Why Lano?

Pricing

Login

Book a demo

Why Lano?

Pricing



Book a demoLogin

General Terms and Conditions for Business and Licensing

For companies reselling Lano's services, please find the applicable Terms and Conditions here.

Lano Software GmbH, Revaler Str. 30, 10245 Berlin, Germany (hereinafter referred to as the “Provider” or “Lano”).


Version 2.1 – September 2022


Section 1: Scope

(1) These General Terms and Conditions for Business and Licensing (hereinafter referred to as “GTC”) in the version applicable at the time of the Customer’s order shall regulate the contractual relationship between the Provider (hereinafter referred to as “Lano” or the “Provider”) and people (hereinafter referred to as the “Customer”) who order software and accompanying services from the Provider. The Provider and the Customer are individually referred to as the “Party” and collectively as “Parties”.

(2) The Customer warrants that it is acting as an entrepreneur within the meaning of section 14 of the German Civil Code (BGB) in the exercise of its trade, business or profession. 

(3) There are no verbal supplementary agreements between the Parties. These GTC shall apply exclusively. No deviating terms and conditions of the Customer, which are contrary to these GTC, shall apply; this shall also be the case if the Provider does not expressly contradict the Customer’s terms and conditions.

Section 2: Subject of the Contract

(1) Lano offers its Customers a web-based, software-as-a-service solution. The Customer can choose between the following Service Modules of Lano

  1. Managing of Contractors and/or (hereinafter referred to as “Module 1”)

  2. Hiring and Managing of Remote Employees and/or (hereinafter referred to as “Module 2”)

  3. Simplification of Global payroll (hereinafter referred to as “Module 3”)

Subject of Module 1 is the management of local and international contractors (freelancers, service providers etc.). The software solution offered by Lano supports companies with organisation and the payment of contractors.

Subject of Module 2 is that Lano has established a network of employers and Employer of Record Partner(s) and, through its software, Customers can hire and manage employees in different countries. The Customer onboards the Employee(s) that are hired via the Employer of Record Partner(s) via the Software and makes documents available for such Employee(s). Specifics of this Module 2 are regulated under the terms of the Master Service Agreement which will be concluded with the Customer and Lano. 

Subject of Module 3 is that Lano automates payments to employees of the Customer (“Payroll Employees”) and contractors with one of Lano’s or the Customer’s payroll partners. Specifics of this Module 3 can be regulated under the terms of the Master Service Agreement which can be concluded with the customer and respective individual assignments. 

(2) Contractors, Employees of Record and Payroll Employees may also use a version of Lano’s software for their own purposes. These GTC shall not apply to them.

(3) The subject of the contract is the provision of the Software offered by Lano for the use of its functionalities (hereinafter referred to as “Software”), the provision of storage space for data generated by the Software or required for the use of the Software (hereinafter referred to as “Application Data”) as well as the provision of the selected module and, if applicable, support services by the Provider to the Customer against payment of the agreed fee by the Customer to the Provider.

(4) The functional scope of the Software arises from these GTC as well as the selected module and the service description specified in the ordering process (available at https://www.lano.io/en/pricing/). Insofar as the information on the module or the service description does not differ from these GTC, the Provider shall not be obliged to provide further support services in regard to the subject of the contract. However, if not already concluded, a Master Agreement may be agreed between the Parties at any time. Irrespective of the specific individual agreement between the Parties, the right of the Provider to administer, update and maintain the Software shall remain unaffected. The information agreed to be rendered to the Customer must not be impaired by this.

Section 3: Conclusion of the contract

(1) In order to be able to use the Software from Lano, a customer account must be created. Once registration has been completed, the Customer shall receive an email with a link for Double Opt-in and can then set their password by themselves. 

(2) A contract between the Customer and the Provider regarding the respective module ordered shall only be concluded when the Provider accepts the registration by email or in another way, for example, releasing the module in the Software to the Customer.

(3) Should the Customer wish to order a module which is not included in the starter package, it may request it from the Provider via the Software.

(4) Payment obligations would be governed by the module selected and are derived from the respective module description.

Section 4: Provision of the Software and hosting the Application Data

(1) At the latest, during the course of the working day following the conclusion of the contract, the Provider shall have  the Software ready, that is ordered, in the respective current version on one or more servers for use in accordance with the following provisions.

(2) The Provider shall be liable for ensuring that the module ordered and the Software provided are free of defects throughout the duration of the contract period, in particular that they are free from viruses and similar malware, which nullify the suitability of the Software for use as per the contract. Insofar as the Provider obtains the Software from third parties, it must have the last generally available version of the respective Software available on the market for use by the Customer no later than six months after general market release by the manufacturer. Insofar as the Provider manufactures the Software itself, it shall ensure that the Software it manufactures always corresponds to the tried and tested state of the art.

(3) Upon acceptance of the offer, the Provider shall send the Customer a link by email for the user (“Administrator”) specified by it at the time of ordering, via which the Customer can set a password. The Customer must choose a sufficiently secure password known only to it. Using its email address and the password chosen by the Customer, the Customer can log on to the website fms.lano.io in order to use the Software as the Administrator. The access data, including the password, must be kept secret by the Customer and not made available to unauthorised third parties. If permitted by the module selected, additional employees of the Customer appointed by it may be granted access to the Software. These and the Administrator are considered to be “authorised users”.

(4) The Customer may also send user invitations to contractors via the administration area of the fms.lano.io website using email addresses provided by it. During the logging on process, the invited user is asked to provide their login information, contact details and a password. The user can use this data to log on to fms.lano.io after activation of the account and confirmation by the Customer in the user or contractor area. Contractor accounts within the meaning of section 4 enable contractors to manage contract relations with several clients via the Lano website. The use of the contractor accounts is not exclusively limited to one customer or client.

(5) For access to the Software supplied, the Customer requires an Internet connection and an up-to-date browser of the types Internet Explorer, Chrome or Firefox. The Provider does not guarantee support for other browsers. Appropriate hardware is also required (e.g. an Internet-enabled terminal), which is able to run the above-mentioned browsers.

(6) The Provider shall make storage space available on the server for the Application Data from the date on which the service is initially provided agreed in section 4(1). The storage space for the Application Data is generally limited to 500 GB, unless specified to the contrary due to the licence model chosen. The Parties may agree to a different provision in writing.

(7) The Customer has no claim to the provision of a particular server for its sole use. With separation of the Customer’s data files within the scope of the server’s performance, the Provider may allow a large number of customers to use the server simultaneously.

(8) The Software and Application Data are backed up on the server regularly, at least daily. Backups are stored for 30 calendar days.

(9) The Customer shall inform the Provider without delay if there is a suspicion that the access data and/or passwords of the Customer or its users may have become known to unauthorised persons.

(10) If and to the extent that the provision of a new version or a change is accompanied by a change in the functionality of the Software, in the Customer’s work processes supported by the Software and/or by restrictions to the usability of previously generated data,the Provider shall notify the Customer of this in writing no later than six weeks prior to such a change taking effect. Should the Customer not object to the change in writing within a period of two weeks from receipt of the notice of the change, the change shall become part of the contract. Whenever such changes are announced, the Provider shall draw the Customer’s attention to the aforementioned deadline and the legal consequences of its expiry should the Customer not exercise its right to object.

(11) The transfer point for the Software and Application Data is the router output of the servers used by the Provider.

Section 5: Availability of the Software and access to the Application Data

(1) During the operating period (Mon-Fri: 7-8 p.m.), the Provider shall owe availability of the Software at the transfer point (interface between the Internet and the server hosting the Software) of 99% per month. The Parties understand availability to mean the possibility of using the Software at the transfer point in accordance with the contract.

(2) The Software is also considered to be available with

(a) disruptions to parts of the technical infrastructure or the Internet required for execution of the Software which are not to be provided by the Provider or its vicarious agents;

(b) disruptions or other events not caused by the Provider or its vicarious agents;

(c) scheduled unavailability within the scope of subsection 4;

(d) negligible reductions in the suitability of the Software for use in accordance with the contract.

(3) The Provider shall make available to the Customer a website (https://www.lano.io/help-center) for support questions or error messages. In addition, the Provider may be reached via the contact information provided on its website (email addresses and telephone numbers) for support questions or error messages. Questions and error messages are processed in Berlin during working days between 7 a.m. and 8 p.m. within a reasonable period of time depending on the urgency of the matter.

(4) The Provider is entitled to arrange scheduled unavailability of the Software and/or the server for updates, maintenance, data backup and other work required on the Software and/or server. Such scheduled unavailability should be announced to the Customer with notice of at least one week and, as a rule, it should be scheduled at low-traffic times (Monday to Friday between 8 p.m. and 6 a.m. as well as on weekends and national public holidays). Prior notice by the Provider is not required for urgently needed work, e.g. to close security loopholes or to maintain functionality. During the scheduled unavailability, the Customer shall have no legal claim to use the Software and/or the server. Should the Customer use the Software and/or the server during the scheduled period of unavailability, however, it shall have no claim for defect liability or compensation in the event of a reduction in or suspension of service.

Section 6: Other services of the Provider

(1) Documentation

(a) The Provider shall provide the Customer online (e.g. at https://www.lano.io/help-center) with information which enables the Customer to use the software for the purposes stipulated in the contract. The information is to be regularly amended if there are significant changes to the use of the Software.

(b) Should the Provider supply third-party Software and the documentation in German and or English is not available from this third party, the Provider shall be entitled to provide only the documentation that is available with them..

(c) The Customer shall be entitled to store, print and reproduce a reasonable quantity of the documentation provided while maintaining existing trade mark notations. Otherwise, the restrictions on the use of the documentation agreed under 7 for the Software shall apply accordingly.

(2) Further services of the Provider may be agreed at any time in text form (e.g. by email), in particular training on the application. Other such services shall be provided against reimbursement of the proven expenditure at the prices of the Provider generally applicable at the time of the order.

Section 7: Rights of use and application of the Software, rights of the Provider in the event that usage authorisation is exceeded

(1) The Customer shall receive simple, non-sublicensable and non-transferable rights of use for the Software, limited to the term of this contract, in accordance with the following provisions.

(2) Details of the rights of use result from the descriptions stipulated in the ordering process and the selected module, which apply as a supplement to these GTC.

(3) The Customer, and depending on the selected module, the Customer’s employees and users registered in accordance with section 4(4) and confirmed by the Customer shall be entitled to use the Software. 

(4) The Customer’s right of use is limited to access to the Software on the server. There shall be no physical transfer of the Software to the Customer. The Customer may only use the Software for its own business activities.

(5) The Customer shall not be entitled to make changes to the Software. This does not apply to changes which are necessary for the correction of errors, provided that the Provider is in default with correction of the error, refuses to rectify the error or is unable to rectify the error due to the initiation of insolvency proceedings.

(6) Should the Provider create new versions, updates, upgrades or other new deliveries relating to the Software during the term, the above rights shall also apply to these.

(7) Insofar as rights are not expressly granted to the Customer, the Customer shall not be entitled to them. In particular, the Customer shall not be entitled to use the Software, including the source code, beyond its agreed use or to allow it to be used by third parties or to make the Software available to third parties. In particular, it shall not be permitted to copy, sell or transfer the Software for a limited period of time, especially not to lease or lend it. The Customer shall take the necessary precautions to prevent use of the Software by unauthorised persons.

(8) The Customer shall be liable for ensuring that the website and Software supplied to it by the Provider are not used for purposes which are racist, discriminatory, pornographic, endanger the protection of minors, are politically extreme or otherwise illegal or in breach of official regulations or regulations or that corresponding data, in particular Application Data, is not created and/or stored on the server. The Customer is responsible for the content posted by it and the users. The Provider does not check the contents for completeness, accuracy, legitimacy, topicality, quality or suitability for a specific purpose.

(9) The services available on the platform are intended exclusively for the intended purposes. Use for other commercial purposes is prohibited, unless such use has been previously been expressly permitted by the Provider in writing. Unauthorised commercial use shall include, in particular, all offers and applications of paid content, services and/or products, both its own and that of third parties, all offers and applications and the execution of activities with a commercial background such as competitions, prize draws, bartering, advertisements or pyramid systems.

(10) In the event of a breach of the above provisions, the Provider shall reserve the right to block the Customer’s or user’s access, either temporarily or permanently, but not before corresponding notification and the granting of a reasonable period of time to remedy the breach by the Customer. In the event of a temporary or permanent block, the Provider shall block the access authorisation and notify the Customer accordingly. Should the Customer continue to infringe or repeatedly infringe the above regulations despite a corresponding reminder from the Provider and if it is responsible for this, the Provider may terminate the contract extraordinarily without observing a notice period. Further claims on the part of the Provider shall remain unaffected.

