Contract for order processing in accordance with Art. 28 GDPR


The contracting parties have entered into an order processing relationship with the service agreement. In order to specify the resulting rights and obligations in accordance with the provisions of the European General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data, on the free movement of such data and repealing Directive 95/46/EC – GDPR), and the Federal Data Protection Act (BDSG), the contracting parties conclude the following agreement.


between customer

Musterfrau GmbH

represented by Maike Musterfrau (responsible)

Hauptstraße 1, 12345 Musterstadt

– Responsible – hereinafter referred to as Client –


C.W.G. Whistleblowing GmbH

represented by the managing director: Johannes Jakob

Georgenstrasse 27, 82054 Sauerlach, Germany

– Processor – hereinafter referred to as contractor

– Client and Contractor – hereinafter collectively – referred to as contracting parties


Scope of application

The agreement applies to the collection, processing and deletion (hereinafter: processing) of all personal data (hereinafter: data) that are the subject of the service agreement or arise in the context of its implementation or become known to the contractor. Data from the contractor's employees do not fall within the scope of application insofar as they exclusively relate to the employment relationship with the contractor.


Specification of the order content

Subject and duration of the intended processing
The subject and duration of the order processing are determined by the service agreement. In principle, the Contractor offers services via The subject of the order is therefore generally data processing within the framework of the whistleblower platform.
The duration of this order corresponds to the duration of the service agreement.

Type and purpose of the intended processing of data

The following descriptions of the nature and purpose of the Contractor's tasks are the subject of the contract:
  • Providing an application for managing information on various topics.
  • Maintenance of the application with regard to adaptation to new and/or changed legal provisions, if necessary extension of the range of functions, adaptation and updating of the application stack with regard to security.
  • Support and service in the operation and configuration of the application.

The contractually agreed data processing takes place exclusively in a member state of the European Union or in another state party to the Agreement on the European Economic Area.

Any relocation to a third country requires the prior consent of the Client and may only take place if the special requirements of Art. 44 et seq. GDPR are met.

Type of data

The subject of the processing of personal data are the following types/categories of data (enumeration/description of the data categories):

  • Personnel master data: first name, last name, e-mail, telephone number, rights
  • Comments and attachments created by an editor
  • Contact details whistleblower: name, e-mail, telephone number
  • Comments and attachments created by a whistleblower
  • Contract billing and payment data
  • Contract master data
Categories of data subjects

The categories of data subjects affected by the processing include:

  • Employees
  • Contact persons
  • Whistleblowers

Technical and organizational measures

The Contracting Parties agree on the specific technical and organisational security measures set out in the Annex "Technical and Organisational Measures" ("TOM") to this Agreement. The Annex is subject of this Agreement (Annex 1).
The Contractor must establish security in accordance with Art. 28 para. 3 lit. c, 32 GDPR, in particular in conjunction with Art. 5 para. 1, para. 2 GDPR. Overall, the measures to be taken are data security measures and to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the different probability of occurrence and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR must be taken into account.

These measures are documented, controlled and audited together with the information security guidelines within the framework of ISO 27001.

This documentation, control and audit includes:

The Contractor will provide the Client with all necessary information that is required to prove compliance with the legal requirements set out in this Agreement. In particular, he will enable checks/inspections carried out by the Client or another auditor commissioned by the Client and support their implementation. Proof of the implementation of such measures, which not only concern the specific order, can also be provided by submitting an up-to-date attestation, reports by sufficiently qualified and independent bodies (e.B. auditors, independent data protection auditors), by complying with approved rules of conduct in accordance with Art. 40 GDPR, certification in accordance with Art. 42 GDPR or a suitable certification by IT security or data protection audit (e.B. according to BSI basic protection) can be provided. The Contractor undertakes to inform the Client immediately of the exclusion of approved rules of conduct in accordance with Article 41 (4) GDPR, the revocation of a certification in accordance with Article 42 (7) GDPR and any other form of cancellation or substantial modification of the aforementioned evidence.

