General terms and conditions and order data processing contract in accordance with Art. 28 GDPR
A. General terms and conditions
Latest update: September 01, 2025
1. Scope and subject matter of contract
1.1 These general terms and conditions apply to the provision and use of the Loady platform (”platform“) from Loady GmbH, Julius-Hatry-Str. 1, 68163 Mannheim, Germany (hereinafter Loady).
1.2 Loady's services are aimed exclusively at customers (”customer (s)“) who are entrepreneurs (Section 14 BGB), a legal entity under public law or a special fund under public law. The provision of services to consumers (§ 13 BGB) is excluded.
1.3 These general terms and conditions apply exclusively; deviating, conflicting or supplementary general terms and conditions of the customer only become part of the contract if and insofar as Loady has expressly agreed to their validity in writing. This consent requirement applies even if, in knowledge of Loady's general terms and conditions, the customer unconditionally accepts the services provided by Loady.
1.4 Loady is entitled to change the service description or the general terms and conditions and other conditions. The provider will only make these changes for valid reasons, in particular due to new technical developments, changes in case law or other equivalent reasons. If the change significantly disrupts the contractual balance between the parties, the change will not be made. Otherwise, changes require the customer's consent.
1.5 The subject of the contract is
(a) Provision of software for use via the Internet and
(b) Allocating storage space on Loady's servers.
1.6 Loady is allowed to involve subcontractors when allocating storage space and ensuring support. The use of subcontractors does not release Loady from its sole obligation to the customer to fully fulfill the contract.
2. Test access and conclusion of contract
2.1 Loady usually provides the customer with a test access/test account for an individually defined period of time. At the end of the test phase, this access will be blocked. There is no need to cancel. It is a voluntary service provided by Loady. Test accounts and free beta version services exclusively for familiarizing yourself with the services, but not for productive work. Loady reserves the right to deactivate test accounts at any time, even without prior notice.
2.2 If a contract is concluded between Loady and the customer, Loady will provide the customer with the latest version of the SOFTWARE via the Internet for the duration of this contract for a fee. For this purpose, Loady sets up the SOFTWARE on a server that is accessible to the customer via the Internet.
2.3 The customer can also select products from the Loadys online offer and collect them in a so-called shopping cart using the “add to shopping cart” button. By clicking on the “Order subject to payment” button, he submits a binding request to purchase the goods in the shopping cart. Before sending the order, the customer can change and view the data at any time. However, the request can only be submitted and transmitted if the customer has accepted these terms and conditions by clicking on the “Accept terms and conditions” button and has thus included them in his request. Loady then sends the customer an automatic confirmation of receipt by e-mail, in which the customer's order is listed again and which the customer can print out using the “Print” function. The automatic confirmation of receipt simply documents that Loady has received the customer's order and does not represent an acceptance of the request. The contract is only concluded when Loady submits the declaration of acceptance, which is sent with a separate e-mail (order confirmation). In this email or in a separate email, the contract text (consisting of order, terms and conditions and order confirmation) is sent to the customer on a durable data carrier (contract confirmation). The text of the contract is stored in compliance with data protection.
2.4 The service description can be found on the website at www.loady.com/de/features be retrieved.
3. Quality of services, test accounts
3.1 Unless otherwise agreed, the quality of the services is based exclusively on Loady's service description. Loady does not guarantee any features or uses of the services that go beyond these specifications. The economic risk of using the services lies with the customer.
3.2 The platform is regularly revised to keep it compatible with current software and hardware environments and to provide new or improved features. Because it is delivered as a platform solution, only the latest version of the platform is usually available. Continuous compatibility with certain browsers, software, or hardware environments cannot therefore be guaranteed. Loady also reserves the right to change, suspend or completely discontinue individual services or functionalities of the platform. Should this result in a significant restriction of the usability of the platform, the customer is entitled to extraordinary termination. In this case, fees for unused periods will be refunded. Further claims by the customer are excluded.
4. Consulting and additional services
4.1 Insofar as Loady provides consulting services in addition to the contractually agreed scope of services, this is done to the best of its knowledge. Information and information about the suitability and use of products and services does not exempt the customer from carrying out his own tests and tests.