(11) Insofar as and to the extent that a database, databases, a database work or database works are created on the Provider’s server during the term of this contract, in particular through the compilation of Application Data, as a result of activities carried out by the Customer permitted under this Agreement, all rights thereto shall be transferred to the Customer. The Customer shall remain the owner of the databases or database works and the rights thereto after the end of the contract.

Section 8: Obligations and duties of the Customer

(1) The Customer shall be obliged not to interfere or permit interference with the Software outside of normal use or to penetrate or promote such penetration of the Provider’s data networks without authorisation (e.g. carrying out load and/or penetration tests).

(2) The Customer agrees that it shall only access the Software and Application Data on the basis of these GTC and any cooperation agreement and via the interfaces provided by the Provider. In addition, the Customer shall not circumvent any safeguards which the Provider has taken to protect the Software and Application Data.

(3) Furthermore, the Customer shall be obliged to notify the Provider immediately of any defects in the contractual services, in particular defects in the Software. Should the Customer fail to make notification in good time for reasons for which it is responsible, this shall constitute contributory cause or contributory negligence. Insofar as the Provider was unable to remedy the situation as a result of the omission or delay in the notification, the Customer shall not be entitled to reduce the agreed remuneration, wholly or in part, to demand compensation for the damage caused by the defect or to extraordinary termination of the contract due to the defect without notice. The Customer must demonstrate that it is not responsible for the failure to notify.

(4) The Customer shall keep the username and password it uses secret, shall not pass them on to any unauthorised third party and shall protect them from access by third parties using appropriate and standard measures. The same shall apply to other access data known to the Customer in association with the use of the Software as well as to access data for user accounts set up by the Customer itself. Should the username and/or password nevertheless become known to unauthorised third parties or should the Customer suspect that this is the case, the Customer is obliged to inform the Provider immediately. The access data of former employees and contractors must be immediately deactivated or changed by the Customer.

(5) The Customer shall indemnify the Provider against claims by third parties which are based on unlawful use of the Software by them or which result from data protection, copyright or other legal disputes caused by the Customer, which are connected with use of the Software.

(6) The Customer shall ensure that it observes all rights of third parties to material used by it (e.g. when transmitting texts/data from third parties to the Provider’s server); it must also take appropriate measures to ensure that any content posted by users does not violate the rights of third parties.

(7) Before sending data and information to the Provider, the Customer must check them for viruses and use state-of-the-art antivirus programs.

(8) When the Customer transmits data to the Provider in order to generate Application Data, the Customer must back it up regularly and in accordance with the importance of the data, creating its own backup copies in order to enable reconstruction of the data and information in the event of their loss.

(9) If and to the extent that the Customer is given the technical opportunity to do so by mutual consent, it shall regularly save the Application Data and employment related data stored on the server by download. In particular, the Customer may save invoices, profiles, templates and other documents on its own data carriers at any time using the export functionalities provided by the Provider. The Customer shall be responsible for compliance with the retention periods stipulated by commercial and tax law for invoices and other tax-relevant documents which can be retrieved via the export function. The obligation of the Provider to back up data in accordance with section 4(8) of this contract shall remain unaffected.

(10) The Customer shall require authorised users as per section 4(3) to comply with all the provisions of section 8 accordingly.

Section 9: Confidentiality

(1) Confidential information is information expressly designated as confidential by the Party providing the information and information, the confidentiality of which is clear from the circumstances of its transfer. The Application Data in particular shall be treated confidentially by the Provider, should it become aware of the data.

(2) No confidential information shall be deemed to exist if the Party receiving the information demonstrates that the information was known to it or generally available to it prior to the date of receipt; was known to the public or publicly available prior to the date of receipt; became known to or generally available to the public after the date of receipt without the Party providing the information being responsible for this.

(3) The Parties shall maintain confidentiality with regard to all confidential information of which they have knowledge within the scope of this contractual relationship or shall use such information only with the prior written consent of the other Party vis-à-vis third parties – irrespective of the purpose.

(4) Excluded from this is the transfer or disclosure of confidential information due to judicial or government orders and due to prior consent to the specific transfer by the other Party.

(5) The Parties shall undertake to protect all confidential information brought to their attention as part of the contract using appropriate confidentiality measures.

(6) The Provider shall be entitled to publish the name, logo and activity of the Customer as well as the type of activity exclusively for its own reference purposes, for example on websites operated by it, insofar as the Customer does not object to this in writing. In the event of an objection by the Customer, the Provider shall immediately remove the reference. Public statements by the Parties regarding their cooperation shall otherwise be made only by prior mutual written agreement.

(7) The obligations as per subsection 2 shall also exist for an indefinite period beyond the end of the contract, for as long as an exception has not been established as per subsection 1.

Section 10: Data protection

(1) The Parties shall comply with the applicable data protection regulations, in particular those valid in Germany, and shall require their employees working in connection with the contract and its execution to maintain confidentiality in the handling of personal data, insofar as they are not already generally obliged to do so by law.

(2) Insofar as data from the Customer’s contractors Employer of Record Employee(s) or Payroll Employee(s) is processed when using the Software for the purposes of managing and paying them the Parties shall act as joint controllers for data protection with regard to the processing of this data in accordance with Article 26 of the GDPR and the agreement on joint responsibility attached as Appendix 1. Subject to Section 10 (3) below, the parties shall otherwise act as independent, autonomous controllers.

(3) When using processors according to Art. 4 no. 8 GDPR within the scope of these Terms and Conditions, the Parties are obliged to conclude a contract in accordance with Art. 28 GDPR. The parties shall inform each other in good time of any intended engagement of processors before concluding the contract. The other party may object to the engagement of the processor if the party has legitimate doubts about the processor's compliance with GDPR (or other data privacy related legislation(s)). Before the engagement of the processor, the respective party may request the submission of the processing agreement with the processor in order to verify compliance with the requirements of Art. 28 GDPR. If the processing of personal data takes place in a third country, the party using the processor shall demonstrate to the other party the existence of the guarantees for an adequate level of data protection in the third country.

(4) Insofar as the personal data of authorised users is processed on the platform as per section 4(3), the Provider shall act as a Processor in accordance with Article 28 of the GDPR and the processing contract attached to this contract as Appendix 2. This also applies to the collection, processing or use of any other personal data (e.g. data on salaried employees or end customers of customer) with the help of the Software for purposes other than those described in Appendix 1, provided however, that Customer shall vouch for the fact that it is entitled to process personal data in accordance with the applicable regulations, in particular provisions of data protection law, and in the event of an infringement shall indemnify Lano against third-party claims.

(5) The Provider shall point out that the usage activities may be monitored to the extent permitted by law. Where appropriate, this may also include the logging of IP connection data and the course of conversations as well as their analysis in the event of a concrete suspicion of a violation of the existing GTC and/or in the event of a concrete suspicion of the existence of any other illegal act or criminal offence.

(6) To the extent that personal data is transferred outside the European Union or the European Economic Area (third country transfer) and the European Commission has not issued an adequacy decision for these countries according to Art. 45 GDPR, the Standard Contractual Clauses (SCC) shall apply as appropriate safeguards according to Art. 46 GDPR. If Lano is controller and the recipient of the personal data is controller, Module 1 of the SCC in Appendix 5 shall apply. If Lano is controller and the recipient of the personal data is processor, Module 2 of the SCC in Appendix 6 shall apply. 

Section 11: Remuneration and terms and conditions

(1) Remuneration for the services to be provided, the granting of use of the Software and the provision of storage space is based on the module selected in each case, the amount of which is stated in the ordering process. The Provider may adjust the amount of the fee in accordance with section 15.

(2) The fee for the selected module specified in the order process is processed automatically using the chosen method of payment. If the Customer has justifiably terminated the contract on exceptional grounds, the lump sum must be repaid on a pro rata basis.

(3) Payment may be made using the payment methods offered by the Provider. The Provider may instruct the payment service provider chosen by the Customer to make payments in accordance with the terms of this Agreement. The Provider shall reserve the right to exclude certain methods of payment. Insofar as payment against invoice is offered, the Provider shall reserve the right to carry out a credit check in individual cases.

(4) Other services shall be provided by the Provider at cost (time & material) according to the general list prices of the Provider valid at the time of the order.

(5) The Provider shall be entitled to send invoices in text form to the Customer’s email address it provided.

(6) Remuneration is payable plus VAT at the statutory rate applicable in each case.

(7) Offsetting by the Customer is not permitted unless the counterclaim by the Customer is undisputed or legally enforceable.

Section 12: Contacts and escalation level

(1) For the purpose of channelling communications, particularly in the event of disruptions to the service structure, the Parties shall each designate in writing a primary contact, who can make legally binding statements for the respective Party or can make such statements within four working days after the main contact of the other Party has informed them in writing of a situation and the need for a decision.

(2) If agreement at the level of the main contacts is not reached within six working days of notification of the facts and the need for a decision, the matter shall be submitted without delay to the respective management of the Parties or the representatives appointed by them for a decision. A final decision is to be reached at this escalation level within a period of a further six working days from receipt of the matter.

(3) The escalation deadlines specified above shall not inhibit response, execution, recovery or other deadlines agreed in this Agreement, including the appendices. However, before the escalation procedure has been completed, an extraordinary termination is generally ineffective if and to the extent that the termination is to be based on a difference of opinion between the Parties regarding the performance of services.

Section 13: Liability

(1) In the event of intent or gross negligence, the Parties shall be liable to each other without limitation for all damage caused by them and their legal representatives or vicarious agents.

(2) In the event of minor negligence, the Parties shall be liable without limitation for death, personal injury or damage to health.

(3) Otherwise, a Party shall only be liable if it has breached an essential contractual obligation. Essential contractual obligations are those obligations which are of particular importance to achievement of the goal of the contract as well as all those obligations which, in the event of a culpable breach, could jeopardise the achievement of the purpose of the contract. In such cases, liability shall be limited to reimbursement of the foreseeable, typically occurring damages. The Provider’s strict liability for compensation (section 536(a) of the German Civil Code) for defects existing at the conclusion of the contract is excluded; subsections 1 and 2 shall remain unaffected.

(4) Should the Provider default on operational provision of the Software, liability shall be governed by section 13. The Customer shall be entitled to withdraw from the contract if the Provider does not comply with a two-week grace period set by the Customer, i.e. does not supply the full agreed functionality of the Software within the grace period.

(5) If, after operational provision of the Software and/or Application Data, the Provider should fail, either wholly or in part, to comply with the agreed obligations, the monthly flat-rate usage fee shall be reduced pro rata for the period during which the Software and/or the Application Data were not available to the Customer to the agreed extent or the storage space was not available to the agreed extent. Ongoing user fees shall apply only for transactions that were actually carried out despite the restriction or discontinuation of services using the Software. Should the Provider be responsible for this non-performance, the Customer may also claim compensation in accordance with Section 13(1).

(6) A party shall only be obliged to pay a contractual penalty if this contract expressly provides for this. A contractual penalty need not be reserved. Offsetting with and against it is permissible.

(7) Neither Party shall be obliged to fulfil its contractual obligations in the event of and for the duration of force majeure. In particular, the following circumstances shall be regarded as force majeure in this sense: fire/explosion/flooding for which the Party is not responsible; war, mutiny, blockade, embargo; more than 6 weeks of industrial action which is not culpably caused by the Party; technical Internet issues which are beyond the influence of either Party; this shall not apply if and to the extent that the Provider also supplies the telecommunications service. Each Party shall immediately notify the other party in writing of the occurrence of an instance of force majeure.

(8) Liability under the German Product Liability Act shall remain unaffected.

Section 14: Duration, termination

(1) The contractual relationship begins with the conclusion of the contract and is for an indefinite period. The services shall be provided no later than on the working day following conclusion of the contract.

(2) A minimum contract term of 1 month shall apply. The contractual relationship may be terminated by either Party in writing with notice of one month to the end of the minimum contract term. Following expiry of the minimum contract term, the contract shall be extended again by the minimum contract term, unless the Contract has been effectively terminated.

(3) Extraordinary termination due to or in association with a breach of duty shall only be possible following a prior written warning with a reasonable period of not less than 14 working days.

(4) Should the Party entitled to terminate the contract have been aware of circumstances justifying extraordinary termination for more than two months, it may no longer use them as a basis for termination.

