Pursuant to Art 28 of the GDPR
Concluded between
Linearis GmbH, Zirkusgasse 15/17, 1020 Vienna, Austria, represented by Mag. Robert Lochner, hereinafter referred to as the processor
and the
contractual partner [customer], represented by [contact person according to order], hereinafter referred to as the responsible.
Together they are called parties or contracting parties.
1. Introduction
1.1 The responsible has commissioned the processor to provide IT services. This contract regulates the processing of personal data on behalf of the responsible by the processor.
1.2 According to Article 28 paragraph 3 of the GDPR, the responsible is obliged to conclude a written contract with the processor for the processing of personal data. With this contract, the responsible fulfils this obligation.
1.3 The processor undertakes to comply with all provisions of the GDPR as well as the Austrian Data Protection Act in its currently valid version and the other specific data protection laws and regulations.
2. Description of the processing of personal data
2.1 The data processing undertaken by the processor is based on the Software-as-a-Service contract (hereinafter referred to as SaaS contract) concluded between the parties, which takes precedence over this processor contract.
2.2 Processing shall begin with the registration of a so-called application by the responsible in the data1.io Cloud service and shall continue indefinitely until the termination of this contract.
2.3 The processing of data fulfils the following purposes:
The software data1.io is used to collect, aggregate and share company data within the scope of customer-specific applications, for example for sales forecasts, group controlling, human resource (HR) planning, project controlling, financial planning and much more.
2.4 The following data is processed:
User master data: E-mail address and name of each user, password (encrypted), role(s) and rights in the data1.io applications of the responsible's company.
Usage metrics: Logging of the time and type of each activity in the software, logging of so-called session variables from the client.
Data provided by the responsible: All personal data that the responsible enters and processes in the context of the Software.
2.5 The data of the following persons or groups is processed:
All active (and with data1.io registered) users in a so-called application of the responsible.
3. General obligations of the processor
3.1. The processor shall process the personal data solely on the basis of this contract or as separately instructed by the responsible in a documented manner, unless Union law or the law of a Member State of the European Union to which the processor is subject requires the processor to process the data in a different manner. Where such an obligation exists, the processor shall notify the responsible prior to processing, unless the applicable law prohibits such notification for important public interest reasons. Processing of personal data for the processor’s own purposes requires a written order.
3.2. The processor is entitled to evaluate and process the usage metrics of the responsible for the purpose of continuous improvement of the software.
3.3. The processor warrants that persons who have or may have knowledge of the data processed under the order undertake in writing to maintain confidentiality before processing or becoming aware of such data, unless they are already subject to an appropriate legal obligation of confidentiality.
3.4. The processor will, if possible, support the responsible with appropriate technical and organizational measures (TOM) in answering and fulfilling requests from data subjects in accordance with chapter III of the GDPR (transparent information, communication and modalities; information obligations and rights of access; data correction and deletion; processing restrictions; notification obligations; data transmission; opposition; automated decisions and profiling), so that the responsible can fulfil his obligations in this regard. The processor will receive a remuneration based on the support conditions for the time spent by his employees on such support services.
3.5. The processor shall support the responsible and take all necessary measures in accordance with Art 32 of the GDPR so that both parties jointly take appropriate technical and organizational measures (TOM) to ensure a level of protection appropriate to the respective risk.
3.6. The assessment of the level of protection is based in particular on the risks associated with data processing, such as destruction, loss, alteration or unauthorized disclosure of or access to processed personal data.
3.7. The processor will assist the responsible in complying with the obligations set out in Articles 32 to 36 of the GDPR (security of processing, notification of violations of personal data protection to the supervisory authority, notification of the person affected by a violation of personal data protection, data protection impact assessment, prior consultation).
3.8. Upon completion of the processing services, the processor shall, at the choice of the responsible, either delete or return all personal data within the legal time limits, unless there is an obligation to store personal data under European Union or national law.
4. Subcontracting
4.1. The commissioning or use of sub-contractors (hereinafter referred to as sub-contractors) is in principle permitted to the processor, provided that he informs the responsible in advance of any intended commissioning or use of sub-contractors and the responsible is free to object to such commissioning or use without giving reasons. In the event of such an objection, the processor will not engage or use the subcontractor.
4.2. The above point 4.1 shall also apply to cases of modification or replacement of subcontractors already approved by the responsible.
4.3. The processor is authorized under this Agreement to use the following company (including its subsidiaries) as subcontractor:
Microsoft Corporation
One Microsoft Way
Redmond, WA 98052-6399
USA
4.4. The processor shall only select sub-contractors who, on the basis of the technical and organizational measures taken by them and documented to the processor, are suitable and obliged to carry out the processing of Personal Data in accordance with the requirements of the GDPR.
4.5. The processor shall enter into the necessary agreements with the subcontractor in accordance with Art 28 para. 4 of the GDPR.
4.6. If the subcontractor does not comply with its (data protection) obligations, the processor shall be liable to the responsible.
5. Information obligations of the processor and audit rights of the responsible
The processor is obliged to provide the responsible with all information necessary to prove that the processor has complied with the obligations imposed on him in this contract. If the processor is of the opinion that an instruction issued by the responsible violates the GDPR or other data protection regulations of the EU or its member states, it must inform the responsible immediately and with justification. The responsible is entitled to check the compliance with all relevant data protection regulations and the observance – including inspections – of the contractual provisions itself or by third parties at the processor and any subcontractors.
6. Costs of participation
The costs incurred in connection with the exercise of the necessary rights of participation of the processor (in particular, but not exclusively, in connection with an inspection and the exercise of data subject rights) shall be borne by the responsible. In these cases, the hourly rate agreed in the SaaS contract shall apply.
7. Limitation of liability
In the event of joint and several liability due to the violation of data protection regulations (this includes for example fines in the sense of Art 83 of the GDPR, obligations to pay damages in the sense of Art 82 GDPR as well as warnings in the sense of the UWG "Austrian act against unfair business practices"), the liability of the processor is limited to twelve times the monthly fee to be paid by the responsible to the processor. This limitation of liability shall not apply in case of intentional damage caused by the processor. In the event of a claim being made against the processor in the external relationship, the responsible shall indemnify the processor in respect of the amount exceeding the limitation in the sense of this point.
8. Termination of contract
8.1. The duration of this contract depends on and is linked to the underlying SaaS contract (Attachment ./A).
8.2. Upon termination of the contract (or at any time beforehand at the request of the responsible), the processor will either destroy the data processed in the order (including any copies) or hand them over to the responsible in their entirety at the free discretion of the responsible.
9. Final clauses
9.1. Amendments and/or supplements to this contract must be in writing and signed by both parties to the contract in order to be legally effective; the written form is also necessary for waiving this formal requirement.
9.2. Austrian law shall apply to all legal questions arising from or in connection with this contract, including the question of its valid conclusion and its pre- and post-effects, to the exclusion of its referral provisions.
9.3. For all disputes arising out of or in connection with this contract, including the question of its valid status and its pre- and post-effects, the contracting parties agree on the exclusive jurisdiction of the respective competent court in Vienna.
9.4. If any provision of this Agreement is or becomes void, unenforceable and/or invalid, this shall not cause the voidness, unenforceability and/or invalidity of the entire Agreement. In such a case, the parties undertake to replace the void, unenforceable and/or invalid provision by a provision which comes closest to the economic purpose of the void, unenforceable and/or invalid provision.