Between

certready.eu GmbH
Unter den Linden 26
35410 Hungen
Germany

- hereinafter referred to as "Processor" -


and

Customers of the certready.eu training platform

- hereinafter referred to as "Controller" -

- both hereinafter referred to as "the Parties" -

All terms are understood to be gender-neutral.

the following data processing agreement is concluded:

Preamble and Scope

The Processor processes personal data on behalf of the Controller. This Data Processing Agreement specifies the processing on behalf of the Controller with regard to its subject matter and the claims and obligations arising from the processing relationship between the Parties.

This Data Processing Agreement does not apply if the GDPR is not applicable to the Controller’s processing of personal data (for example, in the case of purely personal or household activities pursuant to Art. 2(2)(c) GDPR) and the Processor therefore does not act as a processor within the meaning of Art. 4(8) GDPR.

1. Terms and Definitions

  1. "Processing on behalf" - In accordance with Art. 4(8) GDPR, "processing on behalf" is to be understood as processing of personal data pursuant to Art. 4(2) GDPR by the Processor on behalf of the Controller, regardless of the number of processors involved, in accordance with the subject of this Data Processing Agreement.
  2. "Main Agreement" - The term Main Agreement includes all types of ongoing business relationships between the Controller and the Processor in which the Processor processes personal data on behalf of and according to the instructions of the Controller, as specified in this Data Processing Agreement. If the applicability of this Data Processing Agreement has otherwise been limited (i.e., within this agreement or outside it, in other contracts or regulations) to certain types or specific business relationships, contracts, etc., these shall each be understood as a Main Agreement. The term Main Agreement also includes ongoing individual orders placed by the Controller with the Processor within the scope of the Main Agreement (e.g., in the case of framework agreements).
  3. "Controller" - The "Controller" is the natural or legal person which, alone or jointly with others, determines the purposes and means of the processing (Art. 4(7) GDPR).
  4. "Personal data" - "Personal data" (hereinafter also referred to as "data") in accordance with Art. 4(1) GDPR means any information relating to an identified or identifiable natural person (data subject); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
  5. "Data subjects" - "Data subjects" are, in accordance with Art. 4(1) GDPR, natural persons who are identified or at least identifiable by means of personal data. The data subjects affected by this processing on behalf result from the subject matter of the processing.
  6. "Third parties" - "Third parties" are, in accordance with Art. 4(10) GDPR, natural or legal persons, public authorities, agencies, or bodies other than the data subject, the Controller, the Processor, and persons who, under the direct authority of the Controller or Processor, are authorized to process personal data.
  7. "Sub-processing" - If a processor has not been directly engaged by the Controller but by a processor of the Controller, "sub-processing" is present and the processors following the first processor are referred to as "Sub-processors".
  8. "Electronic format" - Declarations are deemed to be made in "electronic format" within the meaning of Art. 28(9) GDPR if the declaring person is identifiable and the electronic declaration format is suitable for evidencing the declaration. "Electronic format" includes, in particular, text form, an agreement stored on durable media (e.g., email), digital signature procedures, or the use of dedicated online functions (e.g., in user accounts).
2. Subject Matter of the Processing on Behalf

  1. The processing on behalf takes place within the following legal relationship (Main Agreement): The subject of the processing on behalf is the provision and operation of the certready.eu online training platform for customers and their employees based on the terms of use of certready.eu GmbH.
  2. Detailed information on the subject of the processing carried out on behalf, the personal data processed, the data subjects affected by the processing, as well as the nature, scope, and purpose of the processing, is determined by the provisions of the Annex "Subject Matter of the Processing on Behalf".

3. Nature of the Processing on Behalf

  1. Insofar as the Controller acts as the controller of the processing, the Controller is responsible under this Data Processing Agreement for compliance with data protection laws, in particular for the lawfulness of the data processing and for the lawfulness of engaging the Processor. Insofar as the Controller itself acts as a processor, it engages the Processor as a Sub-processor. The controller of the processing may rely directly on the rights to which the Controller is entitled against the Sub-processor on the basis of this Data Processing Agreement.

