Heeft u vragen?



Agreement on Processing of Personal Data in Orders According to Art. 28 Para.3 General Data Protection Regulation (GDPR) (Order Data Processing)


1. Preamble
The conclusion of this agreement on processing data on behalf of the European General Data Protection Regulation (GDPR), which will enter into force on the 25th of May 2018. Against this background, the parties conclude the following agreement in order to ensure that data processing for the provision of services can continue to take place in a legally compliant manner in the future.
The Client entrusts the Contractor with processing personal data. The provisions of this agreement apply to this order processing within the meaning of Art. 28 of the General Data Protection Regulation (GDPR).

2. Subject and Duration of the Contractual Order

Subject of the Order

The subject of the contractual order for data processing is the performance of the following tasks by the Contractor:
- Execution of performance-oriented email transmissions to the address databases of the order processor

Duration of the Order

The contractual order is not time-limited and can be terminated by either party with 30 days' notice to the end of the month. The possibility of termination without notice shall remain unaffected.

3. Concretisation of the Content of the Contractual Order

Scope, type and purpose of the proposed data processing

Before sending an email, the Client regularly provides blacklists with email addresses. Emails cannot be sent to the email addresses contained therein are by the order processor. It is also possible that before an email campaign is carried out, a customer list supplied by the Client must be compared against the customer base of the order processor, e.g. in order to exclude existing customers from the advertising campaign.

a) Place of data agreement: The contractually agreed service is provided in principle and exclusively within the territory of the Federal Republic of Germany, in a member state of the European Union or in another contracting state to the Agreement on the European Economic Area. Any movement of data to a third country requires the prior consent of the client and is subject to compliance with the special statutory requirements.

b) The blacklists and customer lists are delivered by the Client in accordance with the currently valid data protection regulations and the Client bears full responsibility for the organisational/technical measures for this.

Type of Data
 The subject of the personal data processing is the following types / categories of data
- Personal master data (e.g. title, first name, surname, street, house number, postcode, city)
- Communication data (e.g. email)

Categories of Data Subject
 The categories of data subjects covered by the processing:
- Customers
- Interested parties
- Advertising blocks
- Former complainants

4. Technical and Organisational Measures

a) The Contractor shall document the implementation of required technical and organisational measures set out prior to the placing of an order before the start of processing, particularly with regard to the execution of the specific order as a one-time standard procedure and shall pass this on to the Client for review.

Upon acceptance of the order by the Client, the documented measures become the basis of the order. If the Client's review results in a need for adjustment, this must be implemented by mutual agreement.

b) The Contractor must provide the security according to Art. 28 para. 3 letter c, 32 EU GDPR in particular in conjunction with Art. 5 para. 1, para. 2 EU GDPR, insofar as within their sphere of influence. Overall, the measures to be taken are data security measures, which are taken to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. On this point, the state of the art, the costs of implementation, the nature, scope and purposes of processing, and the varying likelihood and risk severity for the rights and freedoms of natural persons in the sense of Art. 32 para. 1 EU GDPR must be taken into account.

c) Technical and organisational measures are subject to technical progress and further developments. In that regard, the Contractor is permitted to implement adequate alternative measures. The security level of the specified measures must be adequate. Significant changes must be documented once as a standard procedure.

5 Correction, Restriction and Deletion of Data

a) The Contractor may not correct, delete or restrict the data processing of the data which is processed in the order on his own authority, but only in accordance with the documented instructions of the Client. Excluded from this are blacklists, complaint lists, customer lists, etc. which are generally deleted by the Contractor after completion of the order without requiring the instructions of the Client.
If a data subject contacts the Contractor directly in this regard, the Contractor shall immediately forward their request to the Client as soon as the Client provides the Contractor with a communication channel conforming to the requirements of the Data Protection Act (e.g. login with access data).

b) Insofar as it is included in the scope of services, the deletion concept, the right to be forgotten, correction, data portability and information shall be ensured directly by the Contractor in accordance with the documented instructions of the Client.

6. Rights and Obligations as well as the Client's Authority to Issue Instructions
 1. for the assessment of the admissibility of the processing according to Art. 6 para. 1 GDPR as well as for safeguarding the rights of the data subjects in accordance with Art. 12 - 22 GDPR. Nevertheless, the Contractor is obliged to immediately forward all such inquiries to the Client, provided that they are clearly addressed exclusively to the Client.

