1. The parties

1.1. Redem is a company that develops and operates web software for the quality control and cleaning of market research data for its clients.
1.2. It is noted that the customer is an entrepreneur within the meaning of § 1 of the Austrian Commercial Code (UGB) and that there is no founding transaction within the meaning of § 1 para 3 of the Consumer Protection Act (KSchG).

2. Validity

2.1. These General Terms and Conditions ("GTC") apply to all deliveries and services of Redem GmbH (hereinafter "Redem" or "we") and its customers (hereinafter "customers" or "you") in the area of software (SaaS, development services, service, related services and deliveries).

2.2. The version valid at the time of the conclusion of the contract shall be authoritative. In the case of an ongoing/already established business relationship, these GTC shall also be part of the contract even if they are not expressly mentioned in the individual contract or offer.

2.3. The following contractual components apply to the contractual relationship between Redem and the customer in the order stated:
        a. The offer on which the respective contract is based, including the service description;
        b. The order processing agreement (if required);
        c. Any business, contractual or licensing conditions of third parties, for the respective part of the service, if these are expressly referred to;
            (a - c = individual contract)
        d. These GTC.

2.4. General terms and conditions of third parties only apply in the event of express written confirmation by Redem. This also applies in the event that the customer bases the conclusion of the contract on its own general terms and conditions, even if Redem does not object to these upon knowledge.

2.5. Verbal agreements, collateral agreements, reservations, amendments or supplements to these General Terms and Conditions of Business must be in writing in order to be valid; this also applies to any waiver of the written form requirement.

2.6. You will be notified of any amendments to these GTC and they will be deemed to have been agreed if you do not object to them within 14 days (the significance of your silence will be explicitly pointed out to you in the notification).

2.7. A possible ineffectiveness/invalidity/voidness of individual provisions of these GTC has no influence on the validity and applicability of the remaining provisions. In such a case, Redem and the customer undertake to replace this provision with one that is legally effective and valid and corresponds in its economic effect to the replaced provision - as far as possible and legally permissible.

2.8. The assignment of individual rights and obligations from these GTC and the (individual) contract by the customer are only permitted with the express written consent of Redem.

3. Conclusion of contract

3.1. The basis for the conclusion of the contract is the customer's enquiry based on the respectively valid price list and confirmation by Redem in the form of an invoice, the respective offer from Redem in which the scope of services and the remuneration are set out, or directly by online conclusion of the contract. The offers from Redem are subject to change. No valid contract is concluded until express acceptance of the order by Redem.

3.2. Acceptance must be made in writing (e.g. by order confirmation) unless Redem makes it clear beyond doubt (e.g. by acting on the basis of the order) that it accepts the order.

4. Subject matter of the contract, scope of services

4.1. The scope of the services to be provided results from the offer, the customer's order or the service description or the individual contract. Subsequent changes to the content of the service must be made in writing, whereby e-mail is sufficient for this requirement.

4.2. All services provided by Redem (in particular all preliminary drafts, sketches, workflow descriptions, specifications) must be checked by the customer and approved within three days. If they are not released in time, they are deemed to have been approved by the customer.

4.3. Redem is entitled to partial deliveries and services at any time.

4.4. New features can either become part of existing products, in which case they are included in the price of SaaS, or they become new packages that customers have to order and pay for separately.

4.5. If the software is operated by Redem (SaaS - Software as a Service), the customer receives access to the packages described in the offer. Bug fixing and updates of these packages are part of the service.

4.6. Developments that are carried out individually for customers (e.g. new interfaces) will be foddered separately.

5. Service, Maintenance & Updates

5.1. Redem reserves the right, especially regarding adequate IT security, to carry out updates in the IT area at its own discretion in order to guarantee adequate IT security. Redem informs its customers in good time about planned update work and about the resulting costs for the customer.

5.2. Details on service and maintenance can be found in the service description.

5.3. In the case of individual developments for customers, service, further development and updates are charged separately according to the current hourly rates. Individual developments can become part of the (standard) service.

6. Intellectual property, scope of use

6.1. General

6.2. All copyrights and rights of use shall remain with Redem or the respective manufacturer/author in accordance with the latter's licence conditions, unless otherwise agreed in the following or in the individual contract.