4. Authority to Issue Instructions

  1. The Processor may process personal data only within the scope of the Main Agreement and the Controller’s instructions and only to the extent that processing is required under the Main Agreement.
  2. The instructions are initially set out in the Main Agreement or this Data Processing Agreement and may thereafter be changed, supplemented, or replaced by the Controller through instructions in written form or in an electronic format (text form, e.g., email) to the Processor or the office designated by the Processor.
  3. Oral instructions may be given if required by the circumstances (e.g., urgency) and must be confirmed without delay in writing or in electronic form.
  4. If, on the basis of objective circumstances, the Processor is of the opinion that an instruction from the Controller violates applicable data protection law, the Processor shall inform the Controller without delay and justify its view objectively. In this case, the Processor is entitled to suspend execution of the instruction until the instruction is expressly confirmed by the Controller and to refuse obviously unlawful instructions.
  5. The Processor may refuse instructions if their fulfillment is not possible or not reasonable for the Processor (in particular because compliance would involve disproportionate effort or lacks technical feasibility). Refusal may only take place with appropriate consideration of the protection of data subjects’ data and entitles the Controller to extraordinary termination of this Data Processing Agreement if its continuation is unreasonable for the Controller.
  6. The Processor may be obliged by Union or Member State law and by administrative or judicial measures to carry out processing or to disclose information. In such a case, the Processor shall inform the Controller of the legal requirements of the mandatory legal obligation prior to processing, unless the relevant law or order prohibits such notification due to an important public interest; in the event of a prohibition of notification, the Processor shall take all possible and reasonable measures to prevent or limit the legally mandatory processing.
  7. The Processor shall document the instructions given and their implementation.
  8. The Processor shall designate contact persons authorized to receive instructions and is obliged to inform the Controller without delay of changes to the contact persons or their contact details, as well as representatives in the event of a non-temporary absence or incapacity.

5. Technical and Organizational Measures (Security and Protection Concept)

  1. The Processor shall design its internal organization within its area of responsibility in accordance with legal requirements and, in particular, shall implement technical and organizational measures (hereinafter "TOMs") to adequately secure, in particular, the confidentiality, integrity, and availability of the Controller’s data, taking into account the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of the processing, as well as the varying likelihood and severity of risks to the rights and freedoms of data subjects, and shall ensure their maintenance, in particular through regular, at least annual evaluations. With regard to the protection of personal data, TOMs include, in particular, physical access control, system access control, data access control, transfer control, input control, order control, integrity and availability control, separation control, as well as safeguarding the rights of data subjects.
  2. The TOMs communicated by the Processor at the time of conclusion of the contract define the minimum security level owed by the Processor. The TOMs may be further developed and replaced by adequate protective measures in line with technical and legal progress, provided they do not fall below the security level of the defined measures and material changes are communicated to the Controller. The description of the measures must be sufficiently detailed so that a knowledgeable third party can, based on the description alone, recognize at any time without doubt that the required legal data protection level and the defined minimum security level are not undercut.
  3. The Processor ensures that employees, agents, and other persons engaged by the Processor in processing the data are prohibited from processing personal data outside the instructions. The Processor shall also ensure that persons authorized to process the Controller’s data have been instructed in the legal data protection provisions and those arising from this Data Processing Agreement and have been bound to confidentiality and secrecy or are subject to a corresponding and appropriate statutory duty of confidentiality. The Processor shall ensure that persons engaged in the processing on behalf are continuously and appropriately guided and supervised with regard to compliance with data protection requirements.
  4. The Processor shall ensure that persons employed in processing participate at appropriate intervals in recurring training and awareness measures regarding the protection of personal data and compliance with statutory data protection provisions.
  5. Processing of personal data outside the Processor’s business premises (e.g., in home or mobile office or via remote access) is permissible provided that the necessary technical and organizational measures are taken and documented, appropriately taking into account the particularities of these processing situations and, in particular, enabling adequate control of data processing (e.g., conclusion of a home and mobile office data protection agreement with employees). The Processor shall provide the Controller, upon request, with documentation of the implemented technical and organizational measures for such home, mobile, or other remote processing.
  6. Processing of personal data on private devices of the Processor’s employees and agents is only permitted with the Controller’s consent.
  7. Where required by law, the Processor shall appoint a data protection officer in accordance with legal requirements. The Processor shall provide the Controller with the contact details of the data protection officer and any subsequent changes.
  8. The processing operations carried out on behalf shall be documented separately by the Processor to a reasonable extent in a record of processing activities and made available to the Controller upon request.
  9. The data and data carriers provided within the scope of this Data Processing Agreement and all copies made thereof remain the property or possession of the Controller, are subject to the Controller’s right of disposal, must be carefully stored by the Processor, protected from access by unauthorized third parties, and may only be destroyed with the Controller’s consent. Destruction must be carried out in accordance with data protection requirements and in such a way that restoration, even of residual information, is no longer possible and not to be expected with reasonable effort. Copies of data may only be made if they are necessary to fulfill the Processor’s primary and ancillary performance obligations to the Controller (e.g., backups) and the contractual as well as the legal data protection level is ensured.
  10. The Processor is obliged to ensure prompt return or deletion of data and data carriers as required under this Data Processing Agreement also at Sub-processors.
  11. The Processor shall provide proof of proper destruction or deletion of data and files carried out under this Data Processing Agreement and make it available to the Controller upon request.
  12. The defense of a right of retention is excluded with regard to the data processed on behalf and the associated data carriers.
  13. The Processor shall provide, to a reasonable extent, regular proof of fulfillment of its obligations, in particular the complete implementation of the agreed technical and organizational measures and their effectiveness (e.g., through regular checks, audits, etc.). The proof shall be provided to the Controller upon request. The proof may be provided by approved codes of conduct or an approved certification procedure.
  14. If the security measures taken do not or no longer meet the Processor’s requirements or legal requirements, the Processor shall notify the Controller without delay.
  15. The technical and organizational measures existing at the time of conclusion of this Data Processing Agreement are listed by the Processor in the Annex "Technical and Organizational Measures" and accepted by the Controller.

