Terms of use
copperdot (grow platform GmbH)
Status 08/2024
1. Scope, provider
1.1 These Terms of Use ("Terms of Use") shall apply to access to the online shop of grow platform GmbH, Grönerstraße 9, 71636 Ludwigsburg ("provider") and the ordering of products by registered customers ("customer"). Detailed information on the provider can be found in the corporate information.
1.2 Terms and conditions of the customer or third parties that deviate from or conflict with these Terms of Use shall not apply, even if the provider does not expressly object to such terms and conditions.
1.3 Individual agreements with the customer (including ancillary agreements, amendments, and changes) shall in any case take precedence over these Terms of Use.
2. Business customers
2.1 Provider operates the online shop for businesses only and does not accept consumers according to § 13 German Civil Code as customers.
2.2 The provider reserves the right to demand that the customer provides sufficient proof of its commercial status, e. g., by stating the customer's VAT identification number during the registration process or by providing other suitable proof. The data required for the proof shall be provided by the customer completely and correctly.
3. Registration, customer account
3.1 The customer may order products in the online shop after opening a customer account.
3.2 Registration of a customer account may require the use of an authentication service (e. g., Bosch ID, SingleKey ID, Apple ID, Google account). Separate terms and conditions may apply here, which the customer must accept during registration for the authentication service.
3.3 During the registration process, the customer is asked, if required, to provide personal information, e. g. name, address, contact persons and VAT ("registration data"). These registration data must be provided in full and correctly and the customer is obliged to always keep the registration data up to date. Registration of a legal entity may be carried out only by an authorized natural person, who must be named.
3.4 In order to complete the registration process and submit the registration data, the customer is required to agree to the application of these Terms of Use.
3.5 By providing the registration data, the customer submits an offer to the provider to enter into a customer agreement on the basis of these Terms of Use ("customer agreement"). Acceptance of the customer's offer by the provider is effected by means of activation of the customer account.
3.6 The provider reserves the right to verify the identity of the customer immediately after submission of the registration data or at a later point in time, for example by requiring a customer to click on an activation link sent to the customer's e-mail address or to enter a code sent to a mobile phone number of the customer. Until the customer has provided the required verification, the customer account remains blocked. If the registration is not completed, the Provider reserves the right to delete the incompletely registered customer account.
3.7 There shall be no entitlement to registration. The provider is entitled to not accept a registration without reason.
3.8 Each natural person is only permitted to register once with a customer account. Customer accounts are not transferable.
3.9 To the extent available, the customer shall be entitled to create multiple users under its customer account. Each user shall be provided with individual access credentials, which may be linked to an authentication service. The customer warrants that all users will comply with these Terms of Use as amended from time to time and that all users will act on behalf of the customer and in accordance with applicable laws. Upon establishment of a user, all actions of the user will be attributed to the customer. In addition to the customer, provider is also entitled to create a separate technical support user and e. g. use this user to create or modify RfQs within the customer’s account based on customer wishes.
3.10 The customer is obliged to handle his/her login data with care, not to disclose them to third parties and/or not to allow third parties to access the customer account by circumventing the login data. The customer is liable for all activities that take place using his/her customer account and for which the customer is responsible. The customer shall immediately change his/her password for his/her customer account if he/she has reason to believe that the login data may have become known to unauthorized persons.
3.11 As an alternative to the registration described in this Section 3, the provider may also create a customer account to optimize provider’s services and enhance customer experience. In this case, such a customer account is activated by the customer by setting a password upon request from provider. Also in such a case, provider is entitled to create a separate technical support user and e. g. use this user to create or modify RfQs within the customer’s account based on customer wishes.
4. Ordering of products
4.1 Customer can order products in the online shop. This may require customer to provide further data, e. g., credit card information, company name, VAT number, to set up a billing profile. The ordering of products is subject to general terms and conditions of sale and delivery of grow platform GmbH ("delivery conditions"), provided during the checkout process or individual contract agreements in case in place.
4.2 As part of the ordering process, the customer shall be informed of the essential features of the product, the prices, the terms of payment and delivery, terms, periods of notice and other details provided in individual offers ("product information").
