Note: This English version is provided for convenience only. The legally binding version is the German version.
Agreement on Data Processing on Behalf pursuant to Art. 28 GDPR
Between
Processor:
Gunia UG (haftungsbeschränkt)
Haselhöfer Ring 9
30916 Isernhagen
Commercial Register Number: HRB 206637 (Hanover)
Controller:
The respective customer who uses the booking system of Gunia UG (haftungsbeschränkt) and has concluded a usage agreement with Gunia UG (haftungsbeschränkt) (hereinafter the “Controller”).
1. Introduction, Scope, Definitions
(1) This agreement governs the rights and obligations of the Controller and the Processor (hereinafter jointly the “Parties”) in the context of the processing of personal data on behalf of the Controller.
(2) This agreement applies to all activities and applications in which employees of the Processor or subcontractors engaged by the Processor process personal data of the Controller.
(3) Terms used in this agreement shall have the meaning assigned to them in the EU General Data Protection Regulation. Where declarations are required below to be made “in writing”, this means written form within the meaning of § 126 BGB. Otherwise, declarations may also be made in other forms insofar as appropriate verifiability is ensured.
2. Subject Matter and Duration of the Processing
2.1 Subject Matter
The subject matter of the processing is the following services:
Use of the Processor’s booking system portal, in particular the mobile application “Buchungssystem”.
The processing is based on the usage agreement between the Parties and applies for as long as the Controller uses the Processor’s booking system.
2.2 Duration
The processing begins upon registration for the Processor’s service and is for an indefinite term until this agreement or the usage agreement is terminated by either Party.
3. Nature and Purpose of Data Collection, Processing, or Use
3.1 Nature and Purpose of the Processing
The processing comprises in particular: collection, recording, organization, arranging, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of data.
The processing serves the performance of the main contract.
3.2 Categories of Data
In the course of using the booking system, the Processor processes all personal data that the Controller enters into the system or has generated through use. These may in particular include:
- Master data (e.g., name, first name, address)
- Contact data (e.g., telephone number, email address)
- Booking and contractual data (e.g., appointments, services, notes, contractual interest)
- Communication data (e.g., appointment confirmations, reminders, messages)
- Billing and payment data (where the corresponding functions are used)
- Customer data history (e.g., past bookings, changes, cancellations)
- Other data collected by the Controller via freely definable input fields, free‑text fields, or individually configured forms.
3.3 Categories of Data Subjects
Depending on the configuration and use of the booking system by the Controller, the following categories of data subjects may be affected:
- Customers and end users of the Controller (e.g., persons booking appointments)
- Prospective customers (e.g., persons submitting inquiries or tentative bookings)
- Employees of the Controller (e.g., staff listed in the system as providers of appointments)
- Portal users (e.g., registered users of the booking system)
- Other groups of persons recorded by the Controller via its own input fields, free‑text fields, or individual forms.
4. Obligations of the Processor
(1) The Processor shall process personal data exclusively as contractually agreed or as instructed by the Controller, unless the Processor is legally obliged to carry out a specific processing activity. If such obligations exist, the Processor shall inform the Controller prior to the processing unless such notification is legally prohibited. The Processor shall not use the data provided for processing for any other purposes, in particular not for its own purposes.
(2) The Processor confirms that it is familiar with the relevant general data protection provisions. It observes the principles of proper data processing.
(3) The Processor undertakes to strictly maintain confidentiality in processing.
(4) Persons who may gain knowledge of data processed under this agreement must be bound to confidentiality in writing, insofar as they are not already subject to a corresponding statutory duty of secrecy.
(5) The Processor ensures that persons it deploys for processing are familiarized with the relevant provisions of data protection law and of this agreement before processing begins. Appropriate training and awareness‑raising measures shall be repeated at appropriate intervals. The Processor shall ensure that personnel engaged in processing on behalf of the Controller are continually appropriately instructed and supervised with respect to meeting data protection requirements.
(6) In connection with the commissioned processing, the Processor shall assist the Controller in creating and maintaining the record of processing activities and in conducting data protection impact assessments. All required information and documentation shall be kept available and provided to the Controller without delay upon request.
(7) If the Controller is audited by supervisory authorities or other bodies, or if data subjects assert rights against the Controller, the Processor undertakes to support the Controller to the extent necessary insofar as the commissioned processing is affected.
