personal data according to Art. 28 GDPR between the customer
hereinafter referred to as "Controller"
and the
Immodio UG (limited liability)
Birkenweg 6
91224 Reichenschwand
hereinafter referred to as "Processor"
as an annex to the main contract (along with annexes and supplementary agreements)
§ 1 Introduction
With reference to the main contract on which this agreement is based, the parties regulate their rights and obligations within the framework of the data protection-compliant processing of personal data on behalf of the controller.
For the terms used in this agreement, the definitions of the General Data Protection Regulation (GDPR) apply.
With regard to all personal data, the customer is the data controller and Immodio UG is the processor. In accordance with Art. 28 (10) GDPR and without prejudice to Art. 82, 83, and 84 GDPR, the processor is considered the controller in respect of this processing if it infringes the General Data Protection Regulation by determining the purposes and means of processing itself.
Tenants, rental applicants, and candidates are collectively referred to as Tenants.
§ 2 Agreement
Subject and Duration of the Order
The processor provides services to the controller based on the main contract. The processor receives personal data from the controller. This agreement is made on the basis of the General Data Protection Regulation (GDPR). It refers to all agreed services and considerations between the contracting parties and to the award and execution of subcontracting agreements.
Purpose of Data Processing (Subject of the Order)
The processor provides, maintains, and supports the software used to handle the business processes of the controller. It is a software solution for landlords, property managers, and agents with which they can organize the rental and management of their properties. For example, through Immodio they can plan viewings, request documents and data from tenants, create rental agreements and handover protocols, and send these to the respective tenants. For tenants there is a tenant portal in which the viewings planned by the landlord are coordinated, tenants can provide data and documents to the landlord, the draft rental contract can be viewed and signed by the tenant, and tenants and landlords can communicate via chat.
Type of Data
The type of data is described in the main contract.
Categories of Data Subjects
The processing only concerns the types of personal data and categories of affected persons specified in the main contract:
Data controller
Tenants of the controller
Duration of the Contract
The duration of this contract corresponds to the duration of the main contract. The controller may terminate the contract at any time if there is a serious breach by the processor of the provisions of this contract or the GDPR, if the processor cannot or will not execute an instruction from the controller, or if the processor illegally refuses contractual or legally required control measures of the controller.
Type and Purpose of Processing; Type of Data; Categories of Affected Persons
The data processing is carried out as specified in the service description of the main contract.
The data processing serves the purpose agreed upon in the main contract.
The processor may only use the personal data provided by the controller for the contractual services. Any further use of the data, especially for the processor's own purposes or for the purposes of third parties, is prohibited.
Type of Data
The data of the controller consists of tenant data, including data regarding the rental object.
Data fields include:
IP addresses
personal contact details
personal data
addresses
tenant keystrokes
credit assessments
proof of creditworthiness (voluntary submission)
identity proofs (voluntary submission)
All other data and documents voluntarily provided by the tenant
The circle of persons affected by the processing of these data includes the controller and the tenants of the controller.
§ 3 Obligations of the Processor
If the processor collects, processes, and/or uses data from the controller, this is done exclusively on behalf and according to the instructions of the controller. The controller remains the data controller in the data protection sense (Art. 4 No. 7 GDPR) and is particularly responsible for the legality of the contractually compliant collection, processing, and/or use of its data. This does not affect the processor's obligation to comply with applicable data protection regulations. According to Art. 28 (10) GDPR, the processor, without prejudice to Art. 82, 83, and 84 GDPR, is considered to be the data controller for violations of data protection provisions in its area of responsibility.
Any collection, processing, and/or use of data from the controller is exclusively carried out within the European Union (EU) or the European Economic Area (EEA).
The processor may only process data of data subjects within the scope of the order and the instructions of the controller, unless an exceptional case within the meaning of Art. 28 (3) lit. a GDPR applies. The processor is obliged to fully comply with the data protection instructions from the main contract and the specific data protection instructions issued by the controller for the collection, processing, and/or use of its data. Instructions must be in writing. Verbally given instructions must be confirmed in writing without delay.