6. Information and Assistance Obligations of the Processor

  1. The Processor may provide information to third parties or the data subject only with the prior consent of the Controller or in the case of mandatory legal obligations, court orders, or legal information duties. If a data subject contacts the Processor and asserts their data subject rights (in particular rights to access or rectification or deletion of personal data), the Processor shall refer the data subject to the Controller, provided assignment to the Controller is possible based on the data subject’s information. The Processor shall immediately forward the data subject’s request to the Controller and support the Controller to the extent reasonable and possible. The Processor shall not be liable if the Controller fails to respond to the data subject’s request, responds incorrectly, or fails to respond in time, insofar as this is not attributable to the Processor.
  2. The Processor shall inform the Controller immediately and fully if the Processor identifies errors or irregularities in compliance with this Data Processing Agreement and/or relevant data protection regulations regarding the processing of personal data. The Processor shall take the necessary measures to secure personal data and mitigate possible adverse effects for data subjects and shall coordinate with the Controller without delay.
  3. The Processor shall inform the Controller without delay if a supervisory authority acts against the Processor and its actions may affect the data processed for the Controller. The Processor shall support the Controller in fulfilling its obligations (in particular to provide information and tolerate inspections) vis-à-vis supervisory authorities.
  4. If the security of the Controller’s personal data is jeopardized by actions of third parties (e.g., creditors, authorities, courts, etc.) (seizure, confiscation, insolvency proceedings, etc.), the Processor shall inform the third parties without delay that the sovereignty and ownership of the data lie exclusively with the Controller and, after consultation with the Controller, take appropriate protective measures if necessary (e.g., file objections, applications, etc.).
  5. The Processor shall provide the Controller with information regarding the processing of data under this Data Processing Agreement that is necessary for the Controller to fulfill its legal obligations (which may include, in particular, responding to data subject or authority inquiries and meeting accountability obligations such as a data protection impact assessment) and shall support the Controller in complying with the obligations set out in Art. 32-36 GDPR.
  6. The Processor’s information obligations initially extend to information available to the Processor, its employees, and agents. Information does not need to be obtained from third-party sources if procurement by the Controller would be possible within a reasonable scope and no other agreement has been made.
  7. The Processor must be able to demonstrate at any time, by appropriate means, compliance with its contractual and legal obligations arising from the processing on behalf.

7. Measures in Case of Risk or Breach of Data Protection

  1. If the Processor identifies facts that suggest that the protection of personal data processed for the Controller may have been breached within the meaning of Art. 4(12) GDPR, the Processor shall inform the Controller immediately and fully, take the necessary protective measures without delay, and support the Controller in fulfilling its obligations, in particular in connection with notification to the competent authorities or data subjects.
  2. Information about a (possible) personal data breach must be provided without delay, in principle within 24 hours of becoming aware of it.
  3. The Processor’s notification must, in accordance with Art. 33(3) GDPR, contain at least the following information:
    • Description of the nature of the personal data breach, where possible indicating the categories of data affected and the approximate number of data subjects affected and the approximate number of personal data records concerned;
    • The name and contact details of the data protection officer or other contact point for further information;
    • A description of the likely consequences of the personal data breach (e.g., with further details: identity theft, financial loss, etc.);
    • A description of the measures taken or proposed by the Processor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
  4. Significant disruptions in the performance of the order as well as violations by the Processor or by persons employed by it or commissioned by it against data protection regulations or the provisions of this Data Processing Agreement must also be reported without delay.

