Terms, Privacy Policy and Data Processing

Terms and Conditions of Userlike

Subject Matter and Scope

  • Subject matter of these General Terms and Conditions (hereinafter "terms and conditions") is the provision of services (hereinafter "Services") of Userlike UG (limited liability), Probsteigasse 44-46, 50670 Cologne, Germany, (hereinafter "Userlike") regarding the application "Userlike" (all editions) to customers (hereinafter "Customers"), who are not consumers as defined in Section 13 of the German Civil Code (Bürgerliches Gesetzbuch – BGB).
  • These terms and conditions and any regulations in individual agreements between the Parties shall apply exclusively. Conflicting or deviating terms of Customer shall not apply, even if Userlike despite the knowledge thereof provides its Services without objecting to those conflicting or deviating terms.
  • Userlike shall have the right to change these terms and conditions within a suitable notice period. Changes shall enter into effect only if Customer has not objected to the changes within one month from the written notification of the intended change (objection period) and if in such notification Userlike informs Customer (a) on his right to object and (b) the objection period. This clause does not apply to obligations of Userlike which are prerequisite for the proper implementation of the agreement, by the breach of which attainment of the purpose of the agreement is jeopardized and on which Customer may duly rely (cardinal obligation).

Agreements and Offers

  • A completed web-based order form or any other kind of order request of the Customer constitutes a binding contractual offer regarding the requested Services of Userlike. An agreement shall be deemed concluded upon acceptance of such offer by Userlike, at the latest upon provision of the Service by Userlike.
  • Any offers by Userlike shall be deemed non-binding, unless expressly otherwise agreed. Performance dates or times mentioned in a Customer’s request are binding only if designated as binding by Userlike in writing.

Services

  • Customer shall inform Userlike without undue delay in case of malfunction or disruption of the Service.
  • Customer shall be obligated to keep personal access data (username and password) confidential against access by unauthorized third parties. Customer shall change his password immediately and shall be obligated to inform Userlike without undue delay if there is reason to suspect that unauthorized third parties have access to Customer’s password.
  • Customer shall be obligated to use the Services in accordance with the legal provisions of the territory of intended use. In particular Customer shall observe the applicable copyrights, trademark rights, patent rights and any other intellectual property or personal rights of third parties. Customer may neither use nor make available to the public any data or any information with illegal content.
  • Customer may not use the Services, to conduct attacks on Userlike or third parties, such as spamming, hacking, brute force attacks, the use of spy software, virus or worms attacks.
  • In case of an infringement of section 4 (2) to (4) of these terms and conditions Userlike may delete illegal content at any time and without prior notice or may – to the extent necessary –block access of Customer to the relevant content and/or Services until Customer has redressed the infringement. In case of a severe violation of Customer against the duties stipulated in section 4 (2) to (4) of these terms and conditions Userlike shall have the right to terminate the contract for good cause without prior notice (section 10 (2)). If Customer is responsible for the infringement he shall compensate Userlike for all damages resulting thereof.

Customer’s Obligations

  • Details of the respective contractually agreed Services can be found on the product order pages of Userlike valid at the time of the order.
  • Insofar as Userlike conducts its Services free of charge (Free Trial and Edition "Free") it may at its own discretion and at any time, in whole or parts, change, limit or cancel such Services. If doing so Userlike will take Customer’s legitimate interests into account and will notify Customer within a reasonable timeframe in advance, provided that such notification is technically feasible and reasonable.
  • Userlike provides its Services 24 hours a day, 365 days a year and ensures an availability rate of at least 99,00% of the annual mean, except for maintenance downtimes. Userlike will inform Customer about necessary maintenance downtimes in good time, if possible. Userlike is not liable for any downtimes which make its Services unavailable via internet, in particular for downtimes because of technical or other problems that are outside Userlike’s sphere of influence or control such as force majeure events or acts of third parties.

Rights of use and Reimbursement

  • Userlike grants to Customer the non-exclusive, non-transferable, non-sublicensable and unlimited right to use the Services within the scope and limited to the term of the agreement. Userlike shall be obligated to provide new versions, upgrades or updates of its Services only insofar as it is strictly necessary for the remedy of defects. Outside the scope of the agreement Customer is not entitled to use, copy or download Userlike’s Services or to make them available to any third parties.
  • Customer shall be obligated to indemnify Userlike and its subcontractors against all third party claims that are based on the illegal use of the Services or any such use that happened with his consent, or that arise, in particular, from litigation procedures involving the infringement of laws on data protection, copyright or other laws in conjunction with the use of the Services. If Customer realizes or can be expected to realize that such infringement is about to occur, he shall be obligated to notify Userlike without undue delay.