(5) Notwithstanding the provisions of subsection 3, the Provider may terminate the contract without compliance with a notice period if the Customer is in arrears for two consecutive months with the payment of the prices or a not inconsiderable part of the prices or in a period of more than two months with payment of the fee of an amount equal to fee for two months. If this is the case, the Provider may additionally claim flat-rate compensation in the amount of one quarter of the remaining monthly basic lump sum until the end of the regular contract period. The Customer shall reserve the right to provide evidence of lesser damage.

Section 15: Changes to this contractual relationship, price adjustments

(1) The Provider shall be entitled to amend provisions of these GTC which do not lead to a significant redesign of the contract structure or affect it at any time and without stating reasons, provided that this change does not lead to a redesign of the contract structure as a whole. The essential provisions of the contract structure include, in particular, provisions relating to the type and scope of the contractually agreed services, the duration and termination of the contract.

(2) Furthermore, the Provider shall be entitled to amend or supplement these GTC insofar as this is necessary to eliminate difficulties in the execution of the contract with the Customer due to regulatory loopholes which have arisen after conclusion of the contract. The amended conditions shall be emailed to the Customer at least six weeks prior to them coming into force. The changes shall be deemed to have been approved if the Customer does not object to them in text form. The objection must be received within six weeks of receipt of the notification of the amended conditions. The Provider shall make particular reference to the possibility of objection and the significance of the six-week period in the notification of the changed conditions. Should the Customer exercise its right of objection, the Provider’s wish for change shall be considered rejected. The contract shall then continue without the proposed amendments. The right of the Parties to terminate the contract shall remain unaffected.

(3) Under the following conditions, the Provider shall be entitled to increase the prices to be paid by the Customer for the recurring services to be provided within the scope of the contract in order to compensate for an increase in its total costs. The total costs shall consist of costs for the maintenance and operation of the digital (encryption and decryption) infrastructure, the technical supply of the Software including the costs for additional programs and features, fees for any copyright and ancillary copyrights, material costs, labour and incidental wage costs including contract and temporary work costs, costs for customer management (e.g. call centres, IT systems) and costs of general administration.

(a) Prices may only be adjusted up to the extent of the cost increase and equivalent to the share of the increased cost element in the total cost; it is permitted only if the cost increase is based on changes which occurred after conclusion of the contract and which were not initiated by the Provider. This is the case, for example, where sub-suppliers, vendors or other service providers of the Provider increase their prices, if the contractual services are subject to modified or additional taxes or levies or in the event of collective wage increases.

(b) Any cost savings shall be taken into account in the calculation of the Provider’s total cost burden. An increase in prices shall be permitted only once per calendar year. If circumstances which occurred after conclusion of the contract and which were not caused by the Provider lead to a reduction in the Provider’s total costs within the meaning of this clause, the Provider shall undertake to reduce the prices to be paid by the Customer to the extent of the cost reduction and according to the share of the reduced cost element in the total costs. The Provider may take into account any increases in individual costs, insofar as these have not already been taken into account in the context of a price increase.

(c) Should the increase in prices exceed 5% of the prices applicable up to the time of the increase, the Customer shall be entitled to terminate the contract within four weeks of receipt of the notification of the increase with effect from the time the increase comes into force. Should the Customer utilise this special right of termination, the increase shall not take effect and the contract shall be terminated with effect from the date on which the price increase comes into force. Should the Customer not terminate the contract or not terminate it within the time limit, the contract shall continue at the new service rate from the time specified in the notification.

(d) The Provider shall specifically draw the Customer’s attention to the right of termination and the consequences of termination not being made in due time as part of its notification of the increase in the service rate. The Provider shall inform the Customer of any adjustment to the service rate at least six weeks before its entry into force.

(4) Notwithstanding the above, the Supplier shall be entitled to adjust the prices accordingly in the event of a change in the statutory VAT.

Section 16: Final provisions

(1) There shall be no additional verbal provisions outside this contract and its appendices. Any previous agreements on the subject of the contract shall hereby be rendered invalid. In order to be effective, any amendments or additions to this contract and its appendices must be made in writing (e.g. email). This shall also apply to the waiver of the requirement for written form.

(2) The possible invalidity of individual provisions of this contract shall not affect the validity of the remaining content of the contract. Should loopholes become apparent in the application of this contract for which the Parties have not provided, or should the invalidity of a provision be legally determined or determined by both Parties, they shall undertake to close or replace this loophole or invalid provision in a manner, which is appropriate and reflects the economic purpose of the contract.

(3) German substantive law applies to the contractual relationship.

(4) The exclusive place of jurisdiction shall be the registered office of the Provider unless otherwise mandated by a standard.


Section 17: List of appendices

  • Appendix 1: Contract for joint controllers as per Article 26 of the GDPR;

  • Appendix 2: Processing contract (DPA) as per Article 28 of the GDPR.

  • Appendix 3 to the DPA: Technical and organisational measures of the Provider

  • Appendix 4 to the DPA: Subcontractual relationships of the Provider

  • Appendix 5: Standard Contractual Clauses (Module 1)

  • Appendix 6:  Standard Contractual Clauses (Module 2)



Appendix 1

Agreement on cooperation as joint controllers within the meaning of Article 26 of the GDPR with regard to data of Contractors, Employees of Records and Payroll Employees

Preamble


The Customer (hereinafter: “Controller 2”) and the Provider (hereinafter: “Controller 1”) are independent companies which, within the scope of using the services of Controller 1, regularly jointly process personal data from the 


  1. (In case of Module 1) Contractors and/or

  2. (In case of Module 2) Employees of Records and/or

  3. (In case of Module 3) Payroll Employees


in order to manage them. In this connection, they have jointly defined the purposes and means of processing. Between both Controllers, there is a relationship of joint responsibility for the named data subjects as per Article 26 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, the free movement of data and the repeal of Directive 95/46/EC, “GDPR”). With regard to the data of the authorised users for Lano at Controller 2 or Controllers 2 other data described in Clause 10 III of the GTC, there exists an order processing relationship as per Article 28 of the GDPR. The corresponding order processing contract is attached as Appendix 2. 

 

The Parties shall endeavour to comprehensively protect the privacy of the data subjects and their personal data and to guarantee lawful processing. The aim of this Agreement is to transparently define which of the contracting parties shall fulfil which of the obligations as per the European General Data Protection Regulation, in particular with regard to the exercising of the rights of the data subjects as specified in Articles 12–23 of the GDPR and how the information obligations as per Articles 13 and 14 of the GDPR are fulfilled. This Agreement is attached as Appendix 1 to the General Terms and Conditions with this application.


Against this background, the contracting parties shall agree the following:


Section 1: Scope and definitions


(1) The following provisions apply to all services provided by Controller 1 to Controller 2 on the basis of the Main Contract.


(2) Should the term “data processing” or “processing” be used in this Agreement, this shall generally refer to the use of personal data. Data processing or the processing of data refers to any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, synchronisation or combination, blocking, erasure or destruction.


(3) Reference is made to the other definitions in Article 4 of the GDPR.


(4) Controllers 1 and 2 are hereinafter abbreviated to C1 and C2. 


Section Section 2: Functions and relationships of the joint controllers with respect to the data subjects


(1) With the help of the software offered by C1, contractors and/or Employer of Record Employees and/or Payroll Employees can network and manage their work related data and documents with C2. C2 is able to manage its workforce using C1’s software and thus, in particular, has access to the data of the contractors and employees they provide in its profiles and for other work related performance and management

 

(2) The contracting parties shall process the personal data of the following data subjects

 

  1. (In case of Module 1) Contractors and/or

  2. (In case of Module 2) Employer of Record Employees and/or

  3. (In case of Module 3) Payroll Employees

 

(3) The contracting parties process the following categories of data:

  1. Profile data (name, form of address, title/academic degree, date of birth, self-description, skills, photo)

  2. Contact details (email address, telephone number, address)

  3. Order data of orders from C2 (order details, services)

  4. Order history

  5. Order billing data and payment information (invoice details, bank details, credit card information)

  6. Other documents provided by C2 or the data subject for C2

Section 3: Purposes and means of data processing


The Parties shall jointly determine the following purposes and means of processing: 

The main purpose of data sharing is the management of the above-mentioned data for order generation and settlement between the data subjects and C2 by means of C1’s platform.  


Section 4: Contact point for data subjects


The Parties have not established a central contact point for questions from data subjects regarding data protection issues arising as a result of joint data processing. Data subjects may either contact


Lano Software GmbH, 

Revaler Str. 30

10245 Berlin

Germany 


or 


the contact address of C2.

Section 5: Transfer to third countries and subcontractors


The processing and use of data by both C1 and C2 shall take place mainly within the territory of the Federal Republic of Germany, in a Member State of the European Union or in another State party to the Agreement on the European Economic Area. Any relocation to a third country must be communicated to the other Controller and may only take place if the specific requirements of Article 44 et seq. of the GDPR have been fulfilled.


If personal data is transferred to a third country and there is no adequacy decision for that country, the Standard Contractual Clauses (Module 1) in Annex 5 apply.


C1 shall agree to the use of the subcontractors of C2 listed in Appendix 4.


Section 6: Technical and organisational measures


The Contracting Parties shall undertake, in particular in compliance with the principles of correct data processing as per Article 32 in conjunction with Article 5(1) of the GDPR, to ensure through appropriate controls that the jointly processed personal data is processed exclusively in accordance with this Agreement and the underlying Main Contract. The joint controllers shall mutually assure each other that the personal data shall be handled securely and in compliance with data protection regulations. In particular, they will ensure the following safeguards:


  • Unauthorised persons shall be denied access to personal data. This shall apply irrespective of whether the data is stored in electronic form or as hard copy.

  • Computer systems are to be secured by passwords and kept technically up to date.

  • The personal data may only be viewed and processed by those persons who are entrusted with the specific order processing. Employees are obliged to treat personal data confidential.

  • The data of different clients or business partners is systematically separated according to the task.

  • Insofar as the Controllers determine that special transmission methods are necessary according to the state of the art in order to guarantee the secure transmission of electronically stored data, these shall be implemented. 

  • The Controllers shall mutually assist each other in the fulfilment of the rights of the data subjects, in particular with regard to data portability, rectification, restriction of the processing and erasure, notification and exchange of information, upon first request and within the scope of their abilities. Should a Controller receive a data protection request from a data subject which is also relevant for the other Controller, the Controller shall immediately forward this request to the other Controller, leaving them to respond to the request, or carry it out jointly.

  • Furthermore, the Controllers shall support each other in all other obligations arising for the Controllers from the GDPR and, if applicable, from other data protection regulations and special statutes which concern joint data processing.


Section 7: Mutual information obligations


The Controllers shall immediately inform each other of any disruptions, breaches of data protection law or the provisions laid down in this Agreement by the persons employed by them or any suspected breaches or irregularities in the processing of personal data relating to joint data processing. This shall apply, in particular, to unauthorised access to personal data by third parties (e.g. hacking). The Controller where the data protection breach occurred shall document the process including the effects and remedial measures and make this documentation available to the other Controller at any time on request. Should the Controller be unable to comply with its legal reporting obligation due to delayed, incomplete, incorrect or otherwise improper information from the other Controller, the Controller shall compensate all damages resulting from this delay. The Controllers shall support each other in the comprehensive and timely fulfilment of any reporting obligations.


In the event of any control measures taken by a data protection supervisory authority, or in the event of other requests, investigations or enquiries by the data protection supervisory authority, the Controllers shall inform each other without delay of the implementation of the control measure as far as personal data relating to joint processing is concerned.


C2 shall appoint a contact for C1 to whom messages as per sections 7 and 8(3) are to be sent.


Section 8: Distribution of duties in response to rights of data subjects 


  1. In the event that a data subject asserts rights to the rectification, erasure or blocking of personal data or to information about the stored personal data, the party against whom the rights are asserted shall be responsible for the fulfilment of the claims of the data subject.

  2. Should the rights of data subject be asserted in accordance with the preceding paragraph, the Parties shall mutually assist each other to the extent necessary or appropriate to safeguard the rights of the data subjects.

(3) The Parties shall be obliged to notify each other without delay if a data subject asserts rights in accordance with subsection 1, unless it can be excluded that the assistance of the other Party is necessary in accordance with subsection 3.


Section 9: Fulfilment of information obligations


  1. C1 has formulated a privacy policy for the platform at lano.io and for the app solution. C1 is responsible for the legality and completeness of the privacy policy. C1 shall provide all information to the data subjects in a concise, transparent, intelligible and easily accessible form, using clear and plain language.