8. Reviews and Inspections

  1. The Controller has the right to verify compliance with legal requirements and the provisions of this Data Processing Agreement, in particular the TOMs at the Processor, at any time to the necessary extent, either itself or through third parties, and to carry out the necessary reviews, including inspections.
  2. The Processor shall support the Controller in the necessary scope during checks and inspections (e.g., by providing personnel and granting access and access rights).
  3. On-site inspections shall take place during normal business hours and must be announced by the Controller with reasonable notice (at least 14 days). In emergencies, i.e., if waiting would unreasonably endanger the rights of data subjects and/or the Controller, a reasonably shorter period may be chosen. Conversely, a longer period may be necessary (e.g., if extensive preparations are required or during holiday periods). Deviations from the notice period must be justified by the Party invoking them.
  4. Inspections shall be limited to the necessary scope and must take into account the Processor’s trade and business secrets as well as the protection of personal data of third parties (e.g., other customers or employees of the Processor). Operational disruptions are to be avoided wherever possible. Where sufficient for the purpose of the review, inspections should be limited to spot checks.
  5. Only qualified persons who can provide identification and who are bound to confidentiality and secrecy with regard to the Processor’s trade and business secrets, internal processes, and personal data are permitted to conduct the review. The Processor may require proof of such an obligation. If the auditor engaged by the Controller is in a competitive relationship with the Processor or there is another justified reason for rejection, the Processor has the right to object to this auditor.
  6. Instead of providing access and conducting on-site inspections, the Processor may refer the Controller to an equivalent review by independent third parties (e.g., neutral data protection auditors), compliance with approved codes of conduct (Art. 40 GDPR), or suitable data protection or IT security certifications pursuant to Art. 42 GDPR. This applies only if the reference is reasonable for the Controller and the nature and scope of the reviews and references correspond to the nature and scope of the Controller’s legitimate inspection plans. The Processor undertakes to inform the Controller without delay of the exclusion from approved codes of conduct pursuant to Art. 41(4) GDPR, the revocation of a certification pursuant to Art. 42(7) GDPR, and any other form of suspension or material change of the aforementioned evidence.
  7. The Controller shall generally exercise its right of inspection no more frequently than every 12 months, unless a specific reason (in particular a data breach, a security incident, or the result of an audit) requires inspections before the end of this period.

9. Sub-processing Relationships

  1. Without prejudice to any restrictions under the Main Agreement, the Controller expressly agrees that the Processor may use Sub-processors in the context of processing on behalf. The Processor shall inform the Controller with reasonable prior notice, which is regularly 14 business days, about new Sub-processors and give the Controller the opportunity to reasonably review the Sub-processors before their engagement and to object to their use where there is a legitimate interest. If the Controller does not object within the notice period, the Sub-processor may be engaged. The Controller shall exercise its right to object to changes only in accordance with the principles of good faith, reasonableness, and fairness.
  2. If the Processor engages a Sub-processor (e.g., a subcontractor) to carry out certain processing activities on behalf of the Controller, the Processor must impose on the Sub-processor, by contract or by another legally permissible instrument, the same data protection obligations as those to which the Processor is bound under this Data Processing Agreement (in particular regarding compliance with instructions, adherence to TOMs, provision of information, and tolerance of inspections).
  3. The Processor shall carefully select the Sub-processor, paying particular attention to its suitability and reliability to comply with the obligations under this Data Processing Agreement and the suitability of the TOMs implemented by the Sub-processor.
  4. The transfer of personal data processed on behalf to Sub-processors is permissible only after the Processor has ensured that the Sub-processor has fully fulfilled its obligations. The review must be documented and the documentation presented to the Controller upon request.
  5. The Processor shall regularly, at least every 12 months, review compliance with the Sub-processors’ obligations, in particular the TOMs, to a reasonable extent. The review and its results shall be documented in a manner comprehensible to a knowledgeable third party. The documentation shall be presented to the Controller upon request. Instead of its own review, the Processor may refer to a review by independent third parties (e.g., neutral data protection auditors), compliance with approved codes of conduct (Art. 40 GDPR), or suitable data protection or IT security certifications pursuant to Art. 42 GDPR. The Processor undertakes to inform the Controller without delay of the exclusion from approved codes of conduct pursuant to Art. 41(4) GDPR, the revocation of a certification pursuant to Art. 42(7) GDPR, and any other form of suspension or material change of the aforementioned evidence at the Sub-processor.
  6. The responsibilities for fulfilling the obligations under this Data Processing Agreement and under the law must be clearly regulated and separated between the Processor and the Sub-processor.
  7. The Controller’s rights must also be enforceable against Sub-processors. In particular, the Controller must be entitled to carry out inspections at Sub-processors at any time within the scope defined in this Data Processing Agreement or to have them carried out by third parties.
  8. If the Sub-processor fails to comply with its data protection obligations, the Processor shall be liable to the Controller for such failure.
  9. Processing of personal data that is not directly related to the provision of the main service under the Main Agreement and in which the Processor uses third-party services as a purely ancillary service to carry out its business activities (e.g., cleaning, security, maintenance, telecommunications, or transport services) does not constitute sub-processing within the meaning of the above provisions of this Data Processing Agreement. Nevertheless, the Processor must ensure, e.g., through contractual agreements or notices and instructions, that the security of the data is not jeopardized and that the provisions of this Data Processing Agreement and data protection regulations are complied with.
  10. Sub-processing relationships that were communicated to the Controller upon conclusion of this Data Processing Agreement shall be deemed approved to the communicated extent under the provisions of this Data Processing Agreement on sub-processing relationships.
  11. The sub-processing relationships existing at the time of conclusion of this Data Processing Agreement are listed by the Processor in the Annex "Sub-processing Relationships" and updated by the Processor.