4.2 Services that are provided in addition to the provision of the platform (e.g. installation and configuration services, training, migration support) are only owed if they have been expressly ordered. In this case, the agreed fees apply, which are in addition to the license fees for the services. If no fees have been agreed, Loady's standard hourly rates apply.
5. Types of customers
5.1 Loady offers various license models, which customers can purchase in accordance with their role in logistics — shippers, goods recipients, external warehouse logistics operator, site operator or freight forwarder/transport company.
a) If the customer acquires a license as a “shipper” or “distributor”, he can use the platform primarily to manage information and requirements for loading and unloading products at locations, loading and unloading points at his or his business and logistics partners (“logistics information”) in Loady and thus create data sets that he can use and share along his logistics process.
b) If the customer acquires a license as a “recipient of goods” or “operator” of external warehouse logistics or industrial or chemical parks, he can use the platform to manage his information and requirements for loading and unloading products at his loading points and locations in Loady and share them with his business and logistics partners.
c) If the customer acquires a license as a “freight forwarder” or transport company, he can view and use the data records in Loady to which he is activated and share them with his logistics partners.
5.2 By accepting the local regulations, the customer agrees to Loady, according to which Loady may make its location information and geographical coordinates public on Loady's website. This declaration can be withdrawn by selecting an opt-out on the website.
6. Service fees, prices and payment terms
6.1 The customer usually pays a recurring fee for using the platform (”Platform fee“).
6.2 The customer can choose between three pricing models (free, business, enterprise). The pricing models mentioned include various features, which are available under https://www.loady.com/de/preise are shown.
6.3 The prices agreed between the parties apply. Loady is entitled to adjust the prices at any time with a notice period of at least four (4) weeks by e-mail or via the platform and before the contractually agreed cancellation period expires. The adjusted platform fee comes into force at the time specified in the notification, but is only valid for the current contract period when the term is extended.
6.4 The prices shown are net prices, unless they are expressly stated as gross prices.
6.5 If the general inflation rate according to the German consumer price index rises by more than 5% within a current contract period, Loady is entitled to adjust prices accordingly during this contract period as well.
6.6 Unless otherwise agreed, the platform fee must be paid in advance at the beginning of the agreed contract period and its extensions for the entire term. If payment intervals have been agreed, the platform fee is due at the start of each such payment interval.
6.7 The customer can expand their service package during an ongoing contract period (e.g. by adding products, charging points or transport routes, API connectors or by upgrading to a higher service package). The additional platform fee is calculated on a pro rata basis for the remainder of the current contract period. Downgrades (e.g. by reducing products, charging points or transport routes, API connectors or by downgrading to a lower service package) are only possible when the term is extended.
6.8 If the customer uses the services beyond the contractually agreed scope or makes them available to third parties, Loady is entitled to recalculate the fees based on actual use.
6.9 The customer must raise objections to the billing of the services provided by Loady in writing to the office specified on the invoice within a period of eight weeks after receipt of the invoice. After expiry of the above period, the invoice is considered approved by the customer. Loady will particularly inform the customer of the significance of his conduct when sending the invoice.
7. Support
7.1 The scope of support is set out in the support policy, available at www.loady.com/support-policy.
7.2 Loady will answer the customer's inquiries about the use of the contractual SOFTWARE and other SaaS services within business hours in accordance with the Support Policy upon receipt of the respective question by telephone or in text form.
8. Customer obligations
8.1 The customer undertakes not to store any illegal content that violates laws, official requirements or the rights of third parties on the storage space provided.
8.2 The customer is obliged to prevent unauthorized access by third parties to the protected areas of the SOFTWARE by taking appropriate measures. For this purpose, the customer will, if necessary, inform his employees of compliance with copyright law.
8.3 Notwithstanding Loady's obligation to back up data, the customer himself is responsible for entering and maintaining the data and information required to use the SaaS services.
8.4 The customer is obliged to check his data and information for viruses or other harmful components before entering them and to use state-of-the-art virus protection programs for this purpose.
8.5 In order to access the SaaS services, the customer will generate a “user ID” and a password himself, which are required to continue using the SaaS services. The customer is obliged to keep the “user ID” and password secret and not to make them available to third parties. The use of SaaS services is accessed via an e-mail address provided by the customer and a password chosen by the customer himself. The customer is obliged to keep his access data confidential, to protect it from access by third parties and to change it immediately if misuse is suspected.
