Partner Tech

Contract for the

processing of data


on behalf of


between the customer, individually also referred to as "party" 

and Partner Tech Europe GmbH, individually also referred to as "Contractor" or "Party" 

and collectively referred to as "Parties".



1. General

  1. Within the scope of the provision of services under the main contract concluded between the parties, it cannot be ruled out that, in the course of maintaining and servicing the hardware and software provided, the contractor may come into contact with personal data (hereinafter referred to as customer data) for which the customer is the responsible body within the meaning of data protection regulations. This data processing agreement specifies the rights and obligations of the parties in connection with the handling of the customer's personal data. 
  2. The contractor processes personal data on behalf of the customer within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR). This agreement regulates the rights and obligations of the parties in connection with the processing of personal data on behalf of the customer. The individual services provided by the contractor are described in more detail in the main contract concluded between the parties. Further details on data collection, processing and use can be found in the contractor's offers underlying the business relationship and, if applicable, in further individual orders.
  3. If terms are used in this contract that are legally defined in the GDPR, the corresponding definition from the GDPR shall be adopted and used as a basis for this contract. This applies in particular to the term "processing" (of data) in Art. 4 No. 2 GDPR.


2. Subject matter of the contract

The subject matter of the processing, the nature and purpose of the processing, the type of personal data and the categories of data subjects are specified in the main contract.


3. Rights and obligations of the customer

  1. The customer is the controller within the meaning of Art. 4 No. 7 GDPR for the processing of data on behalf of the contractor. 
  2. The customer is responsible for safeguarding the rights of data subjects. The contractor shall inform the customer immediately if data subjects assert their rights against the contractor.
  3. The customer has the right to issue supplementary instructions to the contractor at any time regarding the type, scope and procedure of data processing. Instructions must be given in text form (e.g. email). Verbal instructions must be confirmed in text form without delay.
  4. Provisions regarding any compensation for additional expenses incurred by the contractor as a result of supplementary instructions from the customer remain unaffected.
  5. The customer shall inform the contractor immediately if it discovers errors or irregularities in connection with the processing of personal data by the contractor.
  6. In the event that there is an obligation to provide information to third parties in accordance with Articles 33 and 34 of the GDPR or any other legal reporting obligation applicable to the customer, the customer shall be responsible for compliance with such obligations.


4. General obligations of the contractor

  1. The contractor shall process personal data exclusively within the scope of the agreements made and/or in compliance with any supplementary instructions issued by the customer. This does not apply to legal regulations that may oblige the contractor to process data in a different manner. In such a case, the contractor shall inform the customer of these legal requirements prior to processing, unless the relevant law prohibits such notification on grounds of an important public interest. Otherwise, the purpose, type and scope of data processing shall be governed exclusively by this contract and/or the customer's instructions. The contractor is prohibited from processing data in any other way unless the customer has given their written consent.
  2. The processing of the customer's data by the contractor on behalf of the customer shall generally take place within the member states of the European Union (EU) or the European Economic Area (EEA). However, the contractor may also process customer data outside the EEA in compliance with the provisions of this contract if it fulfils the requirements of Art. 44 ff. GDPR.
  3. The contractor shall inform the customer immediately if, in its opinion, an instruction given by the customer violates legal regulations. The contractor is entitled to suspend the execution of the instruction in question until it has been confirmed or amended by the customer. If the contractor can demonstrate that processing in accordance with the customer's instructions could lead to liability on the part of the contractor under Art. 82 GDPR, the contractor is free to suspend further processing in this respect until the liability between the parties has been clarified.
  4. The processing of data on behalf of the customer outside the contractor's business premises or subcontractors is only permitted with the customer's consent, which must be given in writing at least. The processing of data for the customer in private homes is generally permitted. The customer has the right to object to such processing in private residences in justified cases; the contractor may, at its discretion, continue the processing at its place of business or remedy the customer's reasons for objection.
    The contractor shall ensure that the technical and organisational measures in particular are complied with. The customer is aware that this may result in restrictions on control options.
  5. The contractor shall process the data it processes on behalf of the customer separately from other data. Physical separation is not mandatory. 

5. Data protection officer of the contractor
  1. The contractor confirms that it has appointed a data protection officer in accordance with Art. 37 GDPR. The contractor shall ensure that the data protection officer has the necessary qualifications and expertise. The contractor shall provide the customer with the name and contact details of its data protection officer in writing upon request. 
  2. The obligation to appoint a data protection officer in accordance with paragraph 1 shall not apply if the contractor can prove that it is not legally obliged to appoint a data protection officer and the contractor can prove that operational regulations are in place which ensure that personal data is processed in compliance with the statutory provisions, the provisions of this contract and any further instructions from the customer.