Data Protection

  • Userlike collects, processes and uses personal identifiable information ("personenbezogene Daten") solely pursuant to German data protection legislation. Customer may find Userlike’s current privacy notice ("Datenschutzerklärung") at Userlike’s website under the section "Privacy Notice".
  • It is in Customer’s sole responsibility to collect, process or use personal identifiable information of third parties in accordance with German statutory provisions while using the Services. That applies, in particular, to his obligation to obtain the necessary consent of the parties involved, provided that no statutory provision legitimates the intended data collection, processing or usage.

Rights in Case of Defects

  • Insofar as Userlike provides its Services free of charge (Free Trail and Edition "Free") Userlike shall be not obligated to remedy defects.
  • Insofar as Userlike provides paid Services it shall be entitled to remedy the defect by delivering an update, upgraded or otherwise revised version of the Service or by implementing a workaround.
  • Liability for defects shall be excluded if the defect is caused because Customer or a third party on behalf of Customer altered Services or in any other way interfered in the Services in an inadmissible manner or because Customer or said third party made use of the Services in a way that is not compliant with the scope of the agreement or Service documentation.

Liabilities

  • Services provided free of charge (Free Trial and Edition "Free")
    Insofar as Userlike provides its Services free of charge, Userlike’s liability shall be liable in accordance with statutory provisions of German law for any damages based on intent, fraudulent intent, gross negligence or lack of a guaranteed feature. Any further liability shall be excluded. Liability for injury in life, limb or health and liability in accordance with the German Product Liabilty Act (Produkthaftungsgesetz – ProdHaftG) shall remain unaffected.
  • Paid Services
    Insofar as Userlike provides paid Services Userlike shall be liable in accordance with statutory provisions of German law for any damages based on intent or gross negligence or the lack of a guaranteed feature, including intent or gross negligence of its subcontractors.
    In the event of slight negligent breach of an obligation of Userlike which is prerequisite for the proper implementation of the agreement, by the breach of which attainment of the purpose of the agreement is jeopardized and on which Customer may duly rely, liability shall be limited to the typical damage expected under the agreement. Any other liability shall be excluded. Liability for injury in life, limb or health and liability in accordance with the ProdHaftG shall remain unaffected.
  • Liability for loss of data
    Userlike shall be liable for the loss of data in the event of slight negligence only under the conditions and within the scope of section 7 (2) and only to the extent that the damage would also have occurred if Customer had performed a duly and regular, at least daily, backup (on his local systems).

Payment Terms

  • Unless otherwise agreed, Customer may find details concerning prices on the product order pages of Userlike, valid at the time of the order.
  • All prices (including additional costs) are net prices. Userlike shall be entitled to issue electronic invoices. Billing for the respective Service will be processed in accordance with the payment method selected by Customer.
  • The billing amount is immediately due and payable without deduction upon invoicing. A payment shall only be deemed to have been made when Userlike has disposal over the amount.
  • Customer shall be in default if he does not make his payment within fourteen days after the due date and receipt of an invoice or equivalent statement of payment. In case of default, Userlike shall be entitled to claim default interest at the statutory rate (Section 288 para. 2 BGB). The assertion of further claims remains unaffected.
  • In the event that Customer is in default of (a) payment or a significant part thereof, for two consecutive months or (b) in an amount that is at least equivalent to the amount due for a period of two months, Userlike shall be entitled to block access to the Services. Userlike’s right to terminate the contract for good cause without prior notice (section 10 (2)) remains unaffected.

Term and Termination of an Agreement

  • Unless otherwise agreed, the agreement has a minimum term – depending on the chosen edition of the Service – of one, twelve or twenty-four months and may be terminated without notice at the end of each term. Unless terminated in due time the agreement shell be deemed extended each time for the applicable minimum term. As for Custom Customers – depending on the chosen edition of the Service – a minimum term of twelve or twenty-four months with a notice period of three months to the end of each term shall apply.
  • Notice of Termination can be provided either by using Userlike’s relevant communications tools on its website or in text format (eMail).
  • The right to terminate the agreement for good cause without notice remains unaffected. A good cause shall apply in particular if the terminating party, taking into account all circumstances of the specific case and weighing the interests of both parties, cannot reasonably be bound to the agreement until expiration of the relevant term.
  • If Customer opts for deleting his entire account at Userlike, also Customer’s corresponding data will be automatically deleted. It is therefore Customer’s responsibility to backup his data on his local account before deleting his account.

