Supplementing Terms for Data Processing

Supplementing Terms for Commissioned Data Processing

(status: 11. October 2019)

  1. General remarks
    1. These terms apply to the agreement on the rights and duties of the Customer and TSI, insofar as personal data are gathered, processed or used within the scope of the service performance (pursuant to the GTC and the also applicable documents) by TSI on behalf of the Customer in the definition of Regulation (EU) 2016/679 (GDPR) and the BDSG [German Federal Data Protection Act].
  2. Customer’s responsibility and rights to give instructions
    1. The Customer, as the data controller responsible for the processing, is responsible for the assessment of the permissibility of the gathering, processing and use of personal data, as well as the protection of the rights of data subjects. The Customer shall ensure that the conditions prescribed by law or by authorities are met and that the requirements, such as the obtaining of consent declarations, are fulfilled. This also applies to requirements, for example for the organisation of the commissioned data processing, that arise from the circumstance that the Customer is subject to its local data protection law.
    2. Within its area of responsibility, the Customer shall exempt TSI from the rights of third parties brought against TSI. Rights of data subjects shall be asserted exclusively against the Customer pursuant to Sec. 62 (1) BDSG.
    3. Additional instructions from the Customer relating to the processing of personal data, which go beyond the contractually agreed Services and product parameters and which entail additional expense for TSI, shall be remunerated separately accordingly. TSI can terminate the contract in case of instructions the implementation of which is impossible for TSI or possible only at disproportionately high additional expense. Additional instructions require the written form.
  3. Scope, kind and purpose of the gathering, processing or use of data 
    1. The subject, duration, kind and purpose of the data processing taking place, as the case may be, are determined by the Customer through its product choice, the service specifications of which result from the GTC and, if any, the also applicable documents, and which are specified herein with regard to the requirements under data protection regulations.
    2. Types of data
       The subject of the gathering, processing and/or use of personal data can be the following data types/categories (enumeration/description of the data categories):
      • Name
      • Address
      • Contract master data (contractual relationship, interest in products or contracts)
      • Contract billing and payment data
      • Access data
      • Consumption data
      • Movement and activity data
      • Logins, workplaces, work periods
      • Log data
      • Log data capable of identifying persons or personal log data (user names, IP addresses, etc.)
      • Contact data (e.g. phone number, email address)
    3. Group of data subjects
       The group of data subjects whose data are used within the scope of this contract can cover the following categories of persons:
      • Customers
      • Contacts/business partners
      • Employee data
  4. Obligation for confidentiality of the persons authorised for the processing
    1. All persons who might access the Client’s data listed under point 3 in accordance with the contract must be obligated to observe data secrecy according to Art. 28 GDPR and Sec. 62 (5) sent. 2 BDSG [German Federal Data Protection Act], and be instructed about the special data protection obligations resulting from this contract and the applicable limitation of instructions and purpose.
  5. Ensuring the technical and organisational measures
    1. As the commissioned data processor, TSI assures a protection level in the processing of personal data that is appropriate to the risk, taking the relevant technical guidelines and recommendations of the Federal Office for Information Security into account.
    2. TSI shall take appropriate measures based on the current state of technology to fulfil the requirements for the security of data processing as defined in Sec. 64 (3) BDSG. The Contractor shall inform the Client on request about risk assessments and the measures taken.
    3. The Parties agree that the technical and organisational measures are subject to technical progress and further development. To this end, the Contractor is permitted to implement adequate alternative measures. The Contractor must inform the Client thereof on request and ensure that the security level of the defined measure is not undercut.
  6. Hiring of subcontractors
    1. The Client generally agrees to the Contractor subcontracting carefully selected external companies, in particular but not exclusively in the areas of hosting, maintenance and installation, telecommunications services, user service, development, cleaning staff, auditors, and disposal of data carriers.
    2. TSI shall observe the requirements of Sec. 62 BDSG when awarding subcontracts and arrange the contractual agreement with the subcontractor in such a way that it is consistent with the data protection requirement defined in this Agreement between the Contractor and the Client.