If the processor believes that an instruction violates statutory provisions and/or the main contract, the processor is obliged to inform the controller of this immediately and is entitled to suspend the execution of the instruction until the instruction has been confirmed by the controller.
Requests from data subjects or third parties regarding the agreed data processing must be forwarded to the controller immediately.
The processor must inform the controller immediately about
disruptions and violations by the processor or persons employed by it against data protection provisions or the provisions made in the order,
suspicions of data protection violations or irregularities in the processing of personal data as well as
control actions and measures taken by competent supervisory authorities, insofar as they relate to the contractual services.
The processor supports the controller in fulfilling its obligations under Art. 32 to 36 GDPR. Notifications under these provisions are made exclusively by the controller.
The processor undertakes to maintain confidentiality when processing the personal data of the controller as stipulated in the contract. This obligation also continues after the termination of the contract. Information regarding personal data from the contractual relationship to third parties or data subjects may only be provided by the processor after prior instruction or consent from the controller.
The processor confirms that it is aware of the applicable data protection regulations of the GDPR relevant to the processing.
§ 4 Technical and Organizational Measures under Art. 32 GDPR
The processor undertakes to implement technical and organizational measures to ensure the confidentiality, availability, integrity, and authenticity of the personal data provided by the controller, to the extent prescribed by the relevant data protection regulations (in particular Art. 24 and 32 GDPR); see the list of technical and organizational measures in Annex 1.
The measures taken by the processor must be continuously further developed in coordination with the controller during the contract term and adapted to changing circumstances. Significant changes must be documented in writing and approved by the controller.
The processor is required to conduct a review, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the processing at least annually (Art. 32 (1) lit. d GDPR). If its annual data protection audit or internal audit reveals that there have been no data protection-relevant changes, the processor must inform the controller. In the event of data protection-relevant changes, it must provide the controller with a brief audit report detailing what data protection-relevant changes were made.
The data processed for the controller must be separated from other data records. Copies or duplicates thereof may not be made without the knowledge of the controller.
Data carriers that originate from or are used for the controller must be clearly marked. They must be appropriately stored at all times and must not be accessible to unauthorized persons. Inputs and outputs must be documented.
§ 5 Transfer to Third Countries
The processor undertakes to process and use the personal data provided by the controller exclusively within the territory of the Federal Republic of Germany, in another member state of the European Union, or in another contracting state of the Agreement on the European Economic Area.
Any transfer of data to third countries requires the prior consent of the controller and is additionally subject to the specific requirements of Articles 44 ff. GDPR (e.g., adequacy decision by the Commission, standard data protection clauses, approved codes of conduct).
§ 6 Regulations Regarding the Correction, Deletion and Blocking of Data; Data Return
The processor undertakes to correct, delete, or block data processed for the controller within the framework of the order only in accordance with the contractual agreement or upon explicit instruction from the controller.
After the completion of the contractual services or at the request of the controller, the processor must hand over the provided data in a format to be agreed upon.
After written approval by the controller, the provided data must then be deleted in accordance with data protection regulations, provided that there are no legal retention obligations to the contrary. At the request of the controller, the processor must present the deletion protocol.
§ 7 Quality Assurance and Other Obligations of the Processor
In addition to complying with the regulations of this order, the processor has legal obligations in accordance with Articles 28 to 33 GDPR; in this respect, it ensures, in particular, compliance with the following requirements:
Maintaining a record of processing activities in accordance with Art. 30 (2) GDPR for the processing activities it carries out on behalf of the controller.
Appointment of a data protection officer: If Art. 37 GDPR provides for the appointment of a data protection officer, the processor will appoint a data protection officer who will perform their duties in accordance with Art. 38 and 39 GDPR. The current contact details of the data protection officer will be communicated to the controller for direct contact purposes. Any change of the data protection officer will be communicated to the controller without delay.
Confidentiality: The processor is also obliged to treat all knowledge obtained in the course of the contractual relationship concerning business secrets and data security measures of the controller as confidential, in particular in accordance with Directive (EU) 2016/943 on the protection of trade secrets. This obligation remains in force after the termination of this contract.