Integration

  • Userlike provides software-based technical support in the communication of its customers with third parties via independent messenger applications such as Facebook Messenger and Telegram.
  • The telephone numbers Userlike imparts to its customers to use with messenger applications are supplied by cloud communication providers. There is no contractual relationship established between Userlike’s customers and cloud communication providers. Userlike’s customers are not entitled to be provided with a leaving or disclosure of the telephone number, nor with benefits in respect of these cloud communication providers.
  • Installation or maintenance of the operation of the messenger applications is not included in the scope of services of Userlike’s products. Userlike does not have any contractual relationship with the providers of these messenger applications. Alterations in the settings of the messenger applications or improper handling of these can lead to interruptions and harm its functioning. In such cases, Userlike will work to restore functionality.
  • If the messenger application’s provider bans individual telephone numbers, Userlike will inform customers about this and impart to them a new number. If customers decide to accept this offer, all recipients will have to be recruited and verified again.
  • Also not included in the scope of services of Userlike’s products is the equipment of third parties that is necessary for the messenger applications to be used. Userlike does not have any contractual relationship with the third parties.

Miscellaneous

  • Userlike shall have the right to provide its Services with the help of subcontractors. Userlike shall be liable for any Services provided by subcontractors to the same extent that Userlike is liable for its own actions.
  • Information specified on the product order page, in brochures and other documents serves only to describe the products and does not constitute a guarantee, particularly a guarantee of a certain quality. Guarantees must be expressly confirmed by Userlike in writing.
  • The contractual relations between Userlike and Customer shall be governed by German law under exclusion of the UN Convention on Contracts for the International Sale of Goods.
  • If Customer is merchant within the meaning of the German Commercial Code (Handelsgesetzbuch – HGB), a legal person governed by public law or a special fund (Sondervermögen) under public law, exclusive place of jurisdiction shall be Cologne, Germany. The same applies, if Customer has no general place of jurisdiction in Germany or if his domicile or his usual place of residence is unknown at the time an action is filed. Userlike’s right to file an action against Customer at its general place of jurisdiction remains unaffected.
  • Should provisions of an agreement with Customer including these term and conditions are or become invalid in parts or as a whole, validity of the remaining provisions shall remain unaffected and the invalid parts shall be replaced by the relevant statutory provision.

Last revision: 10 February 2016

Terms, Privacy Policy and Data Processing

Privacy Policy of Userlike

General

Data protection and data security are of utmost importance for Userlike UG (limited liability), hereinafter "Userlike" or "we". In the following we may provide answers to your most frequent questions to what personal data we collect, process and use in connection with our website and what your possibilities are to influence this data usage.

We would like to point out that this privacy statement applies only to our website https://www.userlike.com and its subpages (hereinafter "Websites") but not to websites of third parties that are linked with our Websites. As Userlike has no measures to influence data usage of said third parties, we recommend that you also assess those third parties’ privacy statements.

"Bundesdatenschutzgesetz – BDSG") and the German Telemedia Act ("Telemediengesetz – TMG").

What is the subject matter of this privacy statement?

The subject matter of this privacy statement is personal data. According to Section 3 (1) BDSG, these are individual details on personal or objective circumstances of a certain person or certain persons. This includes details such as your name, your postal address, your email address, your telephone number or, where appropriate, also use-data. Use-data is data that is necessary to use the Website of Userlike and its services as for example information on the start, end and the extent of usage of our Websites and access data that is required to use our services.

What data is collected and how is it used?

Automated data usage

For technical reasons, when accessing our Websites your internet browser automatically transmits data to us. This applies to the following data:

  • Your date and time of access
  • Your browser type and version
  • The operating system you use
  • URL of your previously visited website
  • Quantity of data transmitted

Such data is collected and processed for technical reasons only, is at no time assigned to any identifiable person and is deleted right after the end of your visit at our Website.

Live chat

In order to use our live chat at our Websites you must register with your name and your email address. We use this data together with the information you transmit via the chat to advise you in the best possible way.

