Order Processing Agreement

Between

Fitness Nation GmbH
Bergstr. 18
59394 Nordkirchen, GERMANY

– hereinafter “processor” –

and

the company named in the main contract

– hereinafter referred to as “Controller” –

The Processor and the Controller are hereinafter also referred to individually as the “Party” or collectively as the “Parties”.

§ 1 Subject of the contract

(1) This Data Processing Agreement (“AVV”) is concluded between the Parties with respect to the processing of personal data under the main contract (hereinafter “Main Contract”). The provision of services under the Main Contract (“Services”) requires the processing of data. If and to the extent that this data consists of or contains personal data, the Processor will act as processor with regard to this data, whereas the Controller remains the controller for this data within the meaning of Art. 28 of the General Data Protection Regulation (hereinafter “GDPR”).

(2) The Services are provided by the Processor in such a way that the Controller provides its own data, controls its transmission to the Processor and, in the case of Software as a Service models, directly controls the handling of the data uploaded to the Services. The Controller agrees and understands that the Processor does not monitor the Controller’s data or the Controller’s handling of this data, unless the Controller expressly requests the Processor to access such data. Therefore, it is the sole responsibility and obligation of the Controller to ensure that the Controller’s data is collected and transmitted in accordance with applicable data protection laws and,

(3) As a processor, the Processor will only process personal data of the Controller in accordance with the provisions of these AVV and the documented instructions of the Controller. If the Processor is obliged by Union or Member State law to which it is subject to process the personal data further, the Processor will notify the Controller of these legal requirements prior to processing, unless the relevant law prohibits such notification on grounds of important public interest; in the latter case, the Processor will inform the Controller about the further processing as soon as this is legally permissible.

§ 2 Details of processing

(1) The details of the processing are described in the provisions below and in the main contract. Bearing in mind its obligations as the controller, the controller will inform the processor if an addition to the specifications made in the main contract is necessary.

(2) The processor will process personal data as detailed in the main contract.

(3) The Processor will generally process personal data for the term of the Main Contract and the present AVV, unless otherwise agreed in writing.

§ 3 Place of data processing; Transmission to third countries

(1) The Processor will only process personal data at its own headquarters or at the headquarters of its authorized sub-processors. Accordingly, all processing operations are carried out in principle in the Member States of the European Union or in another state that is a party to the Agreement on the European Economic Area.

(2) Any processing of personal data outside of the EU/EEA is only permitted with prior agreement between the parties and only if the requirements of Art. 44 et seq. GDPR are met.

§ 4 Instructions of the person responsible

(1) The Parties agree that these AVV contain the general instructions of the Controller with regard to the commissioned processing of personal data by the Processor.

(2) Special instructions from the Controller that deviate from the provisions of these AVV or that impose new, additional obligations on the Processor require the consent of the Processor in order to be effective. For such special instructions, the Parties will apply any change procedure agreed in the Main Contract.

(3) It is the responsibility of the Controller to ensure that the instructions it gives with regard to the commissioned processing of personal data comply with the applicable data protection laws, and that the Processor is able to process personal data in accordance with those instructions without violating the data protection laws applicable to the Processor, in particular the GDPR. If the Processor is of the opinion that an instruction of the Controller violates applicable data protection laws, the Processor will inform the Controller. In such cases, the Processor is entitled to refuse to carry out the instruction until the Controller confirms the instruction.

(4) Special instructions from the Controller are given in writing or at least in text form by the persons authorized to do so on the part of the Controller. Oral instructions must be confirmed immediately by one of the authorized persons, at least in text form, in order to be effective.

§ 5 Assurances of the processor

(1) The Processor’s employees: (i) to the extent they are authorized to process the personal data, are bound by a duty of confidentiality or are subject to an appropriate statutory duty of confidentiality; (ii) will only process personal data in accordance with the instructions of the Processor, unless otherwise required under applicable data protection laws; and (iii) are instructed at regular intervals about the obligations resulting from these AVV and the applicable data protection laws, in particular the GDPR.

