Regulations on the commissioned processing of personal data
1. Scope of application
This contract regulates the rights and obligations of the parties in the context of the commissioned processing of personal data pursuant to Art. 28 GDPR.
The contract applies to all activities in which the contractor processes the client's personal data.
Terms used in this contract are to be understood in accordance with their definition in the EU General Data Protection Regulation. In this sense, the client is the "controller" and the contractor is the "processor". Insofar as declarations are to be made "in writing" in the following, the written form pursuant to Section 126 BGB is meant. Otherwise, declarations may also be made in another form, provided that appropriate verifiability is guaranteed.
2. Object and duration of the processing
Purpose: The contractor provides services in the area of the provision and operation of AI-supported telephone assistants. The processing takes place exclusively for the provision of the contractually agreed services.
Duration: This contract is valid for the duration of the business relationship between the parties and ends automatically upon termination of the cooperation, unless otherwise agreed.
3. Type, purpose and data concerned
Type of processing: Storage, retrieval, organization, adaptation, transmission and deletion of personal data.
Purpose of processing: Provision of a telephone assistant to support the client's communication processes.
Categories of data concerned:
Contact details (e.g. name, telephone number, e-mail address).
Conversation content (e.g. messages, recordings, minutes).
Affected persons: Customers, interested parties, suppliers and employees of the client as well as callers who interact with the AI telephone assistant.
4. Obligations of the contractor
The Contractor shall process personal data exclusively as contractually agreed or as instructed by the Client, unless the Contractor is legally obliged to carry out specific processing. If such obligations exist for the Contractor, the Contractor shall inform the Client of these prior to processing, unless the notification is prohibited by law.
The Contractor shall ensure that all persons employed for processing are bound to confidentiality.
The Contractor may only provide information to third parties or the data subject with the prior consent of the Client. The Contractor shall forward any requests addressed directly to it to the Client without delay.
Technical and organizational measures (TOMs) are implemented in accordance with Art. 32 GDPR to ensure an adequate level of protection.
The contractor undertakes to support the controller in complying with the obligations set out in the GDPR. This includes in particular:
support in the fulfillment of data subject rights (e.g. information, correction, deletion);
support in carrying out data protection impact assessments in accordance with Art. 35 GDPR;
support in reporting data breaches to the competent supervisory authority in accordance with Art. 33 GDPR;
support in the implementation of necessary and appropriate technical and organizational measures for the security of data processing in accordance with Art. 32 GDPR;
support in the notification of data subjects in the event of data breaches in accordance with Art. 34 GDPR;
support in the prior consultation of the supervisory authority if a data protection impact assessment reveals a high risk for data processing, in accordance with Art. 36 GDPR.
The Contractor undertakes to provide the Client with all information necessary to demonstrate compliance with the obligations under this contract and the GDPR. The Contractor shall facilitate and contribute to audits, including inspections, carried out by the Controller or an auditor commissioned by the Controller.
The Contractor undertakes to use the personal data processed within the scope of this contract exclusively for the provision of the contractually agreed services. Any processing of this data for other purposes, in particular for the training, development or optimization of AI models, is expressly excluded.
5. Subcontractors
The contractor is entitled to use or change subcontractors for the processing of personal data without the prior consent of the client being required.
However, the Contractor undertakes to inform the Client of any changes or new subcontractors in text form no later than 30 days before the subcontractor starts processing the data.
The client has the right to object to the commissioning of a subcontractor if there is a legitimate interest (e.g. inadequate data protection measures). Such an objection must be declared in writing within 14 days of notification.
If no objection is raised, the commissioning of the subcontractor shall be deemed approved.
The Contractor shall ensure that subcontractors are subject to the same data protection obligations.
The processing of personal data by subcontractors in third countries takes place exclusively on the basis of suitable guarantees in accordance with Art. 46 GDPR, in particular through the conclusion of standard contractual clauses (SCC) of the EU Commission. The contractor shall ensure that the transfer takes place on a legal basis and that an adequate level of data protection is guaranteed.
6. Technical and organizational measures (TOMs)
FlowLyne is committed to ensuring an adequate level of protection for the processing of personal data. To this end, FlowLyne implements the following measures:
Encryption: All data transmissions are TLS-encrypted to ensure the confidentiality and integrity of the data during transmission.
Authentication: API accesses are authenticated by cryptographic keys to ensure that only authorized systems or persons have access to the data.
Securing sensitive data: Sensitive configuration data (e.g. access data, tokens) is securely stored in the Google Secret Manager to prevent unauthorized access.
Access control: Access to systems and data is restricted by role-based permissions so that only authorized persons have access to the required information.
Logging: Access to personal data is logged to make potential incidents traceable and to detect unauthorized access.
Changes to the technical and organizational measures that do not impair the level of protection may be made as part of technical development. The Contractor shall inform the Client of any significant changes.
7. Rights and obligations of the customer
The client is responsible for the legality of the processing.
The client shall issue all orders, partial orders or instructions in writing. In urgent cases, instructions may be issued verbally. The client shall confirm such instructions in writing without delay.
The client is entitled to exercise control rights, e.g. through audits or reports.
8. Notification obligations
The Contractor shall report data protection violations immediately, at the latest within 24 hours.
In the event of inquiries from data subjects, the Contractor shall forward these to the Client without delay.
9. Termination of the processing
After termination of the main contract, the Contractor shall either delete or return all personal data at the Client's discretion.
The contractor shall document the proper deletion or return.
10. Liability
The Contractor shall only be liable for damages caused by a breach of this contract or applicable data protection laws.
The Contractor's liability for damages arising in the context of commissioned processing shall be limited to the amount of the remuneration paid to the Contractor in the respective contract year. This limitation of liability shall not apply in cases of intent or gross negligence.
11. Final provisions
These regulations are an integral part of FlowLyne's General Terms and Conditions. Amendments shall be made in accordance with the provisions set out in the General Terms and Conditions.
German law shall apply. The place of jurisdiction is Berlin.
Status: 30.10.2024