GENERAL TERMS AND CONDITIONS
Law in Practice GmbH, Rather Strasse 25, 40476 Düsseldorf (hereinafter referred to as “LIP”), offers digital and non-digital services and products in the area of Law, Tax and Finance.
- “Online store“ means the online store operated by LIP under the website “https://lawinpractice.eu“.
- “Product”, “Products”, “LIP-Product”, “LIP-Products” or “Services” means digital services such as e-learning, e-books and other electronically provided products or services offered by LIP via the online shop. Individual legal and tax services and consulting services are not covered by this definition.
- “Consumer” is a natural person who completes a legal transaction for a purpose that is largely not attributable to his or her commercial or independent professional activity (§ 13 German Commercial Act). “Entrepreneur” means a natural or legal person or a legal entity which, at the conclusion of a legal transaction, acts in the performance of its commercial or independent professional activity (§ 14 German Commercial Act).
- “Customer” means entrepreneurs who are users of the online shop and buyers or licensees of the digital products offered by LIP in the online store.
- “Entitled user(s)” means another user or other users designated by the customer who are granted a right to use the Products after LIP’s consent.
- “GTC” are the following general terms and conditions in the current version at the time of the conclusion of the contract with the customer.
- “Contract” means the legal relationship between LIP and the customer with respect to the purchase or grant of a license to use the Products.
- “LMS” refers to the e-Learning Management System (LMS) used by LIP to run e-learning courses.
- These GTC govern the details of the contractual relationship between LIP and the customer regarding the purchase or grant of a license to use Products and Services, including the actual exercise of the use of this License and the Products and Services by the customer and the authorized users, and are valid in addition to the contract of use concluded with the customer.
- Individual legal and tax services or consulting services are not covered by the scope of these GTC.
- Contradictory, deviating or supplementary general terms and conditions of the customer or third parties shall not become part of the contract unless LIP expressly agrees to their validity.
III. Conclusion of the contract
- LIP offers and sells the Products only to business customers and entrepreneurs respectively. LIP does not offer and sell the Products to Consumers. With the conclusion of an agreement with LIP, the customer confirms to be a business customer and entrepreneur.
- The presentation of e-learnings, e-books and other Products in the online store or other media and publications is a non-binding offer and gives the customer the opportunity to make a binding offer to conclude a contract of use.
- If the customer wishes to purchase a Product in the online store, he must open a customer account and accordingly register himself. The registration can be done during a purchase process.
- The customer can choose from the assortment presented by LIP in the online shop and choose a Product by using the [Add to Cart] button whereas the chosen Product will be collected in a so-called shopping cart. The collection of Products in the shopping cart does not constitute an offer of the customer to purchase these Products and selected Products can be deleted from the shopping cart. In order to continue with the purchase process, the customer has to proceed from the shopping cart via the [checkout] button to the checkout site.
- Prior to the completion of the ordering process, the customer must provide information on the billing address, e-mail address and payment method. The required information is marked with an asterisk (*). If this information is not provided by the customer, the order process will not continue.
- Before sending the order, the customer can change and view the data and use the browser function “back” to go back to [Cart] or cancel the order process. The customer makes a binding request for the purchase of the Products in the shopping basket via the button [order payable].
- LIP sends the customer an automated acknowledgement of the opening of a customer account. By clicking the “confirmation link” in this E-mail, the customer confirms the opening of the customer account.
- The contract and purchase or license regarding a Product comes into effect only if LIP expressly or impliedly agrees and the remuneration applicable at the time of the ordering process in the meaning of Section 4 has been credited to an account of LIP or, in the case of payment by credit card, the customer’s credit card used for the order process could be successfully authorized and charged. LIP will send the customer a respective confirmation e-mail in which the customer will also be informed about the grant of access to the Product.
- The customer assures that all his information is current and accurate when ordering and is sufficient for the fulfillment of his order by LIP. Additional costs incurred by LIP through incorrect or incomplete information shall be borne by the customer.
IV. Remuneration, payment conditions, taxes
- All prices and remunerations stated in the online shop or individually agreed with the customer are net prices in EUR and payable plus the statutory Value Added Tax (VAT) applicable at the relevant time.
- The remuneration must be paid in advance.
- Currency differences are in the responsibility of the customer. Any charges, fees or commissions levied by the customer’s bank, the financial institution used by him or the customer’s credit card company shall be borne by the customer and shall not be a price element.
- In the case of payment by credit card, the customer specifies the data necessary for payment processing (e.g. bank account, owner name, card number, expiration date, check digit) and hereby declares his agreement that his data are processed to the third party (for example Stripe, PayPal) in order to process the payment. If the customer does not agree with this, a different payment method (payment on account) is available to him.