6.3. Use by third parties or transfer to third parties beyond the content of the contract is not permitted.

6.4. All services provided by Redem, including those from presentations (e.g. concepts, ideas, ...), including individual parts thereof, remain the property of Redem, as do the individual prototypes and design originals, and can be reclaimed by Redem at any time - in particular upon termination of the contractual relationship - free of charge.

6.5. Changes to Redem's services, such as in particular their further development by the customer or by third parties working for the customer, are only permitted with the express consent of Redem and - insofar as the services are protected by copyright - of the author.

6.6. For the use of Redem's services that goes beyond the originally agreed purpose and scope of use, the express written consent of Redem is required - irrespective of whether this service is protected by copyright. Redem and the author are entitled to a separate, appropriate remuneration for this.

6.7. Redem's express written consent is required after the end of the contract for the use of advertising material or presentation media for which Redem has developed conceptual or design templates, and financial compensation.

6.8. In the event of breaches of this point 6, the customer shall fully indemnify and hold Redem harmless.

6.9. Provision and operation of software (SaaS)
With the defined start of the contract, Redem grants the customer a non-exclusive, non-transferable, non-sublicensable right to use the software on Redem's platform for its own internal purposes for the duration of the corresponding contract.

6.10. Individual developments for customers
After full payment, Redem grants the customer a non-exclusive, non-transferable, non-sublicensable right to use the individual developments for their own internal use for the duration of the underlying contract (e.g. SaaS).

6.11. Third-party components
If third-party components are part of the service (e.g. open source components or commercial software), the respective licence conditions apply to these components. The third-party components used are listed separately.

7. Labelling

7.1. Redem is entitled to refer to Redem and, if applicable, to the author on all system, software and hardware components and in all advertising measures, without the customer being entitled to a claim for payment for this.

7.2. The customer is obliged to retain any marks (trademark, copyright or other notices) and to preserve the right to name Redem.

8. Order processing and cooperation obligations of the customer

8.1. The customer is aware that Redem can only provide its services if the customer immediately provides Redem with all information and documents that are necessary and expedient for the provision of the respective service. The customer further declares that he will therefore inform Redem of all circumstances that are necessary for the performance of services by Redem. He will inform Redem of all events that are of importance for the execution of the order, even if these circumstances only become known during the execution of the order.

8.2. The customer shall bear the effort and additional costs incurred by the fact that work has to be repeated or adapted or delayed as a result of his incorrect, incomplete or subsequently changed information from Redem.

8.3. Furthermore, the customer is obliged to check the documents provided by him for the execution of the order (plans, briefing documents, interface descriptions, database, diagrams, logos, photos, texts, etc.) for possible existing copyrights, trademark rights or other rights of third parties.

8.4. Redem is not liable for any infringement of such rights. If a claim is made against Redem for such an infringement of rights, the customer shall indemnify Redem and shall indemnify and hold it harmless against any and all disadvantages incurred by it as a result of a third party claim.

9. Third-party services - commissioning of third parties

9.1. Redem is entitled, at its own discretion, to perform the service itself, to use third parties to perform services that are the subject matter of the contract and/or to substitute such services.

9.2. The commissioning of errand assistants shall take place either in the customer's own name or in the name of the customer, but in any case at the customer's expense.

10. Business secrets, confidentiality

10.1. The customer and Redem are obliged to treat as confidential all documents and information that are expressly designated as confidential or are obviously not intended for third parties or contain business or trade secrets (including prices and service descriptions). The customer and Redem will also impose these obligations on their employees and any third parties used.

10.2. Subject to the written revocation of the customer, which is possible at any time, Redem is free to make publications about the services, provided that only the customer's name and the content of the services provided (excluding economic or commercial data) are mentioned. Redem is entitled to refer to the existing business relationship with the customer on its own advertising media and in particular on its internet website with the name and company logo.

