Job processing

Order processing in accordance with Art. 28 DSGVO

The following contract is concluded between the customer (responsible party), referred to here as the "Customer", and Mamgo GmbH & Co. KG (order processor), Judengasse 4, 69469 Weinheim, referred to here as the "Contractor".

Preamble 

The Client wishes to commission the Contractor with the services specified in § 3. Part of the execution of the contract is the processing of personal data. In particular, Art. 28 DS-GVO imposes certain requirements on such commissioned processing. In order to comply with these requirements, the Parties enter into the following agreement, the performance of which shall not be remunerated separately unless expressly agreed.

Notes in the sense of equal treatment of all genders

For reasons of simplified reading, this document does not differentiate between genders (e.g.: applicants or users). Corresponding terms apply to all genders for the purpose of equal treatment.

§ 1 Definitions

(1) Pursuant to Article 4 (7) of the GDPR, the controller is the entity which alone or jointly with other controllers determines the purposes and means of the processing of personal data.

(2) Pursuant to Article 4 (8) of the GDPR, the processor is a natural or legal person, public authority, agency or other entity which processes personal data on behalf of the controller.

(3) Pursuant to Article 4 (1) of the GDPR, personal data means any information relating to an identified or identifiable natural person (hereinafter "data subject"); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

(4) Personal data requiring special protection are personal data pursuant to Art. 9 DS-GVO revealing the racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership of data subjects, personal data pursuant to Art. 10 GDPR on criminal convictions and offences or related security measures, as well as genetic data pursuant to Art. 4 (13) GDPR, biometric data pursuant to Art. 4 (14) GDPR, health data pursuant to Art. 4 (15) GDPR, and data concerning the sex life or sexual orientation of a natural person.

(5) Pursuant to Art. 4 (2) GDPR, processing is any operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, filing, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

(6) Pursuant to Article 4 (21) of the GDPR, the supervisory authority shall be an independent state body established by a Member State pursuant to Article 51 of the GDPR.

§ 2 Quality assurance & other obligations of the processor

(1) The Controller and the Processor and, if applicable, their representatives shall cooperate with the supervisory authority in the performance of their duties upon request.

(2) To the extent that the Controller is exposed on its part to an inspection by the supervisory authority, administrative offense or criminal proceedings, the liability claim of a data subject or a third party or any other claim in connection with the processing at the Processor, the Processor shall support it to the best of its ability.

(3) The Processor shall regularly monitor the internal processes as well as the technical and organizational measures to ensure that the Processing in its area of responsibility is carried out in compliance with the requirements of applicable data protection law and that the protection of the rights of the Data Subject is ensured.

§ 3 Subject matter of the contract

(1) The order includes the following: The Contractor shall receive job advertisements from the Responsible Party for placement on various platforms. These job advertisements refer to electronic application forms on the websites of the responsible party and/or the contractor and, if applicable, its subcontractor. In this case, the application data is transmitted to the system of the Principal and stored. In doing so, the Contractor processes personal data for the Client within the meaning of Art. 4 No. 2 and Art. 28 DS-GVO on the basis of this Agreement.

(2) The Parties conclude the present Agreement to concretize the mutual rights and obligations under data protection law. In case of doubt, the provisions of this agreement shall take precedence over the provisions of the main agreement.

(3) The provisions of this agreement shall apply to all activities which are related to the main agreement and during which the contractor and its employees or persons commissioned by the contractor come into contact with personal data originating from the customer or collected for the customer.

(4) The term of this contract is based on the term of the main contract, unless obligations or rights of termination beyond this arise from the following provisions.

(5) In the context of accessing our website or in the context of contacting us by form or e-mail, we generally do not use fully automated decision-making pursuant to Article 22 DS-GVO. If we use these procedures in individual cases, we will inform you about this separately, provided this is required by law. We do not process data automatically with the aim of evaluating certain personal aspects (profiling).

§ 4 Right to issue instructions

(1) The Customer shall be solely responsible for assessing the permissibility of the processing pursuant to Article 6 (1) of the GDPR and for safeguarding the rights of the data subjects pursuant to Articles 12 to 22 of the GDPR. Nevertheless, the Contractor shall be obligated to forward all such requests to the Client without undue delay, provided that they are recognizably directed exclusively to the Client.

(2) Changes to the object of processing and changes to procedures shall be agreed jointly between the Client and the Contractor and specified in writing or in a documented electronic format.

