Agreement on commissioned data processing (AVV)
according to Art. 28 Para. 3 General Data Protection Regulation (GDPR)
§ 1 Subject matter and duration of the contract
(1) This agreement regulates the rights and obligations of the parties in connection with the processing of personal data by the contractor (data processor) on behalf of the customer (controller). It applies to all activities in which employees of the contractor or third parties commissioned by him may come into contact with personal data of the controller.
(2) The term of this agreement is based on the term of the main contract for the use of the "BusWay" software. It ends automatically with the termination of the main contract, unless there are statutory retention obligations.
§ 2 Type and Purpose of Processing
(1) The data processor provides the data controller with a Software-as-a-Service (SaaS) platform. The processing includes the collection, storage, evaluation and provision of data to support operational processes.
(2) The purpose of the processing is the digital route assignment, navigation of driving personnel, management of route information and the technical safeguarding of the operation of the software.
§ 3 Type of Data and Category of Data Subjects
(1) Categories of data subjects: Employees of the customer (drivers, dispatchers, administrators).
(2) Type of personal data processed:
- Identification data (username, e-mail address, first and last name).
- Location and movement data (GPS coordinates during active use of the app, route histories).
- Device metadata (IP address, device ID, operating system version, app version).
- Usage data (timestamps of logins, created or traveled routes, synchronization logs).
§ 4 Obligations of the Data Processor
(1) The data processor processes personal data exclusively within the framework of the agreements made and in accordance with the instructions of the data controller, unless it is obliged to process it in a different way by legal regulations.
(2) The data processor ensures that all persons authorized to process the personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
(3) The data processor shall take all necessary measures in accordance with Art. 32 GDPR (Security of processing) to ensure a level of protection appropriate to the risk.
(4) The data processor shall support the data controller to the best of its ability in complying with the obligations mentioned in Art. 32 to 36 GDPR (e.g. notification of personal data breaches).
§ 5 Obligations of the Data Controller
(1) The data controller bears the sole responsibility for assessing the permissibility of the processing in accordance with Art. 6 para. 1 GDPR and for safeguarding the rights of the data subjects (e.g. informing employees about GPS tracking).
(2) The data controller usually issues its instructions through the use of the software functions (e.g. creating or deleting users). Verbal instructions must be confirmed in writing or in text form (e-mail) without delay.
§ 6 Technical and Organisational Measures (TOM)
(1) The data processor has taken appropriate technical and organizational measures to protect the data from unauthorized access, loss or alteration.
- Confidentiality: Encryption of data transmission (SSL/TLS), password protection (hashing), access controls.
- Integrity: Input control, logging of system accesses, separation of client data (logical separation).
- Availability: Regular backups, redundant server infrastructure, emergency plans (disaster recovery).
- Resilience: Use of scalable cloud infrastructures and regular review of system security.
§ 7 Subcontracting
(1) The data controller grants the data processor the general permission to involve further data processors (sub-contractors) to fulfill the contractual obligations.
(2) The data processor informs the data controller of any intended change regarding the involvement or replacement of further data processors. The data controller has the right to object.
(3) The currently used sub-contractors are listed in the appendix to this contract.
§ 8 Control Rights
(1) The data controller has the right to check the compliance with the legal regulations and the regulations of this contract at the data processor to a reasonable extent. Since this is a SaaS solution, the proof can primarily be provided by certificates or test reports from independent third parties.
§ 9 Deletion and Return of Data
(1) After completion of the provision of the processing services, the data processor deletes all personal data or returns it to the data controller, unless there is a legal obligation to store it.
§ 10 Final Provisions
(1) Should individual parts of this agreement be ineffective, this does not affect the effectiveness of the remaining provisions.
(2) The law of the Federal Republic of Germany applies. The place of jurisdiction is the registered office of the data processor.
The data processor uses the following service providers to fulfill its service:
| Service | Service Provider | Server Location |
|---|---|---|
| Hosting, Database & Backend | Strato AG | Berlin / Karlsruhe, DE |
| Map Data & Geocoding | Google Cloud EMEA | Dublin, IE (EU) |
| Reseller / Merchant of Record | Paddle.com Market Ltd | London, UK (Adequacy decision) |