11. Deadlines

11.1. Deadline and deadline agreements must be recorded or confirmed in writing. The agreed delivery dates and deadlines are only indicative unless they have been expressly designated as binding in writing. The delivery period calculated for the delivery shall commence at the earliest upon receipt of the details finally fixed in all commercial and technical respects and after provision of the services required by the customer for this purpose (e.g. provision of documents or information). Subsequent requests for changes and additions shall extend the delivery time appropriately.

11.2. After exceeding a non-binding delivery date or a non-binding delivery period, the customer can demonstrably request Redem in writing to deliver. Redem shall be in default of delivery at the earliest upon receipt of this request.

11.3. The customer shall accept minor overruns of up to 2 weeks of binding delivery dates or deadlines without the consequences of a delay in delivery occurring as a result.

11.4. After the unsuccessful expiry of the grace period, the customer can withdraw from the contract or adhere to the fulfilment of the contract. If Redem has already provided partial services, the customer is only entitled to withdraw with regard to outstanding partial services.

11.5. If, during an ongoing delay, delivery becomes impossible by chance, Redem is not liable if the damage would also have occurred if delivery had been made on time.

11.6. Deliveries are always made for the account and at the risk of the recipient ex Linz. All costs for transport and transport insurance from Linz to the place of installation shall be borne by the customer.

11.7. In the event of force majeure or an operational disruption for which Redem is not responsible (including at our business partners), which temporarily prevent Redem from meeting the agreed dates and deadlines, these delivery dates and deadlines will be extended by the duration of the disruption to performance caused by these circumstances. Redem will inform the customer of the anticipated delay as soon as possible after becoming aware of such delays.

12. Termination, withdrawal from the contract

12.1. In the case of continuing obligations (recurring services such as SaaS), a term of one year is agreed for these contracts, unless otherwise agreed in the individual contract. The contract term is automatically extended by another year if the customer does not terminate the contract at least 30 days before the end of the contract term.

12.2. The following applies to all contracts:

12.3. Redem is in particular entitled to extraordinary termination if the performance of the service is impossible for reasons for which the customer is responsible or is further delayed despite the setting of a period of grace of at least 7 days; there are justified concerns about the creditworthiness of the customer and the customer does not make advance payments at the request of Redem or provide suitable security before Redem performs.

12.4. Force majeure, strikes, natural disasters, transport blockades and similar events shall release us from the agreed delivery period or delivery obligation. Irrespective of this, we have an unconditional and immediate right of withdrawal in this case.

12.5. Redem can terminate a continuing obligation (SaaS) with immediate effect and withdraw access if the customer is at least 2 months in arrears with the payment of the corresponding fee.

12.6. Redem may terminate the contract with immediate effect and withdraw all access to the software from the customer if the customer infringes Redem's intellectual property or the terms of use of this contract. Advance payments will be refunded, less any costs incurred and claims for damages by Redem.

13. Prices & Quotations

13.1. All prices in individual offers are subject to change. Unless otherwise stated in the offer, all prices are in euros and exclusive of statutory VAT, plus all applicable fees and other taxes.

13.2. Unless otherwise agreed, Redem's claim for payment arises for each individual service as soon as it has been provided. Redem is entitled to demand advance payments from the customer to cover its expenses.

13.3. Recurring services (e.g. software solutions operated for the customer (SaaS)) are invoiced yearly in advance, if not otherwise defined in the individual contract.

13.4. Works and services are usually invoiced in arrears (i.e. after delivery). However, Redem can issue interim invoices; these interim invoices are due immediately without deductions.

13.5. All services provided by Redem that are not expressly covered by the agreed costs are remunerated separately by the customer. All cash expenses and fees incurred by Redem are to be reimbursed by the customer.

13.6. Cost estimates from Redem are always non-binding and subject to a charge. If, in the course of processing the order, it is foreseeable that the actual costs will exceed those estimated by Redem in writing by more than 10 %, Redem will point out the higher costs to the customer.

13.7. Prices for other services (service, adjustments, etc.) are always calculated at those hourly rates which are in force on the day of performance. The same applies to the travel expenses and accommodation costs of our employees.

13.8. It is expressly agreed that the prices and hourly rates quoted by Redem plus additional claims will remain stable in value. The consumer price index 2020 (base year 2020) published monthly by Statistics Austria or an index replacing it serves as a measure for calculating the stability of value.

