Version: February 26, 2025
secjur GmbH, Falkensteiner Ufer 40, 22587 Hamburg (hereinafter "SECJUR") offers technological software solutions in the field of compliance through a Software-as-a-Service model (hereinafter "Digital Compliance Office" or "DCO"). The contractual partner of SECJUR (hereinafter "Client") intends to use the DCO provided by SECJUR for a fee.
1. Applicability
1.1. These General Terms and Conditions (hereinafter "GTC Software") apply exclusively to the provision and use of the DCO. They, together with the respective offer detailing the services provided (hereinafter "Offer") and the associated Special Terms, as well as any additional contractual agreements, constitute the Contract (hereinafter "Contract") concluded between SECJUR and the Client.
1.2. The GTC Software shall also apply to all future services provided to the Client without the need for a new agreement.
1.3. The Client’s terms and conditions shall not apply, even if SECJUR does not expressly object to their validity in individual cases. Even if the Client refers to a letter containing or referencing their own terms and conditions, SECJUR’s unconditional performance of the services does not imply agreement to the validity of those terms. Any deviating, conflicting, or supplementary terms and conditions of the Client shall only become part of the Contract if the parties have expressly agreed to their validity in writing.
2. Offer and Conclusion of Contract
SECJUR's Offer is non-binding and without obligation unless it is expressly designated as binding or includes a specific acceptance period.
3. Scope of Functions of the DCO
3.1. SECJUR provides the Client with the DCO in its current version as a technical tool to assist in the independent fulfillment of obligations and implementation of requirements in the field of compliance for the duration of this Contract, via a server that is accessible to the Client over the Internet using a standard browser in the current version, for a fee.
3.2. The scope of functions of the DCO is provided to the Client through an Offer specifying the listed services and associated Special Terms, as well as any additional contractual agreements. The information contained therein is not to be understood as a guarantee of the quality of the DCO, unless explicitly stated as such in the product description. This is due to the fact that SECJUR continuously develops the DCO.
3.3. The delivery point of the DCO is the router output of SECJUR's cloud provider.
3.4. SECJUR may provide services through subcontracting to third parties (hereinafter "Subcontractors").
3.5. The services listed in the Offer may be specified by SECJUR in a service description. The service description is part of the Contract.
3.6. The parties agree that the agreed-upon services may be adjusted by SECJUR as necessary during the term of the Contract due to changes in technical, legal, or factual requirements and needs and/or due to technological advancements.
3.7. The exercise of the right to determine the scope of services is only permissible insofar as SECJUR takes the legitimate interests of the Client into account.
3.8. The exercise of the right to determine the scope of services must not restrict the core service provision to the detriment of the Client.
3.9. Unused services from SECJUR will expire at the end of the following quarter. In the case of KYC, KYB, PEP, and Sanction List scans, they will expire at the end of the current contract year.
3.10. If SECJUR provides a whistleblowing tool, the "GENERAL TERMS AND CONDITIONS for the usage of the Whistleblowing Solution of SECJUR GmbH" shall apply.
4. Availability
4.1. SECJUR provides the DCO with an availability of 99 % on an annual average.
4.2. The availability percentage is calculated using the following formula: Availability = ([Total time in minutes – Downtime in minutes] / Total time in minutes) x 100.
4.3. The total time in minutes is based on the agreed operating hours per calendar month. The operating hours are from Monday to Sunday, from 00:00 to 24:00.
4.4. Downtime refers to those minutes during which dco.secjur.com is not accessible.
4.5. Excluded are maintenance periods and downtime during which the server is unavailable due to other technical issues that are outside SECJUR’s control (e.g., force majeure). Additionally, downtime caused by the wrongful actions or omissions of the Client or an unauthorized third party is excluded. Also excluded are planned maintenance activities (e.g., DCO updates) that occur outside of Monday to Friday between 9:00 AM and 6:00 PM. SECJUR will promptly inform the Client about any planned maintenance activities, where possible.
5. Remuneration and Payment
5.1. The Client is obligated to pay SECJUR the remuneration specified in the Offer. Any additional or special services will be charged separately.
5.2. The remuneration is due immediately and must be paid in full, without any deductions, no later than fourteen (14) days after receipt of the invoice to the account specified by SECJUR. Recurring and one-time payments are to be made annually in advance.