    3. In the Annex to the “Supplementing Terms for the Commissioned Data Processing”, which TSI publishes on its website, TSI informs about the respectively engaged subcontractors, which are entrusted with the processing of personal data or parts thereof. Intended engagements or replacements of further subcontractors will be published in a timely manner in the same place. The careful selection of hired subcontractors for the performance of the commissioned data processing on behalf of the Customer is solely up to TSI. The Customer’s right to prohibit the involvement of subcontractors pursuant to Sec. 62 (3) BDSG remains unaffected thereof. If the Customer exercises its right to object, TSI reserves the right to terminate the commissioned data processing contract.
    4. TSI engages further subcontractors for the problem-free operation of TSI’s technical and organisational infrastructure, which neither process the Customer’s personal data nor have access to them.
  7. Support for the data controller responsible for the processing in case of requests and claims brought by data subjects
    1. TSI, as the commissioned data processor, supports the Customer, as the data controller responsible for the processing, by suitable means so as to ensure that the provisions regarding the rights of data subjects are observed. Additional services and additional expense for TSI, going beyond the contractually agreed Services and Product parameters, shall be remunerated separately accordingly.
  8. Support for the data controller responsible for the processing regarding the reporting duty
    1. If the Contractor discovers that the Client’s data stored at its site, which are relevant for the contract, have been transmitted illegally or have otherwise been made known illegally to third parties, it shall immediately inform the Client thereof regardless of causation.
    2. This also applies in case of serious interruptions in operations (e.g. longer outage of a server system), or in case of a suspected other violation of regulations on the protection of personal data or other irregularities in the handling of the Customer’s relevant data.
    3. TSI shall support the Customer in compliance with Sec. 64 to Sec. 67 and Sec. 69 BDSG using the information available to TSI. Additional services and additional expense for TSI, going beyond the contractually agreed services and product parameters, shall be remunerated separately accordingly.
    4. The Client shall inform the Contractor if it discovers errors or irregularities in the check of the results of the work order.
  9. Return and deletion of the personal data after the end of the commissioned data processing
    1. After completion of the contractually agreed work or at an earlier point on the Client’s request – at the latest on termination of the service level agreement – the Contractor shall surrender to the Client all documents having come into its possession, any results of processing and use that have been created, and data stocks that are related to the contractual relationship and which might permit conclusion as to specific persons; or it shall destroy them upon prior agreement and in a manner compliant with data protection regulations. 
    2. No data carriers will be exchanged between the parties to this commissioned data processing. Therefore, no provisions regarding a return have to be defined herein.
  10. Audit rights of the data controller responsible for the data processing
    1. On request, TSI shall provide the Client with all required information, in particular the logs prepared according to Sec. 76 BDSG, to prove compliance with the obligations of the data controller responsible for the processing, to the appropriate extent and in an appropriate format. Additional Services and additional expense for TSI shall be remunerated separately accordingly.
    2. TSI shall facilitate audits that are carried out by the Customer or an auditor assigned by it.
  11. Duty to provide information regarding the data protection officer
    1. In order to comply with Sec. 70 (2) BDSG, the Client shall inform TSI of the names and contact details of each data controller responsible for the data processing (if different from the Client) and, if applicable, of the data protection officer or officers, and it shall notify of any changes promptly and without request. 
  12. Obligation of the commissioned data processor to notify when an instruction violates data protection
    1. If TSI believes that an instruction from the Client violates the provisions of the GDPR or other data protection regulations of the EU or the Member States, TSI shall inform the data controller immediately. 
  13. Miscellaneous provisions
    1. The invalidity of one of the provisions of this contract does not affect the validity of the remaining provisions. If a provision should prove to be invalid, TSI shall replace it by a new provision, which comes closest to what the Customer and TSI have intended.
Errors and omissions excepted. Only the latest German print version is legally binding.