Data Protection Agreement

Preamble

The Client wishes to commission the Contractor with the services specified in Sections 1 and 2. The processing of personal data (“data”) is part of the execution of the contract. In particular Art. 28 GDPR places certain requirements on such order processing. In order to comply with these requirements, the parties conclude the following contract:

1. Scope and responsibility

The Contractor shall provide the Client with services in the field of communication technology on the basis of the main contract. The Contractor shall be granted access to personal data within the meaning of Art. 4 No. 1 GDPR and shall process such data on behalf of the Client.

The parties conclude the present contract in order to specify the data protection rights and obligations of both parties. In case of doubt, the provisions of the present contract shall take precedence over the provisions of the main contract.

The provisions of this Agreement shall apply to all activities related to the main Agreement in which the Contractor, its employees or its agents come into contact with personal data originating from or collected on behalf of the Client.

Within the framework of this contract, the Client shall be solely responsible for compliance with the statutory provisions of the data protection laws, in particular for the legality of the data transfer to the Contractor and for the legality of the data processing (“Controller” within the meaning of Art. 4 No. 7 GDPR).

The Client undertakes to inform its employees and other persons employed by it whose data are processed by the Contractor on the basis of the main contract and this contract (“Reporting Party”) about the data processing in accordance with Art. 13 and 14 GDPR. The information sheet “Information for notifiers”, which the Client will hand over to the notifiers, serves to fulfil these information obligations.

The instructions shall initially be determined by the main contract and may then be amended, supplemented or replaced by the Client in writing or in an electronic format (text form), addressed to the contact point designated by the Contractor. Instructions which are not provided for in the main contract shall be treated as a request for a change in performance.

Verbal instructions must be confirmed immediately in writing or in text form.

2. Subject-matter and scope of the processing of personal data

The scope and purpose of the data processing are defined in the main contract and the associated service description. Within the framework of the execution of the main contract, the Contractor shall have access to the following types of personal data from the following persons concerned for the following purposes:

Type of data | Type and purpose of use | Affected persons

First name, last name, e-mail address, telephone number, password | Creation of a user profile for the processing of messages | Confidants [1]

Sex | Information for the reporter in the selection of the confidant | Confidants

General working hours [2] | Generation of individual welcome messages for the reporter | Confidants

Photo [2] | Use in chat and possibly on other sites for the purpose of confidence building | Confidants

E-mail address, first name, last name [2], [3] | Notifications for:
  • Receipt confirmation of the message
  • New messages
  • Changes to case status
  • Changes to confidant(s)
  • Completion of the incident
| Reporter

Incident category, incident type, sex [2]; time of the incident [2]; time of the incident report [2]; frequency of the incident [2] | 
  • Information for confidant
  • Statistical recording in the dashboard
| Reporter

Content of the chat history, first name, last name [3] | Information for confidant to deal with the report | Persons about whom a complaint is lodged

If the Contractor merely makes the communication system available to the Client (i.e. the concerns of the reporters are handled exclusively by case managers of the Client), the Contractor does not receive any insight into or knowledge of the content of the message processes.

If the Contractor is also responsible for complaint management on behalf of the Client (i.e. the reports are handled by case managers of the Contractor), the Contractor likewise acts exclusively in accordance with instructions in the complaint management. Only in this case shall the Contractor be given access to and knowledge of the content of the message flow between the reporter and the case manager appointed by the Contractor. In this case, the Contractor shall notify the Client and provide it with access to the message flow, in particular when

  • the Client has a justified suspicion arising from its (welfare) duties as an employer within the meaning of the ArbSchG, StGB, BetrVG, AGG or similar legal texts, or
  • the Contractor determines within the framework of complaint management that the disclosure of the message history to the Client is expedient in view of the Client's (welfare) duties within the meaning of the ArbSchG, StGB, BetrVG, AGG or similar legal texts, or there is imminent danger.

The data processing within the framework of the complaint management assumed by the Contractor is carried out by trained specialist personnel of the Contractor. Reporters who have expressly stated that they wish to remain anonymous will be anonymised or made unrecognisable prior to inspection by the Client in accordance with the preceding paragraph of this section. In this case, the Client or its case manager will only be informed of the content of the concern of the Reporting Party, but not of the identity of the Reporting Party.