(8) The Processor may provide information to third parties or to the data subject only with the prior consent of the Controller. It shall forward any requests received directly to the Controller without delay.
(9) Where legally required, the Processor shall appoint a competent and reliable person as Data Protection Officer. It shall ensure that no conflicts of interest exist for the Data Protection Officer. In cases of doubt, the Controller may contact the Data Protection Officer directly. The Processor shall inform the Controller without delay of the contact details of the Data Protection Officer or explain why no officer has been appointed. Changes to the person or internal responsibilities of the officer shall be communicated to the Controller without delay.
(10) The commissioned processing shall as a rule take place within the EU or the EEA. Any transfer to a third country is permitted only under the conditions set out in Chapter V of the GDPR and subject to compliance with the provisions of this agreement.
(11) If the Processor is not established in the European Union, it shall appoint a responsible representative in the European Union pursuant to Art. 27 GDPR. The contact details of the representative and any changes thereto must be communicated to the Controller without delay.
5. Technical and Organizational Measures
(1) The data security measures described in Annex 1 are agreed as binding. They define the minimum owed by the Processor. The description of the measures must be sufficiently detailed that a knowledgeable third party can at any time, on the basis of the description alone, unambiguously determine what the owed minimum is. A reference to information that cannot be taken directly from this agreement or its annexes is not permitted.
(2) The data security measures may be adapted in line with technical and organizational developments, provided that the level agreed here is not undercut. Changes required to maintain information security must be implemented by the Processor without delay. Changes shall be communicated to the Controller without delay. Material changes must be agreed between the Parties.
(3) Where the measures implemented no longer meet the Controller’s requirements, the Processor shall notify the Controller without delay.
(4) The Processor ensures that data processed under this agreement are strictly separated from other data sets.
(5) Copies or duplicates shall not be made without the knowledge of the Controller. Exempted are technically necessary, temporary reproductions insofar as impairment of the agreed level of data protection is excluded.
(6) Processing of data in private residences is permitted only with the prior written consent of the Controller. If such processing occurs, the Processor must ensure that a level of data protection and data security in line with this agreement is maintained and that the control rights specified in this agreement can, in sufficiently justified cases, also be exercised in the affected private residences. Processing of data under this agreement using private devices is under no circumstances permitted.
(7) Dedicated data media originating from the Controller or used for the Controller shall be specially labeled and be subject to ongoing administration. They must be properly stored at all times and not be accessible to unauthorized persons. Inbound and outbound movements shall be documented.
(8) The Processor shall provide regular evidence of its fulfillment of duties, in particular the complete implementation and effectiveness of the agreed technical and organizational measures. Evidence shall be made available to the Controller at any time upon request. Evidence may be provided by approved codes of conduct or an approved certification mechanism.
6. Provisions on Rectification, Erasure, and Blocking of Data
(1) Data processed under the agreement shall be rectified, erased, or blocked by the Processor only in accordance with the contractual arrangements made or on instruction of the Controller.
(2) The Processor shall comply with the Controller’s instructions at any time, including after termination of this agreement.
7. Subprocessing
(1) The engagement of subcontractors is permitted only if there are no legitimate interests of the Controller opposing such engagement.
(2) Subcontractors must be subjected to data protection obligations at least comparable to those agreed in this agreement. The Controller shall, upon request, be granted access to the relevant contracts between the Processor and the subcontractor.
(3) The Controller’s rights must be enforceable effectively against the subcontractor as well. In particular, the Controller must be entitled to carry out controls at any time, to the extent set out herein, also at subcontractors or to have such controls carried out by third parties.
(4) The responsibilities of the Processor and the subcontractor must be clearly delimited from one another.
(5) Any further sub‑subcontracting by the subcontractor is not permitted.
(6) The Processor shall select the subcontractor with particular care, especially with regard to the suitability of the technical and organizational measures implemented by the subcontractor.
(7) The forwarding of data processed under this agreement to the subcontractor is permissible only after the Processor has documented that the subcontractor has fully met its obligations. The Processor shall provide the documentation to the Controller without being asked.
(8) The engagement of subcontractors who do not provide the commissioned processing exclusively from within the territory of the EU or EEA is possible only in compliance with the conditions set out in Section 4 (10) and (11) of this agreement. In particular, it is permitted only insofar as and as long as the subcontractor offers appropriate data protection safeguards. The Processor shall inform the Controller which specific safeguards the subcontractor provides and how proof thereof can be obtained.