5.3. All prices are exclusive of applicable statutory VAT.
5.4. If the Client is in default of payment, SECJUR may charge default interest at a rate of nine (9) percentage points above the applicable base interest rate per annum. The right to claim further damages due to delay remains reserved.
5.5. SECJUR is entitled to adjust the contractually agreed remuneration annually based on the German Consumer Price Index (Verbraucherpreisindex, VPI). In addition to the adjustment according to the VPI, the remuneration will increase annually by 2.9%. These provisions reflect the continuous added value due to the increasing innovation of the software and address the inflation risk without providing SECJUR with nominally better terms. The first adjustment will take place one year after the start of the contractual term. The adjustment of the remuneration serves to reflect the development of the costs that are relevant for the price calculation. These include, among other things, changes in the costs of procuring hardware and software, energy, the use of communication networks, as well as changes in labor costs and other changes in the economic or legal framework conditions.
5.6. The Client is only entitled to offset claims to the extent that their counterclaim has been legally established or is undisputed. The Client is only entitled to assert a right of retention due to counterclaims arising from this contractual relationship.
6. Obligations of the Client
6.1. The Client is obligated to use the DCO only within the scope of the usage rights granted to them. In this regard, the Client is required to ensure that the natural persons designated by the Client are obligated to comply with the usage rights granted to the Client.
6.2. The Client's employees use the DCO after creating a personal password. The Client is required to ensure that their employees are obligated to keep the individual passwords confidential and not make them accessible to third parties.
6.3. The Client is obligated to obtain the necessary consent from the data subjects, insofar as this is required for the use of the DCO and no alternative legal basis for processing applies.
6.4. Upon termination of the Contract, the Client's access to the DCO will be blocked. The Client is obligated to back up relevant data on their systems until the end of the Contract.
6.5. The Client ensures that all necessary provisions and cooperation services are provided in a timely manner and at no cost to SECJUR.
6.6. The Client ensures the greatest possible support for SECJUR's employees and potential subcontractors in performing the required services. This includes, among other things, providing a qualified employee for support and coordination and ensuring that SECJUR receives all necessary information in a timely manner.
6.7. If the Client fails to provide a required cooperation service, fails to provide it on time, or does not fulfill it in the agreed manner, the Client shall bear the resulting damages and expenses (e.g., delays, additional effort). As long as the Client’s cooperation services are not provided in accordance with the contract, SECJUR is fully or partially relieved from its corresponding performance obligation to the extent that SECJUR depends on such cooperation or provision. SECJUR is not responsible for service disruptions caused by the Client's failure to provide cooperation services in accordance with the contract.
6.8. The Client is obligated to provide files and data carriers that are free from defects both in content and technical integrity, particularly free of malware (e.g., "viruses"), and to compensate SECJUR for any resulting damages, as well as to indemnify SECJUR from all third-party claims.
6.9. The Client is obligated to regularly back up their data, at the latest by the end of the contract term, on their own systems.
6.10. The Client is obligated to act in compliance with the law, meaning they must fulfill their contractual obligations and adhere to all applicable legal regulations, particularly in relation to SECJUR, end customers, prospects, and other third parties. If the Client is legally required to provide proof of compliance with certain requirements, they must provide this proof to SECJUR, where permissible. Certificates or audit reports shall suffice as proof, unless stricter legal requirements apply.
6.11. In the event of defects or other disruptions, the Client is obligated to report them to SECJUR without delay and provide all necessary information available to them for troubleshooting. This includes a clear description of the error symptoms (particularly through screenshots). The notification must be sent via the email address bug@secjur.com.
7. Usage Rights
7.1. The Client is granted a simple, non-sublicensable, non-transferable, time-limited (for the duration of this Contract), geographically unrestricted, non-exclusive right to use the DCO for internal purposes via a browser. The granting of rights does not apply to the source code of the DCO. No rights are granted for modification, distribution, or public disclosure of the DCO.
7.2. The Client is not authorized to make the DCO available to third parties for use, whether for a fee or free of charge. Subleasing of the DCO is expressly prohibited.
7.3. The use of the DCO is only permitted by the natural persons designated by the Client (hereinafter "Named Users").
7.4. Even under the granted usage rights, all ownership rights to the DCO remain with SECJUR.
7.5. The DCO contains software components that are licensed under the GNU General Public License (GPL). The corresponding license terms of the GPL can be found at https://www.gnu.org/licenses/gpl-3.0.de.html. You have the right to obtain, modify, and distribute the source code of these components, as permitted by the GPL. For further information or to obtain a copy of the source code, please contact us at info@secjur.com.
