Data Processing Agreement of IONOS Cloud

1. Subject-matter and duration of the processing

1.1. The subject matter of this Data Processing Agreement (hereafter the “Agreement”) is the rights and obligations of the parties in the context of the provision of services in accordance with the Terms of Services and General Terms and Conditions (hereinafter referred to as the “Main Contract”), insofar as IONOS SE (hereinafter referred to as the “Processor”) processes personal data according to Art. 28 GDPR on behalf of the Customer as controller (hereinafter referred to as the “Customer”); the Processor and the Customer are together referred to as the “Parties”. This includes all activities that the Processor performs to fulfil the Main Contract and that constitute data processing on behalf of the controller. This also applies if the order does not explicitly refer to this Agreement.

1.2. Under this Agreement, the Parties agree that the terms “controller”, “data subject”, “personal data”, “processing”, “processor” and “third party/ies” shall have the meaning assigned to them in Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (the “GDPR”).

1.3. The duration of the processing is dependent on the actual processing of personal data of the Customer by the Processor.

1.4. The duration of the processing corresponds to the term agreed in the Main Contract.

2. Nature and purpose of the processing

2.1. Nature of the processing: The Processor shall provide the Customer, via the internet, with flexible virtualised infrastructure (Infrastructure as a Service, hereinafter referred to as “IaaS”) on servers, storage devices and networks that are not reserved exclusively for the Customer. The Customer shall configure its own virtual data center (IONOS Cloud Virtual Data Center) as required with the aid of a graphical user interface (Data Center Designer) or the application programming interface provided. The commissioned service components (CPU performance, cores, RAM, server, storage, network cards and Internet connection) are configured and administered by the Customer on its own responsibility. The Customer independently determines which data is stored on the configured servers.

2.2. Purposes of processing: The delivery of cloud and IaaS solutions.

3. Type of personal data and categories of data subjects

3.1. Type of personal data: The Customer is responsible for determining the purpose.

3.2. Categories of data subjects: Employees and clients. See also section 2 of this Agreement.

4. Responsibility and processing on documented instructions

4.1. The Customer is solely responsible for complying with the legal requirements of data protection laws, in particular the legality of the transfer of data to the Processor and the legality of the data processing under this Agreement. This also applies to the purposes and means of processing set out in this Agreement.

4.2. The instructions are initially determined by the Main Contract and can subsequently be changed by the Customer in writing or in electronic form (text form) by means of individual instructions. Verbal instructions must be confirmed immediately in writing or in text form. The instructions must be documented by the Customer and retained for at least the duration of the contractual relationship. In the event of proposed changes, the Processor shall inform the Customer of the effects that these will have on the agreed services, in particular on the feasibility of providing the services, on deadlines and on remuneration. If the implementation of the instruction is not reasonable for the Processor, the Processor is entitled to terminate the processing and the contract with immediate effect. Once the Processor ceases to provide the service, the Customer’s obligation to make payments also ceases. Unreasonableness exists in particular if the services are provided on an infrastructure that is used by several Customers of the Processor (shared services) and a change in the processing for individual Customers is not possible or is unreasonable.

4.3. The contractually agreed data processing takes place in a Member State of the European Union or in another contracting state of the Agreement on the European Economic Area, unless a transfer of data to third countries becomes necessary in order to provide the service. In the event that a transfer to a third country takes place, the Processor shall ensure that the requirements pursuant to Art. 44 ff. GDPR are fulfilled.

5. Rights of the Customer, obligations of the Processor

5.1. The Processor may process data of data subjects only on the documented instructions of the Customer. However, there is no obligation to comply with instructions if an exceptional circumstance as defined in Art. 28 (3) (a) GDPR (an obligation under the law of the European Union or of a Member State) arises. This also applies to transfers of personal data to third countries or international organisations. If there is a processing obligation contrary to an instruction, the Processor shall inform the Customer of the relevant legal requirement prior to the processing, unless the relevant law prohibits such information on important grounds of public interest. The Processor shall inform the Customer without delay if it considers that an instruction violates applicable law. The Processor may suspend the implementation of the instruction until it has been confirmed or modified by the Customer.

