1) The client shall have the right to inspect the contractor’s compliance with the statutory provisions on data protection and/or compliance with the contractual provisions made between the parties and/or compliance with the client’s instructions at any time to the extent required.

(2) The contractor is obliged to provide the client with information, insofar as this is necessary to carry out the inspections within the meaning paragraph 1.

(3) The client may demand to inspect the data processed by the contractor on behalf of the client as well as the data processing systems and programmes used.

(4) The client may carry out the inspections within the meaning of paragraph 1 at the contractor’s premises during normal business hours after prior notification with reasonable notice period. The client shall ensure that the inspections are only carried out to the extent necessary in order not to disproportionately disrupt the contractor’s operations as a result of the inspections.

(5) The contractor shall be obliged, in the event of measures taken by the supervisory authority vis-à-vis the client within the meaning of Art. 58 GDPR, in particular with regard to information and inspection obligations, to provide the necessary information to the client and to enable the respective competent supervisory authority to carry out an on-site inspection. The client shall be informed by the contractor about corresponding planned measures.

9. Subcontracting

(1) The commissioning of subcontractors by the contractor is only permissible with the consent of the client in text form. The contractor shall list all subcontracting relationships already existing at the time of the conclusion of the agreement in Annex 2 to this agreement.

(2) The contractor shall carefully select the subcontractor and check before commissioning that the subcontractor can comply with the agreements made between the client and the contractor. In particular, the contractor shall check in advance and regularly during the term of the agreement that the subcontractor has taken the technical and organisational measures required under Art. 32 GDPR to protect personal data. The result of the check shall be documented by the contractor and transmitted to the client upon request.

(3) The contractor shall be obliged to have the subcontractor confirm that it has appointed an in-house data protection officer in accordance with Art. 37 GDPR. In the event that no data protection officer has been appointed at the subcontractor’s, the contractor shall point this out to the client and provide information to the effect that the subcontractor is not legally obliged to appoint a data protection officer.

(4) The contractor shall ensure that the regulations agreed in this agreement and, if applicable, supplementary instructions of the client also apply to the subcontractor.

(5) The contractor shall conclude a data processing agreement with the subcontractor that complies with the requirements of Art. 28 GDPR. In addition, the contractor shall impose the same personal data protection obligations on the subcontractor as are laid down between the client and the contractor. The client shall be provided with a copy of the data processing agreement upon request.

(6) The contractor shall in particular be obliged to ensure by contractual provisions that the inspection rights (clause 8 of this agreement) of the client and of supervisory authorities also apply vis-à-vis the subcontractor and that corresponding inspection rights of the client and supervisory authorities are agreed. It must also be contractually stipulated that the subcontractor must tolerate these inspection measures and any on-site inspections.

(7) Services which the contractor uses from third parties as a purely ancillary service in order to carry out the business activity are not to be regarded as subcontracting relationships within the meaning of paragraphs 1 to 6. This includes, for example, cleaning services, pure telecommunication services without any specific reference to services provided by the contractor to the client, postal and courier services, transport services, security services. The contractor shall nevertheless be obliged, also in the case of ancillary services provided by third parties, to ensure that appropriate precautions and technical and organisational measures have been taken to guarantee the protection of personal data. The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship requiring consent and commissioned data processing within the meaning of Art. 28 GDPR if the maintenance and testing concerns IT systems that are also used in connection with the provision of services to the client and personal data processed on behalf of the client can be accessed during the maintenance.

10. Confidentiality obligation

(1) When processing data for the client, the contractor is obliged to maintain the confidentiality of data which it receives or becomes aware of in connection with the data processing. The contractor undertakes to observe the same rules on the protection of secrets as are incumbent on the client. The client shall be obliged to inform the contractor of any special rules on the protection of secrets.

(2) The contractor warrants that it is aware of the applicable data protection regulations and is familiar with their application. The contractor further warrants that it has familiarised its employees with the provisions of data protection applicable to them and has obliged them to maintain confidentiality. The contractor further warrants that it has in particular obliged the employees engaged in the performance of the work to maintain confidentiality and has informed them of the client’s instructions.

(3) The obligation of the employees pursuant to paragraph 2 shall be proven to the client upon request.

11. Safeguarding of data subject rights

(1) The client shall be solely responsible for safeguarding the rights of the data subjects. The contractor is obliged to support the client in its duty to process requests from data subjects in accordance with Art. 12-23 GDPR. The contractor shall in particular ensure that the information required in this respect is provided to the client without delay so that the client can in particular fulfil its obligations under Art. 12 (3) GDPR.

(2) Insofar as the cooperation of the contractor is necessary for the safeguarding of data subject rights – in particular for information, rectification, blocking or erasure – by the client, the contractor shall take the respective necessary measures according to the client’s instructions. The contractor shall, as far as possible, support the client with suitable technical and organisational measures in fulfilling its obligation to respond to requests to exercise data subject rights.

(3) Regulations on any remuneration of additional expenses incurred by the contractor due to cooperation in connection with the assertion of data subject rights vis-à-vis the client shall remain unaffected.

12. Secrecy obligations

(1) Both parties undertake to treat all information received in connection with the performance of this agreement as confidential for an unlimited period of time and to use it only for the performance of the agreement. Neither party is entitled to use this information in whole or in part for purposes other than those just mentioned or to make this information available to third parties.

(2) The above obligation shall not apply to information which one of the parties has demonstrably received from third parties without being obliged to maintain confidentiality or information which is publicly known.

13. Remuneration

The contractor’s remuneration shall be agreed separately.

14. Technical and organisational measures for data security

(1) The contractor undertakes vis-à-vis the client to comply with the technical and organisational measures required to comply with the applicable data protection provisions. This includes, in particular, the requirements of Art. 32 GDPR.