Use of suitable personnel: The processor undertakes to employ for the provision of the contractual services only persons who are subordinate to it and who have been familiarized, by appropriate measures, with the legal provisions on data protection and the specific data protection requirements of this contract. These persons must be comprehensively committed in writing to maintain confidentiality and to safeguard the operational and business secrets of the controller. The processor ensures that the personnel subordinate to it process the personal data of the controller only on instructions from the processor. Upon request, the processor must demonstrate this to the controller in an appropriate form.
Implementation and compliance with all technical and organizational measures necessary for this order in accordance with Art. 28 (3) sentence 2 lit. c, 32 GDPR (details in Annex 1 TOMs).
Assistance to the controller by the processor in all inquiries from the supervisory authority and in complying with the obligations under Articles 32 to 36 GDPR.
Immediate notification of the controller regarding control actions and measures taken by the supervisory authority, insofar as they relate to this order. This also applies if a competent authority is investigating the processor in the context of an administrative offense or criminal proceedings regarding the contractually agreed processing of personal data.
Support for the controller if it is subjected to a supervisory authority control, an administrative offense or criminal proceeding, a liability claim from a data subject or a third party, or another claim related to the processing by the processor.
Self-control: The processor regularly checks its internal processes as well as the technical and organizational measures to ensure that processing in its area of responsibility complies with the requirements of applicable data protection law and that the rights of the data subjects are protected.
Demonstrability to the controller, within the scope of its control powers under this contract, of the technical and organizational measures taken (the list of TOMs can be found in Annex 1 to this contract).
§ 8 Subcontractual Relationship
Subcontractual relationships in the sense of this regulation are those services that directly relate to the provision of the main service. This does not include ancillary services that the processor uses, such as telecommunications services, mail/transport services, maintenance and user support, the disposal of data carriers, or other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems, provided that access to personal data can be excluded. However, the processor is obliged to put in place appropriate and legally compliant contractual agreements and control measures to ensure the protection and security of the controller's data even for outsourced ancillary services.
The controller hereby agrees to the engagement of the subcontractors listed in Annex 2 upon signing this contract.
The processor is authorized, within the framework of its contractual obligations, to establish further subcontractual relationships. It must inform the controller in advance and set a reasonable deadline for the controller to oppose the engagement of the subcontractor. If no objection is raised, consent is deemed to have been granted.
The processor undertakes to select the subcontractor carefully, taking into account the suitability of the technical and organizational measures taken by them to protect the personal data, and to oblige them to comply with the relevant data protection provisions in accordance with the stipulations of this contract. This obligation must also include the right of the processor to directly check the compliance with the data protection regulations to the same extent with the subcontractor as is allowed for the controller with the processor under this contract.
The contract with the subcontractors must be formulated in writing or in an electronic format. It must clearly delineate the responsibilities of the processor and the subcontractor. If multiple subcontractors are employed, this also applies to the responsibilities among these subcontractors.
The engagement of subcontractors in third countries may only take place if the special requirements of Articles 44 ff. GDPR are met (e.g., adequacy decision of the Commission, standard data protection clauses, approved codes of conduct).
The forwarding of data to the subcontractor is only permissible after the subcontractor has fulfilled and proven compliance with all requirements of Articles 28 to 36 GDPR and this contract. The processor checks and documents this.
The processor is to regularly, at least annually, adequately verify compliance with the obligations of the subcontractors. The verification and its result must be documented in such a way that they are understandable to a knowledgeable third party. The documentation must be presented to the controller upon request.
The processor is liable to the controller for the compliance of the subcontractor with the statutory and contractual data protection obligations imposed on them by the processor in accordance with this contract.
§ 9 Control Rights of the Controller
The controller has the right to conduct reviews in coordination with the processor or to have them conducted by designated auditors. The controller is entitled to satisfy itself, through random checks in the processor's business operations, that the processor complies with this agreement; such checks are usually to be announced in advance.
The processor ensures that the controller can verify the compliance of the processor's obligations under Art. 28 GDPR. The processor is obliged to provide the controller with the necessary information at the controller's request and in particular to demonstrate the implementation of the technical and organizational measures.