5.2. In the light of the nature of the processing, the Processor shall, as far as possible, assist the Customer with appropriate technical and organisational measures in order to fulfil the rights of the data subjects laid down in Chapter III of the GDPR. The Processor is entitled to demand appropriate compensation from the Customer for these services, unless the support was required due to a breach of law or a breach of contract by the Processor. The Processor shall provide the Customer with cost information in advance.

5.3. The Processor shall assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to the Processor. The Processor is entitled to demand appropriate compensation from the Customer for these services, unless the support was required due to a breach of law or a breach of contract by the Processor. The Processor shall provide the Customer with cost information in advance.

5.4. The Processor ensures that the employees involved in the processing of the data of the Customer and other persons acting on behalf of the Processor are prohibited from processing the data outside the instruction issued. Furthermore, the Processor ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. The obligation of confidentiality/secrecy persists even after the order has been completed.

5.5. The Processor shall inform the Customer immediately if it becomes aware of a personal data breach affecting personal data of the Customer. The Processor shall take the necessary measures to safeguard the data and to mitigate possible adverse consequences for the data subjects.

5.6. The Processor guarantees the written appointment of a Data Protection Officer, who shall carry out his/her activity in accordance with Art. 38 and 39 GDPR. A contact option will be published on the website of the Processor.

5.7. At the end of the provision of the processing services, the Processor will, at the choice of the Customer, either delete or return the personal data, unless there is an obligation under European Union or national law to retain the personal data. If the Customer does not exercise this option, deletion is deemed agreed. If the Customer chooses to return, the Processor can demand a reasonable compensation. The Processor shall provide the Customer with cost information in advance.

5.8. If a data subject asserts claims for compensation according to Art. 82 GDPR, the Processor shall support the Customer in defending the claims within the scope of its possibilities. The Processor may require an appropriate remuneration for this, unless the claims for damages are a result of the Processor's violation of legal or contractual obligations.

6. Obligations of the Customer

6.1. The Customer must immediately and completely inform the Processor if it identifies errors or irregularities with regard to data protection regulations when carrying out the order.

6.2. In the event of termination, the Customer undertakes to delete the personal data it has stored during the term of the service before the contract ends.

6.3. At the request of the Processor, the Customer appoints a contact person for data protection matters.

7. Requests from the data subjects

The Processor shall promptly notify the Customer of any request it receives from a data subject. It shall not respond to the request itself unless authorised to do so by the Customer. The Processor shall assist the Customer in fulfilling its obligation to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing. In fulfilling these obligations, the Processor shall comply with the Customer’s instructions. The Processor shall not be liable if the request of the data subject is not answered by the Customer, is not answered correctly or is not answered in due time.

8. Measures for the security of processing according to Art. 32 GDPR

8.1. The Processor will take appropriate technical and organisational measures in its area of responsibility to ensure that the processing is carried out in accordance with the requirements of the GDPR and to ensure the protection of the rights and freedoms of the data subjects. In accordance with Art. 32 GDPR, the Processor shall take appropriate technical and organisational measures to ensure the ongoing confidentiality, integrity, availability and resilience of the processing systems and services.

8.2. The current technical and organisational measures of the Processor can be found under the following link >>. The Processor clarifies that the technical and organisational measures listed under the link are merely descriptions of a technical nature and are not to be regarded as part of this Agreement.

8.3. The Processor will operate a procedure for the regular review of the effectiveness of the technical and organisational measures to ensure the security of processing in accordance with Art. 32 (1) lit. d) GDPR.

8.4. Over time, the Processor will adapt the measures taken to developments in the state of the art and in the risk situation. The Processor reserves the right to change the technical and organisational measures taken, provided that the level of protection required under Art. 32 GDPR is maintained.

