The Client wishes to commission the Contractor with the services specified in Sections 1 and 2. The processing of personal data (“data”) is part of the execution of the contract. In particular Art. 28 GDPR places certain requirements on such order processing. In order to comply with these requirements, the parties conclude the following contract:
The Contractor shall provide the Client with services in the field of communication technology on the basis of the main contract. The Contractor shall be granted access to personal data within the meaning of Art. 4 No. 1 GDPR and shall process such data on behalf of the Client.
The parties conclude the present contract in order to specify the data protection rights and obligations of both parties. In case of doubt, the provisions of the present contract shall take precedence over the provisions of the main contract.
The provisions of this Agreement shall apply to all activities related to the main Agreement in which the Contractor and its employees or agents of the Contractor come into contact with personal data originating from or collected on behalf of the Principal.
Within the framework of this contract, the Client shall be solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the legality of the data transfer to the Contractor and for the legality of the data processing (“Responsible” in the sense of Art. 4 No. 7 GDPR).
The Client undertakes to inform his employees and other persons employed by her, whose data are processed by the Contractor on the basis of the main contract and this contract (“Reporting Party”), about data processing in accordance with Art. 13, 14 GDPR. The information sheet “Information for notifiers”, which the Client will hand over to the notifiers, serves to fulfil these information obligations.
The instructions shall initially be determined by the main contract and may then be amended, supplemented or replaced by the Principal in writing or in an electronic format (text form) to the place designated by the Contractor. Instructions which are not provided in the main contract shall be treated as a request for a change in performance.
Verbal instructions must be confirmed immediately in writing or in text form.
The scope and purpose of the data processing are defined in the main contract and the associated service description. Within the framework of the execution of the main contract, the Contractor shall have access to the following types of personal data from the following persons concerned for the following purposes:
|Type fo data||Type and purpose of use||Affected persons|
|First name Last name email address telephone number password||Creation of a user profile for the processing of messages||Confidants1|
|Sex||Information for the repoer in the selection of the confidant||Confidants|
|General working hours2||Generation of individual welcome messages for the reporter||Confidants|
|Photo2||Use in chat and possibly on other sites for the purpose of confidence building||Confidants|
|E-mail address, first name, last name2, 3||Notifications for:||Reporter|
| Incident category, Incident type, Sex2|
Time of the incident2
Time of the incident report2
Frequency of the incident2
|Content of the chat history, first name, last name3||Information for confidant to deal with the report||Persons about whom a complaint is lodged|
If the contractor merely makes the communication system available to the Client (i.e. the concerns of the reporters are handled exclusively by case managers of the Client), the contractor does not receive any insight into or knowledge of the content of the message processes.
If the contractor is also responsible for complaint management (i.e. the reports of the case managers of the contractor) on behalf of the Client, the contractor also acts exclusively in accordance with instructions for complaint management. Alone in this case the Contractor shall be given access to and knowledge of the content of the message flow between the reporter and the case manager appointed by her. In this case, the Contractor shall notify the principal to provide access to the message flow, in particular when
The data processing within the framework of the complaint management assumed by the contractor is carried out by trained specialist personnel of the contractor. Reporters who have expressly stated that they wish to remain anonymous will be made anonymous or unrecognisable prior to inspection by the Client in accordance with the aforementioned paragraph of this section. In this case, the Client or its Case Manager will only be informed of the content of the concern of the Reporting Party, but not of the identity of the Reporting Party.
The Contractor shall take all necessary protective measures to adequately protect the data of the Client in accordance with Art. 32 GDPR. Further details are set out in section 5 of this Agreement.
The Contractor shall support the Client, to the extent agreed, to the extent possible, in fulfilling the requests and claims of the persons concerned in accordance with Chapter III of the GDPR and in complying with the obligations set out in Art. 33 to 36 GDPR.
