Contract regarding the processing of personal data with joint data controllers (Article 26 of the EU General Data Protection Regulation (EU GDPR))

between

TrustBills Marketplace GmbH, Große Elbstraße 86, 22767 Hamburg, entered in the Commercial Register of the Hamburg District Court under file number HRB 138 356

- TrustBills Marketplace -

and

TrustBills Technologies GmbH, Große Elbstraße 86, 22767 Hamburg, entered in the Commercial Register of the Hamburg District Court under file number HRB 157 446

- TrustBills Technologies GmbH -

TrustBills Marketplace and TrustBills Technologies are hereinafter jointly referred to as "Parties", and individually referred to as a "Party".

I. Preamble

TrustBills Technologies GmbH enables trading in trade receivables via an Internet auction platform. The auction platform is operated by TrustBills Marketplace. TrustBills Technologies GmbH holds a 100% stake in TrustBills Marketplace. TrustBills Marketplace provides various services to participants and collects the fees paid by the participants. It supports TrustBills Technologies GmbH by providing services. TrustBills Technologies GmbH also provides TrustBills Marketplace with a (technical) infrastructure for use in return for a lump sum payment.

II. Joint controllers in accordance with EU GDPR

The Parties are a group of companies in accordance with Article 4 No. 19 EU GDPR in conjunction with Recital 37 EU GDPR. The purposes and the means of processing personal data as well as the type of personal data are regularly jointly determined in accordance with Article 26 EU GDPR.

III. Purpose and means of joint data processing

The purpose and means of the data processing is the operation of a joint online auction platform for the sale of trade receivables and the use of data for joint participant management (including master data, sales, billing).

IV. Assignment and description of tasks

Which party fulfils which obligation under EU GDPR, in particular with regard to the exercise of the rights of the data subject and the information obligations in accordance with Articles 13 and 14 EU GDPR, is specified below. The determination of an original data controller is based on and duly reflects the controller’s actual function and relationship with the data subject. In the event that a determination should be considered insufficient, the Parties agree on TrustBills Marketplace GmbH as the responsible data controller.

The duties of information in accordance with Articles 13 and 14 EU GDPR shall be handled by TrustBills Marketplace GmbH.

The processing of requests for information under Article 15 EU GDPR shall be handled by TrustBills Marketplace GmbH.

The processing of correction requests under Article 16 EU GDPR shall be handled by TrustBills Marketplace GmbH.

The processing of deletion requests or processing restrictions in accordance with Article 17 or 18 EU GDPR and the notification of the obligation to delete in accordance with Article 19 EU GDPR shall be handled by TrustBills Marketplace GmbH.

The processing of data transferability requests according to Article 20 EU GDPR shall be handled by TrustBills Marketplace GmbH.

The processing of objections in accordance with Article 21 GDPR shall be handled by TrustBills Marketplace GmbH.

The technical and organisational measures required under Article 24 (1) clause 1 in connection with Article 32, 35, 36 (3) EU GDPR after a risk assessment and, if necessary, data protection impact assessment, as well as the consultation of a supervisory authority or the transmission of the necessary information, shall be handled by TrustBills Technologies GmbH.

The documentation of the selection of technical and organisational measures as well as the review and updating of the measures in accordance with Article 24 (1) clause 2 EU GDPR required by Article 24 (1) clause 1 EU GDPR shall be carried out by TrustBills Technologies GmbH.

The involvement of order data processors or subcontracting order processors within the meaning of Article 28 EU GDPR and its review is the responsibility of TrustBills Technologies GmbH.

The Parties agree on the uniform appointment by TrustBills Technologies GmbH of a data protection officer for the group of companies within the meaning of Article 37 (2) EU GDPR as soon as the Parties are legally required to appoint one. As soon as he/she has been appointed, the data protection officer shall act as a point of contact for the data subjects within the meaning of Article 26 (1) clause 3 EU GDPR and shall coordinate the maintenance of the list of processing activities under Article 30 EU GDPR.

Under Article 26 (2) clause 2 EU GDPR, data subjects shall be provided with the essential details of this agreement on joint data controllers. TrustBills Technologies GmbH shall inform its employees by means of internal circulars. External data subjects shall be provided with the information in a general form by TrustBills Marketplace GmbH under the framework of the website.

TrustBills Technologies GmbH is responsible for an orderly process in the event of reportable data breaches in accordance with Articles 33 and 34 EU GDPR for the group of companies.

The data subject is free to assert his/her rights with and against any responsible Party. The Party sued may forward the data subject's request for processing to the other Party or to the data protection officer, provided that the latter is the lead data controller and the data subject does not suffer any disadvantage as a result of the forwarding.