When you start our live chat we temporarily collect and process your IP address. By doing so we are able to identify where your access provider is located which we assume might be also the country where you access our live chat. The purpose of this information is to help Userlike to provide you with a live chat that serves your needs best. The temporally collection of your IP address serves solely this purpose and your IP address will not be stored.

Furthermore, Userlike stores the chat record. This shall not only spare you the inconvinience of recalling the whole chat history of past chats when you ask for our assistance via live chat but shall also ensure an continuous quality control regarding our live chat. If you do not want to have your chat record stored please contact us and we will delete it immediately. You may find our contact details at the end of this privacy statement (see question 7).

Use of Services

If you decide to make use of our services, we may ask you for further personal data. If you make use of services that are free of charge (e.g. Free Trial or Edition "Free") this is the name of your company or your website address, your first name, surname and username, your email address andyour password. If you want to use our fee-based services (e.g. Edition "Team", "Corporate", "Business", "Custom" or "Flex") you must furthermore provide us with the necessary payment details, depending on the chosen payment method (e.g. credit card details, etc.).

Depending on the individual use of the relevant service we might process further personal data insofar as it is necessary to render our services. This relates for example to the content of chats or chat records that have been conducted and stored by making use of our services and IT infrastructure.

Amazon Services

Userlike uses Amazon Cloudfront as content delivery network and Amazon Simple Email Service (Amazon SES) for sending emails.

Transfer of personal data

Userlike will transfer data to third parties only to the extent necessary to render its services. For any other purposes we will transfer personal data to third parties only with your prior and explicit consent. That applies in particular to the transfer of personal data for advertising purposes. Exceptions to this rule apply only in the following cases:

  • If required for investigating the illegal use of the services of Userlike or for legal proceedings, personal data will be transferred to the criminal investigation authorities and, if legally obliged, to injured third parties. We are also legally obliged to give certain public authorities information. These are criminal investigation authorities, public authorities which prosecute administrative offences entailing fines and the German finance authorities.
  • Occasionally we depend on contractually affiliated external companies and external service providers to supply services such as the supply of advertising measures (only if you have given your explicit prior consent), processing payments (credit card etc.), storing your data and customer service. In such cases, information is transferred to these companies or individuals in order to enable them to process this information further. The service providers may only use the data for the purposes stipulated by Userlike and solely in accordance with German data protection laws.
  • In order to further develop our business, we may alter the corporate structure of Userlike e.g. by changing its legal form. We may also form, sell or buy subsidiaries, divisions or parts of the company. In such transactions, customer information together with the part of the company to be transferred will be passed on. Every time personal data are transferred to third parties to the extent prescribed, Userlike will ensure that this is done in accordance with this privacy statement and the relevant data protection laws.

What should you know concerning our newsletter and our blog?

Userlike provides a newsletter service and a blog both free of charge. They inform you about news on Userlike, its services and other topics that might be of interest to you. You can receive both, newsletter and blog, via email. To subscribe for our newsletter service just use the opt-in option during the registration process or use the subscription function at the Dashboard. If you want to subscribe for our weekly blog just visit https://www.userlike.com/en/blog.

Of course you can unsubscribe both the newsletter service and the blog at any time. You may find information on how to unsubscribe with effect for the future in every newsletter and blog.

Will my usage behavior be evaluated, e.g. for advertising purposes?

Usage profiles

Userlike may create usage profiles under pseudonyms to the extent permitted by law. We can evaluate these for the purposes of advertising, market research or to design our Websites and services in a needs-based manner. No direct conclusions can be drawn about you as an individual. The profile data is not linked to any other information about your person. You can object to the creation of usage profiles at any time. To do so just inform us via support@userlike.com. Regarding special features in connection with the use of "Google Analytics", please see the section "Google Analytics", below.

Cookies

Userlike makes use of so-called "cookies" in order to be able to offer you a comprehensive range of functions and to make it easier to use our websites. Cookies are small files which are stored on your computer with the help of the internet browser.

If you do not want to use cookies, you can prevent them from being stored on your computer using the corresponding settings on your internet browser. Please note that this may restrict the functional capability and the range of functions of our services. Regarding the special use of cookies in connection with "Google Analytics", "Google Conversion Tracking" and "Google Remarketing" and the possibilities to deactivate them, please see the following sections of this privacy statement.

