Data Processing Agreement
This contract is part of the contractual agreement between the customer and sipgate GmbH, Gladbacher Str. 74, 40219 Düsseldorf, Germany, represented by its management, at the same location.
The customer as the controller (hereinafter referred to as the “Customer”) commissions sipgate GmbH as the data processor (hereinafter referred to as “sipgate”) with the data processing described below. The client and contractor are hereinafter collectively referred to as “the Parties”.
The data processing provisions supplement the general terms and conditions of business of sipgate GmbH. In the event of these provisions and the general terms and conditions of business of sipgate GmbH containing contradictions, these data processing provisions shall take precedence.
The Parties mutually agree for this new Data Processing Agreement to repeal and replace the existing data processing agreement in accordance with Section 11 of the Federal Data Protection Act (Bundesdatenschutzgesetz – BDSG) concluded between the Parties and any other data processing agreements upon it being signed.
1. General information
(1) sipgate processes personal data on behalf of the Customer within the meaning of Art. 4 No. 8 and Art. 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR). This Agreement regulates the rights and obligations of the Parties in connection with the processing of personal data.
(2) Wherever the terms “data processing” and “processing” (of data) are used in this Agreement, they are based on the definition of “processing” within the meaning of Art. 4 No. 2 GDPR.
(3) All references to the GDPR (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation – GDPR)) are made to the GDPR in its current applicable version.
2. Object of the order
The object of the order, type and purpose of the processing, type of personal data and category of data subjects are specified in Appendix 1 to this Agreement.
3. Rights and obligations of the Customer
(1) The Customer is the Controller within the meaning of Art. 4 No. 7 GDPR of the data processing by sipgate. In accordance with Section 4 (5) of this Agreement, sipgate may notify the Customer if it is of the opinion that the data processing order / instruction is illegal.
(2) As the Controller, the Customer is responsible for maintaining the rights of the data subjects. sipgate shall notify the Customer immediately of any rights asserted by data subjects against sipgate.
(3) The Customer may issue additional instructions on the data processing type, scope and method to sipgate at any time. Instructions may be issued in text form (e.g. email).
(4) Provisions on the reimbursement of any additional costs that may be incurred by sipgate due to the Customer’s additional instructions shall not be affected.
(5) The Customer shall notify sipgate immediately of any errors or irregularities found in connection with the processing of personal data by sipgate.
(6) The Customer shall be responsible to ensure compliance with the obligation to provide information to third parties in accordance with Art. 33 and 34 GDPR or any other statutory reporting obligations applicable to the Customer.
4. General obligations of sipgate
(1) sipgate processes personal data exclusively in accordance with the agreements entered into and/or in compliance with any instructions issued by the Customer. Statutory provisions which oblige sipgate to process data in a different manner shall be excluded from this rule. In the event of such statutory provisions prevailing, sipgate shall notify the Customer of such legal requirements prior to processing, unless the respective law prohibits such notification on the grounds of an important public interest. The purpose, type and scope of data processing shall otherwise be exclusively based on this Agreement and/or instructions issued by the customer. sipgate shall refrain from processing data in any other manner, unless such actions have been approved in writing by the Customer.
(2) sipgate shall undertake to process data exclusively on behalf of the Customer and exclusively in member states of the European Union (EU) or the European Economic Area (EEA).
(3) sipgate shall ensure that all agreed measures with regard to the proper processing of personal data are implemented as contractually agreed.
(4) sipgate shall organise its business and operations so as to ensure that the data processed by sipgate on behalf of the Customer is sufficiently secured and protected against unauthorised third-party access. sipgate shall reconcile changes to the data processing organisation that are crucial to data security in advance with the Customer.
(5) sipgate shall notify the Customer immediately of any instructions issued by the Customer that violate the law in sipgate’s opinion. sipgate may discontinue the implementation of the respective instructions until the Customer approves or changes them. In the event of sipgate being able to show that processing as per Customer order may result in sipgate assuming liability in accordance with Art. 82 GDPR, sipgate may discontinue any further processing until liability has been clarified between the Parties.
(6) The processing of data on behalf of the Customer may only be performed outside the premises of sipgate or a subcontractor with the Customer’s consent in writing or text form. Data may only be processed for the Customer at private dwellings with the Customer’s consent in writing or text form and on an individual basis.
(7) sipgate shall process the data on behalf of the Customer separately from other data. The data does not necessarily have to be physically separated.
5. sipgate data protection officer
(1) sipgate shall confirm that it has appointed a data protection officer in accordance with Art. 37 GDPR. sipgate shall ensure that the data protection officer has the required qualifications and professional knowledge. sipgate shall provide the Customer with the name and contact details of its data protection officer in a separate message in text form.