2. Changes to the subject of processing and changes to procedures shall be agreed jointly between the Client and the Contractor and specified in writing or in a documented electronic format (email is sufficient).

3. The Client shall issue all orders, partial orders and instructions in writing or in a documented electronic format (e-mail is sufficient). Verbal instructions must be confirmed immediately in writing or in electronic text form.

4. Prior to the start of processing, and then regularly and in an appropriate manner, the Client is entitled to satisfy themselves of the compliance with the technical and organisational measures taken by the Contractor and with the obligations laid down in this agreement.

5. The Client shall inform the Contractor immediately if errors or irregularities are noticed during the verification of the order results.

6. The Client is obliged to treat all knowledge of business secrets and data security measures obtained by the Contractor as confidential under the terms of the agreement. This obligation shall continue even after this agreement has been terminated.

7. The Client is responsible for the permissibility of data collection, processing and use. This also applies to the obligations of the Client under the Law against Unfair Competition (in particular to obtain consent in accordance with § 7 UWG) and the Telecommunications Secrecy Act (§ 88 TKG). The Contractor points out that no advertising in violation of legal regulations may be sent by the Client.

8. Responsibility for data processing; the Client bears the responsibility for processing and is responsible to third parties for compliance with the provisions of the data protection laws. The Client is responsible for his own assessment of the admissibility of order data processing and the order under data protection law. If the Client is of the opinion that the processing carried out by the Contractor violates the Client obligations, they must point this out to the Contractor and ensure that the data processing complies with the law by issuing appropriate instructions.

9. The Client is solely responsible for the lawful data collection (consent by double opt-in procedure or according to §7 para. 3 UWG etc.) and the secure transmission of data to the Contractor for the purpose of data processing within the scope of this agreement. The Client assures that they shall only collect and provide to the Contractor such data from their customers and users who have explicitly consented to such collection, processing and, if applicable, evaluation. In particular, the Client is aware that an evaluation of personal data (e.g. response data such as opening emails and clicks) of a recipient within the scope of 'tracking' is only possible if the Client confirms to the Contractor that they have the consent of the respective recipient for the evaluation of their personal data.

10. Notification and instruction obligations: In the event of a direct request for information, notification, warning or instruction from the supervisory authority in accordance with Art. 58 GDPR, the Client must support the Contractor and ensure that the official request can be complied with in accordance with this agreement.

7. Quality Assurance and Other Obligations of the Contractor

The Contractor has additional legal obligations under Art. 28 to 33 EU GDPR to comply with the provisions of this order; in this respect, they guarantee particular compliance with the following requirements:

a) Written appointment of a data protection officer who shall perform their duties in accordance with Art. 38 and 39 of the EU GDPR if obliged to do so.
- Whose details will be communicated to the Client for the purpose of direct contact. The Client must be informed immediately of any change to the data protection officer.
- Details of appointed data protection officer(s) must be provided to the Client with full name and contact details [title, first name, surname, organisational unit, telephone, e-mail]. A change in data protection officer must be communicated to the Client immediately.
The Contractor's current contact details are easily accessible on the Contractor's homepage.

b) If the Contractor is not obliged to appoint a data protection officer, the Client shall be informed of a contact person with full name and contact details [title, first name, surname, organisational unit, telephone, e-mail] by the Contractor.

c) The maintenance of confidentiality in accordance with Art. 28 para. 3 clause 2 letter b, 29, 32 para. 4 EU GDPR.
In carrying out work, the Contractor shall exclusively use employees who are bound to confidentiality, and who have previously been familiarised with the relevant data protection provisions. The Contractor and any person under their authority who has access to personal data may only process such data exclusively in accordance with the instructions of the Client, including the powers granted in this Contract, unless they are legally obliged to process it.

d) The implementation and observance of all technical and organisational measures required for this contract in accordance with Art. 28 para. 3 clause 2 letter c, 32 EU GDPR

e) The Client and the Contractor shall, upon request, cooperate with the supervisory authority in the performance of their tasks.

