{"id":3728,"date":"2025-08-26T13:19:50","date_gmt":"2025-08-26T11:19:50","guid":{"rendered":"https:\/\/hr-autopilot.de\/data-processing-agreement\/"},"modified":"2025-11-11T17:24:20","modified_gmt":"2025-11-11T16:24:20","slug":"data-processing-agreement","status":"publish","type":"page","link":"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/","title":{"rendered":"Data Processing Agreement"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-page\" data-elementor-id=\"3728\" class=\"elementor elementor-3728 elementor-270\" data-elementor-post-type=\"page\">\n\t\t\t\t<div class=\"elementor-element elementor-element-4cd2d85 e-flex e-con-boxed e-con e-parent\" data-id=\"4cd2d85\" data-element_type=\"container\" data-settings=\"{&quot;background_background&quot;:&quot;classic&quot;,&quot;jet_parallax_layout_list&quot;:[],&quot;shape_divider_bottom&quot;:&quot;curve&quot;,&quot;shape_divider_bottom_negative&quot;:&quot;yes&quot;}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-shape elementor-shape-bottom\" aria-hidden=\"true\" data-negative=\"true\">\n\t\t\t<svg xmlns=\"http:\/\/www.w3.org\/2000\/svg\" viewBox=\"0 0 1000 100\" preserveAspectRatio=\"none\">\n\t<path class=\"elementor-shape-fill\" d=\"M500,97C126.7,96.3,0.8,19.8,0,0v100l1000,0V1C1000,19.4,873.3,97.8,500,97z\"\/>\n<\/svg>\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-443ce79 e-con-full e-flex e-con e-child\" data-id=\"443ce79\" data-element_type=\"container\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[]}\">\n\t\t<div class=\"elementor-element elementor-element-dba57fa e-con-full e-flex e-con e-child\" data-id=\"dba57fa\" data-element_type=\"container\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[]}\">\n\t\t\t\t<div class=\"elementor-element elementor-element-766437d animated-fast elementor-invisible elementor-widget elementor-widget-heading\" data-id=\"766437d\" data-element_type=\"widget\" 
data-settings=\"{&quot;_animation&quot;:&quot;fadeInDown&quot;,&quot;_animation_delay&quot;:300}\" data-widget_type=\"heading.default\">\n\t\t\t\t\t<h1 class=\"elementor-heading-title elementor-size-default\">Data Processing Agreement<\/h1>\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t<div class=\"elementor-element elementor-element-fa90b63 e-flex e-con-boxed e-con e-parent\" data-id=\"fa90b63\" data-element_type=\"container\" data-settings=\"{&quot;jet_parallax_layout_list&quot;:[]}\">\n\t\t\t\t\t<div class=\"e-con-inner\">\n\t\t\t\t<div class=\"elementor-element elementor-element-0567f2d elementor-widget elementor-widget-text-editor\" data-id=\"0567f2d\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t\t\t\t\t\t<div class=\"elementor-element elementor-element-b6b15fd elementor-widget__width-initial elementor-widget elementor-widget-text-editor\" data-id=\"b6b15fd\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Controller:<br><br><\/p><p>HR-Autopilot GmbH<br>Im Grasfeld 8<br>50354 H\u00fcrth<\/p><\/div><\/div><div class=\"elementor-element elementor-element-0afdc85 e-con-full e-flex e-con e-child\" data-id=\"0afdc85\" data-element_type=\"container\"><div class=\"elementor-element elementor-element-8147187 elementor-widget elementor-widget-heading\" data-id=\"8147187\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h2 class=\"elementor-heading-title elementor-size-default\">Table of Contents<\/h2><\/div><\/div><div class=\"elementor-element elementor-element-4dbd165 elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"4dbd165\" data-element_type=\"widget\" data-widget_type=\"icon-list.default\"><div class=\"elementor-widget-container\"><ul class=\"elementor-icon-list-items\"><li 
class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Auftragsverarbeitung\"><span class=\"elementor-icon-list-text\">Data Processing Agreement<\/span><\/a><\/li><\/ul><\/div><\/div><div class=\"elementor-element elementor-element-e40fe23 elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"e40fe23\" data-element_type=\"widget\" data-widget_type=\"icon-list.default\"><div class=\"elementor-widget-container\"><ul class=\"elementor-icon-list-items\"><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#auftrag\"><span class=\"elementor-icon-list-text\">\u00a7 1 Mandate and Provisions for Processing<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#verantwortlichkeit\"><span class=\"elementor-icon-list-text\">\u00a7 2 Responsibility and Processing on Instruction<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#sicherheit\"><span class=\"elementor-icon-list-text\">\u00a7 3 Security of Processing<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Unterrichtung\"><span class=\"elementor-icon-list-text\">\u00a7 4 Notification in Case of Data Breaches, Processing Errors, and Insolvency or Similar Proceedings; Further Procedure<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Uebermitlung\"><span class=\"elementor-icon-list-text\">\u00a7 5 Transfer of Data to a Recipient in a Third Country or an International Organization<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Unterbeauftragungen\"><span class=\"elementor-icon-list-text\">\u00a7 6 Sub-processing by the 
Processor<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#rechte\"><span class=\"elementor-icon-list-text\">\u00a7 7 Rights of Data Subjects and Support for the Controller<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Kontroll\"><span class=\"elementor-icon-list-text\">\u00a7 8 Controller&#8217;s Rights of Control and Information<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Verpflichtungen\"><span class=\"elementor-icon-list-text\">\u00a7 9 Services Beyond Legal Obligations<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Haftung\"><span class=\"elementor-icon-list-text\">\u00a7 10 Liability and Damages<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Zustandekommen\"><span class=\"elementor-icon-list-text\">\u00a7 11 Conclusion, Term<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Schlussbestimmungen\"><span class=\"elementor-icon-list-text\">\u00a7 12 Final Provisions<\/span><\/a><\/li><\/ul><\/div><\/div><div class=\"elementor-element elementor-element-9ad48b2 elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"9ad48b2\" data-element_type=\"widget\" data-widget_type=\"icon-list.default\"><div class=\"elementor-widget-container\"><ul class=\"elementor-icon-list-items\"><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#anlage\"><span class=\"elementor-icon-list-text\">Appendix to the Data Processing Agreement<\/span><\/a><\/li><\/ul><\/div><\/div><div class=\"elementor-element elementor-element-0666d64 