4.3 A presentation of a product within the online shop shall not constitute a binding offer by the provider, but merely an invitation to make orderings (invitatio ad offerendum). The contractual relationship for a product comes into effect as soon as provider accepts customer's offer. The acceptance can be made explicitly, e. g., by a contract confirmation by e-mail, or by implication, e. g., by delivering the product.
4.4 The following general obligations in electronic commerce do not apply to the ordering of products:
a) The provision of adequate, effective and accessible technical means by which the customer can identify and correct input errors before placing his order,
b) the clear and comprehensible communication of the information specified in Article 246c of the Introductory Act to the German Civil Code (Einführungsgesetz zum Bürgerlichen Gesetzbuch) in good time before placing an order, and
c) the immediate confirmation of receipt of the customer's order by electronic means.
4.5 The text of the agreement (consisting of the product information, the delivery conditions and, if applicable, product description) shall be sent to the customer on a permanent data carrier (e. g., offer documents or e-mail).
4.6 The customer authorizes the provider to use customer data (such as specifications, which the customer hands over to the provider to get offers) to further train artificial intelligence models which are capable of automatically creating RFQ drafts by using customer data. Such artificial intelligence models are developed and owned by a third-party provider (which will on request of customer be disclosed to it), but exclusively dedicated to and used only by provider. The customer also authorizes the provider to use customer data to further train provider's own machine learning models to create price calculations and suggestions. The customer is aware that it might be technically extremely complex, but not entirely impossible, to draw conclusions about individual customer data from such improved models. In this respect, the customer waives all rights to the model and vis-à-vis the provider ensures that other holders of rights to the data do the same.
5. Shop content, prohibited activities
5.1 All rights in the provider's online shop and its content ("shop content") are owned exclusively by the provider or its licensors and are protected by copyright or other intellectual property rights. The compilation of the shop content is also protected as such by copyright.
5.2 The shop content may only be accessed and displayed online for the customer's own purposes during the term of the customer agreement. The customer is prohibited from copying, distributing and/or publishing shop content.
5.3 Also prohibited is any action that is likely to impair the operation of the shop and the technical infrastructure behind it. This includes in particular
a) the implementation of viruses, worms, malware, trojans or harmful properties,
b) the use of software, scripts, bots or databases in connection with the use of the shop,
c) the automatic reading, blocking, overwriting, modification, copying of data and/or other content,
d) activity to decrypt, decompile, disassemble, reconstruct, or otherwise attempt to discover the source code, any software or proprietary algorithms used, except as permitted by mandatory non-waivable provisions.
e) For each case of culpable violation of this section 5.3 by customer, its employees, consultants, subcontractors or other third parties engaged by it, provider shall be entitled to a payment by customer of an appropriate contractual penalty, the amount of which shall be determined by provider at its sole discretion, and the appropriateness of which may be subject to review by the competent court. Payment of the penalty shall be without prejudice to any further claim for damages. Any contractual penalty paid shall be set off against any claims for damages, the contractual penalty constituting the minimum damage.
6. Suspension
6.1 The provider may suspend the customer's access to the online shop if the provider determines that
a) the use of the online shop (i) poses a security risk to the online shop and/or a third party; (ii) adversely affects the online shop or other customer's systems or content; (iii) violates applicable law or third-party rights; (iv) could subject provider, its affiliates or third parties to liability for damages; or (v) is fraudulent,
b) the customer violates these Terms of Use,
c) the customer is in default of its payment obligations for more than 30 days.
6.2 The provider shall inform the customer of the suspension by sending a notification to the e-mail address associated with the customer account prior to the suspension, unless the provider has to act immediately due to urgency and is therefore unable to send a prior notification to the customer.
6.3 The suspension shall be revoked as soon as the customer has resolved the problem that led to the suspension.
6.4 Provider's right to suspend customer's access to the online shop is in addition to provider's right to terminate these Terms of Use pursuant to section 10 and to exercise any other remedies available to provider under applicable law.
7. Delivery conditions, availability of products
7.1 Provider delivers the products pursuant to the agreements made with customer during the ordering process.
7.2 If no or no deviating delivery time is specified for the respective product in the online shop, it shall be 120 business days. The delivery period shall be calculated in the case of payment in advance on the banking day after the payment order is issued to the remitting bank or, in the case of other payment methods, on the day after the conclusion of the contract and shall end with the expiry of the last day of the period.
