ELATEC PDC Pass Deployment Center Terms of Use (Last updated 06/08/2021)

Section 1 – Contract

• This agreement sets out the terms of use of the ELATEC PDC Pass Deployment Center (referred to hereinafter as “ELATEC PDC”) as well as the creation, use and management of near-field communication/NFC-enabled passes by the customer for its users between ELATEC GmbH, Zeppelinstr. 1, 82178 Puchheim, Germany (referred to hereinafter as “ELATEC”) and the customer.
• ELATEC is authorized by APPLE and GOOGLE to enable customers to create, use and manage NFC-enabled passes for their users in APPLE Wallet and GOOGLE Pay. The PDC is a cloud-based operations and control center for creating, using and managing near-field communication/NFC-enabled passes for Apple Wallet and Google Pay on the customer’s part, without requiring the respective customer’s individual users to install and use special apps on their cell phones.
• None of the provisions of these terms of use should be understood or interpreted as establishing a direct contractual relationship on the part of customers or their end users with APPLE or GOOGLE or any responsibility, obligation or liability on the part of APPLE or GOOGLE towards the customers or their end users.
• Customers are exclusively entrepreneurs under the terms of Section 14 of the German Civil Code. In addition to end customers (along with direct customers) that create passes for their users, customers also include resellers, insofar as these use, distribute and market the ELATEC PDC. These terms of use therefore apply to resellers, end customers and direct customers. The resellers, for their part, are bound by the obligations arising from these terms of use when selling and marketing the ELATEC PDC and must inform their own customers (sub-resellers and end customers) of the obligations arising from these terms of use when using the ELATEC PDC and of the contractually, legally and officially permissible purposes of use. While the term end customer also includes the customers of resellers, direct customers refer, in the context of these terms, to customers that use the ELATEC PDC directly via ELATEC, without the involvement of a reseller.
• By agreeing to these terms of use (at the latest when using the ELATEC PDC), each customer agrees to the validity of these terms of use; this does not apply unless expressly agreed otherwise by written agreement between ELATEC and the customer. ELATEC does not recognize any customers’ deviating or conflicting terms of use unless it has expressly agreed to them.
• There are no verbal or written side agreements to these terms of use. Any modifications to these terms of use must be made in writing. This also applies to the modification of this written form clause. However, the qualified written form clause does not apply to the processing contract attached to these terms of use as an annex.
• The only relevant language for this agreement is German. Translations into other languages are for customers’ information only. If there are contradictions between the German text and a translation, the German text always takes precedence. Only the German text is decisive for interpreting individual clauses set out in these terms of use.
• ELATEC is entitled to modify individual clauses set out in these terms of use with due consideration of the customers’ interests; this does not apply to contractual terms that are essential for achieving the purpose of the contract from the customer’s point of view and on whose continuation the customer may reasonably rely. ELATEC shall notify the customer of any modifications or amendments in text form no later than four weeks before they take effect. If the customer does not agree with the modifications or amendments to the terms of use, they can object to the modifications with a notice period of one week to the date on which the modifications or amendments are intended to take effect. The objection must be made in text form. If the customer objects, ELATEC’s terms of use valid until this point in time shall continue to apply. In this case, ELATEC shall have a special right of termination. If the customer does not object, they shall be deemed to have approved the modifications and amendments to the terms of use. ELATEC shall specifically draw the customer’s attention to the intended significance of their conduct with the notification of the modifications and amendments to the terms of use.