elementor-icon-list--layout-traditional elementor-list-item-link-full_width elementor-widget elementor-widget-icon-list\" data-id=\"0666d64\" data-element_type=\"widget\" data-widget_type=\"icon-list.default\"><div class=\"elementor-widget-container\"><ul class=\"elementor-icon-list-items\"><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Vertraulichkeit\"><span class=\"elementor-icon-list-text\">\u00a7 1 Confidentiality (Art. 32 Para. 1 lit. b GDPR)<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Zugangskontrolle\"><span class=\"elementor-icon-list-text\">\u00a7 2 Physical Access Control<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Zugriffskontrolle%20\"><span class=\"elementor-icon-list-text\">\u00a7 3 System Access Control<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Trennungskontrolle\"><span class=\"elementor-icon-list-text\">\u00a7 4 Separation Control<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Pseudonymisierung\"><span class=\"elementor-icon-list-text\">\u00a7 5 Pseudonymization (Art. 32 Para. 1 lit. a GDPR; Art. 25 Para. 1 GDPR)<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Integritaet\"><span class=\"elementor-icon-list-text\">\u00a7 6 Integrity (Art. 32 Para. 1 lit. 
b GDPR)<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Eingabekontrolle\"><span class=\"elementor-icon-list-text\">\u00a7 7 Input Control<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Auftragskontrolle\"><span class=\"elementor-icon-list-text\">\u00a7 8 Order Control<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Verfuegbarkeit\"><span class=\"elementor-icon-list-text\">\u00a7 9 Availability, incl. Resilience and Recoverability <\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Verfahren\"><span class=\"elementor-icon-list-text\">\u00a7 10 Procedures for Regular Review, Assessment, and Evaluation (Art. 32 Para. 1 lit. d GDPR)<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Incident\"><span class=\"elementor-icon-list-text\">\u00a7 11 Incident Response Management<\/span><\/a><\/li><li class=\"elementor-icon-list-item\"><a href=\"https:\/\/hr-autopilot.de\/auftragsverarbeitung\/#Technikgestaltung\"><span class=\"elementor-icon-list-text\">\u00a7 12 Data Protection-Friendly Technology Design and Default Settings (Art. 
25 GDPR)<\/span><\/a><\/li><\/ul><\/div><\/div><\/div><div id=\"Auftragsverarbeitung\" class=\"elementor-element elementor-element-bc5230e elementor-widget elementor-widget-heading\" data-id=\"bc5230e\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h2 class=\"elementor-heading-title elementor-size-default\">Data Processing Agreement<\/h2><\/div><\/div><div id=\"auftrag\" class=\"elementor-element elementor-element-2801430 elementor-widget elementor-widget-heading\" data-id=\"2801430\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 1 Mandate and Provisions for Processing<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-7bd5a9d elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"7bd5a9d\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. This Data Processing Agreement (hereinafter DPA) pursuant to Art. 28 GDPR specifies the data protection rights and obligations of the parties for the processing of personal data within the meaning of the GDPR in the context of the respective existing contracts (usually offer and GTC) (hereinafter individually or jointly referred to as Main Agreement). <br><br><\/li><li>2. The contractually agreed processing shall take place exclusively in a Member State of the European Union or in another contracting state of the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the Controller and may only take place if the special requirements of Art. 44 et seq. GDPR are met. <br><br><\/li><li>3. 
In case of contradictions, this DPA shall take precedence over the Main Agreement, and the appendices of the DPA shall take precedence over this DPA.<\/li><\/ul><\/div><\/div><div id=\"verantwortlichkeit\" class=\"elementor-element elementor-element-8b9fb7b elementor-widget elementor-widget-heading\" data-id=\"8b9fb7b\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 2 Responsibility and Processing on Instruction<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-f6246e0 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"f6246e0\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. The Controller shall ensure compliance with the applicable legal provisions (Art. 4 No. 7 GDPR) and shall make the sole decision regarding the purposes and essential means of processing.  <br><br><\/li><li>2. The Processor shall act on instruction, unless an exceptional case pursuant to Art. 28 Para. 3 Sentence 2 lit. a GDPR exists (other legal processing obligation). Oral instructions must be confirmed in text form. The instructions already issued by the Controller result from the applicable Main Agreement in its currently valid version.   <br><br><\/li><li>3. The Processor shall rectify or erase the data subject to the contract or restrict their processing if the Controller so instructs. Erasure shall not take place insofar as the Processor is legally obliged to further store the personal data. <br><br><\/li><li>4. The Processor shall inform the Controller without undue delay if it is of the opinion that an instruction infringes applicable data protection provisions or this DPA. The Processor may suspend the implementation of the instruction until it has been confirmed or amended by the Controller in text form. 