The persons employed in the data processing by the contractor are prohibited from collecting, processing or using personal data without authorisation. The contractor shall obligate all persons entrusted by her with the processing and performance of this contract accordingly (obligation to confidentiality, Art. 28 para. 3 lit. b) GDPR) and shall ensure compliance with this obligation with due care, unless there is an appropriate statutory obligation to maintain secrecy. Upon request, the obligations of the Client must be proven in a suitable manner.
The contractor has appointed a data protection officer. The contractor shall publish the contact details of the Data Protection Officer on his website and communicate them to the Supervisory Authority. At the request of the contracting authority, the contractor shall provide appropriate proof of publication and notification.
The contractor corrects or deletes the contractual data if the Client decides to do so and this is covered by the scope of the instructions. If a deletion in conformity with data protection or a corresponding restriction of data processing is not possible, the Contractor shall undertake the destruction of data carriers and other materials in conformity with data protection on the basis of an individual order by the Client or return these data carriers to the Client, unless already agreed in the contract.
Data, data carriers and all other materials shall either be surrendered or deleted at the Client’s request at the end of the order. If additional costs are incurred as a result of deviating specifications for the surrender or deletion of the data, these shall be borne by the Client.
In the event of a claim against the Client by an affected person with regard to any claims pursuant to Art. 82 GDPR, the Contractor undertakes to support the Client in defending the claim within the scope of his possibilities.
The Client shall inform the Contractor immediately and completely if it detects errors or irregularities in the results of the order with regard to data protection regulations.
In the event of a claim against the Principal by a person concerned with regard to any claims under Art. 82 GDPR, section 3 Para. 8 shall apply mutatis mutandis.
The Client shall inform the Contractor of the contact person for data protection issues arising within the framework of the main contract.
In her area of responsibility, the Contractor shall design the internal organisation in such a way that it meets the special requirements of data protection. She shall take all necessary technical and organisational measures for the adequate protection of the data of the Client according to Art. 32 GDPR. To this end, the Contractor shall in particular (i) ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing in the long term, as well as (ii) the ability to ensure the availability of the data and access to them during a physical or technical incident on the part of the Contractor. The contractor shall, prior to the commencement of the processing of the data, have complied with the requirements listed in Annex A to this contract. technical and organisational measures to ensure the security of the processing of the data and maintain it for the duration of this Agreement.
The contractor guarantees to fulfil his obligations according to Art. 32 para. 1 lit. d) GDPR, to use a procedure to regularly check the effectiveness of the technical and organisational measures to ensure the security of the processing.
As the technical and organisational measures are subject to technical progress and further technological development, the contractor shall be permitted to implement alternative and adequate measures as long as they do not fall below the level of safety laid down in Annex A. The contractor shall be entitled to take such alternative and adequate measures to ensure that the safety of the installation is maintained. The contractor shall document such changes. The Client may request a current version of the technical and organisational measures at any time.
The Client is aware of the technical and organisational measures taken by the Contractor. The Client is responsible for ensuring that these provide an appropriate level of protection for the risks of the data to be processed..
The Contractor shall inform the Client without delay if it becomes aware of any infringements or potential infringements of the protection of personal data of the Client. The Contractor shall also inform the Client of the nature of the infringement, if possible, stating the categories and the number of persons concerned, the data records concerned and their number.
The Contractor shall immediately take the necessary measures to secure the data and to reduce possible negative consequences for the persons concerned, inform the Client thereof and consult with the Client without delay. In addition, the Contractor shall be obliged to provide the Client with information at any time if the Client’s data are affected by an infringement pursuant to section 1.
The contractor is obliged to document all (potential) violations of data protection, including all related facts, in a way that enables the Client to prove compliance with any relevant legal reporting obligations (e.g. according to Art. 33, 34 GDPR).
Should the Client’s data be endangered by seizure or confiscation by the Contractor, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall immediately inform the Client thereof. The Contractor shall immediately inform all persons responsible in this context that the sovereignty and ownership of the data lies exclusively with the Client within the meaning of the GDPR.
