General terms and conditions of business

11. Order processing contract In accordance with Art. 28 Para. 3 Sentence 1 GDPR – hereinafter referred to as the AV contract – between (the) DIt Deutsche Informationstechnologie EK Sternstrasse 35 in 60318 Frankfurt am Main – hereinafter referred to as the client – and (the) client – hereinafter referred to as contractor –– contractor and client are also referred to below as contracting parties. – Subject of the order, data categories, data subjects, type, scope and purpose of the processing (Art. 28 Para. 3, 30 Para. 2 GDPR) The subject of the AV contract, the personal data processed within the scope of the order (Art. 4 No . 1 GDPR; hereinafter referred to as “data”), the persons affected by the processing (hereinafter referred to as “data subjects”) as well as the type, scope and purposes of the processing are determined by the following legal relationship(s) between the contractual parties (hereinafter referred to as the main contract ):Contract dated February 11, 2022The contracting parties work together on the basis of individual orders that the client places with the contractor or within the framework of individual contracts that the client concludes with the contractor. The provisions of this AV contract take precedence over the main contract .Type of data:Inventory data (e.g., names, addresses).Contact data (e.g., email, telephone numbers).Content data (e.g., text entries, photographs, videos).Contract data (e.g., subject matter of the contract, term).Payment data (e.g., bank details , payment history).Usage data (e.g., interests, websites visited, purchasing behavior, access times, log data).Meta/communication data (e.g., device IDs, IP addresses, location data).Employee master data (e.g., names, addresses, pay group, tax characteristics) .Applicant data (e.g. names, contact details, qualifications, application documents).Processing of special categories of data (Art. 9 Paragraph 1 GDPR): No special categories of data are processed. In principle, no special categories of data are processed, unless these are submitted for processing by the client/his customers, users or employees, etc. The following special ones are used Categories of data processed:Categories of those affectedCustomers / interested parties / users of the client.Employees of the client.Suppliers of the client.< Free input >.Purpose of processing:Storage space (web hosting).Software as a Service services (computing capacities, databases, software) .Telecommunications services (e-mails).Registration of domains.Software and design development/consulting or maintenance.Server administration/hardware maintenance.Data analysis/consulting services.Advertising/marketing.Responsibility and right to issue instructionsThe client is the responsible party in accordance with Article 4 No. 7 GDPR for compliance with data protection regulations, in particular for the selection of the contractor, responsible for the data transmitted to them and the instructions given (Art. 28 para. 3 lit. a, 29 and 32 para. 4 GDPR). The contractor may only process data within the framework of the main contract and the instructions of the client (which in particular also applies to whose rectification, deletion or restriction of processing applies) and only to the extent that the processing is necessary for this purpose, unless the contractor is obliged to process it by Union or Member State law to which the contractor is subject; In such a case, the contractor will inform the client of these legal requirements before processing, unless the law in question prohibits such communication due to an important public interest (Article 28 (3) sentence 2 lit. a GDPR). The client has the right to issue additional instructions at any time with regard to the processing of data and security measures. If the contractor is of the opinion that an instruction from the client violates applicable data protection law, it will immediately inform the client of this. In this case, the contractor is entitled to suspend the execution of the instructions until the instructions are confirmed by the client and to reject them in the case of obviously illegal instructions. If additional instructions from the client go beyond the contractor’s obligation to perform under the main contract and are not based on misconduct of the contractor, then the client must reimburse the contractor separately for the resulting additional effort. The contracting parties can name persons authorized to issue and receive instructions (particularly if these do not already arise from the main contract) and are obliged to notify them of any changes immediately. Security concept and related obligationsThe contractor will design the internal organization in his area of ​​responsibility in accordance with the legal requirements and will in particular take technical and organizational measures (hereinafter referred to as “TOMs”) to adequately secure, in particular the confidentiality, integrity and availability of the client’s data the state of the technology, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and severity of the risk for the rights and freedoms of those affected and ensure their maintenance (Art. 28 Paragraph 3 and 32 – 39 in conjunction with Art 5 GDPR). The TOMs include, in particular, access control, access control, access control, forwarding control, input control, order control, availability control, separation control and securing the rights of those affected. The TOMs on which this AV contract is based can be found in Appendix 1 “Security Concept”. They may be further developed in line with technical progress and replaced by adequate protective measures, provided that they do not fall short of the security level of the specified measures and that any significant changes are communicated to the client. The contractor ensures that the persons authorized to process the client’s data adhere to confidentiality and confidentiality (Art. 28 para. 3 sentence 2 lit. b and 29, 32 para. 4 