13.9. The index figure calculated for the month of conclusion of the contract serves as the reference figure for this contract. Fluctuations of the index figure upwards or downwards up to and excluding 2% shall be disregarded. This margin shall be recalculated each time it is exceeded upwards or downwards, whereby the first index figure outside the respective applicable margin shall always form the basis both for the recalculation of the claim amount and for the calculation of the new margin. All rates of change shall be calculated to one decimal place. Failure to assert the value adjustment does not constitute a waiver thereof; rather, Redem is entitled to assert this price adjustment up to three years after the date from which a price adjustment would have had to be made for the first time.

14. Payment

14.1. Redem's invoices are due without any deductions from the date of the invoice and are payable within 10 calendar days of receipt of the invoice, unless otherwise agreed. Compliance with the agreed payment dates constitutes an essential condition for the fulfilment of the contract by Redem.

14.2. Delivered goods remain the property of Redem until full payment has been made. The retention of title also serves as security for our claims from the ongoing business relationship until settlement of any claim to which we are entitled in connection with the purchase.

14.3. Bank transfers shall only be deemed to be payment upon receipt of the amount in the account designated by us. Bills of exchange and cheques shall only be accepted after written agreement, only on account of payment and shall exclude any discount deduction. Discount interest as well as all bank charges and the like shall be borne exclusively by the customer.

14.4. In the event of a delay in payment by the customer, Redem is entitled, at its own discretion, to demand compensation for the actual damage incurred or interest on arrears at the statutory rate. For entrepreneurs, this is 9.2% p.a. above the base interest rate. This claim also includes compound interest. In addition, the customer undertakes to reimburse the court and out-of-court costs as well as the dunning and collection expenses necessary for the appropriate legal prosecution in the event of default in payment. This shall in any case include a lump sum of EUR 40 as compensation for collection costs in accordance with § 458 UGB. The assertion of further rights and claims remains unaffected by this. In the event of a delay in payment by the customer, Redem is not obliged to provide its own service for as long as this delay continues. Furthermore, in the event of default, Redem is entitled to demand immediate payment of all outstanding claims and/or advance payment or the provision of security.

14.5. The customer is not permitted to offset any disputed counterclaims or counterclaims that have not been legally established without our express consent. Likewise, the customer is not permitted to exercise a right of retention without a legally binding title or on the basis of claims from other legal transactions.

15. Warranty

15.1. The customer must check deliveries immediately for any obvious defects. If the customer expressly or tacitly waives the inspection, it is to be assumed that the goods have been properly delivered by Redem. Complaints about the quality of our deliveries will only be accepted if they are made in writing to Redem within 14 days of receipt of the goods at the place of delivery. The complaint must be sufficiently substantiated and supported by appropriate evidence. Hidden defects are to be reported immediately after discovery in the manner stated above.

15.2. Minor technical changes as well as deviations from drawings and catalogues shall be deemed approved in advance.

15.3. Any warranty period shall be a maximum of 12 months from acceptance. The existence of defects at the time of handover must be proven by the customer. § 924 ABGB and § 933b ABGB shall not apply.

15.4. In the event of a justified notice of defect, the defects shall be remedied by Redem within a reasonable period of time, whereby the customer shall enable Redem to take all measures necessary for the investigation and remedying of the defect. Redem is entitled to refuse to improve the service if this is impossible or involves a disproportionately high effort for Redem, in which case Redem may choose to rescind the contract or reduce the price.

15.5. In the event of a justified complaint, the defects will be rectified by Redem within a reasonable period of time, whereby the customer will enable Redem to take all measures necessary for the investigation and rectification of the defect. Redem is entitled to refuse to improve the service if this is impossible or involves a disproportionately high effort for Redem, in which case Redem may choose to cancel the contract or reduce the price.

16. Liability and compensation

16.1. Unless otherwise agreed in the respective offer or individual contract, or elsewhere in these GTC or the order processing agreement, the parties shall be liable for compensation for damage culpably caused. The parties shall not be liable for slight negligence. In the event of gross negligence, the amount of liability shall be limited to the value of the delivery/service concerned (excl. taxes and fees), in the case of recurring services to the remuneration of the previous year. Limitations of liability do not apply to compensation for personal injury. Claims for damages shall in any case only include the mere repair of damage, but not consequential damages, loss of profit or claims by third parties.