If a data subject addresses the contractor with requests for correction, deletion or information, the contractor shall refer the data subject to the contracting authority, as long as assignment to the contracting authority is possible according to the data of the data subject. The Contractor shall forward the application of the person concerned to the Client without delay. The Contractor shall support the Client within the scope of her possibilities on instruction if agreed. The Contractor shall not be liable if the Client does not respond to the request of the person concerned, does not respond correctly or does not respond in due time.
The contractor shall prove to the Client by appropriate means that the obligations laid down in this contract have been fulfilled.If, in individual cases, inspections are to be carried out by the Client or by an inspector commissioned by the Client these will be carried out during normal business hours without disrupting the course of business after login and registration with regard to a reasonable lead time. The contractor may make this dependent on prior notification with a reasonable lead time and on the signing of a confidentiality agreement with regard to the data of other Clients of the contractor and the technical and organizational measures set up. If the inspector commissioned by the Client is in a competitive relationship with the contractor, the contractor has a right of objection against this.The contracting authority agrees to the appointment by the contractor of an independent external auditor, provided that the contractor provides a copy of the audit report.If a data protection supervisory authority or another sovereign supervisory authority of the Client carries out an inspection, section 2 shall apply mutatis mutandis. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or legal confidentiality, where a violation is punishable under the Criminal Code.
The use of third-party providers as further contract processors is only permissible if the Client has given his prior consent.
A third-party supplier relationship requiring approval exists if the contractor commissions further contractors to perform all or part of the service agreed in the main contract. The Contractor shall enter into agreements with these third parties to the extent necessary to ensure appropriate data protection and information security measures.
The contractually agreed services or the partial services described below are carried out with the involvement of third parties:
The Contractor shall obtain the Client’s consent prior to the involvement of further third parties or the replacement of listed third parties, whereby such consent may not be withheld without good cause under data protection law.
The Contractor shall not pass on orders to third parties within the framework of the activities agreed in the main contract.
If the Contractor places orders with third parties, the Contractor shall be responsible for transferring its data protection obligations under this contract to the third party.
The Client and the contractor shall be liable to the persons concerned in accordance with the provisions of Art. 82 GDPR.
The term of this agreement corresponds to the term of the main agreement. Termination of the main contract automatically results in termination of this contract. An isolated termination of this contract is excluded.
The Client shall be entitled to terminate this contract and the main contract for good cause if the Contractor breaches material obligations under this contract or instructions of the Client and fails to remedy the breach in question on warning of the Client.
Upon termination of this Agreement, the Contractor shall, at the option of the Client, delete all data of the Client unless an obligation to store personal data exists under Union law or the law of the Federal Republic of Germany, or return such data in an appropriate manner.
In the event of the deletion of the data of the Client, the Contractor shall document this in a protocol.
Documentation which serves as proof of orderly and proper data processing or statutory retention periods shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods.
Amendments and supplements to this contract and all its components – including any assurances by the contractor – require a written agreement, which can also be made in an electronic format (text form), and an express reference to the fact that these terms and conditions are amended or supplemented. This also applies to the waiver of this formal requirement.
In the event of any contradictions, the provisions of this contract on data protection shall take precedence over the provisions of the main contract. Should individual provisions of this contract be wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions of this contract.
This contract is subject to German law. The exclusive place of jurisdiction is Münster.
 Case managers should be trained individuals from at least one of the following groups: Confidential Representatives, Equality Officers, Compliance Officers, Ethics Officers, Human Resources Officers, Works Council Members, Internal/External Lawyers, Internal/External Psychologists.
 Voluntary information
 Processing and knowledge of this data by the contractor will only take place if the contractor also takes over the complaint management.
The application data is processed in two different rooms, the Lytt office and data centres provided by subcontractors.