Section 2 – Use of the ELATEC PDC

• ELATEC, authorized resellers and sub-resellers shall grant authorized customers non-exclusive and non-transferable usage rights limited in terms of time, locality and content to the respective latest version of the ELATEC PDC via the internet using browser access to create, use and manage NFC-enabled passes for APPLE Wallet and GOOGLE Pay for their users within the scope permissible under these terms of use. If a corresponding license agreement for the ELATEC PDC exists with ELATEC, an authorized reseller or sub-reseller, a customer is entitled to create, use and manage NFC-enabled passes.
• The right of use is limited to varying degrees in terms of time, locality and content for APPLE Wallet and GOOGLE Pay. Any use of the ELATEC PDC for purposes outside of this limitation constitutes a serious violation of these terms of use.
  1. Limitation as regards content to approved applications: ELATEC publishes APPLE Wallet and GOOGLE Pay-specific approved application scenarios for the use of the ELATEC PDC on the following web page: https://pdc.elatec.com/approved_cases_n_regions. The creation, use and management of NFC-enabled passes for APPLE Wallet and GOOGLE Pay is only permitted for these approved application scenarios. Where a customer intends to use NFC-enabled passes in conjunction with or in relation to other application scenarios not approved on this web page, such applications always require the prior written consent of ELATEC. ELATEC performs a general update for the list of approved application scenarios from time to time to include any newly approved application scenarios.
  2. Geographical limitation to approved contractual regions: ELATEC publishes an APPLE Wallet and GOOGLE Pay-specific list of approved contractual regions for the use of the ELATEC PDC on the following web page: https://pdc.elatec.com/approved_cases_n_regions. The creation, use and management of NFC-enabled passes for APPLE Wallet and GOOGLE Pay is only permitted for these approved contractual regions. Where a customer intends to use NFC-enabled passes in conjunction with or in relation to other contractual regions not approved on this web page, new contractual regions always require the prior written consent of ELATEC. ELATEC performs a general update for the list of approved contractual regions from time to time to include any newly approved contractual regions.
  3. Limitation in terms of time: The right to use the ELATEC PDC and to create, use and manage NFC-enabled passes is limited in terms of time and exists as long as the customer holds a corresponding license agreement. On expiry or any other termination of the respective license agreement, the customer’s right of use will expire.
• The parties agree on the router output interface of the data center that ELATEC uses to the internet as the transfer point for ELATEC’s services. ELATEC is entitled to redefine the transfer point if doing so is necessary to enable the customer to use the services smoothly. ELATEC does not owe the establishment and maintenance of the data connection between the customer’s IT system and the transfer point that ELATEC operates on the one hand and between the customer’s user and the transfer point that ELATEC operates on the other.
• Software is not physically transferred to the customer. All patent rights and copyrights, as well as other (industrial) property rights, trade secrets and know-how – whether known or not, whether subject to registration or registrable or not, and whether recognized in whatever legal system – that are used in connection with the performance of the contract and will arise in the future for use of the ELATEC PDC – shall be the exclusive property of ELATEC. No technology, (industrial) property rights or know-how belonging to ELATEC will be transferred or assigned to customers.
• ELATEC may update and further develop the ELATEC PDC software at any time and, in particular, adapt it freely at its own discretion due to a changed legal situation or technical developments, or to improve IT security. ELATEC will be entitled to do this particularly in cases where there is a need to subject the software to adjustments or further developments due to changes to services, interfaces, other components or the APPLE or GOOGLE NFC solution. ELATEC shall give due consideration to the customer’s justified interests.
• ELATEC shall implement state-of-the-art measures to protect the data. However, ELATEC shall not be subject to any custody or safekeeping obligations with regard to any data belonging to the customer and their users. The customer is responsible for adequate data backup. The customer shall be solely responsible for compliance with any obligations and retention periods under commercial and tax law.
• ELATEC shall set up a support service for customers for inquiries concerning the software’s functions. Inquiries can be made using the support hotline indicated on the ELATEC website at the times indicated there or by email. Requests shall be processed during ELATEC’s normal business hours, except on Sundays and public holidays, in each case at ELATEC’s registered office, in the chronological order that they are received in.
• The customer shall inform itself about the essential functional features, characteristics and specifications, as well as the legally, officially and contractually permissible purposes of use of the ELATEC PDC. The customer bears the risk of whether the ELATEC PDC will meet its needs and whether or not it is suitable for its intended purposes relating to the creation, use and management of NFC-enabled passes.
• The customer consents to the provision of NFC passes, at the discretion of ELATEC and in consultation with the customer, directly to users via email, SMS, text messages, websites, storefronts with retail brands, QR codes or other applications and digital distribution methods when using the ELATEC PDC.
• ELATEC reserves the right to adjust in terms of content or scope, suspend or change individual or all functions of the services of the ELATEC PDC for the creation, use and management of NFC-enabled passes for any given duration and any contractual region, regardless of whether this relates to software, hardware or a part of the ELATEC PDC insofar as APPLE or GOOGLE adjusts, suspends or changes the services required for the operation of the ELATEC PDC and the creation, use and management of NFC-enabled passes. ELATEC will notify customers immediately on becoming aware of any disruption, suspension or change to the system by APPLE or GOOGLE.
• For the purposes of invoicing, ELATEC is entitled to keep a detailed list of all customers registered in the ELATEC PDC and to forward this for the purposes of fulfilling existing contracts with APPLE and GOOGLE and for the purposes of invoicing.

