Terms and DPA for SaaS use

Provider:
Digital Control GmbH & Co. KG
Kaistraße 16a
40221 Düsseldorf
GERMANY
(hereinafter also: “DC” or “Contractor”).

This Agreement and the Order Data Processing Agreement are entered into between DC and the person or company using Software as a Service (SaaS) products from DC (“Customer”). This Agreement shall become effective at the time Customer clicks a button to indicate its agreement to the terms of this Agreement, when Customer completes an order form or similar form or login from DC that references or otherwise incorporates this Agreement, or upon Customer’s use of the Service, whichever occurs first.

If this Agreement is entered into on behalf of an entity, that entity shall be deemed to be Customer and the person acting on behalf of the entity represents that he or she has authority to bind that entity by this Agreement.

DC and the Customer are hereinafter also referred to as the “Contracting Party” or the “Parties”.

1 Preamble

Digital Control operates software for media planning and digital marketing processes. Digital Control provides its customers with a platform for its campaign management and this software as a cloud-based service.

In essence, this involves access to and use of a campaign management platform with the products Media Desk, Intelligence Qube, Campaign Planner and Finance Desk.

2 Definitions

The Campaign Management Platform provided by DC “as a Service” is hereinafter referred to as the “DC Platform”.

The “Media Desk”, “Intelligence Qube”, “Campaign Planner” and “Finance Desk” products provided on the DC Platform as a Service, are hereinafter referred to as “DC Products”.

“DC Services” collectively means the DC Platform and DC Services offered by DC through its websites and applications (including all optional applications and apps), as a cloud service (“as-a-Service”), and which are accessible under the terms and conditions set forth in this Agreement.

“End Users” may be employees of Customer itself or employees of Customer’s service providers or employees of Customer’s own customers.

“End User Accounts” means the accounts on the DC Platform individually set up for the End Users to use the DC Products.

“Customer Data” means the data that Customer or the End Users may upload to the DC Platform, including the results provided to Customer on the DC Platform as part of Customer’s use of the DC Products.

3 DC Services

3.1 Rights of Access and Use

DC grants Customer a non-exclusive, non-sublicensable, non-transferable right, limited to the purposes of this Agreement, that its End Users may access the DC Platform during the term of this Agreement and use the DC Products there in accordance with the more detailed provisions of this Agreement. The use is limited to the number of agreed end user accounts.

The right to all work results obtained by DC in connection with the provision of Additional Contractual Services shall remain with DC. Customer shall be granted the simple, geographically unlimited and non-transferable right to use the contractually agreed Additional Contractual Services and work results in accordance with their purpose during the term of the contract. Any use and/or granting of rights to Additional Contractual Services and work results that deviate from or go beyond this shall require a separate agreement.

3.2 Provision of the DC Services

The DC Services shall be accessible and usable exclusively via internet browser. DC shall provide the necessary technical infrastructure for this purpose. DC shall inform the Customer from time to time about compatible browsers and browser versions; as a rule, the latest browser version shall be used. At the time of the conclusion of the contract, browsers with Webkit or Gecko Engine are supported (e.g. Chrome). DC intends to ensure and maintain the functionality for as many other browsers as possible.

3.3 Provision of the End User Accounts

The use of the DC Services requires that an end user account be created on a per-user basis for the respective end user to be named by Customer. Customer will define a unique, personal email address for each account, which will then be used to log in to the respective account. In order to gain access to the end user account, the end user will receive an email with a password. Customer shall ensure that End Users provide complete and current information about themselves and shall be responsible for ensuring that Access Data remains confidential and secure. The Customer is aware that misuse or malicious third-party use of the system can cause significant financial damage.

3.4 Account management and responsibility

Customer acknowledges that it retains administrative control over who it grants access to the DC Services, including stored data. Customer is responsible for maintaining the security of end user accounts and passwords. It has also obtained all legally required consents and permissions from End Users for the collection and processing of personal data by the DC Services.