Proof of such measures that do not only concern the specific order can be provided through current certifications, reports, or report excerpts from independent instances (e.g., auditors, internal audits, data protection officer, IT security department, data protection auditors, quality auditors).
§ 10 Instruction Authority of the Controller
Oral instructions must be confirmed by the controller without delay, at least in writing.
The processor must immediately inform the controller if it believes an instruction violates data protection regulations. The processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or modified by the controller.
For support services not included in the service description and/or not attributable to a fault of the processor, the processor may claim reasonable compensation.
§ 11 Liability and Compensation for Damages
Controller and processor are liable to the affected persons according to the provisions set forth in Article 82 GDPR. Otherwise, the provisions of the GDPR shall apply to liability.
§ 12 Information Obligations, Written Form Clause, Choice of Law
If the data of the controller is at risk at the processor due to seizure or confiscation, due to insolvency or settlement proceedings, or due to other events or actions of third parties, the processor must inform the controller immediately. In this context the processor will promptly inform all parties involved that sovereignty over and ownership of the data lies solely with the controller as "controller" in the sense of the General Data Protection Regulation.
Changes and additions to this contract and all of its components, including any assurances from the processor, require a written agreement, which may also be concluded in electronic text form, and an express reference to the fact that it constitutes a change or addition to these terms. This also applies to any waiver of this form requirement.
In the event of any contradictions, the provisions of this contract relating to data protection take precedence over the provisions of the main contract. Should individual parts of this contract be ineffective, this shall not affect the validity of the remaining provisions of the contract.
German law applies.
Annexes
Annex 1 Technical and Organizational Measures
Annex 2 Approved Subcontractors
§ 1 Introduction
With reference to the main contract on which this agreement is based, the parties regulate their rights and obligations within the framework of the data protection-compliant processing of personal data on behalf of.
For the terms used in this agreement, the definitions of the General Data Protection Regulation (GDPR) apply.
With regard to all personal data, the customer is the data controller and Immodio UG is the processor. Notwithstanding Articles (Art.) 28 (10), 82, 83, and 84 of the GDPR, the processor is considered the data controller for this processing if it determines the purposes and means of processing in violation of the General Data Protection Regulation.
Tenants, rental applicants, and candidates are collectively referred to as Tenants.
§ 2 Agreement
Subject and Duration of the Order
The processor provides services to the controller based on the main contract. The processor receives personal data from the controller. This agreement is made on the basis of the General Data Protection Regulation (GDPR). It refers to all agreed services and considerations between the contracting parties and to the award and execution of subcontracting agreements.
Purpose of Data Processing (Subject of the Order)
The processor takes on the provision as well as maintenance and support of the software for handling the business processes of the controller. It is a software solution for landlords, property managers, and agents with which they can organize their rentals and management of their properties. For example, through Immodio, they can plan viewings, request documents and data from tenants, create rental agreements and handover protocols, and send these to their respective tenants. For the tenants, there exists a tenant portal where the viewings planned by the landlord are coordinated, tenants can provide data and documents to the landlord, the rental contract draft can be viewed and signed by the tenant, or tenants and landlords can communicate via chat.
Type of Data
The type of data is described in the main contract.
Categories of Data Subjects
The processing only concerns the types of personal data and categories of affected persons specified in the main contract:
Data controller
Tenants of the controller
Duration of the Contract
The duration of this contract corresponds to the duration of the main contract. The controller may terminate the contract at any time if there is a serious breach by the processor of the provisions of this contract or the GDPR, if the processor cannot or will not execute an instruction from the controller, or if the processor illegally refuses contractual or legally required control measures of the controller.
Type and Purpose of Processing; Type of Data; Categories of Affected Persons
The data processing is carried out as specified in the service description of the main contract.
The data processing serves the purpose agreed upon in the main contract.
The processor may only use the personal data provided by the controller for the contractual services. Any further use of the data, especially for the processor's own purposes or for the purposes of third parties, is prohibited.
Type of Data
The data of the controller consists of tenant data, including data regarding the rental object.
Data fields include:
IP addresses
personal contact details
personal data
addresses
tenant keystrokes
credit assessments
proof of creditworthiness (voluntary submission)
identity proofs (voluntary submission)
All other data and documents voluntarily provided by the tenant
The circle of persons affected by the processing of these data includes the controller and the tenants of the controller.