3. Duties of the Contractor

The Contractor may only process data of the persons concerned within the scope of the order and the instructions of the Client. The Contractor shall inform the Client without delay if it is of the opinion that an instruction violates applicable laws. The Contractor may suspend the implementation of the instruction until it has been confirmed or amended by the Client.

The Contractor shall take all necessary protective measures to adequately protect the data of the Client in accordance with Art. 32 GDPR. Further details are set out in section 5 of this Agreement.

The Contractor shall support the Client, to the extent agreed and as far as possible, in fulfilling the requests and claims of the persons concerned in accordance with Chapter III of the GDPR and in complying with the obligations set out in Art. 33 to 36 GDPR.

The persons employed in the data processing by the Contractor are prohibited from collecting, processing or using personal data without authorisation. The Contractor shall obligate all persons entrusted by it with the processing and performance of this contract accordingly (obligation of confidentiality, Art. 28 para. 3 lit. b) GDPR) and shall ensure compliance with this obligation with due care, unless there is an appropriate statutory obligation to maintain secrecy. Upon request, the Contractor shall provide the Client with suitable proof of these obligations.

The Contractor has appointed a data protection officer. The Contractor shall publish the contact details of the data protection officer on its website and communicate them to the supervisory authority. At the request of the Client, the Contractor shall provide appropriate proof of publication and notification.

The Contractor shall correct or delete the contractual data if the Client so instructs and this is covered by the scope of the instructions. If a deletion in conformity with data protection, or a corresponding restriction of data processing, is not possible, the Contractor shall, on the basis of an individual order by the Client, destroy data carriers and other materials in conformity with data protection or return these data carriers to the Client, unless already agreed in the contract.

Data, data carriers and all other materials shall either be surrendered or deleted at the Client’s request at the end of the order. If additional costs are incurred as a result of deviating specifications for the surrender or deletion of the data, these shall be borne by the Client.

In the event of a claim against the Client by an affected person with regard to any claims pursuant to Art. 82 GDPR, the Contractor undertakes to support the Client in defending the claim within the scope of its possibilities.

4. Duties of the Client

The Client shall inform the Contractor immediately and completely if it detects errors or irregularities in the results of the order with regard to data protection regulations.

In the event of a claim against the Client by a person concerned with regard to any claims under Art. 82 GDPR, section 3 para. 8 shall apply mutatis mutandis.

The Client shall inform the Contractor of the contact person for data protection issues arising within the framework of the main contract.

5. Technical and organisational measures

In its area of responsibility, the Contractor shall design its internal organisation in such a way that it meets the special requirements of data protection. It shall take all necessary technical and organisational measures for the adequate protection of the data of the Client according to Art. 32 GDPR. To this end, the Contractor shall in particular (i) ensure the confidentiality, integrity, availability and resilience of the systems and services in connection with the processing in the long term, as well as (ii) the ability to ensure the availability of the data and access to them during a physical or technical incident on the part of the Contractor. Prior to the commencement of the processing of the data, the Contractor shall have implemented the technical and organisational measures listed in Annex A to this contract to ensure the security of the processing of the data, and shall maintain them for the duration of this Agreement.

The Contractor guarantees to fulfil its obligations according to Art. 32 para. 1 lit. d) GDPR by using a procedure to regularly check the effectiveness of the technical and organisational measures for ensuring the security of the processing.

As the technical and organisational measures are subject to technical progress and further technological development, the Contractor shall be permitted to implement alternative and adequate measures as long as they do not fall below the level of security laid down in Annex A. The Contractor shall be entitled to take such alternative and adequate measures to ensure that the security of the systems is maintained. The Contractor shall document such changes. The Client may request a current version of the technical and organisational measures at any time.

The Client is aware of the technical and organisational measures taken by the Contractor. The Client is responsible for ensuring that these provide an appropriate level of protection for the risks of the data to be processed.

6. Reports of data protection violations

The Contractor shall inform the Client without delay if it becomes aware of any infringements or potential infringements of the protection of personal data of the Client. The Contractor shall also inform the Client of the nature of the infringement, if possible, stating the categories and the number of persons concerned, the data records concerned and their number.