(9) The Processor shall regularly verify the subcontractor’s compliance with its duties. The audit and its result must be documented with sufficient probative value to be comprehensible to a knowledgeable third party.
(10) If the subcontractor fails to meet its data protection obligations, the Processor shall be liable for this vis‑à‑vis the Controller.
(11) Subprocessing within the meaning of this agreement covers only those services that have a direct connection with the provision of the main service. Ancillary services such as transport, maintenance and cleaning, or the use of telecommunications services or user support are not included. The Processor’s duty to ensure compliance with data protection and data security also in these cases remains unaffected.
8. Rights and Obligations of the Controller
(1) The Controller alone is responsible for assessing the lawfulness of the commissioned processing and for protecting the rights of data subjects.
(2) The Controller shall issue all orders, partial orders, or instructions in documented form. In urgent cases, instructions may be given orally. Such instructions shall be confirmed by the Controller without delay in documented form.
(3) The Controller shall inform the Processor without delay if it identifies errors or irregularities when reviewing the results of the commissioned work.
(4) The Controller is entitled to monitor compliance with data protection provisions and the contractual arrangements at the Processor to a reasonable extent, either itself or through third parties, in particular by obtaining information, inspecting stored data and data processing programs, and conducting other on‑site checks. Persons charged with the inspection shall be granted access and insight by the Processor where required. The Processor is obliged to provide necessary information, demonstrate procedures, and furnish evidence required to conduct an inspection.
(5) Inspections at the Processor shall be carried out without avoidable disruption to its business operations. Unless otherwise indicated for urgent reasons to be documented by the Controller, inspections shall be conducted after reasonable prior notice, during the Processor’s business hours, and not more frequently than every 12 months. Where the Processor provides evidence of correct implementation of the agreed data protection obligations as provided in Section 5 (8) of this agreement, an inspection should be limited to spot checks.
9. Notification Duties
(1) The Processor shall inform the Controller without undue delay of any personal data breach. Reasonable suspicions thereof must also be reported. Notification must be made no later than within 24 hours from the time the Processor becomes aware of the relevant event, to an address designated by the Controller. It must include at least the following:
a. a description of the nature of the personal data breach, where possible indicating the categories and approximate number of data subjects concerned, the categories affected and the approximate number of personal data records concerned;
b. the name and contact details of the Data Protection Officer or another point of contact for further information;
c. a description of the likely consequences of the personal data breach;
d. a description of the measures taken or proposed by the Processor to address the personal data breach and, where appropriate, measures to mitigate its possible adverse effects.
(2) Significant disruptions in the performance of the commissioned work as well as breaches by the Processor or its staff of data protection provisions or of the stipulations made in this agreement must also be reported without delay.
(3) The Processor shall inform the Controller without delay of inspections or measures by supervisory authorities or other third parties insofar as they relate to the commissioned processing.
(4) The Processor undertakes to support the Controller to the extent necessary in its duties under Articles 33 and 34 GDPR.
10. Instructions
(1) The Controller retains a comprehensive right to issue instructions with regard to the commissioned processing.
(2) The Processor shall inform the Controller without delay if, in its opinion, an instruction issued by the Controller infringes statutory provisions. The Processor is entitled to suspend implementation of the corresponding instruction until it is confirmed or amended by the Controller’s responsible person.
(3) The Processor shall document the instructions it has received and their implementation.
11. Termination of the Commission
(1) Upon termination of the commissioned relationship, or at any time upon request of the Controller, the Processor shall, at the Controller’s choice, either destroy or hand over to the Controller the data processed under the agreement. All existing copies of the data shall also be destroyed. Destruction must be carried out so that recovery, even of residual information, is no longer possible with reasonable effort.
(2) The Processor is obliged to ensure immediate return or deletion also at subcontractors.
(3) The Processor shall furnish proof of proper destruction and, upon request, provide evidence to the Controller.
(4) Documentation serving to evidence proper data processing shall be retained by the Processor for the applicable retention periods even beyond the end of the contract. For its discharge, the Processor may hand them over to the Controller upon termination of the contract.
12. Remuneration
The Processor’s remuneration is conclusively governed in the main contract. No separate remuneration or cost reimbursement is made under this agreement.