10. Territorial Scope of the Processing on Behalf

  1. Personal data shall be processed on behalf in a Member State of the European Union (EU) or in another contracting state of the Agreement on the European Economic Area (EEA) or Switzerland.
  2. Processing may take place in third countries, provided that the special requirements of Art. 44 et seq. GDPR are met, i.e., in particular, a) the EU Commission has determined an adequate level of data protection; b) on the basis of effective standard contractual clauses (SCC); or c) on the basis of recognized binding corporate rules.
  3. The Controller’s approval of sub-processing relationships under this Data Processing Agreement also extends to the territorial scope of the processing on behalf.
  4. Processing on behalf in a country other than those mentioned above, including by Sub-processors, requires the prior approval of the Controller.

11. Obligations of the Controller

  1. The Controller shall inform the Processor immediately and fully if it identifies errors or irregularities in the deliverables, instructions, or processing procedures with regard to data protection provisions.
  2. The Controller shall designate contact persons authorized to receive instructions and is obliged to inform the Processor without delay of changes to the contact persons or their contact details, as well as representatives in the event of a non-temporary absence or incapacity.
  3. In the event that the Processor is claimed against by data subjects, third-party companies, bodies, or authorities regarding possible claims arising from the processing of personal data under this Data Processing Agreement, the Controller undertakes to support the Processor in defending the claim to the extent of its capabilities and taking into account the degree of fault of the Parties.

12. Liability

The statutory liability provisions apply, in particular Art. 82 GDPR and, in the case of the use of a Sub-processor, Art. 28(4) sentence 2 GDPR.

13. Term, Continuing Effect After Contract End, and Data Deletion

  1. This Data Processing Agreement becomes effective upon its signature or conclusion in an electronic format.
  2. The term and end of this Data Processing Agreement are determined by the term and end of the Main Agreement.
  3. The Parties reserve the right to extraordinary termination, particularly in the event of a serious breach of the obligations and requirements of this Data Processing Agreement and applicable data protection law. A serious breach occurs in particular if the Processor has not fulfilled, or has substantially failed to fulfill, the obligations specified in the Data Processing Agreement and the agreed technical and organizational measures.
  4. In the case of minor breaches of duty, extraordinary termination must be preceded by a warning of the breaches with a reasonable period to remedy them; a warning is not required if it cannot be expected that the breaches will be remedied or if they are so serious that it would be unreasonable for the terminating Party to continue the Data Processing Agreement.
  5. Termination of this Data Processing Agreement, as well as the repeal of this form clause, must be made at least in electronic format.
  6. After completion of the processing services under this Data Processing Agreement, the Processor shall, at the Controller’s choice, either destroy or return all personal data and copies thereof (as well as all documents obtained in connection with the processing relationship, processing and usage results created, and data sets), unless there is a legal obligation to store the personal data; in such case, the Processor shall inform the Controller of the obligation and its scope, unless the Controller can be expected to be aware of the obligation. Destruction or deletion must be carried out in accordance with data protection requirements and in such a way that restoration, even of residual information, is no longer possible and not to be expected with reasonable effort. The defense of a right of retention is excluded with regard to the processed data and the associated data carriers. With regard to deletion or return, the Controller’s rights to information, proof, and control apply in accordance with this Data Processing Agreement.
  7. The obligations arising from the Data Processing Agreement to protect confidential information continue to apply after the end of the Data Processing Agreement, provided that the Processor continues to process the personal data covered by the Data Processing Agreement and compliance with the obligations is reasonable for the Processor even after the end of the contract.
  8. Documentation serving as evidence of proper data processing and of the maintenance of the TOMs must be retained by the Processor for at least three years beyond the end of the contract, in accordance with the Controller’s respective retention and deletion periods known to the Processor (or those that should be known to it). The Processor may hand over the documentation to the Controller upon termination of the contract in order to discharge its own retention obligation.

14. Final Provisions

  1. The applicable law is determined by the Main Agreement.
  2. The place of jurisdiction is determined by the Main Agreement.
  3. This Data Processing Agreement constitutes the complete agreement between the Parties. There are no collateral agreements.
  4. Upon conclusion of this Data Processing Agreement, any prior contracts concluded between the Parties governing the processing of personal data on behalf are terminated, if and to the extent that they concern the same subject matter of processing and unless otherwise expressly agreed in writing between the Parties.
  5. Amendments and additions to this Data Processing Agreement, as well as the waiver of this form requirement itself, must be made at least in electronic text form.
  6. In the event of any contradictions, the provisions of this Data Processing Agreement regarding data protection take precedence over the provisions of the Main Agreement.
  7. If one or more provisions of this Data Processing Agreement are invalid or unenforceable, the validity of the remaining provisions shall not be affected. The invalid provisions shall instead be replaced, by way of supplementary interpretation, with a provision that most closely reflects the economic purpose the Parties clearly intended with the invalid provision(s). If the aforementioned supplementary interpretation is not possible due to mandatory legal requirements, the Parties shall agree on a corresponding provision.