8.6 The content stored by the customer in the storage space intended for him may be protected by copyright and data protection law. The customer hereby grants Loady the right to make the content stored on the server available to the customer via the Internet when making inquiries and, in particular, to reproduce and transmit it and to be able to reproduce it for the purpose of data backup.
9. Interruption/impairment of accessibility
9.1 Adjustments, changes and additions to the contractual SaaS services as well as measures aimed at identifying and correcting functional disorders will only lead to a temporary interruption or impairment of availability if this is absolutely necessary for technical reasons.
9.2 Loady provides the software with an annual availability of 99%. Excluded are times when the server is unavailable due to other technical problems that are beyond Loady's control (e.g. force majeure). Scheduled maintenance work (e.g. software updates) that take place outside Monday to Friday between 9:00 and 17:00 BST/CEST/CET (“normal business hours”) is also excluded.
9.3 If error messages are received outside support hours, troubleshooting begins no later than the following working day.
10. Rights of use
10.1 Loady grants the customer the non-exclusive and non-transferable right to use the SOFTWARE referred to in this contract as intended within the scope of the SaaS services for the duration of the contract.
10.2 The customer may only process the SOFTWARE to the extent that this is covered by the intended use of the SOFTWARE in accordance with the current service description.
10.3 The customer may only reproduce the SOFTWARE to the extent that this is covered by the intended use of the software in accordance with the current service description. The necessary duplication includes loading the SOFTWARE into the main memory on the Loadys server, but not the installation or storage of the SOFTWARE on data carriers (such as hard drives, etc.) of the hardware used by the customer.
10.4 The customer is not entitled to make the SOFTWARE available to third parties for use in return or free of charge. The customer is therefore expressly prohibited from renting out the SOFTWARE.
11. User accounts and administration
11.1 The customer can set up user accounts for his employees to use the platform. Unless otherwise agreed, the number of user accounts is not limited.
11.2 Unless otherwise agreed, user accounts can only be set up for the customer's employees. In the case of the Loady Enterprise Company service type, user accounts can also be set up for employees of the customer's affiliated companies. For other types of services, user accounts for the customer's subsidiaries are excluded and require a separate license from the subsidiary or a license for the customer's entire group of companies.
11.3 The customer is responsible for managing user accounts. This includes deactivating user accounts in the event that a user is no longer an employee of the customer.
11.4 The customer ensures that all users comply with this agreement. Employees of the customer or other persons for whom the customer creates user accounts are considered vicarious agents of the customer for the purposes of this agreement (§ 278 BGB).
12. late payment
12.1 If payment deadlines are exceeded by more than fourteen (14) days, the customer is in default without the need for a separate reminder.
12.2 Failure to pay remuneration when due constitutes a significant breach of contractual obligations.
12.3 If the customer defaults on payment, Loady is entitled to charge default interest, namely when invoiced in euro in the amount of 9 percentage points above the base interest rate announced by the Deutsche Bundesbank at the time the default occurred. The assertion of further damage caused by Loady by Loady remains unaffected.
13. Liability for defects and liability
13.1 Loady guarantees the functionality and operational readiness of the SaaS services in accordance with the terms of this contract.
13.2 In the event that services are claimed by unauthorised third parties using the customer's login details, the customer is liable for resulting charges within the scope of civil liability until receipt of the customer order to change the access data or report the loss or theft, provided that the customer is at fault for access by the unauthorised third party.
13.3 Loady is entitled to immediately block storage space if there is reasonable suspicion that the stored data is illegal and/or infringes the rights of third parties. There is a reasonable suspicion of illegality and/or an infringement of law in particular when courts, authorities and/or other third parties inform Loady of this. Loady must immediately inform the customer of the suspension and the reason for it. The suspension must be lifted as soon as the suspicion is dispelled.
13.4 Claims for damages against Loady are excluded regardless of the legal basis, unless Loady, its legal representatives or vicarious agents have acted intentionally or grossly negligently. Loady is only liable for slight negligence if one of the essential contractual obligations has been breached by Loady, its legal representatives or senior employees or vicarious agents. Loady is only liable for foreseeable damage, which must typically be expected to occur. Significant contractual obligations are obligations which form the basis of the contract, which were decisive for the conclusion of the contract and on whose fulfilment the customer may rely.