(2) The Processor may not make any copies or duplicates of the personal data processed on behalf of the Controller within the scope of the commissioned processing without the prior consent of the Controller. However, this does not apply to copies that are required to ensure proper data processing and the proper provision of the Services (including data backups), or to copies that are required to comply with statutory retention requirements.

(3) The Processor will appoint a competent and reliable data protection officer if and as long as the legal requirements for the appointment of a data protection officer exist. The Processor will inform the Controller of the contact information of any data protection officer appointed in this way.

§ 6 Technical and organizational measures

(1) Before processing begins, the Processor must implement the technical and organizational measures listed at www.fitness-nation.com/support/tom.html and maintain them during the term of these AVV. These are technical and organizational measures to ensure a level of protection appropriate to the risk with regard to the confidentiality, integrity, availability and resilience of the systems. They take into account the state of the art, the implementation costs and the nature, scope, context and purposes of the processing, as well as the varying likelihood and severity of the risk to the rights and freedoms of natural persons within the meaning of Art. 32 para. 1 GDPR.

(2) Because the technical and organizational measures are subject to technical progress and technological developments, the Processor is permitted to implement alternative and appropriate measures, provided that the security standard of the measures specified at www.fitness-nation.com/support/tom.html is not undercut.

§ 7 Engagement of sub-processors

(1) The Processor may only engage sub-processors with regard to the processing of personal data on behalf of the Controller with the prior consent of the Controller. The Controller consents to the use of the sub-processors named at www.fitness-nation.com/support/subunternehmer.html.

(2) The Processor will impose on each sub-processor obligations with regard to data protection, confidentiality and data security that are at least as strict as the obligations of the Processor towards the Controller laid down in these AVV. If a sub-processor fails to comply with the obligations imposed on it, the Processor shall be liable for these violations as if they were its own fault.

(3) The Processor will notify the Controller in writing of any new engagement of a sub-processor. If, within thirty (30) days of receiving such a notification, the Controller objects to the engagement, giving a reasonable reason, the Parties will seek an amicable solution. If an amicable solution cannot be reached within two (2) months in such a case, the Controller has the right to terminate the Main Contract with regard to those Services for which the use of the proposed sub-processor is necessary.

(4) The Parties agree that providers of mere ancillary services are not sub-processors within the meaning of data protection laws; this includes, in particular, transport services provided by postal or courier services as well as cash-in-transit services, telecommunications services, security services and cleaning services. Irrespective of this, the Processor will enter into non-disclosure agreements customary in the industry with such subcontractors.

(5) The provisions of this § 7 also apply if a sub-processor is engaged in a third country outside the EU or the EEA. Subject to the Controller’s consent to the use of the sub-processor, the Controller hereby authorizes the Processor to enter into a contract on behalf of the Controller with a sub-processor that processes data of the Controller outside the EU or the EEA, including the EU standard contractual clauses for the transfer of personal data to processors in third countries dated 05.02.2010, or any standard data protection clauses subsequently adopted by the EU Commission or the competent supervisory authority.

§ 8 Obligations to support the Controller

(1) At the Controller’s written request, the Processor shall provide reasonable support to the Controller in the event of an investigation or inquiry by a data protection supervisory authority, to the extent that such investigation or inquiry relates to the Services. The Processor will use reasonable efforts to assist the Controller in complying with any obligations related to such an investigation or inquiry. If a data protection supervisory authority starts an investigation directly with the Processor or sends a corresponding inquiry directly to the Processor, the Processor will inform the Controller immediately, insofar as it is permitted to do so, and cooperate in the context of this investigation or inquiry.

(2) The Processor shall inform the Controller immediately if it discovers a personal data breach in connection with the processing of personal data under these AVV. If, as a result of such a notification, the Controller has reporting obligations towards data protection supervisory authorities and/or data subjects (in particular under Articles 33 and 34 GDPR), the Processor will support the Controller in fulfilling these reporting obligations to an appropriate and necessary extent. Insofar as the Processor is not at fault for a reportable data protection incident, the Processor is entitled to charge for the support services in accordance with the remuneration rates agreed in the Main Contract.