- If third parties are involved in the payment processing (for example Stripe, PayPal), their general terms and conditions apply.
- The customer receives an invoice for the ordered service in electronic form to the e-mail address he has registered in the checkout form.
- If the customer does not comply with his payment obligations or if the amounts paid are refunded or reloaded, LIP, subject to further claims, is entitled to cancel the customer’s access to the ordered Product. If the account is blocked due to open payment claims and the customer balances these out, the access is unlocked again.
- LIP may understand the specified address as mentioned by the customer in the checkout form as his place of business. LIP uses the VAT Identification Number specified by the customer, even if it is assigned to a state other than the state of the place of business specified by the customer. In this respect, LIP may rely on the customer’s responsibility to ensure that he uses the VAT Identification number applicable in accordance with the relevant legal regulations. If the VAT Identification Number specified by the customer is invalid or if an incorrect VAT identification number has been used, LIP may draw the corresponding VAT consequences (e.g. not concluding the contract, issuing an invoice including German VAT).
- If the customer is obligated to pay or withhold taxes on payments to LIP, LIP shall nevertheless be entitled to the total remuneration as defined in this Section without deductions. The remuneration is increased by the amount of taxes paid or retained by the customer (gross-up). The customer confirms in writing to LIP that all applicable taxes have been paid to the competent tax authority within 30 days of the date of payment of the remuneration and forwards to LIP the respective documentation. For the purposes of this paragraph, taxes shall mean all sales, withholding, use taxes, gross income, trade, retail and other taxes and similar levies levied by a state or government of excluding the VAT levied by members of the European Union.
V. Content of contract, right of use, contract duration
- Under the condition of payment of the owed and due remuneration, the customer receives the simple, non-exclusive, non-transferable and limited right to use the Product during the duration of the contract, as specified in the Product description and the following provisions. The right to use the Product is granted to the customer and to the contractually defined authorized users for their own purposes.
- To exercise the right of use of the Product, the customer has to log into his previously opened customer account.
- The customer and the contractually defined authorized users are not entitled to grant another person access to the Product, to transfer the right to use or to make a copy or extract of the Product or to pass on or to use the Product in any other way.
- Unless individually agreed otherwise by contract, the right of use only refers to the Product or Service at the time of the conclusion of the contract and how it was presented under the respective item number in the online store as confirmed to the customer.
- The right of use does not confer any entitlement towards LIP to update the Products or to provide any information regarding any changes in the law or jurisdiction.
- LIP is entitled to update the Product at any time at its own discretion. The updated Product is not an object of the contract. The customer and authorized users are not entitled to obtain and use the updated Product or Service. Instead, the right to use this updated Product requires a separate, newly concluded contract.
- With regard to E-Learning courses the following shall apply:
a) LIP grants the customer a right of access to the course for the duration of one (1) year in the version and form as set in the Product description at the time of conclusion of the contract. A test phase is not foreseen. The access is granted via the customer account of the customer and/or authorised user. To access the course, the customer has thus to log into his customer account. The access term starts with the grant of access after the receipt of the remuneration. The customer will be informed by e-mail of the date of the grant of access to the course.
b) The customer is aware that the course videos are streamed and that the streaming involves external service providers (e.g. video streaming services such as Vimeo).
c) The right of use entitles the customer or the authorized user to stream the respective training videos and attend a test (if applicable) as described in the product description.
d) The customer is not entitled to an individual supervision of his learning success, respective instructions or guidance, individual learning controls or to answers on individual questions. Particularly, the contract about the right to use the Product does not qualify as a Distance Learning Agreement in the meaning of § 2 of the German “Fernunterrichtsschutzgesetz (FernUSG)” or a similar local regulation in the customer’s country.
e) The right of use exists for a natural person and requires a respective customer account with LIP. In the event of an intended use by two (2) or more users, an individual order request to LIP is required, specifying the names of the other users and their E-Mail addresses. In this case, LIP sends the customer a user agreement by e-mail or by letter. The customer sends a signed version either by E-Mail or letter by post to LIP. This contract of use is effective according to point 3 after receipt of payment and with the issuance of a user ID and a password to the then authorized users.
f) The right of access of the customer or a legitimate user during a meeting is generally not limited in time, unless otherwise defined by this GTC (see e.g. Paragraph 5. 12).
g) A customer or authorized user can be logged on to the database only once at the same time by one user ID and password. In case of a re-login or using a different browser or device, the previous session will be automatically cancelled.
h) The right of use ends automatically and without prior notification at the end of the term of one (1) year by deletion of access to the Product or course.