(3) As a rule, the Client shall issue all orders, partial orders and instructions in writing or in a documented electronic format. Verbal instructions shall be confirmed immediately in writing or in a documented electronic format.

(4) The Customer shall inform the Contractor immediately if it discovers errors or irregularities in the review of the order results.

(5) The Customer shall be obligated to treat as confidential all knowledge of business secrets and data security measures of the Contractor obtained within the scope of the contractual relationship. This obligation shall remain in force even after termination of this Agreement.

(6) The Controller shall confirm verbal instructions without delay (at least in text form).

(7) The Processor shall inform the Controller without delay if it is of the opinion that an instruction violates data protection regulations. The Processor shall be entitled to suspend the implementation of the corresponding instruction until it is confirmed or amended by the Controller.

(8) In the event of a change or long-term unavailability of the contact persons, the Contractual Partner shall be informed immediately, and as a rule in writing or electronically, of the successors or the representatives. The instructions shall be retained for their period of validity and subsequently for three full calendar years.

§ 5 Type of data processed, group of data subjects

(1) Within the scope of the performance of the Main Contract, the Contractor shall have access to the personal data specified in more detail in Annex 1. These data comprise the special categories of personal data listed in Annex 1 and identified as such.

(2) The group of persons affected by the data processing is shown in Annex 2.

§ 6 Protective measures of the contractor

(1) The Contractor shall be obligated to observe the statutory provisions on data protection and not to disclose information obtained from the Client's domain to third parties or expose it to their access. Documents and data shall be secured against disclosure to unauthorized persons, taking into account the state of the art.

(2) The Contractor shall design the internal organization within its area of responsibility in such a way that it meets the special requirements of data protection. It shall take all necessary technical and organizational measures to adequately protect the Customer's data pursuant to Art. 32 DS-GVO, in particular at least the measures listed in Annex 3 for
a) Physical access control (Zutrittskontrolle)
b) System access control (Zugangskontrolle)
c) Data access control (Zugriffskontrolle)
d) Forwarding control
e) Input control
f) Order control
g) Availability control
h) Separation requirement

The Contractor reserves the right to change the security measures taken, while ensuring that the contractually agreed level of protection is not undercut.

(3) The appointment of a company data protection officer is not required for the Contractor pursuant to Article 37 DS-GVO in conjunction with Section 38 BDSG n.F.

(4) The persons employed in data processing by the Contractor are prohibited from collecting, processing or using personal data without authorization. The Contractor shall oblige all persons entrusted by it with the processing and fulfillment of this Agreement (hereinafter referred to as employees) accordingly (obligation of confidentiality, Art. 28 (3) (b) DS-GVO) and shall ensure compliance with this obligation with due care. These obligations must be formulated in such a way that they remain in force even after termination of this contract or the employment relationship between the employee and the contractor. The Client shall be provided with evidence of the obligations in a suitable manner upon request.

§ 7 Information Duties of the Contractor

(1) In the event of disruptions, suspected data protection violations or breaches of contractual obligations of the Contractor, suspected security-related incidents or other irregularities in the processing of personal data by the Contractor, persons employed by it within the scope of the contract or by third parties, the Contractor shall inform the Customer immediately in writing or text form. The same shall apply to audits of the Contractor by the data protection supervisory authority.

The notification of a personal data breach shall contain at least the following information:
a) a description of the nature of the personal data breach, including, to the extent possible, the categories and number of data subjects, the categories affected and the number of personal data records affected;
b) a description of the measures taken or proposed by the Contractor to remedy the breach and, if applicable, measures to mitigate its possible adverse effects.

(2) The Contractor shall immediately take the necessary measures to secure the Data and mitigate any possible adverse effects on the Data Subjects, inform the Customer thereof and request further instructions.

(3) The Contractor shall furthermore be obligated to provide the Customer with information at any time insofar as the Customer's data is affected by a breach pursuant to paragraph 1.

(4) Should the Customer's data at the Contractor be endangered by seizure or attachment, by insolvency or composition proceedings or by other events or measures of third parties, the Contractor shall inform the Customer thereof without undue delay, unless it is prohibited from doing so by court or official order. In this context, the Contractor shall immediately inform all competent bodies that the decision-making authority over the data lies exclusively with the Customer as the "responsible party" within the meaning of the GDPR.

(5) The Contractor shall inform the Customer without delay of any significant changes to the security measures pursuant to Section 6 (2).

(6) If a data protection officer is to be appointed, a change in the person of the company data protection officer/contact person for data protection shall be notified to the Customer without delay.