The Processor may refuse to execute instructions that are obviously unlawful under data protection law.<br>  <br><br><\/li><li>5. The Processor shall ensure that persons authorized by it to process data<br>(a) are aware of and comply with the Controller&#8217;s instructions, and<br>(b) have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality. The duty of confidentiality shall continue to apply even after the termination of processing within the scope permissible under employment law. <\/li><\/ul><\/div><\/div><div id=\"sicherheit\" class=\"elementor-element elementor-element-cf55016 elementor-widget elementor-widget-heading\" data-id=\"cf55016\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 3 Security of Processing<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-bd08c50 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"bd08c50\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. The parties shall agree on technical and organizational measures pursuant to Art. 32 GDPR (hereinafter TOM) for the adequate protection of data, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons, in an appendix to this DPA (hereinafter TOM Appendix).<br><br><\/li><li>2. The Processor reserves the right to make changes to the TOM, provided that the contractually agreed level of protection is not compromised overall. New versions of the TOM Appendix shall be communicated to the Controller in text form upon request. 
<\/li><\/ul><\/div><\/div><div id=\"Unterrichtung\" class=\"elementor-element elementor-element-2f753df elementor-widget elementor-widget-heading\" data-id=\"2f753df\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 4 Notification in Case of Data Breaches, Processing Errors, and Insolvency or Similar Proceedings; Further Procedure<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-6b5bc85 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"6b5bc85\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. The parties shall inform each other without undue delay,<br>\u2022 if they become aware of personal data breaches within the meaning of Art. 4 No. 12 GDPR and Art. 33 Para. 2 GDPR or if there is a concrete suspicion of such a data breach;<br>\u2022 if they identify errors in the processing of personal data by the Processor. <br><br><\/li><li>2. Upon receiving the information, the Controller shall immediately issue instructions for rectifying the data breach or processing errors. If the Controller does not issue immediate instructions and the Processor may assume that immediate action is necessary to prevent further breaches or the occurrence of further errors, the Processor is entitled to take the necessary measures to rectify the data breach or errors and to mitigate adverse consequences, in particular, to cease data processing. It shall then coordinate with the Controller.  <br><br><\/li><li>3. If the Processor is of the opinion that an agreement or instruction infringes data protection regulations, it shall inform the Controller thereof in writing without undue delay. 
The Processor is entitled to suspend the implementation of the respective instruction until it is confirmed or amended by the Controller. <br><br><\/li><li>4. Oral notifications by both parties pursuant to the aforementioned paragraphs must be submitted in text form without undue delay.<br><br><\/li><li>5. Should the Controller&#8217;s data held by the Processor be jeopardized by seizure or confiscation, by insolvency or comparable proceedings, or by other events or measures of third parties, the Processor shall inform the Controller thereof in text form without undue delay. The Processor shall inform all third parties thereof. <\/li><\/ul><\/div><\/div><div id=\"Uebermitlung\" class=\"elementor-element elementor-element-0ae0c29 elementor-widget elementor-widget-heading\" data-id=\"0ae0c29\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 5 Transfer of Data to a Recipient in a Third Country or an International Organization<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-936349e elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"936349e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>The transfer of data to a recipient in a third country outside the EU and EEA is permissible subject to compliance with the conditions set out in Art. 44 et seq. 
GDPR.<\/p><\/div><\/div><div id=\"Unterbeauftragungen\" class=\"elementor-element elementor-element-0d262f2 elementor-widget elementor-widget-heading\" data-id=\"0d262f2\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 6 Sub-processing by the Processor<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-9c690c0 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"9c690c0\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. The Processor may only have the processing of personal data carried out wholly or partly by further processors (hereinafter &#8220;Sub-processors&#8221;) with the consent of the Controller.<br><br><\/li><li>2. The Processor shall inform the Controller in text form in advance of the intended engagement of Sub-processors or intended changes in sub-processing. The Controller may object to the sub-processing if there is an important reason. In the event of a justified objection, the Controller shall grant the Processor two weeks to replace the Sub-processor affected by the objection with another Sub-processor or to otherwise adapt the processing on behalf of the Controller so that it can be carried out without the Sub-processor affected by the objection.  <br><br><\/li><li>3. The Processor shall impose on the Sub-processor the same data protection obligations, insofar as legally mandatory, as are stipulated for the Processor in this DPA. In particular, the TOM agreed with the Sub-processor must provide an equivalent level of protection. <br><br><\/li><li>4. Services that the Processor uses as a mere ancillary service to support its business activities outside of data processing are not sub-processing. 
However, the Processor is obliged to take appropriate precautions to ensure the protection of data even for such ancillary services. <\/li><\/ul><\/div><\/div><div id=\"Rechte\" class=\"elementor-element elementor-element-9ec42c1 elementor-widget elementor-widget-heading\" data-id=\"9ec42c1\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 7 Rights of Data Subjects and Support for the Controller<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-166edc2 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"166edc2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>If a data subject asserts claims against a party pursuant to Chapter III of the GDPR, that party shall inform the other party thereof without undue delay. The Processor shall support the Controller to the best of its abilities in processing such requests and in complying with the obligations mentioned in Art. 32 to 36 GDPR. <\/p><\/div><\/div><div id=\"Kontroll\" class=\"elementor-element elementor-element-cba58c8 elementor-widget elementor-widget-heading\" data-id=\"cba58c8\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 8 Controller&#8217;s Rights of Control and Information<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-e5f4947 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"e5f4947\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. The Processor shall demonstrate to the Controller compliance with its obligations under this DPA by suitable means.<\/li><li>2. 