The Client can satisfy himself at any time for inspection purposes in the contractor's premises during normal business hours without disturbing the course of operations of the appropriateness of the measures to comply with the legal requirements or the technical and organizational requirements required for the execution of this contract.

In addition, the Contractor shall provide the Client with all the necessary information that he needs for the above-mentioned audits as well as for an assessment of the consequences of the intended processing operations for the protection of the data (data protection impact assessment i.S.d. Art. 35 GDPR).

In consultation with the Client, the Contractor must take all necessary measures to secure the data or the security of the processing, in particular also taking into account the state of the art, as well as to reduce possible adverse consequences for data subjects.

The technical and organizational measures are subject to technical progress and further development. In this respect, the Contractor is permitted to implement alternative adequate measures. The safety level of the defined measures must not be undercut. Significant changes are documented.

Correction, restriction and deletion of data

Provided data carriers and data records remain the property of the client.
The Contractor does not edit or delete the data processed in the order on his own authority, but only according to documented instructions of the client.
Insofar as a data subject contacts the Contractor directly in this regard, the Contractor shall immediately forward this request to the Client.
After completion of the contractually agreed services or earlier at the request of the Client, but at the latest with the termination of the service agreement, the complete data will be deleted from the system after 6 weeks in accordance with data protection regulations. However, this data remains in the data backups (technically necessary backups). These backups will be completely deleted after another 3 years. Access to backups is limited to system administrators and takes place only on the instructions of the Client.
As an alternative to the instruction of deletion, the Client may also receive all documents in the possession of the Contractor, created processing and usage results as well as data stocks (as well as copies or reproductions made thereof), which are in connection with the contractual relationship, for the relief of the contractor. The same applies to test and scrap material. A deletion protocol must be submitted to the Client on request.
The Contractor may also retain documentation that serves as proof of order and proper data processing beyond the end of the contract in accordance with the respective retention periods until the end of the contract. For these stored data, the above-mentioned obligations for deletion and delivery on the instructions of the Client apply after the end of the retention period.

Data protection control and other obligations of the Contractor

In addition to compliance with the provisions of this order, the Contractor has legal obligations in accordance with Articles 28 to 33 GDPR; in this respect, he guarantees in particular compliance with the following requirements:

A data protection officer has been appointed in writing to carry out his duties in accordance with Articles 38 and 39 GDPR. He can be reached by e-mail via . The current contact details are easily accessible on the Contractor's homepage

The preservation of confidentiality in accordance with Art. 28 para. 3 sentence 2 lit.b, 29, 32 para. 4 GDPR.

In carrying out the work, the Contractor will only use employees who are committed to confidentiality and have previously been familiarised with the data protection provisions relevant to them. The Contractor and any person subordinate to the Contractor who has access to personal data may only process such data in accordance with the Instructions of the Client, including the powers granted in this Contract, unless they are legally obliged to process it.

The implementation and compliance with all technical and organizational measures required for this order in accordance with Art. 28 para. 3 sentence 2 lit.c, 32 GDPR is documented accordingly, see Annex 1.
Upon request, the Client and the Contractor shall cooperate with the supervisory authority in the performance of their duties.
In addition to the statutory data protection supervision existing for him, the Contractor submits to the control of the existing data protection supervision for the Client (here: the Federal Commissioner for Data Protection and Freedom of Information) and to the control by the data protection officer of the Contractor with the exception of those areas that have no connection to the fulfillment of the order. In particular, he tolerates the rights of access, inspection and questioning of those named, including access to documents protected by professional secrets. The same applies to the contractor's employees.
This also applies if a competent authority investigates in the context of administrative offence or criminal proceedings with regard to the processing of personal data during order processing at the Contractor.
Insofar as the Client is exposed to an inspection by the supervisory authority, an administrative offence or criminal proceedings, the liability claim of a data subject or a third party or another claim in connection with the order processing at the Contractor, the Contractor must support him to the best of his ability.
The obligations of confidentiality and the rights of those named to refuse to give evidence under the law remain unaffected.
The Contractor regularly monitors the internal processes as well as the technical and organisational measures to ensure that the processing in his area of responsibility is carried out in accordance with the requirements of the applicable data protection law and that the protection of the rights of the data subject is guaranteed.