  2. C1 shall amend and supplement the online privacy policy insofar as this is necessary or appropriate due to changes in the data processing procedures or for legal reasons. Should C2 become aware of circumstances that make it necessary or appropriate to amend or supplement the privacy policy, C2 shall notify C1 immediately.

  3. C1 shall undertake to make the essential content of the agreement on joint responsibility based on data protection law available to the data subjects (Article 26(2) of the GDPR).


Section 10: Miscellaneous

(1) In the event of any conflicts between the provisions of this Agreement and the provisions of the Main Contract, the provisions of this Agreement shall prevail.

(2) Amendments and additions to this Agreement shall require the mutual consent of the Parties, with specific reference to the provisions of this Agreement to be amended. There are no verbal supplementary agreements and they are also excluded for future amendments to this Agreement.

(3) This Agreement shall be subject to German law.

(4) Should access to the data be prevented by third-party measures (e.g. measures taken by an insolvency administrator, seizure by tax authorities etc.), the Parties shall notify each other.

Appendix 2

Processing contract within the meaning of Article 28 of the GDPR with regard to the data of Users of Lano at the Customer

Preamble

Between the Customer (hereinafter referred to as: “Controller”) and the Provider (hereinafter referred to as: “Processor”) exists a contractual relationship within the meaning of Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data, the free movement of data and the repeal of Directive 95/46/EC, “GDPR”)with regard to the data of users with the Controller. Joint responsibility shall exist with regard to the data of the contractors in accordance with Article 26 of the GDPR. The corresponding contract is in Appendix 1.

This Agreement, including all appendices (collectively referred to as the “Agreement”) specifies the data protection obligations of the Parties arising from the underlying General Terms and Conditions for Business and Licensing (“GTC”). This Agreement is attached as Appendix 2 to the General Terms and Conditions with this application.

The Processor shall commit to the Controller to fulfil this Agreement in accordance with the following provisions:


Section 1: Scope and definitions

(1) The following provisions apply to all processing services within the meaning of Article 28 of the GDPR which the Processor provides to the Controller on the basis of the Main Contract.

(2) Should the term “data processing” or “processing” of data be used in this Agreement, this shall generally refer to the use of personal data. Data processing or the processing of data refers to any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, synchronisation or combination, blocking, erasure or destruction.

(3) Reference shall be made to the other definitions in Article 4 of the GDPR.


Section 2: Subject and duration of the data processing

(1) The Processor shall process personal data on behalf of and in accordance with the instructions of the Controller.

(2) The subject of the order is the use of the platform provided by the Processor as software-as-a-service (“SaaS”) for the management of the contractors of the Controller and the associated management of the beneficial employees in the platform of the Processor within the scope agreed with the Processor in accordance with the GTC.

(3) This Agreement shall apply exclusively to the processing of personal data by the Processor in accordance with the instructions given and which is limited to the user accounts of the Controller’s employees. Insofar as the Parties are deemed to be acting independently or jointly according to data protection law, this Agreement shall not apply.

(4) The duration of this Agreement corresponds to the duration of the Main Contract.


Section 3: Type and purpose of data processing

The type and purpose of the processing of personal data by the Processor are specified in the GTC. This includes the following activities and purposes:

The Processor provides the Controller with its platform as a software-as-a-service service. The Controller uses the platform to manage its contractors and set up corresponding user accounts for its employees.

This management includes contract management and compliance, sourcing, payment, onboarding, HR planning, monitoring, budget planning and internal performance evaluation. 


Section 4: Categories of data subjects

Under this Agreement, personal data of the following categories of data subjects is to be processed:

  • Employees of the Controller (who use lano to manage contractors and/or Employer of Record Employees and/or Payroll Employees)


Section 5: Type of personal data

The following types of data are affected by order processing:

  • Registration data (address, name, date of birth, business contact details)

  • Profile data (photo, language)

  • Activities in the software (project management, partner network, invoice payment)


Section 6: Rights and obligations of the Controller

(1) The Controller shall have sole responsibility for assessing the admissibility of data processing and for safeguarding the rights of the data subjects and is thus the controller within the meaning of Article 4(7) of the GDPR.

(2) The Controller is entitled to issue instructions regarding the type, scope and methods of data processing. At the request of the Processor, verbal instructions shall be confirmed immediately by the Controller in writing or in text form (e.g. by email).

(3) Insofar as the Controller considers it necessary, persons authorised to issue instructions may be named. The Controller shall inform the Processor of this in writing or in text form. In the event that these persons authorised to issue instructions change at the Controller, the Processor shall be informed of this in writing or in text form, with designation of the new person.

(4) The Controller shall notify the Processor immediately if errors or irregularities are discovered in association with the processing of personal data by the Processor.


Section 7: Obligations of the Processor

(1) Data processing

The Processor shall process personal data exclusively in accordance with this Agreement and/or the underlying Main Contract, as well as in accordance with the instructions of the Controller.

(2) Rights of the data subject

The Processor shall support the Controller as far as is possible in fulfilling the rights of the data subjects, in particular with regard to rectification, restriction of processing and erasure, notification and provision of information. Should the Processor process the personal data referred to in section 5 of this Agreement on behalf of the Controller and should this data be the subject of a request for data portability as per Article 20 of the GDPR, the Processor shall make the relevant data record available to the Controller within a reasonable period of time, otherwise within seven working days, in a structured, commonly used and machine-readable format.

At the instruction of the Controller, the Processor shall correct, erase or restrict the processing of the personal data referred to in Section 5 of this Agreement, which are processed by order. The same shall apply if this Agreement provides for the correction, erasure or restriction of the processing of data.

Insofar as a data subject contacts the Processor directly for the purpose of correcting, erasing or restricting the processing of the personal data referred to in Section 5 of this Agreement, the Processor shall forward this request to the Controller immediately upon receipt.

(3) Control obligations

The Processor shall ensure, by means of appropriate controls, that the personal data processed in the order is processed exclusively in accordance with this Agreement and/or the Main Contract and/or the corresponding instructions.

The Processor shall organise its company and operating procedures in such a way that the data processed on behalf of the Controller is secured to the extent necessary in each case and is protected against unauthorised access by third parties.

The Processor shall confirm that it has designated a data protection officer in accordance with Article 37 of the GDPR and, if applicable, in accordance with section 38 of the Federal Data Protection Act (BDSG) and that it is monitoring compliance with data protection and data security regulations with the involvement of the data protection supervisor. The data protection officer of the Processor is currently:

Ms Iana Kaminska

support@lano.io (marking your letter “FAO Data protection officer”)

(4) Information obligations

For its part, the Processor shall notify the Controller immediately if, in its opinion, an instruction issued by the Controller violates statutory provisions. The Processor shall be entitled to suspend execution of the relevant instruction until it is confirmed or amended by the Controller.

The Processor shall support the Controller in complying with the obligations referred to in Articles 32 to 36 of the GDPR, taking into account the nature of the processing and the information available to it.

(5) Location of the data processing

The processing of the data shall take place principally within the territory of the Federal Republic of Germany, in a Member State of the European Union or in another State party to the Agreement on the European Economic Area. Any relocation to a third country may only occur if the specific requirements of Article 44 et seq. of the GDPR have been fulfilled.

(6) Erasure of personal data following completion of order 

Following termination of the Main Contract, the Processor shall either erase or return all personal data processed on behalf of the Controller, provided that the erasure of said data does not conflict with any statutory storage obligations of the Processor. The erasure related to data protection is to be documented and confirmed to the Controller on request.


Section 8: Control rights of the Controller

(1) Following timely prior notification during normal business hours and without interrupting the operations of the Processor or endangering the safeguards for other controllers and at its own expense, the Controller shall be entitled to check compliance with the regulations on data protection and the contractual agreements to the extent required either itself or via third parties. The controls may also be carried out by accessing the Processor’s existing industry-standard certifications, current audits or reports from an independent party (such as a certified accountant, external data protection officer, auditor or external data protection auditor) or via self-reporting. The Processor shall provide the necessary assistance to carry out the checks.


(2) The Processor shall inform the Controller of the implementation of control measures taken by the supervisory authority insofar as the measures or data processing may concern that carried out by the Processor for the Controller.


Section 9: Subcontractual relationships

(1) The Controller shall authorise the Processor to use other processors in accordance with the following paragraphs in Section 9 of this Agreement. This authorisation shall constitute general written authorisation as per Article 28 (2) of the GDPR.


(2) In fulfilling the order , the Processor is currently working with the subcontractors named in Appendix 4 that the Controller has agreed to engage.


(3) The Processor shall be entitled to engage other processors or to replace processors already engaged. The Processor shall notify the Controller in advance of any intended changes with regard to the involvement or replacement of a further processor. The Controller may object to an intended change.


(4) The objection to the proposed change shall be raised with the Processor within 2 weeks of receipt of the information about the change. In the event of an objection, the Processor may, at its own discretion, provide the service without the intended change or propose an alternative additional processor and agree this with the Controller. Should provision of the service without the intended change not be reasonable to the Processor – for example, due to the associated disproportionate expenses for the Processor – or if agreement on another processor fails, the Controller and the Processor may terminate this Agreement and the Main Contract with notice of one month to the end of the month.


(5) Where an additional further processor is involved, a level of protection of personal data comparable to that of this Agreement must always be guaranteed. The Processor shall be responsible to the Contractor for all acts and omissions of the other processors employed by it.


Section 10: Confidentiality

(1) The Processor shall be obliged to maintain confidentiality when processing data for the Controller.


(2) When fulfilling the order, the Processor shall be obliged to use only employees or other vicarious agents who themselves are obliged to maintain confidentiality when handling the personal data provided and who have been familiarised with the data protection requirements in an appropriate manner. On request, the Processor shall provide evidence to the Controller of the performance of these obligations.


(3) Should the Controller be subject to other rules regarding confidentiality, it shall inform the Processor accordingly. The Processor shall require its employees to comply with these confidentiality rules in accordance with the requirements of the Controller.


Section 11: Technical and organisational measures

(1) The technical and organisational measures set out in Appendix 3 shall be agreed as appropriate. The Processor may update and amend these measures, provided that such updates and/or changes do not significantly reduce the level of protection.


(2) The Processor shall observe the principles of proper data processing in accordance with Articles 32 and 5(1) of the GDPR. It guarantees the contractually agreed and legally required data security measures. It shall take all necessary measures to secure the data or ensure the security of processing, in particular also taking into account the state of the art, as well as to mitigate potentially adverse consequences for data subjects. The measures to be taken shall include, in particular, measures to protect the confidentiality, integrity, availability and resilience of the systems and measures to ensure continuity of processing after incidents. In order to always be able to guarantee an appropriate level of processing security, the Processor shall regularly evaluate the measures implemented and make adjustments if necessary.


Section 12: Liability/exemption

(1) The Processor shall be liable to the Controller in accordance with the statutory provisions for all damage caused by culpable breaches of this Agreement or the statutory data protection provisions applicable to it which the Processor, its employees or those commissioned by it to execute the contract cause in the performance of the contractual service. The Processor shall not be obliged to pay damages, provided that the Processor proves that it processes the data of the Controller provided to it exclusively in accordance with the instructions of the Controller and has complied with its obligations from the GDPR specifically imposed on Processors.


(2) The Controller shall indemnify the Processor against all claims of third parties which are asserted against the Processor as a result of a culpable breach of the obligations under this Agreement or applicable data protection regulations by the Controller.


Section 13: Miscellaneous

(1) In the event of any conflicts between the provisions of this Agreement and the provisions of the Main Contract, the provisions of this Agreement shall prevail.


(2) Amendments and additions to this Agreement shall require the mutual consent of the Parties, with specific reference to the provisions of this Agreement to be amended. There are no verbal supplementary agreements and they are also excluded for future amendments to this Agreement.


(3) This Agreement shall be subject to German law.


(4) If access to the data that the Controller has transmitted to the Processor for data processing is jeopardised by third-party measures (e.g. measures taken by an insolvency administrator, seizure by tax authorities etc.), the Processor must immediately notify the Controller of this.

Appendix 3

Technical and organisational measures to ensure data processing security

The Processor agrees to have undertaken the following technical and organisational measures:

A Measures for pseudonymisation

Measures that reduce direct personal references during processing in such a way that a specific data subject can only be identified with the inclusion of additional information. The additional information is to be kept separately from the pseudonym using appropriate technical and organisational measures.

Description of the pseudonymisation: None because it is being processed on a central server.         


B Measures for encryption

Measures or operations where a clearly legible text/information is converted into an illegible, i.e. not easily interpretable string (ciphertext) by means of an encryption process (cryptosystem):

Only known encryption libraries and encryption algorithms are to be used.