(2) The obligation to appoint a data protection officer in accordance with paragraph 1 may be omitted at the discretion of the Customer if sipgate can prove that it is not legally obliged to appoint a data protection officer and that there are company rules in place that ensure that personal data is processed in compliance with the legal requirements, the provisions of this Agreement and any other instructions issued by the Customer.
6. Reporting obligation of sipgate
(1) sipgate shall notify the Customer immediately of any violation of data protection regulations or the contractual agreements and/or the instructions issued by the Customer which occurred during the processing of data by sipgate or other persons engaged with such processing. The same shall apply to any security breach with regard to personal data processed by sipgate on behalf of the customer.
(2) sipgate shall further notify the Customer immediately in the event of a supervisory authority taking action against sipgate in accordance with Art. 58 GDPR where this may also affect the control of processing performed by sipgate on behalf of the Customer.
(3) sipgate is aware that the Customer may be subject to a reporting obligation in accordance with Art. 33 and 34 GDPR, which intends for a report to the supervisory authorities to be submitted within 72 hours from discovery. sipgate shall support the Customer in the implementation of such reporting obligation. sipgate shall, in particular, notify the Customer immediately, but no later than within 48 hours from discovery, of any unauthorised access to personal data which is being processed on behalf of the Customer. The report sent by sipgate to the Customer shall primarily contain the following information:
– Description of the type of personal data security breach, if possible including the category and approximate number of affected persons, affected categories and approximate number of affected personal data sets;
– Description of the measures implemented or proposed by sipgate to rectify the personal data security breach and potential measures to lessen potential negative effects.
7. Obligations to cooperate by sipgate
(1) sipgate shall support the Customer in the fulfilment of its obligation to respond to applications to assert the rights of data subjects in accordance with Art. 12-23 GDPR. The provisions of Section 11 of this Agreement shall apply in this respect.
(2) sipgate shall participate in the preparation of the processing activities lists by the Customer. sipgate shall provide the Customer with any required information in a suitable manner.
(3) sipgate shall support the Customer in its compliance with the obligations stated in Art. 32-36 GDPR, taking into consideration the type of processing and information available to sipgate.
(4) sipgate may request reasonable expenses-based remuneration for such services from the Customer.
8. Authorisations to perform audits
(1) The Customer may audit sipgate’s compliance with legal data protection requirements and/or the contractual provisions agreed between the Parties and/or instructions issued by the Customer at any time and within the required scope.
Proof of compliance with the obligations of a data processor in accordance with the GDPR shall be primarily provided in the form of independent audit reports and certifications.
In the event of the Customer voicing justified doubts regarding the deficiency or inapplicability of the audit reports and/or certifications on the basis of actual leads, or in the event of special circumstances within the meaning of Art. 33 (1) GDPR justifying this in connection with the implementation of the data processing requested by the Customer, the Customer may perform audits in accordance with Section 8 (2).
(2) So as to enable the Customer to audit the order and, in particular, audit the technical and organisational measures implemented by sipgate prior to the start and at regular intervals during data processing, sipgate shall permit audits by a neutral third party engaged by the Customer (auditor under oath). sipgate may schedule audit appointments as and when its operations permit. The audit shall be permitted within a reasonable period of time from receipt of the request. Alternatively, sipgate may also fulfil the Customer’s audit right by providing an audit report prepared by an independent auditor under oath on behalf of sipgate GmbH. The exercise of the audit right shall not unreasonably disrupt or negatively affect sipgate’s daily operations.
(3) sipgate may request reasonable remuneration from the Customer for audits within the meaning of Section 8 (2).
9. Subcontractors
(1) The contractually agreed services or the partial services described below will be performed with the involvement of subcontractors listed in Appendix 2. sipgate is authorized, within the framework of its contractual obligations, to establish further subcontracting relationships with subcontractors. sipgate shall promptly inform the client thereof. sipgate is obligated to carefully select subcontractors based on their suitability and reliability. sipgate must obligate subcontractors in accordance with the provisions of this agreement and ensure that the client can also directly exercise its rights under this agreement (in particular its audit and control rights) against subcontractors. If subcontractors in a third country are to be involved, sipgate must ensure that an adequate level of data protection is ensured at the respective subcontractor (e.g. by concluding an agreement based on the EU standard contractual clauses). Upon request, sipgate will provide the client with evidence of the conclusion of the aforementioned agreements with its subcontractors.
sipgate may only engage subcontractors with consent from the Customer in text form. sipgate shall disclose all subcontractors engaged at the time of the conclusion of this Agreement in Appendix 2 to this Agreement.
