Agreement on Commissioned Data Processing (DP) According to the EU General Data Protection Regulation
User of Dlubal Software
- hereinafter referred to as "controller" -
Dlubal Software GmbH, Am Zellweg 2, 93464 Tiefenbach, Germany
- hereinafter referred to as "processor" -
1.1 In conjunction with the provision of services through the use of Dlubal software including support and service (hereinafter uniformly referred to as "contract"), the processor has to be granted access to the controller's or other third parties' personal data.
1.2 All terminology of this DP Agreement shall be used according to and in the understanding of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council).
1.3 In the event of conflicts between the provisions of this DP Agreement and those of the contract, the provisions of this DP Agreement shall prevail over those of the contract.
2 Commissioned Data Processing
2.1 The processor shall process the personal data exclusively on behalf of and in compliance with the controller's instructions within the meaning of Art. 28, 29 GDPR (commissioned data processing). From a data protection legislation perspective, the controller shall remain the responsible party ("master of the data") and shall be responsible for the lawful processing of the personal data in accordance with the contract.
2.2 The personal data shall be processed exclusively and entirely in a member state of the European Union or in another state that is party to the Agreement on the European Economic Area, and only in the manner and for the purposes defined in Attachment 1 of this DP Agreement. The processing of personal data shall cover the types of personal data stated in Attachment 1 of this DP Agreement as well as the categories of data subjects affected by the processing defined therein.
2.3 The processor shall not acquire any rights to the personal data and shall surrender the personal data to the controller at any time upon request. Rights of retention related to the personal data shall be precluded. On the controller's instruction, the processor shall be obligated to rectify personal data or restrict its processing.
2.4 The processor shall be obligated to unconditionally follow the instructions arising from the contract and the written instructions of the controller for the processing of the personal data (hereinafter referred to as "data protection instructions"), issued in individual cases by the executives as well as the controller's data protection officer. Individual data protection instructions shall be issued in written form or via e-mail. In justified individual cases, it shall also be possible to give verbal data protection instructions; however, such instructions must be confirmed by the controller in writing or via e-mail in a timely manner. If the processor takes the view that a data protection instruction violates legal provisions and/or the contract, the processor shall be obligated to inform the controller of this without undue delay, and shall be entitled to not execute the data protection instruction until such time as the data protection instruction is confirmed by the controller.
2.5 The processor shall be obligated to appoint a company data protection officer in writing, pursuant to § 38(1) s. 1 BDSG (Federal Data Protection Act). The contact details of the processor's company data protection officer are published at www.dlubal.com/en/legal-matters/data-protection-basic-information.
3 Data Security / Technical and Organizational Measures
3.1 The processor shall ensure confidentiality pursuant to Art. 28(3) s. 2 lit. b, 29 and 32(4) GDPR by requiring any persons engaged in the processing of personal data to commit to confidentiality in written form.
3.2 The processor shall organize the processes and measures for which they are responsible in such a manner that they meet the data protection requirements, ensuring that the personal data is processed exclusively in compliance with the data protection instructions of the controller (in particular by separating the personal data from data of other clients of the processor) and that third parties are unable to gain access to the data.
3.3 The processor shall guarantee the security of the data processing pursuant to Art. 28(3) s. 2 lit. c, 32 GDPR, in particular in combination with Art. 5(1), (2) GDPR, within the scope of responsibilities assigned to them according to the contract. The processor shall be obligated to take the appropriate technical and organizational measures required to permanently ensure data security and to guarantee a level of security appropriate to the risk with regard to the confidentiality, integrity, availability, and resilience of the systems and services relating to the processing. Account shall be taken of the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32(1) GDPR. Subject to additional data protection instructions of the controller, the technical and organizational measures stated in Attachment 2 of this DP Agreement shall be considered measures within the meaning of this clause 3.3 upon conclusion of the contract and/or this DP Agreement.
3.4 The processor shall not process personal data beyond the extent strictly required to fulfill the obligations under the contract; in particular, the processor shall make no unauthorized copies of the personal data and shall not transfer it to third parties.