Use of appropriate encryption algorithms (such as AES, 3DES, SHA2) and key sizes

Type Key size in bits

Symmetrical 128

Asymmetrical 2048

Hashes 200 – 256

Encrypted data is to be decrypted only when used.

Plain text data is to be securely deleted immediately after use.

Separation of (encrypted) data and keys.

Store keys on separate systems.


C Measures to safeguard confidentiality


Admittance control

Measures which physically prevent unauthorised persons from admittance to IT systems and data processing systems used to process personal data, as well as confidential files and data carriers:

Description of the admittance control system:

Pass reader, controlled key distribution, chip card etc.

Door locking (electronic door opener etc.)

Porter

Surveillance equipment (alarm systems, video)

Surveillance equipment (alarm systems, video)


System access control

Measures to prevent unauthorised persons from processing or using data protected by data protection laws.


Description of the access control system:

System and data access are restricted to authorised users

Users must identify themselves with username and password

User rights are granted only to a limited extent

All logins/logouts are recorded

Use of a central password policy


Data access control

Measures to ensure that persons authorised to use the data processing system may access only that data which they are authorised to access, so that personal data cannot be read, copied, altered or removed without authorisation during processing, use and storage.


Description of the data access control system:


Authorisation policies (profiles, roles etc.) and their documentation

Evaluation/logs

Encryption of data carriers

Archiving concept

Logging of access and abuse attempts

System and data access are restricted to authorised users

Users must identify themselves with username and password

Separation rule

Measures to ensure that data collected for different purposes is processed separately and is therefore separated from other data and systems in such a way as to prevent unplanned use of such data for other purposes.

Description of the separation control process:

Authorisation policies

Systems allow data segregation by different software

Productive and test systems are separated from each other

Records are only accessible via systems which are predefined

Database user rights are centrally output and managed


D Measures to ensure integrity


Data integrity

Measures to ensure that stored personal data is not damaged by system malfunctions:


Description of the data integrity:

Installation of new releases and patches with release/patch management

Functional test of installation and releases/patches by IT department

Logging

Transport processes with individual responsibility

Transmission control

Measures to ensure that it is possible to verify and determine the bodies to which personal data has been or may be transmitted or made available using data communication equipment:


Description of the transmission control:

Logging

Transport processes with individual responsibility

Checksums

Transport control

Measures to ensure that the confidentiality and integrity of personal data are protected during the transfer of personal data and when transporting data carriers:


Description of the transport control:


Transmission of data via encrypted data networks or tunnelling connections (VPN)

Transport processes with individual responsibility

Encryption methods which detect data changes during transport

HTTPS

Comprehensive logging procedures

Input control

Measures to ensure that it is possible after the fact to check and ascertain whether personal data has been entered into, altered, or removed from DP systems and if so, by whom.

Description of the input control process:


Logging all system activities and retaining these logs for at least three years

Log evaluation systems

Checksums

Digital signatures

Use of centralised rights management to input, modify and delete data

E Measures to ensure availability and resilience


Availability control

Measures to ensure that personal data is protected from accidental destruction or loss.

Description of the availability control system:

Backups are created on a regular basis

There is a backup and recovery plan in place

Backup files are stored in a secure and remote location

Localisation

Data recovery is regularly tested

As well as various other measures of the server service providers

Rapid recoverability

Measures to ensure the ability to rapidly restore the availability of and access to personal data in the event of a physical or technical incident


Description of the measures for rapid recoverability:


Data backup procedures

Regular testing of data recoverability

Emergency plans

Reliability

Measures to ensure that all system functions are available and that any malfunctions which occur are reported:


Description of the reliability measures:


Automatic monitoring with email notification

Emergency plans with responsibilities

IT emergency service 24/7

Regular tests to restore data

F Measures for the regular evaluation of data processing security


Review procedures

Measures which ensure data processing is secure and complies with data protection requirements.


Description of the review procedures:


Data protection management

Formalised processes for data protection incidents

Instructions from the client are documented

Formalised job management

Service level agreements for executing controls

Involvement of external data protection officers in all data protection issues

Order control

Measures to ensure that personal data processed on behalf of others is processed only in strict compliance with the client’s instructions:


Description of job control measures:


Instructions from the client are documented

Formalised job management

Appendix 4 

Subcontractual relationships

For performance of the order, the processor is currently working with the following other processors that the controller has agreed to engage.


1. Docusign 

Name/company: DocuSign, Inc., 221 Main Street, Suite 1550, San Francisco, CA 94105

Function/services: Electronic processing of contractual documents

Registered office: San Francisco, Deutschland

Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): Binding Corporate Rules


2. Adobesign 

Name/company: Adobe Systems Software Ireland Limited ,4-6 Riverwalk, Dublin 24, Republic of Ireland

Function/services: Electronic processing of contractual documents

Registered office: Dublin, Republic of Ireland

Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): Binding Corporate Rules


3. Stripe

Name/company: Stripe, Inc.

Function/services: Online payment processing

Registered office: San Francisco, USA


Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): We have concluded an EU Commission standard contract with Stripe.


4. Sendgrid / Twilio

Name/company: Twilio Ireland Limited

Function/services: Email delivery platform

Registered office: Dublin, Ireland


Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): Binding Corporate Rules


5. Google Analytics


Name/company: Google LLC

Function/services: Data analysis


Registered office (city, country): Mountain View, USA


Guarantee of an adequate level of data protection in the event of processing in third countries: We have concluded an EU Commission standard contract with Google LLC for the Product Google Analytics.


6. Fin API

Name/company: finAPI GmbH

Function/services: Payment gateway 

Registered office (city, country): Munich, Germany


7. Currencycloud 

Name/company: Currencycloud Ltd

Function/services: Payment service

Registered office (city, country): London, UK

Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): We have concluded an EU Commission standard contract with Currency Cloud.


8. Rapyd 

Name/company: Rapyd Financial Network (2016) Ltd., North West House, 119 Marylebone Rd, Marylebone, London, NW1 5PU. 

Function/Services: Zahlungsdienstleister

Registered office: London, England

Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): We have concluded an EU Commission standard contract with Rapyd 


9. Google Sign in 

Name/company:  Google Ireland Limited, Gordon House, Barrow Street, Dublin 4, Irland (for users from the EU and Swiss) bzw. Google LLC 1600 Amphitheatre Parkway Mountain View, CA 94043, USA (for all other users)

Function/Services: Log-in Service

Registered office: U.S.A

Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): We have concluded an EU Commission standard contract with Google 


10. Segment

Name/company:  Segment Inc, 55 2nd St, 4th Fl., San Francisco, CA 94105, USA 

Function/Services: collecting and analyzing usage data and for playing interest-based personalized advertising

Registered office: U.S.A

Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): We have concluded an EU Commission standard contract with Segment 


11. Mixpanel 

Name/company:  Mixpanel, Inc., 405 Howard St., CA 94105 San Francisco, USA

Function/Services: stores and processes information about user behavior

Registered office: U.S.A

Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): We have concluded an EU Commission standard contract with Mixpanel 


12. Customer.io 

Name/company:  Peaberry Software Inc., Attn: Legal, 9450 SW Gemini Dr., Suite 43920, Beaverton, Oregon 97008-7105

Function/Services: stores and processes information about user behavior

Registered office: U.S.A

Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): We have concluded an EU Commission standard contract with Peaberry Software Inc.

13. ip2ocation

Name/company: Hexasoft Development Sdn. Bhd.

Function/services: IP geolocation solution

Registered office: Bayan Baru, Malaysia

No data processing.

14. Leeway

Name/company: Leeway

Function/services: Contract management/ contract negotiation and execution

Registered office: 13 rue Sainte-Ursule 31000 Toulouse, France

Guarantee of an adequate level of data protection in the event of processing in third countries (outside the EU or EEA): We have concluded an EU Commission standard contract with Leeway

15. Leadoo

We use Leadoo’s tracking service to learn what some users are doing on the site and combine this data with other data we can gather from e.g. chat interactions. Leadoo uses ETag tracking in order to hook together the same user’s behaviour over several sessions. Please check out Leadoo Marketing Technologies Ltd’s Privacy Policy (https://leadoo.com/privacy-policy/) for more information on what is tracked and what your rights are. Leadoo works as the Processor and we work as the Controller for the data in terms of GDPR. You can stop the tracking by emptying your browser’s cache after the visit. For more on how Leadoo works as a GDPR-compliant processor, see https://leadoo.com/privacy-policy-processor/

Appendix 5

Standard Contractual Clauses (Module 1)

Clause 1 – Purpose and scope


  1. The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.) for the transfer of personal data to a third country.

  2. The Parties:

  • the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

  • the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)


have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).


3. These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

4. The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.


Clause 2 – Effect and invariability of the Clauses


1. These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.


2. These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.


Clause 3 – Third-party beneficiaries


1. Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

 

  • Clause 1, Clause 2, Clause 3, Clause 6, Clause 7


  • Clause 8 – Module One: Clause 8.5 (e) and Clause 8.9 (b) 


  • Clause 9 – Intentionally blank


  • Clause 12 – Module One: Clause 12 (a) and (d)


  • Clause 13


  • Clause 15.1 (c), (d) and (e)


  • Clause 16 (e)


  • Clause 18 – Module One: Clause 18 (a) and (b)


2. Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.

 

Clause 4 – Interpretation


1. Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.


2. These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.


3. These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.

 

Clause 5 – Hierarchy


In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.


Clause 6 – Description of the transfer(s)


The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.


Clause 7 – Optional - Docking clause


Intenionally blank.


Clause 8 – Data protection safeguards


The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.


8.1 Purpose limitation


The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B. It may only process the personal data for another purpose:


1. where it has obtained the data subject’s prior consent;


2. where necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or


3. where necessary in order to protect the vital interests of the data subject or of another natural person.


8.2 Transparency


1. In order to enable data subjects to effectively exercise their rights pursuant to Clause 10, the data importer shall inform them, either directly or through the data exporter:


2. of its identity and contact details;


3. of the categories of personal data processed;


4. of the right to obtain a copy of these Clauses;


5. where it intends to onward transfer the personal data to any third party/ies, of the recipient or categories of recipients (as appropriate with a view to providing meaningful information), the purpose of such onward transfer and the ground therefore pursuant to Clause 8.7.


6. Paragraph (a) shall not apply where the data subject already has the information, including when such information has already been provided by the data exporter, or providing the information proves impossible or would involve a disproportionate effort for the data importer. In the latter case, the data importer shall, to the extent possible, make the information publicly available.


7. On request, the Parties shall make a copy of these Clauses, including the Appendix as completed by them, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including personal data, the Parties may redact part of the text of the Appendix prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information.


8. Paragraphs (a) to (c) are without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.


8.3 Accuracy and data minimisation


1. Each Party shall ensure that the personal data is accurate and, where necessary, kept up to date. The data importer shall take every reasonable step to ensure that personal data that is inaccurate, having regard to the purpose(s) of processing, is erased or rectified without delay.


2. If one of the Parties becomes aware that the personal data it has transferred or received is inaccurate, or has become outdated, it shall inform the other Party without undue delay.


3. The data importer shall ensure that the personal data is adequate, relevant and limited to what is necessary in relation to the purpose(s) of processing.


8.4 Storage limitation


The data importer shall retain the personal data for no longer than necessary for the purpose(s) for which it is processed. It shall put in place appropriate technical or organisational measures to ensure compliance with this obligation, including erasure or anonymisation (This requires rendering the data anonymous in such a way that the individual is no longer identifiable by anyone, in line with recital 26 of Regulation (EU) 2016/679, and that this process is irreversible.) of the data and all back-ups at the end of the retention period.


8.5 Security of processing


1. The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the personal data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access (hereinafter ‘personal data breach’). In assessing the appropriate level of security, they shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subject. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner.


2. The Parties have agreed on the technical and organisational measures set out in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.


3. The data importer shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.


4. In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the personal data breach, including measures to mitigate its possible adverse effects.


5. In case of a personal data breach that is likely to result in a risk to the rights and freedoms of natural persons, the data importer shall without undue delay notify both the data exporter and the competent supervisory authority pursuant to Clause 13. Such notification shall contain i) a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), ii) its likely consequences, iii) the measures taken or proposed to address the breach, and iv) the details of a contact point from whom more information can be obtained. To the extent it is not possible for the data importer to provide all the information at the same time, it may do so in phases without undue further delay.