- Regarding Products made available by downloading (“Download”), the following shall apply:
a) LIP grants a right of use to the customer as an individual or, if the customer is a company or group of companies, the entire company or the entire group of companies.
b) The right of use entitles the customer to download the Product or Service three times within a period of ninety days after purchase by means of the access data in the form of a link, provided to him by LIP, to save and print on his computer. After ninety days, the access data becomes invalid.
- Further duplication or the other revaluation of Products are only permitted with prior written consent from LIP. The systematic automated retrieval of Products, creating systematic collections from retrieved Products or Services as well as the systematic transfer of Products or Services or their systematic making available to third parties are inadmissible.
- The customer and any authorized user are obligated to keep the (respective) password and access data for his customer account and the Product confidential to prevent unauthorized use by third parties; the customer also ensures that authorized users comply with this obligation.
- Rights of use which may be perceived as a result of legal licenses, in particular in accordance with §§ 53, 55a, 87c and 87e German Copyright Act are not acknowledged in the usage contract and in these GTC and are not affected by this.
- LIP tries to ensure that technical access to the Products and Services is granted at any time. However, due to necessary maintenance and service work as well as due to possible unforeseeable technical problems, there may be times when the online store, download links and the LMS are not reachable. LIP reserves the right to switch off the online shop and the LMS for maintenance and service work every day from 3:00 a.m. to 6:00 p.m. CET (“Berlin-time”; the “Shutdown Period”). In addition, LIP is entitled to perform maintenance and service work in urgent and non-resolvable cases outside the aforementioned Shutdown Period, which may temporarily restrict the usability of the online store, the download links and the LMS; LIP will try to take the customer’s concerns into consideration as far as possible.
- LIP is entitled to take technical measures to prevent use beyond the permitted scope, in particular to install appropriate access barriers. This applies in particular if the type, scope and frequency of access to Products or Services gives the impression that the customer or a legitimate user has passed on his access data to third parties. A corresponding presumption is, for example, if a session lasts longer than five (5) hours and/or during the period of use of six (6) months, more than twenty (20) times access to an e-learning or more than fifteen (15) times download of a downloadable The customer or authorized user shall not use any devices, products or other means which are used to circumvent or overcome these technical measures. In particular, the customer or authorized persons must not use web crawlers, spider programs, metasearch engines, or similar technologies that automate content retrieval. In the event of abusive use, LIP shall have the right to immediately block the access. Further rights and claims of LIP, in particular the right to extraordinary termination of the contract of use for important reasons as well as claims for damages, remain unaffected.
- The customer is obligated to inform the authorized users of the aforementioned provisions and to ensure compliance with them.
- The right of any party to extraordinary termination for important reasons remains unaffected.
- Upon termination of the contract, LIP shall be entitled to block the access of the customer and authorized users immediately.
- Both parties may terminate the usage agreement with respect to the online store at any time by termination. The cancellation can be made by e-mail or in writing by letter. The contact details can be taken from the imprint of LIP.
- After termination of the user agreement, the customer no longer has access to the Product.
- The right of withdrawal in accordance with the following section VI shall remain unaffected.
VI. Right of withdrawal for EU consumers
Consumers with a permanent residence in an EU member state (“EU consumers”) basically have a right of withdrawal regarding this contract in accordance with the following cancellation instructions. The right of withdrawal prematurely expires if the contract concerns the supply of digital products, if the execution of the contract has been commenced before the end of the withdrawal period, if the EU consumer has been informed about the extinction of the right of withdrawal before the execution of the contract and if he has given his express consent and at the same time has confirmed his knowledge about his loss of the right of withdrawal.
The right of withdrawal expires prematurely if the execution of the contract has been commenced after the EU consumer has given his express consent and at the same time has confirmed his knowledge that he will lose his right of withdrawal with the commencement of the performance of the contract. We point out that we can make the conclusion of the contract dependent on the aforementioned consent and confirmation.
LIP does not sell the Products to consumers. The above mentioned right therefore does not apply to the customer.
VII. Customer’s assurances and obligations to participate
- The customer is responsible for the maintenance of his customer account and has to immediately update his account data with regard to their correctness and completeness. The customer must keep the password for access to the customer account confidential.
- The customer is obligated to pay all orders made by using his user ID and password. This obligation to pay is not applicable unless the customer can prove that an order was not negligently or intentionally made possible by him using his user ID and his password. Furthermore, the customer does not have to pay any remuneration for a purchase order made using his user ID and password, if the customer has asked LIP to block his user access and password before the corresponding order, and LIP has not blocked the account within a reasonable period of time between the receipt of the customer’s lock request and the receipt of the order.