Google Analytics

Userlike uses Google Analytics, a web analytics tool provided by Google Inc. ("Google"). Google Analytics uses cookies which help to analyze how users use the Website. The information generated by the cookie on your use of the Webiste (including your abbreviated IP address), is transmitted and stored on a server in the USA. Google will use this information to assess your use of the Website, to compile reports on your website activities for Userlike and to provide other services relating to your Website activities and internet usage. It is also possible that Google may transmit this information to third parties if this is prescribed by law or if third parties process this information on behalf of Google.

You can deactivate Google Analytics using an add-on to your browser which you can download here: https://tools.google.com/dlpage/gaoptout?hl=en.

Google Conversion Tracking

Userlike uses Google Conversion Tracking. If you access our Websites via a Google ad, Google AdWords stores a cookie on your computer. This cookie loses its validity after 30 days and is only used to detect whether you visit our Websites during this period. No conclusions can be drawn about you as an individual. The information collected with the aid of the Conversion cookie helps Userlike to create statistics about its conversion rate. This means that we find out how many users come to visit our Website via a Google ad.

If you do not wish to participate in the tracking process, you can deactivate cookies for Google Conversion Tracking by specifying in your browser settings that cookies from the "googleadservices.com" domain are to be blocked.

Remarketing

Userlike uses Google Remarketing, Twitter Ads and Facebook Custom Audiences from Your Website. It means that we display targeted advertisements to previous Web visitors of our Websites that have been interested in our services when they visit other internet sites in the Google Partner network, Twitter.com and its webpages, and Facebook.com and its webpages, respectively. This is being done by using cookies which first analyse your use of our Websites and will then be used to display our advertisements on third party websites. Cookies thereby only use pseudonymous data that is not linked to any personally identifiable information.

You can object to this interest-based marketing in the following ways:

Google Remarketing:
Use the add-on to your browser to deactivate Google Analytics (see "Google Analytics") and it will at the same time deactivate Google Remarketing, too. You can also deactivate the use of cookies of third parties, e.g. by visting the deactivation site of the Network Advertising Initiative at http://www.networkadvertising.org/choices/.

To learn more about the privacy practices and policies of Google, visit their Privacy Policy page: https://www.google.com/policies/privacy/

Twitter Ads:
To object to Twitter’s interest-based ads use the instructions on their website: https://support.twitter.com/articles/20170405. Twitter also supports Do Not Track. You can opt-out of Twitter’s interest-based ads by using this software.

To learn more about the privacy practices and policies of Twitter, visit their Privacy Policy page: https://twitter.com/privacy.

Facebook Custom Audiences from Your Website:
To object to Facebook’s interest-based ads use the instructions on their website at https://www.facebook.com/about/ads/#568137493302217.

Facebook also adheres to the Self-Regulatory Principles for Online Behavioral Advertising established by the Digital Advertising Alliance. You can also opt-out from interest-based advertising of Facebook and other participating companies through the Digital Advertising Alliance in the USA http://www.aboutads.info/choices/, the Digital Advertising Alliance of Canada in Canada http://youradchoices.ca/ or the European Interactive Digital Advertising Alliance in Europe http://www.youronlinechoices.eu/ , or opt-out by adjusting your mobile device’s settings.

To learn more about the privacy practices and policies of Facebook, visit their Privacy Policy page: https://www.facebook.com/privacy/explanation

Which rights to information and deletion do you have?

You may, at any time and free of charge, request information from Userlike about the data stored by us, its recipients, categories of recipients to which we transfer your data and the purposes for which your data is stored. You also have the right to request that we correct, delete or block your personal data, if the use of it does not comply with existing legal regulations, in particular if data is incomplete or incorrect.

To do so, please contact support@userlike.com or send us a message at the following address.

Who may you contact for questions on data protection at Userlike?

If you have any queries or suggestions on data protection please do not hesitate to contact us at the following address:

Userlike UG (haftungsbeschränkt)
Probsteigasse 44-46
D-50670 Cologne

Can this privacy statement be amended?

Userlike reserves the right to amend this Privacy Statement if this proves to be necessary because of regulatory changes or because of additional or altered services of Userlike or third parties. You can inform yourself of the current version of the Privacy Statement at https://www.userlike.com/terms.