3.5 The processor shall completely and irrevocably delete or destroy (hereinafter uniformly referred to as "delete") any and all provided and additionally processed personal data in all of the processor's systems (including any copies, as well as archive and backup files) pursuant to the provisions stated in Attachment 2 of this DP Agreement, once the processing of the personal data is no longer required for the fulfillment of the contract.
3.6 The deletion of personal data shall be documented by the processor and confirmed in written form at the controller's request. Personal data that is required by law to be retained or stored is not covered by this obligation of deletion. In accordance with the legal provisions, the processing of such personal data shall be restricted, and the data shall be deleted after expiration of the obligation to preserve or store it.
In case of events specified in Art. 33 and 34 GDPR, as well as in case of violations by the processor or persons employed by the processor against regulations for the protection of personal data or the provisions stipulated in this DP Agreement including its attachments, the processor shall be obligated to take measures to preclude resulting dangers to the integrity and confidentiality of the personal data without undue delay. In such cases, the processor shall also be obligated to notify the controller and the controller’s data protection officer of the precise circumstances without undue delay, including causes, the exact point of time, as well as the extent of the event, and to coordinate further processing of the personal data with the controller.
6 Third Party Requests, Audits by Supervisory Authorities
6.1 If the processor should receive third party requests (especially from data subjects) for information regarding the processing of personal data or events that trigger the notification obligation according to clause 4 of this DP Agreement, the processor shall be obligated to inform the controller and the controller's data protection officer of the request without undue delay. The processor shall refrain from giving information pursuant to sentence 1 of this clause 6.1 to third parties, unless the processor is mandated by law to provide such information. This clause 6.1 shall apply correspondingly if supervisory authorities announce audits of the processor or perform them unannounced.
6.2 If the controller is on their part subjected to an audit by the supervisory authority, the processor shall support the controller to the best of their abilities.
7 Controlling and Information Rights
7.1 The processor shall provide the controller with any information required to prove adherence to the obligations stated in Art. 28 GDPR, and shall enable audits performed by the controller or an auditor commissioned by them to the extent required. If in the process there is a possibility of acquiring confidential information, the processor shall be entitled to demand a declaration of confidentiality from the controller or the commissioned auditor.
If the controller has reasonable doubts based on factual indications, the controller's data protection officer and/or the auditor commissioned by them shall have the right to enter the premises of the processor, following written notice of generally 14 calendar days, to satisfy themselves that the relevant statutory and contractual data protection regulations are complied with. In this regard, the processor shall grant the required access rights, rights to information, and rights of inspection to the controller's data protection officer and/or the third parties commissioned by them.
For enabling audits by the controller, the processor shall be entitled to appropriate remuneration.
7.2 Before beginning the processing, the processor shall inform the controller in writing whether and how they have implemented the measures stipulated in clauses 3.2 to 3.6 of this DP Agreement.
8 Support of the Controller
8.1 The processor shall support the controller in the latter's obligation to respond to requests to exercise the rights of data subjects stated in Art. 16 - 21 GDPR and shall on request provide all relevant information in this regard without undue delay.
8.2 The processor shall furthermore, on request, support the controller with the implementation of the latter's data protection impact assessments pursuant to Art. 35 GDPR as well as in conjunction with prior consultations with the supervisory authority pursuant to Art. 36 GDPR.
8.3 The processor shall on request provide the controller with the information required for the controller's compilation of a record of processing activities without undue delay.
8.4 The processor shall provide the controller with all documentation necessary to comply with the accountability obligation pursuant to Art. 5(2) GDPR.
Unless otherwise agreed by the contractual parties, this DP Agreement shall be effective for an unlimited period of time. If the processor should seriously violate any provision of this DP Agreement, fail to implement a data protection instruction pursuant to clause 2.4 of this DP Agreement, or refuse to allow audits pursuant to clause 7.1 of this DP Agreement, the controller shall have the right to terminate the contract and/or this DP Agreement at any time without a need to observe an advance notice period, any other provisions of the contract notwithstanding.