§ 3 Obligations of the Processor
If the processor collects, processes, and/or uses data from the controller, this is done exclusively on behalf and according to the instructions of the controller. The controller remains the data controller in the data protection sense (Art. 4 No. 7 GDPR) and is particularly responsible for the legality of the contractually compliant collection, processing, and/or use of its data. This does not affect the processor's obligation to comply with applicable data protection regulations. According to Art. 28 (10) GDPR, the processor, without prejudice to Art. 82, 83, and 84 GDPR, is considered to be the data controller for violations of data protection provisions in its area of responsibility.
Any collection, processing, and/or use of data from the controller is exclusively carried out within the European Union (EU) or the European Economic Area (EEA).
The processor may only process data of data subjects within the scope of the order and the instructions of the controller unless there is an exceptional case within the meaning of Art. 28 (3 a) GDPR. The processor is obliged to fully comply with the data protection instructions from the main contract and the specific data protection instructions issued by the controller for the collection, processing, and/or use of its data. Instructions must be in writing. Verbally given instructions must be confirmed in writing immediately.
If the processor believes that an instruction violates statutory provisions and/or the main contract, the processor is obliged to inform the controller of this immediately and is entitled to suspend the execution of the instruction until the instruction has been confirmed by the controller.
Requests from data subjects or third parties regarding the agreed data processing must be forwarded to the controller immediately.
The processor must inform the controller immediately about
disruptions and violations by the processor or persons employed by it against data protection provisions or the provisions made in the order,
suspicions of data protection violations or irregularities in the processing of personal data as well as
control actions and measures taken by competent supervisory authorities, insofar as they relate to the contractual services.
The processor supports the controller in fulfilling its obligations under Art. 32 to 36 GDPR. Notifications under these provisions are made exclusively by the controller.
The processor undertakes to maintain confidentiality when processing the personal data of the controller as stipulated in the contract. This obligation also continues after the termination of the contract. Information regarding personal data from the contractual relationship to third parties or data subjects may only be provided by the processor after prior instruction or consent from the controller.
The processor confirms that it is aware of the applicable data protection regulations of the GDPR relevant to the processing.
§ 4 Technical and Organizational Measures under Art. 32 GDPR
The processor undertakes to implement technical and organizational measures to ensure the confidentiality, availability, integrity, and authenticity of the personal data provided by the controller, to the extent prescribed by the relevant data protection regulations (in particular Art. 24 and 32 GDPR) (see list of technical and organizational measures (Annex 1).
The measures taken by the processor must be continuously further developed in coordination with the controller during the contract term and adapted to changing circumstances. Significant changes must be documented in writing and approved by the controller.
The processor is required to conduct a review, assessment, and evaluation of the effectiveness of the technical and organizational measures to ensure the security of the processing at least annually (Art. 32 (1) lit. d GDPR). If its annual data protection audit or internal audit reveals that there have been no data protection-relevant changes, the processor must inform the controller. In the event of data protection-relevant changes, it must provide the controller with a brief audit report detailing what data protection-relevant changes were made.
The data processed for the controller must be separated from other data records. Copies or duplicates thereof may not be made without the knowledge of the controller.
Data carriers that originate from or are used for the controller must be clearly marked. They must be appropriately stored at all times and must not be accessible to unauthorized persons. Inputs and outputs must be documented.
§ 5 Transfer to Third Countries
The processor undertakes to process and use the personal data provided by the controller exclusively within the territory of the Federal Republic of Germany, in another member state of the European Union, or in another contracting state of the Agreement on the European Economic Area.
Any transfer of data to third countries requires the prior consent of the controller and is additionally subject to the specific requirements of Articles 44 ff. GDPR (e.g., adequacy decision by the Commission, standard data protection clauses, approved codes of conduct).
§ 6 Regulations Regarding the Correction, Deletion and Blocking of Data; Data Return
The processor undertakes to correct, delete, or block data that have been processed within the framework of the order with the controller only in accordance with the contractual agreement or upon explicit instruction from the controller.