8. Warranty
8.1. SECJUR will provide the software free from material and legal defects (e.g., infringement of third-party rights) and will maintain the software in a condition suitable for its contractual use during the term of the Contract.
8.2. A defect in the DCO exists if it does not meet the contractually agreed specifications. The contractual specifications of the DCO are derived from the Offer detailing the listed services and the associated Special Terms, as well as any additional contractual agreements. If no specifications have been agreed upon, the presence of a defect is to be assessed according to statutory regulations.
8.3. The obligation to report defects is governed by Clause 6.11 of these GTC Software.
8.4. In the case of proven substantial defects, SECJUR will provide supplementary performance by remedying the defect or providing a replacement. SECJUR is entitled to at least two attempts to provide supplementary performance. The Client is excluded from the right to remedy the defect themselves, unless this would be unreasonable in the specific case (e.g., in cases of particular urgency).
8.5. SECJUR is entitled to propose temporary workarounds and address the underlying cause later through software adjustments, provided this is reasonable for the Client.
8.6. SECJUR will bear the costs required for supplementary performance, including transportation, travel, labor, and material costs, only if it is later determined that a defect actually exists.
8.7. The liability for initial defects independent of fault according to § 536a (1) Alternative 1 of the German Civil Code (BGB) is excluded.
8.8. Claims for defects expire within twelve (12) months. This does not apply in cases of claims for damages for which SECJUR is mandatorily liable under the law (see Section 9).
9. Liability
9.1. SECJUR shall be liable for damages and compensation for expenses in accordance with statutory provisions in cases of injury to life, body, or health, as well as for damages that give rise to a manufacturer’s liability under § 1 of the German Product Liability Act (Produkthaftungsgesetz, ProdHaftG).
9.2. For other damages, SECJUR shall be liable exclusively in accordance with the following provisions. SECJUR shall be liable under statutory provisions for damages caused by fraudulent conduct, intent, or gross negligence. In cases of simple negligence, SECJUR shall only be liable if essential contractual obligations (so-called cardinal obligations) are violated. Essential contractual obligations are those whose fulfillment is necessary for the proper execution of the Contract and on which the Client regularly relies and may rely. In such cases, liability is limited to the amount of the typical, foreseeable damage under the Contract.
9.3. In the event of liability for simple negligence, SECJUR’s obligation to compensate for advisory errors is limited to the maximum coverage amount of its financial loss liability insurance, which is EUR 10,000,000.00 per claim.
9.4. The above exclusions and limitations of liability shall apply to the same extent in favor of SECJUR’s corporate bodies, legal representatives, employees, and other agents.
10. Competition
10.1. The Client undertakes not to solicit SECJUR’s qualified personnel during the term of the Contract. Solicitation is deemed to include the submission of a concrete offer for alternative employment.
10.2. The Client shall not employ any person belonging to SECJUR’s qualified personnel for a period of twelve months after the termination of their employment relationship with SECJUR, regardless of the legal reason for termination, unless SECJUR has initiated the termination or has given prior written consent (§ 126 I BGB) in the specific case.
11. Reference
11.1. SECJUR is entitled to name the Client as a reference within the legal limits (hereinafter “Reference Mention”). The Reference Mention includes, among other things: the mention of the company name and the display of current and past company logos and trademarks, as well as a description of the content and scope of the services provided. The right to Reference Mention extends to, among others: all websites, blogs, and social media channels; press releases; interviews; professional articles; print advertisements; internal company documents; tenders; presentations; webinars; the Digital Compliance Office; company premises; and trade fairs.
11.2. The Client grants SECJUR and its affiliated companies a simple, non-transferable, unlimited right in terms of time and geography to use the necessary name and trademark rights for the purpose of the Reference Mention.
11.3. The provisions of this section shall remain in effect for a period of four years after the termination of the Contract.
12. Text Form
Amendments and modifications to the agreements made shall only be effective if provided in text form (§ 126b BGB). This also applies to changes to this text form clause.
13. Notifications
13.1. The contractual parties shall mutually agree on organizational arrangements after the conclusion of the Contract. The parties agree to record specific agreements concerning cooperation – particularly scheduling arrangements – in text form (§ 126b BGB).
13.2. Where applicable, the Client is obligated to use the ticketing system provided by SECJUR for all communications related to the Contract.