3.5 Handling of the DC Services; Obligations of the Customer

The Customer shall

– always allow End User Accounts and their logins to be used only by the individual End Users designated for the respective End User Account (except that End User Accounts may be reassigned to new End Users as replacements for individuals who permanently cease to use the DC Services for any reason). Unless otherwise agreed in this Agreement, sharing of logins across different individuals is not permitted. Customer agrees that IP addresses may be collected in this context and that other technologies may be used to verify compliance;
– not rent, sublicense, resell, assign, transfer, distribute, grant time-share use of, or similarly exploit DC Services;
– not reverse engineer, copy, modify, adapt, hack or otherwise attempt to gain unauthorized access to the DC Services or any systems or networks connected to the DC Services;
– not access DC Services, DC Documentation or DC Confidential Information to build a competing product or service;
– ensure that its end users do not access or use the DC Services in any of the following ways:
  – to send or store infringing, obscene, threatening, or otherwise unlawful material, including material that violates a third party’s right of informational self-determination;
  – in violation of applicable laws;
  – to knowingly or intentionally send or store material that contains software viruses, worms, Trojan horses or other harmful computer code, files or scripts;
  – in a manner that violates the integrity or performance of the DC Services (or the data contained therein).

3.6 Compliance Responsibility

Customer is responsible for its End Users’ use of the DC Services and for End Users’ compliance with this Agreement. Customer shall also be solely responsible for the accuracy, quality, legality, reliability and appropriateness of all Customer Data stored in Contractor’s systems.

Customer shall notify DC immediately if it becomes aware of any unauthorized use of or access to Customer’s account or the DC Software.

3.7 Prohibited use

Customer is prohibited from the following actions:

– accessing, tampering with, or using non-public areas of DC’s services and websites, DC’s computer systems, or DC’s providers’ technical support systems;
– examining, interrogating or testing the vulnerabilities of any system or network, or violating or circumventing any security or authentication measures;
– accessing or searching DC’s services by means other than DC’s publicly supported interfaces (e.g., “scraping”);
– attempting to disrupt or overburden DC’s infrastructure by intentionally making inappropriate requests or straining resources (e.g., using “bots” or other automated systems to send requests to DC’s servers beyond what a human user could send in the same time period); or
– interfering with or disrupting access by users, hosts or networks, including, without limitation, by sending viruses, overloading, flooding, spamming, mail-bombing the DC Services and the Websites, or scripting the creation of User Content in a manner that interferes with or imposes an unreasonable load on the DC Services and the Websites.

3.8 Indemnification, Access Restriction

Customer shall indemnify DC against any claim by third parties in connection with a breach of the obligations under this Section 3, including any costs triggered by the claim.

In case of an imminent or actual breach of the obligations under clause 3 as well as in case of the assertion of not obviously unfounded claims of third parties against DC for the omission of the complete or partial presentation of the contents stored on the DC Platform via the Internet, DC shall be entitled, also taking into account the legitimate interests of the Customer, to temporarily or permanently suspend or otherwise block the connection of such contents to the Internet in whole or in part with immediate effect if the Customer does not block such contents himself within a period of 24 hours after receipt of a respective request. In case of (i) a material breach of the aforementioned obligations, (ii) special urgency or imminent danger, (iii) a not obviously illegal official order or a court decision as well as (iv) in case of a legal obligation, DC may also discontinue or otherwise block the connection of such content without prior notice; in such case DC shall inform Customer about such measure without undue delay.

4 Updates

Updates of the existing functions within the defined scope of services are included during the term of the contract. Within the scope of maintenance, the DC Services shall be adapted to technical changes customary in the market, but DC shall endeavor to avoid fundamental and comprehensive changes, each of which would require a new creation of the DC Services or parts thereof.

Since DC also provides the Services to essentially all Customers in a uniform manner as so-called Software-as-a-Service Services, the DC Services agreed with the Customer shall be subject to a unilateral right of modification by DC, provided that such modification is necessary for the correction of errors, for updating and completion, for program-technical optimization, for better handling or for licensing reasons. If such a change leads to a not only insignificant devaluation of the services to which the Customer is entitled, the Customer may either demand a reduction of the remuneration in accordance with the devaluation or terminate the contract without notice. The right of termination may be exercised within a period of eight weeks from the occurrence of the change.

5 Additional services

Customer requests exceeding the contractually agreed scope of functions of the DC Services may be commissioned after a feasibility check via separate cost estimates. These development services shall be invoiced on the basis of time, material and effort.

6 Support

For the communication of the Customer with the technical service desk of DC, a ticket system shall be provided upon request of the Customer and only against appropriate remuneration, which can be reached by e-mail. Incidental problems will be recorded in the ticket system and the problem solution will be controlled and documented via this system.

The contact of the support will be acknowledged with a confirmation of receipt. The subsequent feedback includes (as far as possible at this point in time) information on the duration of the problem resolution.

