Order processing of personal data according to General Data Protection Regulation of the EU

Contract on the processing of personal data in accordance with the General Data Protection Regulation of the EU

Contract on the processing of personal data by order


see completed form entries
(hereinafter referred to as the Customer or Client)


see information in imprint
(hereinafter referred to as Contractor)

1 Introduction, scope, definitions

(1) This Agreement regulates the rights and obligations of the Customer and the contractor (hereinafter referred to as "Parties") in handling personal data on behalf of the Customer.

(2) This contract applies to all activities in which employees of the contractor or subcontractors commissioned by the contractor process personal data of the Customer.

(3) Terms used in this contract shall be understood in accordance with their definition in the EU General Data Protection Regulation. Insofar as declarations in the following are to be made "in writing", the written form according to § 126 BGB (German Civil Code) is meant. Otherwise, declarations may also be made in any other form, provided that reasonable verifiability is guaranteed.

2 Subject and duration of processing

2.1 Subject matter

The contractor shall undertake the following processing operations:

• see the form entries made

The processing is based on the service contract existing between the parties (hereinafter referred to as the "main contract").

2.2 Duration

Processing shall commence on 03.06.2023 and shall continue indefinitely until one party terminates this contract or the main contract.

3 Type and purpose of data collection, processing or use:

3.1 Type and purpose of processing

The processing shall take the following forms: collection, recording and storage
The processing serves the following purpose: Establishing contact with the contractor.

3.2 Type of data

The following data is processed:

• see form entries made

3.2.1 Categories of data subjects

Affected by the Processing:

• see form entries made

4 Duties of the contractor

(1) The contractor processes personal data exclusively as contractually agreed or as instructed by the client, unless the contractor is legally obliged to a certain processing. If such obligations exist for the Contractor, the Contractor shall notify the Customer thereof prior to processing, unless such notification is prohibited by law. Furthermore, the Contractor shall not use the data provided for processing for any other purpose, in particular not for its own purposes.

(2) The contractor confirms that he is aware of the relevant, general data protection regulations. He shall observe the principles of proper data processing.

(3) The contractor undertakes to maintain strict confidentiality during processing.

(4) Persons who may gain knowledge of the data processed in the order must undertake in writing to maintain confidentiality, unless they are already legally subject to a relevant confidentiality obligation.

(5) The contractor warrants that the persons employed by him for processing have been made familiar with the relevant provisions of data protection and this contract prior to commencement of processing. Appropriate training and awareness-raising measures shall be repeated appropriately and regularly. The Contractor shall ensure that persons employed for order processing are instructed and monitored appropriately on an ongoing basis with regard to compliance with the data protection requirements.

(6) In connection with the commissioned processing, the Contractor shall support the Client in the preparation and updating of the list of processing activities and in carrying out the data protection impact assessment. All necessary information and documentation shall be kept available and shall be forwarded to the Customer without delay upon request.

(7) If the Customer is subject to inspection by supervisory authorities or other bodies or if affected persons assert rights against him, the Contractor undertakes to support the Customer to the necessary extent insofar as the processing in the order is affected.

(8) The contractor may only provide information to third parties or the affected party with the prior consent of the customer. He shall forward any enquiries directly addressed to him to the Customer without delay.

(9) Insofar as required by law, the Contractor shall appoint a competent and reliable person as data protection officer. It must be ensured that there are no conflicts of interest for the agent. In cases of doubt, the client may contact the data protection officer directly. The contractor shall inform the client immediately of the contact details of the data protection officer or explain why no officer has been appointed. The contractor shall inform the customer immediately of any changes in the person or internal tasks of the data protection officer.

(10) The order processing takes place in principle within the EU or the EEA. Any relocation to a third country may only take place with the consent of the Customer and under the conditions contained in Chapter V of the General Data Protection Regulation and in compliance with the provisions of this contract.

(11) If the Contractor is not established in the European Union, he shall appoint a responsible contact person in the European Union in accordance with Art. 27 of the General Data Protection Regulation. The contact data of the contact person as well as all changes in the person of the contact person are to be communicated to the client immediately.

5 Technical and organisational measures

(1) The data security measures described in Annex 1 shall be made mandatory. They define the minimum owed by the Contractor. The description of the measures shall be sufficiently detailed for a competent third party to be able to determine beyond doubt at any time what the minimum owed should be solely on the basis of the description. A reference to information which cannot be taken directly from this agreement or its annexes is not permissible.