Suitable means may include, in particular, appropriate certifications or other suitable audit evidence. Certifications pursuant to Art. 40 GDPR or evidence pursuant to Art. 42 GDPR are particularly appropriate. The Controller&#8217;s statutory right of inspection remains unaffected.  <\/li><li>3. The Controller is entitled to conduct inspections at the Processor&#8217;s premises during normal business hours, without disrupting operations, and after prior notification and with reasonable lead time, to verify compliance with the obligations under this DPA. The Processor may make the inspection conditional on the signing of a confidentiality declaration regarding the data of other HR Autopilot customers and the TOM. <\/li><li>4. If a supervisory authority exercises powers pursuant to Art. 58 GDPR, the parties shall inform each other thereof without undue delay. They shall support each other within their respective areas of responsibility in fulfilling the obligations towards the respective supervisory authority. <\/li><\/ul><\/div><\/div><div id=\"Verpflichtungen\" class=\"elementor-element elementor-element-1d8a766 elementor-widget elementor-widget-heading\" data-id=\"1d8a766\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 9 Services Beyond Legal Obligations<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-b12c889 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"b12c889\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>The expenses incurred by the Processor for fulfilling its legal obligations are covered by the remuneration paid under the Main Agreement. 
With regard to the expenses for personnel services incurred for support in accordance with Section 7 Sentence 2 and for on-site controls in accordance with Sections 8.3 and 8.4 that go beyond an annual control or that arise during ad-hoc controls which do not reveal any data protection irregularities or violations during the control, the Processor reserves the right to charge for its expenses according to<br>its current rates. <\/p><\/div><\/div><div id=\"Haftung\" class=\"elementor-element elementor-element-bf8bb42 elementor-widget elementor-widget-heading\" data-id=\"bf8bb42\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 10 Liability and Damages<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-b02a757 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"b02a757\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. If a data subject asserts claims for damages against a party due to a breach of data protection provisions, the party against whom the claim is asserted shall inform the other party thereof without undue delay.<br><br><\/li><li>2. The parties shall be liable to data subjects in accordance with the provisions of Art. 
82 GDPR.<\/li><\/ul><\/div><\/div><div id=\"Zustandekommen\" class=\"elementor-element elementor-element-f26fb3f elementor-widget elementor-widget-heading\" data-id=\"f26fb3f\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 11 Conclusion, Term<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-5896cc3 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"5896cc3\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>The term of the DPA corresponds to the term of the Main Agreement, but at most for as long as the Processor still processes data for the Controller. Upon termination of the Main Agreement, the Processor shall, at the Controller&#8217;s discretion, return or erase the data processed on behalf of the Controller in compliance with data protection regulations, and erase any existing copies of the data, unless there is an obligation to store them. After termination of this agreement, the Processor shall, subject to statutory retention obligations or other provisions entitling it to retention, return the data processed for the Controller under this agreement to the Controller, or destroy or erase it.  
<\/p><\/div><\/div><div id=\"Schlussbestimmungen\" class=\"elementor-element elementor-element-d21304f elementor-widget elementor-widget-heading\" data-id=\"d21304f\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 12 Final Provisions<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-544de0b elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"544de0b\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. Amendments, supplements, or termination of the DPA require text form to be effective. This also applies to an amendment of this formal clause. An amendment becomes effective if the Controller is notified of the corresponding amendment in text form and does not object to the amendment within a period of 4 weeks. If the Controller objects to the amendment in text form, the previous DPA remains in force. In this case, the parties shall agree amicably on the necessary adjustments to this DPA. If the parties do not reach an agreement, each party has the right to terminate the DPA with a notice period of four weeks.<br>     <br><br><\/li><li>2. Deviating oral agreements between the parties are invalid.<br><br><\/li><li>3. Should any provision of the DPA be or become invalid, the validity of the remainder of the agreement shall remain unaffected.<br><br><\/li><li>4. 
The law of the Federal Republic of Germany shall apply, to the exclusion of its conflict-of-laws provisions.<\/li><\/ul><\/div><\/div><div id=\"anlage\" class=\"elementor-element elementor-element-bbf953a elementor-widget elementor-widget-heading\" data-id=\"bbf953a\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h2 class=\"elementor-heading-title elementor-size-default\">Appendix to the Data Processing Agreement &#8211; Technical and Organizational Measures<\/h2><\/div><\/div><div class=\"elementor-element elementor-element-191bd3b elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"191bd3b\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Description of the Processor&#8217;s technical and organizational measures for the adequate protection of customer data pursuant to Art. 32 GDPR<\/p><p>Through the technical and organizational measures, the resilience, integrity, pseudonymization, availability, encryption, confidentiality, and recoverability of the systems and services of HR Autopilot and its sub-processors in connection with this DPA are ensured.<\/p><p>In addition, the Customer is solely responsible for developing and implementing its own suitable measures pursuant to Art. 24 GDPR. The Customer should request corresponding guidelines, such as ISO 27002, from the Federal Office for Information Security and comply with them. <\/p><\/div><\/div><div id=\"Vertraulichkeit\" class=\"elementor-element elementor-element-30de92e elementor-widget elementor-widget-heading\" data-id=\"30de92e\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 1 Confidentiality (Art. 32 Para. 1 lit. 
b GDPR)<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-1a33828 elementor-widget elementor-widget-heading\" data-id=\"1a33828\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">1.1 Physical Access Control<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-68b7fa3 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"68b7fa3\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Measures to prevent unauthorized persons from gaining physical access to data processing facilities where personal data are processed and used.<\/p><\/div><\/div><div class=\"elementor-element elementor-element-44dbae0 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"44dbae0\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. For all relevant locations, security zones and their physical protection are defined and documented in a security zone concept and can be presented upon request. Content points of the concept include, for example:<br>Supervision of external persons within the security zones, controlled access assignment, use of GDPR-compliant server structures according to ISO 27001, etc. <br><br><\/li><li>2. The defined security zone concept is implemented for all relevant locations.<br><br><\/li><li>3. The security zone concept is reviewed at least once a year. <br><br><\/li><li>4. The security zones for all relevant locations are protected by physical barriers (fence, solid walls, doors, physical access control system, intruder alarm system, etc.) to ensure access only for authorized persons. Visitors in security zones are accompanied by authorized personnel. <br><br><\/li><li>5. 