f) Immediate information from the Client as to control procedures and measures taken by the supervisory authority in so far as they relate to this order. This also applies insofar as a competent authority is conducting an investigation in the context of an administrative offence or criminal procedure with regard to the processing of personal data in the processing of orders with the Contractor.

g) If the Client is subject to an inspection by the supervisory authority, administrative or criminal proceedings, the liability claim of a data subject or a third party or any other claim in connection with the processing of the order with the Contractor, the Contractor must support them to the best of their ability.

h) If the Contractor is subject to an inspection by the supervisory authority, an administrative offence or criminal proceedings, the liability claim of a data subject or a third party or any other claim in connection with an order with the Client, the Client must provide services without restriction and free of charge.

i) The Contractor shall regularly monitor internal processes and technical and organisational measures to ensure that processing within their area of responsibility is carried out in accordance with the requirements of the applicable data protection legislation and that the rights of the data subject are protected.

j) Verifiability of the technical and organisational measures taken by the Client within the framework of their controlling authority.

k) The Contractor shall process personal data only under this agreement and under the instructions of the Client, unless they are required to do so by the law of the Union or the Member States to which the order processor is subject (e.g. investigations by law enforcement or state protection authorities), in which case the order processor shall inform the controller of these legal requirements before processing, unless the law in question prohibits such communication on grounds of an important public interest (Art. 28 para. 3 clause 2 letter a GDPR).

l) The Contractor shall not use the data provided for processing for any other purposes, in particular not for their own purposes. Copies and duplicates shall not be created without knowledge of the Client.

m) The Contractor guarantees that they will undertake all measures agreed for contractual processing in the field of the processing of personal data in line with the order. The Contractor also guarantees that the data processed will be kept separate from other data in their possession.

n) Dedicated data carriers that originate from the Client or are used for the Client shall be specially marked. Input and output as well as the current use are documented.

The Contractor must cooperate to the extent necessary in fulfilling the rights of the data subjects in accordance with Art. 12 - 22 GDPR by the Client, in the creation of the processing directory, as well as in required data protection impact assessments carried out by the Client, and assist the Client appropriately, as far as possible (Art. 28 para. 3 clause 2 letter a GDPR).

6. The Contractor shall draw the Client's attention to the fact that an instruction issued by the Client violate legal requirements (Art. 28 para. 3 clause 3 GDPR). The Contractor is authorised to suspend implementation of the corresponding instruction until it is confirmed or modified by the responsible personnel of the Client following examination.

q) The Contractor must correct or delete personal data from the order, or restrict its processing if the client demands this by means of instructions and if the legitimate interests of the Contractor do not oppose this.

r) If a data subject addresses the Contractor with claims for correction, deletion or information, the Contractor shall refer the data subject to the Client, provided that it is possible to allocate the data subject to the Client according to their data. The Contractor shall immediately forward the request of the data subject to the Client. The Contractor shall support the Client within the scope of his possibilities and upon instruction, to the extent agreed upon. The Contractor shall not be liable if the Client does not respond to the request of the data subject, does not respond correctly or does not respond in due time.

s) Should inspections be necessary in individual cases by the Client or an auditor commissioned by the Client, they shall be carried out during normal business hours without disrupting operations after notification, taking into account an appropriate lead time. The Contractor may make them subject to prior notification with a reasonable lead time and to the signing of a confidentiality agreement with regard to the data of other customers and the technical and organisational measures set up. If the inspector commissioned by the Client is in a competitive relationship with the Contractor, the Contractor has a right of objection against them.

t) Costs incurred by the Contractor as a result of their active support shall be reimbursed to them to an appropriate extent. The cost of an inspection is generally limited to one day per calendar year for the Contractor.

u) The Contractor confirms that they are aware of the relevant data protection regulations of the GDPR for order processing. The Contractor further assures that they familiarise the employees employed during the execution of the work with the relevant provisions of data protection before starting the work and obliges them to maintain secrecy for the time of their work as well as after termination of the employment relationship in an appropriate manner (Art. 28 para. 3 clause 2 letter b and Art. 29 GDPR). The Contractor monitors compliance with the data protection regulations in their company.