(2) The data security measures may be adapted to the technical and organisational further development as long as they do not fall below the level agreed here. The Contractor shall immediately implement any changes required to maintain information security. The Customer shall be notified immediately of any changes. Material changes are to be agreed between the parties.

(3) If the security measures taken do not or no longer meet the Customer's requirements, the Contractor shall notify the Customer immediately.

(4) The contractor warrants that the data processed in the order will be strictly separated from other databases.

(5) Copies or duplicates shall not be made without the knowledge of the Customer. Technically necessary, temporary duplications are exempt from this, provided that any impairment of the level of data protection agreed here is ruled out.

(6) The processing of data in private homes is only permitted with the prior written consent of the client in individual cases. Insofar as such processing takes place, the contractor shall ensure that a level of data protection and data security corresponding to this contract is maintained and that the control rights of the client specified in this contract can also be exercised without restriction in the private apartments concerned. The processing of data on behalf of the client with private devices is not permitted under any circumstances.

(7) Dedicated data carriers originating from the client or used for the client are specially marked and are subject to ongoing administration. They must be stored appropriately at all times and must not be accessible to unauthorised persons. Inputs and outputs shall be documented.

(8) The contractor shall provide regular proof of the fulfilment of his obligations, in particular the complete implementation of the agreed technical and organisational measures as well as their effectiveness. The proof shall be provided to the Customer at the latest every 12 months without being requested to do so and otherwise at any time upon request. The proof can be provided by approved rules of conduct or an approved certification procedure.

6 Rules for the correction, deletion and blocking of data

(1) The contractor shall correct, delete or block data processed within the scope of the order only in accordance with the contractual agreement reached or in accordance with the instructions of the client.

(2) The Contractor shall follow the corresponding instructions of the Customer at all times and also beyond the termination of this contract.

7 Subcontracting relationships

(1) The commissioning of subcontractors shall only be permitted in individual cases with the written consent of the client.

(2) Such consent shall only be possible if the subcontractor has at least been contractually bound to data protection obligations that are comparable to those agreed in this contract. Upon request, the Principal shall have access to the relevant contracts between the Contractor and the subcontractor.

(3) It must also be possible to exercise the rights of the contracting authority effectively vis-à-vis the subcontractor. In particular, the Client must be entitled to carry out checks at subcontractors or have them carried out by third parties at any time to the extent specified herein.

(4) The responsibilities of the contractor and the subcontractor shall be clearly defined.

(5) Further subcontracting by the subcontractor is not permitted.

(6) The contractor shall carefully select the subcontractor, paying particular attention to the suitability of the technical and organisational measures taken by the subcontractor.

(7) The forwarding of data processed in the order to the subcontractor shall only be permitted if the contractor has satisfied himself in documented form that the subcontractor has fulfilled his obligations in full. The Contractor shall submit the documentation to the Client without being requested to do so.

(8) The commissioning of subcontractors who do not carry out the commissioned processing exclusively from within the territory of the EU or the EEA is only possible if the conditions stated in Chapter 4 (10) and (11) of this contract are observed. In particular, it shall only be permissible to the extent that and as long as the subcontractor offers appropriate data protection guarantees. The Contractor shall inform the Customer which concrete data protection guarantees the subcontractor offers and how proof of such guarantees can be obtained.

(9) The Contractor shall adequately verify compliance with the subcontractor's obligations on a regular basis, at the latest every 12 months. The inspection and its results shall be documented in a meaningful manner so that they are comprehensible for a competent third party. The documentation shall be submitted to the client without being requested to do so.

(10) If the subcontractor does not comply with his data protection obligations, the contractor shall be liable to the customer for this.

(11) At present, the subcontractors designated in Annex 2 with their names, addresses and order contents are engaged in the processing of personal data to the extent specified therein and are approved by the Customer. The other obligations of the Contractor towards subcontractors set forth herein shall remain unaffected.

(12) Subcontracting relationships within the meaning of this contract are only those services which have a direct connection with the provision of the main service. Ancillary services such as transport, maintenance and cleaning as well as the use of telecommunications services or user services are not covered. The Contractor's obligation to ensure compliance with data protection and data security in these cases remains unaffected.