(7) The Contractor and, if applicable, its representative shall keep a list of all categories of processing activities carried out on behalf of the Customer, which shall contain all information pursuant to Article 30 (2) of the GDPR. The directory shall be made available to the Customer upon request.

(8) The Contractor shall cooperate to an appropriate extent in the creation of the procedure directory by the Customer. The Contractor shall provide the Customer with the required information in an appropriate manner.

§ 8 Control rights of the customer

(1) The Processor shall oblige external data centers and other sub-processors to design their internal organization in such a way that it meets the special requirements of data protection. In particular, data processing shall take place on data processing equipment for which the data center or other sub-processor has taken all technical and organizational measures to protect personal data. The Processor shall establish security pursuant to Art. 28 (3) lit. c, 32 DSGVO, in particular in connection with Art. 5 (1), (2) DSGVO. Overall, the measures to be taken are data security measures intended to ensure a level of protection appropriate to the risk with regard to confidentiality, integrity, availability and the resilience of the systems. In this context, the state of the art, the implementation costs and the nature, scope and purposes of the processing as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32 (1) of the GDPR shall be taken into account (details in Annex 2).

(2) The Contractor undertakes to provide the Customer, upon the latter's verbal or written request and within a reasonable period of time, with all information and evidence required to carry out a control of the Contractor's technical and organizational measures.

(3) The Customer shall document the results of the inspection and inform the Contractor thereof. In the event of errors or irregularities discovered by the Customer, in particular during the inspection of the results of the order, the Customer shall inform the Contractor without delay. If facts are discovered during the inspection, the future avoidance of which requires changes to the ordered procedure, the Customer shall inform the Contractor of the necessary procedural changes without delay.

(4) At the request of the Customer, the Contractor shall provide the Customer with a comprehensive and up-to-date data protection and security concept for the order processing and on persons authorized to access the data.

(5) The Contractor shall provide the Customer with evidence of the obligation of the employees pursuant to Section 6 (4) upon request.

§ 9 Use of subcontractors

(1) Within the scope of its contractual obligations, the Contractor shall be authorized to establish subcontracting relationships with subcontractors ("Subcontractor Relationship"), provided that it notifies the Customer thereof in advance and the Customer has given its prior written consent to the engagement of the subcontractor. The Contractor shall be obliged to carefully select subcontractors according to their suitability and reliability. When engaging subcontractors, the Contractor shall oblige them in accordance with the provisions of this Agreement and shall ensure that the Customer can exercise its rights under this Agreement (in particular its inspection and monitoring rights) directly against the subcontractors. If subcontractors in a third country are to be involved, the Contractor shall ensure that an appropriate level of data protection is guaranteed at the respective subcontractor (e.g. by concluding an agreement based on the EU standard data protection clauses). Upon request, the Contractor shall provide the Customer with evidence of the conclusion of the aforementioned agreements with its subcontractors.

(2) A subcontractor relationship within the meaning of these provisions does not exist if the Contractor commissions third parties with services that are to be regarded as purely ancillary services. These include, for example, postal, transport and shipping services, cleaning services, telecommunication services without any specific reference to services provided by the Contractor to the Customer and guarding services. Maintenance and testing services constitute subcontractor relationships subject to approval insofar as they are provided for IT systems that are also used in connection with the provision of services for the customer.

§ 10 Requests and rights of data subjects

(1) The Contractor shall support the Client as far as possible with suitable technical and organizational measures in fulfilling the Client's obligations pursuant to Art. 12-22 and Art. 32 and 36 of the GDPR.

(2) If a Data Subject asserts rights directly against the Contractor, such as the right to information, correction or deletion of his/her data, the Contractor shall not react independently, but shall immediately refer the Data Subject to the Client and await the Client's instructions.

§ 11 Liability

(1) For the compensation of damages suffered by a data subject due to inadmissible or incorrect data processing or use in accordance with data protection laws within the scope of commissioned processing, the client alone shall be liable to the data subject in the internal relationship with the contractor.

(2) The parties shall each release themselves from liability if one party proves that it is not responsible in any respect for the circumstance through which the damage to a data subject occurred.

§ 12 Extraordinary right of termination

(1) The Customer may terminate the main contract in whole or in part without notice if the Contractor fails to fulfill its obligations under this contract, violates provisions of the GDPR with intent or gross negligence or is unable or unwilling to carry out an instruction of the Customer. In the case of simple - i.e. neither intentional nor grossly negligent - violations, the Customer shall set the Contractor a reasonable deadline within which the Contractor can remedy the violation.