Last revised: August 1, 2015

Terms, Privacy Policy and Data Processing

Data Processing

1. Contract and specifications for data processing on behalf

  1. 1.1. This agreement for data processing on behalf (referred to hereinafter as “DPA”) sets out the rights and duties of the parties under data protection law which arise from the contracts which already exist between the parties or will be concluded between them in the future (referred to hereinafter as “main contract”) and under which the Processor provides processing of personal data on behalf of the Controller.
  2. 1.2. This DPA and all its components apply in all cases where Controller engages the Processor for processing personal data (referred to hereinafter as “data”) on the Controller’s behalf according to Art. 28 GDPR (General Data Protection Regulation). This DPA constitutes the framework for a multitude of different data processing procedures.
  3. 1.3. In the case of discrepancies, the provisions of this DPA including all its components have priority over the provisions of the appropriate main contract.
  4. 1.4. The specifications in terms of data protection law which are applicable for the different processing procedures (referred to hereinafter as “specifications”) will be agreed upon before the commencement of the data processing and fixed in annexes to the DPA (referred to hereinafter as “annexes”). They stipulate in particular the subject matter and the duration as well as the mode and purpose of the data processing, the data categories and the categories of persons concerned (data subjects) as well as the technical and organisational measures to be implemented (referred to hereinafter as “TOM”).
  5. 1.5. The annexes are part of the DPA. In the case of discrepancies, the annexes have priority over the more general provisions of the DPA. If reference is made to the DPA hereinafter or in the annexes, such reference must be deemed to pertain to the DPA including all its components.

2. Responsibility and processing on instructions

  1. 2.1. The Controller is solely responsible under this DPA for compliance with the applicable statutory provisions including but not limited to the lawfulness of the disclosures made to the Processor and the lawfulness of data processing (“controller” in terms of Art. 4 no. 7 GDPR).
  2. 2.2. The Processor, for the purposes of data processing, acts solely on the instructions given by the Controller except in the case of an exemption according to Art. 28 subs. 3 a) GDPR (statutory processing obligation). Oral instructions, if any, must be confirmed in electronic form without undue delay (“unverzüglich”). If the Controller acts as a data processor on behalf of a third party, the Controller’s obligations under the data processing contract with the third party are deemed to constitute direct instructions by the Controller which are also applicable in the relationship with the Processor if these obligations are stricter than those agreed in this DPA. The Controller will inform the Processor of any such third-party requirements regarding data processing on behalf in electronic form.
  3. 2.3. The Processor will rectify or delete the data to be processed under the contract or restrict the processing of such data (referred to hereinafter as “blocking”) if the Controller so instructs the Processor and this is within the agreed limits of the authority to give instructions.
  4. 2.4. The Processor will inform the Controller without undue delay (“unverzüglich”) if it considers an instruction to be contrary to the applicable data protection regulations or this DPA. The Processor is entitled to suspend the implementation of the instruction until it is confirmed or adjusted by the Controller by notice in electronic form. The Processor is entitled to refuse the implementation of instructions which obivously are contrary to data protection law.
  5. 2.5. The parties will designate to each other by notice in electronic form one or several mutual contact persons to be addressed for data protection issues, including their appointed data protection officers. If the contact persons or their contact data change, the parties are obliged to mutually inform each other by notice in text form.
  6. 2.6. The Processor ensures that the persons who are authorised to process the data (a) are familiar with the instructions given by the Controller and comply with them and (b) have been committed to secrecy or are subject to an appropriate statutory obligation of secrecy. The obligation of secrecy and confidentiality continues in effect even after the termination of the data processing.
  7. 2.7. If the Controller acts as a data processor on behalf of a third party, the obligations imposed on the the Processor by this DPA are deemed to apply and be immediately binding also in the relationship between the third party and the Processor. This applies to all services which the Processor provides to the third party on the Controller’s behalf. The third party is in particular entitled to assert the right to control and information according to § 8 directly against the Processor.

3. Processing security

  1. 3.1. The parties agree TOM according to Art. 32 GDPR to ensure adequate protection of the data (referred to hereinafter as “Annex TOM”).
  2. 3.2. The right to make changes to the Annex TOM is reserved to the Processor; it must however be ensured that the changes do not cause the protection level to fall below the contractually agreed protection level. The Processor is obliged to notify the Controller of any essential changes by notice in electronic form and such essential changes are subject to prior consent to be given by the Controller by notice in text form.