Section 3 – The customer’s obligations

• The customer is obligated to provide their identification and contact details in the ELATEC PDC correctly and completely, and to keep them up-to-date at all times.
• If the customer transmits industrial property rights, specifically brands, logos and other know-how or data and contents to ELATEC when using the ELATEC PDC, ELATEC does not acquire any rights of ownership to the same. The customer grants ELATEC and, where necessary, APPLE and Google perpetual, irrevocable, worldwide, royalty-free, sub-licensable and non-exclusive rights to use, exploit, process, display, publish, communicate, transmit and host the same, to the extent and for as long as necessary to use the ELATEC PDC and to create, use and manage NFC-enabled passes for Apple Wallet and Google Pay. ELATEC is entitled to transfer the above-mentioned rights to APPLE and GOOGLE where this is necessary for the creation, use and management of NFC-enabled passes.
• Each customer must ensure that they observe all third-party rights to data, industrial property rights and any other content they use and that they are entitled to use and exploit these. Each customer shall obligate their users to comply with these terms of use on their part. Each customer is responsible for ensuring that user data and information is used in accordance with the applicable law, specifically data protection legislation and the right to protection of the privacy of users. ELATEC is entitled to demand proof of this from each customer.
• The customer is obligated to cease from using the ELATEC PDC in any way that violates applicable law (laws, orders, directives and other requirements), court rulings and official orders in the respective contractual region, these terms of use, third-party rights or agreements with third parties. Each customer is independently responsible for ensuring that the ELATEC PDC and the creation, use and management of NFC-enabled passes for Apple Wallet and Google Pay are not used by the customer themselves or by individual users:
  1. for racist, discriminatory, defamatory, insulting, slanderous, harassing, other threatening, stalking, pornographic, minor-endangering, competition-restricting or other inappropriate purposes;
  2. for illegal gambling, unfair or harassing marketing and purposes that promote commercial messages;
  3. for purposes that infringe third-party copyrights and industrial property rights;
  4. for other dangerous or violent, politically extreme and terrorist purposes;
  5. for purposes that are otherwise unlawful, contrary to official rules and regulations or requirements, as well as contrary to good morals and the principles of good faith;
  6. with the intention of introducing viruses, worms, defects, Trojan horses, backdoors, malware or other elements of a destructive nature into the ELATEC PDC and Apple and Google services;
  7. with the intention of reverse-engineering or attempting to extract the source code of ELATEC, APPLE or GOOGLE software and interfaces, insofar as not expressly permitted by law;
  8. for activities where the use or failure of the services could result in death, personal injury, harm to health and physical integrity or environmental damage (e.g. operation of nuclear facilities, air traffic control or life support systems);
  9. to process or store data that is subject to national and international regulations on trade in arms;
  10. with the intention of removing, obscuring or altering any terms of use, notices, links or other information, as well as any copyright, trademark or other proprietary notices belonging to ELATEC, Apple or Google;
  11. without ELATEC’s prior written consent for purposes or in a manner that involves the transmission of protected health data.
