Agreement on order data processing

These documents have been independently translated and can therefore not be used for legal purposes. In all legal matters, please always refer to the original German documents.

Preamble The contractor offers its customers various data center services (so-called cloud IT services), in particular the operation of virtual server, network and data storage infrastructures (IaaS). These Cloud IT services are provided by the contractor on the basis of the terms of use and service descriptions agreed with the client.
Insofar as the parties establish an order data processing relationship pursuant to Section 11 of the German Federal Data Protection Act (BDSG) or - from the date of application of the new version of the BDSG (hereinafter "BDSG new") in accordance with the provisions of the Basic Data Protection Ordinance (EU Regulation 2016/679, hereinafter "DSGVO") - pursuant to Art. 28 DSGVO, this agreement on order data processing specifies the data protection obligations of the contracting parties resulting from the individual services booked by the principal with the contractor (hereinafter summarised as "main contract"). It applies to all activities in connection with the main contract in which employees of the contractor or third parties commissioned by the contractor may come into contact with personal data of the client. The term of this agreement depends on the term of the main contract. Termination of the main contract automatically results in termination of this ADV agreement. Isolated termination of this ADV agreement is excluded. Termination for good cause remains unaffected.
In other words, we offer you different services from the cloud. For this purpose, you have entered into a contractual relationship with us. Should you now collect, process and store personal data yourself with our services, we would like to offer you this "agreement for order data processing". This agreement governs important rights and obligations between us so that you can prove that you are acting in accordance with the law.
1. Scope and responsibility 1.1. The agreement applies to all activities which are the subject of the service agreement and during the performance of which employees of the contractor or third parties commissioned by the contractor in accordance with this agreement come into contact with personal data for which the client is the body responsible in accordance with § 3 paragraph 7 BDSG or the person responsible in the sense of Art. 4 No. 7 DSGVO.
1.2. In the event of any conflict between the Service Agreement and the Agreement on order data processing, the provisions of the Agreement on order data processing shall prevail.
In other words, this agreement shall apply in addition to our concluded contractual relationship whenever we perform any activity for you or have it performed by a contractor and it is possible that we or someone else may come into contact with personal data.
2. Definition of terms 2.1. This agreement relates only to the performance of the technical collection, processing and use of personal data within the meaning of § 3 Paragraph 1 BDSG or processing in accordance with Art. 4 No. 2 DSGVO (hereinafter referred to as "data") by the contractor on behalf of the client within the scope of the performance agreement (order data processing or order processing). This agreement does not include any further assignment of tasks in terms of content. In other words, this agreement only covers certain transactions in connection with personal data for which you explicitly instruct us.
3. Specification of the content of the order, the type, scope and purpose of the order data processing.
3.1. The subject matter and duration of the processing of order data as well as the extent, type and purpose of the intended collection, processing or use of data are regulated in the main contract.
3.2. The subject matter of the collection, processing and/or use by the contractor are individual details of personal or material circumstances of a specific or identifiable natural person.
3.3. The following data types or categories are the subject of the collection, processing and/or use by the contractor:
Person master data, for example
  • Name, address, date of birth, employer, position
  • Customer master data, e.g:
  • Name, address, date of birth
  • Communication data, e.g:
  • Phone numbers, e-mail addresses
  • Company data, e.g:
  • Employees, addresses, bank details, business areas
  • Vendor master data, e.g:
  • Employees, addresses, bank details, ratings
  • Contract master data, e.g: Contact person, contractual relationships Contract-related documents, e.g:
  • GTC, contracts, purchase orders, invoices
  • Log data, e.g.: Change history, order history, logon history, credentials Communication data, e.g:
  • Chats, notes on conversations and phone calls, e-mail, other correspondence
  • In other words The duration of the validity of this Agreement depends on the term of our contractual relationship. Our contractual relationship and the cloud services you have booked determine in detail for what purpose and for what use personal data is stored.
    In addition to personal data that you store or process with the help of our services, we collect personal data about yourself and about any person you instruct to work with us.
    4. Responsibility and instructions of the client 4.1. The customer is responsible for compliance with data protection regulations, in particular for the legality of data transfer to the contractor and for the legality of data processing. He may at any time demand the surrender, correction, deletion and blocking of the data. If a data subject contacts the contractor directly for the purpose of deleting or reporting his data, the contractor will forward this request to the customer as quickly as possible.
