Data Processing Agreement
BytePeak Consulting GmbH
As of February 15, 2025
1. Data processing agreement
1.1 This order data processing agreement regulates the data protection obligations of BytePeak Consulting GmbH as contractor or processor and its client as controller within the meaning of the GDPR.
1.2 The agreements in this contract are considered a supplementary agreement to the main contract. The duration of this agreement is limited to that of the main contract, although obligations that extend beyond that duration continue to apply.
1.3 In the course of providing its services, the contractor may also process data from the client’s customers (hereinafter referred to as “end customers”) and, if applicable, personal data of the client’s employees.
2. Categories of data
2.1 The categories of data processed in this way include all of the following data:
– Personal data: name, address, date of birth
3. Categories of data subjects
3.1 Data subjects are:
– End customers in the pre-contractual and contractual stage
– Employees of the client
4. Rights and obligations of the contracting parties
4.1 The contractor may only process personal data on the basis of documented instructions from the client, unless it is required to do so by Union law or the law of the Member States.
4.2 The contractor shall inform the controller without delay if there is reason to believe that an instruction from the client violates the GDPR or other data protection regulations of the EU or the member states. The contractor shall also inform the client immediately of any searches of the contractor’s premises or the location where the contractor stores data.
4.3 Where possible, the contractor shall support the client with appropriate technical and organizational measures to fulfill its obligation to respond to requests for the exercise of the rights of the data subject referred to in Chapter III of the GDPR (rights to information, rectification, erasure, restriction of processing, data portability, objection, and protection against automated decision-making). If a data subject submits a request to the client, this request shall be forwarded to the contractor.
4.4 Taking into account the nature of the processing and the information available, the contractor shall assist the client in complying with the obligations set out in Articles 32 to 36 of the GDPR (security of processing, reporting of data breaches).
4.5 At the request of the client, the contractor shall provide all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR (“Processing by a processor”). Upon request, the contractor shall also allow checks, including inspections, to be carried out by the client. The client is obliged to check at regular intervals whether an adequate level of data protection is ensured by appropriate technical and organizational measures taken by the contractor.
4.6 The contractor undertakes to appoint a data protection officer if the conditions set out in Article 37 GDPR are met.
4.7 The contractor is obliged to treat the personal data and information disclosed, transmitted or otherwise made available as confidential. This obligation of confidentiality also extends to any knowledge gained about the results of the processing.
5. Confidentiality
5.1 The confidentiality obligation agreed in the contractor’s general terms and conditions also extends to the data processing in question and all persons processing data.
6. Technical and organizational measures
6.1 The contractor shall ensure that the following technical and organizational measures are in place in its own operations:
• Access control: Control of access to the premises of the business, including through regulated key management, security doors, and alarm systems.
• Access control: Control of access to data processing systems (e.g., passwords, fingerprint scans, and virtual private networks (VPN)).
• Access control: Control of access to data within the system through an authorization system including logging of accesses.
• Data protection: Protective measures to prevent the destruction or loss of personal data through modern backup and update concepts, firewalls, and virus software.
• Transfer control: No unauthorized reading, copying, modification, or removal during electronic transmission.
• Input control: All entries are logged in a traceable manner based on a documentation policy.
• Availability/recoverability: Data that is lost or destroyed, e.g., due to technical failures, can be recovered within a very short time thanks to appropriate recovery concepts.
• Deletion periods: Deletion periods must be specified for each data transfer. Data is automatically deleted after the specified period has expired.
• Data protection management system (DSMS): The existing data protection system is continuously evaluated and adapted.
7. Subcontracting
7.1 The processor shall inform the controller of any intended change relating to the engagement or replacement of other processors or sub-processors (hereinafter collectively referred to as “sub-processors”), giving the controller the opportunity to object to such changes and to prohibit the engagement or replacement. If the controller does not object within two weeks, the involvement or replacement shall be deemed approved.
7.2 If the processor engages another sub-processor to perform certain processing activities on behalf of the controller, the same data protection obligations shall be imposed on that sub-processor by means of a contract, which shall provide sufficient guarantees to ensure that the appropriate technical and organizational measures are implemented in such a manner that the processing meets the requirements of the applicable data protection law.
7.3 If the sub-processor fails to fulfill its data protection obligations, the processor shall be liable to the controller for the fulfillment of the sub-processor’s obligations.
8. Compliance with the GDPR
8.1 The contractor has implemented all necessary technical and organizational measures to ensure the security of the processing in accordance with Article 32 GDPR and adapts these to technological change or new findings in the sense of a self-learning data protection management system.
8.2 The contractor shall create a record of processing activities in accordance with Article 30 GDPR and a data protection impact assessment and keep these up to date. This record of processing activities shall also include all processing activities covered by this agreement.
9. Review
9.1 The processor shall provide the controller with all information necessary to demonstrate compliance with the obligations laid down in this contract and shall allow for audits, including inspections, to be carried out by the controller or another auditor mandated by the controller. The processor shall not be entitled to any additional remuneration for this.
9.2 If a breach of this contract by the processor is identified during an audit, the processor shall bear the costs incurred by the controller in conducting the audit.
10.
10.1 If personal data is still stored by the contractor after termination of the contract and if there is no legal obligation to retain or process it further, it shall be deleted immediately.