7 Data Protection

DC and the Customer assure to observe and comply with all legally applicable data protection regulations as well as all official requirements. Insofar as DC acts as a processor of the Customer within the scope of the DC Services, the contracting parties shall conclude a contract processing agreement.

Customer shall be responsible for the permissibility under data protection law of the transfer of Customer Data, including the personal data of its end users. Customer shall ensure that it is authorized to transfer the relevant Customer Data to DC so that DC and its service providers may lawfully use, process and transfer the Customer Data on behalf of Customer in accordance with this Agreement.

8 Access to Data by DC

Customer shall provide DC with all data necessary for DC to fulfill its contractual obligations. Customer hereby grants DC the right to host, copy, access, process, transmit and display such data in order to

– maintain, provide and improve the DC Services and to perform this Agreement;
– prevent or manage technical or security problems and resolve support requests;
– investigate whether Customer or any End User has violated this Agreement or any legal requirements.

9 Warranty

DC points out that according to the current state of the art it is not possible to create hardware and software in such a way that it works error-free in all application combinations or can be protected against any manipulation by third parties. DC therefore does not warrant that hardware and software used or provided by DC will meet Customer’s requirements, will be suitable for particular applications, and further that they will be free from crashes, errors and malware.

The Customer shall notify DC in writing or in text form in a comprehensible manner of any defects and errors which have occurred immediately after their discovery.

Insofar as the contractual use of the DC Services is suspended as a result of a defect which is subject to the liability for defects under the lease agreement, the Customer shall be released from the payment of the remuneration for the impaired service for the period during which the use is suspended. For the time during which the suitability for the contractual operation is reduced, the Customer shall only pay an appropriately reduced remuneration.

As far as the services rendered by DC are subject to the liability for defects under the contract for work and services, DC shall have the right of choice regarding the subsequent performance. If DC is not able to remedy the defect or to provide a defect-free replacement, DC shall show the Customer workarounds. As far as these are reasonable for the Customer, they shall be deemed as supplementary performance.

10 Limitation of Liability

DC shall be liable, irrespective of the legal grounds, only in accordance with the following provisions.

10.1 DC shall be liable for intent and gross negligence in accordance with the statutory provisions.

10.2 In the event of slight negligence, DC shall only be liable in the event of a breach of a material contractual obligation, the fulfillment of which is a prerequisite for the proper performance of the contract and on the observance of which the Customer may regularly rely (cardinal obligation). In these cases DC shall only be liable to the amount of the foreseeable damage typical for the contract. Liability for indirect and / or consequential damages as well as for pure financial losses, such as loss of profit, loss of savings or loss of use is excluded. In cases of slight negligence, liability shall be limited to the amount of the net remuneration per claim paid in the 12 months preceding the claim. In cases of slight negligence, liability for all other damages, in particular indirect damages, is excluded.

10.3 The above limitations shall not apply in the event of injury to life, limb or health, or in the event of liability under the Product Liability Act.

10.4 DC shall not be liable for the loss of data and/or programs insofar as the damage is due to the fact that the Customer has failed to carry out proper data backups incumbent upon it and thus to ensure that lost data can be restored with reasonable effort.

10.5 DC shall not be liable for interruptions, malfunctions, failures or other events causing damage which are beyond DC’s control and for which DC is not responsible (e.g. hacker attacks / other cyber risks/attacks).

10.6 Any strict liability of DC for initial defects based on § 536a BGB is excluded. For such initial defects, DC shall therefore only be liable if and to the extent DC is responsible for them.

10.7 To the extent that DC’s liability is excluded or limited, this shall also apply to the liability of DC’s employees, other staff, representatives and vicarious agents.

11 Third Party Rights / Indemnification / Special Termination

11.1 DC shall indemnify the Customer at its own expense against all claims of third parties based on infringement or unlawful use of intellectual property rights of such third party by the DC Services. This shall not apply if such claim is based on a culpable breach of duty by the Customer towards DC under this Agreement. The Customer shall inform DC without undue delay about the asserted claims of third parties. If he does not inform DC immediately about the asserted claims, this right of indemnification shall expire.

11.2 In the event of a claim for indemnification due to infringement of property rights within the meaning of Section 12.1, DC may, at its own discretion and at its own expense, (a) after prior consultation with the Customer, make changes with regard to the affected performance which, while safeguarding the interests of the Customer, ensure that there is no longer any infringement of property rights, or (b) acquire the necessary rights of use for the Customer.