V. Data transmission

Joint responsibility alone does not give the Parties a basis for the processing and transmission of personal data. This requires a separate justification under Article 6 EU GDPR, which, unless a different determination is made in individual cases, lies in the legitimate interests of the Parties under Article 6 (1) clause 1 lit. f in conjunction with Recital 48 GDPR, to transmit personal data within a group of companies for internal administrative purposes, including the processing of personal data of customers and employees. A transfer to a third country is not envisaged.

VI. Jointly used personal data

The parties shall jointly process the following categories of data:

  • Master data and contact details of participants' employees and customers
  • Contact information, product interest, communication history of interested parties and media representatives.
  • Personal data that is made available to TrustBills Marketplace by uploading contract documents.
  • Master and contact data of employees of suppliers, service providers and other business partners
  • Master and contact data of third parties, as far as these are apparent from the business email communication

VII. Data security

The personal data collected shall be transmitted to our own servers in encrypted form and stored there. The data is only stored there. The data shall not be passed on to third parties.

Each Party shall inform the other Party as soon as it becomes aware of a data breach or as soon as a data subject asserts his rights.

It is agreed that the security guidelines for which TrustBills Technologies GmbH is responsible shall be adopted and applied by the other Party. All employees of a party are obligated to this and shall be informed about the special protection of personal data.

VIII. Contract term

This agreement is concluded for an indefinite period. It can be terminated by either Party with 3 months' notice to the end of the month. This shall not affect the right to terminate the contract for just cause. Any notice of termination must be issued in writing to become effective.

IX. Legal venue, side agreements, severability

The place of performance for the mutual obligations is Hamburg. The law of the Federal Republic of Germany shall apply. The exclusive legal venue for all disputes arising in connection with this contract, including disputes based on tort, is Hamburg.

There are no side agreements to this contract. Changes or additions must be made in writing to be legally effective. This also applies to the waiver of the written form requirement.

Should any provision of this contract be invalid, this shall not affect the validity of the remaining provisions of this contract. This also applies if the contract contains a loophole. In place of an invalid provision or loophole, the Parties shall agree an appropriate substitute provision which comes closest to what the Parties would have wanted if they had considered this aspect.

Hamburg, 01/8/2019 sgd. Jörg Hörster & Dr. Johannes Ulbricht
TrustBills Technologies GmbH

Hamburg, 01/8/2019 sgd. Jörg Hörster & Dr. Johannes Ulbricht
TrustBills Marketplace GmbH

| Obligations according to EU GDPR | Data controller |
|---|---|
| Determination of the type of personal data | TrustBills Technologies GmbH & TrustBills Marketplace |
| Determination of the purpose and means of data processing | TrustBills Technologies GmbH & TrustBills Marketplace |
| Article 26 (1) EU GDPR – Determination of responsibility with regard to the individual obligations in an agreement | TrustBills Technologies GmbH & TrustBills Marketplace |
| Article 26 (1) EU GDPR – Indication of a point of contact for the data subjects | TrustBills Technologies GmbH |
| Article 26 (2) EU GDPR – Making the essence of the agreement available | TrustBills Technologies GmbH & TrustBills Marketplace |
| Article 13 EU GDPR – Duty to inform when collecting personal data from the data subject | TrustBills Marketplace |
| Article 14 EU GDPR – Duty to inform when collecting personal data not collected from the data subject | TrustBills Marketplace |
| Article 15 EU GDPR – Processing of the data subject's request for information | TrustBills Marketplace |
| Article 16 EU GDPR – Processing of the data subject's request for correction | TrustBills Marketplace |
| Article 17 or Article 18 EU GDPR, Article 19 EU GDPR – Processing of requests for deletion or requests to restrict processing and notification of an obligation to delete | TrustBills Marketplace |
| Article 20 EU GDPR – Processing of requests for transmission (data portability) | TrustBills Marketplace |
| Article 21 EU GDPR – Processing of objections | TrustBills Marketplace |
| Article 24 (1) in conjunction with Article 32, Article 35, Article 36 (3) EU GDPR – Determination of technical and organisational measures after risk assessment and data protection impact assessment if necessary; consultation of the supervisory authority/transmission of the necessary information | TrustBills Technologies GmbH |
| Article 24 (1) EU GDPR – Documentation of the selection of the technical and organisational measures | TrustBills Technologies GmbH |
| Article 24 (1) EU GDPR – Review and updating of technical and organisational measures | TrustBills Technologies GmbH |
| Article 28 EU GDPR – Involvement and verification of order processors and subcontracting order processors | TrustBills Technologies GmbH |
| Article 30 EU GDPR – Keeping the list of processing activities | TrustBills Technologies GmbH |
| Article 33, 34 EU GDPR – Processes in the event of reportable data breaches | TrustBills Technologies GmbH |
| Article 37 EU GDPR – Appointment of a data protection officer | TrustBills Technologies GmbH |