16.2. Claims for damages must be asserted in court at the latest within six months after knowledge of the damage and the damaging party, otherwise they will be forfeited.

16.3. The injured party must provide evidence that any damage he has suffered is due to our fault. The injured party must also prove that he/she is not (partly) at fault for the damage incurred. This applies to all forms of fault (slight/gross negligence, intent).

16.4. In the case of contracts for work and services, Redem is not liable if the customer insists on a certain implementation despite the fulfilment of the warning obligations.

16.5. The customer is obliged to ensure an appropriate backup of the data.

16.6. Insofar as online services of Redem offer the possibility of accessing websites, database services etc. of third parties, for example through links, Redem is not liable in any way for the accessibility or security of these databases or services. Redem is in no way liable for the accessibility, existence or security of these databases or services, nor for their content. Liability, if applicable, only comes into consideration within the framework of the E-Commerce Act (ECG) under the restrictions agreed in this point.

17. Data protection

17.1. Both Redem and the customer are obliged to comply with the provisions of the Data Protection Act (DSG), the General Data Protection Regulation (GDPR) and any other statutory confidentiality obligations.

17.2. Any liability provisions in an order processing agreement shall take precedence over the provisions in these GTC.

17.3. Redem processes the necessary personal data for the purpose of fulfilling the contract. The detailed data protection information in accordance with Art. 13 ff GDPR has been enclosed with these GTC or the offer.

17.4. If Redem is a processor within the meaning of the GDPR for a specific contractual relationship, a processor agreement will be concluded, which is an integral part of these GTC.

18. Place of performance, place of jurisdiction, choice of law and contractual language

18.1. The place of performance for the delivery/service and payment is the registered office of Redem.

18.2. The place of jurisdiction for all disputes between Redem and the customer arising directly or indirectly from the contract itself or from the contractual relationship is agreed to be the competent court in Linz.

18.3. This contract shall be governed by Austrian substantive law to the exclusion of the conflict of laws rules of private international law (e.g. IPRG, Rome I Regulation) and the UN Convention on Contracts for the International Sale of Goods.

18.4. The contractual language is German.

Data Processing Agreement

Redem GmbH, Hafenstraße 47-51, 4020 Linz, FN 530708 d
(hereinafter: Processor)


and customers who carry out an analysis of market research surveys in connection with the data cleaning platform app.redem.io.
(hereinafter: Controller)

PREAMBLE

This Agreement shall form an integral part of the General Terms and Conditions (GTC) between the Processor and the Controller ("Main Agreement"), shall take effect upon the conclusion of the Main Agreement and shall supersede all existing contracts for the processing of Data between the Parties.

1. SCOPE, DEFINITIONS

1.1. This contract regulates the rights and obligations of the controller and processor (hereinafter referred to as the "Parties") in the context of a processing of personal data.

1.2. This contract shall apply to all activities in which employees of the Processor or sub-processors engaged by the Processor process Personal Data of the Controller.

1.3. Terms used in this Agreement shall be understood in accordance with their definition in the EU General Data Protection Regulation (Regulation [EU] 2016/679 - GDPR).

2. OBJECT AND DURATION OF THE PROCESSING

2.1. Tasks
The subject matter of this Agreement is the performance of the following tasks by the Processor:

  • Analysis of data quality of imported data files with subsequent cleaning and export of data.

2.2. Processing object
The agreement concerns the processing of the following categories of personal data by the processor:

  • Imported/uploaded content and data of the responsible person

The following categories of persons are affected by the data processing:

  • Clients of the responsible person

2.3. Purpose of processing
Personal data shall be processed by the processor for the following purposes:

  • Analysis of the data quality of market research data
  • Cleaning the data

2.4. Place of processing
The Processor shall generally carry out the processing of personal data within the EU/EEA. In case of transfer to third countries, the data are only processed on the basis of Art. 44 ff GDPR.

