Contract on the processing of personal data on behalf following Art. 28 GDPR for the use of the platform (EU)

Version 4 as of April 18 2024

1. Subject matter of the Contract

1.1 This Contract specifies the obligations for data protection according to Art. 28 GDPR resulting from the Agreement (hereinafter: "Main Contract") concluded between roclub GmbH with its registered office in Berlin (hereinafter: "Contractor" or "roclub GmbH") and its Client (hereinafter: "Customer" or "Client"; both together also referred to as "Parties").

1.2 The Contractor shall provide services to the Client on the basis of the Main Contract concluded between the Parties and the Terms and Conditions included therein. In doing so, the Contractor is going to process personal data within the meaning of Art. 4 No. 1 GDPR for the Client (hereinafter referred to as "Client Data") exclusively on behalf of and in accordance with the instructions of the Client. The framework and scope of the data processing result from the Main Contract. The Client is responsible for assessing the permissibility of the data processing.

2. Duration of the Processing

2.1 The term and termination of this Contract shall be governed by the provisions on the term and termination of the Main Contract. Termination of the Main Contract automatically results in termination of this Contract. An isolated termination of this Contract is excluded.

3. Scope, nature, and purpose of processing, type of personal data, categories of data subjects

3.1 The Contractor shall process the Client Data exclusively on behalf of and in accordance with the documented instructions of the Client. The Client remains the Data Controller within the meaning of Art. 4 No. 7 GDPR.

3.2 The processing of the Client Data within the scope of the commissioned processing shall be carried out in accordance with the specifications of the service description outlined in Annex 1 to this Agreement. It refers to the determined categories and types of Client data, the categories of data subjects, and the purpose of the processing.

3.3 The processing of the Client Data shall take place in the territory of the Federal Republic of Germany, in another member state of the European Union, or in another state party to the Agreement on the European Economic Area. Any transfer to a third country may only take place if the specific requirements of Art. 44 et seq. GDPR are met.

4. Rights, duties, and authority of the Client to issue instructions

4.1 For the permissibility assessment of the processing as well as for the protection of the data subjects' rights following Art. 12 to 22 GDPR, the Client shall be solely responsible.

4.2 The processing of the Client Data by the Contractor under this Agreement shall be carried out exclusively in accordance with the Client's instructions pursuant to Art. 28 para. 3 sentence 2 lit. a GDPR, unless the Contractor has the duty to carry out further processing under the law of the European Union or the law of the Member State to which it is subject. In such a case, the Contractor shall notify the Client of such legal requirements unless the relevant law prohibits such notification due to an important public interest.

4.3 Within the scope of the order description agreed in this Agreement, the Client reserves a comprehensive right to issue instructions regarding the type and purpose of the data processing, which it may specify by means of individual instructions.

4.4 Individual instructions after the conclusion of the Contract must be in text form and must be documented by both the Client and the Contractor.

4.5 The parties shall determine the persons authorized to issue instructions and the recipients of instructions in each case. The person specified as the contact person is the person authorized to issue instructions on behalf of the Client. In the event of a change or long-term unavailability of the designated person, the successor or representative must be designated to the contractual partner in text form without undue delay.

4.6 Instructions from the person authorized to issue instructions must be sent to privacy@roclub.com.

4.7 If the Client issues individual instructions regarding the handling of Client data that go beyond the scope of services agreed in the Main Contract, the costs incurred as a result shall be borne by the Client.

4.8 The Contractor shall not be under any obligation to review the Client's instructions in terms of (data protection) law. However, if the Contractor is of the opinion that an instruction of the Client violates data protection provisions, it shall inform the Client thereof. The Contractor shall be entitled to suspend the execution of the relevant instruction until the instruction is confirmed or amended. If, upon being informed of an instruction which, in the opinion of the Contractor, is unlawful, the Client does not dispel the Contractor's concerns, the Contractor may refuse to carry out the instruction in question insofar as it affects its sphere of responsibility.

4.9 The Client shall inform the Contractor immediately and completely if it discovers errors or irregularities in connection with the processing of Client Data by the Contractor or its instructions.

