1. INTRODUCTION, SCOPE, DEFINITIONS
1 The subject of the DPA is the commissioning of yawave by the customer (Client) within the scope of the functions of the yawave Software Suite used by the customer. The processing is based in particular on the General Terms and Conditions existing between the parties (yawave GTC No. 9). yawave processes personal data for the customer within the meaning of Art. 4 No. 2 and Art. 28 GDPR on the basis of this GTC.
2 This Agreement is an integral part of the Contract and it shall enter into force upon the conclusion of the Contract. In the event of a conflict between the provisions of the Contract and the DPA or contradictory statements in the Contract and the DPA, the provisions of the DPA shall prevail over the provisions of the Contract with respect to the respective conflict or contradiction.
3 yawave updates these terms and conditions regularly. If the customer has an active yawave subscription, yawave will notify the customer of any updates by email or in the application.
4 The term of this DPA is determined by the term of the Contract. All terms have the meaning specified in the Contract, unless another meaning is specified in this DPA.
5 Terms used in this contract are to be understood according to their definition in the EU General Data Protection Regulation (GDPR). In this sense, the customer is the “responsible party”, yawave is the “processor”.
2. NATURE, PURPOSE AND DATA SUBJECTS OF DATA PROCESSING
6 Personal data is processed by the customer via the yawave software suite in the following manner: Collecting, recording, organizing, arranging, storing, adapting or modifying, reading, querying, using, disclosing by transmission, dissemination or any other form of making available, matching or linking, restricting, deleting or destroying data.
7 The underlying purpose of the processing is described in the yawave GTC.
8 The following categories of personal data are processed in the process:
– Personal master data such as title, first name, last name, address data, e-mail addresses
– Behavioral data such as visits to specific publications, form submissions, news preferences
– Billing and payment data such as bank details, payment and account data
– Server log data such as browser type and version, operating system used, referrer URL, host name of the accessing computer, time of server request, IP address.
– All other categories, which, for example, come into the knowledge of yawave through simple indexing or through causal relationships.
9 The categories of persons concerned by the processing are the following:
– Interested parties, users and customers of the customer
– Employees and contact persons of the customer
– Suppliers and service providers of the customer
3. DUTIES OF YAWAVE
10 yawave processes personal data exclusively as contractually agreed or as instructed by the customer, unless yawave is legally obligated to a certain processing. If such obligations exist, yawave shall notify the custom-er thereof prior to processing, unless such notification is prohibited by law. yawave shall furthermore not use the data provided for processing for any other purposes, in particular for its own purposes.
11 yawave confirms that the relevant, general data protection regulations are known and observes the principles of proper data processing.
12 yawave undertakes to strictly maintain confidentiality during processing. Persons who may gain knowledge of the data processed on behalf of yawave are obligated in writing to maintain confidentiality.
13 yawave assures that the persons employed by yawave for processing are familiarized with the relevant provisions of data protection before processing begins. Corresponding training and sensitization measures are repeated appropriately on a regular basis. yawave ensures that persons employed for commissioned processing are appropriately instructed and monitored with regard to compliance with data protection requirements on an ongoing basis.
14 In connection with the commissioned processing, yawave shall support the customer to the extent necessary in fulfilling its obligations under data protection law, in particular in creating and updating the directory of processing activities, in carrying out the data protection impact assessment and any necessary consultation with the supervisory authority. The required information and documentation will be provided to the customer upon request.
15 yawave shall notify the customer immediately of any violations of the protection of personal data processed on behalf of the customer. Reasonable suspicions thereof shall also be notified. The notification must contain at least the following information:
– A description of the nature of the personal data breach, including, to the extent possible, the categories and approximate number of individuals affected, the categories affected, and the approximate number of personal data records affected;
– the name and contact details of the data protection officer or other point of contact for further information;
– a description of the likely consequences of the personal data breach;
– A description of the measures taken or proposed by yawave to address the personal data breach and, if applicable, measures to mitigate its potential adverse effects
16 Significant disruptions in the execution of the order as well as violations of data protection regulations or the provisions of this contract by yawave or its employees must also be reported immediately.
17 yawave shall inform the customer without delay of controls or measures by supervisory authorities or other third parties, insofar as these relate to the commissioned processing.
18 yawave assures to support the customer in his obligations according to Art. 33 and 34 of the General Data Protection Regulation to the necessary extent.
19 If the customer is subject to inspection by supervisory authorities or other bodies or if data subjects assert rights against it, yawave undertakes to support the customer to the extent necessary insofar as the processing on behalf is concerned.
20 Information to third parties or the person concerned may yawave only with the prior consent of the customer. Requests addressed directly to him yawave will forward to the customer.
21 yawave appoints a competent and reliable person as data protection officer. In case of doubt, the customer may contact the data protection officer directly. Changes in the person or the internal tasks of the representative will be communicated to the customer by yawave.
22 As a matter of principle, the commissioned processing shall take place within the EU or the EEA. Any relocation to a third country may only take place with the consent of the Customer and under the conditions contained in Chapter V of the General Data Protection Regulation and in compliance with the provisions of this Agreement.