2.5. Duration
Unless expressly agreed otherwise, the term of this contract is based on the term of the main agreement.

3. OBLIGATIONS OF THE PROCESSOR

3.1. The Processor confirms that it is aware of the relevant data protection regulations. It shall observe the principles of proper data processing.

3.2. The processor undertakes to process personal data exclusively on the basis of instructions from the controller and the present contract and to comply with all data protection regulations.

3.3. If the Processor deems an instruction of the Controller to be unlawful, it shall immediately inform the Controller thereof in writing.

3.4. The Processor shall implement all appropriate technical and organisational measures provided for in Article 32 of the GDPR for the purpose of data processing security.

3.5. The Processor shall assist the Controller in responding to requests from data subjects for the protection of their rights. If such a request is addressed to the Processor, the Processor shall promptly forward it to the Controller.

3.6. The Processor shall support the Controller in the performance of the obligations incumbent upon it pursuant to Articles 32 to 36 of the GDPR, which shall include, but not be limited to, the implementation of security measures, the notification of data protection breaches and the preparation of a data protection impact assessment.

3.7. Upon termination of the processing and at the request of the controller, the processor shall delete the personal data in its possession. If the controller so requests, the personal data shall be returned to him.

3.8. The Processor undertakes to inform the Controller of all details required to prove compliance with the obligations pursuant to Article 28 of the GDPR. In addition, the processor undertakes to support the controller in the audits to be carried out by him and to grant him access at any time.

3.9. The processor shall keep a written or electronic register of all categories of processing activities carried out on behalf of the controller pursuant to Article 30(2) of the GDPR.

3.10. The Processor undertakes to appoint a competent and reliable person as Data Protection Officer if the conditions pursuant to Article 37 of the GDPR are met.

3.11. The processor is obliged to treat as confidential the personal data and information disclosed to him or transmitted to him or otherwise made available to him. The knowledge of the processing results obtained shall also be covered by this duty of confidentiality.

3.12. The Processor shall impose a duty of confidentiality on all persons attributable to it who are involved in the Processing of Personal Data, unless they are already subject to a statutory duty of confidentiality. The obligation of compatibility or confidentiality shall continue to exist after the termination of the activity for the Processor.

3.13. The processor shall oblige all persons entrusted with the processing of personal data to transmit such data only on the basis of instructions, unless such an obligation already exists by operation of law. In addition, the processor shall inform its employees of the transfer orders applicable to them and of the consequences of a breach of data secrecy.

3.14. The Processor shall process Personal Data only as contractually agreed or as instructed by the Controller, unless the Processor is required by law to carry out a specific processing operation. Furthermore, the processor shall not use the personal data provided for processing for any other purposes, in particular for its own purposes.

3.15. The Processor shall make available to the Controller, if required, all necessary information, in particular protocols drawn up, to prove compliance with its obligations.

3.16. If the controller is subject to inspection by supervisory authorities or other bodies or if data subjects assert rights against it, the processor undertakes to assist the controller to the extent necessary insofar as the processing on behalf is concerned.

3.17. The processor shall only provide information to third parties or the data subject with the prior consent of the controller, unless he is under a legal or statutory obligation to do so. Requests addressed directly to him/her shall be forwarded to the controller without delay.

3.18. The Controller shall be entitled, after giving at least 7 days' notice and in relation to the processing activities on which this Agreement is based, to monitor the Processor's compliance with the provisions on data protection and the contractual agreements to a reasonable extent itself or through third parties, in particular by obtaining information and inspecting the stored data and the data processing programmes as well as other on-site checks during the Processor's business hours. The persons entrusted with the control shall be given access and insight by the Processor as far as necessary. The Processor shall be obliged to provide the necessary information, demonstrate processes and provide evidence required to carry out a control.

4. DUTIES OF THE CONTROLLER

4.1. The controller shall be responsible for the lawful collection and processing of the data concerned as well as the lawful transfer to the processor and shall fully indemnify and hold the processor harmless in this respect.

5. TECHNICAL AND ORGANISATIONAL MEASURES

5.1. The data security measures described in Annex 1 are set out as mandatory. They define the minimum owed by the Processor.

5.2. The processor shall implement appropriate technical and organisational measures to ensure an adequate level of data protection.

