3. Processor’s obligations

3.1. Processor shall collect, process and use Personal Data only within the scope of Client’s Instructions as set out in this Agreement.

3.2. Processor shall keep the Personal Data confidential and shall ensure the reliability of its employees who have access to the Personal Data.

3.3. Processor will, at Client’s cost, reasonably assist Client with meeting Client’s compliance obligations with respect to the rights exercised by Data Subjects under the Data Protection Legislation, taking into account the nature of Client’s processing and the information available to the Processor, and, where reasonably feasible for Processor and at Client’s cost, with undertaking data protection impact assessments and with reporting to and consulting with supervisory authorities under the Data Protection Laws.

3.4. Processor shall implement appropriate technical and organizational measures with respect to the Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects. Such measures shall be designed to ensure a level of security appropriate to the risk in order to protect Personal Data from accidental or unlawful destruction, loss, alteration, unauthorized disclosure, access or use. Such measures hereunder shall include, but are not limited to taking reasonable steps to achieve the following:

(a) the prevention of unauthorized persons from gaining access to Personal Data Processing systems (physical access control),
(b) the prevention of Personal Data Processing systems from being used without authorization (logical access control),
(c) persons entitled to use a Personal Data Processing system gain access only to such Personal Data as they are entitled to access in accordance with their access rights, and that, in the course of processing or use and after storage, Personal Data cannot be read, copied, modified or deleted without authorization (data access control),
(d) Personal Data cannot be read, copied, modified or deleted without authorization during electronic transmission, transport or storage on storage media, and that the target entities for any transfer of Personal Data by means of data transmission facilities can be established and verified (data transfer control),
(e) the establishment of an audit trail to document whether and by whom Personal Data have been entered into, modified in, or removed from Personal Data Processing systems (entry control),
(f) Personal Data Processed are Processed in accordance with the Instructions (control of instructions),
(g) Personal Data are protected against accidental destruction or loss (availability control),
(h) Personal Data collected for different purposes can be processed separately (separation control).

A measure as referred to in lit. a) to h) above shall in particular include, but shall not be limited to, the use of appropriate encryption technology. An overview of the above-mentioned technical and organizational measures is set out in Annex 2.

3.5. Processor shall notify Client of the contact details of Processor’s data protection officer. The Processor’s data protection officer is:

TÜV SÜD Sec-IT GmbH
Stefan Eisert
Ridlerstr. 65
80339 München
Deutschland
Tel. +49 89 500 84 868

3.6. If applicable, Client shall retain title as to any carrier media provided to Processor as well as any copies or reproductions thereof. Processor shall store such media safely and protect them against unauthorized access by third parties. Processor shall, upon Client’s request, provide to Client all information on Client’s Personal Data and information. Processor shall be obliged to securely delete any test and scrap material based on an Instruction issued by Client on a case-by-case basis. Where Client so decides, Processor shall hand over such material to Client or store it on Client’s behalf.

3.7. Processor shall provide reasonable assistance to the Client with any data protection impact assessment which the Client is required to undertake in order to comply with Articles 35 and 36 of the GDPR, in each case solely in relation to the processing of Personal Data and taking into account the nature of the processing and the information available to Processor. Processor shall make available to Client on request such information as is reasonably necessary to demonstrate its compliance with this DPA, and shall reasonably allow for and contribute to audits, including inspections, conducted by the Client or another auditor mandated by the Client and approved by Processor for the purpose of demonstrating compliance by Processor with its obligations under Data Protection Laws in respect of the Personal Data.

3.8. Processor shall return or, to the extent technically possible and at the Client’s written request, delete and procure the deletion of all copies of the Personal Data once Processing by Processor of any Personal Data is no longer required for the purpose of Processor’s performance of its relevant obligations under this DPA.