(2) sipgate shall diligently select a subcontractor and check that the latter is able to comply with the agreements concluded between sipgate and the Customer prior to engaging the subcontractor. In particular, sipgate shall check that the subcontractor has implemented the technical and organisational measures for the protection of personal data required in accordance with Art. 32 GDPR before and at regular intervals during the term of the subcontracting agreement. sipgate shall document the results of such checks and provide them to the Customer upon request.
(3) sipgate shall obtain confirmation from the subcontractor that the latter has appointed a data protection officer in accordance with Art. 37 GDPR. In the event of no data protection officer having been appointed by the subcontractor, sipgate shall notify the Customer of such fact and provide information that proves that the subcontractor is not obliged by law to appoint a data protection officer.
(4) Services purchased by sipgate from third parties as pure ancillary services in order to perform its business activities shall not be classed as subcontracting relationships within the meaning of Paragraphs 1 to 6. These include, for example, cleaning services, pure telecommunication services without specific relation to services provided by sipgate for the Customer, postal and courier services, transport services and security services. However, sipgate shall ensure that adequate precautions and technical and organisational measures have been implemented to ensure the protection of personal data, even for ancillary third-party services. The maintenance and servicing of IT systems or applications constitutes a subcontracting relationship requiring approval within the meaning of Art. 28 GDPR if such maintenance and servicing pertains to IT systems that are also used in connection with the provision of services for the Customer and personal data that is being processed on behalf of the Customer can be accessed during maintenance.
10. Non-disclosure obligation
(1) sipgate is obliged to maintain secrecy about data which it receives and/or obtains knowledge of in connection with the processing of data on behalf of the Customer. sipgate shall undertake to comply with the same non-disclosure obligations that apply to the Customer. The Customer shall notify sipgate of any special non-disclosure provisions.
(2) sipgate shall assure that it is aware of the respective applicable data protection regulations and familiar with their application. sipgate shall further assure that it has introduced its employees to the relevant data protection regulations and obliged them to maintain secrecy.
(3) Proof of the obligation of the employees in accordance with Paragraph 2 shall be provided to the Customer upon request.
11. Maintaining the rights of data subjects
(1) The Customer shall be solely responsible for maintaining the rights of data subjects. sipgate shall support the Customer in its obligation to process applications submitted by data subjects in accordance with Art. 12-23 GDPR. sipgate shall, in particular, ensure that the information required for this purpose is provided to the Customer without delay so that the latter is able to meet its obligations in accordance with Art. 12 (3) GDPR, in particular.
(2) In the event of sipgate’s cooperation being required by the customer for maintaining the rights of data subjects, particularly to information, correction, blocking and deletion, sipgate shall implement the respective measures according to the instructions of the Customer. sipgate shall support the Customer to the best of its ability with suitable technical and organisational measures in responding to applications for the assertion of the rights of data subjects. sipgate may request reasonable remuneration for such services from the Customer.
(3) This shall not affect any provisions regarding potential remuneration of additional costs incurred by sipgate from such cooperative services in connection with the assertion of the rights of data subjects.
12. Obligations to maintain secrecy
(1) Both Parties shall undertake to treat all of the information they receive in connection with the performance of this Agreement as confidential for an unlimited period of time and to solely use it for the performance of this Agreement. Neither Party may use this information, in whole or part thereof, for any other purposes but the ones stated above or make such information available to third parties.
(2) The above obligation shall not apply to information which one of the Parties has evidently received from a third party without having been obliged to maintain secrecy or information which is public knowledge.
13. Remuneration
sipgate shall not receive any separate remuneration for this Agreement, unless explicitly and otherwise stated.
14. Technical and organisational data security measures
(1) sipgate shall undertake to the Customer to implement the technical and organisational measures required for compliance with the applicable data protection regulations. These include, in particular, the provisions of Art. 32 GDPR.
(2) The status of the technical and organisational measures at the time of the conclusion of the Agreement is attached as Appendix 3 to this Agreement. The Parties agree that it may become necessary to change the technical and organisational measures in order to adjust them to technical and legal circumstances. sipgate shall agree material changes which may impair the integrity, confidentiality or availability of the personal data with the Customer in advance. sipgate may implement changes which constitute only immaterial technical or organisational measures and which do not impair the integrity, confidentiality and availability of the personal data without first agreeing them with the Customer. The Customer may request sipgate to provide the current status of the implemented technical and organisational measures at any time.