11.3 If the measures described under (a) and (b) above cannot be implemented or can only be implemented with disproportionate effort, DC may terminate the affected part of the contract extraordinarily and without observing a notice period. If the remaining part of the contractual services is no longer reasonable for the Customer, the Customer may for its part terminate the contract extraordinarily and with immediate effect within two weeks after receipt of the notice of termination from DC.

12 Availabilities, Maintenance Windows

DC shall ensure that the DC Services are provided essentially in accordance with the defined scope of functions.

DC shall ensure a minimum availability of the DC Services of approximately 98% per calendar month, although shortfalls are possible and common. In the event of a failure of availability which is within the Contractor’s sphere of responsibility, the Contractor shall immediately take all commercially reasonable steps to restore availability.

Maintenance windows, the application of patches, updates or upgrades and upgrades of the hardware infrastructure shall be coordinated with the Customer, as far as possible, and shall not be included in the calculation of availability.

13 Remuneration and term

13.1 Remuneration

Fees are specified in the applicable Order Form and are based on the number of End Users and the version of the Service purchased. Customer shall pay all fees when due and is responsible for providing complete and accurate billing information. If such fees are paid by credit card or other electronic means, Customer authorizes DC to bill such fees using Customer’s chosen payment method. DC reserves the right to block Customer’s account and any other rights available to it in the event that Customer defaults on payment of the Fee.

13.2 Term and renewal

Customer agrees that its subscription will automatically renew annually or monthly depending on Customer’s subscription. Customer must cancel prior to the renewal date to avoid being billed for subscription fees for the next period. DC reserves the right to periodically determine the total number of End Users and, in the event that the number of End Users is greater than provided for in Customer’s current Subscription, to bill Customer for the applicable tier on a pro rata basis for the remaining period of the Subscription.

13.3 Changes to the remuneration

DC reserves the right to change the fee rates and/or billable amount structure for the Service at any time. DC will notify Customer in text form of any changes to the remuneration at least six weeks before the changes come into effect. If the Customer objects at least in text form within four weeks after receipt of a notification about a price increase, DC shall have the option to continue the contract at unchanged conditions or to terminate the contract subject to a notice period of three months.

14 Termination

14.1 Termination

The contract may be terminated by the Customer in writing by giving three months’ notice to the end of the respective contract term. DC may terminate the contract at any time by giving three months’ notice.

14.2 Termination for cause

The right to terminate the contract without notice for good cause shall remain unaffected. An important reason exists for DC in particular if the customer

– is in default with the payment of the remuneration with an amount in total of two monthly remunerations or a not insignificant part of the monthly remuneration;

– culpably violates an essential contractual obligation and the customer fails to remedy the situation within a reasonable period of time despite a warning;

– gets into an economic situation or a substantial deterioration of the customer’s assets occurs, which makes it likely that the customer will no longer be able to fulfill his contractual obligations;

– violates legal prohibitions, in particular the infringement of copyright, competition, name or data protection laws;

– seriously or repeatedly violates its obligations under Section 3.6, Section 3.7, Section 3.8 or other provisions of this Agreement that protect IT security or the rights of third parties; or

– publishes national socialist, racist, radical or illegal content.

DC shall also be entitled to terminate without notice if an application for the opening of insolvency proceedings or comparable proceedings has been filed against the Customer’s assets and has not been rejected or withdrawn by the insolvency court within two months after filing the application or if the opening of insolvency proceedings has been rejected for lack of assets.

15 Confidentiality

Each of the contracting parties undertakes to keep confidential the contents of this Agreement and the information and documents disclosed by the respective other contracting party and/or a company affiliated with the latter within the meaning of Sections 15 et seq. AktG (German Stock Corporation Act) in connection with this Agreement orally, in writing or in any other way, not generally and/or publicly and/or already known to the Receiving Party (“Confidential Information”) during and after the termination of this Agreement. The Receiving Party further undertakes to use the Confidential Information exclusively for the purposes of this Agreement and not to disclose the Confidential Information directly or indirectly to third parties and to make it available only to such employees, (external) staff and consultants who absolutely need the Confidential Information for the purposes of this Agreement and who are in turn correspondingly obliged to maintain confidentiality. Companies affiliated with the receiving Contracting Party within the meaning of § 15 et seq. AktG (German Stock Corporation Act) shall not be deemed third parties within the meaning of the preceding sentence, provided that such companies are themselves subject to a corresponding confidentiality obligation vis-à-vis the receiving Contracting Party and that their employees, (external) staff and consultants are also subject to a corresponding confidentiality obligation. All rights to the Confidential Information shall remain with the respective disclosing Contracting Party.