- The responsibility of LIP with regard to the usability of the Products and Services extends only to the transfer point of the online store or the LMS to the Internet, but not to the systems of the customer and data transmission lines beyond the transfer point. It falls within the customer’s area of responsibility to arrange for the technical requirements of access to the Products or Services. This especially applies to the hardware and operating system software used by the customer, the connection to the Internet and the current browser.
- The proper usability of the LMS used by LIP requires that the time and time zone set by the customer are current and correct. Furthermore, the customer’s system must accept cookies, which are transmitted by the server of the online store and the LMS, in order to perform the performance and identify the computer used by the customer. It is the customer’s responsibility to make the appropriate settings.
- The customer is obligated to take the precautions necessary to secure his systems, in particular to use the usual security settings of the browser and to employ up-to-date protection mechanisms for the prevention of malicious software.
- As far as the right of use concerning the Products or Services requires the approval or license of a government or other authority, it is the customer’s responsibility to obtain this permit or license at his own expense and to prove this to LIP upon request. The non-solicitation does not entitle the customer to withhold or delay the remuneration for the Products or Services towards LIP. All costs and expenses of LIP due to such non-solicitation or incorrect solicitation are to be borne by the customer.
- It is the customer’s responsibility to immediately notify LIP by e-mail or in text form (§ 126 German Commercial Act) about any defects, malfunction or damage to the Products or Services or the usability of the online store and the LMS, which do not fall within his sphere of responsibility.
- The customer is not entitled to make changes to the Products or Services.
VIII. Scope and limitations of performance; warranties
- Statements and explanations of LIP in advertising materials, websites, social networks, documentation or other sources are intended solely as a description of the nature of the Products and Services and are not to be understood as a guarantee or assurance of the property of a Product or Service.
- The customer is aware that the grant of the use of the Products or Services or the performance of the Products or Services does not constitute legal or tax advice. If the customer wishes a legal and tax consulting service, a separate contract is to be concluded in compliance with the legal regulations applicable to these services.
- For LIP, the quality of the Products and Services as well as the accuracy of the content contained herein is of high relevance. However, LIP cannot guarantee completeness, correctness and topicality of the content. Furthermore, the customer himself is obliged to subject the contents to a plausibility check corresponding to their intended use. This particularly applies to the legal and tax issues presented in the Products and Services and their application to a specific case of the customer.
- LIP does not warrant and is not obligated to update the Products and Services and/or to accordingly inform the customer, particularly not due to legal changes. The customer is obliged to inform himself about relevant changes and to keep them informed.
- With regard to technical deficiencies in connection with the download of Products or Services or the use of the online store or the LMS, LIP expressly refers to the customer’s duties as described in Section VII.
- It is the responsibility of the customer to immediately indicate any faults or damage occurring.
IX. Protection Rights; Copyrights
- The Products and Services are products in the meaning of § 2 German Copyright Act which are protected by copyrights. The LMS is a database in the meaning of §§ 4 para. 2, 87a para. 1 German Copyright Act. Associated computer programs are subject to the protection of § 2, §§ 69a ff. German Copyright Act; manuals and documentation as well as provided Products are subject to the protection of § 2 German Copyright Act. Rights of third parties in the protected works remain unaffected.
- All content published in e-mail, newsletters and similar documents is protected by copyright. This also applies to published court decisions and their guidelines.
- Trademarks, company logos, other identifiers or protection notices, copyright notices, serial numbers as well as other features serving the identification may not be removed or altered in electronic format or in printouts.
X. Liability for damages
- LIP shall be liable within the scope of the legal provisions only in accordance with the following:
a) LIP shall be liable without limitation for damages arising from injury to life, body or health, as well as for damages based on intent or gross negligence of LIP or one of its owners or vicarious agents, as well as for damages due to the failure to comply with a warranty or warranted by LIP or due to fraudulently concealed defects.
b) LIP is liable under limitation for compensation of the foreseeable damage typical of the contract for such damages, which are based on a slightly negligent breach of essential contractual obligations by its owner or vicarious agents. Contractual obligations are obligations, the fulfilment of which enables the proper implementation of the contract in the first place and on whose adherence the contractual partner may trust regularly.
c) LIP is not liable for the completeness, accuracy and topicality of the contents of the Products and Services or the technical usability of the LMS.
d) The Products or services do not represent legal and tax advice, but only provide general basic knowledge of the respective legal area. LIP therefore expressly points out that the assessment of a specific case must be examined individually and that a legal or tax adviser or a person with comparable knowledge and advisory powers should be consulted in this regard. The assessment of whether and to what extent an application of the knowledge provided together with the Products or services, is the sole responsibility of the customer. LIP’s liability for any damages or other adverse consequences is expressly excluded.
e) A fault-independent liability for defects already existing at the conclusion of the contract according to § 536a para 1 half-sentence 1 German Commercial Code is excluded.