5.3. The controller shall be informed of the measures taken in each case prior to the start of the processor's processing activity.

5.4. The processor shall be obliged to check at regular intervals whether an adequate level of data protection is ensured by appropriate technical and organisational measures taken by the processor.

5.5. The processor is obliged to support the controller in establishing appropriate technical and organisational measures.

5.6. The data security measures may be adapted in accordance with the technical and organisational further development as long as the level agreed here is not undercut. The Processor shall implement any changes required to maintain information security without delay. The responsible party shall be notified of changes without delay. Significant changes shall be agreed between the parties. 

5.7. Insofar as the security measures taken do not or no longer meet the requirements notified by the controller, the processor shall notify the controller without delay.

5.8. Copies or duplicates are not made without the knowledge of the data controller. Technically necessary, temporary duplications are excepted, insofar as an impairment of the level of data protection agreed here is excluded.

5.9. Data carriers originating from or used for the responsible person shall be specially marked and shall be subject to ongoing administration. They shall be stored appropriately at all times and shall not be accessible to unauthorised persons. Entries and exits shall be documented.

6. RULES ON THE CORRECTION, DELETION AND BLOCKING OF DATA

6.1. The processor shall only correct, delete or block data processed within the scope of the order in accordance with the agreement reached or in accordance with the instructions of the controller.

6.2. The Processor shall comply with the relevant instructions of the Controller at all times and also beyond the termination of this Agreement.

7. SUB-PROCESSORS

7.1. If the Processor intends to use another sub-processor, the Processor shall notify the Controller in writing. The notification shall be made in good time in advance so that the controller can exercise the possibility of objecting to the intended change.

7.2. The sub-processor shall act exclusively on the basis of the contract to be concluded between it and the processor pursuant to Article 28 (4) of the GDPR.

7.3. The Processor shall be liable to the Controller in the event that the Sub-Processor fails to comply with its data protection obligations.

7.4. Sub-processors shall be contractually bound to at least data protection obligations equivalent to those agreed in this contract. The Controller shall be given access to the relevant contracts between Processor and Sub-Processor upon request.

7.5. The responsibilities of the processor and the sub-processor shall be clearly delineated.

7.6. The Processor shall carefully select the Sub-Processor with particular regard to the suitability of the technical and organisational measures taken by the Sub-Processor. 

7.7. The onward transfer of data processed under the contract to the sub-processor shall only be permitted after the processor has satisfied itself in a documented manner that the sub-processor has fully complied with its obligations. The Processor shall provide the documentation to the Controller upon request.

7.8. At present, the sub-processors specified in Annex 2 with their name, address and contract content are entrusted with the processing of personal data to the extent specified therein and are approved by the controller. The other obligations of the Processor towards sub-processors set forth herein shall remain unaffected.

7.9. Sub-processor relationships within the meaning of this contract are only those services that have a direct connection with the provision of the main service. Ancillary services, such as transport, maintenance and cleaning as well as the use of telecommunications services or user services are not covered. The obligation of the Processor to ensure compliance with data protection and data security in these cases shall remain unaffected.

8. NOTIFICATION REQUIREMENTS

8.1. The processor shall notify the controller without delay of any breaches of the protection of personal data. Reasonable suspicions must also be notified. The notification shall contain at least the information pursuant to Article 33 (3) of the GDPR.

8.2. Significant disruptions in the execution of the order as well as violations of data protection provisions or the stipulations made in this contract by the Processor or the persons employed by the Processor shall also be notified without delay.

8.3. The Processor shall inform the Controller without undue delay of inspections or measures taken by supervisory authorities or other third parties, insofar as they relate to the processing.

8.4. The Processor warrants to support the Controller in its obligations under Articles 33 and 34 of the GDPR to the extent necessary.

9. INSTRUCTIONS

9.1. The controller has a comprehensive right of instruction with regard to processing on behalf.

9.2. The controller and processor shall designate the persons exclusively authorised to issue and accept instructions.

9.3. In the event of a change or long-term prevention of the appointed persons, the other party shall be informed immediately of their successors or representatives.