7.3 If no items of the product selected by the customer are available or are only temporarily unavailable at the time of the customer's order, provider shall inform the customer of this immediately. If the product is permanently not available, provider shall refrain from an order confirmation. In this case, a contract is not concluded. Provider shall inform the customer thereof without undue delay and, if applicable, reimburse without undue delay any consideration already received.
7.4 Delivery of the products is limited to the Federal Republic of Austria, Belgium, China, Croatia, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hong Kong, Hungary, India, Israel, Italy, Japan, Latvia, Liechtenstein, Lithuania, Luxembourg, Malaysia, Malta, Mexico, Netherlands, New Zealand, Poland, Portugal, Romania, Singapore, Slovakia, Slovenia, South Africa, Spain, Sweden, Switzerland, Taiwan, Thailand, Turkey, United Kingdom and USA. If your desired delivery location is not listed, please contact us.
8. Fees
8.1 Access to the online Shop is free of charge. Additional functionalities and services within the Shop can be booked separately based on individual contracts.
8.2 With regard to the products, the prices at the time of ordering shall apply.
9. Payment, invoice
9.1 Payment shall be made (i) by bank transfer or (ii) via a payment service provider pursuant to the agreements made with customer during the ordering process.
9.2 Detailed information on payment methods, payment dates and any additional costs incurred can be found and in individual offers.
10. Term, termination
10.1 In case not otherwise individually agreed, the following term and termination conditions apply.
10.2 The customer agreement is concluded for an indefinite period. It begins with the date of registration and ends with the effectiveness of a termination by the provider or the customer.
10.3 The provider may terminate the customer agreement at any time with a period of notice of one month to the end of the month. The customer may terminate the customer agreement at any time. The right to terminate for good cause remains unaffected for both parties.
10.4 Unless the possibility of terminating the customer agreement by means of a delete function in the customer account (e. g., in the settings of the customer account) is provided, a termination shall be made in text form (letter, e-mail).
10.5 Consequences of termination
a) In the event of termination of the customer agreement, the customer account shall be blocked as of the termination date and the customer shall no longer have access to his customer account.
b) In the event of termination of the customer agreement, the provider shall be entitled to irretrievably delete the data created in connection with the customer account upon expiry of any statutory retention periods 30 calendar days after the termination takes effect. For personal data, the regulations on data protection shall apply with priority, which may also provide for a shorter period for deletion.
c) The customer is obliged to export and save his data on his own responsibility in due time before termination of the customer agreement or expiry of the aforementioned period.
11. Warranty
11.1 The provider shall endeavor to ensure that the use of the online shop is as uninterrupted as possible within the scope of its technical and operational abilities, but there shall be no entitlement to uninterrupted use. It is not warranted that access to or use of the online shop will not be interrupted or impaired by maintenance work, further developments or otherwise by disruptions.
11.2 The provider shall not assume any warranty for material defects and defects of title for the online shop, except in cases where the Provider has fraudulently concealed the respective material defect or defect of title.
12. Liability
When using the online shop, provider shall be liable in accordance with the statutory provisions only in the event of intent or gross negligence.
13. Data protection
13.1 All information on the processing of personal data can be found in the provider's data protection notice. It is available at "data protection notice".
13.2 Where provider processes personal data on behalf of customer such processing constitutes commissioned data processing according to Article 28 of the EU General Data Protection Regulation. In relation to such processing, Providers’ Data Processing under Commission GDPR (attached Annex 1) applies.
14. Confidentiality
14.1 "Confidential Information" shall mean all information and documents of the other party which are marked as confidential or which are to be regarded as confidential according to the circumstances, in particular information on operational processes, business relationships and know-how.
14.2 In case no prior ranking individual NDA between parties has been signed that covers the purchasing under these terms, the parties agree not to disclose confidential information, unless otherwise expressly stated in these Terms of Use. This obligation continues for a period of 5 years after termination of the customer agreement. For trade secrets within the meaning of Directive (EU) 2016/943 the confidentiality obligation remains unaffected also for the period after 5 years as long as the respective information does qualify as trade secret.