14. Protection of Personal Data
14.1. If SECJUR processes personal data on behalf of the Client, the provisions of the Data Processing Agreement between the parties shall apply (see Annex Data Processing Agreement).
14.2. If SECJUR processes the Client’s personal data as a data controller, the Client shall support SECJUR in fulfilling its legal information obligations toward the affected individuals.
15. Confidentiality
15.1. "Confidential Information" includes all information, regardless of whether it is disclosed in writing, orally, or in any other form, that (i) is inherently confidential or requires confidentiality, or (ii) should be recognized as confidential by the receiving party under the given circumstances. This includes, but is not limited to, technical data, trade secrets, software, product descriptions, pricing structures, and other business-related information.
15.2. The parties agree to: (i) not disclose confidential information of the other party to third parties without prior express written consent, unless necessary to fulfill the contractual obligations; (ii) use confidential information solely for the purposes specified in the contract; (iii) take appropriate security measures to maintain the confidentiality of the information, at least to the same extent as they protect their own confidential information; (iv) promptly inform the other party in writing of any misuse or suspected misuse of confidential information.
15.3. The confidentiality obligation does not apply to information that: (i) was already known to the receiving party prior to receipt and was not subject to any existing confidentiality obligation; (ii) was disclosed by a third party who is not bound by a confidentiality obligation; (iii) is publicly known or becomes publicly known without fault of the receiving party; (iv) was independently developed by the receiving party without relying on confidential information of the disclosing party; (v) must be disclosed due to legal requirements or governmental orders, provided that the disclosing party is informed in a timely manner about the request to take legal protective measures.
15.4. The confidentiality obligation remains in effect for a period of five years after the termination of this Contract or until the confidential information no longer retains its confidential nature, whichever occurs first.
15.5. Both parties are entitled to disclose confidential information to subcontractors, provided that the subcontractors are obligated to comply with confidentiality obligations to an extent that aligns with these provisions.
16. Duration, Termination
16.1. The term of the Contract begins on the 1st and 15th of the month following the contract signing (hereinafter "Contract Start").
16.2. The contract has a term of two (2) years from the start of the contract.
16.3. The contract, including all booked additional services, will be extended by two (2) additional years at the end of each term unless it is terminated with a notice period of three (3) months before the end of the respective term, except for statutory special provisions.
16.4. The right of both parties to terminate the Contract for good cause remains unaffected by the preceding clauses. If the good cause is a breach of a contractual obligation, termination is only permitted after the unsuccessful expiration of a deadline set for remedy or after an unsuccessful warning, unless a deadline is unnecessary due to mandatory legal provisions.
16.5. A significant cause justifying SECJUR’s right to extraordinary termination of the Contract is, in particular, if the Client has not performed a required cooperation action to fulfill the Contract within a reasonable deadline set by SECJUR, provided SECJUR has specifically identified the action to be taken and declared that the Contract will be terminated extraordinarily if the action is not performed by the end of the deadline.
16.6. A significant cause justifying SECJUR’s right to extraordinary termination of the Contract also exists if the Client is in default of payment for at least two (2) monthly invoices.
17. Right to Amend
SECJUR reserves the right to amend these GTC Software to accommodate legal, technical, or business changes. Any amendments to the GTC Software will be communicated to the Client in text form (e.g., by email) at least four (4) weeks before the planned effective date. If the amendment is disadvantageous to the Client, the Client has the right to object in writing within two (2) weeks after receiving the notice. The notice of amendment will include information on the change, the right to object, the objection period, the requirement for text form, and the consequences of the objection. If the Client does not object within the specified period, the changes will be deemed accepted. In the case of a timely objection, the Contract will continue under the previous terms, with SECJUR reserving the right to terminate the Contract extraordinarily with one (1) month's notice.
18. Final Provisions
18.1. In the case of conflicts between different parts of this Contract, the provisions of the Offer shall take precedence. Contractual provisions of these GTC Software and the annexed Data Processing Agreement shall take precedence over the special conditions for additional services.
18.2. Should any provision of the Contract and/or its amendments or supplements be or become invalid, the validity of the remaining provisions of the Contract shall not be affected. The parties are obligated, in the event of invalidity of a provision, to negotiate a valid and reasonable replacement provision that comes as close as possible to the economic purpose pursued by the parties with the invalid provision.