4.10 The instructions shall be retained for their period of validity and subsequently for three full calendar years.

5. Duties of the Contractor

5.1 The Contractor shall ensure that the processing of the Client Data within the scope of the provision of services under the Main Contract in its area of responsibility, which includes the subcontractors under item 9 of this Contract, is carried out in accordance with the provisions of this Contract.

5.2 The Contractor shall provide the Client, upon request, with the necessary information, including certifications as well as testing and review results, which serve to prove compliance with the obligations set forth in this Agreement.

5.3 The Contractor shall impose a written confidentiality obligation on the persons authorized to process Client Data pursuant to Art. 28 (3) lit. b GDPR, unless they are already subject to an appropriate statutory confidentiality obligation.

5.4 The Contractor shall appoint a competent and reliable data protection officer in writing, who shall carry out his activities in accordance with Art. 37, 38, and 39 GDPR, as well as Section 38 of the German Federal Data Protection Act (BDSG), as long as the legal requirements for an appointment obligation are met. The Contractor shall make the current contact details of the Data Protection Officer easily accessible on its website (Art. 37 (7) GDPR).

5.5 The Contractor and, if applicable, its representative shall keep a register of all categories of processing activities carried out on behalf of the Client, which shall contain all the information pursuant to Art. 30 (2) GDPR. This obligation does not exist if the conditions of Art. 30 (5) of the GDPR are fulfilled.

5.6 The Contractor must not make copies or duplicates of the Client Data within the scope of the processing without the prior consent of the Client. However, copies are exempt from this insofar as they are required to ensure proper data processing and the proper provision of services in accordance with the Main Contract (including data backup), as well as copies that are required to comply with statutory retention obligations.

5.7 The Contractor shall provide all necessary support to the Client in the fulfillment of his obligations following Art. 12 to 22 and Art. 32 to 36 GDPR within a reasonable scope in return for reimbursement of the expenses and costs incurred by the Contractor as a result. The support measures shall be provided while taking into account the nature of the processing and the information available to the Contractor and, where possible, using appropriate technical and organizational measures, in particular when responding to requests to exercise the data subject rights set forth accordingly in Art. 12 to 22 GDPR (item 10).

6. Technical and organizational measures

6.1 The Contractor shall take the necessary technical and organizational measures to adequately protect the Client's Data pursuant to Art. 32 GDPR, in particular, the digital and physical access control, transfer control, input control, order control, availability control, and separation control measures listed in Annex TOM.

6.2 As the technical and organizational measures are subject to technical progress and technological development, the Contractor is permitted to implement alternative and adequate measures, provided that this does not fall below the security level of the measures specified in Annex TOM. The Contractor shall document such changes. The Contractor shall inform the Client immediately of any intended significant changes beyond this with regard to the technical and organizational measures. The Client may object to such changes for good cause to be proven to the Contractor. The objection must be made in writing within a period of two weeks from receipt of a corresponding notification from the Contractor.

7. Contractor's violations to be reported

7.1 The Contractor shall inform the Client without undue delay if it discovers that it or an employee has violated data protection regulations or stipulations from this Agreement when processing Client Data, provided that there is a risk of a breach of the protection of personal data of the Client within the meaning of Art. 4 No. 12 GDPR.

7.2 Insofar as the Client is subject to statutory duties to provide information due to unlawful acquisition of Client Data (in particular pursuant to Art. 33 and 34 GDPR) as a result of an incident pursuant to paragraph (1), the Contractor shall support the Client in fulfilling the duties to provide information at the Client's request within the scope of what is reasonable and necessary against reimbursement of the expenses and costs incurred by the Contractor as a result.

7.3 The Contractor shall take the necessary measures to secure the data and to mitigate possible adverse consequences for the data subjects, inform the Client thereof, and request further instructions without undue delay.

7.4 Notifications according to Art. 33 or 34 GDPR to the Client may only be carried out by the Contractor after prior instruction by the Client.