14.3 The parties shall only grant access to confidential information to those bodies or employees or bodies or employees of affiliated companies within the meaning of Sections 15 and following German Stock Corporation Act (Aktiengesetz) who have previously been subject to confidentiality obligations corresponding to the confidentiality obligations of these Terms of Use. A transfer to other third parties is only permitted if they are bound to secrecy by professional secrecy. Furthermore, the parties will only disclose the Confidential Information to those employees and other third parties who need to know in order to comply with these Terms of Use and - as far as employees are concerned - will oblige such employees to maintain confidentiality to the extent permitted by employment law even after they have left the company.
14.4 Excluded from the foregoing obligations of confidentiality is such confidential information
a) which was demonstrably already known to recipient at the time of the conclusion of these Terms of Use without breach of any contractual or statutory duty of confidentiality, or becomes lawfully known to recipient thereafter from a third party without being subject to any duty of confidentiality,
b) which is publicly known at the time of conclusion of the customer agreement or is made publicly known thereafter, unless this is based on a breach of the customer agreement,
c) which has been developed by a party independently of any Confidential Information obtained under these Terms of Use,
d) which must be disclosed due to legal obligations or by order of a court or authority or is disclosed for reasons of legal defense. To the extent permitted and possible, the recipient subject to the disclosure obligation will give prior notice to the other party,
e) which is disclosed by one party with the prior written consent of the other party.
14.5 Publications relating to the subject matter of the Terms of Use are only permitted with the consent of both parties. For publications concerning the provider, the regulations at: https://brandguide.bosch.com/document/78/en#/the-brand-management/brand-positioning must be observed.
14.6 Customer agrees not to carry out any observation, examination, dismantling or reverse engineering of the online shop without the prior consent of provider, unless the online shop is publicly available. Customer is not entitled to disassemble, decompile or translate received Software into any other code form, without prejudice to the customer's mandatory copyright rights under Articles 5 and 6 of EU Directive 2009/24/EC (exceptions to acts requiring consent and decompilation).
15. Export control and customs
15.1 In case not otherwise individually agreed, the following export control and customs conditions apply.
15.2 Each party is entitled to refuse to perform its obligations under these Terms of Use insofar as the performance is prohibited or impaired by foreign trade law (including, without limitation, national and international (re-)export control and customs regulations, including embargos and other sanctions) which is – in accordance with this law – applicable to these Terms of Use ("Foreign Trade Law"). In such cases, either party is entitled to terminate these Terms of Use to the extent necessary. If a partial performance is excluded for technical or legal reasons or if a party has no interest in a partial performance, the termination shall lead to the termination of the entire contract.
15.3 If the fulfilment of the contract is delayed due to approval, authorization or similar requirements under Foreign Trade Law (hereinafter collectively referred to as "Authorization"), agreed delivery periods and delivery dates shall be extended/postponed accordingly and neither party shall have any liability for non-compliance related to such delay. Should an authorization be refused or not be granted within three (3) months from the date of application, either party shall be entitled to terminate these Terms of Use, in any case to the extent that the fulfilment of the contract requires the authorization. If a partial performance is excluded for technical or legal reasons or if a party has no interest in a partial performance, the termination shall lead to the termination of the entire contract.
15.4 Each party shall notify the other party within a reasonable time period upon becoming aware of a Foreign Trade Law, which may prohibit or impair performance to Section 15.1 or delay in performance according to Section 15.2.
15.5 Upon provider’s request, customer must provide any information and documents necessary to comply with Foreign Trade Law or requested by authorities in relation to Foreign Trade Law. Such information and documents including, without limitation, information on end customers/users, the destination and the intended end-use of the online shop and/or products. Provider, in its sole discretion, shall be entitled to withdraw from any contracts or to refuse the performance under these Terms of Use if the customer does not provide the provider with such information and documents within a reasonable period of time.
15.6 In the event that customer provides the online shop to any third party (specifically including any affiliate of the customer), the customer shall comply with applicable Foreign Trade Law. Provider is entitled to refuse to perform its obligations under these Terms of Use and to terminate the license terms and conditions for cause if customer breaches this obligation.