6. In case of a personal data breach that is likely to result in a high risk to the rights and freedoms of natural persons, the data importer shall also notify without undue delay the data subjects concerned of the personal data breach and its nature, if necessary in cooperation with the data exporter, together with the information referred to in paragraph (e), points ii) to iv), unless the data importer has implemented measures to significantly reduce the risk to the rights or freedoms of natural persons, or notification would involve disproportionate efforts. In the latter case, the data importer shall instead issue a public communication or take a similar measure to inform the public of the personal data breach.


7. The data importer shall document all relevant facts relating to the personal data breach, including its effects and any remedial action taken, and keep a record thereof.


8.6 Sensitive data


Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions or offences (hereinafter ‘sensitive data’), the data importer shall apply specific restrictions and/or additional safeguards adapted to the specific nature of the data and the risks involved. This may include restricting the personnel permitted to access the personal data, additional security measures (such as pseudonymisation) and/or additional restrictions with respect to further disclosure.


8.7 Onward transfers


The data importer shall not disclose the personal data to a third party located outside the European Union (The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) unless the third party is or agrees to be bound by these Clauses, under the appropriate Module. Otherwise, an onward transfer by the data importer may only take place if:


1. it is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;


2. the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 of Regulation (EU) 2016/679 with respect to the processing in question;


3. the third party enters into a binding instrument with the data importer ensuring the same level of data protection as under these Clauses, and the data importer provides a copy of these safeguards to the data exporter;


4. it is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings;


5. it is necessary in order to protect the vital interests of the data subject or of another natural person; or


6. where none of the other conditions apply, the data importer has obtained the explicit consent of the data subject for an onward transfer in a specific situation, after having informed him/her of its purpose(s), the identity of the recipient and the possible risks of such transfer to him/her due to the lack of appropriate data protection safeguards. In this case, the data importer shall inform the data exporter and, at the request of the latter, shall transmit to it a copy of the information provided to the data subject.


Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.


8.8 Processing under the authority of the data importer


The data importer shall ensure that any person acting under its authority, including a processor, processes the data only on its instructions.


8.9 Documentation and compliance


1. Each Party shall be able to demonstrate compliance with its obligations under these Clauses. In particular, the data importer shall keep appropriate documentation of the processing activities carried out under its responsibility. 


2. The data importer shall make such 

documentation available to the competent supervisory authority on request.

 

Clause 9 – Use of sub-processors


Intentionally blank.



Clause 10 – Data subject rights


1. The data importer, where relevant with the assistance of the data exporter, shall deal with any enquiries and requests it receives from a data subject relating to the processing of his/her personal data and the exercise of his/her rights under these Clauses without undue delay and at the latest within one month of the receipt of the enquiry or request. (That period may be extended by a maximum of two more months, to the extent necessary taking into account the complexity and number of requests. The data importer shall duly and promptly inform the data subject of any such extension.) The data importer shall take appropriate measures to facilitate such enquiries, requests and the exercise of data subject rights. Any information provided to the data subject shall be in an intelligible and easily accessible form, using clear and plain language.


2. In particular, upon request by the data subject the data importer shall, free of charge:


  • provide confirmation to the data subject as to whether personal data concerning him/her is being processed and, where this is the case, a copy of the data relating to him/her and the information in Annex I; if personal data has been or will be onward transferred, provide information on recipients or categories of recipients (as appropriate with a view to providing meaningful information) to which the personal data has been or will be onward transferred, the purpose of such onward transfers and their ground pursuant to Clause 8.7; and provide information on the right to lodge a complaint with a supervisory authority in accordance with Clause 12(c)(i);


  • rectify inaccurate or incomplete data concerning the data subject;


  • erase personal data concerning the data subject if such data is being or has been processed in violation of any of these Clauses ensuring third-party beneficiary rights, or if the data subject withdraws the consent on which the processing is based.


3. Where the data importer processes the personal data for direct marketing purposes, it shall cease processing for such purposes if the data subject objects to it.


4. The data importer shall not make a decision based solely on the automated processing of the personal data transferred (hereinafter ‘automated decision’), which would produce legal effects concerning the data subject or similarly significantly affect him/her, unless with the explicit consent of the data subject or if authorised to do so under the laws of the country of destination, provided that such laws lays down suitable measures to safeguard the data subject’s rights and legitimate interests. In this case, the data importer shall, where necessary in cooperation with the data exporter:


  • inform the data subject about the envisaged automated decision, the envisaged consequences and the logic involved; and


  • implement suitable safeguards, at least by enabling the data subject to contest the decision, express his/her point of view and obtain review by a human being.


5. Where requests from a data subject are excessive, in particular because of their repetitive character, the data importer may either charge a reasonable fee taking into account the administrative costs of granting the request or refuse to act on the request.


6. The data importer may refuse a data subject’s request if such refusal is allowed under the laws of the country of destination and is necessary and proportionate in a democratic society to protect one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679.


7. If the data importer intends to refuse a data subject’s request, it shall inform the data subject
of the reasons for the refusal and the possibility of lodging a complaint with the competent
supervisory authority and/or seeking judicial redress.


Clause 11 – Redress


1. The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.


2. In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.


3. Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:


  • lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;


  • refer the dispute to the competent courts within the meaning of Clause 18.


4. The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.


5. The data importer shall abide by a decision that is binding under the applicable EU or Member State law.


6. The data importer agrees that the choice made by the data subject will not prejudice his/her
substantive and procedural rights to seek remedies in accordance with applicable laws.


Clause 12 – Liability


  1. Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

  2. Each Party shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages that the Party causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter under Regulation (EU) 2016/679.

  3. Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

  4. The Parties agree that if one Party is held liable under paragraph (c), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

  5. The data importer may not invoke the conduct of a processor or sub-processor to avoid its
    own liability.


Clause 13 – Supervision


  1.  The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

  2. The data importer agrees to submit itself to the jurisdiction of and cooperate with the
    competent supervisory authority in any procedures aimed at ensuring compliance with these
    Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and
    comply with the measures adopted by the supervisory authority, including remedial and
    compensatory measures. It shall provide the supervisory authority with written confirmation
    that the necessary actions have been taken.


Clause 14 – Local laws and practices affecting compliance with the Clauses


  1. The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

  2. The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:


  • the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;


  • the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards; (As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.)


  • any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.


3. The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.


4. The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.


5. The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). 


6. Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation . The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.


Clause 15 – Obligations of the data importer in case of access by public authorities

 

15.1 Notification


1. The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:


  • receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or


  • becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.



2. If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.


3. Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). 


4. The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.


5. Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.


15.2 Review of legality and data minimisation


1. The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).


2. The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. 


3. The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.


Clause 16 – Non-compliance with the Clauses and termination


1. The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.


2. In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).


3. The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:


  • the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;


  • the data importer is in substantial or persistent breach of these Clauses; or


  • the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.


In these cases, it shall inform the competent supervisory authority  of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.


4. Personal data that has been transferred prior to the termination of the contract pursuant to paragraph (c) shall at the choice of the data exporter immediately be returned to the data exporter or deleted in its entirety. The same shall apply to any copies of the data.  The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.


5. Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.


Clause 17 – Governing law


These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.

 

Clause 18 – Choice of forum and jurisdiction

 

  1. Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

  2. The Parties agree that those shall be the courts of Germany.

  3. A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

  4. The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX


ANNEX I


  1. LIST OF PARTIES


Data exporter:


Name: Lano Software GmbH


Address: Revaler Straße 30, 10245 Berlin


Contact person’s name, position and contact details: Ms Iana Kaminska, Data protection officer


support@lano.io (marking your letter “FAO Data protection officer”)


Activities relevant to the data transferred under these Clauses: managing of contractors and/or hiring and managing of remote employees and/or simplification of global


Signature and date: The parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of these Clauses by both parties as of the Terms effective date.


Role (controller/processor): controller


Data importer:

Name: Customer


Address: As specified in the agreement between data exporter and data importer.


Contact person’s name, position and contact details: As specified in the agreement between data exporter and data importer.


Activities relevant to the data transferred under these Clauses: The data importer provides the services to the data exporter in accordance with the agreement between the data exporter and data importer.


Signature and date: The parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of these Clauses by both parties as of the Terms effective date.


Role (controller/processor): controller

 

 

  1. DESCRIPTION OF TRANSFER 

 

Categories of data subjects whose personal data is transferred


Employees (who use Lano to manage contractors and/or Employer of Record Employees and/or Payroll Employees)


Categories of personal data transferred


  • Profile data (name, form of address, title/academic degree, date of birth, self-description, skills, photo);

  • Contact details (email address, telephone number, address);

  • Order data of orders from C2 (order details, services);

  • Order history;

  • Order billing data and payment information (invoice details, bank details, credit card information);

  • Other documents provided by C2 or the data subject for C2.


Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.


not applicable


The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).


continuous basis


Nature of the processing


The data exporter transfers the employee-related data sets to the data importer to carry out the services booked by the Customer. The specific type of processing thus depends on the booked services.


Purpose(s) of the data transfer and further processing


The processing of personal data is carried out for the purpose of managing of contractors and/or hiring and managing of remote employees and/or simplification of global, in order to provide employees and customers with simple processes for the implementation of employment relationships.


The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period


for the duration of the performance of the booked services, which may vary depending on the Customer


For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing


not applicable

 

  1. COMPETENT SUPERVISORY AUTHORITY


Berliner Beauftragte für Datenschutz und Informationsfreiheit, 

Friedrichstraße 219

10969 Berlin, Germany


ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA

 

The data importer will implement and maintain the technical and organisational measures, including technical and organisational measures to ensure the security of the data as described under Appendix 3.


Appendix 6

Standard Contractual Clauses (Module 2)


Clause 1 – Purpose and scope

(a) The purpose of these standard contractual clauses is to ensure compliance with the requirements of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) (Where the data exporter is a processor subject to Regulation (EU) 2016/679 acting on behalf of a Union institution or body as controller, reliance on these Clauses when engaging another processor (sub-processing) not subject to Regulation (EU) 2016/679 also ensures compliance with Article 29(4) of Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23 October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC (OJ L 295, 21.11.2018, p. 39), to the extent these Clauses and the data protection obligations as set out in the contract or other legal act between the controller and the processor pursuant to Article 29(3) of Regulation (EU) 2018/1725 are aligned. This will in particular be the case where the controller and processor rely on the standard contractual clauses included in Decision 2021/915.) for the transfer of personal data to a third country.

(b) The Parties:

(i) the natural or legal person(s), public authority/ies, agency/ies or other body/ies (hereinafter ‘entity/ies’) transferring the personal data, as listed in Annex I.A (hereinafter each ‘data exporter’), and

(ii) the entity/ies in a third country receiving the personal data from the data exporter, directly or indirectly via another entity also Party to these Clauses, as listed in Annex I.A (hereinafter each ‘data importer’)

have agreed to these standard contractual clauses (hereinafter: ‘Clauses’).

(c) These Clauses apply with respect to the transfer of personal data as specified in Annex I.B.

(d) The Appendix to these Clauses containing the Annexes referred to therein forms an integral part of these Clauses.


Clause 2 – Effect and invariability of the Clauses

(a) These Clauses set out appropriate safeguards, including enforceable data subject rights and effective legal remedies, pursuant to Article 46(1) and Article 46(2)(c) of Regulation (EU) 2016/679 and, with respect to data transfers from controllers to processors and/or processors to processors, standard contractual clauses pursuant to Article 28(7) of Regulation (EU) 2016/679, provided they are not modified, except to select the appropriate Module(s) or to add or update information in the Appendix. This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a wider contract and/or to add other clauses or additional safeguards, provided that they do not contradict, directly or indirectly, these Clauses or prejudice the fundamental rights or freedoms of data subjects.

(b) These Clauses are without prejudice to obligations to which the data exporter is subject by virtue of Regulation (EU) 2016/679.



Clause 3 – Third-party beneficiaries

(a) Data subjects may invoke and enforce these Clauses, as third-party beneficiaries, against the data exporter and/or data importer, with the following exceptions:

(i) Clause 1, Clause 2, Clause 3, Clause 6, Clause 7

(ii) Clause 8 – Module Two: Clause 8.1 (b), Clause 8.9 (a), (c), (d) and (e)

(iii) Clause 9 – Module Two: Clause 9 (a), (c), (d) and (e)

(iv) Clause 12 – Module Two: Clause 12 (a), (d) and (f)

(v) Clause 13

(vi) Clause 15.1 (c), (d) and (e)

(vii) Clause 16 (e)

(viii) Clause 18 – Module Two: Clause 18 (a) and (b)

(b) Paragraph (a) is without prejudice to rights of data subjects under Regulation (EU) 2016/679.