9.4. The Processor shall immediately draw the attention of the Controller to any instruction given by the Controller which, in the Processor's opinion, is in breach of the law. The Processor shall be entitled to suspend the implementation of the relevant instruction until it is confirmed or amended by the Controller.

9.5. The processor shall document instructions given to it and their implementation.

10. TERMINATION OF THE ORDER

10.1. Upon termination of the contractual relationship or at any time at the request of the data controller, the data processor shall, at the choice of the data controller, either destroy the data processed on behalf of the data controller or hand it over to the data controller and then destroy it. All existing copies of the data shall also be destroyed. The destruction shall be carried out in such a way that a recovery of even residual information is no longer possible with reasonable effort.

10.2. The Processor shall be obliged to bring about the immediate return or deletion also in the case of sub-processors.

10.3. The processor shall keep proof of proper destruction and present it to the controller upon request.

10.4. Documentation which serves as proof of proper data processing shall be kept by the processor in accordance with the respective retention periods even beyond the end of the contract. The processor may hand them over to the controller at the end of the contract to relieve the controller.

11. REMUNERATION

11.1. The Processor shall have the right to charge separately for services in connection with this Agreement at the applicable hourly rate.

12. CONFIDENTIALITY

12.1. Both parties are obliged to treat all knowledge of business secrets and data security measures of the other party obtained within the framework of the contractual relationship as confidential, even after the termination of the contract. If there is any doubt as to whether information is subject to the obligation of confidentiality, it shall be treated as confidential until it has been released in writing by the other party.

13. OTHER

13.1. In the event that property of the Processor held by the Controller is endangered by measures of third parties (such as attachment or seizure), by insolvency or composition proceedings or by other events, the Processor shall notify the Controller without undue delay.

13.2. The written form is required for ancillary agreements. This also applies to the waiver of the written form.

13.3. Should individual parts of this agreement be invalid, this shall not affect the validity of the rest of the agreement.

13.4. This contract shall be governed by Austrian law to the exclusion of its non-mandatory rules of reference. The provisions of the UN Convention on Contracts for the International Sale of Goods shall not apply.

13.5. It is agreed that the exclusive place of jurisdiction for all disputes arising directly or indirectly from or in connection with this contract - including its existence or non-existence - shall be the court with subject-matter jurisdiction for the Processor.

ANNEX 1 - TECHNICAL AND ORGANISATIONAL MEASURES

The Processor shall in particular implement the following technical and organisational measures:

  • Information and IT systems should be available in such a way that processes dependent on them can be operated without significant impairment and, if necessary, can be resumed at short notice;
  • The freedom from interference of IT systems and the integrity of data shall be ensured at all times as far as possible;
  • Confidential information must always be protected from unauthorised access;
  • Control access to data processing facilities, e.g. through regulated key management, security doors or security personnel;
  • Control of access to data processing systems, e.g. through passwords, automatic locking mechanisms, two-factor authentication, encryption of data carriers, Virtual Private Network (VPN) or logging of user logins;
  • Control access to data within the system, e.g. through standard authorisation profiles on a "need to know" basis, network segmentation, partial access authorisations or logging of accesses;
  • Pseudonymisation of personal data;
  • Protective measures to prevent the destruction or loss of personal data, e.g. safekeeping in safes or security cabinets, storage networks, software and hardware protection;
  • Protection against unauthorised reading, copying, modification or removal during data transmissions, e.g. through encryption, virtual private networks (VPN), ISDN wall, content filter for incoming and outgoing data or electronic signature as well as lockable transport containers;
  • Checking whether and by whom personal data have been entered, changed or deleted in data processing systems, e.g. by logging, using electronic signatures, regulating access authorisations;
  • Separation of data processing for different purposes, e.g. by using separate databases, client separation, separation of client servers;
  • Current processing overviews or procedure directories are available;
  • Where required by law, procedures are identified before they are put into operation on the basis of predefined risk criteria and levels and compared with the protective measures. The data protection assessments made in this way are incorporated into the implementation of the measures and are documented;
  • Employees are regularly trained and sensitised on data protection and data security issues.

ANNEX 2 - APPROVED SUB-PROCESSORS

Status: Linz, 07.09.2023