(3) Taking into account the nature of the processing and the information available to it, the Processor will support the Controller in any data protection impact assessment that may have to be carried out with regard to the processing of personal data, including, where necessary, prior consultation with the competent data protection supervisory authority (Art. 35, 36 GDPR). The Processor is entitled to charge for the support services in accordance with the remuneration rates agreed in the Main Contract.

(4) The Processor will inform the Controller immediately if a data subject contacts the Processor directly with a complaint or inquiry, or in order to exercise rights to which he or she is entitled. The Processor will not respond to the request itself unless the Controller has expressly instructed it to do so. The Processor will provide reasonable assistance to the Controller in responding to such complaints, inquiries and requests from data subjects. The Processor is entitled to charge for the support services in accordance with the remuneration rates agreed in the Main Contract.

§ 9 Return or deletion of personal data

(1) Upon being instructed to do so by the Controller during the term of these AVV, after their termination, or after the processing of personal data under the relevant individual contract has ended, the Processor will either destroy, erase or return the data processed on behalf of the Controller. If applicable laws prohibit the Processor from destroying, erasing or returning the personal data processed on behalf of the Controller, the Processor will no longer actively process this data, but only to comply with the legal provisions,

(2) The Processor will create a log of each destruction or erasure of personal data, which will be made available to the Controller on request.

§ 10 Audit rights

(1) The Controller is entitled, at its own expense, to inspect the business premises of the Processor in which data of the Controller are processed, in order to verify compliance with these AVV. Such inspections take place during normal business hours (Monday to Friday from 9:00 a.m. to 5:00 p.m.), without disrupting operations and with strict confidentiality of the Processor’s trade and business secrets. The Controller will generally announce such an on-site inspection in good time (at least two weeks in advance).

(2) As a rule, the Controller is entitled to carry out one on-site inspection within the meaning of the previous paragraph per calendar year. This does not affect the right of the Controller to carry out further on-site inspections in the event of special circumstances.

(3) If the Controller commissions a third party to carry out the inspection, the Controller must obligate the third party in writing in the same way as the Controller is obligated to the Processor on the basis of these AVV. In addition, the Controller must oblige the third party to maintain confidentiality, unless the third party is subject to a professional duty of confidentiality. At the request of the Processor, the Controller must submit the commitment agreements with the third party to the Processor without delay. The Controller may not entrust a competitor of the Controller with the inspection.

(4) Instead of an on-site inspection, proof of compliance with these AVV can also be provided by adherence to approved codes of conduct in accordance with Art. 40 GDPR, certification under an approved certification procedure in accordance with Art. 42 GDPR, or the submission of suitable, current attestations, reports or excerpts from reports of independent bodies (e.g. auditors, data protection officers, IT security departments, data protection auditors or quality auditors) or suitable certification through an IT security or data protection audit (e.g. according to ISO 27001) (“audit report”), provided that the audit report enables the Controller to satisfy itself in a reasonable manner of compliance with these AVV.

(5) If and to the extent that an on-site inspection was not necessitated by misconduct on the part of the Processor, the Processor is entitled to charge for the on-site inspection in accordance with the remuneration rates agreed in the Main Contract.

§ 11 Other Provisions

(1) The present AVV are subject to the same law as the Main Contract, and for all disputes arising out of or in connection with these AVV the courts agreed upon by the Parties in the Main Contract shall have exclusive jurisdiction.

(2) Changes or additions to the present AVV are only effective if they are made in writing.

(3) If a provision of these AVV is declared invalid or unenforceable by the competent court, the remaining provisions shall remain fully effective.

(4) These AVV come into force upon conclusion of the Main Contract as an integral part of it. Regardless of the end of the term of the Main Contract, they remain in force until, and expire automatically when, all personal data has been deleted by the Processor and/or all sub-processors engaged.