8. Authorised Representatives of the Client and the Contractor
a. Both the Client and the Contractor provide the respective authorised person or recipient of the instructions with complete contact data.
b. If the contact person changes or is unable to work for a longer period of time, the contractual partners must be informed immediately and in principle in writing (email is sufficient) of the successor or representative.


9. Subcontracts

a) Subcontractual relationships within the meaning of this provision are understood as those services which relate directly to the provision of the main service.
Such services, which the Contractor makes use of with third parties as an ancillary service to assist in the execution of the order, should not be understood as a subcontractual relationship for the purposes of this regulation. These include, for example, telecommunications services, maintenance and user services, cleaning staff, inspectors or the disposal of data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems.
However, the Contractor shall be obliged to undertake appropriate and legally binding contractual agreements and control measures to ensure the data protection and the data security of the Client's data, including in the case of outsourced ancillary services.

b) The Contractor may only commission subcontractors with prior explicit written or documented consent of the Client. Excluded from this are technical service providers based within the EU.

c) The transfer of the Client's personal data to the subcontractor and commencement of their initial activities are only permitted if all requirements for subcontracting are met.

d) If the subcontractor performs the agreed service outside the EU/EEA, the Contractor shall take appropriate measures to ensure the admissibility under data protection law.

e) Further outsourcing by the subcontractor is not permitted; all contractual provisions in the contractual chain must also be imposed on the other subcontractors.

f) At present, the subcontractors specified in Appendix 2 with name, address and order content, are engaged in processing personal data for the Contractor to the extent specified therein. The Client has agreed to their appointment.

The Contractor shall always inform the person responsible of any intended change in regard to the addition of new or the replacement of existing subcontractors, giving the customer the opportunity to appeal such changes (§ 28 para. 2 clause 2 GDPR).


10. Control Rights of the Client

a) The Client is entitled to carry out inspections in consultation with the Contractor or to have them carried out by inspectors to be appointed in individual cases. They have the right to conduct periodic random checks, which, as a rule, must be notified in good time, to ensure compliance with this agreement by the Contractor in their business operations.

b) The Contractor shall ensure that the Client can satisfy themselves of the Contractor's compliance with the obligations in accordance with Art. 28 of the GDPR. The Contractor is required to provide the necessary information to the Client on request and to demonstrate in particular the implementation of the technical and organisational measures.

c) Proof of such measures, which do not only relate to the specific order, may be provided by:
compliance with approved rules of conduct in accordance with Art. 40 EU GDPR;
certification according to an approved certification procedure according to Art. 42 EU GDPR;
Current certificates, reports or report extracts from independent bodies (e.g. data protection officer, IT security department)
a suitable certification by IT security or data protection audit (e.g. according to BSI Basic Protection)
or other appropriate measures as decided by the Contractor


11. Supporting the Client in Fulfilling their Obligations

a) The Contractor shall assist the Client in complying with the obligations set out in Articles 32 to 36 of the GDPR concerning the security of personal data, notification obligations in the event of data breaches, data protection impact assessments and prior consultations. In particular this includes:

- ensuring an adequate level of protection through technical and organisational measures which take into account the circumstances and purposes of processing as well as the predicted probability and severity of a possible infringement of rights due to security gaps, and which enable an immediate determination of relevant infringement events
- the obligation to report violations of personal data to the Client without delay,
- the obligation to support the Client in the scope of their duty to inform the data subject and to make all relevant information available to them in this connection without delay,
- supporting the Client in their data protection impact assessment and
- supporting the Client in the scope of prior consultations with the supervisory authority.

b) The Contractor shall claim remuneration for support services.


12. The Client's Authority to Issue Instructions

a) The Client shall immediately confirm verbal instructions in text form.

b) The Client must inform the Contractor without delay if they are of the opinion that an instruction violates data protection regulations. The Client shall be entitled to suspend the execution of the relevant instruction until it has been confirmed or changed by the person responsible.

13. Deletion of Data and Return of Data Media

a) Copies and duplicates shall not be created without knowledge of the Client. This excludes backups, if they are necessary to ensure proper data processing, as well as data that is required in order to comply with legal retention requirements.

b) Upon completion of the contractual work, or earlier, if requested by the Client – but no later than termination of the Service Agreement – the Contractor shall destroy all documents of the Client which have come into their possession, drafted processing and user results and all data resources that are related to the contractual relationship or destroy them in line with data protection regulations. The same applies to testing and excess material.