Upon request, the Contractor shall prove the technical and organizational measures taken to the Customer within the scope of his control powers and responsibility of this contract.

Subcontracting relationships

Subcontracting relationships within the meaning of this regulation are to be understood as services that relate directly to the provision of the main service.

This does not include ancillary services that the Contractor uses, e.g. as telecommunications services, postal/transport services, maintenance and user service or the disposal of general data carriers as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing systems.

The Contractor may only make use of further contractors (subcontractors) with the prior express written consent of the Client. In the case of general written approval, the Contractor shall immediately inform the Client of any intended change in relation to the involvement or replacement of subcontractors. The Client may object to such changes. In the event of subcontracting, the Contractor is also obliged to take appropriate and legally compliant contractual agreements and control measures that correspond to the Contractor's level of protection in order to guarantee the data protection and data security of the Client's data, even in the case of outsourced ancillary services. This is ensured by ISO 27001 by the Contractor.

All data is stored encrypted by subcontractors. The keys are not known to the subcontractors.

Subcontractors are selected according to the following criteria:
  1. The supplier/service provider must submit a contract for order data processing.
  2. Suppliers/service providers should be certified according to DIN ISO 27001 if possible.
  3. The data processing of the supplier/service provider takes place on German servers.
  4. A transfer of the data to third countries is excluded.
In the contractual agreement with the subcontractor, the Client must be granted control and verification rights in accordance with this agreement. The Client is also entitled, upon written request, to receive information from the Contractor about the content of the contract concluded with the subContractor and the implementation of the subcontractor's data protection-relevant obligations contained therein.
If the subContractor does not comply with its data protection obligations, the Contractor shall be liable to the Client for compliance with the subcontractor's obligations. In this case, at the request of the Client, the Contractor must terminate the subcontractor's employment in whole or in part or terminate the contractual relationship with the subContractor if and to the extent that this is not disproportionate.
The transfer of personal data of the Client to the subContractor and his first action are only permitted if all requirements for a subContractor are met.
Further outsourcing by the subContractor is not permitted; unless there is an express written consent from the main Contractor.
All contractual provisions between the Contractor and the Client are also to be imposed on the subContractor and fulfilled and complied with by the subcontractor.

Control rights of the Client

The Client has the right to carry out inspections in consultation with the Contractor or to have them carried out in individual cases by an auditor to be appointed. He has the right to satisfy himself of the Contractor's compliance with this agreement in his business operations by means of random checks, which are usually to be notified in good time.
The Contractor ensures that the Client can satisfy himself that the Contractor's obligations under Art. 28 GDPR have been complied with. The Contractor undertakes to provide the Client with the necessary information on request and, in particular, to prove the implementation of the technical and organizational measures.
Proof of such measures, which do not only concern the specific order, can be provided by
  • compliance with approved rules of conduct in accordance with Article 40 GDPR;
  • certification according to an approved certification procedure in accordance with Art. 42 GDPR;
  • current attestations, reports or report extracts from independent bodies (e.g auditors, accountants, data protection officers, IT security department, data protection auditors, quality auditors);
  • a suitable certification by IT security or data protection audit (e.B. according to BSI basic protection).
For the facilitation of inspections by the Client, the Contractor can assert an appropriate claim to remuneration (but a maximum of 1,000 euros net per year).