A documented and effective procedure exists for the assignment, modification, and revocation of physical access rights, including the return of access media. This assignment is carried out according to the &#8220;Need-to-Know&#8221; principle.  <\/li><\/ul><\/div><\/div><div id=\"Zugangskontrolle\" class=\"elementor-element elementor-element-70395e5 elementor-widget elementor-widget-heading\" data-id=\"70395e5\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 2 System Access Control<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-46486f2 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"46486f2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Measures to prevent unauthorized persons from using data processing systems.<\/p><\/div><\/div><div class=\"elementor-element elementor-element-49b7c8a elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"49b7c8a\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. A documented and effective system access control concept exists, including:<br><br><\/li><li>2. Network security zones and network segmentation.<br><br><\/li><li>3. The system access control concept defines the assignment, modification, and revocation of access rights, as well as their approval for internal and external employees.<br><br><\/li><li>4. Every connection is established exclusively via encrypted protocols such as HTTPS, SSL\/TLS, SSH, or protocols of a similar or higher security standard.<br><br><\/li><li>5. The processes for the assignment, modification, and revocation of access rights, as well as their approval, are logged in a traceable manner.<br><br><\/li><li>6. 
The system access control concept is reviewed by the Processor at least twice a year.<br><br><\/li><li>7. Each user ID is uniquely assigned to a natural person at all times and may not be passed on or shared.<br><br><\/li><li>8. Secure passwords are used. Their structure and handling comply with a documented password policy that exclusively provides for 2-factor authentication for all employees across all systems. The self-chosen password must comply with the recommendations of the Federal Office for Information Security (min. 8 characters, use of all available characters including upper and lower case, digits, and special characters).  <br><br><\/li><li>9. Default passwords for systems and applications (e.g., Oracle, SAP) are always changed.<br><br><\/li><li>10. It is ensured that initial passwords for users become unusable after a short period if they have not been changed immediately.<br><br><\/li><li>11. Passwords may only be reset or changed by authorized persons according to a defined process.<br><br><\/li><li>12. Administrators use separate access credentials for system management, and their privileged activities are logged.<br><br><\/li><li>13. The delegation of rights (deputy arrangement) is carried out exclusively according to defined specifications.<br><br><\/li><li>14. All employees are instructed to lock their workstations when they leave them.<br><br><\/li><li>15. Workstations are configured with automatic locking by default.<br><br><\/li><li>16. All system accesses (applications, operating systems, BIOS, boot devices, etc.) are password-protected or locked.<br><br><\/li><li>17. Employee devices are automatically locked after 10 minutes of inactivity or non-use. All employees are instructed to lock all devices immediately when leaving their workstation. Further details can be found in the data protection training.  <br><br><\/li><li>18. 
External access (Remote Access) is secured via a firewall, using strong encryption and 2-factor authentication.<\/li><\/ul><\/div><\/div><div id=\"Zugriffskontrolle\" class=\"elementor-element elementor-element-421940f elementor-widget elementor-widget-heading\" data-id=\"421940f\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 3 Access Control<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-bdab6b6 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"bdab6b6\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Measures that ensure that authorized persons can only access data subject to their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and storage.<\/p><\/div><\/div><div class=\"elementor-element elementor-element-a83c03d elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"a83c03d\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. It is ensured that only the access rights required to fulfill the respective task are assigned.<br><br><\/li><li>2. The assignment and release of access rights is documented in a comprehensible manner so that it can be determined who has access to the data.<br><br><\/li><li>3. The assignment procedure and the access rights are regularly checked and confirmed. Access rights are revoked immediately if they are no longer required. <br><br><\/li><li>4. A responsible person is defined for each data item, who decides who may receive which access.<br><br><\/li><li>5. Access rights are adjusted when the tasks in the business processes change.<br><br><\/li><li>6. 
It is ensured in the applications that the assigned access rights are technically implemented.<br><br><\/li><li>7. Unauthorized access is excluded in all environments that contain production data (including development, testing, etc.).<\/li><\/ul><\/div><\/div><div id=\"Trennungskontrolle\" class=\"elementor-element elementor-element-c477ce7 elementor-widget elementor-widget-heading\" data-id=\"c477ce7\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 4 Separation of duties<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-94cd2dd elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"94cd2dd\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Measures that ensure that data collected for different purposes can be processed separately.<\/p><\/div><\/div><div class=\"elementor-element elementor-element-da36b51 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"da36b51\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. Data collected for different purposes is separated (physically or logically) in such a way that it can be processed, stored and deleted separately in accordance with the purpose (roles and authorization concept). This applies to all systems used by the contractor. <br><br><\/li><li>2. 
Development, test and production environments are separate.<\/li><\/ul><\/div><\/div><div id=\"Pseudonymisierung\" class=\"elementor-element elementor-element-db04f4a elementor-widget elementor-widget-heading\" data-id=\"db04f4a\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 5 Pseudonymization (Art. 32 Para. 1 lit. a GDPR; Art. 25 Para. 1 GDPR)<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-3fabc2e elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"3fabc2e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. If appropriate, processing is carried out with pseudonymized data.<br><br><\/li><li>2. Personal data is then processed in such a way that the data can no longer be assigned to a specific data subject without the use of additional information.<\/li><\/ul><\/div><\/div><div id=\"Integritaet\" class=\"elementor-element elementor-element-815405e elementor-widget elementor-widget-heading\" data-id=\"815405e\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 6 Integrity (Art. 32 Para. 1 lit. 