18.3. The Contract represents the complete and final agreement between the parties with regard to the subject matter of the Contract and supersedes all prior written, oral, and implied agreements, understandings, or arrangements. No side agreements, whether written, oral, or implied, have been made.
18.4. The Contract and all non-contractual matters or obligations arising from the Contract or the services provided shall be governed by the law of the Federal Republic of Germany, excluding the United Nations Convention on Contracts for the International Sale of Goods of April 11, 1980 (CISG).
18.5. The exclusive place of jurisdiction, to the extent permitted by law, is Hamburg, Germany, or, at SECJUR's discretion, (i) the court where the SECJUR branch primarily responsible for providing the services is located, or (ii) the courts at the location where the Client is domiciled.
Annex 1: Purpose, Nature and Scope Of Data Processing, Type of Data and Categories of Data Subjects
Categories of data subjects: Clients; suppliers; employees; interested parties; other contractual partners and third parties whose personal data are processed in the Digital Compliance Office.
Purposes, nature and scope of processing: fulfilment of legal obligations; creation and filing/storage of documents; communication between the contracting parties.
Type of data: master data; contact data; content data; usage data; other personal data defined in Art. 4 No. 1 GDPR and transmitted or stored by the Client while using the Digital Compliance Office; special categories of personal data, if applicable.
Annex 2: Subcontractors
Annex 3: Technical and Organisational Measures
The following measures provide an overview of the implemented technical and organisational measures pursuant to Art. 32 GDPR to protect the integrity, confidentiality, and availability of personal data at SECJUR GmbH. The measures are always selected considering the existing risk of unauthorised disclosure, unauthorised modification or loss of personal data and are regularly reviewed for their effectiveness. The current state of the art is considered in the regular review so that no outdated protection mechanisms are implemented.
Annex 4: Data Processing Agreement
To the extent that processing activities of SECJUR qualify as processing on behalf of the Client, the following Data Processing Agreement shall apply to the parties:
§ 1 Subject Matter of the Agreement
Within the scope of the provision of services under the Agreement (hereinafter "Main Agreement"), it is necessary for SECJUR (hereinafter "Processor") to handle personal data for which the Client acts as the controller within the meaning of the data protection provisions (hereinafter "Client Data"). This Data Processing Agreement (hereinafter “DPA”) specifies the rights and obligations of the contracting parties under data protection law in connection with the Processor's handling of Client Data for the purpose of implementing the Main Agreement.
§ 2 Scope of the Assignment
2.1 The Processor shall process the Client Data on behalf of and according to the instructions of the Client within the meaning of Art. 28 GDPR (data processing on behalf). The Client shall remain the controller in the sense of data protection law.
2.2 The processing of Client Data by the Processor shall be carried out in the manner, to the extent and for the purpose as specified in Annex 1 to this DPA; the processing concerns the types of personal data and categories of data subjects designated therein. The duration of the processing shall correspond to the term of the Main Agreement.
2.3 The Processor reserves the right to anonymize or aggregate Client Data so that it is no longer possible to identify individual data subjects and to use it in this form for the purpose of demand-oriented design, further development and optimization as well as the provision of the service agreed upon in accordance with the Main Agreement. The Parties agree that anonymized Client Data or Client Data aggregated in accordance with the above provision shall no longer be deemed Client Data within the meaning of this DPA.
2.4 The Processor may process and use the Client Data for its own purposes and on its own responsibility within the scope of what is permissible under data protection law if a statutory permission provision or a declaration of consent by the data subject permits to do so. This DPA does not apply to such data processing.
2.5 The processing of Client Data by the Processor shall generally take place within the European Union or in another state being part of the Agreement on the European Economic Area (EEA). However, the Processor shall be permitted to process Client Data outside the EEA in compliance with the provisions of this DPA if the Processor informs the Client in advance of the location of the data processing and the requirements of Art. 44-48 of the GDPR are met or an exception pursuant to Art. 49 of the GDPR applies.
§ 3 Client's Right to Instructions
3.1 The Processor shall process Client Data in accordance with the Client's instructions, unless the Processor is required by law to process them otherwise. In the latter case, the Processor shall notify the Client of such legal requirements prior to processing, unless the relevant law prohibits such notification due to an important reason of public interest.
3.2 The instructions of the Client are generally conclusively defined and documented by the provisions of this DPA. Individual instructions deviating from the stipulations of this DPA or imposing additional requirements are subject to the prior approval of the Processor and shall be carried out in accordance with the amendment procedure stipulated in the Main Agreement, where the instruction shall be documented and the assumption of any resulting additional costs incurred by the Processor shall be borne by the Client.