(3) sipgate shall check the effectiveness of the technical and organisational measures it has implemented at regular intervals as well as on an ad hoc basis. sipgate shall notify the Customer of any need for optimisation and/or change.
15. Term of the order
(1) The Agreement starts upon the order being placed and has an indefinite term.
(2) The Agreement shall expire upon termination of the main agreement (telecommunications agreement, e.g. sipgate team or sipgate basic) without requiring separate termination.
Section 16 regulates any obligations to delete or return items upon expiry of this Agreement.
(3) The Customer may terminate the Agreement at any time and without notice in the event of sipgate severely violating the applicable data protection regulations or obligations arising from this Agreement, sipgate being unable, or unwilling, to execute an instruction issued by the Customer or sipgate denying the Customer or responsible supervisory authority access in contravention of this Agreement.
16. Termination
(1) Upon termination of the Agreement, sipgate shall, as instructed by the Customer, return to the Customer or delete all documents, data and results of processing and use relating to the contractual relationship. The deletion of data shall be suitably documented. This shall not affect any statutory retention periods or other data storage obligations. Data carriers shall be destroyed at a minimum security level 3 in accordance with DIN 66399 if the Customer requests the deletion of data. Proof of the destruction of the data carriers shall be provided to the Customer with reference to the security level in accordance with DIN 66399.
(2) The Customer may check that sipgate has returned and deleted all of the data in accordance with the contractual agreements. Such check may also be performed by inspecting the data processing systems in sipgate’s business premises. The Customer shall give reasonable notice of such on-site inspection.
17. Right of retention
The Parties shall agree to exclude sipgate’s right to object against the right of retention within the meaning of Section 273 of the German Civil Code (Bürgerliches Gesetzbuch – BGB) with regard to the processed data and related data carriers.
18. Final provisions
(1) sipgate shall notify the Customer immediately in the event of the Customer’s property stored at sipgate’s premises being endangered through third-party measures (such as seizure or confiscation), insolvency proceedings or other events. sipgate shall inform the creditors immediately of the fact that the data is being processed on behalf of the Customer.
(2) Any additional agreements shall be placed in writing to become effective.
(3) Should individual provisions of this Agreement be ineffective, this shall not affect the effectiveness of the remaining provisions of the Agreement.
Appendix 1 – Object of the data processing agreement
1. Processing objective and purpose
The order issued by the Customer to sipgate comprises the following work and/or services: Provision of telecommunication services (described in greater detail in the respective specifications of services).
2. Type(s) of personal data
The following types of data are processed on a regular basis:
Traffic data, content data, contact data, personal master data and communication data (name, address, phone number, fax number and email address).
3. Group of data subjects
Group of data subjects:
Account users, participants contacting and contacted by phone and/or senders / recipients of SMS / fax, employees, customers, business partners, stakeholders and service providers of the Customer.
If the customer is a sipgate partner:
Contact data, personal master data and communication data (name, address, phone number, fax number, email address) of the business persons / companies referred by the sipgate partner.
The Customer shall undertake to notify the account users and, if required, also the works council or similar representations of the processing of the data listed in Section 2.
4. Data processing location
All of the data is processed on servers located in Germany.
Appendix 2 – Subcontractors
sipgate purchases services from third parties which process data on behalf of sipgate (“subcontractors”) for the processing of data on behalf of the Customer.
sipgate GmbH engages various subcontractors for the provision of its services.
These subcontractors initially are the following affiliated companies of sipgate GmbH and provide advance services for the realisation of sipgate GmbH’s services. The companies have concluded amongst each other the contractual agreements required for processing such data.
These companies are:
Name, Address | Scope of data processing | Purpose of data processing | Data affected | Categories of affected individuals
Myloc managed IT AG, Am Gatherhof 44, 40472 Düsseldorf, Germany | Data centre | Implementation of sipgate’s services | Traffic and content data | Customers of sipgate GmbH
argon networks UG (limited liability), Gladbacher Str. 74, 40219 Düsseldorf | Provision of telecommunications services | Implementation of sipgate’s services | Traffic and content data | Customers of sipgate GmbH
netzquadrat GmbH, Gladbacher Str. 74, 40219 Düsseldorf | Provision of telecommunications services | Implementation of sipgate’s services | Traffic and content data | Customers of sipgate GmbH
sipgate Wireless GmbH, Gladbacher Str. 74, 40219 Düsseldorf | Provision of telecommunications services | Implementation of sipgate’s services | Traffic and content data | Customers of sipgate GmbH
Tel-inform customer-solutions GmbH, Siemensstr. 32, 47533 Kleve | Call centre | Ensuring accessibility of customer service outside of office hours | Inventory, contact, content and contract data | Customers, prospects and employees of sipgate GmbH
OpenAI OpCo LLC, 3180 18th St., Suite 100, San Francisco, California 94110, United States | Through the GPT service provided by OpenAI, various productivity features (automatic conversation summarisation with tagging) are implemented based on a transcription of the conversation. | Implementation of sipgate’s AI features | Content data | Only customers of sipgate GmbH who use the AI features and have given corresponding consent; conversational partners of these customers.