8. Control rights of the Client

8.1 The Client shall review the technical and organizational measures taken by the Contractor at its own expense prior to the commencement of data processing and thereafter on a regular basis and shall document the result. This is done by obtaining a self-disclosure from the Contractor, which the Contractor can also fulfill by submitting a suitable certificate from an expert.

8.2 The Contractor shall provide the Client, upon written request, with all necessary information and details regarding its obligations under this Agreement and, in particular, shall provide evidence of the implementation of the technical and organizational measures within the meaning of item 6. Proof of such measures, where they do not only concern the particular order, can be provided by compliance with approved rules of conduct according to Art. 40 or certifications according to Art. 42 GDPR; by current test certificates, reports, or report excerpts of independent bodies (e.g., auditors, revision, data protection officer, IT security department, data protection auditors, quality auditors); or by a suitable certification from an IT security or data protection audit (e.g., according to BSI Basic Protection).

8.3 The Client or a duly authorized representative shall have the right to carry out the aforementioned inspections during normal business hours. These inspections shall be announced timely (in general, at least two weeks in advance) and shall interfere as little as possible with the Contractor's operations.

8.4 If the Client commissions a third party to carry out the inspection, the Client shall oblige the third party in writing in the same way as the Client is obliged under this Agreement. In addition, it must oblige the third party to maintain secrecy and confidentiality unless the third party is subject to a professional confidentiality obligation. Upon the Contractor's request, the Client shall submit to the Contractor the binding agreements with the third party. The Client may not commission a competitor of the Contractor with the inspection.

9. Subcontracting relationships

9.1 The Client expressly consents to the engagement of the subcontractors already listed prior to the conclusion of the Contract under the condition of a contractual agreement in accordance with Art. 28 (1) to (4) GDPR. A list of these subcontractors can be found in the Annex Subcontractors. The Contractor shall be permitted to engage further subcontractors (further Processors).

9.2 The Contractor shall inform the Client without undue delay of any intended change with regard to the use or substitution of other subcontractors. The Client may object to such changes for good cause, presenting sufficient evidence to the Contractor. The objection must be made in writing within a period of two weeks from receipt of a corresponding notification from the Contractor.

9.3 No notification shall be required for the involvement of subcontractors where the subcontractor merely provides an ancillary service to support the provision of services under the Main Contract, e.g., telecommunications services, postal/transport services, maintenance and user support, or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems, even if access to Client Data cannot be excluded in the process. The Contractor shall nevertheless select them with requisite care and make arrangements to the extent necessary to ensure adequate protection of the Client Data.

9.4 In the case of the engagement of a subcontractor, the Contractor shall impose on the subcontractor, by way of contract or other legal instruments under Union law or the law of the Member State concerned, the same data protection obligations as those stipulated in this Contract. The contract shall be designed in such a way that it is possible for the Client to carry out appropriate checks and inspections at the subcontractor's premises, including on-site if necessary, or to have them carried out by third parties commissioned by the Client.

9.5 If subcontractors in a third country are to be involved, the Contractor shall ensure that an appropriate level of data protection is guaranteed at the subcontractor (e.g., by concluding an agreement based on EU standard data protection clauses).

9.6 Upon request, the Contractor shall provide the Client with evidence of the conclusion of the aforementioned agreements with its subcontractors.

10. Data Subjects Rights

10.1 The data subject rights shall be asserted vis-à-vis the Client.

10.2 Insofar as a data subject contacts the Contractor directly in order to exercise his/her rights pursuant to Art. 12 to 22 GDPR of the data concerning him/her, the Contractor shall refer the data subject to the Client.

10.3 In all other respects, item 5 para. 7 of this Agreement shall apply.

11. Liability

11.1 The Client and the Contractor shall be jointly and severally liable for compensation of damages suffered by a person due to unauthorized or incorrect data processing within the scope of the contractual relationship.

11.2 In the internal relationship with the Contractor, the Client alone shall be responsible for compensation of damages suffered by a data subject due to inadmissible or incorrect processing of Client data within the scope of commissioned processing in accordance with the applicable data protection law.