- If a customer or authorized user has
a) performed a culpable conduct resulting in a damage of LIP (e.g. by causing a technical malfunction and/or failure of the online store or the LMS or other disturbances of the business operation of LIP), the customer or authorized user is obliged to immediately stop the damaging act and to compensate LIP for the related damage.
b) disclosed the access data to a Product or Service or a Product or Service itself without prior approval of LIP, not complied with the provisions as stated in Section V or infringed any copyrights relating to the Products or Services, he is liable to LIP for the damage resulting therefrom, including a loss of profit.
- LIP adheres to the applicable provisions of the General Data Protection Regulation (GDPR), the Federal Privacy Act (BDSG), the Telemedia Act (TMG) and the Telecommunications Act (TKG).
- The customer is advised that LIP retains its data in accordance with the legal and tax regulations.
- In case of the purchase of an E-Learning, the Parties conclude the Data Processing Agreement as stated in Annex 1.
XII. General provisions
- The place of performance of the contract is Düsseldorf, Germany.
- The contract language is German, if the parties do not exceptionally agree to English as the contract language in the user agreement.
- The exclusive place of jurisdiction for disputes with entrepreneurs and/or legal persons under private law or public law contracts is also Düsseldorf, Germany.
- All disputes in connection with the use of the Products or Services covered by the customer’s right to use a Product or Services shall be governed, irrespective of the legal reason, exclusively by the law of the Federal Republic of Germany, excluding all provisions of the conflict of law rules which refer to another legal order. The application of the U.N. purchase right is excluded.
- Should any provision of these GTC or a provision under other agreements with the customer be or become ineffective, the validity of all other agreements or provisions shall not be affected. Instead of the ineffective provisions, the legally effective regulation shall apply.
December 2019, Law in Practice GmbH. Subject to changes.
Annex 1: Data Processing Agreement in accordance with Art. 28 GDPR
the customer of Law in Practice GmbH – hereinafter referred to as the “Controller”
Law in Practice GmbH, Rather Strasse 25, 40476 Düsseldorf, Germany – hereinafter referred to as the “Processor”
“Controller” and “Processor” are hereinafter referred to as “the Parties”.
There is a contractual relationship between the parties within the meaning of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter referred to as “GDPR”).
This data processing agreement (hereinafter referred to as “the Agreement”) governs the data protection obligations of the parties under the underlying contract for the use of e-learnings in the context of an e-learning management system as provided by the Processor (hereinafter referred to as the “Principal Contract”). If reference is made to the provisions of the Federal Data Protection Act (hereinafter referred to as the “BDSG”), this refers to the law on the adaptation of data protection law to Regulation (EU) 2016/679 and the implementation of Directive (EU) 2016/680 as amended from 25 May 2018.
Individual agreements in this Agreement have priority over the Processor’s General Terms and Conditions (GTC).
Processor undertakes to perform the Principal Contract and this Agreement in accordance with the following provisions:
Section 1 Definitions and scope
- The following provisions apply to all services of data processing within the meaning of Article 28 GDPR, which the processor provides to the controller on the basis of the Principal Contract.
- In accordance with Article 4(1) GDPR, ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
- If this Agreement uses the term “data processing” or “processing” of data, this shall be generally understood to mean the use of personal data. Data processing or the processing of data shall mean any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- Reference is made to further definitions set forth in Art. 4 GDPR.
Section 2 Subject matter, nature and duration of data processing
- The Processor processes personal data on behalf of and in accordance with the instructions of the controller.
- The object of the contract is the training of the responsible person and/or his employees according to the Principal Contract agreed with the Processor. For this purpose, the controller shall transmit the data referred to in Section 3 of this Agreement. The Processor uses this data to provide and document the e-learning referred to in the Principal Contract.
- The duration of this agreement shall be the term of the Principal Contract.
Section 3 Categories of data subjects and type of personal data
Categories of data affected by the handling of personal data under this Agreement:
- the person in charge
- Employees authorized by the Controller to use the e-learning in accordance with the Principal Contract
Personal data affected by order processing
- First name, last name and e-mail address of the person responsible
- Master data of the employees as agreed by the controller, usually first name, last name and e-mail address
- Time, title and language of the completed training
- Connection data when using the e-learning management system
- Test results in case of a quiz or final test
Section 4 Obligations of the Processor
- Data processing
The Processor shall process personal data exclusively in accordance with this Agreement and/or the underlying Principal Contract and in accordance with the Controller’s instructions.