Notification of Contractor Violations

The Contractor shall support the Client in complying with the obligations referred to in Articles 32 to 36 of the GDPR on the security of personal data, reporting obligations in the event of data breaches, data protection impact assessments and prior consultations.
The Contractor shall inform the Client immediately in the event of serious disruptions to its operations, in the event of suspected violations of this agreement and statutory data protection regulations, in the event of violations of such provisions or other irregularities in the processing of the Client's data. This applies in particular with regard to the reporting obligation pursuant to Art. 33 para. 2 GDPR as well as to corresponding obligations of the Client pursuant to Art. 33 and Art. 34 GDPR. The Contractor undertakes to provide the Client with appropriate support in its obligations for order processing in accordance with Articles 33 and 34 GDPR if necessary . Notifications pursuant to Art. 33 or 34 GDPR for the Client may only be carried out by the Contractor after prior instructions in accordance with the following paragraph of this contract. These include, among others:
  • ensuring an adequate level of protection through technical and organisational measures that take into account the circumstances and purposes of the processing as well as the predicted probability and severity of a possible infringement due to security gaps and enable immediate detection of relevant infringement events
  • the obligation to report personal data breaches to the Client without undue delay
  • the obligation to support the Client in the context of its duty to provide information to the data subject and to provide him with all relevant information in this context without delay
  • supporting the Client for its data protection impact assessment
  • the support of the contracting entity in the context of prior consultations with the supervisory authority.
The contractor can claim appropriate remuneration (according to the current price list of EGOTEC AG) for support services that are not included in the service description or are not attributable to misconduct on the part of the contractor.

Authority of the Client

Verbal instructions are confirmed immediately by the Client (at least in text form, e.B e-mail) or the Contractor documents them in his time recording or in text form.
The Contractor must inform the Client immediately if he he believes that an instruction violates data protection regulations. The Contractor is entitled to suspend the execution of the corresponding instruction until it is confirmed or changed by the Client.

Final provisions

Changes and additions to this contract for order processing and all its components – including any assurances of the Contractor – require a written agreement and the express indication that it is a change or addition to these conditions. This also applies to the waiver of this formal requirement.
Should individual provisions of this agreement be ineffective or unenforceable, the validity of the remaining provisions shall not be affected. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision whose effects come closest to the objective pursued by the contracting parties with the invalid or unenforceable provision. The above provisions apply accordingly in the event that the agreement proves to be incomplete.


Client Maike Musterfrau (Musterfrau GmbH)

Musterstadt den 01.01.1999


Contractor          C.W.G. Whistleblowing GmbH


This is an electronically generated document and is effective even without a signature. Please save this document or print it out for your records.



Annex 1 – Technical and organisational measures

Confidentiality (Art. 32 para. 1 lit.b GDPR)

  • Access control
    • No unauthorized access to data processing systems, electric door openers, alarm systems
  • Physical access control
    • No unauthorized system use thanks to strong passwords, automatic locking mechanisms, two-factor authentication
  • Access control
    • No unauthorized reading, copying, modification or removal within the system, thanks to authorization concepts and needs-based access rights, logging of accesses
    • Encryption of disks
  • Separation control
    • Separate processing of data collected for different purposes
  • Pseudonymization (Art. 32 Abs. 1 lit. a DS-GVO; Art. 25 Abs. 1 DS-GVO)
    • The processing of personal data in such a way that the data can no longer be assigned to a specific data subject without the use of additional information, provided that this additional information is stored separately and is subject to appropriate technical and organizational measures

Integrity (Art. 32 para. 1 lit.b GDPR)

  • Disclosure control
    • No unauthorized reading, copying, modification or removal during electronic transmission or transport through encryption and Virtual Private Networks (VPN) as well as electronic signature
  • Input control
    • Determine whether and by whom personal data has been entered, modified or removed into data processing systems through logging and document management

Availability and resilience (Art. 32 para. 1 lit.b GDPR)

  • Availability control
    • Protection against accidental or willful destruction or loss through a backup strategy
    • Prducktive system and backup are located in different data centers
    • Use of a database cluster with nodes in different fire compartments
    • Use of a cluster to operate the application with nodes in different fire compartments
    • Uninterruptible power supply (UPS) in the data center
    • Virus protection
    • Firewall on all servers
    • Reporting channels and emergency plans
    • Rapid recoverability (Art. 32 para. 1 lit.c GDPR)

Procedures for periodic review, evaluation and evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)

  • Data Protection Management
  • Incident-Response-Management
  • Data protection-friendly default settings (Art. 25 para. 2 GDPR)
  • Order control
    • No order processing within the meaning of Art. 28 GDPR without corresponding instructions from the client
    • Clear contract design
    • Formalized order management
    • Strict selection of the service provider
    • Pre-conviction obligation
    • Follow-up checks