GDPR) are obliged and have been instructed in the protective provisions of the GDPR or are subject to an appropriate legal obligation of confidentiality. The data and data carriers provided within the framework of the AV contract and all copies made thereof remain the property of the client, must be carefully stored by the contractor, protected from access by unauthorized third parties and may only be destroyed with the consent of the client and then only in accordance with data protection regulations. Copies of data may only be created if they are necessary to fulfill the contractor’s main and secondary obligations to the contractor (e.g. backups). If specified by the GDPR or supplementary, especially national, regulations, the contractor will name a legal one Data protection officer(s) corresponding to the requirements and informs the client accordingly (Articles 37 to 39 GDPR). Data protection officer of the contractor: Obligations to provide information and obligations to cooperate The rights of those affected must be exercised towards the client, whereby the contractor informs the client in accordance with Article 28 Paragraph 3 Sentence 2 Letter e. DSGVO and in particular informs him about the inquiries he receives from those affected. The client must inform the contractor immediately and completely if there are errors or irregularities with regard to the processing of the data with regard to compliance with the provisions of this AV contract or relevant ones data protection regulations. In the event that the contractor discovers facts that give rise to the assumption that the protection of the data processed for the client has been violated, the contractor must inform the client immediately and completely, immediately take the necessary protective measures, and to support the fulfillment of the obligations incumbent on the client in accordance with Articles 33 and 34 of the GDPR. Should the security of the client’s data be endangered by measures taken by third parties (e.g. creditors, authorities, courts, etc.) (garnishment, confiscation, insolvency proceedings, etc. ) the contractor will immediately inform the third parties that the sovereignty and ownership of the data lies exclusively with the client and, after consultation with the client, will, if necessary, take appropriate protective measures (e.g. submit objections, applications, etc.). The contractor will inform the client immediately if a supervisory authority takes action against the contractor and whose activities may affect the data processed for the contractor. The contractor supports the client in carrying out his obligations (in particular to provide information and to tolerate controls) towards supervisory authorities (Art. 31 GDPR). The contractor provides the client with information regarding the processing of data within the scope of this AV contract, which is necessary for it Fulfillment of legal obligations (which may include, in particular, inquiries from those affected or authorities and compliance with his accountability obligations in accordance with Art. 5 Para. 2 GDPR, as well as the implementation of a data protection impact assessment in accordance with Art. 35 GDPR) are necessary, unless the client cannot obtain this information himself. The information must be available to the contractor and does not have to be obtained from third parties, whereby the client’s employees, agents and subcontractors are not considered third parties. If the provision of the necessary information and cooperation goes beyond the contractor’s obligation to perform under the main contract and is not based on this In the event of misconduct by the contractor, the client must reimburse the contractor separately for the resulting additional effort. Control powers The client has the right to monitor the contractor’s compliance with the legal requirements and the regulations of this AV contract, in particular the TOMs, at any time to the extent necessary ( Art. 28 Para. 3 lit. h GDPR).On-site inspections are carried out within normal business hours, must be reported by the client with a reasonable period of notice (at least 14 days, except in emergencies) and supported by the contractor (e.g. by providing Personnel).The controls are limited to the necessary framework and must take into account the contractor’s trade and business secrets as well as the protection of personal data of third parties (e.g. other customers or employees of the contractor). Only qualified persons who can identify themselves and are obliged to maintain confidentiality with regard to the contractor’s operational and business secrets as well as processes and third-party personal data are permitted to carry out the inspection. Instead of inspections and on-site inspections, the contractor may refer the client to an equivalent control by independent third parties (e.g. neutral data protection auditors), compliance with approved rules of conduct (Art. 40 GDPR) or suitable data protection or IT security certifications in accordance with Art. 42 GDPR. This applies in particular if the contractor’s operational and business secrets or personal data of third parties would be endangered by the controls. If the client’s tolerance and cooperation in the inspections or appropriate alternative measures go beyond the contractor’s obligation to perform under the main contract and are not based on misconduct on the part of the contractor, then the client must reimburse the contractor separately for the resulting additional effort If the Contractor uses the services of a sub-processor (i.e. subcontractor or subcontractor) to carry out certain processing activities on behalf of the Client, then the Contractor must provide to the Sub-processor, by means of a contract or other legal instrument permitted by the GDPR, the same data protection obligations to which the Contractor undertakes in this DPA contract (particularly with regard to following instructions, complying with the TOMs, providing information and tolerating