- Data subjects’ rights
- The Processor shall, within its capabilities, assist the Controller in complying with the rights of data subjects, particularly with respect to rectification, restriction of processing, deletion of data, notification and information. If the Processor processes the personal data specified under Sect. 5 of this Agreement on behalf of the Controller and these data are the subject of a data portability request under Art. 20 GDPR, the Processor shall, upon request, make the dataset in question available to the Controller within a reasonably set time frame, in a structured, commonly used and machine-readable format.
- If so instructed by the Controller, the Processor shall rectify, delete or restrict the processing of personal data specified under Sect. 5 of this Agreement. The same applies if this Agreement stipulates the rectification, deletion or restriction of the processing of data.
- If a data subject contacts the Processor directly to have his or her personal data specified under Sect. 5 of this Agreement rectified, deleted or the processing restricted, the Processor shall forward this request to the Controller immediately upon receipt.
- Monitoring duties
- The Processor shall ensure, by means of appropriate controls, that the personal data processed on behalf of the Controller are processed solely in accordance with this Agreement and/or the Principal Contract and/or the relevant instructions.
- The Processor shall organize its business and operations in such way that the data processed on behalf of the Controller are secured to the extent necessary in each case and protected from unauthorized access by third parties.
- The Processor confirms that it has appointed a Data Protection Officer in accordance with Art. 37 GDPR and, if applicable, in accordance with Sect. 38 FDPA, and that the Processor shall monitor compliance with data protection and security laws.
- Information duties
- The Processor shall inform the Controller immediately if, in its opinion, an instruction issued by the Controller violates legal regulations. In such cases, the Processor shall be entitled to suspend execution of the relevant instruction until it is confirmed or changed by the Controller.
- The Processor shall assist the Controller in complying with the obligations set out in Articles 32 to 36 GDPR taking into account the nature of processing and the information available to the Processor.
- Location of processing
The processing of the data shall in principle take place in the territory of the Federal Republic of Germany, in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country may only take place if the special requirements of Art. 44 et seqq. GDPR are fulfilled.
- Deletion of personal data after order completion
After termination of the Principal Contract, the Processor shall delete or return all the personal data processed on behalf of the Controller to the Controller after the end of the provision of services relating to processing and delete existing copies, provided that the deletion of these data does not conflict with any statutory storage obligations of the Processor. The deletion in accordance with data protection and data security regulations must be documented and confirmed upon request to the Controller.
- The Processor is obliged to maintain confidentiality when processing data for the Controller.
- In fulfilling its obligations under this Agreement, the Processor undertakes to employ only employees or other agents who are committed to confidentiality in the handling of personal data provided and who have been appropriately familiarized with the requirements of data. Upon request, the Processor shall provide the Controller with evidence of the confidentiality commitments.
- Insofar as the Controller is subject to other confidentiality provisions, it shall inform the Processor accordingly. The Processor shall oblige its employees to observe these confidentiality rules in accordance with the requirements of the Controller.
Section 5 Rights and duties of the Controller
- The Controller is solely responsible for assessing the lawfulness of the data processing and for safeguarding the rights of data subjects and is hence a controller within the meaning of Article 4 (7) GDPR.
- The Controller is entitled to issue instructions concerning the nature, scale and method of data processing. Upon request by the Processor, the Controller shall confirm verbal instructions immediately in writing or in text form (e.g. by email) to the Processor.
- Insofar as the Controller deems it necessary, persons authorized to issue instructions may be. The Processor shall be notified of such in writing or in text form. In the event that the persons authorized to issue instructions change, the Controller shall notify the Processor of this change in writing or in text form, naming the new person in each case.
- The Controller shall notify the Processor immediately of any errors or irregularities detected in relation to the processing of personal data by the Processor.
- The Controller shall be entitled, after prior notification in good time and during normal business hours, to carry out an inspection of compliance with the provisions on data protection and the contractual agreements to the extent required, either himself or through third parties, without disrupting the Processor’s business operations or endangering the security measures for other Controllers and at his own expense. Controls can also be carried out by accessing existing industry-standard certifications of the Processor, current attestations or reports from an independent body (such as auditors, external data protection officers or external data protection auditors) or self-assessments. The Processor shall offer the necessary support to carry out the checks. The Processor shall inform the Controller of the execution of inspection measures by the supervisory authority to the extent that such measures or requests may concern data processing operations carried out by the Processor on behalf of the Controller.