After the completion of the contractual services or at the request of the controller, the processor must hand over the provided data in a format to be agreed upon.
After written approval by the controller, the provided data must then be deleted in accordance with data protection regulations, provided that there are no legal retention obligations to the contrary. At the request of the controller, the processor must present the deletion protocol.
§ 7 Quality Assurance and Other Obligations of the Processor
In addition to complying with the regulations of this order, the processor has legal obligations in accordance with Articles 28 to 33 GDPR; in this respect, it ensures, in particular, compliance with the following requirements:
Maintaining a record of processing activities in accordance with Art. 30 (2) GDPR for the processing activities it carries out on behalf of the controller.
Appointment of a data protection officer: If Art. 37 GDPR provides for the appointment of a data protection officer, the processor will appoint a data protection officer who will perform their duties in accordance with Art. 38 and 39 GDPR. The current contact details of the data protection officer will be communicated to the controller for direct contact purposes. Any change of the data protection officer will be communicated to the controller without delay.
Confidentiality: The processor is also obliged to treat all knowledge obtained in the course of the contractual relationship concerning business secrets and data security measures of the controller as confidential, in particular according to the Business Secrets Directive RL 2016/943/EU. This obligation also remains in force after the termination of this contract.
Use of suitable personnel: The processor undertakes to employ only those persons for the provision of the contractual services who are subordinate to it and have been familiarized with the legal provisions on data protection and the specific data protection requirements of this contract by appropriate measures. These persons must be comprehensively committed in writing to maintain confidentiality and to safeguard the operational and business secrets of the controller. The processor ensures that the personnel subordinate to it process the personal data of the controller only on instructions from the processor. The controller has the right to prove this in an appropriate form upon request.
Implementation and compliance with all technical and organizational measures necessary for this order in accordance with Art. 28 (3) sentence 2 lit. c, 32 GDPR (details in Annex 1 TOMs).
Assistance to the controller by the processor in all inquiries from the supervisory authority and in complying with the obligations under Articles 32 to 36 GDPR.
Immediate notification of the controller regarding control actions and measures taken by the supervisory authority, insofar as they relate to this order. This also applies if a competent authority is investigating the processor in the context of an administrative offense or criminal proceedings regarding the contractually agreed processing of personal data.
Support for the controller if it is subjected to a supervisory authority control, an administrative offense or criminal proceeding, a liability claim from a data subject or a third party, or another claim related to the processing by the processor.
Self-control: The processor regularly checks its internal processes as well as the technical and organizational measures to ensure that processing in its area of responsibility complies with the requirements of applicable data protection law and that the rights of the data subjects are protected.
Demonstrability to the controller of the technical and organizational measures taken, within the scope of the controller's control powers under this contract (the list of TOMs can be found in Annex 1 to this contract).
§ 8 Subcontractual Relationship
Subcontractual relationships in the sense of this regulation are those services that directly relate to the provision of the main service. This does not include ancillary services that the processor uses, such as telecommunications services, mail/transport services, maintenance and user service, or the disposal of data carriers and other measures to ensure the confidentiality, availability, integrity, and resilience of the hardware and software of data processing systems if access to personal data can be excluded. However, the processor is obliged to make appropriate and legally compliant contractual agreements and control measures to ensure the protection of data and data security of the controller even in outsourced ancillary services.
The controller hereby agrees to the engagement of the subcontractors listed in Annex 2 upon signing this contract.
The processor is authorized, within the framework of its contractual obligations, to establish further subcontractual relationships. It must inform the controller in advance and set a reasonable deadline for the controller to oppose the engagement of the subcontractor. If no objection is raised, consent is deemed to have been granted.
The processor undertakes to select the subcontractor carefully, taking into account the suitability of the technical and organizational measures taken by them to protect the personal data, and to oblige them to comply with the relevant data protection provisions in accordance with the stipulations of this contract. This obligation must also include the right of the processor to directly check the compliance with the data protection regulations to the same extent with the subcontractor as is allowed for the controller with the processor under this contract.
