Data Processing Agreement

Processor:

HR-Autopilot GmbH
Im Grasfeld 8
50354 Hürth

Data Processing Agreement

§ 1 Mandate and Provisions for Processing

  • 1. This Data Processing Agreement (hereinafter DPA) pursuant to Art. 28 GDPR specifies the data protection rights and obligations of the parties for the processing of personal data within the meaning of the GDPR in the context of the respective existing contracts (usually offer and GTC) (hereinafter individually or jointly referred to as Main Agreement).

  • 2. The contractually agreed processing shall take place exclusively in a Member State of the European Union or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the Controller and may only take place if the special requirements of Art. 44 et seq. GDPR are met.

  • 3. In case of contradictions, this DPA shall take precedence over the Main Agreement, and the appendices of the DPA shall take precedence over this DPA.

§ 2 Responsibility and Processing on Instruction

  • 1. The Controller shall ensure compliance with the applicable legal provisions (Art. 4 No. 7 GDPR) and shall make the sole decision regarding the purposes and essential means of processing.

  • 2. The Processor shall act on instruction, unless an exceptional case pursuant to Art. 28 Para. 3 Sentence 2 lit. a GDPR exists (other legal processing obligation). Oral instructions must be confirmed in text form. The instructions already issued by the Controller result from the applicable Main Agreement in its currently valid version.

  • 3. The Processor shall rectify or erase the data subject to the contract or restrict their processing if the Controller so instructs. Erasure shall not take place insofar as the Processor is legally obliged to further store the personal data.

  • 4. The Processor shall inform the Controller without undue delay if it is of the opinion that an instruction infringes applicable data protection provisions or this DPA. The Processor may suspend the implementation of the instruction until it has been confirmed or amended by the Controller in text form. The Processor may refuse to execute instructions that are obviously unlawful under data protection law.


  • 5. The Processor shall ensure that persons authorized by it to process data
    (a) are aware of and comply with the Controller’s instructions, and
    (b) have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. The duty of confidentiality shall continue to apply even after the termination of processing within the scope permissible under employment law.

§ 3 Security of Processing

  • 1. The parties shall agree on technical and organizational measures pursuant to Art. 32 GDPR (hereinafter TOM) for the adequate protection of data, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in an appendix to this DPA (hereinafter TOM Appendix).

  • 2. The Processor reserves the right to make changes to the TOM, provided that the contractually agreed level of protection is not compromised overall. New versions of the TOM Appendix shall be communicated to the Controller in text form upon request.

§ 4 Notification in Case of Data Breaches, Processing Errors, and Insolvency or Similar Proceedings; Further Procedure

  • 1. The parties shall inform each other without undue delay
    (a) if they become aware of personal data breaches within the meaning of Art. 4 No. 12 GDPR and Art. 33 Para. 2 GDPR, or if there is a concrete suspicion of such a data breach;
    (b) if they identify errors in the processing of personal data by the Processor.

  • 2. Upon receiving the information, the Controller shall immediately issue instructions for rectifying the data breach or processing errors. If the Controller does not issue immediate instructions and the Processor may assume that immediate action is necessary to prevent further breaches or the occurrence of further errors, the Processor is entitled to take the necessary measures to rectify the data breach or errors and to mitigate adverse consequences, in particular to cease data processing. It shall then coordinate with the Controller.

  • 3. If the Processor is of the opinion that an agreement or instruction infringes data protection regulations, it shall inform the Controller thereof in writing without undue delay. The Processor is entitled to suspend the implementation of the respective instruction until it is confirmed or amended by the Controller.

  • 4. Oral notifications by both parties pursuant to the aforementioned paragraphs must be submitted in text form without undue delay.

  • 5. Should the Controller’s data held by the Processor be jeopardized by seizure or confiscation, by insolvency or comparable proceedings, or by other events or measures of third parties, the Processor shall inform the Controller thereof in text form without undue delay. The Processor shall inform all third parties thereof.

§ 5 Transfer of Data to a Recipient in a Third Country or an International Organization

The transfer of data to a recipient in a third country outside the EU and EEA is permissible subject to compliance with the conditions set out in Art. 44 et seq. GDPR.

§ 6 Sub-processing by the Processor

  • 1. The Processor may only have the processing of personal data carried out wholly or partly by further processors (hereinafter “Sub-processors”) with the consent of the Controller.

  • 2. The Processor shall inform the Controller in text form in advance of the intended engagement of Sub-processors or intended changes in sub-processing. The Controller may object to the sub-processing if there is an important reason. In the event of a justified objection, the Controller shall grant the Processor two weeks to replace the Sub-processor affected by the objection with another Sub-processor or to otherwise adapt the processing on behalf of the Controller so that it can be carried out without the Sub-processor affected by the objection.

  • 3. The Processor shall impose on the Sub-processor the same data protection obligations, insofar as legally mandatory, as are stipulated for the Processor in this DPA. In particular, the TOM agreed with the Sub-processor must provide an equivalent level of protection.

  • 4. Services that the Processor uses as a mere ancillary service to support its business activities outside of data processing are not sub-processing. However, the Processor is obliged to take appropriate precautions to ensure the protection of data even for such ancillary services.

§ 7 Rights of Data Subjects and Support for the Controller

If a data subject asserts claims against a party pursuant to Chapter III of the GDPR, that party shall inform the other party thereof without undue delay. The Processor shall support the Controller to the best of its abilities in processing such requests and in complying with the obligations mentioned in Art. 32 to 36 GDPR.

§ 8 Controller’s Rights of Control and Information

  • 1. The Processor shall demonstrate to the Controller compliance with its obligations under this DPA by suitable means.
  • 2. Suitable means may include, in particular, appropriate certifications or other suitable audit evidence. Certifications pursuant to Art. 40 GDPR or evidence pursuant to Art. 42 GDPR are particularly appropriate. The Controller’s statutory right of inspection remains unaffected.
  • 3. The Controller is entitled to conduct inspections at the Processor’s premises during normal business hours, without disrupting operations, and after prior notification and with reasonable lead time, to verify compliance with the obligations under this DPA. The Processor may make the inspection conditional on the signing of a confidentiality declaration regarding the data of other HR Autopilot customers and the TOM.
  • 4. If a supervisory authority exercises powers pursuant to Art. 58 GDPR, the parties shall inform each other thereof without undue delay. They shall support each other within their respective areas of responsibility in fulfilling the obligations towards the respective supervisory authority.

§ 9 Services Beyond Legal Obligations

The expenses incurred by the Processor for fulfilling its legal obligations are covered by the remuneration paid under the Main Agreement. With regard to the expenses for personnel services incurred for support in accordance with Section 7 Sentence 2 and for on-site controls in accordance with Sections 8.3 and 8.4 that go beyond an annual control, or that arise during ad-hoc controls which do not reveal any data protection irregularities or violations, the Processor reserves the right to charge for its expenses according to its current rates.

§ 10 Liability and Damages

  • 1. If a data subject asserts claims for damages against a party due to a breach of data protection provisions, the party against whom the claim is asserted shall inform the other party thereof without undue delay.

  • 2. The parties shall be liable to data subjects in accordance with the provisions of Art. 82 GDPR.

§ 11 Conclusion, Term

The term of the DPA corresponds to the term of the Main Agreement, but lasts at most as long as the Processor still processes data for the Controller. Upon termination of the Main Agreement, the Processor shall, at the Controller’s discretion, return or erase the data processed on behalf of the Controller in compliance with data protection regulations, and erase any existing copies of the data, unless there is an obligation to store them. After termination of this agreement, the Processor shall, subject to statutory retention obligations or other provisions entitling it to retention, return the data processed for the Controller under this agreement to the Controller or destroy or erase them.

§ 12 Final Provisions

  • 1. Amendments, supplements, or termination of the DPA require text form to be effective. This also applies to an amendment of this formal clause. An amendment becomes effective if the Controller is notified of the corresponding amendment in text form and does not object to the amendment within a period of 4 weeks. If the Controller objects to the amendment in text form, the previous DPA remains in force. In this case, the parties shall agree amicably on the necessary adjustments to this DPA. If the parties do not reach an agreement, each party has the right to terminate the DPA with a notice period of four weeks.


  • 2. Deviating oral agreements between the parties are invalid.

  • 3. Should any provision of the DPA be or become invalid, the validity of the remainder of the agreement shall remain unaffected.

  • 4. The law of the Federal Republic of Germany shall apply, to the exclusion of the conflict of laws.

Appendix to the Data Processing Agreement – Technical and Organizational Measures

Description of the Processor’s technical and organizational measures for the adequate protection of customer data pursuant to Art. 32 GDPR –

Through the technical and organizational measures, the resilience, integrity, pseudonymization, availability, encryption, confidentiality, and recoverability of the systems and services of HR Autopilot and its sub-processors in connection with this DPA are ensured.

In addition, the Customer is solely responsible for developing and implementing its own suitable measures pursuant to Art. 24 GDPR. Corresponding guidelines, such as ISO/IEC 27002 or the IT-Grundschutz publications of the Federal Office for Information Security (BSI), should be obtained and complied with by the Customer.

§ 1 Confidentiality (Art. 32 Para. 1 lit. b GDPR)

1.1 Physical Access Control

Measures to prevent unauthorized persons from gaining physical access to data processing facilities where personal data are processed and used.

  • 1. For all relevant locations, security zones and their physical protection are defined and documented in a security zone concept and can be presented upon request. Content points of the concept include, for example: supervision of external persons within the security zones, controlled access assignment, use of GDPR-compliant server structures according to ISO 27001, etc.

  • 2. The defined security zone concept is implemented for all relevant locations.

  • 3. The security zone concept is reviewed at least once a year.

  • 4. The security zones for all relevant locations are protected by physical barriers (fence, solid walls, doors, physical access control system, intruder alarm system, etc.) to ensure access only for authorized persons. Visitors in security zones are accompanied by authorized personnel.

  • 5. A documented and effective procedure exists for the assignment, modification, and revocation of physical access rights, including the return of access media. This assignment is carried out according to the “Need-to-Know” principle.

§ 2 System Access Control

Measures to prevent unauthorized persons from using data processing systems.

  • 1. A documented and effective system access control concept exists.

  • 2. The concept includes network security zones and network segmentation.

  • 3. The system access control concept defines the assignment, modification, and revocation of access rights, as well as their approval for internal and external employees.

  • 4. Every connection is established exclusively via encrypted protocols such as HTTPS, TLS, SSH, or protocols of a similar or higher security standard.

  • 5. The processes for the assignment, modification, and revocation of access rights, as well as their approval, are logged in a traceable manner.

  • 6. The system access control concept is reviewed by the Processor at least twice a year.

  • 7. Each user ID is uniquely assigned to a natural person at all times and may not be passed on or shared.

  • 8. Secure passwords are used. Their structure and handling comply with a documented password policy that additionally requires two-factor authentication for all employees across all systems. The self-chosen password must comply with the recommendations of the Federal Office for Information Security (min. 8 characters, use of all available character classes including upper and lower case, digits, and special characters).

  • 9. Default passwords for systems and applications (e.g., Oracle, SAP) are always changed.

  • 10. It is ensured that initial passwords for users become unusable after a short period if they have not been changed immediately.

  • 11. Passwords may only be reset or changed by authorized persons according to a defined process.

  • 12. Administrators use separate access credentials for system management, and their privileged activities are logged.

  • 13. The delegation of rights (deputy arrangement) is carried out exclusively according to defined specifications.

  • 14. All employees are instructed to lock their workstations when they leave them.

  • 15. Workstations are configured with automatic locking by default.

  • 16. All system accesses (applications, operating systems, BIOS, boot devices, etc.) are password-protected or locked.

  • 17. Employee devices are automatically locked after 10 minutes of inactivity or non-use. All employees are instructed to lock all devices immediately when leaving their workstation. Further details can be found in the data protection training.

  • 18. External access (Remote Access) is secured via a firewall, using strong encryption and 2-factor authentication.

§ 3 Access Control

Measures that ensure that authorized persons can only access data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and storage.

  • 1. It is ensured that only the access rights required to fulfill the respective task are assigned.

  • 2. The assignment and release of access rights is documented in a comprehensible manner so that it can be determined who has access to the data.

  • 3. The assignment procedure and the access rights are regularly checked and confirmed. Access rights are revoked immediately if they are no longer required.

  • 4. A responsible person is defined for each data item, who decides who may receive which access.

  • 5. Access rights are adjusted when the tasks in the business processes change.

  • 6. It is ensured in the applications that the assigned access rights are technically implemented.

  • 7. Unauthorized access is excluded in all environments that contain production data (including development, testing, etc.).

§ 4 Separation Control (purpose separation)

Measures that ensure that data collected for different purposes can be processed separately.

  • 1. Data collected for different purposes is separated (physically or logically) in such a way that it can be processed, stored and deleted separately in accordance with the purpose (roles and authorization concept). This applies to all systems used by the contractor.

  • 2. Development, test and production environments are separate.

§ 5 Pseudonymization (Art. 32 Para. 1 lit. a GDPR; Art. 25 Para. 1 GDPR)

  • 1. If appropriate, processing is carried out with pseudonymized data.

  • 2. Personal data is then processed in such a way that the data can no longer be assigned to a specific data subject without the use of additional information.

§ 6 Integrity (Art. 32 Para. 1 lit. b GDPR)

6.1 Transport and Transfer Control

Measures that ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission, during their storage on data carriers or during their transport, and that it can be determined to which locations a transmission of personal data by data transmission facilities is intended.

  • 1. The data is secured during transport, storage, transmission and processing outside the protected area of the company using strong encryption (e.g. hard disk encryption of data carriers).

  • 2. Access to such data additionally requires two-factor authentication.

  • 3. Instructions for handling information are defined and employees are trained to prevent misuse of the data (e.g. certified disposal of paper and data carriers, selection of transmission methods, encryption of all data carriers before official use). In particular, there are guidelines on teleworking in the remote office and on the data protection-compliant use of the Internet, IT and communication media. The corresponding instructions and training courses are carried out before the official start of work, but no later than on the first day of work. The obligation to comply with all instructions is confirmed in writing by the employees. The same applies to cooperation with external employees (e.g. freelancers), who also sign a non-disclosure agreement.

  • 4. Cryptographic keys to protect the data are securely managed in a corresponding management system.

  • 5. The contractor exchanges data with partner systems via a REST API. All communication between the systems of our partners and us is protected by hybrid encryption using RSA (2048 bit) and AES-256, in addition to the encrypted transport required under § 2 No. 4. We assign distinct roles so that access is always limited to the minimum necessary. This applies to the transmission of all data mentioned in this document.
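The measure above names the two algorithms but not how they are combined. The following added example (not HR Autopilot's code; the appendix does not publish its implementation) shows the usual hybrid construction such a statement refers to: the record is encrypted with a fresh per-message AES-256 key in GCM mode, and only that 32-byte key is encrypted with the recipient's RSA-2048 public key. The padding (RSA-OAEP with SHA-256), the AES mode (GCM), the `Envelope` wire format, the sample record and the `aad` context string are all assumptions made for the illustration. Transport encryption (TLS per § 2 No. 4) is still required; this layer only protects the payload end to end between partner and processor.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is the assumed wire format for one hybrid-encrypted API message:
// a per-message AES-256 key wrapped with the recipient's RSA-2048 public key
// (RSA-OAEP, SHA-256), plus the AES-GCM nonce and the authenticated ciphertext.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(pub, aesKey)
	Nonce      []byte // 96-bit GCM nonce, unique per message
	Ciphertext []byte // AES-256-GCM output with the GCM tag appended
}

// Seal encrypts plaintext for the holder of pub. A fresh 256-bit key is drawn
// per message, so RSA only ever protects 32 bytes and the payload size is
// unconstrained. aad (e.g. tenant/endpoint identifiers) is authenticated but
// not encrypted; Open fails if the recipient supplies different aad.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, plaintext, aad),
	}, nil
}

// Open unwraps the AES key with priv and decrypts/authenticates the payload.
// All failures map to one generic error so a caller cannot use the error text
// as an oracle to distinguish key-unwrap failures from tag failures.
func Open(priv *rsa.PrivateKey, env *Envelope, aad []byte) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("envelope rejected")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, errors.New("envelope rejected")
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("envelope rejected")
	}
	return pt, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Demo plays both sides of the exchange with a freshly generated RSA-2048 key
// pair and a constructed sample record. It returns whether the round trip
// reproduced the plaintext and whether a single flipped ciphertext bit was
// rejected, so the behaviour can be checked without reading printed output.
func Demo() (roundTripOK bool, tamperDetected bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	record := []byte(`{"employee_id":"E-1001","name":"Example Person"}`) // constructed sample
	aad := []byte("tenant=demo;endpoint=/v1/employees")                 // assumed context binding

	env, err := Seal(&priv.PublicKey, record, aad)
	if err != nil {
		return false, false, err
	}
	got, err := Open(priv, env, aad)
	roundTripOK = err == nil && string(got) == string(record)

	env.Ciphertext[0] ^= 0x01 // simulate in-transit corruption or tampering
	_, err = Open(priv, env, aad)
	tamperDetected = err != nil
	return roundTripOK, tamperDetected, nil
}

func main() {
	ok, tamper, err := Demo()
	fmt.Printf("round trip ok: %v, tamper detected: %v, err: %v\n", ok, tamper, err)
}
```

The point a practitioner should take from this layout is that RSA never touches the record itself: OAEP with a 2048-bit key can only carry about 190 bytes, and using it on payloads directly would also leave them unauthenticated. GCM supplies the integrity check, and the `aad` binding means an envelope captured from one tenant or endpoint cannot be replayed into another without being rejected.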

§ 7 Input control

Measures that ensure that it can be subsequently determined whether and by whom personal data has been entered, changed or removed in systems.

  • 1. The following events are logged (on the system side or otherwise):
    a. Processing of general personal data (name, first name, gender, age, audio, video, documents)
    b. Login and logout
    c. Configuration changes
    d. Password changes
    e. Creation, modification and deletion of accounts and groups
    f. Changes to the log configuration
    g. Activation and deactivation of security software such as virus scanners or local firewalls
    h. Changes to personal data in applications

  • 2. The degree of monitoring of system and network resources is determined according to the risk. Relevant legal aspects are taken into account.

  • 3. Log systems and logging information are protected against unauthorized access, modification and deletion and are regularly evaluated.

  • 4. The clocks of all critical systems are synchronized with a reliable and agreed time server.

§ 8 Order control

Measures that ensure that personal data processed on behalf of the customer can only be processed in accordance with the customer’s instructions:
No processing on behalf within the meaning of Art. 28 GDPR without a corresponding instruction from the customer, e.g.: clear contract design, formalized order management, strict selection of the service provider, obligation to verify the service provider in advance, follow-up checks.

  • 1. There are formal agreements on the exchange of information between the above-mentioned contracting parties.

  • 2. These agreements take into account the security of the data.

  • 3. Before commencing processing on behalf, a legally binding agreement is made with each service provider within the framework of a data processing agreement on how information and data are to be handled.

  • 4. Before commissioning external service providers, an assessment is carried out with regard to their reputation, qualification, software, hardware, personnel and financial resources and security aspects in relation to their future tasks.

  • 5. Compliance with the contracts is monitored through regular monitoring of contract execution. In the event of deviations, the defined contact persons for information security / data protection are involved and, if necessary, the contract or the execution of the contract is adjusted.

  • 6. In the event of termination without notice, additional measures are taken to prevent the intentional misuse of infrastructure or data by the external service provider (e.g. by blocking access).

  • 7. The instructing party on the customer’s side or the instruction recipient on the contractor’s side are known by name (or as a role).

§ 9 Availability, incl. resilience and recoverability

(Art. 32 Para. 1 lit. b+c GDPR) Measures that ensure that personal data is protected against accidental destruction or loss.

  • 1. There are protective measures (UPS, emergency power system, fire extinguishers, fire detection, etc.) against elemental hazards and outages, in particular fire, water, failure of supply networks, and denial of service.

  • 2. The data is processed in physically protected areas, the measures to secure the area are documented and are regularly checked.

  • 3. Systems for supplying the data processing systems are regularly maintained.

  • 4. The utilization of (system) resources is monitored and adjusted if necessary to ensure sufficient system capacity.

  • 5. Up-to-date protection against malware, zero-day exploits or malicious behavior of software is installed on all information systems, is managed centrally and kept up to date.

  • 6. Server systems are operated in secure environments (e.g. server rooms or data centers) and installation in offices is prevented.

  • 7. Data is backed up in such a way that it can be restored in a defined time, separated according to the purpose.

  • 8. The scope, frequency, type (full, differential, incremental), time frame, encryption and physically separate storage are taken into account in the data backup and documented in a comprehensible manner.

  • 9. Whenever the data backup procedure is changed, the recoverability of the data from the data backup is checked.

  • 10. Established redundancies (e.g. RAID, cluster, load balancer) are regularly checked for function, unless they are continuously in operation. Carried out checks are documented.

§ 10 Procedures for regular review, assessment and evaluation (Art. 32 Para. 1 lit. d GDPR)

Measures that ensure that data protection requirements are implemented and that these are also verifiable (data protection management).

  • 1. Relevant internal and external employees are instructed in data protection and committed to it.

  • 2. Internal and external employees are trained for processing activities / applications and informed about the consequences of data protection violations.

  • 3. The exit procedures for employees ensure that security breaches are avoided and equipment provided is returned.

  • 4. Devices are disposed of in such a way that no data can be reconstructed.

  • 5. The IT operating procedures (e.g. user management, backup, network management) are documented in a comprehensible manner, are regularly checked and adjusted if necessary.

  • 6. All changes are processed as part of a comprehensibly documented change management process.

  • 7. The risk of data breaches is reduced by separating responsibilities (e.g. system administration separate from data administration).

  • 8. Identification, provision and testing of updates are part of regular operations.

  • 9. Security functions of systems and applications are configured and activated.

  • 10. There is a set of rules for information security and data protection.

  • 11. The set of rules for information security and data protection and the security measures are regularly checked for compliance and effectiveness.

  • 12. There is a system and software development guideline that includes aspects of data protection.

§ 11 Incident Response Management

Measures that ensure that data breaches are quickly detected and reported.

  • 1. A process (ITIL) aligned with “best practices” is set up to ensure that security incidents are identified, assessed and handled appropriately.

  • 2. Escalation procedures and organizational interfaces are defined with all relevant parties and the data protection officer is involved immediately.

  • 3. All information security incidents that go beyond a typical minor disruption in day-to-day business are reported immediately to the defined contact points, without waiting for further investigation.

  • 4. Employees who are responsible for the administration of IT systems / applications are trained to recognize, classify and report security incidents.

  • 5. A process is established that ensures information security for all critical business processes, even during a crisis or disaster.

  • 6. Processes and responsibilities are defined for an emergency / crisis and corresponding exercises take place.

§ 12 Data protection-friendly technology design and default settings (Art. 25 GDPR)

Measures that ensure that Privacy by Design and by Default are taken into account.

  • 1. Part of a new or to be changed data processing operation is an assessment of the risks of the data subjects and, depending on this, the identification and realization of technical and organizational security measures. Early consideration is given to ensuring that the principles of data protection such as data minimization, integrity, accuracy of data processing, storage limitation, transparency, processing in good faith and purpose limitation are complied with.

  • 2. Before a new or modified data processing operation is put into production, it is checked as part of an acceptance test whether data protection is ensured by appropriate default settings. This is carried out by the technical manager.