15.7 To the extent permitted by applicable law, provider takes no liability for any claims of the customer for damages related to or arising from provider’s refusal to perform obligations under these Terms of Use or termination of the customer agreement in accordance with Sections 15.1, 15.2, 15.4 and 15.5.
15.8 Any customs-cross-border provision of digital products (incl. related know-how, technology, or data) shall be made exclusively in electronic form.
15.9 Insofar as the customer purchases products from us that fall under the scope of Article 12g of Regulation (EU) No. 833/2014 or Article 8g of Regulation (EC) No. 765/2006 as amended, the following shall apply:
i. The customer shall not sell, export or re-export, directly or indirectly, to the Russian Federation or Belarus or for use in the Russian Federation or Belarus any goods or technology supplied under or in connection with this contract that fall under the scope of Article 12g of Council Regulation (EU) No 833/2014 or Article 8g of Regulation (EU) No. 765/2006, as amended from time to time.
ii. The customer shall undertake its best efforts to ensure that the purpose of clause 15.9.i is not frustrated by any third parties further down the commercial chain, including by possible resellers.
iii. The customer shall set up and maintain an adequate monitoring mechanism to detect conduct by any third parties further down the commercial chain, including by possible resellers, that would frustrate the purpose of clause 15.9.i.
iv. If the customer breaches clause 15.9.i, 15.9.ii or 15.9.iii, at least negligently, this shall entitle us to immediately cease further deliveries to the customer and to terminate this contract and any contracts concluded under this contract at any time, insofar as these have not yet been fully performed. In this case, a previous warning letter to be issued before the termination notice shall not be required. The statutory right of both parties to terminate this contract for cause shall not be affected by this.
v. The customer shall immediately inform us about any problems in applying clauses 15.9.i, 15.9.ii or 15.9.iii, including any relevant activities by third parties that could frustrate the purpose of clause 15.9.i. The customer shall make available to us information concerning compliance with the obligations under clauses 15.9.i, 15.9.ii or 15.9.iii within two weeks of the simple request of such information.
16. Changes to the online shop
The provider reserves the right to change, amend or discontinue the online shop at any time. The customer shall have no claim to the retention of the online store. Provider will endeavor in each case to consider the legitimate interests of the customer.
17. Change of the Terms of Use
17.1 The provider is entitled to change or supplement these Terms of Use at any time with effect for the future if this is necessary due to legal changes or due to functional or technical developments of the online shop.
17.2 The customer shall be notified of a change or addition at least 30 days before it takes effect on a permanent data carrier (e. g., by e-mail or paper printout). If the customer does not object to the change or amendment within 30 days of the announcement of the change or amendment, this shall be deemed to be consent to the change or amendment ("deemed consent"); the provider shall make separate reference to this in the announcement. The deemed consent does not apply to a change that affects a main service of the customer agreement if this would result in an unfavorable disproportion between service and consideration to the detriment of the customer. In the event of an objection, the customer agreement shall be continued under the previous conditions.
17.3 Editorial changes to these Terms of Use, i.e., changes that do not affect the customer agreement, such as the correction of typing errors, shall be made without notifying the customer.
18. Applicable law, place of jurisdiction
18.1 The law of the Federal Republic of Germany shall apply to the exclusion of the United Nations Convention on Contracts for the International Sale of Goods.
18.2 The exclusive place of jurisdiction for all legal disputes arising from or in connection with these Terms of Use shall be Stuttgart, Germany.
19. Final provisions
19.1 Operational disruptions caused by unavoidable events (i) beyond provider's control, (ii) which could not be averted with reasonable effort, and (iii) which could not have been foreseen even when exercising extreme care, and (iv) which make provider's obligations under these Terms of Use considerably more difficult or completely or partially impossible, such as strikes, lockouts, exceptional weather conditions, operational or traffic disruptions and transport obstructions ("force majeure"), discharge provider from its obligations under these Terms of Use for the duration of such an event plus a reasonable restart period.
19.2 Legally relevant declarations and notifications to be made to the provider after the conclusion of the contract (e. g., setting of deadlines) shall be made in text form (letter, e-mail) to be effective.