b GDPR)<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-59c5337 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"59c5337\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p><strong>Transport and transfer control<\/strong><br>Measures that ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission, during its storage on data carriers or during its transport, and that it can be determined to which locations a transmission of personal data by data transmission facilities is intended.<\/p><\/div><\/div><div class=\"elementor-element elementor-element-f821c13 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"f821c13\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. The data is secured during transport, storage, transmission and processing outside the protected area of the company using methods such as strong encryption,<br><br><\/li><li>2. Two-factor authentication (e.g. hard disk encryption).<br><br><\/li><li>3. Instructions for handling information are defined and employees are trained to prevent misuse of the data (e.g. certified disposal of paper and data carriers, selection of transmission methods, encryption of all data carriers before official use). In particular, there are guidelines on teleworking in the remote office and on the data protection-compliant use of the Internet, IT and communication media. The corresponding instructions and training courses are carried out before the official start of work, but no later than on the first day of work. The obligation to comply with all instructions is confirmed in writing by the employees. The same applies to cooperation with external employees (e.g. freelancers), who also sign a non-disclosure agreement.   
 <br><br><\/li><li>4. Cryptographic keys to protect the data are securely managed in a corresponding management system.<br><br><\/li><li>5. The contractor uses a REST API to implement an exchange of data. We secure all communication between the systems of our partners and us using two encryption mechanisms: RSA (2048 bit) and AES-256.  <br>We assign different roles so that access is always limited to the minimum necessary. This applies to the transmission of all data mentioned in this document. <\/li><\/ul><\/div><\/div><div id=\"Eingabekontrolle\" class=\"elementor-element elementor-element-2af6b08 elementor-widget elementor-widget-heading\" data-id=\"2af6b08\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 7 Input control<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-4eaf7b1 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"4eaf7b1\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Measures that ensure that it can be subsequently determined whether and by whom personal data has been entered, changed or removed in systems.<\/p><\/div><\/div><div class=\"elementor-element elementor-element-6656ad6 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"6656ad6\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. The following events are logged (on the system side or otherwise):<br>a. General personal data: name, first name, gender, age, audio, video, documents<br>b. Login and logout<br>c. Configuration changes<br>d. Password changes<br>e. Creation, modification and deletion of accounts and groups<br>f. Changes in the log configuration<br>g. Activation and deactivation of security software such as virus scanners or local firewalls<br>h. 
Changes to personal data in applications<br><br><\/li><li>2. The degree of monitoring of system and network resources is determined according to the risk. Relevant legal aspects are taken into account. <br><br><\/li><li>3. Log systems and logging information are protected against unauthorized access, modification and deletion and are regularly evaluated.<br><br><\/li><li>4. The clocks of all critical systems are synchronized with a reliable and agreed time server.<\/li><\/ul><\/div><\/div><div id=\"Auftragskontrolle\" class=\"elementor-element elementor-element-e74e665 elementor-widget elementor-widget-heading\" data-id=\"e74e665\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 8 Order control<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-7bb5594 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"7bb5594\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Measures that ensure that personal data processed on behalf of the customer can only be processed in accordance with the customer&#8217;s instructions:<br>No processing on behalf of the customer within the meaning of Art. 28 GDPR without a corresponding instruction from the customer, e.g.: clear contract design, formalized order management, strict selection of the service provider, obligation to verify the service provider in advance, follow-up checks.<\/p><\/div><\/div><div class=\"elementor-element elementor-element-18b6dd2 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"18b6dd2\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. There are formal agreements on the exchange of information between the above-mentioned<br><br><\/li><li>2. 
Contracting parties that take into account the security of the data.<br><br><\/li><li>3. Before commencing order processing, a legally binding agreement is made with each service provider within the framework of an AV on how information \/ data is to be handled.<br><br><\/li><li>4. Before commissioning external service providers, an assessment is carried out with regard to their reputation, qualification, software, hardware, personnel and financial resources and security aspects in relation to their future tasks.<br><br><\/li><li>5. Compliance with the contracts is monitored through regular monitoring of contract execution. In the event of deviations, the defined contact persons for information security \/ data protection are involved and, if necessary, the contract or the execution of the contract is adjusted. <br><br><\/li><li>6. In the event of termination without notice, additional measures are taken to prevent the intentional misuse of infrastructure or data by the external service provider (e.g. by blocking access).<br><br><\/li><li>7. The instructing party on the customer&#8217;s side or the instruction recipient on the contractor&#8217;s side are known by name (or as a role).<\/li><\/ul><\/div><\/div><div id=\"Verfuegbarkeit\" class=\"elementor-element elementor-element-48fb0ba elementor-widget elementor-widget-heading\" data-id=\"48fb0ba\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 9 Availability, incl. resilience and recoverability <\/h3><\/div><\/div><div class=\"elementor-element elementor-element-2169025 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"2169025\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>(Art. 32 Para. 1 lit. 
b+c GDPR) Measures that ensure that personal data is protected against accidental destruction or loss. <\/p><\/div><\/div><div class=\"elementor-element elementor-element-ef134d5 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"ef134d5\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. There are protective measures (UPS, emergency power system, fire extinguishers, fire detection, etc.) against elementary hazards &#8211; in particular fire, water, failure of supply networks, denial of service. <br><br><\/li><li>2. The data is processed in physically protected areas, the measures to secure the area are documented and are regularly checked.<br><br><\/li><li>3. Systems for supplying the data processing systems are regularly maintained.<br><br><\/li><li>4. The utilization of (system) resources is monitored and adjusted if necessary to ensure sufficient system capacity.<br><br><\/li><li>5. Up-to-date protection against malware, zero-day exploits or malicious behavior of software is installed on all information systems, is managed centrally and kept up to date.<br><br><\/li><li>6. Server systems are operated in secure environments (e.g. server rooms or data centers) and installation in offices is prevented.<br><br><\/li><li>7. Data is backed up in such a way that it can be restored in a defined time, separated according to the purpose.<br><br><\/li><li>8. The scope, frequency, type (full, differential, incremental), time frame, encryption and physically separate storage are taken into account in the data backup and documented in a comprehensible manner.<br><br><\/li><li>9. Whenever the data backup procedure is changed, the recoverability of the data from the data backup is checked.<br><br><\/li><li>10. Established redundancies (e.g. RAID, cluster, load balancer) are regularly checked for function, unless they are continuously in operation. 