4. Notification of data breaches and data processing errors

  1. 4.1. The Processor will notify the Controller without undue delay (“unverzüglich”) if it becomes aware of any breach of the data entrusted to it by the Controller which has occurred within its sphere of organisation, as described in Art. 4 no. 12 GDPR, or if there is any specific reason to suspect that a data breach has occurred with the Processor.
  2. 4.2. The Controller will inform the Processor without undue delay (“unverzüglich”) if it becomes aware of any processing errors.
  3. 4.3. The Processor will take, without undue delay (“unverzüglich”), all measures which are required to eliminate the data breach described in § 4.1 or the errors described in § 4.2 and mitigate any possible detrimental consequences or impact, in particular with regard to the data subjects concerned. For such purpose, the Processor will consult with the Controller. Oral information about any incidents according to § 4.1 or § 4.2 must be documented and confirmed by notice in electronic form without undue delay (“unverzüglich”).

5. Data transfer to a recipient in a third country or in an international organisation

The transfer of data to a recipient in a third country outside the EU and the EEA is permissible if the requirements fixed in Articles 44 et seqq. GDPR are complied with and, in addition, the transfer is subject to prior consent to be given by the Controller by notice in electronic form. The further details are stipulated in one or several annexes.

6. Subcontracting of additional processors acting on behalf

  1. 6.1. The Processor is entitled to have the processing of personal data carried out by other processors acting on behalf in whole or in part (referred to hereinafter as “subcontractors”).
  2. 6.2. Good cause is deemed given if there is legitimate reason to doubt that the subcontractor will perform the agreed services in accordance with the applicable statutory data protection provisions and requirements or in accordance with this DPA. If this is not possible for the Processor or not reasonable for the Controller, the respective party is entitled to extraordinary termination of the main contract for good cause.

    Good cause is deemed given if there is legitimate reason to doubt that the subcontractor will perform the agreed services in accordance with the applicable statutory data protection provisions and requirements or in accordance with this DPA. If this is not possible for the Processor or not reasonable for the Controller, the respective party is entitled to extraordinary termination of the main contract for good cause.
  3. 6.3. The Processor will agree with the subcontractor on provisions with exactly the same contents as are stipulated in this DPA. In particular, the TOM to be agreed with the subcontractor must be equivalent in terms of the protection level to those agreed herein.
  4. 6.4. Services which the Processor procures as mere subsidiary services to support its business activities outside the data processing on behalf are not deemed to constitute subcontracting within the meaning of this clause. The Processor is however obliged to take adequate precautionary measures for these subsidiary services, too, to ensure protection of the data.

7. Rights of data subjects and support and assistance to the Controller

If a data subject asserts claims according to chapter III GDPR against any of the parties, such party will inform the other party without undue delay (unverzüglich”). The Processor will support and assist the Controller within the realms of possibility in handling any such claims and in complying with the duties specified in Art. 33 to 36 GDPR.

8. Controller’s right to control and information

  1. 8.1. The Processor will provide the Controller with appropriate evidence to demonstrate compliance with its duties. The Controller will check the appropriateness of the evidence provided.
  2. 8.2. As to the compliance with and implementation of the agreed protection measures and their proven efficiency, the Processor may refer to adequate certifications or other appropriate testing records or certificates. In particular, certifications according to Art. 42 GDPR and other certifications or evidence according to Art. 40 GDPR are deemed to be adequate certifications or evidence. In addition, the following certifications may be appropriate, too: certification according to ISO 27001 or ISO 27017, an ISO 27001 certification based on IT Grundschutz (IT basic protection), certification according to acknowledged and appropriate industry standards or a testing certificate according to SOC / PS 951. The certification and testing procedures must be conducted by an acknowledged independent third party. The Processor is obliged to make its certificates or testing certificates available to the Controller. Appropriate additional documents (e.g. activity reports of the data protection officer or extracts from auditors’ reports) can also be made available to the Controller to document compliance with the agreed protection measures. The Controller’s right to inspection according to § 8.3 remains unaffected.
  3. 8.3. The Controller is entitled to conduct, during usual business hours and without interfering with the Processor’s operations and, as a rule, following an appropriate notification to be given reasonable time before the intended audit, audits/ inspections at the Processor’s premises to verify compliance with the applicable data protection regulations. The Processor may request as a prerequiste for the audit/ inspection the prior signing of a non-disclosure agreement to ensure confidentiality of the data of other customers and the TOM implemented by the Processor.
  4. 8.4. The parties, for the purpose of remedying any insufficiencies found in the audit/ inspection, will consult on the measures to be implemented.
  5. 8.5. If a supervisory authority makes use of its powers according to Art. 58 GDPR, the parties will inform each other without undue delay (“unverzüglich”). They will support and assist each other within their respective sphere of control and responsibility in fulfilling the obligations imposed on them by the competent supervisory authority.