  12. In particular, any use of the ELATEC PDC contrary to the GOOGLE PAY APIs ACCEPTABLE USE POLICY (available at: https://payments.developers.google.com/terms/aup), as amended, shall be prohibited. The customer is independently responsible for compliance with the GOOGLE PAY APIs ACCEPTABLE USE POLICY.
• ELATEC is entitled to monitor the lawful use of the ELATEC PDC by means of technical measures and personal inspection on the customer’s premises. If a customer or one of their users violates essential legal, judicial or official obligations or obligations assumed in these terms of use, ELATEC shall be entitled to block use of the ELATEC PDC with respect to the customer and/or the user. ELATEC is already entitled to this right without prior notice if there is justified suspicion of infringement of rights. In this case, ELATEC must inform the customer immediately of the block and the grounds for the same and lift the block as soon as the suspicion is invalidated. If the customer violates their obligations arising from these terms of use, ELATEC shall be entitled to delete the data or application data affected thereby. In the event of unlawful infringement by a third party, the customer shall, upon request, immediately provide ELATEC with all the information required to assert claims against the third party, particularly the third party’s name and address.
• ELATEC is entitled to review, approve or reject passes provided by customers to their users or already in use by the same at any time during the term of this agreement. Each customer agrees to provide any such pass to ELATEC immediately on request. Customers are forbidden from concealing or misrepresenting the attributes, content, services or functions of a pass before review by ELATEC or in any way obstructing ELATEC from checking a pass. Each customer is obliged to assist ELATEC in the review of passes and to grant it all information necessary for the review.
• The customer and their users shall protect any access credentials (such as passwords, keys and client IDs) from third-party access and keep them safe using state-of-the-art measures. Each customer shall ensure (also and particularly together with and vis-à-vis their users) that any use of the ELATEC PDC and the creation, use and management of NFC-enabled passes, cards and tickets for Apple Wallet and Google Pay only takes place to the contractually agreed extent. ELATEC must be informed immediately of any unauthorized access.
• End customers can and may only include those who possess and have implemented the infrastructure necessary to create, use and manage NFC-enabled passes or those who have contractually undertaken before using the ELATEC PDC to purchase and implement a corresponding infrastructure that supports the use of NFC-enabled passes.
• Use of the ELATEC PDC depends on the hardware and software, etc., that the customer is using and which will be meeting the technical requirements for use of the ELATEC PDC and the customer and the users authorized by the customer to use the ELATEC PDC being familiar with how to use the software. ELATEC is not responsible for the condition of the necessary system requirements concerning hardware and software on the customer’s part, operation of the ELATEC PDC and use by the users.
• Each NFC pass will feature the brand and/or the logo of the customer and contain and/or refer to the privacy statement of the customer and its end user terms associated with this NFC pass. The customer is under obligation, insofar as required by the law and legislation in the respective country, to store its privacy statement and its end user terms for its users in the ELATEC PDC. The customer must also ensure in the ELATEC PDC that all NFC passes contain the necessary notices and information for users as defined under the respective applicable legislation and applicable law.