13.5 Loady is not liable for loss of data insofar as the damage is due to the customer's failure to carry out data backups and thus ensure that lost data can be recovered with reasonable effort.
13.6 Loady is liable without limitation for damage caused intentionally or negligently as a result of injury to life, limb or health by Loady, its legal representatives or vicarious agents.
13.7 Loady guarantees the functionality and operational readiness of the SaaS services in accordance with the terms of this contract.
14. limitation period
14.1 The limitation period for claims arising from defects in services, including legal defects, is one year from delivery or performance. Insofar as acceptance has been agreed, the limitation period begins with acceptance.
14.2 The limitation period for contractual and tort claims for damages is one year from the start of the statutory limitation period.
14.3. By way of derogation from the above paragraphs, the statutory limitation periods apply, insofar as they are mandatory by law, in cases of intent and gross negligence and in the cases referred to in Section 14.2.
15. Right to offsetting, right of retention
15.1 The customer is only entitled to offset or assert retention rights if his counterclaims are undisputed or have been legally established.
15.2 If there are reasonable doubts about the customer's solvency, in particular in the event of late payment, Loady may revoke payment terms granted without affecting further claims and make further deliveries and services dependent on the provision of other securities or advance payments.
16. Duration and termination
16.1 The contractual relationship begins at the time the contract is concluded, unless the parties have agreed otherwise. The contract may be terminated by both parties at the end of the minimum contract period of one year with a notice period of three (3) months. Otherwise, the contract is automatically extended by the duration of the agreed minimum contract period, although the notice period of 3 months to the end of the contract period also applies for extended contractual relationships.
16.2 The right of each contracting party to terminate the contract without notice for good cause remains unaffected. In particular, the provider is entitled to terminate without notice if the customer fails to make payments due despite a reminder and a grace period or breaches the contractual provisions for the use of the SaaS services. In any case, termination without notice requires that the other party is warned in writing and asked to provide the alleged reason without notice to remove the notice within a reasonable period of time.
16.3 Loady is entitled to terminate the contract extraordinarily if the platform is discontinued altogether. Loady will inform the customer of this in advance with a reasonable period of time. In this case, Loady will refund the customer any fees received for unused subscription periods.
16.4 After termination of this contract, the customer is obliged to stop using the services and return or destroy them to Loady at the request of Loady and the user documentation received.
16.5 After termination of this contract, Loady gives the customer the opportunity to export the data stored on the platform into a general data format for a period of one (1) month. Any support from Loady is chargeable and requires a separate agreement between the parties.
16.6 In the event of termination of the contract, those provisions shall continue to apply which, in accordance with their meaning and purpose, are intended to survive the contract. This applies in particular to the provisions on property rights and licenses, warranty, liability, confidentiality, data protection and final provisions.
17. Force majeure
17.1 Should events and circumstances whose occurrence is beyond Loady's sphere of influence (such as natural disasters, epidemics, war, industrial disputes, lack of raw materials and energy, traffic and operational disruptions, fire and explosion damage, public law orders) restrict the ability to provide services in such a way that Loady is unable to fulfill its contractual obligations (sub-partial consideration of other internal or external performance obligations), Loady (i) is of the disorder and to the extent of its effect from exempts from contractual obligations and (ii) is not obliged to procure the services from third parties.
17.2 Sentence 1 also applies insofar as the events and circumstances make the execution of the affected transaction sustainably uneconomical for Loady or exists with Loady's upstream suppliers. If these events last longer than three (3) months, Loady is entitled to withdraw from or terminate the contract.
18. place of performance
Regardless of the place of delivery of the goods or documents or the place where the services are provided, the place of fulfilment for the customer's payment obligation is the registered office of Loady.
19. Jurisdiction
If the contracting parties are merchants, legal entities under public law or special funds under public law, the exclusive place of jurisdiction is the registered office of Loady. However, Loady is also entitled to sue at the customer's general place of jurisdiction.
20. Applicable Law
The contractual relationship is subject to the laws of the Federal Republic of Germany, excluding the UN Sales Convention.
21. Miscellaneous
21.1 No additional oral agreements have been made. Amendments or additions to this contract must be made in writing (§ 126 BGB). This also applies to the waiver of the written form requirement.