11.3 The Client undertakes to indemnify the Contractor internally against all claims of third parties as long as and to the extent that the Client does not prove that the Contractor has not complied with its obligations under the GDPR specifically incumbent on the Contractor or has acted in non-compliance with a lawfully issued instruction of the Client or against a lawfully issued instruction.

11.4 If a data protection authority or a court imposes a fine on the Contractor based on data processing by the Contractor that is based on an instruction from the Client, the Client shall reimburse the Contractor the corresponding amount in full upon written notice within 30 days of the written notice.

11.5 The Client shall reimburse the Contractor for all costs resulting from the infringement of rights for which it is responsible in accordance with paragraphs 3 and 4, including the costs of legal action.

11.6 Unlimited Liability: The Contractor shall be liable without limitation for intent and gross negligence, in the event of a breach of a contractually granted warranty, and in accordance with the Product Liability Act. The Contractor shall be liable for slight negligence in the event of damage resulting from injury to the life, body, and health of persons.

Otherwise, the following limited liability applies: In case of slight negligence, the Contractor shall only be liable in the event of a breach of an essential contractual obligation of the Main Contract, the fulfillment of which makes the proper execution of the Main Contract possible in the first place and on the observance of which the Client may regularly rely (cardinal obligation). The liability for slight negligence is limited to the amount of damages foreseeable at the time of conclusion of the Contract, the occurrence of which must typically be expected.

12. Return and deletion of provided Client Data

12.1 The Contractor shall return or delete all Client Data after termination of the contractual provision of services (in particular in the event of termination or other ending of the Main Contract), at the discretion of the Client, and destroy existing copies unless there is an obligation to store the data under EU law or the law of the Member States.

12.2 The Contractor shall document the deletion or destruction of Client Data and provide proof of this to the Client upon request.

12.3 Documentation that serves as proof of orderly and proper data processing or legal retention periods shall be retained by the Contractor beyond the end of the Contract in accordance with the respective retention periods.

13. Miscellaneous

13.1 Insofar as no special provisions are contained in this Contract, the provisions of the Main Contract shall apply. In case of contradictions between this Contract and regulations from other agreements, in particular from the Main Contract, the regulations from this Contract take precedence.

13.2 For the sake of clarity, the contracting parties shall make amendments and additions to this Agreement only in text form. This also applies to changes to this formal requirement.

13.3 roclub may modify or amend this Agreement at any time. The customer shall be notified via e-mail about the changes and amendments at least six weeks before they take effect. If the customer does not agree to the changes, he may object to the changes in text form with a notice period of one week from the date on which the changes or additions are intended to take effect. If the customer does not object, the changes or amendments to the terms of use shall be deemed approved by the customer. This will be pointed out by roclub in the announcement.

13.4 The Client and the Contractor and, if applicable, their representatives shall cooperate with the Supervisory Authority in the performance of their duties upon request.

13.5 This Contract is subject to German law. The place of jurisdiction is Berlin.

Annex 1: Purpose and nature of data processing, type of data, and categories of data subjects

The Contractor shall provide the services agreed upon in accordance with this Annex to the Client exclusively in accordance with the Client's instructions and on the basis of the Agreement concluded between the Parties on the processing of personal data on behalf of the Client.

The Contractor shall process the following personal data on behalf of the Client for the aforementioned purposes:

| Type of data | Nature and purpose of data processing | Categories of data subjects |
| --- | --- | --- |
| Video signal of connected medical device (e.g. MRI or CT scanner) | Encryption of the video stream on the hardware device (connector) at the contractor's site for transmission to remote | Patient data |
| Contact information | Collection, management to provide the services | Employees, other authorized users |
| User profile data | Collection, management to provide the services | Employees, other authorized users |
| Roles, authorizations, departmental affiliations | Collection, management to provide the services | Employees, other authorized users |
| Calendar entries (availabilities, session assignment) | Collection, management to provide the services | Employees, other authorized users |
| Session data | Collection, management to provide the services | Employees, other authorized users |
| Chat logs | Collection, management to provide the services | Employees, other authorized users |
| Log files (user activities) | Collection, management to provide the services | Employees, other authorized users |