    4.2. The contractor may only collect, process or use data in accordance with the instructions of the client. An instruction is the written order of the client in accordance with the law directed to a certain handling of personal data by the contractor. The instructions are first defined in the main contract and can then be amended, supplemented or replaced by the client in writing by a single instruction (individual instruction). Instructions that go beyond the contractually agreed performance are treated as a request for a change in performance.
    4.3. The contractor must inform the client immediately if he is of the opinion that an instruction violates data protection regulations. The contractor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed in writing by the person responsible at the client.
    4.4. Changes to the object of processing with procedural changes must be agreed and documented jointly. The contractor may only provide information to third parties or the parties concerned with the prior written consent of the customer. The contractor does not use the data for any other purposes and is not entitled to pass them on to third parties. Copies will not be made without the knowledge of the client.
    4.5. The client shall keep a list of procedures in accordance with § 4g Paragraph 2 Sentence 2 BDSG or Art. 30 DSGVO. The contractor shall, at the request of the contracting authority, provide the necessary information for inclusion in the register of procedures.
    4.6. The persons of the client who are entitled to issue instructions in accordance with this regulation shall be determined by the client. If one of the aforementioned persons is prevented for a longer period of time, leaves the company or is no longer available for other reasons, a replacement person must be appointed in good time and notified to the other contractual party immediately in text form.
    4.7. Instructions in accordance with this regulation are reported to
    In other words, you are responsible for what you do in detail with our offers, which personal data you collect, process or store. We provide you with APIs and tools that give you full control over all the data you have stored on our services.
    We will never collect, process or change data for you without your explicit order.
    We will never use your data (whether confidential, personal or not) for purposes for which you did not instruct us or hand them over to any third party.
    5. Duties of the contractor 5.1 In addition to the contractual provisions of this agreement and the main contract, the contractor shall comply with all relevant statutory obligations within the framework of order data processing and order processing.
    5.2 The contractor is obliged to maintain data secrecy. Furthermore, he shall ensure that his employees involved in the processing of the Client's data are obliged to maintain confidentiality, in particular data secrecy and compliance with the rights and obligations of this ADV, or are subject to an appropriate statutory duty of confidentiality and have been instructed in the protective provisions of the BDSG or BDSG new. This also includes the instruction on the instruction and purpose binding existing in this order data processing relationship. At the request of the client, the contractor shall submit an explicit declaration in accordance with § 5 BDSG or Art. 28 para. 3 sentence 2 lit. b) DSGVO (e.g. by explicit confirmation that employment contract regulations have been concluded).
    5.3 The contractor must appoint a data protection officer in accordance with § 4f BDSG or Art. 37 DSGVO, who performs his duties in accordance with §§ 4f and 4g BDSG or Art. 39 DSGVO, provided a legal obligation exists. If the contractor has not appointed a data protection officer, he shall appoint an employee responsible for data protection. The contact details of an appointed data protection officer or the employee responsible for data protection will be provided to the client upon request.
    5.4 The contractor shall immediately inform the principal about inspections, investigations and measures by the supervisory authorities. The contractor is obliged to forward inquiries from the data protection supervisory authorities immediately to the data protection officer of the principal or to the principal. The contractor shall support the client in preparing the necessary data protection documentation and in responding to enquiries from data protection supervisory authorities in accordance with his possibilities for a fee after prior offer and commissioning by the client.
    5.5 Subject to a legal or official obligation, the contractor is not authorised to disclose information about the processed data to third parties or to the data subject without corresponding instructions from the client. The Contractor shall immediately forward requests for information to the Customer. The client is responsible for the protection of the rights of the persons concerned. However, in view of the type of processing, the contractor shall, if possible, support the contracting entity with appropriate technical and organisational measures to meet its obligation to respond to requests for the exercise of the rights of data subjects in Chapter III of the DSGVO.
    5.6 After the date of application of the DSGVO or the BDSG, the contractor shall support the principal, taking into account the type of processing and the information available to him, in complying with the obligations for the security of personal data specified in Articles 32 to 36 DSGVO in accordance with his possibilities for a fee after prior offer and commissioning by the principal.
    In other words, we obey the law. We are committed to maintaining data secrecy and ensure that all our employees are trained and particularly sensitized. If required by law, we will appoint a data protection officer. Otherwise, we will appoint an employee responsible for data protection. Should we ever get into an investigation by the responsible supervisory authorities, we will inform you immediately. We will help you if you have to provide information yourself (e.g. to an authority). Should we incur expenses as a result, we will discuss the costs with you beforehand.