Section 6 Sub-processors
- The Controller authorizes the Processor to make use of other processors in accordance with the following subsections in Sect. 9 of this Agreement. This authorization shall constitute a general written authorization within the meaning of Art. 28 (2) GDPR.
- The Processor currently works with the subcontractors specified in Annex 1 and the Controller hereby agrees to their appointment.
- The Processor shall be entitled to appoint or replace other processors. The Processor shall inform the Controller in advance of any intended change regarding the appointment or replacement of other processors. The Controller may object to an intended change.
- The objection to the intended change must be notified to the Processor within two weeks after receipt of the information on the change. In the event of an objection, the Processor may, at his own discretion, either provide the service without the intended change or propose an alternative subcontractor and coordinate it with the Controller. Insofar as the provision of the service without the intended change is unreasonable for the Processor (for example, due to the associated disproportionate costs for the Processor) or the agreement on an alternative subcontractor fails, the Controller and the Processor may terminate this Agreement as well as the Principal Contract with a notice period of one month to the end of the month.
- A level of protection comparable to that of this Agreement must always be guaranteed when other processors are involved. The Processor is liable to the Controller for all acts and omissions of other processors it appoints.
Section 7 Technical and organizational measures
- The technical and organisational measures described in Annex 2 are agreed upon between the Parties as appropriate. The Processor may update and amend these measures provided that the level of protection is not significantly reduced by such updates and/or changes.
- The Processor shall observe the principles of due and proper data processing in accordance with Art. 32 in connection with Art. 5 (1) GDPR. It guarantees the contractually agreed and legally prescribed data security measures. It will take all necessary measures to safeguard the data and the security of the processing, in particular taking into account the state of the art, as well as to reduce possible adverse consequences for the affected parties. Measures to be taken include measures to protect the confidentiality, integrity, availability and resilience of systems and measures to ensure continuity of processing after incidents. In order to ensure an appropriate level of processing security at all times, the Processor will regularly evaluate the measures implemented and make any necessary adjustments.
Section 8 Liability/Indemnification
- The Processor shall be liable to the Controller for any and all loss or damage culpably caused in the performance of the services under the Principal Contract or by a breach of applicable statutory data protection obligations on the part of the Processor, its employees or parties commissioned by it to implement the Principal Contract. The Processor shall not be obliged to pay compensation if the Processor proves that it has processed the data provided by the Controller solely in accordance with the instructions of the Controller and that it has complied with its obligations arising from the GDPR specifically directed to.
- The Controller shall indemnify the Processor against any and all claims for damages asserted against the Processor based on the Controller’s culpable breach of its own obligations under this Agreement or under applicable data protection and security regulations.
Section 9 Miscellaneous
- This agreement is governed by German law.
- Amendments and additions to this Agreement shall require the mutual consent of the Parties, with a specific reference to the amended provisions of this Agreement.
- Oral ancillary agreements to this Agreement do not exist and are excluded for future amendments to this Agreement.
- In the event that access to the data which the Controller has transmitted to the Processor for data processing is jeopardized by third-party measures (measures taken by an insolvency administrator, seizure by revenue authorities, etc.), the Processor shall notify the Controller of such without undue delay.
Annex 1: Subprocessors
- Hosting services for website and e-learning management system
Mittwald CM Service GmbH & Co. KG Königsberger Straße 4-6 32339 Espelkamp, Germany
Amazon Web Services, Inc., 410 Terry Avenue North, Seattle WA 98109, USA
CleverReach GmbH & Co. KG, Schafjückenweg 2, 26180 Rastede, Germany
Annex 2: Technical and organizational measures to ensure the security of processing
The Processor guarantees that the following technical and organizational measures have been taken:
I. Security and confidentiality measures
- Physical Access Control
Measures that physically deny unauthorized persons access to IT systems and data processing equipment used to process personal data, as well as to confidential files and data carriers:
Unauthorized persons are denied access to the technical equipment used by the Processor for the purpose of processing. Law in Practice GmbH only grants access by means of a controlled key allocation. At present, only the management has access.
- Logical Access Control
Measures to prevent unauthorized persons from processing or using data protected by data protection law.
Measures implemented by the Processor:
- Access to the data processing equipment is provided exclusively by authorized and professionally qualified personnel.
- The Processor has set up a password procedure consisting of an individual user name and password. Through these procedures, each user receives a personal and individual log-in to the system. The passwords must have a minimum length and contain special characters. Accounts are also automatically blocked and can only be reached again via the password. The number of online trainings is limited by the number of authorized employees and determines which employee has access to which data. Disks are encrypted.