16 General Provisions

No ancillary agreements have been made to this contract. Amendments to the contract must be made in writing. This shall also apply to agreements on the cancellation of the agreed written form requirement.

This contract shall be governed by the laws of the Federal Republic of Germany to the exclusion of the UN Convention on Contracts for the International Sale of Goods.

Place of performance shall be the registered office of DC. The place of jurisdiction for all disputes between the contracting parties arising from and in connection with the present contractual relationship shall be Düsseldorf. DC shall furthermore be entitled to sue the Customer at its respective place of business.

Should any provision of the contract be or become invalid or should the contract contain a gap that needs to be filled, this shall not affect the validity of the remaining provisions. The contracting parties undertake to replace the invalid provision with a valid provision that comes closest to the economic purpose of the invalid provision. The same shall apply in the event of a gap in the contract.

Data Processing Agreement (DPA)

DPA in accordance with §28 of the General Data Protection Regulation (German DSGVO)
and § 62 Federal Data Protection Act (German BDSG)

Between the customer / (responsible person)

and

Digital Control GmbH & Co. KG
Kaistraße 16a
40221 Düsseldorf
GERMANY

– Contractor / Processor –

1 General

The Contractor processes personal data on behalf of the Customer within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 – General Data Protection Regulation (GDPR). This contract regulates the rights and obligations of the parties in connection with the processing of personal data. It applies to all activities in which employees of the Processor or other Processors commissioned by the Processor may come into contact with personal data of the Controller.

Insofar as the term “data processing” or “processing” (of data) is used in this contract, the definition of “processing” within the meaning of Art. 4 No. 2 DSGVO shall apply.

2 Subject of the commission

The Processor processes personal data of the Controller exclusively on behalf of and according to the instructions of the Controller. The subject of the processing, the type and purpose of the processing, the type of personal data and the categories of data subjects are set forth in “Annex 1 – Subject Matter of the Order” to this Agreement.

3 Rights and Obligations of the Customer

3.1

The Customer is the controller within the meaning of Art. 4 No. 7 DSGVO for the processing of data on behalf of the Contractor. The Customer shall remain solely responsible for the processing of personal data carried out on its behalf. The Contractor shall therefore only process this data on the Customer’s instructions, unless it is obliged to process it otherwise in accordance with statutory provisions.

3.2

As the responsible party, the Customer shall be responsible for safeguarding the rights of the data subject. The Contractor shall inform the Customer without delay if data subjects assert their data subject rights against the Contractor.

3.3

The Customer shall have the right to issue supplementary instructions to the Contractor at any time regarding the type, scope and procedure of data processing. Instructions must be given in text form (e.g. e-mail).

3.4

The Customer warrants that the data to be collected for it or transmitted by it does not directly reveal racial and ethnic origin, political opinions, religious or ideological convictions or trade union membership. Likewise, it does not transmit data on criminal convictions or criminal offenses, genetic data, biometric data, health data or data on a person’s sex life or sexual orientation.

3.5

The Customer may name persons authorized to issue instructions. If persons authorized to give instructions are to be named, they shall be named in the Annex. In the event that the persons authorized to give instructions change at the Customer, the Customer shall notify the Contractor thereof in text form.

3.6

The Customer shall inform the Contractor without undue delay if it discovers errors or irregularities in connection with the processing of personal data by the Contractor. In case of erroneous transmission of data, the Customer shall inform the Contractor without undue delay and support the Contractor and possible subcontractors in removing the relevant information from the systems at its own expense.

3.7

In the event that a duty to inform third parties pursuant to Art. 33, 34 DSGVO or any other statutory notification obligation applies to the Customer, the Customer shall be responsible for compliance therewith.

4 General obligations of the Contractor

4.1

The Contractor shall process personal data exclusively within the framework of the agreements made and/or in compliance with any supplementary instructions issued by the Customer. Exceptions to this are legal regulations which may require the Contractor to process the data in a different manner. In such a case, the Contractor shall notify the Customer of such legal requirements prior to processing, unless the relevant law prohibits such notification due to an important public interest. The purpose, nature and scope of the data processing shall otherwise be governed exclusively by this Agreement and/or the Customer’s instructions. The Contractor is prohibited from processing data in a manner deviating from this unless the Customer has consented to this in writing.