13. Liability
(1) For damage suffered by a person due to unlawful or incorrect data processing within the scope of the commissioned relationship, the Controller and Processor shall be liable as joint and several debtors.
(2) The Processor shall be liable to the Controller for damage culpably caused by the Processor, its employees, those engaged by it to perform the contract, or subcontracted service providers in connection with the commissioned contractual performance.
(3) Number (2) shall not apply where the damage arose from correct implementation of the commissioned service or from an instruction issued by the Controller.
14. Special Right of Termination
(1) The Controller may terminate the main contract and this agreement at any time without notice (“extraordinary termination”) if there is a serious breach by the Processor of data protection provisions or the provisions of this agreement, if the Processor cannot or will not comply with a lawful instruction of the Controller, or if the Processor unlawfully refuses the Controller’s inspection rights.
(2) A serious breach exists in particular if the Processor has not fulfilled, or has not fulfilled to a significant extent, the obligations specified in this agreement, especially the agreed technical and organizational measures.
(3) In the case of minor breaches, the Controller shall grant the Processor a reasonable period to remedy the situation. If remediation does not occur in time, the Controller is entitled to extraordinary termination as described in this section.
15. Miscellaneous
(1) Both Parties are obliged to treat as confidential all knowledge of business secrets and data security measures of the other Party obtained in the course of the contractual relationship, including after the end of the contract. If there is doubt as to whether information is subject to the duty of confidentiality, it shall be treated as confidential until written release by the other Party.
(2) If property of the Controller at the Processor is endangered by measures of third parties (e.g., seizure or confiscation), by insolvency or composition proceedings, or by other events, the Processor shall inform the Controller without delay.
(3) Side agreements require written form.
(4) The defense of a right of retention within the meaning of § 273 BGB is excluded with regard to the data processed under the agreement and the associated data carriers.
(5) Should individual parts of this agreement be invalid, the validity of the remainder of the agreement shall not be affected.
Annex 1 – Technical and Organizational Measures
The following technical and organizational measures to ensure data protection and data security are established as the minimum to be implemented and continuously maintained by the Processor. The objective is to ensure, in particular, the confidentiality, integrity, and availability of information processed under the agreement.
Physical Access Control (Zutrittskontrolle)
a. Access control via a manual locking system
b. Doors with knobs on the exterior sides
c. Key list
d. Visitors accompanied by employees
System Access Control (Zugangskontrolle)
a. Login with username and password
b. Use of VPN for remote access to the office network
Data Access Control (Zugriffskontrolle)
a. Document shredder
Anonymization and Pseudonymization
a. Internal instruction to anonymize/pseudonymize personal data as far as possible in the event of disclosure
Transfer Control (Weitergabekontrolle)
a. Provision via encrypted connections such as SFTP and HTTPS
Data Protection Management
a. Employees trained and bound to confidentiality / data secrecy
Incident Response Management
a. Documentation of security incidents and data breaches via a ticket system
Data Protection by Default (Privacy by Default)
a. No more personal data are collected than are necessary for the respective purpose
Order Control (Auftragskontrolle)
a. Selection of the Processor with due care (especially with regard to data protection and data security)
b. Conclusion of the necessary agreement on commissioned processing and/or EU Standard Contractual Clauses
c. Commitment of the Processor’s employees to data secrecy
List of Sub-processors (Subcontractors)
| Service Provider | Location | Purpose of Processing | Safeguards for third-country transfers (§ 7 (8)) |
|---|---|---|---|
| Hetzner Online GmbH | DE | Hosting the infrastructure & email dispatch | Not required (located in EU) |
| Strato AG | DE | Server infrastructure & backups | Not required (located in EU) |
| Scaleway S.A.S. | FR | Encrypted backups storage | Not required (located in EU) |
| Google Cloud (Firebase) | USA | Push notifications & technical synchronization (optional) | EU-U.S. Data Privacy Framework (DPF) |
| BulkGate / Prelude | EU | Sending SMS verifications to end customers (optional) | Not required (located in EU) |
| Stripe / PayPal | USA / EU | Payment processing for end customers (optional) | EU-U.S. Data Privacy Framework (DPF) |
| Google Inc. (Calendar) | USA | Calendar synchronization for appointment data (optional) | EU-U.S. Data Privacy Framework (DPF) |