This Data Processing Agreement forms part of the Main Agreement and becomes effective upon its conclusion.

15. Annex: Subject Matter of the Processing on Behalf

The following information on the nature and purpose of the processing, the type of personal data, and the categories of data subjects determine the subject matter of the processing governed by the Data Processing Agreement. Changes to the subject matter of the processing and further procedural changes must be jointly coordinated and documented by the Parties.

The Controller’s personal data is processed on the basis of this Data Processing Agreement for the following purposes:

The subject of the processing on behalf is the provision and operation of the certready.eu online training platform as well as user accounts for the Controller and its employees.

The following types and categories of personal data are processed on the basis of this Data Processing Agreement:

  1. Names of employees.
  2. Contact details of employees.
  3. Login information of employees.
  4. Information on participation in and completion of courses as well as issued certificates.
  5. Selection options and inputs as part of tests.
  6. Log files relating to logins and use of the services including details of time and user.

The following groups of persons are affected by the processing of personal data on the basis of this Data Processing Agreement:

Employees (salaried/freelance/trainees and interns)

The data processed on the basis of this Data Processing Agreement is collected or otherwise received from the following sources or within the procedures mentioned:

  1. Collection from data subjects.
  2. Entries or information provided by the Controller.
  3. Collection in the course of using certready.eu.

Annex: Technical and Organizational Measures (TOMs)

An appropriate level of protection is ensured for the specific processing on behalf and the personal data processed within its scope, commensurate with the risk to the rights and freedoms of natural persons affected by the processing. In particular, the protection goals of confidentiality, integrity, and availability of systems and services and their resilience are taken into account with respect to the nature, scope, circumstances, and purpose of processing such that appropriate technical and organizational corrective measures sustainably reduce risk.

Organizational Measures

Organizational measures have been taken to ensure an appropriate level of data protection and its maintenance.

  1. The Processor has implemented an appropriate data protection management system or data protection concept and ensures its implementation.
  2. An appropriate organizational structure for data security and data protection is in place, and information security is integrated into company-wide processes and procedures.
  3. Internal security policies and guidelines have been defined and are communicated internally to employees as binding rules.
  4. System and security tests, such as code scans and penetration tests, are carried out regularly and also without specific cause.
  5. Developments in the state of the art as well as threats and security measures are continuously monitored and appropriately incorporated into the Processor’s own security concept.
  6. A concept exists that ensures the Controller’s safeguarding of data subject rights (in particular with regard to access, rectification, deletion or restriction of processing, data transfer, withdrawals, and objections). The concept includes informing employees about information obligations towards the Controller, establishing implementation procedures, appointing responsible persons, as well as regular monitoring and evaluation of the measures taken.
  7. A concept exists that ensures an immediate response compliant with legal requirements to risks and personal data breaches. The concept includes informing employees about information obligations towards the Controller, establishing implementation procedures, appointing responsible persons, as well as regular monitoring and evaluation of the measures taken.
  8. Security incidents are consistently documented, even if they do not lead to an external notification (e.g., to the supervisory authority or data subjects) (so-called "security reporting").
  9. Service providers engaged to perform ancillary business tasks (maintenance, security, transport, and cleaning services, freelancers, etc.) are carefully selected, and it is ensured that they observe the protection of personal data. If, in the course of their activities, service providers gain access to the Controller’s personal data or there is otherwise a risk of access to personal data, they are specifically bound to confidentiality and secrecy.
  10. The protection of personal data is taken into account, considering the state of the art, implementation costs, and the nature, scope, circumstances, and purposes of processing as well as the varying likelihood and severity of risks for the rights and freedoms of natural persons, already when developing or selecting hardware, software, and procedures, in accordance with the principles of data protection by design and by default.
  11. Software and hardware in use are always kept up to date, and software updates are carried out without delay within a period appropriate to the risk level and any need for review. No software or hardware is used that is no longer updated by providers with regard to data protection and data security concerns (e.g., end-of-life operating systems).
  12. Standard software and corresponding updates are obtained only from trustworthy sources.
  13. A deletion and disposal concept exists that complies with the data protection requirements of processing on behalf and the state of the art. The physical destruction of documents and data carriers is carried out in accordance with data protection requirements and in line with legal requirements, industry standards, and state-of-the-art industrial norms (e.g., DIN 66399). Employees have been informed about legal requirements, deletion periods, and, where applicable, specifications for data or device destruction by service providers.
  14. Processing of the Controller’s data that has not been deleted in accordance with the agreements of this Data Processing Agreement (e.g., due to statutory archiving obligations) is restricted to the necessary extent by means of blocking notes and/or segregation.

Employee-Level Data Protection

Measures have been taken to ensure that employees involved in processing personal data have the necessary data protection expertise and reliability.