3.3 The Processor warrants to process Client Data in accordance with Client's instructions. If the Processor is of the opinion that an instruction of the Client violates this DPA or the applicable data protection law, it shall be entitled, following a corresponding notification to the Client, to suspend the execution of the instruction until the Client confirms the instruction. The Parties agree that the sole responsibility for the processing of Client Data in accordance with the instructions lies with the Client.
§ 4 Client Responsibility
4.1 The Client shall be solely responsible for legal compliance of the processing of Client Data as well as for the protection of the rights of the data subjects regarding the contractual relationship between the parties. To the extent that third parties assert claims against the Processor based on the processing of Client Data in accordance with this DPA, the Client shall indemnify the Processor against, and hold the Processor harmless from, all such claims upon first request.
4.2 The Client shall be responsible for providing the Processor with Client Data in due time for the performance of services under the Main Agreement and shall be responsible for the quality of the Client Data. The Client shall inform the Processor immediately and in full if he discovers errors or irregularities with regard to data protection provisions or its instructions when checking the Processor's order results.
4.3 Upon request, the Client shall provide the Processor with the information referred to in Article 30 (2) of the GDPR, unless the Processor is in possession of such information itself.
4.4 If the Processor is obligated vis-à-vis a government agency or individual to provide information on the processing of Client Data or to otherwise cooperate with such agencies, the Client shall be obligated to support the Processor upon first request in providing such information or in fulfilling other obligations to cooperate.
§ 5 Requirements for Personnel
The Processor shall oblige all persons who process Client Data to maintain confidentiality regarding the processing of Client Data.
§ 6 Security of Processing
6.1 In accordance with Article 32 of the GDPR, the Processor shall take the necessary, appropriate technical and organisational measures, taking into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing of Client Data as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, in order to ensure a level of protection for the Client Data appropriate to the risk. A specification of the technical and organisational measures implemented is included in Annex 3.
6.2 The Processor shall be permitted to modify or adapt technical and organisational measures during the term of the DPA as long as they continue to meet the legal requirements.
§ 7 Use of Subprocessors
7.1 The Client hereby grants the Processor general approval to involve other processors with regard to the processing of Client Data (hereinafter “Subprocessor”). All Subprocessors engaged at the time of conclusion of this DPA are listed in Annex 2. No approval shall generally be required for contractual relationships with service providers that involve the testing or maintenance of data processing procedures or systems by other bodies or other ancillary services, even if access to Client Data cannot be excluded in the process, as long as the Contractor makes appropriate arrangements to protect the confidentiality of such Client Data.
7.2 The Processor shall inform the Client of any intended changes regarding the involvement or replacement of Subprocessors. In individual cases, the Client shall have the right to object to the engagement of a potential Subprocessor. Such objection may only be raised by the Client for good cause to be proven to the Processor. If the Client does not raise an objection within fourteen (14) days after receipt of the notification, its right to object concerning the corresponding engagement shall expire. If the Client raises an objection, the Processor shall be entitled to terminate the Main Agreement and this DPA with a notice period of three (3) months.
7.3 The Agreement between the Processor and any Subprocessor shall impose the same obligations on the latter as are imposed on the Processor by virtue of this DPA. The parties agree that this requirement is met if the Agreement has a level of protection corresponding to this DPA or if the obligations set out in Article 28 (3) GDPR are imposed on the Subprocessor.
§ 8 Rights of the Data Subjects
8.1 The Processor shall support the Client with technical and organisational measures within reasonable limits in fulfilling its obligation to respond to requests to exercise the rights of data subjects to which they are entitled.
8.2 Insofar as a data subject asserts a request to exercise the rights to which it is entitled directly against the Processor, the Processor shall promptly forward this request to the Client.
8.3 The Processor shall provide the Client with information about the stored Client Data, the recipients to which the Processor transfers Client Data in accordance with the order, and the purpose of the storage, unless the Client has access to said information himself or can obtain it on his own.
8.4 The Processor shall enable the Client to correct, delete or restrict the further processing of Client Data within the scope of what is reasonable and necessary against reimbursement of the expenses and costs to be proven incurred by the Processor as a result thereof or, at the request of the Client, to rectify, block or restrict further processing itself if and to the extent this cannot be done by the Client on his own.