    You are responsible for the so-called rights of those affected. This refers to the rights of the person whose data you store or process. If a person concerned contacts us, we cannot provide information or accept instructions. Instead, we will forward the request to you immediately.
    6.Technical-organizational measures and their control 6.1. The Contracting Parties shall agree on the specific technical and organisational security measures set out in the Annex "Technical-organisational measures" for such processing.
    6.2 The contractor shall provide the security pursuant to Art. 28 para. 3 lit. c, 32 DSGVO, in particular in connection with Art. 5 para. 1, para. 2 DSGVO. Overall, the measures to be taken are measures of data security and to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of technology, the implementation costs and the type, scope and purposes of processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 DSGVO must be taken into account. Details can be found in the appendix "Technical-organizational measures".
    6.3 Technical and organisational measures are subject to technical progress. In this respect, the contractor is permitted to implement alternative adequate measures. The safety level of the measures specified in the appendix "Technical-organizational measures" must not be undershot. Significant changes must be documented.
    6.4 Upon request, the contractor shall provide the customer with the information necessary to fulfil his obligation to check the order and confirm the implementation of the agreed technical and organisational measures.
    6.5 The customer has the right to carry out inspections in consultation with the contractor or to have them carried out by inspectors to be appointed in individual cases. He has the right to check the contractor's compliance with this agreement in his business operations by means of spot checks which must be registered in good time (usually with at least 20 working days' notice). An inspection must be carried out during normal business hours without disrupting operations. This also applies to the inspection of subcontractors who have been commissioned (in whole or in part) to provide the services owed by the contractor. In doing so, the customer must take appropriate account of the operating procedures and maintain secrecy regarding the contractor's trade and business secrets. The Contractor shall adequately support the Customer in checking the order and shall provide the information required for this purpose upon request. An inspection by third parties for the customer requires the prior written consent of the contractor. If the client commissions a third party to carry out the inspection with the contractor's consent, the client must oblige the third party in writing to maintain confidentiality, unless the third party is subject to a professional confidentiality obligation. At the request of the contractor, the contracting authority shall submit the commitment agreements with the third party to the contractor without delay, prior to the commencement of the inspection. The contracting authority may not appoint a competitor of the contractor to carry out the inspection.
    In other words , we agree with you on so-called technical-organizational measures, which specify our precautions for the protection of your data. We orientate ourselves with our technical-organizational measures at the current state of the technology and guarantee a very high level of protection of your data stored with us. To ensure that our measures remain effective, we adapt them from time to time and continue to develop them further. You have the right to control the measures installed with us. For this we ask you for some time in advance for the planning of your review.
    7. Notification of violations by the contractor 7.1. In case of data protection relevant disturbances or suspicion of data protection violations during the processing of personal data, the contractor is obliged to inform the customer or the data protection officer of the customer without delay. The customer shall issue the necessary instructions in writing upon notification to this effect by the contractor.
    7.2 In consultation with the principal, the contractor shall take appropriate measures to secure the data and to reduce possible adverse consequences for those affected. If, in connection with the data to be processed in this Agreement, the Client is subject to information or notification obligations pursuant to § 42a BDSG or Art. 33, 34 DSGVO, the Contractor shall support the Client to the extent possible for a fee after separate assignment.
    7.3 The persons of the principal who are to be informed in the event of such a violation shall be notified separately to the contractor. If one of the persons named therein is prevented for a longer period of time, leaves the company or is no longer available for other reasons, a replacement person must be ordered in good time and the contractor must be notified immediately by e-mail to
    In other words, if an incident occurs in which we violate our agreement on order data processing, we undertake to inform you immediately.
    Should such an incident occur, we will do everything in our power to minimize the consequences for those affected and to protect your data.
    8. Deletion and return of data 8.1. Copies or duplicates of data carriers or data records provided under the contract will not be made without the knowledge of the client. Excluded from this are backup copies, insofar as they are necessary to guarantee proper data processing, as well as data which are necessary with regard to compliance with legal storage obligations.
    8.2 After completion of the contractually agreed services or earlier upon request by the principal - at the latest upon termination of the main contract - the contractor must hand over to the principal all documents in his possession, processing and usage results created and data stocks in connection with the contractual relationship or, with the prior consent of the principal, destroy them in accordance with data protection law. The same applies to test and scrap material. Destruction in accordance with data protection regulations must be confirmed to the customer on request. The Contractor shall provide the Customer with a record of the deletion upon request and for a fee after a separate order has been placed prior to the start of the deletion process.