Clause 4 – Interpretation

(a) Where these Clauses use terms that are defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that conflicts with rights and obligations provided for in Regulation (EU) 2016/679.


Clause 5 – Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties, existing at the time these Clauses are agreed or entered into thereafter, these Clauses shall prevail.


Clause 6 – Description of the transfer(s)

The details of the transfer(s), and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred, are specified in Annex I.B.


Clause 7 – Optional - Docking clause

Intenionally blank.


Clause 8 – Data protection safeguards

The data exporter warrants that it has used reasonable efforts to determine that the data importer is able, through the implementation of appropriate technical and organisational measures, to satisfy its obligations under these Clauses.


8.1   Instructions

(a) The data importer shall process the personal data only on documented instructions from the data exporter. The data exporter may give such instructions throughout the duration of the contract.

(b) The data importer shall immediately inform the data exporter if it is unable to follow those instructions.


8.2   Purpose limitation

The data importer shall process the personal data only for the specific purpose(s) of the transfer, as set out in Annex I.B, unless on further instructions from the data exporter.


8.3   Transparency

On request, the data exporter shall make a copy of these Clauses, including the Appendix as completed by the Parties, available to the data subject free of charge. To the extent necessary to protect business secrets or other confidential information, including the measures described in Annex II and personal data, the data exporter may redact part of the text of the Appendix to these Clauses prior to sharing a copy, but shall provide a meaningful summary where the data subject would otherwise not be able to understand the its content or exercise his/her rights. On request, the Parties shall provide the data subject with the reasons for the redactions, to the extent possible without revealing the redacted information. This Clause is without prejudice to the obligations of the data exporter under Articles 13 and 14 of Regulation (EU) 2016/679.


8.4   Accuracy

If the data importer becomes aware that the personal data it has received is inaccurate, or has become outdated, it shall inform the data exporter without undue delay. In this case, the data importer shall cooperate with the data exporter to erase or rectify the data.


8.5   Duration of processing and erasure or return of data 

Processing by the data importer shall only take place for the duration specified in Annex I.B. After the end of the provision of the processing services, the data importer shall, at the choice of the data exporter, delete all personal data processed on behalf of the data exporter and certify to the data exporter that it has done so, or return to the data exporter all personal data processed on its behalf and delete existing copies. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit return or deletion of the personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process it to the extent and for as long as required under that local law. This is without prejudice to Clause 14, in particular the requirement for the data importer under Clause 14(e) to notify the data exporter throughout the duration of the contract if it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under Clause 14(a).


8.6   Security of processing

(a) The data importer and, during transmission, also the data exporter shall implement appropriate technical and organisational measures to ensure the security of the data, including protection against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to that data (hereinafter ‘personal data breach’). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purpose(s) of processing and the risks involved in the processing for the data subjects. The Parties shall in particular consider having recourse to encryption or pseudonymisation, including during transmission, where the purpose of processing can be fulfilled in that manner. In case of pseudonymisation, the additional information for attributing the personal data to a specific data subject shall, where possible, remain under the exclusive control of the data exporter. In complying with its obligations under this paragraph, the data importer shall at least implement the technical and organisational measures specified in Annex II. The data importer shall carry out regular checks to ensure that these measures continue to provide an appropriate level of security.

(b) The data importer shall grant access to the personal data to members of its personnel only to the extent strictly necessary for the implementation, management and monitoring of the contract. It shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

(c) In the event of a personal data breach concerning personal data processed by the data importer under these Clauses, the data importer shall take appropriate measures to address the breach, including measures to mitigate its adverse effects. The data importer shall also notify the data exporter without undue delay after having become aware of the breach. Such notification shall contain the details of a contact point where more information can be obtained, a description of the nature of the breach (including, where possible, categories and approximate number of data subjects and personal data records concerned), its likely consequences and the measures taken or proposed to address the breach including, where appropriate, measures to mitigate its possible adverse effects. Where, and in so far as, it is not possible to provide all information at the same time, the initial notification shall contain the information then available and further information shall, as it becomes available, subsequently be provided without undue delay.

(d) The data importer shall cooperate with and assist the data exporter to enable the data exporter to comply with its obligations under Regulation (EU) 2016/679, in particular to notify the competent supervisory authority and the affected data subjects, taking into account the nature of processing and the information available to the data importer.


8.7   Sensitive data

Where the transfer involves personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data, or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences (hereinafter ‘sensitive data’), the data importer shall apply the specific restrictions and/or additional safeguards described in Annex I.B.


8.8   Onward transfers

The data importer shall only disclose the personal data to a third party on documented instructions from the data exporter. In addition, the data may only be disclosed to a third party located outside the European Union (The Agreement on the European Economic Area (EEA Agreement) provides for the extension of the European Union’s internal market to the three EEA States Iceland, Liechtenstein and Norway. The Union data protection legislation, including Regulation (EU) 2016/679, is covered by the EEA Agreement and has been incorporated into Annex XI thereto. Therefore, any disclosure by the data importer to a third party located in the EEA does not qualify as an onward transfer for the purpose of these Clauses.) (in the same country as the data importer or in another third country, hereinafter ‘onward transfer’) if the third party is or agrees to be bound by these Clauses, under the appropriate Module, or if:

(i) the onward transfer is to a country benefitting from an adequacy decision pursuant to Article 45 of Regulation (EU) 2016/679 that covers the onward transfer;

(ii) the third party otherwise ensures appropriate safeguards pursuant to Articles 46 or 47 Regulation of (EU) 2016/679 with respect to the processing in question;

(iii) the onward transfer is necessary for the establishment, exercise or defence of legal claims in the context of specific administrative, regulatory or judicial proceedings; or

(iv) the onward transfer is necessary in order to protect the vital interests of the data subject or of another natural person.

Any onward transfer is subject to compliance by the data importer with all the other safeguards under these Clauses, in particular purpose limitation.


8.9   Documentation and compliance

(a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

(b) The Parties shall be able to demonstrate compliance with these Clauses. In particular, the data importer shall keep appropriate documentation on the processing activities carried out on behalf of the data exporter.

(c) The data importer shall make available to the data exporter all information necessary to demonstrate compliance with the obligations set out in these Clauses and at the data exporter’s request, allow for and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or audit, the data exporter may take into account relevant certifications held by the data importer.

(d) The data exporter may choose to conduct the audit by itself or mandate an independent auditor. Audits may include inspections at the premises or physical facilities of the data importer and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in paragraphs (b) and (c), including the 

results of any audits, available to the competent supervisory authority on request.


Clause 9 – Use of sub-processors

(a) The data importer has the data exporter’s general authorisation for the engagement of sub-processor(s) from an agreed list. The data importer shall specifically inform the data exporter in writing of any intended changes to that list through the addition or replacement of sub-processors at least two weeks  in advance, thereby giving the data exporter sufficient time to be able to object to such changes prior to the engagement of the sub-processor(s). The data importer shall provide the data exporter with the information necessary to enable the data exporter to exercise its right to object.


(b) Where the data importer engages a sub-processor to carry out specific processing activities (on behalf of the data exporter), it shall do so by way of a written contract that provides for, in substance, the same data protection obligations as those binding the data importer under these Clauses, including in terms of third-party beneficiary rights for data subjects. (This requirement may be satisfied by the sub-processor acceding to these Clauses under the appropriate Module, in accordance with Clause 7.) The Parties agree that, by complying with this Clause, the data importer fulfils its obligations under Clause 8.8. The data importer shall ensure that the sub-processor complies with the obligations to which the data importer is subject pursuant to these Clauses.

(c) The data importer shall provide, at the data exporter’s request, a copy of such a sub-processor agreement and any subsequent amendments to the data exporter. To the extent necessary to protect business secrets or other confidential information, including personal data, the data importer may redact the text of the agreement prior to sharing a copy.

(d) The data importer shall remain fully responsible to the data exporter for the performance of the sub-processor’s obligations under its contract with the data importer. The data importer shall notify the data exporter of any failure by the sub-processor to fulfil its obligations under that contract.

(e) The data importer shall agree a third-party beneficiary clause with the sub-processor whereby

– in the event the data importer has factually disappeared, ceased to exist in law or has 

become insolvent – the data exporter shall have the right to terminate the sub-processor 

contract and to instruct the sub-processor to erase or return the personal data.


Clause 10 – Data subject rights

(a) The data importer shall promptly notify the data exporter of any request it has received from a data subject. It shall not respond to that request itself unless it has been authorised to do so by the data exporter.

(b) The data importer shall assist the data exporter in fulfilling its obligations to respond to data subjects’ requests for the exercise of their rights under Regulation (EU) 2016/679. In this regard, the Parties shall set out in Annex II the appropriate technical and organisational measures, taking into account the nature of the processing, by which the assistance shall be provided, as well as the scope and the extent of the assistance required.

(c) In fulfilling its obligations under paragraphs (a) and (b), the data importer shall comply with 

the instructions from the data exporter.


Clause 11 – Redress

(a) The data importer shall inform data subjects in a transparent and easily accessible format, through individual notice or on its website, of a contact point authorised to handle complaints. It shall deal promptly with any complaints it receives from a data subject.

(b) In case of a dispute between a data subject and one of the Parties as regards compliance with these Clauses, that Party shall use its best efforts to resolve the issue amicably in a timely fashion. The Parties shall keep each other informed about such disputes and, where appropriate, cooperate in resolving them.

(c) Where the data subject invokes a third-party beneficiary right pursuant to Clause 3, the data importer shall accept the decision of the data subject to:


(i) lodge a complaint with the supervisory authority in the Member State of his/her habitual residence or place of work, or the competent supervisory authority pursuant to Clause 13;

(ii) refer the dispute to the competent courts within the meaning of Clause 18.

(d) The Parties accept that the data subject may be represented by a not-for-profit body, organisation or association under the conditions set out in Article 80(1) of Regulation (EU) 2016/679.

(e) The data importer shall abide by a decision that is binding under the applicable EU or Member State law.

(f) The data importer agrees that the choice made by the data subject will not prejudice his/her 

substantive and procedural rights to seek remedies in accordance with applicable laws.


Clause 12 – Liability

(a) Each Party shall be liable to the other Party/ies for any damages it causes the other Party/ies by any breach of these Clauses.

(b) The data importer shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data importer or its sub-processor causes the data subject by breaching the third-party beneficiary rights under these Clauses.

(c) Notwithstanding paragraph (b), the data exporter shall be liable to the data subject, and the data subject shall be entitled to receive compensation, for any material or non-material damages the data exporter or the data importer (or its sub-processor) causes the data subject by breaching the third-party beneficiary rights under these Clauses. This is without prejudice to the liability of the data exporter and, where the data exporter is a processor acting on behalf of a controller, to the liability of the controller under Regulation (EU) 2016/679 or Regulation (EU) 2018/1725, as applicable.

(d) The Parties agree that if the data exporter is held liable under paragraph (c) for damages caused by the data importer (or its sub-processor), it shall be entitled to claim back from the data importer that part of the compensation corresponding to the data importer’s responsibility for the damage.

(e) Where more than one Party is responsible for any damage caused to the data subject as a result of a breach of these Clauses, all responsible Parties shall be jointly and severally liable and the data subject is entitled to bring an action in court against any of these Parties.

(f) The Parties agree that if one Party is held liable under paragraph (e), it shall be entitled to claim back from the other Party/ies that part of the compensation corresponding to its/their responsibility for the damage.

(g) The data importer may not invoke the conduct of a sub-processor to avoid its own liability.


Clause 13 – Supervision

(a) The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer, as indicated in Annex I.C, shall act as competent supervisory authority.

(b) The data importer agrees to submit itself to the jurisdiction of and cooperate with the competent supervisory authority in any procedures aimed at ensuring compliance with these Clauses. In particular, the data importer agrees to respond to enquiries, submit to audits and comply with the measures adopted by the supervisory authority, including remedial and compensatory measures. It shall provide the supervisory authority with written confirmation that the necessary actions have been taken.


Clause 14 – Local laws and practices affecting compliance with the Clauses

(a) The Parties warrant that they have no reason to believe that the laws and practices in the third country of destination applicable to the processing of the personal data by the data importer, including any requirements to disclose personal data or measures authorising access by public authorities, prevent the data importer from fulfilling its obligations under these Clauses. This is based on the understanding that laws and practices that respect the essence of the fundamental rights and freedoms and do not exceed what is necessary and proportionate in a democratic society to safeguard one of the objectives listed in Article 23(1) of Regulation (EU) 2016/679, are not in contradiction with these Clauses.