controls). Furthermore, the contractor must carefully select the sub-processor, check their reliability and monitor them as well as their compliance with the contractual and legal requirements (Art. 28 Para. 2 and 4 GDPR). The client declares that they are without prejudice to any restrictions imposed by the Main contract expressly agrees that the contractor may use sub-processors as part of the order processing. The sub-contract relationships that already existed at the time of conclusion of this AV contract are stated by the contractor in Appendix 2 “Sub-contract relationships” and are deemed to be approved by the contractor. The contractor informs the client in With regard to changes to the sub-processors that are relevant for order processing. The client only exercises his right to object to the changes or new sub-processors in compliance with the principles of good faith and fairness and fairness. Contractual relationships in which the contractor uses the services of third parties as a purely ancillary service in order to fulfill his obligations Carrying out business activities (e.g. cleaning, security or transport services) does not constitute subcontracted processing within the meaning of the above provisions of this AV contract. However, the processor must ensure, for example through contractual agreements or notices and instructions, that the security of the data is ensured is not endangered and the requirements of this AV contract and the data protection regulations are adhered to.Processing in third countriesThe contractually agreed data processing is carried out exclusively in a member state of the European Union or in another contracting state to the Agreement on the European Economic Area (EEA).The order processing in a third country, including through sub-processors, requires the prior consent of the client and may only take place if the special requirements of Article 44 ff. GDPR are met, unless the contractor is obliged to process the data in a third country by the law of the Union or the Member States to which the contractor is subject ; In such a case, the contractor will inform the client of these legal requirements before processing, provided that the law in question does not prohibit such communication due to important public interest (Art. 28 para. 3 sentence 2 lit. a GDPR). The consent of the of the client for processing in a third country, is deemed to have been granted with regard to the processing specified in Annex 2 “Subcontract relationships”. Duration of the order, contract termination and data deletion This AV contract becomes valid upon its conclusion, is concluded for an indefinite period of time and ends at the latest with the term of the contract Main contract. The right to extraordinary termination is reserved by the contracting parties, particularly in the event of a serious breach of the provisions of this AV contract and applicable data protection law. The extraordinary termination must generally be preceded by a warning of the violations with a reasonable period of time, although this is not necessary if it is not expected that the complained violations will be remedied or if they are so serious that it is not possible to adhere to the AV contract of the terminating contracting party is reasonable.After completion of the provision of the processing services within the scope of this AV contract, the contractor will, at his discretion, receive all personal data and their copies (as well as all documents, processing and usage results and data sets that came into his possession in connection with the contractual relationship). of the client either delete or return it, unless there is an obligation to store the personal data under Union law or the law of the Member States (Art. 28 para. 1 sentence 2 lit. g GDPR). The objection of a right of retention is excluded with regard to the processed data and the associated data carriers. With regard to deletion or return, the client’s rights to information, proof and control apply in accordance with this AV contract. Otherwise, the obligations from this AV contract with regard to the data processed in the order remain in effect even after termination of the AV contract .If the deletion or return of the data goes beyond the contractor’s obligation to perform under the main contract and is not based on misconduct on the part of the contractor, then the client must reimburse the contractor separately for the resulting additional effort. Remuneration According to this AV contract The agreed remuneration also includes compensation for the working hours of the staff employed by the contractor as well as necessary expenses (e.g travel or material costs). If possible, foreseeable and reasonable, the contractor will inform the client of the amount of the remuneration by means of an appropriate estimate. The amount of the remuneration is determined according to the main contract. If the main contract does not contain any remuneration regulations relevant to the AV contract or correspondingly applicable rates for services, the usual rates of the contractor apply, or if these cannot be determined, the rates customary in the industry apply. Liability for compensation for damages suffered by a person affected due to a If the data processing or use in the context of order processing is inadmissible or incorrect according to data protection laws, the client alone is responsible for the data subject in relation to the contractor. The contracting parties release themselves from liability if one of the contracting parties proves that they are responsible for the circumstance through which the damage occurred to a person affected, is in no way responsible. Final provisions, ranking, changes, form of communication, choice of law, place of jurisdiction. Changes, additional agreements and additions to this AV contract and its appendices require a written agreement and the express reference to the fact that it This is a change or addition to this AV contract. This also applies