8.5 Insofar as the data subject has a right to data portability vis-à-vis the Client with regard to Client Data pursuant to Art. 20 GDPR, the Processor shall support the Client within the scope of what is reasonable and necessary in providing the Client Data in a common and machine-readable format against reimbursement of the resulting expenses and costs to be proven incurred by the Processor, if the Client cannot procure the data otherwise.
§ 9 Notification and Support Obligations of the Processor
9.1 Insofar as the Client is subject to a legal obligation to report or notify a breach of the protection of Client Data (in particular pursuant to Art. 33, 34 GDPR), the Processor shall inform the Client in due time about any reportable events in his area of responsibility. The Processor shall support the Client in fulfilling the reporting and notification obligations at the Client's request within the scope of what is reasonable and necessary against reimbursement of the resulting expenses and costs to be proven incurred by the Processor.
9.2 The Processor shall support the Client within the scope of what is reasonable and necessary against reimbursement of the resulting expenses and costs to be proven incurred by the Processor in connection with any data protection impact assessments to be carried out by the Client and any subsequent consultations with the supervisory authorities pursuant to Art. 35, 36 GDPR.
§ 10 Data Deletion
10.1 The Processor shall delete Client Data after termination of this DPA, unless there is a legal obligation for the Processor to retain the Client Data.
10.2 Documentation which serves as evidence of the proper processing of Client Data in accordance with the order may be retained by the Processor even after the end of this DPA.
§ 11 Verifications and Audit Rights
11.1 The Processor shall provide the Client at the latter's request with all information required and available at the Processor to prove compliance with its obligations under this DPA.
11.2 The Client shall be entitled to verify the Processor with regard to compliance with the provisions of this DPA, in particular the implementation of the technical and organisational measures, including by means of audits.
11.3 In order to carry out any audits in accordance with Section 11.2, the Client shall be entitled to enter the Processor's business premises where Client Data are processed during normal business hours (Monday to Friday from 10 a.m. to 6 p.m.) at its own expense and after giving due notice in accordance with Section 11.5, without disrupting operations and subject to strict confidentiality of Processor's trade and business secrets.
11.4 The Processor shall be entitled, at its own discretion, considering the Client's legal obligations, not to disclose information which is sensitive with regard to the Processor's business or if the Processor would violate legal or other contractual regulations by disclosing such information. The Client shall not be entitled to have access to data or information concerning other Clients of the Processor, to information regarding costs, to quality review and Agreement management reports and to any other confidential data of the Processor which is not directly relevant for the agreed review purposes.
11.5 The Client shall inform the Processor in due time (as a rule at least two (2) weeks in advance) about all circumstances related to the performance of the audit. The Client may carry out one audit per calendar year. Further inspections shall be carried out against reimbursement of costs and after coordination with the Processor.
11.6 If the Client engages a third party to carry out the audit, the Client shall obligate the third party in writing in the same way as the Client is obligated to the Processor pursuant to Section 11 of this DPA. In addition, the Client shall bind the third party to maintain secrecy and confidentiality, unless the third party is subject to a professional confidentiality obligation. Upon request of the Processor, the Client shall immediately submit the obligation Agreements with the third party to the Processor. The Client may not engage any competitor of the Processor to carry out the audit.
11.7 At the Processor's sole discretion, proof of compliance with the obligations under this DPA may, instead of an audit, also be provided by the submission of a suitable, up-to-date attestation or report by an independent body (e.g., auditor, audit, data protection officer, IT security department, data protection auditors or quality auditors) or a suitable certification by IT security or data protection audit - e.g., in accordance with BSI-Grundschutz - (hereinafter "Audit Report") if such Audit Report reasonably enables the Client to assure himself of compliance with the obligations under this DPA.
§ 12 Term and Termination
The term and termination of this DPA shall be governed by the provisions governing the term and termination of the Main Agreement. Termination of the Main Agreement automatically results in termination of this DPA. An isolated termination of this DPA is excluded.
§ 13 Final Provisions
13.1 If individual provisions of this DPA are or become invalid or contain omissions, this shall not affect the remaining provisions. The parties undertake to replace the invalid provision with a legally permissible provision that comes as close as possible to the purpose of the invalid provision and meets the requirements of Article 28 GDPR.
13.2 In case of contradictions between this DPA and other Agreements between the Parties, in particular the Main Agreement, the provisions of this DPA shall prevail.