Attachment 1 to DP Agreement: Nature and Purpose
Nature and purpose of the data processing, nature of the personal data, and categories of data subjects affected by the processing
1 Nature of the data processing
Subject matter of the order is the performance of maintenance work and technical service by the processor via e-mail, phone, or remote servicing, inter alia on IT systems of the controller. This includes all activities required for the provision of the service contractually agreed on with the controller.
2 Purpose(s) of the data processing
- Technical service in case of application questions regarding Dlubal software
- Maintenance and care of Dlubal software used by the controller
- Troubleshooting of the Dlubal product in which personal data is stored, if required
- Quality control for the Dlubal product in which the data is stored or for a later version of it
- Further development of existing or development of new Dlubal products
3 Nature of the personal data processed by the processor
- Personal master data
- Contact data (e.g. phone, e-mail)
- Key contract data (contractual relationship, contractual or product interest)
- Customer history
- Contract billing and payment data
- Model files, other data relevant for the technical service (e.g. crash reports)
4 Categories of data subjects affected by the processing
- Employees of the customer
- Employees of the customer's IT service provider, if applicable
- Interested parties
- Other persons, even consumers, as the case may be, provided they are users of a Dlubal service
Attachment 2 to DP Agreement: Technical and Organizational Measures
Hereinafter, a description of the principal measures of Dlubal for the adherence to the data protection regulations pursuant to Art. 32 GDPR will follow. However, it must be pointed out that not all security measures can be disclosed; rather, particularly in the interest of data protection and data security, forgoing confidential and detailed descriptions is indispensable.
1 Confidentiality (Art. 32(1) lit. b GDPR)
1.1 Physical access control
Measures, which are suitable to deny unauthorized persons access to data processing systems with which personal data is processed or used:
- The office premises are only accessible via a central entrance. Access areas are monitored with a camera and occupied by reception staff. In case no reception staff is present, the access doors are closed and secured with an alarm system.
- The server rooms are additionally under permanent lock and only accessible by authorized personnel.
- Important server systems outside the office premises are housed in a datacenter that is secured by multi-factor authentication of persons, video surveillance with a link to the police, and protection against terrorist attacks.
1.2 Electronic access control
Measures, which are suitable to prevent unauthorized persons from using data processing systems:
- The data is only available to Dlubal employees to the extent necessary via a role-based CRM system, manageable with configurable rights.
- The employees have role-based access rights.
- The computers are secured via authentication with user name and password (Active Directory).
- Passwords with increased security (structure, length, expiration date).
- External systems are connected via VPN tunnels. Only known addresses are permitted access via an IP whitelist. All external communication is encrypted.
- The computer systems are centrally provided with anti-virus software.
- The data networks are secured with firewalls.
- Only specifically authorized persons have access to the server systems.
1.3 Internal access control
Measures, which ensure that the persons authorized for the use of a data processing system can only access the data within their access privilege, and that personal data cannot be read, copied, altered, or deleted without authorization during processing, utilization, and after storage:
- Rights: All services use the "deny by default" access model. Only authorized persons and groups have appropriate access. The rights matrix of each individual service is monitored and can be exported via the admin panel of every service. All rights are managed by system administrators. The number of system administrators is kept to a minimum.
- Log files: The network storage servers keep audit logs including a version history of the files (create, read, update, delete). The Active Directory server logs every authorization request to services in the network.
- Versioning: All data in the network is secured via VSS (Volume Shadow Copy) and BTRFS snapshots. Databases are secured via hourly snapshots.
1.4 Isolation control
Measures, which ensure that data compiled for different purposes can be processed separately:
- Physically separate storage on separate systems or data mediums
- Creation of an authorization concept
- Encryption of datasets, which are processed for the same purpose
- Assignment of purpose attributes/data fields to datasets
- Establishment of database rights
- Logical separation of customer data according to competency and function
1.5 Pseudonymization and encryption (Art. 32(1) lit. a GDPR; Art. 25(1) GDPR)
The processing of personal data in such a way that the data cannot be attributed to a specific data subject without the consultation of additional information, as long as this additional information is stored separately and is subject to appropriate technical and organizational measures:
If possible for the respective data processing, the primary identifying features of the personal data are removed from the respective data application and stored separately.