Section 4 – Warranty

• Subject to express warranties and other provisions set out in these terms of use, ELATEC warrants the functionality and availability of the ELATEC PDC for the duration of the contractual relationship.
• The customer shall notify ELATEC of any defects without delay.
• The warranty for only insignificant reductions and impairments of the service’s suitability is excluded. Any strict liability for defects that already existed at the time the contract was concluded is excluded.
• ELATEC assumes no warranty or liability for the operation, infrastructure and functional scope of the API interfaces granted and maintained by Apple or Google, which are required for the creation, use and management of NFC-enabled passes for Apple Wallet and Google Pay by the customer and their users.
• The customer is informed that both Apple and Google do not make any promises and do not give any guarantee as to the contents, the specific functions and the availability of the infrastructure, hardware and software and, in particular, the interfaces necessary for use of the ELATEC PDC. For this reason, ELATEC also assumes no warranty and no liability for modifications made by Apple or Google, which change, impair or completely exclude use of the ELATEC PDC and the ability to create, use and manage NFC-enabled passes.
• The customer is informed that APPLE and GOOGLE are entitled to discontinue, restrict and change the creation, use and management of NFC-enabled passes in individual cases and to revoke individual passes for any reason whatsoever at their own discretion at any time and to refuse the transfer of these to users. The customer acknowledges and agrees that passes may not and cannot be transferred to users in such cases. The customer shall support ELATEC free of charge in any necessary error analysis and defect rectification processes, particularly by specifically describing any problems that occur and by providing ELATEC with comprehensive information about them.

Section 5 - Liability and Indemnification

• ELATEC shall be liable without limitation in the event of intent or gross negligence, for injury to life and limb or harm to health, pursuant to the provisions set out in the German Product Liability Act and to the extent of any guarantee assumed by ELATEC.
• In the event of a slightly negligent breach of an obligation that is essential for the achievement of the purpose of the contract (i.e. an obligation, the fulfillment of which makes the proper execution of the contract possible in the first place, or the breach of which jeopardizes the achievement of the purpose of the contract, and on the observance of which the other Party may regularly rely), ELATEC’s liability shall be limited in amount to the damage that is foreseeable and typical according to the nature of the transaction in question.
• In the event of a slightly negligent breach of an obligation, ELATEC shall not be liable for indirect damage and for consequential damage (particularly not for pure economic loss, lost profits, reduction in goodwill and similar damage).
• ELATEC shall have no further liability.
• This limitation of liability shall also apply in favor of ELATEC’s employees, representatives and bodies. 
• ELATEC assumes no liability for the function, operation and use of the ELATEC PDC and the creation, use and management of NFC-enabled passes for Apple Wallet and Google Pay in connection with and in interaction with third-party providers, such as third-party apps.
• Each customer is under obligation to indemnify ELATEC, its affiliated companies within the meaning of section 15 of the German Stock Corporation Act (AktG) and the shareholders, employees, executive staff and managing directors of ELATEC from any third-party claims and defend these against and bear liability for any damage associated with any use of the ELATEC PDC or creation, use or management of NFC-enabled passes for APPLE Wallet and GOOGLE Pay in breach of contract, the law or in a way which is otherwise unlawful by the customer and/or its users, unless the damage is attributable to a breach of obligation by ELATEC, its affiliated companies within the meaning of section 15 of the German Stock Corporation Act (AktG) and/or the shareholders, employees, executive staff and managing directors of ELATEC. This obligation of indemnification of ELATEC on the part of the customer applies in particular, but not limited to, to damage resulting from
  1. any unauthorized use of user data and information;
  2. copyright or other (property) right disputes caused by the customer relating to industrial property rights and/or competition law; or
  3. any use of the ELATEC PDC to create, use or manage NFC-enabled passes in breach of these terms of use, in particular against the content-related limitation to approved application scenarios, against the geographical limitation to approved contractual regions or against the time limitation.

Section 6 – Contractual term and termination

• The customer’s right of use may be temporarily or permanently suspended or terminated with immediate effect by ELATEC with written notice to the users if the customer violates its material obligations arising from this agreement or if a security breach occurs which entails considerable detrimental implications for the creation, use and management of NFC-enabled passes.
• ELATEC shall have a special right of termination set out in these terms of use at any time if Apple or Google terminates, suspends or restricts ELATEC’s right to create, use and manage NFC-enabled passes or cancels the interface required to operate the ELATEC PDC or discontinues, modifies or otherwise restricts the operation of the interfaces so that the creation, use and management of NFC-enabled passes for Apple and Google in the ELATEC PDC is impaired, impeded or excluded.
• Under no circumstances shall the special right of termination lead to any liability on ELATEC’s part or establish any other obligations to ELATEC’s detriment.
• ELATEC is entitled to delete all data belonging to the customers, the (sub-)resellers and the individual users remaining on its servers in a non-recoverable way six months after termination of the contractual relationship.