21.2 Should one or more provisions of the contract prove to be ineffective, void or incomplete, this does not affect the effectiveness of the remaining provisions of the contract. The parties will — where appropriate in the appropriate form — replace the invalid or void provision with such a provision or fill the gap in the contract with such a provision with which the economic purpose pursued by them can best be achieved. If the invalidity or invalidity of a provision is based on a measure of performance or time (deadline or deadline), a legally permissible measure takes the place of the ineffective or invalid provision of performance or time.
B. Order data processing contract in accordance with Art. 28 GDPR
preamble
The client would like to commission the contractor for the services specified in § 2. The processing of personal data is part of the execution of the contract. In particular, Article 28 GDPR imposes certain requirements on such order processing. To meet these requirements, the parties conclude the following agreement.
1. Definitions
For terms used in this agreement, for which Article 4 GDPR provides a definition, this legal definition in the version valid at the time the contract is concluded also applies to this contract.
2. Subject matter of the contract
2.1 The contractor provides the client with services in the area of the Loady platform. In doing so, the contractor and his employees or agents commissioned by the contractor have access to personal data and process them exclusively on behalf of and in accordance with the instructions of the client. The scope and purpose of data processing by the contractor result from the main contract (and, if available, from the associated service description) and from the Appendix 1 about this contract. The client is responsible for assessing the admissibility of data processing.
2.2 In order to specify the mutual data protection rights and obligations, the parties conclude this agreement. In case of doubt, the provisions of this contract take precedence over the provisions of the main contract.
2.3 The term of this contract depends on the duration of the main contract, unless the following provisions result in obligations beyond the term of the main contract. Cancellation rights arising from this contract remain unaffected by the above provision.
2.4 The present agreement remains valid beyond the end of the main contract as long as the contractor has personal data that was provided to him by the client or that he has collected for him.
2.5 The contractually agreed data processing is provided exclusively in a member state of the European Union or another state party to the Agreement on the European Economic Area. Any transfer to a third country requires the prior consent of the client and may only take place if the special requirements of Art. 44 et seq. of the GDPR are met.
3. Right to issue instructions
3.1 The contractor may only process data within the framework of the main contract and in accordance with the client's instructions. If the contractor is required to carry out further processing under the law of the European Union or the Member States to which he is subject, he shall inform the client of these legal requirements before processing, provided that he is legally permitted to do so.
3.2 The client's instructions are initially defined by this contract and can then be amended, supplemented or replaced by individual instructions in writing or in text form (individual instruction). The client is entitled to issue appropriate instructions at any time. This includes instructions regarding the correction and deletion of data and the restriction of processing. The persons entitled to issue instructions are set out in Appendix 4. In the event of a change or a longer-term prevention of the named persons, the successor or representative must be named to the contractual partner immediately in text form.
3.3 All instructions issued by both the client and the contractor must be documented. Instructions that go beyond the service agreed in the main contract will be treated as a request for a change in performance. Rules on any remuneration for additional expenses arising from supplementary instructions from the client to the contractor remain unaffected.
3.4 If the contractor is of the opinion that an instruction from the client violates data protection regulations, he must immediately inform the client of this. The contractor is entitled to suspend execution of the relevant instruction until it is confirmed or amended by the client. The contractor may refuse to carry out a manifestly unlawful instruction.
4. Type of data processed, group of data subjects
As part of the execution of the main contract, the contractor receives access to the Appendix 1 More specifically specified personal data of the data subjects also specified in more detail in Appendix 1.
5. Contractor's protective measures
5.1 The contractor is obliged to comply with the legal provisions on data protection and not to pass on the information obtained from the client's area to third parties without appropriate instructions or to suspend their access. Paper documents and data must be protected against access by unauthorised persons, taking into account the state of the art.
5.2 In his area of responsibility, the contractor will design the internal organization in such a way that it meets the specific requirements of data protection. The contractor guarantees that it has taken all necessary technical and organizational measures to adequately protect the client's data in accordance with Article 32 GDPR, in particular at least the measures listed in Appendix 2. If special categories of personal data are also processed, the contractor will also take the appropriate and specific measures resulting from Section 22 (2) BDSG, which are specified in more detail in Appendix 2. At the client's request, the contractor shall disclose the detailed circumstances of determining which measures are being taken and the implementation of the measures.