2 Integrity (Art. 32(1) lit. b GDPR)
2.1 Data entry control
Measures, which ensure that it is possible to retroactively check and determine, whether personal data has been entered, altered, or deleted in data processing systems, and by whom:
- Logging of input, alteration, and deletion of data
- Traceability of input, alteration, and deletion of data via individual user names
- Allocation of rights for the input, alteration, and deletion of data based on an authorization concept
- Document management
2.2 Data transfer control
Measures, which ensure that personal data cannot be copied, altered, or deleted without authorization in the course of electronic transmission, or during their transport or storage on data mediums:
- The e-mail server uses the Sender Policy Framework (SPF) to prevent unauthorized use of our domains. This way, the e-mail recipient can check whether the e-mail originates from an authorized server.
- E-mails are signed with DKIM signatures to ensure authenticity.
- Sensitive e-mails may additionally be encrypted via end-to-end encryption.
- FTP and VPN services operate with TLS encryption.
3 Availability and Resilience (Art. 32(1) lit. b GDPR)
3.1 Availability control
Measures, which ensure that personal data is protected from accidental destruction or loss:
- Backup & recovery concept
- Uninterruptible power supply (UPS)
- Hard disk mirroring
- Utilization of RAID systems
- BTRFS and ReFS file systems for error detection and correction, and for prevention of silent data loss
- High-availability clusters and mirroring of data and services across several locations
- Redundant internet connections and routers to prevent lengthy downtimes
- ECC memory on all servers to detect memory errors, data modifications, and data loss
- Microsoft System Center Data Protection Manager (DPM) agent installed on every server
- Backup via DPM Storage at least once per day
- Windows Backup + iSCSI LUNs
- Important services are monitored by network tools and report failing services, downtimes, DoS and DDoS attacks
- Secure server room
- Surge-protected power strips in the server room
- Periodic inspection of the electrical equipment by a specialist company
- Fire and smoke alarms, fire-extinguishing equipment
- Emergency plans and crisis management
- Firewall with antivirus and intrusion detection and prevention (AV/IDS/IDP, ZyWALL Security Gateway)
- ESET Mail Security for Exchange to safeguard the e-mail server against spam, viruses, ransomware, scams, etc.
- ESET antivirus on all computers as endpoint protection, managed via the ESET Remote Administrator console
- ClamAV open source Antivirus for the protection of the network servers and storage
- Periodic system updates managed via WSUS
- Active Directory Group Policy for all computers
Measures, which allow for the availability of personal data and the access to it to be quickly restored after a physical or technical incident (Art. 32(1) lit. c GDPR):
All data is protected against loss via periodic backups. Different tools allow for this data to be recovered with minimal effort in the event of physical or technical incidents. Specific measures are:
- Backup & recovery concept
- Backup via DPM Storage at least once per day
- Windows Backup + iSCSI LUNs
4 Procedures for Regular Testing, Assessment, and Evaluation (Art. 32(1) lit. d GDPR; Art. 25(1) GDPR)
4.1 Data protection management:
- Employee training courses in data protection
- Obligation of the employees to the confidential handling of personal data
- Nomination of a data protection officer
- Employee guidelines for the handling of personal data
- Maintaining a record of processing activities within the meaning of Art. 30(1) and (2) GDPR
- Implementation of a data protection management system
4.2 Order control
Measures, which ensure that personal data that is processed in the order can only be processed according to the instructions of the controller within the meaning of Art. 28 GDPR:
- Clear contract design
- Formalized order management
- Selection of the processor under careful consideration
- Written instructions to the processor via contract regarding the processing of order data
- Obligation of the processor to confidentiality
- Continuous supervision of the processor and their activities