Section 7 – Data protection; confidentiality

• The parties shall observe the applicable data protection legislation and the principles of data security.
• If ELATEC gains access to personal data belonging to its direct customer or a reseller in the context of providing services and processes personal data belonging to users on behalf of a direct customer or reseller (e.g. belonging to a customer’s employees), the direct customer or the reseller is the data controller under the GDPR. In this case, processing is performed as contract-based processing pursuant to Art. 28 of the GDPR. In this case, the processing agreement at the end of these terms of use shall apply and ELATEC shall process the relevant personal data solely pursuant to these provisions and pursuant to the customer’s instructions. By accepting these terms of use, the parties are already agreeing to the applicability of the processing agreement attached to these terms of use as an annex.
• The parties shall keep confidential all confidential information belong to ELATEC, APPLE and GOOGLE that has come to their knowledge in the context of use of the ELATEC PDC and the creation, use and management of NFC-enabled passes for Apple Wallet and Google Pay, and shall only use such information vis-à-vis third parties – for whatever purpose – with the prior written consent of the respective other contracting party. Confidential information is information expressly designated as confidential by the party providing the information and such information, the confidentiality of which is clearly evident from the circumstances of its disclosure, whether it is communicated in writing, electronically, embodied or verbally. No information is to be treated as confidential if the party receiving the information proves that the information (a) was known or generally accessible to it before the date of receipt; (b) was known or generally accessible to the public before the date of receipt; (c) became known or generally accessible to the public after the date of receipt without the party receiving the information being responsible for the same and without any violation of official orders; (d) must be disclosed due to contractual agreement, due to legal obligations or due to an order of a court or an authority; or (e) was developed by a party independently without using the other party’s trade secrets.

Section 8 – Final provisions

• Should any provision set out in these terms of use be or become invalid, or contain an impermissible deadline or a loophole, this shall not affect the legal validity of the remaining provisions. Insofar as the invalidity does not result from a violation of Section 305 et seqq. of the German Civil Code (concerning the validity of general terms and conditions), a valid provision that reflects as closely as possible the parties’ economic intentions shall be deemed to have been agreed in place of the invalid provision. The same shall apply in the event of a loophole. The legally permissible measure shall apply in the event of an impermissible deadline.
• These terms of use concluded between ELATEC, resellers, sub-resellers and the customers shall be governed by German substantive law to the exclusion of the provisions set out in international private law and the UN Convention on Contracts for the International Sale of Goods dated April 11, 1980.
• The exclusive place of jurisdiction for all disputes arising from or in connection with this contract shall be the court that has jurisdiction for ELATEC, unless a standard mandatorily orders a different place of jurisdiction. If ELATEC files a suit, it shall also be entitled to choose the place of jurisdiction at the customer’s registered office.

 

Processing contract pursuant to Art. 28 of the GDPR

concluded with ELATEC GmbH, Zeppelinstr. 1, 82178 Puchheim, represented by Robert Helgerth and Gerhard Burits – hereinafter referred to as “the Contractor” –

 

Section 1 – Subject matter and term of the contract

• The subject matter of the contract under the agreement is derived from the main contract as formulated by the ELATEC PDC Pass Deployment Center Terms of Use. The nature and purpose of personal data processing by the Contractor for the Client are specifically described in the main contract. Any relocation to a third country requires the Client’s prior consent and may only take place if the particular prerequisites set out in Art. 44 et seqq. of the GDPR are met. The subject matter of personal data processing operations are the types/categories of data that may become known to the Contractor in the context of service provision. End customers, customers and resellers are particularly, but not necessarily, affected by processing. The specific circumstances arise from the main contract. The contractually agreed data processing operations shall be provided exclusively in a member state of the European Union or in another state that is party to the Agreement on the European Economic Area.
• The term of this agreement corresponds to the term of the main contract. The opportunities for termination without notice remain unaffected.