The checks carried out are documented. <\/li><\/ul><\/div><\/div><div id=\"Verfahren\" class=\"elementor-element elementor-element-155bbe1 elementor-widget elementor-widget-heading\" data-id=\"155bbe1\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 10 Procedures for regular review, assessment and evaluation (Art. 32 Para. 1 lit. d GDPR)<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-389ea80 elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"389ea80\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Measures that ensure that data protection requirements are implemented and that these are also verifiable (data protection management).<\/p><\/div><\/div><div class=\"elementor-element elementor-element-8416ceb elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"8416ceb\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. Relevant internal and external employees are instructed in data protection and bound to comply with it.<br><br><\/li><li>2. Internal and external employees are trained for processing activities \/ applications and informed about the consequences of data protection violations.<br><br><\/li><li>3. The exit procedures for employees ensure that security breaches are avoided and equipment provided is returned.<br><br><\/li><li>4. Devices are disposed of in such a way that no data can be reconstructed.<br><br><\/li><li>5. The IT operating procedures (e.g. user management, backup, network management) are documented in a comprehensible manner, are regularly checked and adjusted if necessary.<br><br><\/li><li>6. 
All changes are processed as part of a comprehensibly documented change management process.<br><br><\/li><li>7. The risk of data breaches is reduced by separating responsibilities (e.g. system administration separate from data administration).<br><br><\/li><li>8. Identification, provision and testing of updates are part of regular operations.<br><br><\/li><li>9. Security functions of systems and applications are configured and activated.<br><br><\/li><li>10. There is a set of rules for information security and data protection.<br><br><\/li><li>11. The set of rules for information security and data protection and the security measures are regularly checked for compliance and effectiveness.<br><br><\/li><li>12. There is a system and software development guideline that includes aspects of data protection.<\/li><\/ul><\/div><\/div><div id=\"Incident\" class=\"elementor-element elementor-element-b584afa elementor-widget elementor-widget-heading\" data-id=\"b584afa\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 11 Incident Response Management<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-e85b89c elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"e85b89c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Measures that ensure that data breaches are quickly detected and reported.<\/p><\/div><\/div><div class=\"elementor-element elementor-element-c61623c elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"c61623c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. 
A process (ITIL) aligned with &#8220;best practices&#8221; is set up to ensure that security incidents are identified, assessed and handled appropriately.<br><br><\/li><li>2. Escalation procedures and organizational interfaces are defined with all relevant parties and the data protection officer is involved immediately.<br><br><\/li><li>3. All information security incidents that go beyond a typical minor disruption in day-to-day business are reported immediately to the defined reporting points without further review.<br><br><\/li><li>4. Employees who are responsible for the administration of IT systems \/ applications are trained to recognize, classify and report security incidents.<br><br><\/li><li>5. A process is established that ensures information security for all critical business processes, even during a crisis or disaster.<br><br><\/li><li>6. Processes and responsibilities are defined for an emergency \/ crisis and corresponding exercises take place.<\/li><\/ul><\/div><\/div><div id=\"Technikgestaltung\" class=\"elementor-element elementor-element-d3c4f10 elementor-widget elementor-widget-heading\" data-id=\"d3c4f10\" data-element_type=\"widget\" data-widget_type=\"heading.default\"><div class=\"elementor-widget-container\"><h3 class=\"elementor-heading-title elementor-size-default\">\u00a7 12 Data protection-friendly technology design and default settings (Art. 
25 GDPR)<\/h3><\/div><\/div><div class=\"elementor-element elementor-element-c3f405e elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"c3f405e\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><p>Measures that ensure that Privacy by Design and by Default are taken into account.<\/p><\/div><\/div><div class=\"elementor-element elementor-element-442256d elementor-widget__width-inherit elementor-widget elementor-widget-text-editor\" data-id=\"442256d\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\"><div class=\"elementor-widget-container\"><ul><li>1. Every new or modified data processing operation includes an assessment of the risks to the data subjects and, depending on the outcome, the identification and implementation of technical and organizational security measures. Early consideration is given to ensuring that the principles of data protection such as data minimization, integrity, accuracy of data processing, storage limitation, transparency, processing in good faith and purpose limitation are complied with. <br><br><\/li><li>2. Before a new or modified data processing operation is put into production, it is checked as part of an acceptance test whether data protection is ensured by appropriate default settings. This is carried out by the technical manager. 