4.2

The commissioned processing shall take place in the member states of the European Union (EU). The transfer of Processed Data to a third country requires the Customer’s consent, which may only be refused for good cause. A reason for refusal is in particular if the third country does not offer an adequate level of protection or otherwise the legal requirements for a transfer of data to the respective country are not met.

4.3

The Contractor shall be obliged to design its company and its operating procedures in such a way that the data which it processes on behalf of the Customer are secured to the extent required in each case and protected against unauthorized access by third parties.

4.4

The Contractor shall inform the Customer without delay if, in its opinion, an instruction issued by the Customer violates statutory regulations. The Contractor shall be entitled to suspend the implementation of the relevant instruction until such time as it is confirmed or amended by the Customer. If the Contractor can demonstrate that processing according to the Customer’s instructions may lead to a liability of the Contractor pursuant to Art. 82 of the GDPR, the Contractor shall be entitled to suspend further processing in this respect until the liability between the parties has been clarified.

4.5

The processing of data on behalf of the Customer outside the Contractor’s premises or subcontractors (e.g. home office) is permitted.

4.6

The Contractor may name to the Customer the person(s) authorized to receive instructions from the Customer. If persons authorized to receive instructions are to be named, they shall be named in the Annex. In the event that the persons authorized to receive instructions change at the Contractor, the Contractor shall notify the Customer thereof in text form.

5 Data Protection Officers

5.1

The Contractor confirms that it has appointed a data protection officer in accordance with Art. 37 DSGVO. The Contractor shall ensure that the data protection officer has the required qualifications and expertise. The Customer’s data protection officer is authorized to issue instructions, the Contractor’s data protection officer to receive instructions.

5.2

The obligation to appoint a data protection officer may be waived at the discretion of the Contractor if the Contractor can prove that it is not required by law to appoint a data protection officer and the Contractor can prove that operational regulations exist which ensure that personal data is processed in compliance with the statutory provisions, the provisions of this Agreement and any further instructions issued by the Customer.

5.3

The data protection officer shall be involved by the respective party in all matters relating to the protection of personal data and shall monitor compliance with the provisions of data protection law. The parties may consult the data protection officer of the respective other party on all issues relating to the processing of personal data pursuant to this Agreement.

6 Reporting obligations of the Contractor

6.1

The Contractor shall be obliged to notify the Customer without undue delay of any infringement of data protection regulations or of the contractual agreements made and/or the instructions issued by the Customer which has occurred in the course of the processing of data by the Contractor or other persons involved in the processing. The same shall apply to any violation of the protection of personal data processed by the Contractor on behalf of the Customer.

6.2

Furthermore, the Contractor shall inform the Customer without undue delay if a supervisory authority takes action against the Contractor pursuant to Art. 58 GDPR and this may also concern a control of the Processing that the Contractor performs on behalf of the Customer.

6.3

The Contractor is aware that there may be a notification obligation for the Customer pursuant to Art. 33, 34 GDPR, which provides for a notification to the supervisory authority within 72 hours after becoming aware of it. The Contractor shall support the Customer in implementing the reporting obligations. In particular, the Contractor shall notify the Customer of any unauthorized access to personal data processed on behalf of the Customer without undue delay, but no later than within 48 hours of becoming aware of such access. The Contractor’s notification to the Customer shall in particular include the following information:

A description of the nature of the personal data breach, including, to the extent possible, the categories and approximate number of data subjects, the categories affected and the approximate number of personal data records affected;
A description of the measures taken or proposed by the Contractor to address the Personal Data Breach and, if applicable, measures to mitigate its potential adverse effects.

7 Duties of the Contractor to Cooperate

7.1

The Contractor shall support the Customer in its obligation to respond to requests for the exercise of data subject rights pursuant to Art. 12-23 GDPR. If a Data Subject contacts the Contractor, the Contractor shall forward the Data Subject’s request to the Customer without delay. Without an instruction from the Customer, the Contractor will not respond to data subject requests itself. Furthermore, taking into account the nature of the commissioned processing and the information available to them, the parties shall support each other in complying with their legal obligations regarding data protection. Namely, this applies to the obligation to ensure the security of the processing, to report data protection violations to the supervisory authority as well as to notify the Data Subjects thereof, to conduct a data protection impact assessment, to consult the supervisory authority and to create a directory of the activities during the commissioned processing.