Documentation that serves as proof of order-compliant and proper data processing must be kept by the Contractor in accordance with the respective retention periods beyond the term of the Agreement.




14. Liability

The Contractor is only liable to the Client within the scope of Art. 82 para.2 clause 2 GDPR and only if the Contractor culpably violates an obligation imposed on the by the GDPR.

The liability of the Contractor is further excluded if the violation was caused by the Client. In particular, the Contractor shall not be liable in cases in which the technical and organisational measures of the Contractor which were agreed with the Client do not comply with the requirements of Art. 32 GDPR because the Client fails to fulfil his information obligations according to 3.3.2 or does not do so on time.

Insofar as the Contractor's liability under the above paragraphs is excluded in whole or in part, the Client shall indemnify the Contractor upon the first inquiry against all claims raised by third parties against the Contractor due to data processing on behalf of the Client and shall bear the costs of the necessary legal defence including all court and legal costs to the statutory amount. In addition, facultative costs of the Contractor shall be borne in this context.

The same applies if a claim is made by third parties on the basis of the collection or transmission of their data to the Contractor or on the basis of the evaluation of the data within the scope of tracking, or if a claim by third parties exceeds the share of fault attributable to the Contractor in the case of joint and several liability. The Client is obliged to support the Contractor in an appropriate manner in the defence against claims raised by third parties, to provide without delay, truthfully and completely all information which could be necessary for the examination of the claims and the defence against them, and to make all appropriate evidence available to the Contractor.

The liability of the Client and the Contractor is determined externally and internally in accordance with the provisions of Art. 82 EU GDPR.

The corresponding regulation of the general terms and conditions of the Contractor applies to liability.

15. Signature

This Agreement shall be deemed expressly accepted if an order is placed without signature between the Client and the Contractor.



APPENDIX I: Subcontractors

The contractually agreed services are carried out with the involvement of subcontractors who are involved in this processing.

Below are listed all the subcontractors who are directly involved in the provision of services for the Client, and who may have or may have had access to the Client's data. This also includes external IT service providers with corresponding access rights.


1.       Webanizer AG Schulgasse 5 84359 Simbach am Inn, Germany
Email: Telephone: +49 (0) 8571 - 97 39 69-0 Internet:

Service description: Email dispatch solution


2.       Beyond Relationship Marketing GmbH, Wendenstrasse 21B 20097 Hamburg, Germany
Email: Telephone: +49 (0)40 3600 68 48 Internet:
Service description: Email dispatch solution


3.       Ongage LTD, 575 S. Broadway, 4th floor, White Plains, NY, 10601

Telephone: 1-866-593-2980 Email:

Service description: Email dispatch solution


4.       1&1 Internet SE, Elgendorfer Str. 57, 56410 Montabaur, Germany
Telephone: +49 (0) 721 96 00 Email: Internet:

Service description: Hosting

5.       Host Europe GmbH Hansestr. 111; 51149 Cologne Germany; Fax +49 2203 9934 1042; Telephone: 0800 467 8387; Email:; Internet:; Service description: Hosting


6.       Microsoft Deutschland GmbH. Walter-Gropius-Strasse 5; 80807 Munich; Germany. Telephone: +49 89 31 76 0; Fax: +49 89 31 76 1000

7.       OVH HISPANO S.L.U.. C/ Alcalá 21, 5ª planta, 28014 Madrid Spain. Telephone: +34 91 758 34 77;; Email:

Service description: Hosting

8.       Episerver GmbH. Wallstraße 16, 10179 Berlin Germany. Tel: +49 (0)30 76 80 78 0;; Email:


 9. ApS. Flæsketorvet 75, 1711 Copenhagen, Denmark. Tel: +45 33 19 32 00;;


 10.     Sparkpost (Messagebird). 9160 Guilford Road; Columbia, MD 21046; Tel +1 415-578-5222;;


APPENDIX II: Technical and organisational measures by the Contractor

The Contractor does not operate their own data centre. All personal data is stored and processed in the infrastructures of subcontractors and their specialised IT service providers based within the European Union (see APPENDIX I).

