The provisions of this Agreement regarding Commissioned Data Processing shall apply as between DHL Paket GmbH (hereinafter referred to as the 'Processor') and its customer (hereinafter referred to as 'Controller(s)') for managing personal data in the online systems provided for dispatch preparation in addition to the data processing required for providing postal services. This Agreement shall apply solely to the extent that Controllers use the address book functions provided by DHL Paket GmbH to permanently manage their customer addresses independent of mail-shots.
Subject matter of the processing
With its online systems, specifically the DHL Business Customer Portal, DHL Collection Portal, DHL Return Portal and DHL Vendor Portal, DHL Paket GmbH provides Controllers with additional functions, which are not required for providing postal services, for permanently managing their customer addresses independent of mail-shots (hereinafter referred to as 'Address Book Functions').
This Agreement regarding Commissioned Data Processing shall apply for an indefinite period and may be terminated at any time by discontinuing use of the Address Book Functions and deleting all stored data in the Address Book Functions.
Specifications for the processing
- Nature and purpose of the intended processing
Use of the Address Book Functions is optional and serves the purpose of permanently managing the Controller's customer addresses independent of mail-shots. The Controller itself inputs, modifies, stores and deletes the data. Use of these Address Book Functions is not required for providing postal services, rather it merely assists the Controller with managing its dispatch addresses.
- Place of processing
The data processing activity agreed upon shall be carried out solely within the EU/EEA. Any transfer of personal data outside the EU/EEA shall require the prior written consent of the Controller (which may be given by e-mail), and then only provided that the requirements set out in Article 44 et seq. of the EU General Data Protection Regulation (GDPR) have been met.
- Types of data
The following types/categories of personal data will be processed:
- Contact data
The categories of data subjects are as follows:
- DHL Paket GmbH's contract customers
- Customers of DHL Paket GmbH's contract customers
- Agents of DHL Paket GmbH's contract customers
Technical and organisational measures
- Taking into account the state of the art, the costs of implementation and the nature, scope and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the Processor shall implement appropriate technical and organisational measures in a manner so as to ensure that the processing of personal data meets the requirements of applicable data protection laws, specifically those of the GDPR and this Agreement. The Processor hereby acknowledges the rights and freedoms of the data subjects referred to above and shall ensure their protection. To this end and in accordance with Article 32 GDPR, the Processor shall take technical and organisational measures and hereby confirms the implementation thereof.
- The measures to be taken are data security measures and measures to ensure a level of security appropriate to the risk with respect to the confidentiality, integrity, availability and resilience of the systems. The state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons within the meaning of Article 32 (1) GDPR shall be taken into account.
- The technical and organisational measures change as the state of the art progresses and will be enhanced consistently. The Processor may take appropriate alternative measures in this regard, provided that the level of security of the measures agreed upon herein is maintained.
- Notwithstanding the foregoing, the Processor shall introduce a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing agreed upon herein.
Rectification, restriction and erasure of data
- The Processor may rectify, erase or restrict the processing of personal data only on instructions from the Controller. If a data subject submits a request for rectification, restriction or erasure of personal data directly to the Processor, the Processor shall forward such request to the Controller without undue delay.
- The Processor shall assist the Controller, insofar as this is possible, with fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights. These rights include the 'right to be forgotten' as well as the right to rectification, data portability and the right of access.
- The Processor shall not be liable for the Controller's failure to respond to the request of a data subject correctly, in due time, or at all.
Obligations of the Processor
In addition to the provisions and obligations set out in this Agreement, the Processor shall comply with the statutory provisions under Articles 28-33 GDPR. In light of the foregoing, the Processor shall in particular
- process the personal data only on documented instructions from the Controller, unless required to do so by applicable laws to which the Processor is subject; in such a case, the Processor shall to the extent permitted by law inform the Controller of that legal requirement before processing the personal data. The Processor shall confirm oral instructions in writing or by e-mail without undue delay;
- inform the Controller without undue delay if, in its opinion, an instruction infringes the provisions of data protection law. In such case, the Processor may suspend execution of the relevant instruction until it has been confirmed or modified by the Controller;
- appoint a data protection officer or, if the Processor is not required to appoint a data protection officer, specify another contact person responsible for data protection matters;
- maintain a record of processing activities;
- grant access to the personal data only if and to the extent that such access is prescribed and necessary for providing the services and where the relevant employees and advisers have signed appropriate confidentiality agreements and have committed themselves to confidentiality. The Processor and any person acting under the authority of the Processor and/or of the Controller who has access to personal data shall not process those data except on instructions from the Controller, unless required to do so by law;
- inform the Controller without undue delay of any inspections, investigations and/or administrative measures by a supervisory authority to the extent that these relate to the subject matter of this Agreement and this is permitted by law;
- where the Controller is subject to an investigation by the supervisory authority, administrative or criminal proceedings, liability claims of data subjects or any third party or any other claims in connection with this Agreement and the processing by the Processor, use its best efforts to support the Controller in this regard;
- inform the Controller as soon as possible of any complaints, applications or requests or other communications from data subjects, data protection authorities or third parties in connection with processing personal data by the Processor and/or the Controller. Insofar as the Controller is obliged under applicable data protection law to respond to a request from a data subject in connection with processing that data subject's data, the Processor shall support the Controller in transferring the requested information. However, the Processor shall not be required to respond directly to requests of data subjects; it need only refer the data subject to the Controller.