(2) The status of the technical and organisational measures existing at the time of the conclusion of the agreement shall be an integral part of this agreement. The parties agree that changes to the technical and organisational measures may be necessary in order to adapt to technical and legal circumstances. The contractor shall agree in advance with the client on any significant changes that may affect the integrity, confidentiality or availability of the personal data. Measures that only entail minor technical or organisational changes and do not negatively affect the integrity, confidentiality and availability of the personal data may be implemented by the contractor without consultation with the client. The client may request an up-to-date version of the technical and organisational measures taken by the contractor at any time.

(3) The contractor shall check the effectiveness of the technical and organisational measures it has taken on a regular basis and also on an ad hoc basis. In the event that there is a need for optimisation and/or modification, the contractor shall inform the client.

15. Duration of the data processing agreement

(1) The agreement shall commence upon signature and shall be concluded for an indefinite period.

(2) It may be terminated with three months’ notice to the end of the quarter.

(3) The client may terminate the agreement at any time without notice if there is a serious breach by the contractor of the applicable data protection provisions or of obligations under this agreement, if the contractor is unable or unwilling to carry out an instruction of the client or if the contractor refuses access by the client or the competent supervisory authority in breach of the agreement.

16. Termination

(1) After termination of the agreement, the contractor shall return to the client or delete, at the client’s discretion, all documents, data and processing or utilisation results produced which have come into its possession and which are connected with the contractual relationship. The deletion shall be documented in a suitable manner. Any statutory retention obligations or other obligations to store the data remain unaffected. In the case of data carriers, these must be destroyed if the client wishes to delete them, whereby at least security level 3 of DIN 66399 must be complied with; proof of destruction must be provided to the client with reference to the security level in accordance with DIN 66399.

(2) The client has the right to check the complete and contractual return and deletion of the data at the contractor. This can also be done by inspecting the data processing equipment at the contractor’s premises. The on-site inspection shall be announced by the client with reasonable notice.

17. Right of retention

The parties agree that the defence of the right of retention by the contractor within the meaning of § 273 BGB (German Civil Code) is excluded with regard to the processed data and the associated data carriers.

18. Final provisions

(1) Should the property of the client at the contractor be endangered by measures of third parties (for example by seizure or attachment), by insolvency proceedings or by other events, the contractor shall inform the client immediately. The contractor shall inform the creditors without delay of the fact that the data involved is being processed on behalf of a client.

(2) The written form is required for ancillary agreements.

(3) Should individual parts of this agreement be invalid, this shall not affect the validity of the remaining provisions of the agreement.

 

Page break

Annex 1 – Subject of the agreement

1. Subject matter and purpose of the processing

The client’s commissioning of the contractor includes the following work and/or services:

The type, scope and purpose of the data processing result from the main agreement.

2. Type(s) of personal data

The following types of data are regularly the subject of processing:

• Email address, password and user name
• The data types of further personal data depend on which information the respective APPsolute Mobility user specifies as relevant in the app. As a rule, these are likely to be:

1. a) Full name, company, email, password, gender, etc.
2. b) Contact details of contact persons’ business cards, e.g. company name, postal and/or email address, telephone and/or fax numbers as text and/or as image information;
3. c) Photos of the contact person or other identification documents (driving licence, ID card, etc.)
4. d) Time and place of the meeting, including the name of the meeting/event, etc.
5. e) Bank details of the contact person
6. f) Signatures as text and/or as image information
7. h) Various media (photos, audios, videos, …)
8. i) Barcode information
9. j) Location data via GPS
10. Categories of data subjects

Groups of data subjects affected by the data processing:

• a) Users authorised by the client to use APPsolute Mobility (identified by email and names of users)

 

(b) Other persons who are/were in contact with the user and whose data was recorded using the APPsolute Mobility App. This can include, among others: Names, contact and address data, dates of birth, bank details, etc. (see also § 2)

4. Persons authorised to receive instructions at the contractor

 

1. Data protection officer

datenschutz@appsolute-mobility.comPage break

Annex 2 – Subcontractor

For the processing of data on behalf of the client, the contractor uses the services of third parties who process data on its behalf (“subcontractors”).

This is the following company or companies:

Subcontractor 1

Theano GmbH

Kiefernweg 8

49205 Hasbergen

www.theano.de

Phone: +49 (0)5405-9282 5431

(1) Tasks of the subcontractor

1. a) IBAN calculator (the IBAN validator functionality can be booked as an option in the FORMS module of the APPsolute Mobility platform)

 

Subcontractor 2

Byteplant GmbH Software Solutions & Consulting

HeilsbronnerStrasse 4

91564 Neuendettelsau

www.byteplant.com

Phone: +49 (0)9874 322 466

(1) Tasks of the subcontractor

1. a) Address validator (the address validator functionality can be optionally booked in the FORMS module of the APPsolute Mobility platform)

 

 

Subcontractor 3

Hetzner Online GmbH

Industriestr. 25
91710 Gunzenhausen

www.hetzner.com

Phone: +49 (0) 9831 505-0

(1) Tasks of the subcontractor

1. a) Data centre / web hosting

 

Subcontractor 4

Telekom Deutschland GmbH
Landgrabenweg 151

D-53227 Bonn

www.telekom.de

Phone: +49 (0) 228 – 181 0

(1) Tasks of the subcontractor

1. a) Open Telekom Cloud data centre / web hosting

 

Subcontractor 5

Google Ireland Limited

Gordon House

Barrow Street

Dublin 4 – Ireland

1. Tasks of the subcontractor
2. Crashlytics: Crash Report Service

Firebase Push Notification Service: Service for sending push notifications (the push notifications functionality can be optionally booked in the APPsolute Mobility platform)