19.3 Should any provision of these Terms of Use be or become invalid or unenforceable, this shall not affect the remaining provisions.
Annex 1
Agreement
Data Processing under Commission GDPR
between
customer
– hereinafter referred to as “Data Controller” –
and
provider
– hereinafter referred to as “Data Processor” –
Preamble
The present Agreement specifies the obligations of the parties on data protection according to the order detailed in the Terms of Use (referred to hereinafter as "Contract"). It is applicable to all activities connected to the Contract and in which employees of the Data Processor or sub-processors of the Data Processor may process personal data ("data") of the Data Controller.
1. Subject matter, duration and specification of contract data processing
1.1 The subject matter of contract data processing under commission is described in the Contract. Substantially, the Data Processor's tasks comprise the following:
Wish to exchange information regarding potential and following potentially performed delivery of electronic components or printed circuit boards based on customer requirements manufactured by third party
1.2 The type and purpose of contract data processing under commission are described in the Contract and specifically comprise:
User management, identification and access control within the customer tenant
1.3 The processing comprises the categories of data specified below:
Personal details: gender, department, first name, last name, e-mail address
1.4 The following categories of individuals are affected by the processing:
- Customer and clients
- Suppliers
1.5 Any services in connection with data processing under commission under this Agreement shall be rendered exclusively in a member state of the European Union or in another contracting state of the Agreement on the European Economic Area. Any relocation to a third country requires the Data Controller's prior agreement and is permitted only if the special requirements of Art. 44 et seqq. GDPR have been satisfied. An adequate level of protection in the third country:
has been established by an adequacy decision by the Commission (Art. 45 (3) GDPR);
is ensured by binding corporate rules (Art. 46 (2) lit. b) in conjunction with Art. 47 GDPR);
is ensured by standard data protection clauses (Art. 46 (2) lit. c) and d) GDPR).
1.6 The Data Processor processes personal data at the instruction of the Data Controller. This comprises activities as described in detail in the Contract and in the performance specification. With regard to data processing under commission, the Data Controller is responsible for compliance with the statutory regulations on data protection and especially for the legitimacy of data processing.
1.7 At first, the instructions will be set forth within the Contract and may subsequently be amended, supplemented or replaced by the Data Controller in writing or in text form (single instruction) to the indicated persons of the Data Processor. Single instructions going beyond the services agreed in the contract, will be treated as a change request, and the Data Processor is entitled to request adequate financial compensation.
1.8 Any oral instructions shall be confirmed by the Data Controller without delay, at least in text form.
1.9 The Data Processor shall inform the Data Controller without delay if it is of the opinion that an instruction violates data protection rules. The Data Processor is entitled to suspend compliance with the instruction in question until it is either confirmed or changed by the Data Controller.
2. Obligations of the Data Processor
2.1 The Data Processor may process personal data of data subjects only within the scope of the assignment and the documented instructions of the Data Controller. In the event that the Data Processor is obliged to process data differently as a result of national or European law, it shall point out the circumstance to the Data Controller before processing begins unless that law prohibits such information on important grounds of public interest.
2.2 The Data Processor shall set up the internal organisation of his area of responsibility in such a manner that it meets the specific requirements of data protection. The Data Processor shall take the technical and organisational measures described in Appendix 1 so as to ensure an adequate protection of the Data Controller's personal data. The purpose of these measures is to ensure long-term confidentiality, integrity, availability and resilience of the systems and services in connection with the processing of personal data under commission. The Data Controller is informed of these technical and organisational measures. It is the Data Controller's responsibility to ensure that these measures provide an adequate level of protection regarding the risks of personal data processing.
2.3 The Data Processor reserves the right to change the technical and organisational measures taken, but must guarantee that the level of protection agreed in the contract is not reduced.
2.4 To the best of his ability and within the scope of the services or under the contract, the Data Processor shall assist the Data Controller in dealing with requests and claims of data subjects according to chapter III of the GDPR and in respecting its obligations specified in Articles 32 to 36 GDPR. For these services, the Data Processor is entitled to adequate financial compensation.
