Last updated on 11.12.2024

imc Express Processor Agreement

Processor Agreement
for imc Express

 (hereinafter referred to as the “Agreement”)

between
the client designated as the principal in the offer
(hereinafter referred to as the “Controller”)

and

imc information multimedia communication GmbH,
St. Peter Hauptstraße 27,
8042 Graz,
Austria
(hereinafter referred to as the “Processor”)

1. Objective of the Agreement

The Processor has undertaken to provide the data processing operations described in Annex 1 in connection with the imc Express product to the Controller. For the purposes of this Agreement, the definitions of terms in the General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter “GDPR”) apply. To the extent that the Controller is subject to Swiss data protection law, references to the GDPR in this Agreement shall be deemed to be references to the Swiss Federal Data Protection Act ("FADP") and the implementing Data Protection Ordinance ("DPA").

2. Right to issue instructions

2.1 The Processor shall process personal data only on the documented instructions of the Controller - including in relation to the transfer of personal data to a third country or an international organisation - unless it is obliged to do so by the law of the European Union or the Member States to which the Processor is subject.

2.2 The Processor shall inform the Controller without undue delay if it considers, without conducting a legal review by a lawyer, that an instruction manifestly infringes the GDPR or other EU or Member State data protection provisions. The Processor shall not be obliged to obtain legal advice in connection with the performance of this Agreement and shall not provide any legal services in performance of this Agreement.

2.3 The Processor shall inform the Controller without undue delay if it is required under EU or Member State law to carry out any data processing contrary to the Controller's instructions or without the Controller's instructions (to the extent that such notification is permitted).

2.4 The Controller’s instructions shall be in accordance with the subject matter of this Agreement. Should the Processor incur expenses in the amount of more than one working hour as a result of complying with the instruction, the entire expense shall be remunerated by the Controller.

3. Confidentiality

The Processor shall ensure that the persons authorised to process the personal data are obligated to confidentiality or are subject to an appropriate legal duty of confidentiality. 

4. Data security

4.1 The Processor shall take all mandatory measures in accordance with Article 32 of the GDPR.

4.2 The Processor shall fulfil its obligation under item 4.1 by implementing the security measures described in Annex 2. It is clarified that a level of data protection and security corresponding to this contract also applies if data is processed in private homes.

4.3 The Processor shall inform the Controller of any personal data breach insofar as it concerns data processed by the Processor on behalf of the Controller and the breach creates a risk to the rights and freedoms of natural persons. Such information shall be provided without undue delay as soon as the Processor becomes aware of such a breach and shall be addressed to the contact point notified in writing by the Controller.

4.4 The information of the Controller referred to in item 4.3 shall, as far as possible under the circumstances, include the following:

a. the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects concerned and the categories and approximate number of data sets concerned;

b. the likely consequences of the personal data breach; and

c. the measures taken or proposed by the Processor to address the personal data breach.

5. Sub-processing

5.1 Annex 3 contains an up-to-date list of the Sub-Processors used by the Processor. The Processor shall inform the Controller of any intended change in relation to the involvement or replacement of other Processors or Sub-Processors (hereinafter referred to collectively as "Sub-Processors"), which shall enable the Controller to object to such changes and to prohibit the involvement or replacement. If the Controller does not raise an objection within two weeks, the involvement or replacement shall be deemed approved. Any processing in a third country may only be carried out under the conditions contained in Chapter V of the General Data Protection Regulation¹ and in compliance with the provisions of this contract.

5.2 If an objection is raised in accordance with item 5.1, the Processor shall be entitled to terminate the Agreement with two weeks' notice to the last day of the month.

5.3 Where the Processor uses another Sub-Processor to carry out certain processing activities on behalf of the Controller, the same data protection obligations shall be imposed on that Sub-Processor by way of a contract, in particular providing sufficient guarantees that appropriate technical and organisational measures will be implemented in such a way that the processing will be carried out in accordance with the requirements of the applicable data protection law.

5.4 If the Sub-Processor fails to comply with its data protection obligations, the Processor shall be liable to the Controller for compliance with the obligations of the Sub-Processor.

¹ Insofar as the Controller is subject to Swiss data protection law: Art. 17 and 18 FADP and Annex 1 FADP.

6. Support

6.1 To the extent possible, the Processor shall support the Controller by taking appropriate technical and organisational measures to fulfil the Controller's obligations in relation to requests to exercise data subject rights under applicable data protection law, including Chapter III of the GDPR.