7.2

The Contractor shall support the Customer in complying with the obligations set out in Art. 32-36 of the GDPR, taking into account the nature of the Processing and the information available to it.

8 Control Powers

8.1

The Customer shall have the right to control the Contractor’s compliance with the statutory provisions on data protection and/or compliance with the contractual provisions made between the Parties and/or compliance with the Customer’s instructions at any time to the extent required. The Contractor shall be obligated to provide the Customer with information to the extent necessary to carry out the control.

8.2

The Customer may request an inspection of the data processed by the Contractor for the Customer and of the data processing systems and programs used.

8.3

The Customer may carry out the inspection within the meaning of paragraph 1 at the Contractor’s premises during normal business hours after prior notification with a reasonable period of notice. In doing so, the Customer shall ensure that the inspections are only carried out to the extent necessary in order not to disproportionately disrupt the Contractor’s operating processes as a result of the inspections.

8.4

The Contractor shall be obligated to provide the Customer with the necessary information in the event of measures by the supervisory authority vis-à-vis the Customer within the meaning of Art. 58 of the General Data Protection Regulation (GDPR), in particular with regard to information and control obligations, and to enable the respective competent supervisory authority to carry out an on-site inspection. The Customer shall be informed of corresponding planned measures by the Contractor.

8.5

The Contractor may object to a commissioned auditor who is in competition with it. Prior to the review, the Customer or auditor shall undertake to maintain confidentiality. The proof of measures which do not only concern the concrete order can also be provided by test certificates or reports of an independent body (e.g., auditor or data protection auditor). The same applies to approved or otherwise suitable certifications by an independent body.

9 Subcontracting Relationships

9.1

The Contractor shall be entitled to engage further subcontractors or to replace the subcontractors by other subcontractors. However, the Contractor shall inform the Customer in advance of the intended change with regard to the addition or replacement. This will give the Customer the opportunity to object to the intended change. Both the information (e.g. by sending an e-mail) and the objection must be in text form. If the Customer raises an objection to the change without good cause, the Contractor shall be entitled to prematurely terminate both this contract and any existing main contract with six weeks’ notice.

9.2

The Contractor shall specify all subcontracting relationships to this contract. Insofar as a subcontractor processes the data in a third country, this shall be noted. To this extent, the Customer consents to the transfer of data to the third country.

9.3

The Contractor shall carefully select the subcontractor and check prior to the
that the subcontractor can comply with the agreements made between the Customer and the Contractor.

9.4

The Contractor shall conclude an order processing agreement with the subcontractor that complies with the requirements of Art. 28 GDPR.

9.5

Services which the Contractor uses from third parties as a purely ancillary service in order to carry out the business activity shall not be regarded as subcontracting relationships within the meaning of paragraphs 1 to 4. This includes, for example, cleaning services, pure telecommunication services without concrete reference to services which the Contractor provides for the Customer, postal and courier services, transport services, guarding services.

10 Confidentiality obligation

10.1

When processing data for the Customer, the Contractor shall be obligated to maintain confidentiality about data that it receives or becomes aware of in connection with the order. The Contractor undertakes to observe the same rules of confidentiality as are incumbent upon the Customer. The Customer shall be obliged to inform the Contractor of any special secrecy protection rules.

10.2

The Contractor warrants that it is aware of the applicable data protection regulations and is familiar with their application. The Contractor further warrants that it has familiarized its employees with the data protection provisions applicable to them and has obligated them to maintain confidentiality. The Contractor further warrants that it has obligated in particular the employees engaged in the performance of the work to maintain confidentiality and has informed them of the Customer’s instructions.

11 Safeguarding of data subject rights

11.1

The Customer shall be solely responsible for safeguarding the rights of data subjects. The Contractor shall be obliged to support the Customer in its duty to process requests from data subjects pursuant to Art. 12-23 GDPR. In this context, the Contractor shall in particular ensure that the information required in this respect is provided to the Customer without undue delay so that the Customer can in particular comply with its obligations under Art. 12 (3) GDPR.

11.2

Insofar as the Contractor’s cooperation is required for the protection of data subject rights – in particular to information, correction, blocking or deletion – by the Customer, the Contractor shall take the measures required in each case in accordance with the Customer’s instructions. The Contractor shall support the Customer as far as possible with suitable technical and organizational measures in fulfilling its obligation to respond to requests for the exercise of data subject rights.