to the waiver of this formal requirement. This AV contract only obliges the contractor to the extent that this is necessary to fulfill the legal obligations, in particular according to Art. 28 ff. GDPR, and does not impose any further obligations on the contractor. Subject to an obligation to use written form in this AV contract and in the main contract, communication between the contractor and client within the framework of this AV contract (particularly with regard to instructions and the provision of information) takes place at least in text form (eg email). A lesser form (eg oral) may be permissible instead of text form depending on the circumstances (eg in an emergency situation), but must be confirmed immediately at least in text form. If the written form is required, the written form is meant within the meaning of the GDPR. The law of the Federal Republic of Germany applies. The exclusive place of jurisdiction for all disputes arising from or in connection with this AV contract is the registered office of the contractor, provided that the client is a merchant, a legal entity under public law or a special fund under public law or the client does not have a place of jurisdiction in the Federal Republic of Germany. The contractor reserves the right to assert his claims at the legal place of jurisdiction.Order to process personal dataAppendix 1 – Security conceptTechnical and organizational measures in accordance with Art. 32 GDPRBasic measures to protect the rights of those affected, immediate response in emergencies,serve the specifications of technology design and data protection at employee level: There is an internal data protection management system, compliance with which is constantly monitored and evaluated on an event-related basis and at least every six months. There is a concept that ensures the protection of the rights of those affected (information, correction, deletion or restriction of processing, data transfer, revocations & objections) within the legal deadlines. It includes forms, instructions and implemented implementation procedures as well as the designation of the persons responsible for implementation. There is a concept that ensures an immediate response to breaches of personal data protection (checking, documentation, reporting) in accordance with legal requirements. It includes forms, instructions and implemented implementation procedures as well as the designation of the persons responsible for implementation. The protection of personal data is carried out taking into account the state of the art, the implementation costs and the type, scope, circumstances and purposes of the processing as well as the different probability of occurrence and The seriousness of the risks associated with processing for the rights and freedoms of natural persons is taken into account during the development or selection of hardware, software and procedures, in accordance with the principle of data protection through technical design and through data protection-friendly default settings (Art. 25 GDPR).The used Software is always kept up to date, as are virus scanners and firewalls. Employees are obliged to maintain confidentiality with regard to data protection, are informed and instructed, and are also made aware of possible liability consequences. If employees work outside company premises or use private devices for company activities, there are special regulations to protect data in these situations and to secure the rights of clients of order processing. The keys, access cards or codes issued to employees as well as with regard to the processing of personal data Authorizations granted to data will be confiscated or revoked after they leave the company or change responsibilities. The cleaning staff, security guards and other service providers who are used to carry out non-business tasks are carefully selected and it is ensured that they observe protection of personal data.Access controlSecurity locks.Access regulations for non-company personsChip card/transponder locking system.Window security.Video surveillance.Supervision of assistants.Access control / access controlFirewalls (hardware/software).Always up-to-date virus protection.Always up-to-date software versions.

12. We also carefully exclude any liability for warnings. No matter what form they express themselves in. We do not guarantee any legal certainty about the technologies used and are not liable for their processing of personal data. As explained in the data protection declaration, you can find the information provided by the providers on their website.

If you have commissioned us to implement the data protection text and the cookies policy, we have drawn it up with the greatest care and checked it using effective control measures. However, we expressly exclude any warranty for the data protection text and the cookies policy product. The data protection text and cookies policy product is provided to the client “as is”, without warranty of any kind, either express or implied. The entire risk arising from the performance of the data protection text and the cookies policy remains with the client.

We do not guarantee that the data protection text and the cookies policy will meet the requirements and purposes of the client or that it will work together with other data protection text and the cookies policy or hosting that he has selected.

13.

Additional disclaimer:

We exclude any liability for third-party services, plugins, themes, shop systems, registration forms, SEO tools, payment services, booking systems, ordering systems, email relocation, domains, SSL and the WordPress core. The functionality of these elements is the responsibility of the provider. If failures, deletion, malfunctions or settings occur, we are not liable for any damage that may arise.

Our trademark is protected by both copyright and other intellectual property laws and agreements.

It is expressly forbidden to change our brand in any way.

Terms and conditions as of February 1, 2023