§ 13 Termination of the main contract

(1) The Contractor shall return to the Client after termination of the main contract or at any time upon the Client's request all documents, data and data carriers provided to the Contractor or - at the Client's request, unless there is an obligation to store the personal data under Union law or the law of the Federal Republic of Germany - delete them. This shall also apply to any data backups at the Contractor. The Contractor shall provide documented proof of the proper deletion of any data still in existence. Documents to be disposed of shall be destroyed using a document shredder in accordance with DIN 32757-1. Data carriers to be disposed of shall be destroyed in accordance with DIN 66399.

(2) The Customer shall have the right to control the complete and contractually compliant return or deletion of the data at the Contractor in a suitable manner.

(3) The Contractor shall be obligated to treat the data of which it has become aware in connection with the main contract as confidential even beyond the end of the main contract. The present agreement shall remain valid beyond the end of the main contract for as long as the Contractor has personal data at its disposal which were forwarded to it by the Client or which it has collected for the Client.

§ 14 Final provisions

(1) The parties agree that the defense of the right of retention by the Contractor within the meaning of Section 273 of the German Civil Code (BGB) with respect to the data to be processed and the associated data carriers is excluded.

(2) Amendments and supplements to this Agreement must be made in writing. This shall also apply to any waiver of this formal requirement. The precedence of individual contractual agreements remains unaffected by this.

(3) If individual provisions of this agreement are or become wholly or partially invalid or unenforceable, this shall not affect the validity of the remaining provisions in each case.

(4) This agreement is subject to German law. The exclusive place of jurisdiction is the Contractor's registered office (68526 Ladenburg).

APPENDICES

Annex 1 - Description of data/categories of data requiring special protection
Annex 2 - Description of data subjects/groups of data subjects
Annex 3 - Technical and organizational measures of the contractor
Annex 4 - Approved subcontractors

APPENDIX 1

Description of the data/categories of data requiring special protection

- First name
- Last name
- Gender
- Age
- Address
- Telephone / mobile number
- E-mail address
- Information on education and schooling
- Language skills
- Curriculum vitae
- Testimonials
- Assessment of the candidate
- If applicable, skills tests, screening questions from companies
- If applicable, audio and/or video application of the candidates

Other data provided to us voluntarily.

APPENDIX 2

Description of the affected persons/groups of affected persons

Categories of data subjects whose personal data are processed
- Applicants
- Contact persons at the customer
- Other contact persons (e.g. service providers of the customer)
- Employees of the contractor

APPENDIX 3

Technical and organizational data security measures

The Contractor has taken the following technical and organizational data security measures within the meaning of Art. 32 DSGVO:

1. Physical access control (Zutrittskontrolle)
(1) Measures that deny unauthorized persons physical access to the data processing equipment with which personal data are processed or used:
Unauthorized physical access must be prevented; the term is to be understood in the spatial sense.

(2) The Contractor uses the following technical and organizational measures for physical access control:
For all relevant locations, security zones and their physical protection are defined and documented in a security zone concept, which can be presented on request. The concept covers, for example:
- Supervision of external persons within the security zones, controlled granting of access
- Definition of the protected areas and of personal responsibilities
- Definition of the persons authorized to enter; access rules for external persons
- Measures for securing the interior and the building shell
- The security zone concept is reviewed at least once per year

2. System access control (Zugangskontrolle)
(1) Measures that prevent data processing systems from being used by unauthorized persons:
- Intrusion of unauthorized persons into the data processing systems must be prevented.

(2) The Contractor uses the following technical (password protection) and organizational measures for user identification and authentication:
- Password procedures (including special characters, minimum length, regular password changes)
- Automatic locking (e.g. password or idle lock)
- Logging of password use
- Authentication by user name and personal password
- Creation of one user master record per user
- Encryption of data carriers
- Use of a firewall (sealing off internal networks against unwanted or targeted access from outside)

3. Data access control (Zugriffskontrolle)
(1) Measures that ensure that persons authorized to use the data processing systems can access only the data covered by their access authorization, and that personal data cannot be read, copied, modified or removed without authorization during processing, use and after storage:
- Unauthorized activities in data processing systems outside the granted authorizations must be prevented.