9. Proof and verification

9.1. The Processor shall provide the Customer with all the information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR and shall allow and contribute to audits, including inspections, carried out by the Customer or by another auditor appointed by the Customer. The Processor is entitled to demand a declaration of confidentiality from the Customer and its appointed auditor, which, however, shall not prevent the Customer from providing evidence itself to its competent supervisory authority. The Processor agrees to the appointment of an independent external auditor by the Customer, provided that the Customer provides the Processor with a copy of the audit report. The Processor may refuse competitors of the Customer, or persons working for competitors of the Customer, as auditors.

9.2. As evidence of compliance with the obligations set out in Art. 28 GDPR, the Customer is in general satisfied with the ISO 27001 certifications provided. The current certificate is provided by the Processor on its website.

9.3. Insofar as the Customer asserts legitimate doubts, based on factual indications, as to whether these certifications are sufficient or appropriate, or if particular incidents within the meaning of Art. 33 (1) GDPR in connection with the execution of the data processing on behalf of the Customer justify this for the Customer, it may perform inspections. These can be carried out during normal business hours without undue disruption of business operations, usually with prior notification (unless it appears necessary to carry out an inspection without notification because otherwise the purpose of the inspection would be jeopardised). The Customer’s right of inspection has the objective of verifying compliance with the obligations incumbent on a Processor in accordance with the GDPR and this Agreement. The Processor will actively participate in carrying out the inspection.

9.4. The Processor may require reasonable compensation for information and assistance, unless the inspection was required due to a breach of law or a breach of contract by the Processor. The Processor shall provide the Customer with cost information in advance.

10. Subprocessors

10.1. The Customer grants the Processor general permission to use other processors within the meaning of Art. 28 GDPR for the fulfilment of the Main Contract (hereinafter the “Subprocessors”).

10.2. The Subprocessors currently used are described in the Attachment “Approved Subprocessors” under the following link >>. The Customer agrees to their use.

10.3. The Processor shall inform the Customer if it intends to withdraw or replace Subprocessors. The Customer may object to such changes.

10.4. An objection to the intended change can only be raised against the Processor for an objective reason and within 14 days after receiving the information about the change. In the event of an objection, the Processor may choose either to provide the service without the intended change or, if performing the service without the intended change is not reasonable for the Processor, to discontinue the service affected by the change within a reasonable period (at least 14 days) after receiving the objection. The Customer’s payment obligation ceases when the Processor discontinues the service.

10.5. If the Processor commissions further processors, it is the Processor’s responsibility to impose its data protection obligations under this Agreement on the other processor. The Processor shall ensure, in particular through regular checks, that the other processors comply with the technical and organisational measures.

11. Liability and compensation

11.1. In the case of assertion of a claim for compensation by a data subject pursuant to Art. 82 GDPR, the Parties undertake to support each other and to contribute to the clarification of the underlying facts.

11.2. The liability regulation agreed between the Parties in the Main Contract for the provision of services shall also apply to claims arising from this Agreement and in the internal relationship between the Parties for claims of third parties under Art. 82 GDPR, unless expressly agreed otherwise.

12. Contract period, miscellaneous

12.1. The Agreement begins upon its conclusion by the Customer. It ends with the end of the last contract under the respective Customer number. If any data processing on behalf of the Customer still takes place after termination of this Agreement, the provisions of this Agreement shall continue to apply until the actual end of the processing.

12.2. The Customer acknowledges this Agreement as part of the Main Contract concerning the product(s) booked by it. In the event of any contradictions, the provisions of this Agreement shall prevail over the provisions of the Main Contract. Should individual parts of this Agreement be ineffective, this does not affect the validity of the remaining provisions.

12.3. The exclusive place of jurisdiction for all disputes arising from and in connection with this Agreement is the registered office of the Processor. This applies subject to any exclusive statutory place of jurisdiction. This Agreement is subject to the statutory provisions of French law.

12.4. If the data of the Customer is endangered by seizure or confiscation, by insolvency or composition proceedings, or by other events or measures of third parties, the Processor shall inform the Customer immediately. The Processor will inform all persons responsible in this connection without delay that sovereignty over and ownership of the data lie exclusively with the Customer as controller.


Version 7.1
Date: 06/2023