8 Rights and Duties of the Client

(1) The client alone shall be responsible for assessing the admissibility of the commissioned processing and for safeguarding the rights of data subjects.

(2) The client shall issue all orders, partial orders or instructions in documented form. In urgent cases, instructions may be given verbally. Such instructions will be confirmed by the client immediately and documented.

(3) The Customer shall inform the Contractor without delay if it detects errors or irregularities in the examination of the order results.

(4) The Customer shall be entitled to monitor compliance with the provisions on data protection and the contractual agreements at the Contractor to an appropriate extent itself or by third parties, in particular by obtaining information and inspecting the stored data and data processing programs as well as other on-site inspections. The persons entrusted with the inspection shall be given access and insight by the contractor to the extent necessary. The contractor is obliged to provide necessary information, to demonstrate procedures and to provide evidence which is necessary for the performance of an inspection.

(5) Inspections at the contractor's premises shall be carried out without avoidable disruptions to his business operations. Unless otherwise indicated for urgent reasons to be documented by the customer, inspections shall be carried out after reasonable advance notice and during the contractor's business hours and not more frequently than every 12 months. Insofar as the Contractor provides evidence of the correct implementation of the agreed data protection obligations as provided for in Chapter 5 (8) of this Agreement, a check shall be limited to random samples.

9 Notification obligations

(1) The contractor shall inform the customer immediately of any violations of the protection of personal data. Justified cases of suspicion must also be reported. The notification must be made within 24 hours of the Contractor becoming aware of the relevant event at the latest to an address specified by the Customer. It must contain at least the following information:

a. a description of the nature of the breach of the protection of personal data, indicating where possible the categories and approximate number of persons concerned, the categories concerned and the approximate number of personal data records concerned;

b. the name and contact details of the Data Protection Officer or any other contact point for further information;

c. a description of the likely consequences of the violation of the protection of personal data;

d. a description of the measures taken or proposed by the contractor to remedy the personal data breach and, where appropriate, measures to mitigate its potential adverse effects.

(2) Also to be notified without delay are significant disruptions in the execution of the order as well as infringements by the contractor or persons employed by him against data protection regulations or the stipulations made in this contract.

(3) The contractor shall inform the customer without delay of any controls or measures taken by supervisory authorities or other third parties insofar as these relate to order processing.

(4) The Contractor undertakes to support the Customer in his duties according to Art. 33 and 34 of the General Data Protection Regulation to the necessary extent.

10 Directives

(1) The client reserves the right to give comprehensive directives regarding the processing on behalf of the client.

(2) The Customer and the Contractor shall name the persons exclusively authorized to issue and accept instructions in Annex 3.

(3) In the event of a change or longer-term unavailability of the named persons, successors or representatives shall be notified to the other party without delay.

(4) The Contractor shall inform the Customer immediately if, in the Contractor's opinion, an instruction issued by the Customer violates statutory provisions. The Contractor shall be entitled to suspend the execution of the corresponding instruction until it has been confirmed or changed by the responsible person at the Client.

(5) The contractor shall document the instructions given to him and their implementation.

11 Termination of the contract

(1) Upon termination of the contractual relationship or at any time at the request of the Client, the Contractor shall either destroy the data processed in the order or hand them over to the Client at the Client's option. All existing copies of the data shall also be destroyed. The destruction must be carried out in such a way that it is no longer possible to restore residual information at a reasonable cost. Physical destruction shall take place in accordance with DIN 66399.

(2) The contractor shall also be obliged to bring about the immediate return or deletion of the data by subcontractors.

(3) The Contractor shall provide evidence of proper destruction and submit such evidence to the Customer without undue delay.

(4) Documentation which serves as proof of proper data processing shall be stored by the contractor in accordance with the respective retention periods even after the end of the contract. He may hand them over to the Customer at the end of the contract for his relief.

12 Remuneration

The remuneration of the contractor is conclusively regulated in the main contract. There shall be no separate remuneration or reimbursement of costs within the framework of this contract.

13 Liability

(1) The client and the contractor shall be jointly and severally liable for the compensation of damages suffered by a person due to inadmissible or incorrect data processing within the scope of the contractual relationship.