(2) The Contractor ensures that the authorization concept and the access rights are designed according to need, and that they are monitored and logged:
- Differentiated authorizations (profiles, roles, transactions and objects)
- Monitoring of the system administrator's activities
- Evaluations (e.g. remote maintenance with a detailed results log)
- Modification (e.g. every system login, data change etc. is logged)
- Deletion (controlled destruction of printouts, data carriers etc.)
- Securing of the areas in which data carriers are stored (data carrier archive)
- Use of write protection on data carriers
- Separation of test and production operation
- Sealing off of internal networks
- Copy control

4. Forwarding control
(1) Measures that ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission, during transport or while being stored on data carriers, and that it is possible to check and establish to which bodies a transfer of personal data by data transmission facilities is intended:
- Aspects of the forwarding of personal data must be regulated: in particular electronic transmission, data transport, transmission control.

(2) The Contractor regulates measures for transport, transmission and transfer or storage on data carriers (manual or electronic) as well as for subsequent verification:
- Encryption / tunnel connection (VPN = Virtual Private Network)
- Use of electronic signatures and secure transmission paths
- Logging of data transfers and of recipients
- Definition of the transmission paths and the data recipients
- Documentation of the retrieval and transmission programs
- Documentation of the transport route
- Use of lockable transport containers

5. Input control
(1) Measures that ensure that it can subsequently be checked and established whether and by whom personal data have been entered into, modified in or removed from processing systems:
The traceability and documentation of data administration and maintenance must be ensured.

(2) Measures for subsequently checking whether and by whom data have been entered, modified or removed (deleted):
- Logging and log evaluation systems, complete logging of every individual transaction
- Logging of entries, modifications and deletions of personal data
- Storage of the originator of and the reason for an entry, modification or deletion in the data set
- Reversal of all changes

6. Order control

(1) Measures that ensure that personal data processed on behalf of the Client can only be processed in accordance with the Client's instructions:
Technical / organizational measures for delimiting competences between Client and Contractor:
- Unambiguous contract drafting
- Formalized placing of orders (order form)
- Monitoring of contract performance
- Clear delimitation of the competences and duties of Contractor and Client
- Definition of the security measures

7. Availability control
(1) Measures that ensure that personal data are protected against accidental or deliberate destruction or loss:
The Contractor has established appropriate measures for data backup (physical / logical):
- Backup procedures
- Mirroring of hard disks, e.g. RAID
- Uninterruptible power supply
- Separate storage
- Virus protection / firewall
- Reporting channels and emergency plans
- Measures to rapidly restore the availability of and access to personal data in the event of a physical or technical incident
- Established fire protection measures
- Use of remote maintenance (fast availability)
- Issuing of service instructions and security guidelines

8. Separation requirement
(1) Measures that ensure that data collected for different purposes can only be processed separately:
The Contractor has established appropriate measures for the separate processing (storage, modification, deletion, transfer) of data with different purposes:
- "Internal multi-tenancy" / purpose limitation
- Separation of functions (production / test)
- Working with pseudonyms
- Meaningful documentation of the processing programs
- Restrictive use of SQL
- Setting up of logical databases
- Data-protection-friendly use of data warehousing and data mining

9. Other measures
(1) Other measures suitable for designing the internal organization in such a way that it meets the special requirements of data protection:
The Client has established additional measures to increase the data protection requirements:
- Incident response management
- Data-protection-friendly default settings (Art. 25 (2) DSGVO)
- Order control (no commissioned data processing within the meaning of Art. 28 DS-GVO without corresponding instructions from the Client, e.g. unambiguous contract drafting, formalized order management, strict selection of the service provider, obligation to verify in advance, follow-up checks)
- Data protection management
- A procedure for regularly reviewing, assessing and evaluating the effectiveness of the technical and organizational measures for ensuring the security of processing
- Internal process audits on data security / data protection
- Security assessments
- Certified data protection officer (DPO) / Information Security Officer
- Increased awareness and training for employees
- Established data protection organization

APPENDIX 4

Approved subcontractors

The Controller has authorized the use of the following sub-processors:
1. Google Cloud Platform, Google LLC 1600 Amphitheatre Parkway, Mountain View, CA 94043.
- Provision of server structure, exclusive server location: EU
2. Jobufo GmbH, Friedrichstr. 231, 10969 Berlin
- Provision of application forms as well as transmission of applications
3. Zapier, Inc. 548 Market St. #62411, San Francisco, CA 94104-5401
- Sending of applications by e-mail in the absence of an applicant management system (third country transfer: conclusion of standard contractual clauses)
4. TYPEFORM, S.L. Calle de Pallars 108 (Atico), 08018 - Barcelona (Spain)
- Software for the creation of performant application forms, if not provided by the client