2.5 The Data Processor warrants that its employees involved in the processing of the Data Controller's personal data and other individuals working for the Data Processor are prohibited from processing such personal data outside the scope of the Data Controller's instructions. The Data Processor further ensures that the individuals authorised to process personal data have signed an agreement of confidentiality or are subject to an adequate confidentiality clause. This obligation of confidentiality and secrecy shall remain in effect even beyond completion of an assignment.
2.6 The Data Processor shall inform the Data Controller without delay as soon as it becomes aware of any violation of the protection of the Data Controller's personal data. The Data Processor shall take the necessary measures to safeguard personal data and to alleviate possible disadvantageous consequences for the data subject and shall consult with the Data Controller in that respect without delay.
2.7 The Data Processor is obliged to appoint a competent and reliable Data Protection Officer according to Art. 37 GDPR to the extent and as long as the statutory prerequisites for such an obligatory appointment are in force. The Data Controller shall be informed of the contact data of this individual for the purpose of making direct contact. Any change of Data Protection Officer shall be communicated to the Data Controller without delay.
Data Protection Officer of the Data Processor:
Data Protection Officer
Information Security and Privacy (C/ISP)
Robert Bosch GmbH
Postfach 30 02 20
70442 Stuttgart
GERMANY
or
The Data Processor shall ensure that its obligations according to Art. 32 (1) lit. d) GDPR are complied with and put in place a process for regular examination of the effectiveness of the technical and organisational measures to ensure the safety of processing.
2.8 The Data Processor shall correct or erase personal data if instructed accordingly by the Data Controller and if this is a part of the scope of instructions. If appropriate erasure or a restriction of data processing is not possible, the Data Processor shall destroy any data carriers and other materials in accordance with the regulations of data protection on the basis of a single instruction by the Data Controller unless this has already been agreed in the contract.
2.9 The personal data shall be erased at the date of completion of the respective Contract. It is up to the Data Controller to prepare backup copies of its personal data and to move such personal data before the end of the contract. The Data Processor is not obliged to hand over personal data to which the Data Controller has direct access.
2.10 The Data Processor undertakes to maintain a record of data processing activities according to Art. 30 (2) GDPR.
3. Obligations of the Data Controller
3.1 It is the Data Controller's responsibility to provide the Data Processor with the personal data in due time so as to enable the latter to provide the services according to the Contract. The Data Controller is responsible for the quality of the personal data. The Data Controller shall inform the Data Processor immediately and completely in the event that it should identify any errors or irregularities with regard to data protection rules or in the performance of the Data Processor when checking the work results.
3.2 In the event that claims should be made by a data subject in connection with Art. 82 GDPR, the Data Controller and the Data Processor undertake to assist each other in the defence against such claims.
Enquiries from data subjects
If a data subject contacts the Data Processor demanding correction, erasure, restriction of processing or information about the personal data, the Data Processor shall refer the data subject to the Data Controller if allocation to the Data Controller is possible on the basis of the information provided by the data subject.
4. Ways of verification
4.1 If so requested, the Data Processor shall submit suitable proof to the Data Controller that the obligations set forth in Art. 28 GDPR and in the present Agreement are complied with. For the purpose of proving compliance with the agreed obligations, the Data Processor may provide the Data Controller with certificates and third-party test results (e.g. according to Art. 42 GDPR or ISO 27001) or with test reports from the internal Data Protection Officer or any individual to whom this task has been assigned by the Data Protection Officer.
4.2 In the event that spot checks by the Data Controller or an auditor appointed by the Data Controller should turn out to be necessary in individual cases, these shall be conducted during regular business hours from Monday to Friday between 8 a.m. and 5 p.m. without disruption of operations and after an adequate notification period of at least 4 days. The Data Processor is entitled to make approval of such checks dependent on signing an adequate declaration of secrecy by the Data Controller or the auditor assigned by the Data Controller. If the auditor appointed by the Data Controller should be a competitor of the Data Processor, the Data Processor is entitled to object. Such objection shall be declared to the Data Controller in text form.
4.3 In the event that an audit should be carried out by the data protection supervisory agency or another state authority, chapter 6.2 shall apply accordingly. Signing a confidentiality obligation is not required if the supervisory authority is subject to professional or statutory confidentiality any breach of which shall be penalised in accordance with the German Criminal Code.