The Contractor shall immediately take the necessary measures to secure the data and to reduce possible negative consequences for the persons concerned, inform the Client thereof and consult with the Client without delay. In addition, the Contractor shall be obliged to provide the Client with information at any time if the Client’s data are affected by an infringement pursuant to paragraph 1 of this section.

The Contractor is obliged to document all (potential) violations of data protection, including all related facts, in a way that enables the Client to prove compliance with any relevant legal reporting obligations (e.g. according to Art. 33 and 34 GDPR).

Should the Client’s data be endangered by seizure or confiscation at the Contractor, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall immediately inform the Client thereof. The Contractor shall immediately inform all persons responsible in this context that the sovereignty over and ownership of the data lies exclusively with the Client within the meaning of the GDPR.

7. Requests from data subjects

If a data subject addresses the Contractor with requests for correction, deletion or information, the Contractor shall refer the data subject to the Client, provided that assignment to the Client is possible on the basis of the data subject's details. The Contractor shall forward the application of the person concerned to the Client without delay. The Contractor shall support the Client within the scope of its possibilities on instruction, if so agreed. The Contractor shall not be liable if the Client does not respond to the request of the person concerned, does not respond correctly or does not respond in due time.

8. Verification and inspection rights

The Contractor shall prove to the Client by appropriate means that the obligations laid down in this contract have been fulfilled.

If, in individual cases, inspections are to be carried out by the Client or by an inspector commissioned by the Client, these shall be carried out during normal business hours, without disrupting business operations and after prior notice with a reasonable lead time. The Contractor may make such inspections dependent on prior notification with a reasonable lead time and on the signing of a confidentiality agreement with regard to the data of other Clients of the Contractor and the technical and organisational measures set up. If the inspector commissioned by the Client is in a competitive relationship with the Contractor, the Contractor has a right of objection against this inspector.

The Client agrees to the appointment by the Contractor of an independent external auditor, provided that the Contractor provides a copy of the audit report.

If a data protection supervisory authority or another sovereign supervisory authority of the Client carries out an inspection, paragraph 2 of this section shall apply mutatis mutandis. It is not necessary to sign a confidentiality agreement if this supervisory authority is subject to professional or legal confidentiality, a violation of which is punishable under the Criminal Code.

9. Third party provider

The use of third-party providers as further processors is only permissible if the Client has given its prior consent.

A third-party supplier relationship requiring approval exists if the Contractor commissions further contractors to perform all or part of the service agreed in the main contract. The Contractor shall enter into agreements with these third parties to the extent necessary to ensure appropriate data protection and information security measures.

The contractually agreed services or the partial services described below are carried out with the involvement of third parties:

  1. Hosting of the application via the “Open Telekom Cloud” service in Magdeburg, Germany by Telekom Deutschland GmbH in Landgrabenweg 151, 53227 Bonn, Germany
  2. Monitoring of the application incl. log files by AppSignal B.V. in Herengracht 504, 1017 CB Amsterdam, Netherlands
  3. Monitoring of the application including log files and error messages by Functional Software, Inc. dba Sentry, 132 Hawthorne Street, San Francisco, CA 94107, USA
  4. Sending of notifications by Mailjet GmbH, Rankestr. 21, 10789 Berlin, Germany

The Contractor shall obtain the Client’s consent prior to the involvement of further third parties or the replacement of listed third parties, whereby such consent may not be withheld without good cause under data protection law.

The Contractor shall not pass on orders to third parties within the framework of the activities agreed in the main contract.

If the Contractor places orders with third parties, the Contractor shall be responsible for transferring its data protection obligations under this contract to the third party.

10. Liability and compensation

The Client and the contractor shall be liable to the persons concerned in accordance with the provisions of Art. 82 GDPR.

11. Contract term and termination

The term of this agreement corresponds to the term of the main agreement. Termination of the main contract automatically results in termination of this contract. An isolated termination of this contract is excluded.

The Client shall be entitled to terminate this contract and the main contract for good cause if the Contractor breaches material obligations under this contract or instructions of the Client and fails to remedy the breach in question after a warning from the Client.

12. Termination of the main contract

Upon termination of this Agreement, the Contractor shall, at the option of the Client, delete all data of the Client unless an obligation to store personal data exists under Union law or the law of the Federal Republic of Germany, or return such data in an appropriate manner.

In the event of the deletion of the data of the Client, the Contractor shall document this in a protocol.