12 Confidentiality obligations

12.1

Both parties undertake to treat all information received in connection with the performance of this Agreement as confidential for an unlimited period of time and to use it only for the performance of the Agreement. Neither party shall be entitled to use this information in whole or in part for purposes other than those just mentioned or to make this information available to third parties.

12.2

The above obligation shall not apply to information which one of the parties has demonstrably received from third parties without being obliged to maintain secrecy or which is publicly known.

13 Remuneration

13.1

The Contractor shall provide the implementation of the instructions stipulated by a possibly existing main contract or order and shall ensure compliance with the general and technical and organizational measures without charging the Customer any costs for this under this Agreement.

13.2

In contrast, the costs for the implementation of individual instructions and other requests shall be borne by the Customer. This shall apply in particular to support in responding to requests from data subjects and in complying with other obligations incumbent on the Customer, for the return and destruction of data, insofar as this is required via a deletion in the Contractor’s system, for the provision of information, insofar as this is not predominantly in the interest of the Contractor, and for enabling and contributing to audits, including inspections. Likewise, the costs for measures, the necessity of which was culpably caused by one party, shall be borne by this party. However, contributory negligence of the respective other party shall be taken into account.

13.3

Upon request, the Contractor shall provide the Customer with a cost estimate in advance. The costs shall also include reasonable remuneration for the work involved.

14 Technical and Organizational Measures for Data Security

14.1

The Contractor undertakes vis-à-vis the Customer to comply with the technical and organizational measures required to comply with the applicable data protection regulations. This includes in particular the requirements of Art. 32 GDPR.

14.2

The Customer acknowledges these measures as sufficient according to the state of the art. The parties agree that changes to the technical and organizational measures may be necessary in order to adapt to technical and legal circumstances. The Contractor shall agree with the Customer in advance on any significant changes that may affect the integrity, confidentiality or availability of the personal data. Measures that involve only minor technical or organizational changes and do not negatively affect the integrity, confidentiality or availability of the personal data may be implemented by the Contractor without coordination with the Customer. The Customer may request an up-to-date version of the technical and organizational measures taken by the Contractor at any time.

14.3

The Contractor shall check the effectiveness of the technical and organizational measures taken by it on a regular basis and also on an ad hoc basis. In the event that there is a need for optimization and/or change, the Contractor shall inform the Customer.

15 Liability

Art. 82 GDPR shall apply.

16 Duration of the order

16.1

The duration of the order (term) shall correspond to the term of the main contract, if this has been defined. Otherwise, the following shall apply: The contract shall commence upon signing and shall be concluded for an indefinite period. It may be terminated with three months’ notice to the end of a quarter.

16.2

The Customer may terminate the contract at any time without notice if there is a serious breach by the Contractor of the applicable data protection regulations or of obligations under this contract, if the Contractor is unable or unwilling to carry out an instruction from the Customer or if the Contractor refuses access by the Customer or the responsible supervisory authority in breach of the contract.

17 Final Provisions

17.1

If the property of the Customer with the Contractor should be endangered by measures of third parties (for example by seizure or attachment), by insolvency proceedings or by other events, the Contractor shall inform the Customer without delay. The Contractor shall inform the creditors without undue delay of the fact that data processed on behalf of the Customer is involved.

17.2

Amendments and supplements to this Annex on Data Protection and all its components shall require a written agreement, which may also be in an electronic format, and the express indication that it is an amendment or supplement to the conditions from this Annex on Data Protection. For the provisions on subcontractors, the written form shall remain necessary in any case with regard to Article 28 (2) sentence 1 of the GDPR.

17.3

In the event of any contradictions, the provisions of this Annex on Data Protection shall take precedence over the provisions of the Agreement. Should individual parts of this Annex be invalid, this shall not affect the validity of the rest of this Annex on Data Protection.

17.4

German law shall apply.

18 Annex 1 – Subject Matter of the Order

18.1 Subject Matter and Purpose of the Processing

The Customer’s order to the Contractor includes the following work and/or services:

Digital Control operates software for processes in media planning and digital marketing. Digital Control provides its customers with a platform for its campaign management as well as this software on a cloud-based “as a service” basis.

In essence, this is access to and use of a campaign management platform as described in the main agreement.

18.2 Type(s) of personal data

The following types of data are regularly subject to processing:

Names, email addresses, passwords, dates of birth, IP addresses.

18.3 Categories of data subject

Group of persons affected by the data processing:

Customers of DC