4.4 The Data Processor is entitled to request adequate compensation for carrying out such an audit as per chapter 6.2 or 6.3, unless the reason for such an audit is the strong suspicion that a data protection breach has taken place within the scope of responsibility of the Data Processor. In such a case, details of the suspicion must be submitted by the Data Controller together with the notification of the examination.
5. Sub-Processors (additional contract data processors)
5.1 Before involving subprocessors, the Data Processor shall obtain the Data Controller's consent in advance; such consent shall not be withheld without important reason.
5.2 Upon written request of the Data Controller, the Data Processor shall provide information regarding the data protection obligations of its subprocessors at any time.
5.3 The provisions of this chapter 7 shall also apply if a subprocessor in a third country is involved - observing the principles of Chapter 5 of the GDPR. The Data Processor agrees to cooperate to the required extent in meeting the prerequisites as set in Chapter 5 of the GDPR.
6. Liability
6.1 The limitations of liability under statutory law and the Contract are applicable.
6.2 The Data Controller shall indemnify the Data Processor against any claims lodged by third parties against the Data Processor as a result of the processing of personal data according to the instructions of the Data Controller unless the claim of such third party is based on processing the personal data by the Data Processor in violation of instructions.
7. Obligations of information, written form clause, choice of law
7.1 In the event that the Data Controller's personal data processed by the Data Processor should be placed at risk as a result of seizure or confiscation, insolvency or settlement proceedings or by other events or measures of a third party, the Data Processor shall inform the Data Controller without delay. In this connection, the Data Processor shall inform all third parties without delay that the control and ownership of the personal data exclusively lies with the Data Controller as "controller", as defined in the GDPR.
7.2 Any amendments and additions to the present Agreement and its constituent elements – including any assurances granted by the Data Processor – shall be made in the form of a written agreement which may also be in electronic form and include an explicit reference that it is an amendment or addition to this Agreement. This shall also apply to the waiver of the requirements of this format.
7.3 In the event of contradictions, the regulations in this data protection Agreement shall take precedence over the regulations of the Contract. If individual regulations of the present Agreement should become invalid, the validity of the agreement as such shall not be affected.
7.4 This Agreement shall be governed by German law.
Appendix 1: Technical and organizational measures/security concept
1. Measures to ensure confidentiality (Art. 32 para. 1 lit. b of the GDPR)
- Physical access control
No unauthorized access to data processing systems
- Logical access control
No unauthorized system use, e.g.: (secure) passwords, automatic locking mechanisms, two-factor authentication, data encryption
- Data access control
No unauthorized reading, copying, changing or removing within the system, e.g.: authorization concepts and user-specific access rights, logging of access
- Separation control
Separate processing of data collected for various purposes, e. g. multi-client capability, sandboxing
2. Measures to ensure integrity (Art. 32 para. 1 lit. b of the GDPR)
- Transfer control
No unauthorized reading, copying, changing or removing during electronic transmission or transport, e. g.: encryption, Virtual Private Networks (VPN)
3. Measures to ensure availability and resilience (Art. 32 para. 1 lit. b of the GDPR), e. g.
- Availability control
Protection against accidental damage or destruction or loss, e. g.: backup strategy, firewall
- Order control
No data processing under commission according to Art. 28 of the GDPR without corresponding instructions from the Data Controller, e. g.: explicit contract design, formalized order management, stringent selection of the service provider, obligation to convince in advance, follow-up inspections
- Resilience
Systems and services (e. g. storage, access, line capacities, etc.) are designed in a way that even intermittent high stresses or high constant loads of processing can be ensured
4. Measures for the encryption of personal data, e. g.
- Symmetrical encryption
- Asymmetrical encryption
- Hashing
5. Measures to quickly restore the availability of personal data to them after a physical or technical incident, e. g.
- Back-up concept
6. Procedures for periodical review, assessment and evaluation (Art. 32 para. 1 lit. d of the GDPR; Art. 25 para. 1 of the GDPR), e. g.
- Privacy management
- Incident response management
- Data protection by default (Art. 25 para. 2 of the GDPR)
- Assessment by DSO, IT audits
- External assessment, audits