Section 2 – Technical and organizational measures

• The Contractor shall establish security pursuant to Art. 28 (3) (c) and Art. 32 of the GDPR, particularly in connection with Art. 5 (1) and (2) of the GDPR. Overall, the measures to be taken are data security measures and are designed to ensure a level of protection appropriate to the risk in terms of confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of processing operations, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons under Article 32 (1) of the GDPR shall be taken into account.
• The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. In doing so, the security level of the defined measures must not fall below a certain level. Significant modifications shall be documented.
• The Client and the Processor agree that the defined TOMs were adequate within the meaning of the GDPR at the time the contract processing agreement was concluded. An up-to-date version of the TOMs are available at https://pdc.elatec.com/toms

Section 3 – Rectification, restriction and erasure of data

• The Contractor may not rectify, erase or restrict the processing of data processed under the contract on their own authority, but only pursuant to documented instructions from the Client. Insofar as a data subject contacts the Contractor directly in this regard, the Contractor shall forward this request to the Client without delay.
• Insofar as included in the scope of services, the erasure concept, the right to be forgotten, the right to rectification, the right to data portability and the right of access are to be ensured directly by the Contractor according to the Client’s documented instructions.
• No additional costs are incurred for minor requests. The Client shall compensate the Contractor for any additional expenses by paying an appropriate fee pursuant to the actual expenses that the Contractor incurs.

Section 4 – Quality assurance and the Contractor’s other obligations

In addition to compliance with the provisions set out in this contract, the Contractor shall have legal obligations pursuant to Arts. 28 to 33 of the GDPR; in this respect, the Contractor shall in particular ensure compliance with the following requirements:

• Written appointment of a data protection officer who carries out their activities pursuant to Arts. 38 and 39 of the GDPR. For the contact details of the data protection officer, visit https://pdc.elatec.com/dsb
• The maintenance of confidentiality pursuant to Art. 28 (3), sentence (2), (b), Art. 29 and Art. 32 (4) of the GDPR. When carrying out the work, the Contractor shall only use employees who have undertaken to maintain confidentiality and who have previously been familiarized with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may process such data only pursuant to the Client’s instructions, including the powers granted in this agreement, unless they are required by law to process such data.
• The implementation of and compliance with all technical and organizational measures required for this contract pursuant to Art. 28 (3), sentence (2), (c) and Art. 32 of the GDPR.
• The Client and the Contractor shall cooperate with the supervisory authority in the performance of their duties on request.
• The Client shall be immediately informed of supervisory actions and measures implemented by the supervisory authority, insofar as they relate to this contract. This shall also apply to the extent that a competent authority is investigating the Contractor in the context of administrative or criminal proceedings relating to personal data processing in the course of processing.
• The Contractor shall support the Client to the best of their ability insofar as the Client is exposed to supervision by the supervisory authority, administrative offense or criminal proceedings, a data subject’s or a third party’s liability claim or any other claim in connection with processing on the Contractor’s premises.
• The Contractor shall regularly monitor the internal processes and the technical and organizational measures to ensure that processing in their area of responsibility is carried out pursuant to the requirements set out in the applicable data protection legislation and that the protection of the data subject’s rights is guaranteed.
• Taking into account the nature of the processing operations and the information available to them, the Contractor shall assist the controller in complying with the obligations referred to in Arts. 32 to 36.