<\/li><\/ul><\/div><\/div>\t\t\t\t\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>Data Processing Agreement Controller: HR-Autopilot GmbHIm Grasfeld 850354 H\u00fcrth Table of Contents Data Processing Agreement \u00a7 1 Mandate and Provisions for Processing \u00a7 2 Responsibility and Processing on Instruction \u00a7 3 Security of Processing \u00a7 4 Notification in Case of Data Breaches, Processing Errors, and Insolvency or Similar Proceedings; Further Procedure \u00a7 5 Transfer of [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-3728","page","type-page","status-publish","hentry"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Data Processing Agreement | HR-Autopilot<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Data Processing Agreement | HR-Autopilot\" \/>\n<meta property=\"og:description\" content=\"Data Processing Agreement Controller: HR-Autopilot GmbHIm Grasfeld 850354 H\u00fcrth Table of Contents Data Processing Agreement \u00a7 1 Mandate and Provisions for Processing \u00a7 2 Responsibility and Processing on Instruction \u00a7 3 Security of Processing \u00a7 4 Notification in Case of Data Breaches, Processing Errors, and Insolvency or Similar Proceedings; Further Procedure \u00a7 5 Transfer of [&hellip;]\" \/>\n<meta property=\"og:url\" content=\"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/\" \/>\n<meta 
property=\"og:site_name\" content=\"HR-Autopilot\" \/>\n<meta property=\"article:modified_time\" content=\"2025-11-11T16:24:20+00:00\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data1\" content=\"20 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/\",\"url\":\"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/\",\"name\":\"Data Processing Agreement | HR-Autopilot\",\"isPartOf\":{\"@id\":\"https:\/\/hr-autopilot.de\/en\/#website\"},\"datePublished\":\"2025-08-26T11:19:50+00:00\",\"dateModified\":\"2025-11-11T16:24:20+00:00\",\"breadcrumb\":{\"@id\":\"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Startseite\",\"item\":\"https:\/\/hr-autopilot.de\/en\/home\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Data Processing Agreement\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/hr-autopilot.de\/en\/#website\",\"url\":\"https:\/\/hr-autopilot.de\/en\/\",\"name\":\"HR-Autopilot\",\"description\":\"Your HR on 
autopilot\",\"publisher\":{\"@id\":\"https:\/\/hr-autopilot.de\/en\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/hr-autopilot.de\/en\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/hr-autopilot.de\/en\/#organization\",\"name\":\"HR-Autopilot\",\"url\":\"https:\/\/hr-autopilot.de\/en\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/hr-autopilot.de\/en\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/hr-autopilot.de\/wp-content\/uploads\/682f5aa81f810299abfb111c_HR-Autopilot-logo_webp-p-500.webp\",\"contentUrl\":\"https:\/\/hr-autopilot.de\/wp-content\/uploads\/682f5aa81f810299abfb111c_HR-Autopilot-logo_webp-p-500.webp\",\"width\":500,\"height\":89,\"caption\":\"HR-Autopilot\"},\"image\":{\"@id\":\"https:\/\/hr-autopilot.de\/en\/#\/schema\/logo\/image\/\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"Data Processing Agreement | HR-Autopilot","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/","og_locale":"en_US","og_type":"article","og_title":"Data Processing Agreement | HR-Autopilot","og_description":"Data Processing Agreement Controller: HR-Autopilot GmbHIm Grasfeld 850354 H\u00fcrth Table of Contents Data Processing Agreement \u00a7 1 Mandate and Provisions for Processing \u00a7 2 Responsibility and Processing on Instruction \u00a7 3 Security of Processing \u00a7 4 Notification in Case of Data Breaches, Processing Errors, and Insolvency or Similar Proceedings; Further Procedure \u00a7 5 Transfer of [&hellip;]","og_url":"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/","og_site_name":"HR-Autopilot","article_modified_time":"2025-11-11T16:24:20+00:00","twitter_card":"summary_large_image","twitter_misc":{"Est. 
reading time":"20 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/","url":"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/","name":"Data Processing Agreement | HR-Autopilot","isPartOf":{"@id":"https:\/\/hr-autopilot.de\/en\/#website"},"datePublished":"2025-08-26T11:19:50+00:00","dateModified":"2025-11-11T16:24:20+00:00","breadcrumb":{"@id":"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/hr-autopilot.de\/en\/data-processing-agreement\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Startseite","item":"https:\/\/hr-autopilot.de\/en\/home\/"},{"@type":"ListItem","position":2,"name":"Data Processing Agreement"}]},{"@type":"WebSite","@id":"https:\/\/hr-autopilot.de\/en\/#website","url":"https:\/\/hr-autopilot.de\/en\/","name":"HR-Autopilot","description":"Your HR on 
autopilot","publisher":{"@id":"https:\/\/hr-autopilot.de\/en\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/hr-autopilot.de\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/hr-autopilot.de\/en\/#organization","name":"HR-Autopilot","url":"https:\/\/hr-autopilot.de\/en\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/hr-autopilot.de\/en\/#\/schema\/logo\/image\/","url":"https:\/\/hr-autopilot.de\/wp-content\/uploads\/682f5aa81f810299abfb111c_HR-Autopilot-logo_webp-p-500.webp","contentUrl":"https:\/\/hr-autopilot.de\/wp-content\/uploads\/682f5aa81f810299abfb111c_HR-Autopilot-logo_webp-p-500.webp","width":500,"height":89,"caption":"HR-Autopilot"},"image":{"@id":"https:\/\/hr-autopilot.de\/en\/#\/schema\/logo\/image\/"}}]}},"publishpress_future_workflow_manual_trigger":{"enabledWorkflows":[]},"_links":{"self":[{"href":"https:\/\/hr-autopilot.de\/en\/wp-json\/wp\/v2\/pages\/3728","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/hr-autopilot.de\/en\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/hr-autopilot.de\/en\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/hr-autopilot.de\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/hr-autopilot.de\/en\/wp-json\/wp\/v2\/comments?post=3728"}],"version-history":[{"count":1,"href":"https:\/\/hr-autopilot.de\/en\/wp-json\/wp\/v2\/pages\/3728\/revisions"}],"predecessor-version":[{"id":3731,"href":"https:\/\/hr-autopilot.de\/en\/wp-json\/wp\/v2\/pages\/3728\/revisions\/3731"}],"wp:attachment":[{"href":"https:\/\/hr-autopilot.de\/en\/wp-json\/wp\/v2\/media?parent=3728"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}