The contractor reserves the right to improve the security measures taken, ensuring that the level of protection does not fall below the contractually agreed level and that the client is immediately informed of significant changes.
5.3 Data protection officer or — if a data protection officer does not have to be appointed in accordance with Article 37 (1) GDPR or Section 38 BDSG or a state data protection law: The contractor publishes the contact details of the data protection officer on his website and communicates them to the data protection supervisory authority. At the client's request, the contractor provides appropriate evidence of publication and notification. The client must be notified immediately of any change in the person of the data protection officer/contact person for data protection.
5.4 Persons employed during data processing by the contractor are prohibited from processing personal data without authorization. The contractor will oblige all persons who are entrusted by him with the processing and performance of this contract (hereinafter referred to as employees) accordingly (obligation of confidentiality, Art. 28 para. 3, paragraph 1 p. 2 lit. b GDPR), of the special data protection obligations arising from this contract and the existing instruction or purpose obligation and ensure compliance with the above obligation with due care. These obligations must be formulated in such a way that they remain in place even after the termination of this contract or the employment relationship between the employee and the contractor. Upon request, the client must prove the obligations of the employees in an appropriate manner.
6. Information obligations of the contractor
6.1 In the event of disruptions in processing activities, suspicion of data breaches or breaches of contractual obligations on the part of the contractor, or suspicion of other security-related incidents at the contractor, persons employed by him as part of the order or by third parties, the contractor will immediately inform the client in writing or text form. The same applies to inspections of the contractor by the data protection supervisory authority concerning processing or facts relevant to the client. The report of a personal data breach includes, as far as possible, the following information:
a) a description of the nature of the personal data breach, including, as far as possible, the categories and number of data subjects, the categories concerned and the number of personal data sets affected
b) a description of the likely consequences of the injury
c) a description of the measures taken or proposed by the contractor to remedy the breach and, where appropriate, measures to mitigate its potential adverse effects
6.2 The contractor shall immediately take the necessary measures to secure the affected data and to reduce possible adverse consequences for the person (s) concerned, shall inform the client of this, ask him for further instructions and provide the client with further information at any time, insofar as his data is affected by a breach in accordance with paragraph 1.
6.3 Should the client's data be endangered by the contractor as a result of seizure or seizure, insolvency or settlement proceedings or other events or measures taken by third parties, the contractor must immediately inform the client of this, unless he is prohibited from doing so by a court or official order. In this context, the contractor will immediately inform all competent authorities that the decision-making authority over the data lies exclusively with the client.
6.4 The contractor must immediately inform the client of significant changes to the security measures in accordance with Section 6 (2).
6.5 The contractor keeps a list of all categories of processing activities carried out on behalf of the client, which contains all information in accordance with Article 30 (2) GDPR. The list must be made available to the client upon request.
6.6 The contractor must participate to an appropriate extent in drawing up the list of procedures by the client and in preparing a data protection impact assessment in accordance with Article 35 GDPR and, where applicable, in prior consultation with data protection supervisory authorities in accordance with Article 36 GDPR. He must provide the client with the required information in an appropriate manner.
7. Client's control rights
7.1 Before starting data processing and then regularly, the client is convinced of the contractor's technical and organizational measures. For this purpose, he may, for example, obtain information from the contractor, have existing certificates presented to him by experts, certifications or internal audits, or, if possible, personally check the contractor's technical and organizational measures after timely coordination during normal business hours or have them checked by an expert third party, provided that the contractor is not in a competitive relationship with the contractor. The client will only carry out checks to the extent necessary and will not disproportionately disrupt the contractor's operations.
7.2 The contractor undertakes, at the client's oral or written request, within a reasonable period of time, to provide the client with all information and evidence necessary to carry out an inspection of the contractor's technical and organizational measures in accordance with Appendix 2 are required.
7.3 The client documents the results of the checks carried out by him and communicates them to the contractor. In the event of errors or irregularities, which the client discovers, in particular when examining order results, he must immediately inform the contractor. If, during the inspection, facts are identified whose future prevention requires changes to the ordered procedural flow, the client shall immediately inform the contractor of the necessary procedural changes.