Section 5 – Subcontracting relationships

• Subcontracting relationships under this provision are those services that relate directly to the provision of the main service. A list of the other processors currently being used by the Contractor is available at https://pdc.elatec.com/avn The Client authorizes the Contractor to use the companies listed therein. The involvement or replacement of another data processor shall be deemed to have been approved if the Contractor has informed the Client of the same and if the Client does not raise any objections to this in writing or electronically within 3 months of receiving this information.
• If the additional processor does not comply with their data protection obligations, the Contractor shall be liable vis-à-vis the Client for compliance with the additional processor’s obligations.
• If the Contractor involves another processor in a third country (outside the EU/EEA), the processor shall in particular comply with the requirements pursuant to Art. 44 et seqq. of the GDPR. The Contractor shall provide sufficient guarantees that the appropriate technical and organizational measures are being implemented in such a way that processing is carried out pursuant to the requirements set out in the GDPR, enforceable rights and effective remedies are available to the data subjects, and transfers to a third country and safeguards are documented pursuant to Art. 30 (2) of the GDPR.

Section 6 – Audit

• The Client shall have the right to audit the Contractor’s compliance with the legal provisions on data protection and/or compliance with the contractual provisions agreed between the Parties and/or compliance with the Client’s instructions to the extent required. The need for this arises if the Processor has created concrete grounds for this. This shall be the case in particular where data privacy incidents or comparable cases of misconduct have occurred.
• Unless indicated otherwise for compelling grounds to be documented by the Client, auditing shall take place following reasonable advance notice and during the Contractor’s business hours, and not more frequently than every 12 months. Insofar as the Contractor provides evidence of the correct implementation of the agreed data protection obligations as provided for in this agreement, any auditing shall be limited to spot checks.
• The Contractor shall be obligated to provide the Client with information, insofar as doing so is necessary to carry out auditing under (1). (3) The Client may carry out auditing under (1) on the Contractor’s premises during normal business hours following prior notification with a reasonable notice period. The Client shall ensure that such audit is only carried out to the extent necessary, insofar as the Contractor’s operations are disrupted by auditing. The Client shall compensate the Contractor for any expenses it incurs by paying an appropriate fee pursuant to the actual expenses that the Contractor incurs.
• The Contractor shall have the right to object to the selection of third parties insofar as the third party is one of the Contractor’s competitors.
• If the supervisory authority takes measures vis-à-vis the Client under Section 38 of the German Federal Data Protection Act or (as of 05/25/2018) pursuant to Art. 58 of the GDPR in conjunction with Section 40 of the German Federal Data Protection Act, the Contractor is obligated to provide the necessary information to the Client particularly with respect to the information and auditing obligations.

Section 7 – The Client’s rights and obligations

The Client alone is responsible for assessing the permissibility of the commissioned processing and for safeguarding data subjects’ rights. The Client shall issue all orders, partial orders or instructions in documented form. The Client shall inform the Contractor without delay if it discovers errors or irregularities in examining the work results. The Client shall be entitled to monitor the Contractor’s compliance with the regulations on data protection and the contractual agreements to a reasonable extent itself or through third parties, as well as to request evidence of compliance with the obligations set out in this contract. The individuals entrusted with such monitoring shall be given access and insight by the Contractor insofar as is necessary. The Contractor is obligated to provide necessary information, demonstrate procedures and provide evidence required to carry out monitoring.

Section 8 – Liability

The Client and the Contractor shall be liable vis-à-vis data subjects pursuant to the rules set out in Art. 82 of the GDPR.

Section 9 – Termination

• Following termination of the contract, the Contractor shall either delete or return all documents, data and created processing or usage results that have come into their possession in connection with the contractual relationship, at the Client’s discretion, and delete the existing copies, unless there is an obligation to store the personal data under European Union or member state law. The erasure or block shall be documented in an appropriate manner.
• The Client has the right to monitor the complete and contractual return, erasure or blockage of the data on the Contractor’s premises. This can also be done by inspecting the data processing equipment on the Contractor’s premises. On-site monitoring shall be announced by the Client with reasonable notice and carried out in analogous application of the limits set out in Section 8.

Section 10 – Final provisions

• The law of the Federal Republic of Germany applies. The venue of jurisdiction for disputes arising from the processing contract is Munich.
• Should individual parts of this agreement be invalid, this shall not affect the validity of the remaining provisions of the contract.