Documentation which serves as proof of orderly and proper data processing or statutory retention periods shall be retained by the Contractor beyond the end of the contract in accordance with the respective retention periods.

13. Final provisions

Amendments and supplements to this contract and all its components – including any assurances by the contractor – require a written agreement, which can also be made in an electronic format (text form), and an express reference to the fact that these terms and conditions are amended or supplemented. This also applies to the waiver of this formal requirement.

In the event of any contradictions, the provisions of this contract on data protection shall take precedence over the provisions of the main contract. Should individual provisions of this contract be wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions of this contract.

This contract is subject to German law. The exclusive place of jurisdiction is Münster.

[1] Case managers should be trained individuals from at least one of the following groups: Confidential Representatives, Equality Officers, Compliance Officers, Ethics Officers, Human Resources Officers, Works Council Members, Internal/External Lawyers, Internal/External Psychologists.

[2] Voluntary information

[3] Processing and knowledge of this data by the contractor will only take place if the contractor also takes over the complaint management.

Annex A – Technical and organisational measures in accordance with Art. 32 GDPR

1. Confidentiality (Art. 32 I lit. b) GDPR)

a. Entry control

The application data is processed at two different locations: the Lytt office and data centres provided by subcontractors.

Data center

Lytt uses a subcontractor, the Open Telekom Cloud of Telekom Deutschland GmbH, for server operation in the data center. The subcontractor will be audited by Lytt in accordance with the contract agreement. The data center of the subcontractor contracted by Lytt meets at least the following requirements:

Entry controls

  • Alarm monitoring
  • Person verification and identification on access
  • Access Logging
  • Camera surveillance and motion and intrusion detectors
  • Personnel control and monitoring by on-site personnel

These security measures are ensured by the subcontractor around the clock, seven days a week.

Office premises

The offices of Lytt GmbH are located on the 4th floor of Alter Fischmarkt 12 in 48143 Münster. Access to the offices is protected by the following measures:

  • Transponder locking system
  • Access Logging
  • Documented output and return or locking of the transponders

b. General Access control

Lytt takes extensive measures to prevent unauthorized use of its employees’ computers, its own servers and external services (e.g. administration of rented servers):

  • All non-public services are protected as a minimum by individual username/password combinations.
  • Logging in to critical services is only possible with two-factor authentication, i.e. with user name, password and an additional, separately generated one-time token.
  • External access to the office network is only possible via an encrypted VPN connection.
  • If employees use company-owned smartphones, these are protected by full encryption and can be deleted by a central administration platform in the event of theft or loss.
  • The data on the employees’ computers is completely encrypted and can only be decrypted after the user has logged in, in order to prevent access to the data in the event of loss or theft of the computer.
  • The exclusive use of Linux and Apple computers significantly reduces the possibility of attacks on the systems.

c. Special Access control

Lytt uses a variety of measures to ensure that people can only access IT systems and the data stored on them in accordance with the access rights they have been granted. This is achieved by the following measures:

  • Users and their access rights are centrally managed, activated and blocked.
  • The administration of the users for security and data protection relevant systems is only possible by the managing director and a leading employee.
  • Password policies, including password length and change intervals, are specified for access to the systems used, where technically possible.
  • For the proper destruction of documents and optical data carriers, a document shredder of security level 3 according to DIN 32757 is used.

d. Separation control

With the following measures Lytt realizes the separation of the data of different Clients or Client projects:

  • During operation, the data of each Client are stored on separate servers.
  • Production and test systems are operated separately.
  • If a logical separation of Clients within the application is necessary, this is carried out together with the Client within the framework of the application development.

e. Pseudonymization and Encryption (Art. 32 I lit. a) GDPR)

Lytt ensures that data records are pseudonymized and encrypted even when they are transmitted to third parties.

2. Integrity (Art. 32 I lit. b) GDPR)​

a. Forwarding control

Data between the Client and the Contractor are transmitted exclusively electronically; data transport by physical data carrier does not take place. Accordingly, the following measures are taken to secure personal data during transmission:

  • Data is transmitted exclusively encrypted (via SSH, TLS or VPN connection).
  • If application data is required to demonstrate functions of the application (so-called test data), it is pseudonymized before it is transferred to the test system.
  • Access to systems with personal data is logged.

b. Input control

The following measures shall ensure verification and determination of whether and by whom personal data have been entered, modified or removed:

  • During application development and operation, Lytt shall not enter or modify any application data. This is the sole responsibility of the Client.
  • The deletion of data backup files within the scope of operation is carried out after the deadline specified by the Client.
  • Measures within the application which ensure the traceability of data changes and implement deletion and blocking periods are to be commissioned by the Client within the framework of the cooperation.