6. Contractor's reporting obligations

  1. The contractor is obliged to immediately notify the customer of any violation of data protection regulations or of the contractual agreements made and/or the instructions issued by the customer, which has occurred in the course of the processing of data by him or other persons involved in the processing. The same applies to any breach of the protection of personal data that the contractor processes on behalf of the customer.
  2. Furthermore, the contractor shall immediately inform the customer if a supervisory authority takes action against the contractor in accordance with Art. 58 GDPR and this may also affect the processing carried out by the contractor on behalf of the customer.
  3. The contractor shall support the customer in fulfilling the reporting obligations pursuant to Art. 33 GDPR and the notification obligation pursuant to Art. 34 GDPR. The contractor's report to the customer must include the following information in particular:

    • a description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned, the categories of personal data concerned and the approximate number of personal data records concerned;
    • a description of the measures taken or proposed by the contractor to remedy the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.


7. Contractor's obligations to cooperate

  1. The contractor shall support the customer in its obligation to respond to requests for the exercise of data subject rights in accordance with Articles 12-22 GDPR. The provisions of Section 11 of this contract shall apply.
  2. The contractor shall assist the customer in compiling the records of processing activities. It shall provide the customer with the necessary information in this regard in an appropriate manner.
  3. The contractor shall support the customer in complying with the obligations set out in Articles 32-36 GDPR, taking into account the nature of the processing and the information available to it.


8. Control powers

  1. The customer shall have the right to monitor the contractor's compliance with the statutory provisions on data protection and/or the contractual provisions agreed between the parties and/or the customer's instructions at any time to the extent necessary.
  2. The contractor is obliged to provide the customer with information to the extent necessary to carry out the monitoring within the meaning of paragraph 1.
  3. The customer may request access to the data processed by the contractor for the customer as well as to the data processing systems and programmes used.
  4. The customer may, after giving reasonable notice, carry out the inspection within the meaning of paragraph 1 at the contractor's premises during normal business hours. The customer shall ensure that the inspections are only carried out to the extent necessary so as not to disproportionately disrupt the contractor's business operations.
  5. The inspection pursuant to the preceding point (4) may also be carried out by an expert appointed by the customer. The contractor must be notified of this appointment in advance and in good time so that it can object to the appointment in justified cases, e.g. if the expert is a potential competitor of the contractor. In the event of such an objection, the customer may, at its discretion, carry out the relevant inspection itself or remedy the contractor's reasons for objection (e.g. by appointing another expert). 
  6. In the event of measures taken by the supervisory authority against the customer within the meaning of Art. 58 GDPR, in particular with regard to information and control obligations, the contractor is obliged to provide the customer with the necessary information and to enable the respective competent supervisory authority to carry out an on-site inspection. The customer must be informed by the contractor of any such planned measures.


9. Subcontracting

  1. The customer agrees that the contractor may engage subcontractors. The contractor shall inform the customer before engaging additional subcontractors or replacing existing subcontractors. The customer may object to the change for good cause within two weeks of receiving the information from the contractor by notifying the office designated by the contractor. If no objection is made within this period, consent to the change shall be deemed to have been given. The subcontractors employed by the contractor at the time of signing the contract are listed on the following page XXX and are accepted by the customer.
  2. The contractor shall conclude a data processing agreement with the subcontractor that complies with the requirements of Art. 28 GDPR. In addition, the contractor shall impose on the subcontractor the same obligations to protect personal data as those agreed between the customer and the contractor. A copy of the data processing agreement shall be provided to the customer upon request.
  3. The contractor is in particular obliged to ensure through contractual provisions that the control powers (Section 8 of this contract) of the customer and supervisory authorities also apply to the subcontractor and that corresponding control rights of customers and supervisory authorities are agreed. It must also be contractually stipulated that the subcontractor must tolerate these control measures and any on-site inspections.
  4. Services that the contractor uses from third parties as purely ancillary services in order to carry out its business activities are not to be regarded as subcontracting relationships within the meaning of clause 9. These include, for example, cleaning services, pure telecommunications services without any specific connection to services that the contractor provides for the customer, postal and courier services, transport services and security services. The contractor is nevertheless obliged to ensure that appropriate precautions and technical and organisational measures have been taken to guarantee the protection of personal data, even in the case of ancillary services provided by third parties. The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship requiring consent and order processing within the meaning of Art. 28 GDPR if the maintenance and testing relate to IT systems that are also used in connection with the provision of services for the customer and if personal data processed on behalf of the customer can be accessed during maintenance.