  1. Employees are bound to confidentiality and secrecy (data protection confidentiality).
  2. Employees are sensitized and instructed regarding data protection in accordance with the requirements of their function. Training and sensitization are repeated at appropriate intervals or when circumstances require.
  3. Keys, access cards, or codes issued to employees, as well as authorizations granted regarding the processing of personal data, are collected or revoked when they leave the Processor’s services or change responsibilities.
  4. Employees are required to leave their work environment tidy and, in particular, to prevent access to documents or data carriers containing personal data (clean desk policy).

Physical Access Control

Measures have been taken to ensure physical access control, preventing unauthorized persons from physically approaching systems, data processing equipment, or procedures used to process personal data.

  1. With the exception of workstation computers and mobile devices, no data processing systems are operated in the Processor’s own business premises. The Controller’s data is stored with external server providers in compliance with the requirements for processing on behalf.
  2. Personal checks are carried out at the gate or reception.
  3. Access is secured by a manual locking system.
  4. The issuance and return of keys and/or access cards are logged.
  5. Employees are required to lock devices or otherwise secure them when leaving their work environment or the devices.
  6. Documents (files, records, etc.) are stored securely, e.g., in filing cabinets or other appropriately secured containers, and adequately protected from access by unauthorized persons.
  7. Data carriers are stored securely and adequately protected from access by unauthorized persons.

System Access Control

Measures have been taken to ensure electronic system access control, preventing unauthorized access (i.e., even the possibility of use, utilization, or observation) to systems, data processing equipment, or procedures.

  1. A password policy stipulates that passwords must have a minimum length and complexity in line with the state of the art and security requirements.
  2. All data processing systems are password-protected.
  3. Passwords are not stored in plain text and are transmitted only in hashed or encrypted form.
  4. Access data is deleted or deactivated when its users leave the Processor’s company or organization.
  5. Server systems and services with intrusion detection systems are used.
  6. Server systems and services with intrusion prevention and protection systems are used.
  7. Up-to-date anti-virus software is used.
  8. Hardware firewalls are used.
  9. Software firewalls are used.

Internal Data Access Control and Input Control (Permissions for User Rights to Access and Modify Data)

Measures have been taken to ensure data access control so that authorized users of a data processing system can access only the data covered by their access authorization, and that personal data cannot be read, copied, modified, or removed without authorization during processing. Furthermore, measures have been taken to ensure input control so that it can subsequently be verified and determined whether and by whom personal data has been entered, modified, removed, or otherwise processed in data processing systems.

  1. A permissions and roles concept ensures that access to personal data is possible only for a group of persons selected according to necessity and only to the required extent.
  2. The permissions and roles concept is regularly evaluated at reasonable intervals and whenever circumstances require (e.g., violations of access restrictions) and updated as needed.
  3. Logins to data processing systems are logged.
  4. Administrators’ activities are appropriately monitored and logged within the legally permissible possibilities and within a technically reasonable effort.
  5. It is ensured that it is traceable which employees or agents had access to which data and when (e.g., by logging software usage or deducing from access times and the permissions concept).

Transfer Control

Measures have been taken to ensure transfer control so that personal data cannot be read, copied, modified, or removed without authorization during electronic transmission, transport, or storage on data carriers, and so that it can be verified and determined to which locations a transmission of personal data by data transmission facilities is intended.

  1. When accessing internal systems from outside (e.g., during remote maintenance), encrypted transmission technologies are used (e.g., VPN).
  2. Emails are encrypted in transit (transport encryption between the mail servers involved), so that they cannot be read by anyone with access to the networks through which the email passes on its way from sender to recipient. Transport encryption protects the message on the network path only; it is not end-to-end encryption of the message content.
  3. The transmission and processing of the Controller’s personal data via online offerings (websites, apps, etc.) is protected using TLS or equivalently secure encryption.

Order Control, Purpose Limitation, and Separation Control

Measures have been taken to ensure order control, guaranteeing that personal data processed on behalf is processed only in accordance with the Controller’s instructions. The measures ensure that the Controller’s personal data collected for different purposes is processed separately and that no mixing, merging, or other processing contrary to the order takes place.

  1. The processing activities carried out for the Controller are documented separately to a reasonable extent in a record of processing activities.
  2. Sub-processors and other service providers are carefully selected.
  3. Employees and agents are clearly and comprehensibly informed of the Controller’s instructions and the permissible processing framework and instructed accordingly. Separate information and instruction are not required if compliance with the permissible framework can, in any case, be reliably expected (e.g., due to other agreements or company practice).
  4. Compliance with the Controller’s instructions and the permissible scope of processing personal data by employees and agents is reviewed at appropriate intervals.
  5. The deletion periods applicable to the processing of the Controller’s personal data are documented within the Processor’s deletion concept and, where necessary, separately.
  6. Required evaluations and analyses of the processing of the Controller’s personal data are, where possible and reasonable, processed anonymously (i.e., without any personal reference) or at least pseudonymized in accordance with Art. 4(5) GDPR (i.e., in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, which is kept separately and is subject to technical and organizational measures to ensure that the personal data is not attributed to an identified or identifiable natural person).
  7. The Controller’s personal data is processed logically separated from data of other processing procedures of the Processor and protected against unauthorized access, linking, or merging with other data (e.g., in different databases or by appropriate attributes).
  8. Production and test data are strictly separated and stored in different systems. Production systems are operated separately and independently from development and test systems.