6.2 The Processor shall fulfil its obligation under item 6.1 fundamentally by forwarding requests received from data subjects to the Controller. To the extent that the Controller deems additional support of the Processor necessary and the Processor agrees to provide such support service, the Processor shall be entitled to claim additional reasonable remuneration therefor.

6.3 In addition, the Processor shall assist the Controller in complying with its obligations under applicable data protection law, including Articles 32 to 36 of the GDPR. The Processor shall do so by (i) taking the measures set out in item 3 ("Confidentiality") and 4 ("Data Security") of this Agreement; (ii) notifying the Controller of a personal data breach in accordance with item 4.3; and (iii) providing the information set out in Annex 1 to this Agreement.

7. Return of personal data

As elected by the Controller, the Processor shall erase or return all personal data within a reasonable period of time after the completion of the processing services, unless there is an obligation to retain the personal data under EU or Member State law. The Processor shall be entitled to an appropriate fee for the return of the data.

8. Audit

8.1 The Processor shall provide the Controller with all information necessary to demonstrate compliance with the obligations set out in this Contract.

8.2 The Processor shall allow for pre-announced audits during business hours by an independent third party. Such audits shall be carried out at reasonable intervals and in a manner that does not disrupt the business of the Processor. Costs incurred by such audits shall be borne by the Controller. The Processor shall be entitled to reasonable remuneration for any services provided in connection with the support of audits.

8.3 The Processor may also fulfil its obligations under item 8.2 by having an audit carried out by an independent third party at least every three years and providing the summary audit results to the Controller.

9. Liability

9.1 The liability of both parties is limited to gross negligence. Liability for mere financial loss is excluded.

9.2 Notwithstanding the foregoing, the Controller shall be liable to the Processor for the lawfulness of all instructions given and shall indemnify and hold the Processor harmless from and against any and all damages and disadvantages resulting from compliance with an instruction.

10. Other

10.1 Amendments to this Agreement shall only be made in writing. This also applies to this written form requirement.

10.2 If any provision of this Agreement is invalid or ineffective, it shall, to the extent permitted by law, be replaced by that provision which economically comes closest to the invalid or ineffective provision.

Annex 1: Details of the data processing performed

Annex 2: Technical and organisational measures for the protection of personal data

Annex 3: Sub-Processors

Annex 1: Details of the data processing performed

Data subjects

The personal data transferred concern the following categories of data subjects: Persons whose personal data is stored in imc Express by the Controller or its employees (e.g. employees or customers of the Controller).

Categories of data

The personal data transmitted belong to the following categories of data: 

  • Photos / Videos
  • Other data stored by the Controller in imc Express (e.g. contact data of data subjects required for the creation of a company presentation).

Categories of sensitive data (if applicable)

The personal data transferred includes the following sensitive data:

 None.

Subject and duration of the processing and processing measures

The personal data transferred will be subject to the following basic processing operations:

Processing within the meaning of Art. 4 No. 2 GDPR for the provision of the product imc Express by the Processor to the Controller.

The duration of the processing and of this Agreement corresponds to the duration of the contract for the provision of the product imc Express by the Processor to the Controller.

Purposes of the processing

The personal data provided will be processed for the following purposes of the Controller:

Use of the product imc Express to create digital documents.

As a matter of principle, no further processing for other purposes takes place.

Annex 2: Technical and organisational measures for the protection of personal data

The Processor shall take the following technical and organisational measures for data security within the meaning of Art. 32 GDPR.

1

1.1 Access control (premises/equipment)

The following technical and organisational measures are used to deny unauthorised parties access to the Processor's data processing facilities.

  • Locking concept for the premises
  • Key regulations and lists
  • Establishment/employment of a reception
  • Keeping visitor logs
  • Staff members accompanying visitors
  • Cleaning services and other service providers are selected with care

1.2 Access control (use of system)

The Processor uses the following technical and organisational measures to ensure that data processing systems cannot be used by unauthorised persons. The following measures have been set up to authenticate users.

  • Login with username and password
  • Anti-virus software on servers
  • Anti-virus software on clients
  • Firewalls
  • Use of VPN with remote access
  • Automatic desktop locks and guidance on manual desktop locking
  • Administration of user rights
  • Creation of user profiles
  • “Secure password” policy
  • “Clean desk” policy
  • General guidelines regarding data protection and data security 

1.3 Access controls (specific data)

The following technical and organisational measures ensure that the authorised users of our data processing systems can only access the data corresponding to their access authorisation and that personal data during processing, use and after storage cannot be read, copied, changed or removed without authorisation.