(2) The Contractor shall bear the burden of proof that a damage is not the result of a circumstance for which he is responsible, insofar as he has processed the relevant data under this agreement. As long as this proof has not been furnished, the Contractor shall indemnify the Client upon first request against all claims asserted against the Client in connection with the processing of the order. Under these conditions, the Contractor shall also reimburse the Client for all legal defence costs incurred.

(3) The Contractor shall be liable to the Customer for any damage culpably caused by the Contractor, its employees or its agents or subcontractors in connection with the performance of the contractual services.

(4) Numbers (2) and (3) shall not apply if the damage was caused by the correct implementation of the commissioned service or an instruction issued by the client.

14 Contractual penalty

(1) In the event of a breach of the provisions of this contract, a strict contractual penalty of € 5000 per individual case shall be agreed. The contractual penalty shall be forfeited in particular in the event of defects in the implementation of the agreed technical and organisational measures. In the case of permanent infringements, each calendar month in which the infringement occurs in whole or in part shall be regarded as an individual case. The plea of continuation is excluded.

(2) The contractual penalty has no influence on other claims of the client.

15 Special right of termination

(1) The customer may terminate the main contract and this agreement at any time without notice ("extraordinary termination") if there is a serious breach by the contractor of data protection regulations or the provisions of this agreement, if the contractor is unable or unwilling to carry out a lawful instruction of the customer or if the contractor refuses control rights of the customer contrary to contract.

(2) A serious breach shall be deemed to have occurred in particular if the Contractor fails to fulfil or has failed to fulfil to a considerable extent the obligations specified in this Agreement, in particular the agreed technical and organisational measures.

(3) In the case of minor infringements, the Customer shall set the Contractor a reasonable deadline for remedy. If the remedy is not provided in good time, the Customer shall be entitled to extraordinary termination as described in this section.

(4) The Contractor shall reimburse the Customer for all costs incurred as a result of the premature termination of the main contract or of this contract as a result of extraordinary termination by the Customer.

16 Miscellaneous

(1) Both parties are obliged to treat confidentially all knowledge of business secrets and data security measures of the respective other party acquired within the scope of the contractual relationship, even upon termination of the contract. If there are doubts as to whether information is subject to confidentiality, it shall be treated as confidential until it is released in writing by the other party.

(2) Should the Customer's property held by the Contractor be endangered by measures taken by third parties (e.g. by seizure or confiscation), by insolvency or composition proceedings or by other events, the Contractor shall notify the Customer immediately.

(3) Ancillary agreements must be made in writing.

(4) The defence of a right of retention within the meaning of § 273 BGB is excluded with regard to the data processed in the order and the associated data carriers.

(5) Should individual parts of this agreement be invalid, this shall not affect the validity of the remainder of the agreement.

Annex 1 - technical and organisational measures

In the following, the technical and organisational measures to guarantee data protection and data security are specified, which the contractor must at least set up and continuously maintain. The aim is to guarantee in particular the confidentiality, integrity and availability of the information processed in the order.

Protection class 1 applies to destruction in accordance with DIN 66399.

1. Organisation of information security
2. Personnel safety
3. Management of values
4. Access control
5. Cryptography
6. Physical and environmental security
7. Operational safety
8. Communication security
9. Acquisition, development and maintenance of systems
10. Supplier relations
11. Handling information security incidents
12. Information security aspects in business continuity management
13. Compliance

Annex 2 - Approved subcontractors

see details in imprint

Annex 3 - Persons entitled to issue instructions

The following persons are authorized to issue and receive instructions:

see details in imprint

© by activemind.de (Free Privacy Policy Samples and Templates) - Adapted from kontaktformular.com - Translated with www.DeepL.com/Translator - In case of any inconsistencies the German version shall prevail.

DON’T PANIC Towel Shop - General Terms and Conditions (AGB)

Offers, deliveries and services are made exclusively on the basis of the following General Terms and Conditions.

Quality and price
The towels are made of 100% cotton. The bath towels were produced in Turkey on behalf of a German company. Form of sale: direct sales. The price includes the statutory value-added tax. Shipping costs are charged in addition.

The examples shown are photographs of a selection of originals. Compared with the originals, the digital representation may show small deviations in size and colour. The stated dimensions are approximate values.