Safeguarding Data Integrity and Availability and the Resilience of Processing Systems

Measures have been taken to ensure that personal data is protected against accidental destruction or loss and can be quickly restored in emergencies.

  1. Redundant, fail-safe server systems and services are used.
  2. Data processing systems are continuously monitored, in particular for availability, errors, and security incidents.
  3. Personal data is stored with external hosting providers. Hosting providers are carefully selected and meet the state-of-the-art requirements regarding protection against damage from fire, moisture, power failures, disasters, unauthorized access, as well as data backup and patch management, and building security.
  4. The processing of personal data takes place on data processing systems that are subject to a regular and documented patch management, i.e., in particular, they are regularly updated.
  5. The server systems and services used for processing are subjected to stress tests and hardware tests at appropriate intervals.
  6. The server systems used for processing are protected against denial-of-service (DoS) attacks.
  7. The server systems used for processing have an uninterruptible power supply (UPS), are adequately secured against failures, and ensure a controlled shutdown in emergencies without data loss.
  8. The server location is under video surveillance.
  9. Intrusion and contact detectors are installed at the server location.
  10. The server systems used for processing have adequate fire protection (fire and smoke detection systems as well as appropriate fire extinguishing systems or fire extinguishers).
  11. Server systems are used that provide protection against moisture damage (e.g., moisture detectors).
  12. Server systems and services are used that maintain a backup system at other locations where current data is kept and thus provide an operational system even in the event of a disaster.
  13. The Controller’s data sets are protected by the system against accidental modification or deletion (e.g., through access restrictions, security prompts, and backups).
  14. Server systems and services are used that have an appropriate, reliable, and controlled backup and recovery concept.
  15. At reasonable intervals, restore tests are regularly performed to verify that data backups can actually be restored (data integrity of backups).

Annex: Sub-processors

The Processor engages the following Sub-processors in the processing of data for the Controller:

  • GAL Digital GmbH: Provision and/or support of the digital and administrative management structure, including: technical platform with hosting and computing services, accounting and office services, personnel management, customer management, marketing, on the basis of a data processing agreement; Service provider: GAL Digital GmbH, Unter den Linden 26, 35410 Hungen, Germany. Privacy policy: https://www.gal-digital.de/de/datenschutz.
  • Brevo: Email sending and automation services; Service provider: Sendinblue GmbH, Köpenicker Str. 126, 10179 Berlin, Germany; Website: https://www.brevo.com/; Privacy policy: https://www.brevo.com/legal/privacypolicy/. Data Processing Agreement: Provided by the service provider.
  • bunny.net: Content Delivery Network (CDN) service that helps deliver content of an online offering, especially large media files such as graphics or program scripts, faster and more securely using regionally distributed servers connected via the internet. Also used to manage rights to transmitted content and to help prevent unauthorized use of provided materials; Data Processing Agreement: Provided by the service provider; Service provider: BUNNYWAY d.o.o., Cesta komandanta Staneta 4A, 1215 Medvode, Slovenia; Website: https://bunny.net. Privacy policy: https://bunny.net/privacy/.
  • Hetzner: Services in the field of providing information technology infrastructure and related services (e.g., storage and/or computing capacity); Service provider: Hetzner Online GmbH, Industriestr. 25, 91710 Gunzenhausen, Germany; Website: https://www.hetzner.com; Privacy policy: https://www.hetzner.com/de/rechtliches/datenschutz. Data Processing Agreement: https://docs.hetzner.com/de/general/general-terms-and-conditions/data-privacy-faq/.
  • Microsoft Azure: Services in the field of providing information technology infrastructure and related services (e.g., storage and/or computing capacity); Service provider: Microsoft Ireland Operations Limited, One Microsoft Place, South County Business Park, Leopardstown, Dublin 18, D18 P521, Ireland; Website: https://azure.microsoft.com; Privacy policy: https://privacy.microsoft.com/de-de/privacystatement. Data Processing Agreement: https://azure.microsoft.com/de-de/support/legal/.
  • pathway solutions: Retrieval and processing of orders, customer data, and payment data from shop systems and other transaction platforms via interfaces. The collected data is then converted into booking information optimized for accounting procedures; Service provider: Pathway Solutions GmbH, Alstertwiete 3, 20099 Hamburg, Germany; Website: https://www.pathway-solutions.de/; Privacy policy: https://www.pathway-solutions.de/pages/datenschutzerklaerung. Data Processing Agreement: Provided by the service provider.