9. Liability and damages

  1. 9.1. If a data subject asserts claims for damages against either of the parties for breach of data protection regulations, the party against which the claims are asserted is obliged to inform the other party without undue delay (“unverzüglich”).
  2. 9.2. The Controller and Processor are liable to the data subjects according to the regulation contained in Art. 82 GDPR.
  3. 9.3. The parties will support and assist each other in defending themselves against the claims for damages asserted by data subjects unless this would endanger the legal position of one party in relation to the other party or the supervisory authority or to third parties.

10. Costs

The Processor will bear the costs incurred by it in connection with the measures taken by the Controller. This includes in particular the costs incurred by the Processor in connection with controls and inspections carried out by the Controller according to § 8.

11. Term

An annex is deemed terminated upon termination of the main contract without a separate notice of termination being required to end the annex. In this case, the Processor is obliged, at the Controller’s choice, either to return the data processed under the annex or delete the data in accordance with the applicable data protection requirements without undue delay (“unverzüglich”) and confirm this to the Controller by appropriate notice in electronic form. The Processor will also notify the Controller by appropriate notice in text form if the Processor is itself subject to a statutory obligation to store the data in question.

12. Continuing validity and transfer of old contracts

The DPA, as of its signing, supersedes the existing contracts according to § 11 BDSG (German Federal Data Protection Act). If the parties, prior to concluding this DPA, have agreed on specifications according to § 1, these will continue in effect and apply analogously under the DPA unless they are superseded by annexes which pertain to the same data to be processed.

13. Information for end customers

The provider allows the client to individualize the chat widget and extend the functional scope of the service. All settings are stored in the client's customer account. The activation of optional chat functions is not necessary for the operation of the core service of the chat and is a free decision of the client.

Depending on the function used, the activation of these optional functions may result in personal data of the client's end customers being forwarded to subcontractors of the provider for further processing. All the subcontractors are listed in the appendix, point 9: Optional add-on providers.

Upon activation of the respective function, the subcontractor shall be deemed to have been approved by the customer; a right of objection pursuant to Clause 6.2 shall then not exist. If the client activates optional functions in the chat widget, the client undertakes to inform the users of the chat widget about the use of these functions in conformity with data protection. Furthermore, the client undertakes to check the functional scope of the chat widget and to ensure that the data protection settings of the account are correctly configured.

14. Final provisions

  1. 14.1. .If the Controller’s data should be endangered while under the Processor’s custody due to seizure or confiscation, insolvency or composition proceedings or other incidents or measures taken by third parties, the Processor will be obliged to inform the Controller by notice in electronic form without undue delay (“unverzüglich”). The Processor will inform all responsible parties involved without undue delay (“unverzüglich”) that the responsibility for the data lies exclusively with the Controller.
  2. 14.2. There are no oral side agreements. Changes and amendments to the DPA require appropriate agreement in electronic form to be valid as well as explicit reference to this DPA. Any non-compliant oral agreements between the parties will be deemed to be invalid. This also applies to any changes to the present clause.
  3. 14.3. If only one provision of this DPA should be or become invalid or void in whole or in part, this will be without prejudice to the validity of the remaining provisions of this DPA. The statutory provisions will apply in lieu of the invalid or void provision if the gap which has arisen as a result of the invalidity cannot be filled by supplementary contract interpretation (“ergänzende Vertragsauslegung”) according to §§ 133, 157 BGB (German Civil Code). However, both parties will be obliged to enter into negotiations without undue delay (“unverzüglich”) to reach an agreement to replace the invalid or void provision and which corresponds most closely to the legal and economic purpose and intention of the the invalid or void provision and which in particular comes up to the nature of the agreement which is an agreement for the performance of a continuing obligation (“Dauerschuldverhältnis”) and which is meant to regulate data protection issues
  4. 14.4. This DPA is governed by German law with the exception of the conflict of laws rules; Art. 3 subs. 3 and subs. 4 of the Rome I Regulation remain unaffected.

On request, we will gladly send you the documents on technical and organizational measures that we refer to in our data processing agreement.

Last revised: May 1, 2018