The contract with the subcontractors must be formulated in writing or in an electronic format. It must clearly delineate the responsibilities of the processor and the subcontractor. If multiple subcontractors are employed, this also applies to the responsibilities among these subcontractors.
The engagement of subcontractors in third countries may only take place if the special requirements of Articles 44 ff. GDPR are met (e.g., adequacy decision of the Commission, standard data protection clauses, approved codes of conduct).
The forwarding of data to the subcontractor is only permissible after the subcontractor has fulfilled and proven compliance with all requirements of Articles 28 to 36 GDPR and this contract. The processor checks and documents this.
The processor is to regularly, at least annually, adequately verify compliance with the obligations of the subcontractors. The verification and its result must be documented in such a way that they are understandable to a knowledgeable third party. The documentation must be presented to the controller upon request.
The processor is liable to the controller for the compliance of the subcontractor with the statutory and contractual data protection obligations imposed on them by the processor in accordance with this contract.
§ 9 Control Rights of the Controller
The controller has the right to conduct reviews in coordination with the processor or to have them conducted by designated auditors. The controller has the right to satisfy itself that the processor complies with this agreement in its business operations through random checks, which are usually to be announced in advance.
The processor ensures that the controller can verify the processor's compliance with its obligations under Art. 28 GDPR. The processor is obliged to provide the controller with the necessary information at the controller's request and in particular to demonstrate the implementation of the technical and organizational measures.
Proof of such measures that do not only concern the specific order can be provided through current certifications, reports, or report excerpts from independent instances (e.g., auditors, internal audits, data protection officer, IT security department, data protection auditors, quality auditors).
§ 10 Instruction Authority of the Controller
Oral instructions must be confirmed by the controller immediately (at least in writing).
The processor must immediately inform the controller if it believes an instruction violates data protection regulations. The processor is entitled to suspend the execution of the corresponding instruction until it is confirmed or modified by the controller.
For support services not included in the service description and/or not attributable to a fault of the processor, the processor may claim reasonable compensation.
§ 11 Liability and Compensation for Damages
Controller and processor are liable to the affected persons according to the provisions set forth in Article 82 GDPR. Otherwise, the provisions of the GDPR shall apply to liability.
§ 12 Information Obligations, Written Form Clause, Choice of Law
If the data of the controller is at risk at the processor due to seizure or confiscation, due to insolvency or settlement proceedings, or due to other events or actions of third parties, the processor must inform the controller immediately. The processor will promptly inform all controllers in this context that the sovereignty and ownership of the data lies solely with the controller as "controller" in the sense of the General Data Protection Regulation.
Changes and additions to this contract and all of its components — including any assurances from the processor — require a written agreement, which may also be in an electronic format (in writing), and express reference to the fact that it constitutes a change or addition to these terms. This also applies to the waiver of this form requirement.
In the event of any contradictions, the provisions of this contract relating to data protection take precedence over the provisions of the main contract. Should individual parts of this contract be ineffective, this shall not affect the validity of the remaining provisions of the contract.
German law applies.
Annexes
Annex 1 Technical and Organizational Measures
Annex 2 Approved Subcontractors
Appendix 1
Technical and Organizational Measures
Art. 32 General Data Protection Regulation (GDPR)
of the Processor
and Security Concept
These technical and organizational measures serve to ensure data security and data protection in the processing of personal data by the Immodio platform in accordance with Art. 32 GDPR. The measures apply to all data processing operations.
Immodio utilizes specialized service providers for various functionalities. Contracts have been entered into with all external partners that meet the requirements of the GDPR.
Security Concept
All office spaces are protected from unauthorized access by locking systems.
No one at Immodio has physical access to the servers, as these are fully operated by external service providers.
All system accesses require multi-factor authentication with at least two different authentication factors, where available.
Professional password managers are employed and complex password policies are enforced organizationally.
Access rights are granted exclusively to the extent necessary for the respective activities.
Access to the production system is limited to a small number of authorized administrators.
System accounts are separated from personalized employee accounts.
All system accesses and actions on the production system are comprehensively documented.
Development, test, and production environments are clearly separated from each other.
Regulated release processes are conducted for software deployments into the production environment.
Data Integrity
Current encryption standards are used for all data transmissions.