Appendix 3 – sipgate’s technical and organisational measures
sipgate implements the following technical and organisational data security measures within the meaning of Art. 32 GDPR.
1. Confidentiality
Entry control
sipgate has implemented comprehensive formal entry control processes in order to prevent unauthorised persons from entering data processing systems used for processing or using data.
The location at Gladbacher Str. 74 contains sipgate’s offices as well as a server and server technology room. Electronic keys are issued to selected employees for entering the offices. The keys entitle each employee to open and close individually permitted doors only. All of the opening and closing processes of one key are electronically logged, including a unique key ID. Only employees directly authorised by management are responsible for managing the keys.
The server room is locked at all times and can only be entered by selected employees.
Within the building, the entry authorisations of employees, including those in possession of a key, are limited to the minimum required to fulfil their specific tasks.
During business hours, persons are checked at the permanently manned reception desk upon entering the building. Outside of business hours, all entrances to the building are locked and secured with an alarm. Security services also patrol the premises. All alarms and alarm systems are reported directly to security services.
Standard security measures are implemented in all computer centres. These measures are all state of the art and include electronic entry control systems with a logging function, with only authorised persons being permitted to enter the building, alarm systems, internal and external video monitoring, security personnel present 24/7, a building perimeter secured with barbed wire, and patrols by an external security service which is automatically informed via a dedicated alarm line should an alarm be triggered.
The keys to the individual rooms and cages in the computer centre always have to be collected from the security personnel.
Admission control
sipgate uses a central entry authorisation management system to ensure that data processing systems are only used by authorised persons. The entry authorisations are issued by sipgate’s technical manager. Authorised administrators manage these entry authorisations.
Remote access to sipgate’s servers for administration purposes, such as system maintenance, is only possible via an encrypted connection upon prior authentication.
Access control
sipgate uses a central access authorisation management system to ensure that authorised users of a data processing system can only access data covered by their access authorisation and that stored data or data which is currently being processed cannot be read, copied, modified or deleted by unauthorised persons. All access is logged locally and on the log server. Administrative rights can only be exercised via a central management programme.
Access to all data is limited to the minimum required for fulfilling the specific tasks of the authorised users. Compliance with the statutory data protection requirements, particularly those of the General Data Protection Regulation (GDPR) and the German Telecommunications Act (Telekommunikationsgesetz – TKG), is ensured in this respect.
Separation
sipgate processes the data on server systems which are logically separated within the network through a system of logical and physical access controls.
2. Integrity
Data entry control
All access to the Customer’s stored data is logged locally and on the central log server to ensure that sipgate is able to check and determine subsequently if and who has entered, modified or deleted data.
Transfer control
Access to all systems which process Customer data is subject to effective access controls to ensure that data cannot be read, copied, modified or deleted by unauthorised persons during electronic transfer, transport or storage, and that it can be checked which interfaces are intended for data transfer by data processing systems. These access control mechanisms have already been described in greater detail above in Section 3.
3. Availability and capacity
sipgate uses a combination of redundant systems and backup solutions in all systems to ensure that the stored data can be protected and recovered, if necessary. These systems are operated exclusively in premises secured and fitted with state-of-the-art technology as well as the necessary air conditioning, fire and smoke detection systems for which detailed contingency plans are in place.
4. Methods for regular checks, assessments and evaluations
All employees receive regular data protection training. All of these training events are held in-house, which makes it possible to tailor them to sipgate’s specific concerns. Individual questions are dealt with comprehensively during these training sessions.
All sipgate employees who come into contact with the processing of personal data as part of their professional activities have been obliged to maintain confidentiality about personal data. New employees are usually placed under this obligation immediately upon starting their positions by signing a non-disclosure agreement, which is compulsory for every employee.
sipgate has appointed a data protection officer who together with their deputy ensures that queries by data subjects are answered promptly.
sipgate maintains a list of processing activities within the meaning of Art. 30 (1) and (2) GDPR. This processing activities list is not available to the public.