- Registrations and logins are documented.
- Data Access Control
Measures to ensure that persons authorized to use data processing systems can only access personal data according to their access rights, so that data cannot be read, copied, changed or removed without authorization during processing, use and storage
Measures implemented by the Processor:
- Access to the data processing systems is secured by user and rights management. It is only possible for the individual employee of the Processor to view, use, process or delete the data required for his tasks.
- Access to the data processing systems is logged.
- When an employee leaves the workstation, a screen saver locks it; it is only unlocked by entering the password.
- Every employee of the Processor is accordingly obliged to maintain confidentiality and to comply with data protection requirements upon commencement of his/her activities. A violation would result in termination without notice, as well as a criminal complaint. Affected clients would of course be informed of the incident in such a case.
- Separation rule
Measures to ensure that data collected for different purposes are processed separately and separated from other data and systems in such a way as to preclude the unplanned use of such data for other purposes.
Description of the separation control process:
- Separate processing of data collected for different purposes via an authorization concept
- a software-based customer separation and a separation of test and production systems.
- Transmission control
It is necessary to ensure that personal data cannot be read, copied, modified or removed without authorisation during electronic transmission or during their transport or storage on data carriers, and that it can be verified and established where the transfer of personal data by data transmission facilities is provided for.
Measures implemented by the Processor:
- The Processor transfers personal data exclusively electronically via encrypted data connections, so that it cannot be read, copied, modified or removed without authorization.
- An electronic transfer of personal data takes place exclusively within the scope of the ordering process, the retrieval of customer data in the event of service, within the dunning procedure, and for data protection of the customer environments.
- Data carriers that are no longer needed or defective are disposed of by a certified company.
- Availability control
Measures to ensure that personal data are protected against accidental destruction or loss.
Description of the availability control system:
Proper server hosting and data backup procedure.
II. Measures for encryption
Measures or processes in which a clearly legible text/information is converted into an illegible, i.e. not easily interpretable, string (secret text) by means of an encryption method (cryptosystem):
- Encrypted data transmission (encrypted Internet connections via TLS/SSL).
- Passwords are encrypted and are not interpretable or readable.
III. Measures to ensure data integrity
- Data integrity
Measures to ensure that stored personal data is not damaged by system malfunctions:
- Updates are pre-tested for their functionality.
- On the part of Mittwald GmbH & Co. KG, it is ensured that
- all data processing systems of the underlying data are protected from accidental loss or destruction as part of the resilience
- RAID systems, replacement hardware, surge protection, UPS systems, emergency generator, extinguishing gas system are in place
- at least one backup of the previous day is provided
- Transfer and transport control
Measures to ensure that it is possible to verify and determine where personal data may be transmitted or made available by means of data transmission facilities: data from the system is only transmitted over encrypted connections. Transport processes are the individual responsibility of the Processor's employees. Data from the system is transmitted over secured and/or encrypted connections.
- Access control
Measures to ensure that it is possible to verify and determine whether and by whom personal data has been entered into, modified in or removed from computer systems.
Description of the input control process: The activities in the e-learning management system are stored, logged and archived for the duration of the Principal Contract.
IV. Measures to ensure availability and resilience
- Data recovery
Measures to ensure that personal data is protected against accidental destruction or loss:
Description of the availability control system: The data of the e-learning management system are stored on servers of Mittwald CM Service GmbH & Co. KG in Germany and secured via the data center.
- Rapid recoverability
Measures to ensure the ability to quickly restore the availability and access to personal data in the event of a physical or technical incident
Description of the measures of rapid recoverability: The data of the e-learning management system are stored on servers of Mittwald CM Service GmbH & Co. KG in Germany and secured via the data center. In particular, data backups are created on a regular basis, which can be applied if required. IT contingency plans and restart plans have been developed.
- Availability of data
Measures to ensure that all functions of the system are available and malfunctions are reported:
Description of reliability measures: The Processor has set up processes to address the malfunctions reported by the Controller or employees. These processes are regularly evaluated and adjusted as needed.
V. Measures for the regular evaluation of the security of data processing
Measures to ensure data protection-compliant and secure processing.
Description of verification procedures: The Processor has implemented a data protection management, which is regularly reviewed. In the event of data protection incidents, they are mapped in formalized processes.
VI. Measures for pseudonymisation
The Processor has set up processes that reduce the immediate personal reference during processing in such a way that it is only possible to assign to a specific data subject by using additional information. This additional information shall be kept separate from the pseudonym by appropriate technical and organisational measures.