    8.3 Documentation that serves as proof of orderly and proper data processing must be kept by the contractor after the end of the contract in accordance with the respective retention periods. He can hand them over to the client at the end of the contract.
    In other words, Data that you store on cloud services of gridscale will never be duplicated without your knowledge and will be irrevocably deleted at the latest after termination of our contract or if you request us to do so.
    9. Subcontracting relationships 9.1. Sub-contractual relationships within the meaning of this provision shall be understood to mean those services which relate directly to the provision of the main contract. This does not include ancillary services which the contractor uses e.g. as telecommunication services, postal/transport services, maintenance and user services or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems. However, in order to ensure data protection and data security of the client's data, the contractor is obliged to take appropriate and legally compliant contractual agreements and control measures, even in the case of outsourced ancillary services.
    9.2 The contractor is only entitled to commission third parties with the (complete or partial) performance of the services owed by him (sub-contractual relationships) with the prior written consent of the principal. The client will not refuse the consent for unreasonable reasons. Consent shall be deemed to have been given unless the contracting authority, within a period of three working days following notification by the contractor of the intended subcontracting, declares its reasoned rejection of the consent, at least in writing.
    9.3 If subcontractors are engaged by the contractor, the contractor shall ensure that his contractual agreements with the subcontractor are such that the level of data protection at least corresponds to the agreement between the principal and the contractor and that all legal and contractual obligations are observed. From the date of application of the DSGVO, the contractor shall comply with the conditions described in Art. 28 para. 2 and 4 DSGVO for the use of the services of another contract processor. If the subcontractor does not comply with his data protection obligations, the contractor shall be liable to the customer for compliance with the obligations of that subcontractor as for his own actions.
    9.4 If the subcontractor performs the agreed service outside the EU/EEA, the contractor shall take appropriate measures to ensure the admissibility under data protection law. The same applies if service providers within the meaning of para. 1 sentence 2 are to be used.
    In other words, in everyday life, we use various service providers whom we commission with so-called ancillary services - for example, the cleaning of our office or postal services. We carefully select secondary service providers and commit them to data protection and confidentiality. In addition to ancillary service providers, it may be appropriate in individual cases to commission service providers to perform part of the services that you order from us. So-called subcontracting relationships. In this case we will inform you about the assignment of such a service provider, so that you can agree to the assignment.
    In any case, we shall ensure that a subcontractor guarantees at least one level of safety that complies with this agreement. We ensure through control and contractual agreement that the subcontractor complies with legal regulations and protects your interests. If a subcontractor wishes to provide the services ordered outside Europe, we ensure compliance with data protection law.
    10. Inspection obligations 10.1. The client shall check the technical and organisational measures of the contractor and document the result regularly before starting data processing. For this purpose, he may obtain information from the contractor himself, have expert reports or test certificates obtained from the contractor submitted or have an examination carried out at his own expense by an expert bound to professional secrecy. Such an inspection must be carried out during normal business hours without disrupting the course of operations and requires an appropriate advance notice.
    10.2 Upon request, the contractor undertakes to provide the customer with all information required to carry out an inspection in text form (§ 126b BGB) within a reasonable period of time.
    In other words, before starting data processing on gridscale, you should conscientiously check us for suitability for your project. For example, start by going through our technical-organisational measures and contact us if you have any questions. Check our data center certificates and make sure we are the best provider for your project. We will be happy to support you in all this at any time.
    11. Written form clause, choice of law, final provisions 11.1 The place of jurisdiction for all disputes arising from this Agreement on order data processing is Cologne.
    11.2 This Agreement shall be governed by German law to the exclusion of private international law.
    11.3. Amendments and supplements to this appendix and all its components - including any warranties of the Contractor - require a written agreement and an express indication that these terms and conditions are to be changed or supplemented. This also applies to the waiver of this formal requirement.
    11.4 The customer as well as every user agrees that the contractor may send information relevant to the system or product by e-mail. This consent can be revoked at any time.
    11.5 Should individual provisions of this Agreement be or become invalid in whole or in part, this shall not affect the validity of the remaining provisions. In this case, the contracting parties undertake to replace the invalid provision with an effective provision that comes as close as possible to the economic purpose of the invalid provision. The same applies to any gaps in the agreement on order data processing.
    11.6 The appendix "Technical-organizational measures" is an integral part of this agreement.
    In other words, we live in Cologne. This agreement shall be governed by German law. Any changes to this agreement must be agreed with us in writing. The appendix "Technical-organizational measures" is an important part of this agreement.