Lytt uses a subcontractor, the Open Telekom Cloud of Telekom Deutschland GmbH, for server operation in the data center. The subcontractor will be audited by Lytt in accordance with the contract agreement. The data center of the subcontractor contracted by Lytt meets at least the following requirements:
These security measures are ensured by the subcontractors around the clock, seven days a week.
The offices of Lytt GmbH are located on the 4th floor of Alter Fischmarkt 12 in 48143 Münster. Access to the offices is protected by the following measures:
Lytt takes extensive measures to prevent unauthorized use of its employees’ computers, its own servers and external services (e.g. administration of rented servers):
Lytt uses a variety of measures to ensure that people can only access IT systems and the data stored on them in accordance with the access rights they have been granted. This is achieved by the following measures:
With the following measures Lytt realizes the separation of the data of different Clients or Client projects:
Lytt ensures that data records are pseudonymized and encrypted even when they are transmitted to third parties.
Data between the Client and the contractor are exclusively transmitted electronically, data transport by data carrier does not take place. Accordingly, the following measures will be taken to secure personal data during transmission:
The following measures shall ensure verification and determination of whether and by whom personal data have been entered, modified or removed:
Personal data will be processed in the subcontractor’s computer centre and in Lytt’s offices. Accordingly, in order to protect personal data from accidental destruction or loss, a distinction must be made between the measures taken at both sites.
The subcontractor for the server operation in the data center is contractually obliged to ensure availability at least with the following measures:
To protect personal data from accidental loss, destruction or damage, all relevant data is backed up on a daily basis. (Art. 32 GDPR).
Data backup includes both the database and all uploaded files in online stores. This ensures the integrity of all data collected.
The backups are performed daily and stored in a separate memory from normal operation. The retention periods are as follows:
All data will be irretrievably deleted after expiry of the respective deadlines. All files are backed up completely (non-incrementally) so that the integrity of only one backup is required for recovery.
The result of the data backup is encrypted before it is transferred to the backup memory. The synchronous AES encryption, which complies with the highest security standards, is used with a key length of 256 bit. The key is stored in a keychain, to which only Administrators have access. The memory that is separate from normal operation is accessed using the same arrangements secured like the infrastructure of normal operation: selective access only for necessary persons (administrators) and two-factor authentication. Only when the data has been restored the backup outside the backup memory is decrypted again. So there is never any unencrypted data in the memory. The backup itself is also transferred via an encrypted connection. Thus data in transit as well as at-rest are always encrypted.
In order to comply with the storage limitation, the automated blocking and deletion rules relevant for personal data are applied to the data before a restored data backup is put into operation. This ensures that data that has been deleted in the meantime but was still present in the backup is deleted again. (Art. 5 GDPR).
The program that backs up the data is also used to restore the data. Both backup and recovery are documented and can be easily implemented by authorized persons (see above).
The daily data backup is monitored. In the event of an error, qualified employees are notified immediately. The notification takes place via an escalation system, which first sends SMS messages and then makes automated telephone calls to the employees. The escalation is not stopped until the employees confirm the escalation. In addition, if an error occurs, the system automatically tries several times to restart the data backup.
In order to ensure that personal data processed on behalf of the Client are processed only in accordance with the instructions of the Client, Lytt shall, inter alia, take the following measures:
Lytt guarantees that persons and freelancers who have access to personal data will only process them on the instructions of the data controller or processor and will take the following measures to this end:
The chat sessions conducted via Lytt’s communication system are always encrypted (two-way communication). Furthermore, a role concept has been set up to restrict data access and user rights. In addition, Lytt uses flexible audit trails to ensure data minimization.
Within the Lytt communication system, chat histories are automatically stored in encrypted form. Access rights are automatically adjusted or restricted to the different user roles (Admin, Reporter, Third Party, Case Manager). Lytt employees’ access rights to devices connected to the Lytt network are automatically restricted.
Last modified: August 2019