For the towels themselves, the manufacturer's care instructions must be observed.

Making copies of any kind, as well as trading in the towels, is prohibited.

The price for one towel is 37.90 euros (including 19% VAT = 6.05 euros). This is the pick-up price in 10999 Berlin.
Shipping within Germany, 1-3 towels: 7.00 euros, 4-8 towels: 9.00 euros.
Shipping within the EU: 1-3 towels: 16.00 euros.
Shipping to Switzerland + rest of Europe: 1-3 towels: 21.00 euros.
All other countries: 1-3 towels: 29.00 euros.
Shipping prices for other order quantities: on request.

The corresponding amount (product + shipping costs) must be paid in full in advance by bank transfer. Alternatively, payment can be made via PayPal for a surcharge of 3.00 euros. The offer is valid only while the item is in stock.

Effectiveness of the order
When the online order is submitted, a legally binding contract is concluded between the DON’T PANIC Towel Shop / Uli Schuster and the buyer. The buyer is thereby obliged to pay the stated amount. We confirm the order by email. The order is processed only once the invoice amount has been received.

Delivery within Germany generally takes place within 7 working days, and to countries of the European Community generally within 12 working days. The buyer cannot derive any claim for damages from late delivery or non-delivery. If the delivery time is exceeded considerably [standard time + 30 days], the buyer may withdraw from the contract. In this case, however, responsibility for the delay must demonstrably lie in the production area. Deliveries that are delivered late by the commissioned carrier give rise to no legal claims whatsoever against the Towel Shop.

The customer consents to our storing and automatically processing the personal data received in the course of the business relationship to the extent necessary for performing the contract. The data will not be passed on to third parties.

Payment is made in advance by bank transfer or via PayPal.

Ulrich Schuster
IBAN: DE86 1007 0024 0282 5008 00
Deutsche Bank
Payment reference: Towel + invoice number

Ulrich Schuster Tax number: 14/527/61105 VAT ID: DE257532976 Tax office: Berlin - Kreuzberg

You have a right of withdrawal if the contract is concluded exclusively by means of distance communication. This applies only if you conclude the contract as a consumer. A consumer is any natural person who enters into a legal transaction for a purpose that can be attributed neither to their commercial nor to their self-employed professional activity. If you are a consumer within the meaning of § 13 BGB, you may withdraw your contractual declaration within two weeks without giving reasons in text form (e.g. letter, fax, email) or by returning the goods (postal address: DON’T PANIC Towel Shop, Uli Schuster, Reichenberger Str. 28, 10999 Berlin). If the instruction is given to you in text form only after conclusion of the contract, the period is one month. The period begins at the earliest on the day after receipt of the goods and on the day after receipt of a withdrawal instruction to be communicated separately in text form. Timely dispatch of the withdrawal or of the goods is sufficient to meet the withdrawal deadline.

If you cannot return the received performance to us in whole or in part, or can return it only in a deteriorated condition, you must compensate us for the value where applicable. In the case of goods, this does not apply if the deterioration is due exclusively to their inspection, as would have been possible for you in a retail shop, for example. Otherwise, you can avoid the obligation to compensate for value by not using the goods as an owner would and by refraining from anything that impairs their value. Goods that can be sent by parcel are to be returned at our expense and risk. In the case of a return from a delivery of goods whose total order value is up to 40 euros, you must bear the cost of the return if the goods delivered correspond to those ordered. Otherwise, the return is free of charge for you. The consumer also bears the return costs if the price exceeds 40.00 €. However, this applies only if the consideration or a partial payment has not yet been made at the time of withdrawal. Right of withdrawal pursuant to § 312d (1) BGB: Your right of withdrawal expires prematurely if your contractual partner has begun performing the service with your express consent before the end of the withdrawal period or if you have initiated this yourself (e.g. by download etc.).

Should individual provisions above be or become invalid in whole or in part, the remaining provisions shall remain unaffected. This also applies to the waiver of this written-form requirement. Agreements deviating from the above terms and conditions require written confirmation to be valid. All claims arising from or in connection with contracts concluded under the above General Terms and Conditions are governed exclusively by German law. These terms and conditions [Version 16] enter into force on 01 July 2022 and can be replaced by a newer version only by the DON’T PANIC Towel Shop. Older versions lose their validity at the same time.