7.4 At the client's request, the contractor shall provide the client with a comprehensive and up-to-date data protection and security concept for order processing and for persons authorized to access it.
7.5 The contractor shall prove to the client the obligation of employees in accordance with Section 6 (4) upon request.
8. Use of subcontractors
8.1 The contractually agreed services or the partial services described below are carried out with the involvement of the subcontractors listed in Appendix 3. As part of its contractual obligations, the contractor is authorized to establish further subcontracting relationships with subcontractors (“subcontractor relationship”). He shall immediately inform the client of this. The contractor is obliged to carefully select subcontractors based on their suitability and reliability. When engaging subcontractors, the contractor must oblige them in accordance with the provisions of this agreement and ensure that the client can also exercise its rights under this agreement (in particular its testing and control rights) directly vis-à-vis the subcontractors. If subcontractors are to be involved in a third country, the contractor must ensure that the respective subcontractor guarantees an appropriate level of data protection (e.g. by concluding an agreement based on EU standard data protection clauses). On request, the contractor will prove to the client that the above agreements have been concluded with its subcontractors
8.2 A subcontractor relationship within the meaning of these provisions does not exist if the contractor engages third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunications services without specific reference to services provided by the contractor for the client, and security services. Maintenance and testing services represent subcontractor relationships within the meaning of paragraph 1, insofar as these are provided for IT systems that are also used in connection with the provision of services to the client.
9. Requests and rights of data subjects
9.1 The contractor supports the client with appropriate technical and organizational measures in fulfilling the client's obligations under Articles 12—22 and 32 and 36 GDPR.
9.2 If a data subject asserts rights, for example to provide information, correct or delete their data, directly against the contractor, the contractor does not react independently, but immediately refers the data subject to the client and awaits his instructions.
10. Liability
10.1 Clients and contractors are liable to affected persons in accordance with the provision set out in Article 82 of the GDPR. The contractor agrees with the client on any fulfilment of liability claims.
10.2 The contractor releases the client from all claims that data subjects assert against the client due to the breach of an obligation imposed on the contractor by the GDPR or due to failure to comply with or breach of an obligation set out in this agreement or an instruction issued separately by the client.
10.3 The parties release themselves from liability if/insofar as a party proves that it is in no way responsible for the fact that the damage occurred to an affected person. Otherwise, Article 82 (5) of the GDPR applies.
10.4 Unless otherwise stated above, liability under this contract is equal to that of the main contract.
11. Extraordinary right of termination
The client may terminate the main contract in whole or in part without notice if the contractor fails to fulfill its obligations under this contract, violates the provisions of the GDPR intentionally or grossly negligently, or cannot or does not want to carry out an instruction from the client. In the case of simple — i.e. neither intentional nor grossly negligent — violations, the client shall set the contractor a reasonable period within which the contractor can remedy the infringement.
12. Termination of the main contract
12.1 After termination of the main contract or at any time at the client's request, the contractor will return all documents provided to him in paper form, data and data carriers or — at the client's request, unless there is an obligation to store personal data under Union law or the law of the Federal Republic of Germany. The obligation to surrender or destroy also applies to any data backups made by the contractor. The contractor must provide documented proof of proper deletion.
12.2 The client has the right to check the complete return or deletion of data from the contractor in an appropriate manner or to have it checked by an expert third party, provided that the latter is not in a competitive relationship with the contractor.
12.3 The contractor is obliged to keep confidential the information that has become known to him in connection with the main contract even after the end of the main contract.
13. Final provisions
13.1 The parties agree that the contractor has no right of retention with regard to the data to be processed and the associated data carriers.
13.2 Amendments and additions to this contract, the declaration of termination and the amendment of this clause must be made in writing in order to be effective (Section 126 (1), 2 BGB). The replacement of written form by electronic form (§§ 126 para. 3, 126 a BGB) or text form (§ 126 b BGB) is excluded. The primacy of individual contract agreements remains unaffected by this.
13.3 Should individual provisions of this agreement be or become invalid or unenforceable in whole or in part, this shall not affect the validity of the remaining provisions.
13.4 This agreement is subject to German law. The sole place of jurisdiction is the registered office of the contractor.
plants
Appendix 2: Technical and organizational measures taken by the contractor
Appendix 3: List of subcontractors