3. Availability and resilience (Art. 32 I lit. b) GDPR)

Personal data will be processed in the subcontractor’s computer centre and in Lytt’s offices. Accordingly, in order to protect personal data from accidental destruction or loss, a distinction must be made between the measures taken at both sites.

a. Data center

The subcontractor for the server operation in the data center is contractually obliged to ensure availability at least with the following measures:

  • Uninterruptible power supply operation
  • Temperature, humidity and climate monitoring
  • Fire and smoke detection systems
  • Automatic fire extinguishing systems

b. Recoverability (Art. 32 I lit. c) GDPR)​

To protect personal data from accidental loss, destruction or damage, all relevant data is backed up on a daily basis (Art. 32 GDPR).

Data backup includes both the database and all uploaded files in online storage. This ensures the integrity of all data collected.

The backups are performed daily and stored in storage separate from normal operation. The retention periods are as follows:

  • Daily backup for one month (30 days)
  • Weekly backup for one year

All data will be irretrievably deleted after expiry of the respective deadlines. All files are backed up completely (non-incrementally) so that the integrity of only one backup is required for recovery.

The result of the data backup is encrypted before it is transferred to the backup storage. Symmetric AES encryption with a key length of 256 bit, which complies with the highest security standards, is used. The key is stored in a keychain to which only administrators have access. The backup storage that is separate from normal operation is secured by the same arrangements as the infrastructure of normal operation: selective access only for necessary persons (administrators) and two-factor authentication. The backup is only decrypted again, outside the backup storage, when the data is restored, so there is never any unencrypted data in the backup storage. The backup itself is also transferred via an encrypted connection. Thus data in transit as well as data at rest are always encrypted.

In order to comply with the storage limitation principle (Art. 5 GDPR), the automated blocking and deletion rules relevant for personal data are applied to the data before a restored data backup is put into operation. This ensures that data that has been deleted in the meantime but was still present in the backup is deleted again.

The program that backs up the data is also used to restore the data. Both backup and recovery are documented and can be easily implemented by authorized persons (see above).

The daily data backup is monitored. In the event of an error, qualified employees are notified immediately. The notification takes place via an escalation system, which first sends SMS messages and then makes automated telephone calls to the employees. The escalation is not stopped until the employees confirm the escalation. In addition, if an error occurs, the system automatically tries several times to restart the data backup.

4. Procedures for periodic review, assessment and evaluation (Art. 32 I lit. d) GDPR)

In order to ensure that personal data processed on behalf of the Client are processed only in accordance with the instructions of the Client, Lytt shall, inter alia, take the following measures:

  • Review of existing subcontractor certifications (specifically ISO 9001, ISO 27001 and ISO 27018)
  • Conclusion of a data processing agreement or EU standard contractual clauses
  • Review of other documentation and research results that allow an assessment of a vendor’s reliability
  • Control of contract execution

5. Obligation of persons involved in data processing (Art. 32 IV GDPR)

Lytt guarantees that persons and freelancers who have access to personal data will only process them on the instructions of the data controller or processor and will take the following measures to this end:

  • Information about the rights and obligations in handling personal data
  • Conclusion of a confidentiality agreement between Lytt and the persons
  • Regular training courses in handling personal data

6. Data protection by design and data protection-friendly default settings (Art. 25 I and II GDPR)

a) Data protection by design

The chat sessions conducted via Lytt’s communication system are always encrypted (two-way communication). Furthermore, a role concept has been set up to restrict data access and user rights. In addition, Lytt uses flexible audit trails to ensure data minimization.

b) Data protection-friendly default settings

Within the Lytt communication system, chat histories are automatically stored in encrypted form. Access rights are automatically adjusted or restricted to the different user roles (Admin, Reporter, Third Party, Case Manager). Lytt employees’ access rights to devices connected to the Lytt network are automatically restricted.

Last modified: August 2019