Engagement of additional processors
- The Processor may not engage any additional processor (i.e., subcontractor) without the prior express written consent of the Controller.
- Where the Processor engages an additional processor for carrying out specific processing activities on behalf of the Controller, the same obligations as set out in this Agreement shall be imposed on that additional processor.
- The Controller hereby consents to the addition of subcontractors on the basis of the provisions contained in this clause. The Processor shall inform the Controller in good time before adding or replacing subcontractors, by giving reasonable advance notice of a new additional processor (including full details of the processing carried out by the new processor). The advance notice shall be effected via the DHL Business Customer Portal.
- Before any additional processor processes personal data of the Controller for the first time, the Processor shall carry out an appropriate due diligence to ensure that the additional processor is in a position to offer the level of protection for the Controller's personal data prescribed by this Agreement, the services agreement and applicable law.
- If the Controller has legitimate objections to the Processor's use of an additional processor, the Controller shall notify the Processor thereof in writing without undue delay and in any event within five business days of receipt of the Processor's notification. For the avoidance of doubt, the parties agree that objections by the Controller shall not be legitimate if the additional processor has passed the security audit for the Processor's suppliers, unless the Controller can demonstrate that the new processor constitutes an unreasonable risk to the protection of personal data (e.g., if the additional processor has violated security regulations in the past) or is a competitor of the Controller.
- Notwithstanding the foregoing, if the Controller objects to the engagement of an additional processor, the parties shall consult in good faith to arrive at an appropriate solution. The Processor may in particular decide (i) not to use the intended processor or (ii) to take the corrective action requested by the Controller and then engage the processor. If none of the aforementioned options or any other option is reasonably feasible and the Controller still has legitimate objections, the Controller may terminate this Agreement by deleting all stored data and discontinuing use of the Address Book Functions.
- If and to the extent that outsourced ancillary services are involved, the Processor shall make appropriate and lawful contractual agreements and take appropriate control measures to ensure adequate protection and security of the Controller's data.
Audits
- Subject to reasonable advance notice from the Controller of at least ten business days, and in order to ensure and review compliance with the technical and organisational security measures and the obligations arising under this Agreement, the Processor shall permit the Controller or another auditor mandated by the Controller to carry out audits if
(a) the Controller has reason to suspect that the Processor is not acting in compliance with the technical and organisational measures and/or the obligations hereunder;
(b) a security event occurs;
(c) the supervisory authority responsible for the Controller requires such audit.
- Notwithstanding the foregoing, compliance with the provisions may be demonstrated by
(a) adherence to approved codes of conduct; and/or
(b) certification in accordance with an approved certification mechanism pursuant to Article 42 of the GDPR; and/or
(c) current attestations, reports or excerpts of reports by independent bodies. Upon the Controller's request, the Processor shall provide the Controller with a copy of the audit report signed by the external auditor so that the Controller can adequately verify that the Processor is implementing or performing the technical and organisational measures and obligations under this Agreement.
- Audits will be carried out during normal business hours, with an appropriate scope and without disrupting business operations. In the event that the Controller engages an independent auditor to perform the audit, such independent auditor shall sign a nondisclosure agreement first. The independent auditor may not be a competitor of the Processor.
- If the audit requires the Processor or any additional processor to expend more than one business day of effort, the Controller agrees to reimburse the expenses incurred for each day in excess thereof.
Obligation to provide support
- The Processor shall support the Controller in complying with the obligations set out in Articles 32 to 36 GDPR concerning the security of personal data, notification obligations in the event of personal data breaches, data protection impact assessments and prior consultations. This shall include, in particular
(a) reporting personal data breaches to the Controller without undue delay;
(b) supporting the Controller in its duty to inform the data subject and providing the Controller with all relevant information without undue delay in this connection;
(c) supporting the Controller with data protection impact assessments;
(d) supporting the Controller with the record of processing activities;
(e) supporting the Controller with consultations with the supervisory authority.
- The Processor may claim remuneration for the support services set out in items (c) and (d) above.
Erasure and return of personal data
- After completing the contractually agreed upon work, or prior thereto at the Controller's request, and in any event not later than upon termination of the use of the Address Book Functions, the Processor shall confirm the erasure of the personal data to the Controller.
- Records serving to document proper data processing shall be retained by the Processor in accordance with the respective retention periods. The Processor may discharge this obligation by handing such records over to the Controller upon completion of the services.
Final provisions
- Should the Controller's data be the subject of an investigation and seizure, an order of attachment, confiscation in connection with bankruptcy or insolvency proceedings or similar events or third party actions whilst those data are within the Processor's sphere of control, the Processor shall notify the Controller thereof without undue delay. The Processor shall notify all parties to such action without undue delay that the data concerned are the exclusive property of and within the sphere of control of the Controller, that the Controller has the sole right to dispose over such data and that the Controller is responsible for the application of data protection law.
- Should any provision of this Agreement be deemed invalid, unlawful or unenforceable for whatever reason, the relevant provision shall be excluded and the remaining provisions of this Agreement shall be given full force and effect as if this Agreement had been executed without the invalid provision.
- The exclusive place of jurisdiction for disputes arising out of this Agreement and any individual contracts of carriage within the scope of this Agreement shall be Bonn (Germany). This Agreement is governed by the laws of the Federal Republic of Germany.
Bonn, 22 March 2018