10. Confidentiality and secrecy obligation

  1. Both parties undertake to treat all information they receive in connection with the performance of this contract as confidential for an unlimited period of time and to use it only for the performance of the contract. 
  2. Neither party is entitled to use this information, in whole or in part, for purposes other than those just mentioned or to make this information available to third parties. The above provision does not apply to audits within the scope of order processing.
  3. The above obligations under (1) and (2) shall not apply to information that one of the parties has demonstrably received from third parties without being obliged to maintain confidentiality, or that is publicly known.
  4. The contractor is obliged to maintain confidentiality when processing data and information that it receives or becomes aware of in connection with the order. The contractor undertakes to observe the same confidentiality rules as those incumbent on the customer. The customer is obliged to inform the contractor of any special confidentiality rules.
  5. The contractor warrants that it is familiar with the applicable data protection regulations and is familiar with their application. The contractor further warrants that it will familiarise its employees with the relevant data protection provisions. 
  6. The contractor further warrants that it has additionally obliged the employees involved in the performance of the work to maintain confidentiality and has informed them of the customer's instructions. The customer shall be provided with evidence of this obligation on the part of the employees upon request.


11. Protection of data subjects' rights

  1. The contractor is obliged to support the customer in its obligation to process requests from data subjects in accordance with Articles 12-22 GDPR. In doing so, the contractor shall in particular ensure that the necessary information is provided to the customer without delay so that the customer can fulfil its obligations under Art. 12 (3) GDPR. In particular, the contractor shall take the necessary measures in accordance with the customer's instructions. 
  2. In the event that a data subject contacts the contractor to exercise their rights in relation to the processing of their data, the contractor shall forward the relevant information to the customer.



12. Technical and organisational measures for data security

  1. The contractor undertakes to the customer to comply with the technical and organisational measures necessary to comply with the applicable data protection regulations. This includes, in particular, the requirements of Art. 32 GDPR.
  2. The status of the technical and organisational measures existing at the time of conclusion of the contract is documented at [LINK]. The parties agree that changes to the technical and organisational measures may be necessary in order to adapt to technical and legal circumstances. Measures that do not adversely affect the integrity, confidentiality and availability of personal data may be implemented by the contractor without consultation with the customer. The customer may view a current version of the technical and organisational measures taken by the contractor at any time via the above link. 
  3. The contractor shall regularly and also on an ad hoc basis check the effectiveness of the technical and organisational measures it has taken and generally provide information about necessary changes on the relevant page.


13. Term of the contract; termination

  1. The term of this contract corresponds to the term of the main contract. The provisions governing ordinary termination of the main contract shall apply accordingly.
  2. The customer is entitled to terminate this contract extraordinarily at any time for good cause. Good cause shall be deemed to exist for the customer in particular if
    • the contractor violates an essential obligation under this contract,
    • the contractor uses the customer's data for purposes other than those permitted under this contract,
    • the contractor fails to carry out an instruction from the customer,
    • the contractor refuses to exercise the customer's rights of control or significantly impedes such exercise, or
    • the contractor engages another processor contrary to the provisions of clause 9.
  3. In the event of termination of this contract, the main contract may only be continued if it is excluded that the contractor processes customer data. In case of doubt, termination of the main contract shall also be deemed termination of this contract, and termination of this contract shall also be deemed termination of the main contract.


14. Liability

The contractor shall be liable in accordance with the statutory liability provisions for any damage suffered by the customer as a result of culpable breaches of this contract by the contractor or of the statutory data protection obligations directly applicable to the contractor. Any other limitations of liability agreed between the parties (e.g. in the main contract) shall not apply in this regard. 


15. Termination

  1. Upon termination of the contract, the contractor shall delete all documents, data and processing or usage results created in connection with the contractual relationship that have come into its possession. The deletion shall be documented in an appropriate manner. 
  2. Any statutory retention obligations or other obligations to store the data remain unaffected. In the case of data carriers, these must be destroyed if the customer requests deletion, whereby at least security level 3 of ISO 21964-1 to 3 must be observed; proof of destruction must be provided to the customer.
  3. The customer has the right to check that the data has been returned and deleted by the contractor in full and in accordance with the contract. This can also be done by inspecting the data processing equipment at the contractor's premises. The customer shall give reasonable notice of any on-site inspection.


16. Right of retention

The parties agree that the contractor's right of retention within the meaning of Section 273 of the German Civil Code (BGB) is excluded with regard to the processed data and the associated data carriers.


17. Final provisions

  1. If the customer's property at the contractor's premises is endangered by measures taken by third parties (e.g. through seizure or confiscation), by insolvency proceedings or by other events, the contractor shall inform the customer immediately. The contractor shall immediately inform the creditors that the data in question is being processed on behalf of the customer.
  2. Ancillary agreements must be made in writing.
  3. Should individual parts of this contract be invalid, this shall not affect the validity of the remaining provisions of the contract. The parties undertake to replace the invalid provision with a legally permissible provision that comes closest to the purpose of the invalid provision and best meets the requirements of Art. 28 GDPR.
  4. In the event of contradictions between this contract and other agreements between the parties, in particular the main contract and the General Terms and Conditions, the provisions of this contract shall take precedence.
  5. This contract is attached to the General Terms and Conditions and forms an integral part of the contractual agreements between the parties. A separate declaration of intent by the parties to conclude this data processing agreement (e.g. by signature) is not required.