The Contractor takes the following technical and organisational measures for data security in their office building in the meaning of Art. 32 GDPR.

1. Confidentiality

Entry control
 Denial of access to processing facilities to unauthorised persons carrying out the processing.
- Definition of authorised persons: there is a clear regulation on authorised persons.
- Reception with visitor regulation: Access to offices only by authorised persons. Access and visit checks until leaving the premises.
- Key regulation and current key list
- Office doors and windows are locked when not in use. The main entrance is electronically secured and locked.
- Property security and secured entrance for delivery and collection: access on the 2nd floor. 2 locked main doors.
- Closed shop operation: no public traffic in the data processing department.

Authorisation control
 The intrusion of unauthorised persons into the data processing systems is prevented by technical (code and password protection) and organisational (user administration) measures regarding user identification and authentication
- Password procedures (including password complexity, minimum length, regular checking and change of password)
- Automatic locking (e.g. password or pause)
- Setting up a user master record for each user
- Encryption of data carriers
- Authorisations for access to data or systems are assigned by a central office
Mobile IT systems and mobile data carriers are not permitted
- IT systems are protected against viruses and malware by 2 programmes
- Unauthorised access to IT systems by third parties is detected and prevented by firewall

Access control
 Measures are taken to ensure that only authorised persons have access to data of the Client at the Contractor's ofice and that personal data cannot be read, copied, changed or removed without authorisation during processing, use and after storage.

Requirements-oriented design of the authorisation concept and access rights as well as their monitoring and logging.
- Differentiated authorisations (profiles, roles, transactions and objects)
- Regulation on password use (regular checks and changes, secrecy)
- User roles and authorisations are checked regularly every 6 months
- Access rights are withdrawn when leaving the company or when changing tasks in the company
- The number of administrators is limited to the minimum
- Access to external applications is logged
- Paper documents with personal data are securely destroyed by shredder

 Separation checks
 Separate processing of data collected for different purposes, e.g. through multi-client capability; Measures for separate processing (storage, modification, deletion, transmission) of data with different purposes:
- Multi-client capability with earmarking
- Data from different customers is processed separately and customers cannot access the data of other customers

- Pseudonymisation & encryption
 The pseudonymisation of personal data is not possible, as the core of the service is the use of the email address. Further personal data is not necessary (optional).
Encryption of the recipient data is not possible if the data is actively in use. Archived recipient data is stored in encrypted form.

2. Integrity

Input control
 Measures to retrospectively check whether and by whom data was entered, changed or deleted:
- Logging systems of external applications

Forwarding control
 Measures are taken to ensure that personal data cannot be read, copied, altered or removed without authorisation during electronic transmission or during transport or storage on data carriers, and that it is possible to verify and determine where personal data should be transmitted by data transmission equipment.
- Encryption and tunnel connection via VPN
- Obligatory transport security
- Obligation given by the Contractor to the Client that the transfer of personal data between Client and Contractor can only take place via login or if it is encrypted.
- Data is irretrievably deleted immediately after completion of the order

3. Availability and Loading Capacity
 It is ensured that personal information on the Contractor's systems is protected against accidental destruction or loss.
Availability control and isolation measures:
- Regular backup in the cloud ensures rapid data recovery
- Virus protection and firewall in use
- Emergency plan
- Intrusion detection systems and use of current encryption methods in external systems

4. Procedures for Periodic Review, Assessment and Evaluation
- The company management takes responsibility for data protection and information security
- Employees are regularly trained in data protection ( 1 training email every 6 months)
- Employees are under obligation to treat personal data confidentially (confidentiality agreement)
- A data protection officer is not obligatory due to company size but instead a permanent contact person for data protection has been appointed
- Regular employee training ensures that data protection violations are detected and reported immediately
- By daily examination of the inquiries and by permanently responsible persons, it is ensured that inquiries of data subjects are processed in a timely manner
- Analysis of the further requirements of the GDPR in order to improve and expand the existing principles, especially in the implementation and documentation of better processes
- Data protection management available

Order Control
No order data processing takes place without corresponding instructions from the Client.
- Clear contract design
- Formalised order placement
- Criteria for the selection of the Contractor
- Checks on the execution of the contract


Contact | afdruk | Gegevensbescherming | Privacybeleid | AVG