(b) The Parties declare that in providing the warranty in paragraph (a), they have taken due account in particular of the following elements:

(i) the specific circumstances of the transfer, including the length of the processing chain, the number of actors involved and the transmission channels used; intended onward transfers; the type of recipient; the purpose of processing; the categories and format of the transferred personal data; the economic sector in which the transfer occurs; the storage location of the data transferred;

(ii) the laws and practices of the third country of destination– including those requiring the disclosure of data to public authorities or authorising access by such authorities – relevant in light of the specific circumstances of the transfer, and the applicable limitations and safeguards; (As regards the impact of such laws and practices on compliance with these Clauses, different elements may be considered as part of an overall assessment. Such elements may include relevant and documented practical experience with prior instances of requests for disclosure from public authorities, or the absence of such requests, covering a sufficiently representative time-frame. This refers in particular to internal records or other documentation, drawn up on a continuous basis in accordance with due diligence and certified at senior management level, provided that this information can be lawfully shared with third parties. Where this practical experience is relied upon to conclude that the data importer will not be prevented from complying with these Clauses, it needs to be supported by other relevant, objective elements, and it is for the Parties to consider carefully whether these elements together carry sufficient weight, in terms of their reliability and representativeness, to support this conclusion. In particular, the Parties have to take into account whether their practical experience is corroborated and not contradicted by publicly available or otherwise accessible, reliable information on the existence or absence of requests within the same sector and/or the application of the law in practice, such as case law and reports by independent oversight bodies.)

(iii) any relevant contractual, technical or organisational safeguards put in place to supplement the safeguards under these Clauses, including measures applied during transmission and to the processing of the personal data in the country of destination.

(c) The data importer warrants that, in carrying out the assessment under paragraph (b), it has made its best efforts to provide the data exporter with relevant information and agrees that it will continue to cooperate with the data exporter in ensuring compliance with these Clauses.

(d) The Parties agree to document the assessment under paragraph (b) and make it available to the competent supervisory authority on request.

(e) The data importer agrees to notify the data exporter promptly if, after having agreed to these Clauses and for the duration of the contract, it has reason to believe that it is or has become subject to laws or practices not in line with the requirements under paragraph (a), including following a change in the laws of the third country or a measure (such as a disclosure request) indicating an application of such laws in practice that is not in line with the requirements in paragraph (a). 

(f) Following a notification pursuant to paragraph (e), or if the data exporter otherwise has reason to believe that the data importer can no longer fulfil its obligations under these Clauses, the data exporter shall promptly identify appropriate measures (e.g. technical or organisational measures to ensure security and confidentiality) to be adopted by the data exporter and/or data importer to address the situation . The data exporter shall suspend the data transfer if it considers that no appropriate safeguards for such transfer can be ensured, or if instructed by the competent supervisory authority to do so. In this case, the data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses. If the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise. Where the contract is terminated pursuant to this Clause, Clause 16(d) and (e) shall apply.


Clause 15 – Obligations of the data importer in case of access by public authorities


15.1   Notification

(a) The data importer agrees to notify the data exporter and, where possible, the data subject promptly (if necessary with the help of the data exporter) if it:

(i) receives a legally binding request from a public authority, including judicial authorities, under the laws of the country of destination for the disclosure of personal data transferred pursuant to these Clauses; such notification shall include information about the personal data requested, the requesting authority, the legal basis for the request and the response provided; or

(ii) becomes aware of any direct access by public authorities to personal data transferred pursuant to these Clauses in accordance with the laws of the country of destination; such notification shall include all information available to the importer.

(b) If the data importer is prohibited from notifying the data exporter and/or the data subject under the laws of the country of destination, the data importer agrees to use its best efforts to obtain a waiver of the prohibition, with a view to communicating as much information as possible, as soon as possible. The data importer agrees to document its best efforts in order to be able to demonstrate them on request of the data exporter.

(c) Where permissible under the laws of the country of destination, the data importer agrees to provide the data exporter, at regular intervals for the duration of the contract, with as much relevant information as possible on the requests received (in particular, number of requests, type of data requested, requesting authority/ies, whether requests have been challenged and the outcome of such challenges, etc.). 

(d) The data importer agrees to preserve the information pursuant to paragraphs (a) to (c) for the duration of the contract and make it available to the competent supervisory authority on request.

(e) Paragraphs (a) to (c) are without prejudice to the obligation of the data importer pursuant to Clause 14(e) and Clause 16 to inform the data exporter promptly where it is unable to comply with these Clauses.


15.2   Review of legality and data minimisation

(a) The data importer agrees to review the legality of the request for disclosure, in particular whether it remains within the powers granted to the requesting public authority, and to challenge the request if, after careful assessment, it concludes that there are reasonable grounds to consider that the request is unlawful under the laws of the country of destination, applicable obligations under international law and principles of international comity. The data importer shall, under the same conditions, pursue possibilities of appeal. When challenging a request, the data importer shall seek interim measures with a view to suspending the effects of the request until the competent judicial authority has decided on its merits. It shall not disclose the personal data requested until required to do so under the applicable procedural rules. These requirements are without prejudice to the obligations of the data importer under Clause 14(e).

(b) The data importer agrees to document its legal assessment and any challenge to the request for disclosure and, to the extent permissible under the laws of the country of destination, make the documentation available to the data exporter. It shall also make it available to the competent supervisory authority on request. 

(c) The data importer agrees to provide the minimum amount of information permissible when responding to a request for disclosure, based on a reasonable interpretation of the request.


Clause 16 – Non-compliance with the Clauses and termination

(a) The data importer shall promptly inform the data exporter if it is unable to comply with these Clauses, for whatever reason.

(b) In the event that the data importer is in breach of these Clauses or unable to comply with these Clauses, the data exporter shall suspend the transfer of personal data to the data importer until compliance is again ensured or the contract is terminated. This is without prejudice to Clause 14(f).

(c) The data exporter shall be entitled to terminate the contract, insofar as it concerns the processing of personal data under these Clauses, where:

(i) the data exporter has suspended the transfer of personal data to the data importer pursuant to paragraph (b) and compliance with these Clauses is not restored within a reasonable time and in any event within one month of suspension;

(ii) the data importer is in substantial or persistent breach of these Clauses; or

(iii) the data importer fails to comply with a binding decision of a competent court or supervisory authority regarding its obligations under these Clauses.

In these cases, it shall inform the competent supervisory authority  of such non-compliance. Where the contract involves more than two Parties, the data exporter may exercise this right to termination only with respect to the relevant Party, unless the Parties have agreed otherwise.

(d) The data importer shall certify the deletion of the data to the data exporter. Until the data is deleted or returned, the data importer shall continue to ensure compliance with these Clauses. In case of local laws applicable to the data importer that prohibit the return or deletion of the transferred personal data, the data importer warrants that it will continue to ensure compliance with these Clauses and will only process the data to the extent and for as long as required under that local law.

(e) Either Party may revoke its agreement to be bound by these Clauses where (i) the European Commission adopts a decision pursuant to Article 45(3) of Regulation (EU) 2016/679 that covers the transfer of personal data to which these Clauses apply; or (ii) Regulation (EU) 2016/679 becomes part of the legal framework of the country to which the personal data is transferred. This is without prejudice to other obligations applying to the processing in question under Regulation (EU) 2016/679.


Clause 17 – Governing law

These Clauses shall be governed by the law of one of the EU Member States, provided such law allows for third-party beneficiary rights. The Parties agree that this shall be the law of Germany.


Clause 18 – Choice of forum and jurisdiction

(a) Any dispute arising from these Clauses shall be resolved by the courts of an EU Member State.

(b) The Parties agree that those shall be the courts of Germany.

(c) A data subject may also bring legal proceedings against the data exporter and/or data importer before the courts of the Member State in which he/she has his/her habitual residence.

(d) The Parties agree to submit themselves to the jurisdiction of such courts.

APPENDIX


ANNEX I

A. LIST OF PARTIES

Data exporter:

Name: Lano Software GmbH


Address: Revaler Straße 30, 10245 Berlin


Contact person’s name, position and contact details: Ms Iana Kaminska, Data protection officer


support@lano.io (marking your letter “FAO Data protection officer”)


Activities relevant to the data transferred under these Clauses: managing of contractors and/or hiring and managing of remote employees and/or simplification of global


Signature and date: The parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of these Clauses by both parties as of the Terms effective date. 


Role (controller/processor): controller


Data importer:


Name: Customer


Address: As specified in the agreement between data exporter and data importer.


Contact person’s name, position and contact details: As specified in the agreement between data exporter and data importer.


Activities relevant to the data transferred under these Clauses: The data importer provides the services to the data exporter in accordance with the agreement between the data exporter and data importer.


Signature and date: The parties agree that execution of the Agreement by the data importer and the data exporter shall constitute execution of these Clauses by both parties as of the Terms effective date.


Role (controller/processor): processor


B. DESCRIPTION OF TRANSFER


Categories of data subjects whose personal data is transferred

Employees (who use Lano to manage contractors and/or Employer of Record Employees and/or Payroll Employees)


Categories of personal data transferred

  • Registration data (address, name, date of birth, business contact details)

  • Profile data (photo, language)

  • Activities in the software (project management, partner network, invoice payment)


Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures.

No sensitive data is transferred.


The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis).

continuous basis


Nature of the processing

The data exporter transfers the employee-related data sets to the data importer to carry out the services booked by the Customer. The specific type of processing thus depends on the booked services.


Purpose(s) of the data transfer and further processing

The processing of personal data is carried out for the purpose of managing of contractors and/or hiring and managing of remote employees and/or simplification of global, in order to provide employees and customers with simple processes for the implementation of employment relationships.


The period for which the personal data will be retained, or, if that is not possible, the criteria used to determine that period

for the duration of the performance of the booked services, which may vary depending on the Customer


For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing

not applicable


C. COMPETENT SUPERVISORY AUTHORITY

Berliner Beauftragte für Datenschutz und Informationsfreiheit, 

Friedrichstraße 219

10969 Berlin, Germany


ANNEX II – TECHNICAL AND ORGANISATIONAL MEASURES INCLUDING TECHNICAL AND ORGANISATIONAL MEASURES TO ENSURE THE SECURITY OF THE DATA


The data importer will implement and maintain the technical and organisational measures, including technical and organisational measures to ensure the security of the data as described under Appendix 3.


ANNEX III – LIST OF SUB-PROCESSORS


The controller has authorised the use of the sub-processors, the detailed list of such sub-processors shall be promptly shared by the controller as and when requested.


ANNEX IV - Discount & Offer Vouchers Standard Terms & Conditions


Lano Software GmbH will, from time to time, produce offers and discounts (Offers and Discounts) for its Services to its Clients.

  1. Lano shall notify the Client at least seven (7) days in advance of any changes to the discount that is offered pursuant to the Offers and Discounts.

  2. Client shall inform Lano at least fourteen (14) days in advance of any changes to the discount that is offered pursuant to these Offers and Discounts.

  3. The Client and Lano ( “Parties” ) agree that the Offers and Discounts are not intended to create an agency relationship of any kind; and both Parties agree not to contract any obligations in the name of the other, to use each other’s credit in conducting any activities under these Offers and Discounts.

  4. The Offer and Discounts constitute the entire agreement between the Client and Lano, and supersedes all prior writings or oral agreements. These Offers and Discounts may be amended only by a written agreement clearly setting forth the amendments and signed by both Parties hereto.

  5. Lano shall not be liable for any loss, damage or injury suffered or sustained (even if caused by negligence) as a result of accepting and/or using the Offers and Discounts, except for any liability which cannot be excluded by law.

  6. Lano accepts no responsibility for late, lost or misdirected email or other communications. Lano assumes no responsibility for any failure to receive a claim or for inaccurate information or for any loss, damage or injury as a result of technical or telecommunications problems, including security breaches. If such problems arise, then Lano may modify, cancel, terminate or suspend this Offer.

  7. Lano solely reserves the right, at its discretion, to extend, cancel, terminate, and/or modify the Offers and Discounts. 

  8. Lano reserves the right to discontinue the Offers and Discount at any time with no prior notification except for the existing Clients who are availing these Offers and Discounts.

  9. It is the intent of the Parties that all questions with respect to the construction of the Offers and Discounts and the rights of the Parties shall be determined in accordance with the applicable provisions of the laws of Germany.

  10. Please write to us at: legal@lano.io if you have any questions or need further clarification. 










1.

© Lano Software GmbH 2024