Only encrypted connections (HTTPS/TLS) are used for client-server communication.
Connections to all backend systems and databases are protected.
Current antivirus protection is used at all workplaces and regular updates are applied.
Data access by administrative and system accounts on production environments is logged.
Availability
Daily backups of business-critical data are performed.
Order Control
Service providers and processors are selected carefully, with particular consideration of data protection and security aspects.
Corresponding processing contracts and EU standard contractual clauses are concluded.
Organizational Measures
All employees receive regular cyber security training on data protection and IT security.
All employees are committed to maintaining confidentiality.
A data protection officer is appointed.
Continuous awareness programs raise sensitivity to data protection and security issues.
A complete directory of all processing activities in accordance with Art. 30 para. 2 GDPR is maintained.
The data of different customers and user groups are processed separately.
Only anonymized test data is used in development and testing systems.
Security-related events are continuously monitored.
Log files are regularly evaluated to identify anomalies.
Regular reviews of the measures are conducted.
These technical and organizational measures are regularly reviewed and adapted to technical developments, legal changes, and business requirements.
Technical and Organizational Measures
Art. 32 General Data Protection Regulation (GDPR)
of the Processor
and Security Concept
These technical and organizational measures serve to ensure data security and data protection in the processing of personal data by the Immodio platform in accordance with Art. 32 GDPR. The measures affect all data processing operations.
Immodio utilizes specialized service providers for various functionalities. Contracts have been entered into with all external partners that meet the requirements of the GDPR.
Security Concept
All office spaces are protected from unauthorized access by locking systems.
No one at Immodio has physical access to the servers, as these are fully operated by external service providers.
All system accesses require multi-factor authentication with at least two different authentication factors, where available.
Professional password managers are employed and complex password policies are enforced organizationally.
Access rights are granted exclusively to the extent necessary for the respective activities.
Access to the production system is limited to a small number of authorized administrators.
Separation between system accounts and personalized employee accounts
All system accesses and actions on the production system are comprehensively documented.
Development, test, and production environments are clearly separated from each other.
Regulated release processes are conducted for software deployments into the production environment.
Data Integrity
Current encryption standards are used for all data transmissions.
Only encrypted connections (HTTPS/TLS) are used for client-server communication.
Protected connections to all backend systems and databases are available.
Current antivirus protection is used at all workplaces and regular updates are applied.
Data access by administrative and system accounts on production environments is logged.
Availability
Daily backups of business-critical data are performed.
Order Control
Service providers and processors are selected carefully, with particular consideration of data protection and security aspects.
Corresponding processing contracts and EU standard contractual clauses are concluded.
Organizational Measures
All employees receive regular cyber security training on data protection and IT security.
All employees are committed to maintaining confidentiality.
A data protection officer is appointed.
Continuous awareness programs raise sensitivity to data protection and security issues.
A complete directory of all processing activities in accordance with Art. 30 para. 2 GDPR is maintained.
The data of different customers and user groups are processed separately.
Only anonymized test data is used in development and testing systems.
Security-related events are continuously monitored.
Log files are regularly evaluated to identify anomalies.
Regular reviews of the measures are conducted.
These technical and organizational measures are regularly reviewed and adapted to technical developments, legal changes, and business requirements.
Attachment 2
List of Approved Subcontractors
Brevo (France) - CRM, customer support (chat, email, meetings, phone), email marketing
GitBook (USA) - Help pages
GitHub (USA) - Bug reports
Google Analytics (Ireland/USA) - Website analysis
Google Cloud Platform (Ireland/USA) - Cloud backend and authorization
Grafana (USA) - Performance monitoring
Hetzner Online GmbH (Germany) - DNS server and management, email accounts
Hotjar Ltd. (Malta) - User behavior analysis
Sentry.io (USA) - Error reporting and user feedback
Strato AG (Germany) - App hosting
Stripe Payments Europe (Ireland) - Payment processing
Supademo (USA) - Help videos
Zapier (USA) - Process automation
Are you ready to save time and costs?
Simple. Digital. Rented.
With Immodio.
Start today and test the digital rental process and many other features for free.