  • File shredder
  • Physical deletion of data media
  • Logging of access to applications when entering, changing and deleting data
  • Use of authorisation concepts
  • Minimum number of administrators
  • User rights management by administrators

1.4 Separation

The following technical and organisational measures ensure that data that has been collected for different purposes is also processed separately.

  • Provision of dedicated services per customer scenario
  • Logical data separation
  • Authorisation concept for separate processing of data from different customers
  • Separation of development, test and productive systems
  • Segregation of Duties (SoD or separation of functions) between positions in the business process
  • Work instructions to employees to process data collected for different purposes separately from each other

1.5 Pseudonymisation & encryption

The following technical and organisational measures ensure that data can no longer be assigned to specific data subjects without the use of additional information and prevent unauthorised access by third parties:

  • Possibility of pseudonymisation in the productive system
  • Possibility of pseudonymising test data
  • Possibility to pseudonymise individual users in the productive system
  • Internal instruction that personal data in accordance with Art. 32 (1) (a) of the GDPR and Art. 25 (1) of the GDPR, in the event of a transfer or after expiry of the statutory deletion periods, should be anonymised or pseudonymised if possible.

2

2.1 Input controls

Technical and organisational measures are available with the Processor so that the entry, modification and removal of personal data can be checked and identified subsequently. The following measures have been implemented in this regard.

  • Technical logging of the entry, modification and deletion of data
  • Traceability of the entry, modification and deletion through individual user names
  • Manual or automated control of the logs
  • Allocation of rights regarding the entry, modification and deletion of data based on an authorisation concept
  • Clear responsibilities for the deletion of data

2.2 Transfer control

The following technical and organisational measures undertaken by the Processor ensure that unauthorised parties cannot read, copy, change or remove personal data during electronic transmission or during its transport or storage on data carriers.

  • Use of VPN
  • Provision of data via encrypted connections
  • Forwarding of the data in anonymous or pseudonymised form
  • Care in the selection of transport personnel and vehicles

3

The technical and organisational measures below ensure adequate protection against accidental destruction and loss, as well as rapid restoration of the availability of personal data within the company. 

  • Fire and smoke detection systems
  • Fire extinguisher
  • Monitoring of temperature and humidity in the server room
  • Redundant air conditioning of the server room
  • Redundant UPS
  • Protective sockets in the server room
  • Security of cabling
  • Redundant power supply
  • Data storage on RAID systems
  • Backup & recovery concept
  • Capacity measurements
  • Regular data recovery tests and logging of results
  • Storage of backup media in a safe place outside the server room
  • System hardening (deactivation of unnecessary services and components)
  • Prompt and regular installation of available software and firmware updates
  • Identification of IT devices, assets and network systems in the company's internal infrastructure
  • Maintenance list

4

4.1 Data protection management

The Processor fulfils its documentation and accountability obligations under the GDPR in the context of data protection management through the following technical and organisational measures.

  • Use of data protection management software
  • Central documentation of all procedures and data protection regulations with access for staff members as needed and in accordance with authorisation
  • At least an annual review of the technical protective measures
  • Regular training and sensitisation of employees for data protection and information security
  • The company meets its information obligations in accordance with Art. 13 and 14 of the GDPR
  • Formalised processes for the protection of data protection rights 

4.2 Incident response management

The following technical and organisational measures are used within the company to ensure the proper handling and avoidance of security incidents as far as possible.

  • Use and regular updating of firewalls
  • Use and regular updating of spam filters
  • Use and regular updating of virus scanners
  • Documented process for the detection and reporting of security incidents and data breaches
  • Documented procedure for dealing with data breaches
  • Formal process and responsibilities for post-processing of security incidents and data breaches 

4.3 Privacy-friendly default settings

The data protection principles "privacy by design" and "privacy by default" are maintained by the following technical and organisational measures.

  • No more personal data is collected than is necessary for the respective processing purpose.
  • Technical measures ensure that data subjects can easily exercise their right of withdrawal.

4.4 Job control

The Processor ensures proper commissioned data processing by Sub-Processors through the technical and organisational measures below.

  • Prior checking of the security measures taken by the Processor and their documentation
  • Selection of Processors with due care
  • Conclusion of the necessary agreements for commissioned processing
  • Instructions to the Processor in writing
  • Obligation of the employee to maintain confidentiality
  • Agreement on effective control rights vis-à-vis the Processor
  • Regulation for the use of further Sub-Processors
  • Ensuring the destruction of data after completion of the order

Annex 3: Sub-Processors

At the current time, the Processor uses the following Sub-Processors:

³ Services from OpenAI are only used if the "Express GPT" package is activated.